Split-screen comparison of NIS2 EU directive and ISO 27001 certification standard showing overlap and differences in cybersecurity requirements

NIS2 vs ISO 27001: Differences, Overlap, and How to Align

Last verified: March 2026. Based on Directive (EU) 2022/2555 (NIS2), ISO/IEC 27001:2022, Commission Implementing Regulation (EU) 2024/2690, and ENISA Technical Implementation Guidance (June 2025).

If your organisation already holds ISO 27001 certification, you’re asking exactly the right question: how much of NIS2 do we already cover, and what’s the gap? The answer is encouraging — roughly 70–80% of NIS2’s security requirements overlap with ISO 27001 controls — but the remaining 20–30% includes some of the directive’s most consequential obligations: mandatory incident reporting timelines, personal management liability, and sector-specific supply chain requirements that ISO 27001 simply doesn’t address.

Conversely, if you don’t have ISO 27001 and are starting from scratch with NIS2 compliance, you might wonder whether to pursue ISO certification as a foundation. The short answer: yes, in most cases it’s the most efficient path. ISO 27001 provides the structured Information Security Management System (ISMS) framework that NIS2 expects but doesn’t itself define.


This guide provides a complete, clause-level comparison of both frameworks — where they align, where they diverge, and exactly how to close the gap. If you’re a CISO, compliance manager, or consultant managing NIS2 implementation, this is the mapping reference you need.

NIS2 and ISO 27001 at a Glance

Before diving into the detailed comparison, it helps to understand what each framework is and what it isn’t. They serve fundamentally different purposes, which explains both the overlap and the gaps.

Aspect | NIS2 (Directive 2022/2555) | ISO/IEC 27001:2022
What it is | EU cybersecurity law: a directive that Member States transpose into national legislation | International standard for Information Security Management Systems (ISMS), published by ISO and IEC
Legal status | Mandatory for in-scope entities across the EU; non-compliance triggers fines and enforcement action | Voluntary; organisations choose to certify, and there are no fines for not certifying
Scope | Sector-specific: 18 sectors defined in Annexes I and II, with size thresholds (generally 50+ employees or more than €10M annual turnover or balance sheet, plus certain entities regardless of size) | Universal: any organisation, in any sector and of any size, can implement and certify
Focus | Cybersecurity resilience of critical infrastructure and essential services across the EU | Establishing, maintaining and continually improving an information security management system
Enforcement | National competent authorities conduct audits and inspections. Fines up to €10M or 2% of global annual turnover (whichever is higher) for essential entities, and up to €7M or 1.4% for important entities | Certification bodies audit conformity. Failure means loss of the certificate, not legal penalties
Incident reporting | Mandatory 24h / 72h / 1-month reporting of significant incidents to the national CSIRT or competent authority | Requires incident management procedures but prescribes no reporting deadlines or external notification
Management accountability | Article 20: management bodies must approve measures, oversee implementation, undergo training and can be held liable for breaches | Clause 5 (Leadership): top management must demonstrate commitment but faces no personal legal liability
Current version | Adopted December 2022; Member States had to apply it from 18 October 2024 | ISO/IEC 27001:2022 (third edition, October 2022)

The fundamental distinction: NIS2 tells you what you must do (and punishes you if you don’t). ISO 27001 tells you how to build the system that does it (and certifies you if you succeed). They’re complementary, not competing — and the most efficient compliance strategy uses both [1] [2].

Where They Overlap: The 70–80% Foundation

The overlap between NIS2 and ISO 27001 is substantial and well-documented. ENISA’s Technical Implementation Guidance explicitly maps NIS2 requirements to ISO 27001 controls, confirming that an organisation with a mature ISMS has already addressed the majority of NIS2’s technical security requirements [4].

Here’s where the alignment is strongest:

  • Risk management. Both frameworks centre on risk-based approaches to information security. NIS2 Article 21(2)(a) requires “policies on risk analysis and information security,” which maps directly to ISO 27001 Clauses 6.1 (actions to address risks) and 8.2–8.3 (risk assessment and treatment). If your ISMS risk assessment methodology is mature, your NIS2 risk management foundation is largely in place.
  • Incident handling. NIS2 Article 21(2)(b) requires prevention, detection, and response procedures. ISO 27001 Annex A controls 5.24–5.28 (incident management) and 6.8 (event reporting) cover the same ground in terms of establishing procedures for detecting, analysing, and responding to security incidents.
  • Business continuity. NIS2 Article 21(2)(c) maps to ISO 27001 Annex A controls 5.29–5.30 (ICT continuity planning) and 8.13–8.14 (backups and redundancy). Both require documented continuity plans and backup procedures.
  • Supply chain security. NIS2 Article 21(2)(d) maps to ISO 27001 Annex A controls 5.19–5.23 (supplier management). Both require assessing and managing security risks from third-party providers.
  • Access control. NIS2 Article 21(2)(i) maps to ISO 27001 Annex A controls 5.15–5.18 (identity management) and 8.2–8.5 (access controls). Both require role-based access, least privilege, and identity management.
  • Cryptography. NIS2 Article 21(2)(h) maps to ISO 27001 Annex A control 8.24 (use of cryptography). Both require policies governing when and how encryption is used.
  • Asset management. NIS2 Article 21(2)(i) includes asset management requirements that map to ISO 27001 Annex A controls 5.9–5.13 (asset inventory, classification, and handling).
  • HR security and training. NIS2 Article 21(2)(g) and (i) map to ISO 27001 Annex A people controls 6.1–6.6 (screening, terms of employment, awareness and training under 6.3, disciplinary process, responsibilities after termination) and Clause 7.2 (competence).

This overlap explains why ISO 27001 is widely considered the best starting framework for NIS2 compliance. You’re not building from zero — you’re extending an existing system to meet additional legal requirements [5].

Key insight: The overlap is in security controls. The gaps are in legal and governance processes — incident reporting to authorities, board-level personal accountability, and sector-specific requirements that ISO 27001, as a universal standard, was never designed to address.

Six Key Differences Between NIS2 and ISO 27001

Understanding the overlap gives you confidence. Understanding the differences tells you where to focus your gap-closure effort. These six areas represent the most significant divergences:

1. Incident Reporting Timelines

This is the single largest operational gap. ISO 27001 requires you to have incident management procedures (Annex A 5.24–5.28) and to report events internally — but sets no deadlines for external notification. NIS2 Article 23 imposes a strict three-stage reporting timeline:

Stage | NIS2 requirement (Art. 23(4)) | ISO 27001 equivalent
Early warning | Within 24 hours of becoming aware of a significant incident, indicating whether it is suspected to be unlawful or malicious and whether it could have cross-border impact | None
Incident notification | Within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise | None
Final report | No later than one month after submitting the incident notification (for incidents still ongoing at that point, a progress report, then a final report within one month of handling the incident), with a detailed description, the type of threat or root cause, mitigation measures applied and any cross-border impact | None

If your organisation holds ISO 27001 but has never had to report incidents externally within a 24-hour window, this is your most urgent implementation priority. You need defined escalation paths, pre-drafted notification templates, and a direct communication channel to your national CSIRT. For the full reporting requirements, see our NIS2 incident reporting guide.
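The three stages above are easiest to operate as a deadline clock that starts the moment someone records "aware". The following is an added example written for this page, not code from ENISA, the directive or any product. It assumes all timestamps are timezone-aware UTC (the `utc` helper is ours), that "one month" means the same calendar day of the following month clamped to month end (your CSIRT or competent authority should confirm the convention they apply), and the `IncidentClock` class and sample awareness time are invented for illustration.

```python
"""NIS2 Article 23 notification clock (illustrative, added example).

Given the moment an entity became aware of a significant incident, derive the
early-warning (24h), incident-notification (72h) and final-report (one month
after the notification is submitted) deadlines, and report which stages are
open, overdue or submitted at a given time.

Assumptions, not taken from the directive text: timestamps must be
timezone-aware; "one month" is the same calendar day of the next month,
clamped to that month's last day.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARLY_WARNING = timedelta(hours=24)          # Art. 23(4)(a)
INCIDENT_NOTIFICATION = timedelta(hours=72)  # Art. 23(4)(b)


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a timezone-aware UTC timestamp (helper for the examples)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_one_month(ts: datetime) -> datetime:
    """Same day next month, clamped to month end (31 Jan -> 28 Feb in a non-leap year)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


@dataclass
class IncidentClock:
    aware_at: datetime
    early_warning_sent_at: Optional[datetime] = None
    notification_sent_at: Optional[datetime] = None
    final_report_sent_at: Optional[datetime] = None

    def __post_init__(self) -> None:
        # Naive timestamps silently shift deadlines across time zones; refuse them.
        for name, ts in [("aware_at", self.aware_at), *self.sent().items()]:
            if ts is not None and ts.tzinfo is None:
                raise ValueError(f"{name} must be timezone-aware")

    def sent(self) -> dict[str, Optional[datetime]]:
        return {
            "early_warning": self.early_warning_sent_at,
            "incident_notification": self.notification_sent_at,
            "final_report": self.final_report_sent_at,
        }

    def deadlines(self) -> dict[str, datetime]:
        notification_deadline = self.aware_at + INCIDENT_NOTIFICATION
        # Art. 23(4)(d) counts the month from submission of the incident
        # notification. Until it is submitted, anchor on the 72h limit, i.e. the
        # latest the final report could be due; submitting earlier pulls it forward.
        anchor = self.notification_sent_at or notification_deadline
        return {
            "early_warning": self.aware_at + EARLY_WARNING,
            "incident_notification": notification_deadline,
            "final_report": add_one_month(anchor),
        }

    def status(self, now: datetime) -> dict[str, str]:
        """Per stage: 'submitted', 'submitted late', 'overdue' or 'open'."""
        result: dict[str, str] = {}
        sent = self.sent()
        for stage, deadline in self.deadlines().items():
            sent_at = sent[stage]
            if sent_at is not None:
                result[stage] = "submitted" if sent_at <= deadline else "submitted late"
            elif now > deadline:
                result[stage] = "overdue"
            else:
                result[stage] = "open"
        return result

    def overdue(self, now: datetime) -> list[str]:
        return [stage for stage, state in self.status(now).items() if state == "overdue"]


def demo_clock() -> IncidentClock:
    """Constructed sample: awareness on 31 Jan 2026 10:00 UTC, early warning sent 20h later."""
    aware = utc(2026, 1, 31, 10)
    return IncidentClock(aware_at=aware, early_warning_sent_at=aware + timedelta(hours=20))


if __name__ == "__main__":
    clock = demo_clock()
    for stage, deadline in clock.deadlines().items():
        print(f"{stage:22s} due {deadline.isoformat()}")
    for label, hours in (("t+30h", 30), ("t+80h", 80)):
        now = clock.aware_at + timedelta(hours=hours)
        print(label, clock.status(now), "overdue:", clock.overdue(now))
```

Feed `status()` from a scheduler (or your SOAR playbook) and page the on-call lead on any stage that reaches "overdue"; the "submitted late" state is what a supervisory inspection will look for in your audit trail, so record the submission timestamp at the moment the notification goes out, not when the ticket is closed.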

2. Management Accountability and Personal Liability

ISO 27001 Clause 5 requires top management to “demonstrate leadership and commitment” to the ISMS. This is a governance requirement — management must set direction, allocate resources, and review performance. But it carries no personal legal consequences if they fail to do so. The worst outcome is a certification audit non-conformity.

NIS2 Article 20 goes dramatically further. Management bodies must:

  • Formally approve the cybersecurity risk-management measures under Article 21
  • Actively oversee their implementation on an ongoing basis (not just annual reviews)
  • Undergo cybersecurity training themselves — not delegate understanding to the CISO
  • Face personal liability for failures in these duties, including potential temporary bans from management positions in some Member States

This transforms cybersecurity from an IT governance matter into a fiduciary duty. Your ISMS management review (ISO 27001 Clause 9.3) is a starting point, but it won’t satisfy NIS2’s requirements for documented board approval, evidence of training completion, and ongoing active oversight [1] [7].

3. Supply Chain Depth

Both frameworks address supplier security, but NIS2 goes deeper. ISO 27001 Annex A 5.19–5.22 requires you to assess supplier risks, establish security requirements in contracts, and monitor third-party compliance. This is solid baseline coverage.

NIS2 Article 21(2)(d) and CIR 2024/2690 Chapter 5 add specific requirements that go beyond ISO 27001:

  • A maintained directory of all direct suppliers classified by criticality
  • Taking into account the results of the coordinated security risk assessments of critical supply chains carried out under Article 22 (Art. 21(3); no ISO equivalent)
  • Specific contractual security obligations scaled by supplier criticality
  • Assessment of suppliers’ cybersecurity practices, not just their contractual commitments

If your ISO 27001 supplier management is limited to contractual clauses and annual questionnaires, you’ll need to expand it significantly. NIS2 expects you to understand the actual cybersecurity posture of your critical suppliers, not just have paper agreements. See our supply chain security guide for implementation detail.

4. Crisis Management

ISO 27001 covers business continuity planning (Annex A 5.29–5.30) focused on ICT service continuity. NIS2 Article 21(2)(c) and CIR Chapter 4 extend this into crisis management — a broader discipline that includes:

  • Formal crisis management processes with defined roles, escalation procedures, and communication plans (CIR 4.3.1–4.3.4 — no ISO equivalent)
  • Tabletop exercises and testing of crisis response capabilities
  • Integration of cybersecurity incidents into organisational crisis management, not just IT continuity

The distinction matters: business continuity ensures your IT services recover. Crisis management ensures your organisation survives, including stakeholder communication, regulatory notification, and reputational response.

5. CISO Reporting and Governance Structure

CIR 2024/2690 Section 1.2.3 requires that the person responsible for network and information security has a direct reporting line to the management body. ISO 27001 has no equivalent requirement for any specific organisational reporting structure.

This matters for organisations where information security reports through IT, which reports through a COO or CTO, with no direct board access. NIS2 expects the CISO (or equivalent) to have an unmediated path to the board for escalation.

6. Sector-Specific and Legal Requirements

ISO 27001 is deliberately sector-agnostic — that’s its strength as a universal standard and its limitation for regulatory compliance. NIS2 introduces several legal and sector-specific requirements with no ISO equivalent:

  • Entity registration with the national competent authority (some Member States require self-registration by specific deadlines)
  • Penalties framework (Art. 34) with fines up to €10M or 2% of global annual turnover, whichever is higher, for essential entities, and up to €7M or 1.4% for important entities
  • Cross-border cooperation obligations through CSIRTs and the NIS Cooperation Group
  • Sector-specific technical standards that may be adopted by the European Commission under Article 25

These aren’t security controls — they’re legal compliance processes. No amount of ISO 27001 maturity will address them; they require separate legal and regulatory workstreams.

Full Controls Mapping: NIS2 Article 21 to ISO 27001

This table maps each NIS2 Article 21(2) cybersecurity measure to the corresponding ISO 27001:2022 clause or Annex A control, with a coverage assessment. Use it as the starting point for your gap analysis [3] [4] [5].

NIS2 Art. 21(2) measure | ISO 27001 mapping | Coverage | Gap notes
(a) Risk analysis & information security policies | Clause 6.1 (actions to address risks), Clauses 8.2–8.3 (risk assessment and treatment), Annex A 5.1–5.4 (policies) | High | ISO covers risk methodology and the policy framework. NIS2 adds formal approval by the management body under Art. 20
(b) Incident handling | Annex A 5.24–5.28 (incident management), A 6.8 (event reporting) | Partial | ISO covers internal incident processes. No external reporting timelines (24h/72h/1 month): the biggest single gap
(c) Business continuity & crisis management | Annex A 5.29–5.30 (ICT continuity), A 8.13–8.14 (backups, redundancy) | Partial | ISO covers ICT continuity. No crisis management framework (CIR 4.3.1–4.3.4)
(d) Supply chain security | Annex A 5.19–5.23 (supplier and cloud service management) | Partial | ISO covers contractual and monitoring controls. NIS2 adds a supplier directory, criticality classification and the duty to take coordinated supply chain risk assessments into account
(e) Acquisition, development & maintenance security | Annex A 5.8, 8.25–8.34 (secure development, change management, testing) | High | Strong alignment. NIS2 adds emphasis on vulnerability handling and disclosure processes
(f) Effectiveness assessment | Clause 9.1 (monitoring & measurement), Clause 9.2 (internal audit), A 5.36 (compliance with policies and standards) | High | ISO's internal audit and measurement clauses align well with NIS2 effectiveness testing
(g) Cyber hygiene & training | Annex A 6.3 (awareness & training), Clause 7.2 (competence) | High | Good alignment. NIS2 adds an explicit board-level training requirement under Art. 20
(h) Cryptography & encryption | Annex A 8.24 (use of cryptography), A 5.14 (information transfer) | High | Strong alignment at policy level. The CIR is more prescriptive about when data in transit and at rest must be encrypted
(i) HR security, access control & asset management | Annex A 6.1–6.6 (people controls), A 5.15–5.18 (access and identity management), A 8.2–8.5 (privileged and system access), A 5.9–5.13 (asset management) | High | Comprehensive alignment. Minor gap: the CIR spells out privileged-account management procedures in more detail than A 8.2
(j) MFA & secure communications | Annex A 8.5 (secure authentication), A 5.14 (information transfer) | Partial | ISO requires secure authentication in general terms. NIS2 explicitly names multi-factor or continuous authentication and secured voice, video, text and emergency communications

Reading the table: “High” coverage means your existing ISO 27001 controls likely satisfy NIS2’s technical requirements with minor adjustments. “Partial” means significant additional work is needed beyond what ISO 27001 requires. The gap notes identify exactly where to focus.

CIR 2024/2690 to ISO 27001: Detailed Mapping

The Commission Implementing Regulation (EU) 2024/2690 breaks Article 21’s ten high-level measures into 13 detailed chapters with more than 150 specific technical controls. Here’s how each CIR chapter maps to ISO 27001 [3] [5]:

CIR chapter | Topic | ISO 27001 controls | Notable gaps
1. Security policies | NIS policy framework, roles, CISO appointment | A 5.1–5.4 | CIR 1.2.3: the security officer must report directly to the management body (no ISO equivalent)
2. Risk management | Risk assessment methodology, treatment, acceptance | A 5.7, 5.29–5.31, 5.36, 8.34 | Aligned
3. Incident management | Detection, classification, response, external reporting | A 5.24–5.28, 6.8, 8.15–8.16 | External notification timelines (24h/72h/1 month)
4. Business continuity | BIA, continuity plans, disaster recovery, crisis management | A 5.29–5.31, 7.5, 8.13–8.14 | CIR 4.3.1–4.3.4: crisis management processes (no ISO equivalent)
5. Supply chain | Supplier directory, criticality classification, contractual obligations | A 5.19–5.23 | CIR 5.1.3: taking the results of coordinated supply chain risk assessments into account (no ISO equivalent)
6. Acquisition & development | Secure development lifecycle, change management, testing | A 5.8, 8.25–8.34 | Aligned
7. Effectiveness | Vulnerability scanning, penetration testing, audit | A 5.36, 8.34, Clause 9.2 | Aligned
8. Cyber hygiene | Awareness training, acceptable use, phishing exercises | A 6.3, 7.2–7.3 | Aligned
9. Cryptography | Encryption policies, key management, data-in-transit protection | A 5.14, 8.24 | Minor: the CIR is more prescriptive on encryption of data at rest
10. HR security | Background checks, security responsibilities, termination | A 6.1–6.6 | Aligned
11. Access control | Identity management, RBAC, privileged access, MFA | A 5.15–5.18, 8.2–8.5 | CIR 11.7: explicit MFA / continuous authentication mandate
12. Asset management | Asset inventory, classification, lifecycle | A 5.9–5.13, 7.9–7.10 | Aligned
13. Physical security | Perimeter controls, access zones, environmental protection | A 7.1–7.5, 7.11–7.12 | Aligned

Of 13 CIR chapters, 8 align closely with ISO 27001 controls. Five chapters — security policies, incident management, business continuity, supply chain, and access control — contain specific requirements that go beyond what ISO 27001 addresses. These are your priority gap areas.

The Gap: What ISO 27001 Doesn’t Cover

Based on the mapping analysis, here are the specific NIS2 requirements that an ISO 27001-certified organisation will need to implement separately. These represent the “last 20–30%” — and they are disproportionately important because they carry the highest legal risk [1] [3] [6].

Critical Gaps (Highest Priority)

Gap area | NIS2 requirement | Why ISO 27001 doesn't cover it | Action required
Incident reporting to authorities | 24h early warning, 72h incident notification, final report within one month of that notification, to the national CSIRT or competent authority (Art. 23) | ISO requires internal incident management but has no external notification deadlines or CSIRT reporting | Build a three-stage notification process with templates, escalation paths and CSIRT contact details. Run tabletop exercises against the clock
Management personal liability | Management body must approve measures, oversee implementation and undergo training (Art. 20) | ISO requires "leadership commitment" but imposes no personal legal consequences | Schedule formal board approval of the cybersecurity programme. Document training attendance. Establish regular board-level cybersecurity reporting
Entity registration | Submission of entity details to the national competent authority (Art. 3) | ISO is a voluntary certification with no regulatory registration concept | Identify your national competent authority and register by the deadline set in national law

Significant Gaps (High Priority)

Gap area | NIS2 requirement | Action required
Crisis management framework | Formal crisis management processes beyond ICT continuity (CIR 4.3.1–4.3.4) | Develop a crisis management plan with defined roles, escalation procedures, communication plans and regular testing
CISO direct reporting | Security officer must report directly to the management body (CIR 1.2.3) | Review and adjust the organisational reporting structure if the CISO has no direct board access
Supply chain directory | Maintained directory of all direct suppliers classified by criticality (CIR Ch. 5) | Build and maintain a supplier register with criticality ratings. Apply tiered security requirements based on classification
Coordinated supply chain assessments | Take into account the results of coordinated EU-level supply chain risk assessments (Art. 21(3) and 22; CIR 5.1.3) | Establish a process to track published assessments and feed their findings into your supplier risk ratings and procurement decisions
MFA mandate | Multi-factor or continuous authentication for defined access scenarios (CIR 11.7) | Deploy MFA for all administrative access, remote access and access to critical systems. ISO requires secure authentication but does not mandate MFA specifically

Documentation and Evidence Gaps

Beyond specific technical controls, NIS2 expects a different standard of evidence than ISO 27001 certification audits. National competent authorities conducting NIS2 supervisory inspections look for:

  • Live evidence of implementation, not just documented policies
  • Documented board-level decisions on cybersecurity risk acceptance
  • Evidence of regular testing (including crisis management exercises)
  • Audit trails for incident handling, including decisions made during response and evidence of notification timelines being met

An ISO 27001 certificate is strong evidence of a functioning ISMS, but NIS2 auditors will look through the certificate to the underlying evidence. “We have ISO 27001” is not itself an adequate answer to a supervisory inspection [6].

How to Align: A Practical Roadmap

Whether you’re starting with ISO 27001 and extending to NIS2, or approaching both frameworks together, here’s the most efficient path:

If You Already Have ISO 27001

  1. Run a formal gap analysis. Use the mapping tables above. Walk through each NIS2 Article 21 measure and CIR chapter, and mark which ISO 27001 controls you already have in place. The NIS2 compliance checklist provides a structured format for this.
  2. Close the incident reporting gap first. This is the highest-risk area because the 24-hour deadline doesn’t wait for your implementation programme. Build the three-stage process, establish your CSIRT channel, and run at least one tabletop exercise before anything else.
  3. Address management accountability. Schedule formal board approval of your cybersecurity programme. Arrange board-level training. Document everything — minutes, attendance, decisions.
  4. Extend supply chain management. Build the supplier directory with criticality classifications. Review and strengthen contractual obligations for critical suppliers. Establish monitoring mechanisms beyond annual questionnaires.
  5. Implement remaining technical gaps. Deploy MFA where not yet in place. Develop a crisis management plan separate from IT continuity. Adjust CISO reporting lines if needed.
  6. Register with your national competent authority. Check your national transposition law for registration requirements and deadlines.

If You’re Starting from Scratch

  1. Implement ISO 27001 as your ISMS foundation. This gives you the management system structure, risk methodology, and 93 Annex A controls that cover 70–80% of NIS2’s requirements.
  2. During implementation, add NIS2-specific extensions. As you build each ISO 27001 control area, add the NIS2 extras: external reporting procedures with incident management, crisis management with business continuity, supplier directories with supplier controls.
  3. Consider certification. While ISO 27001 certification is not required for NIS2 compliance, it provides two practical benefits: an independent validation of your security controls, and strong evidence for NIS2 supervisory inspections that your ISMS is functioning effectively.

The NIS2 requirements guide covers all ten Article 21 measures in detail, and our NIS2 compliance templates provide ready-to-use policy and procedure documents aligned with both the CIR and ISO 27001 control structure.

Frequently Asked Questions

Does ISO 27001 certification mean I am NIS2 compliant?

No. ISO 27001 covers approximately 70–80% of NIS2’s security requirements, but it does not address mandatory incident reporting timelines, management personal liability, entity registration, crisis management processes, or sector-specific legal obligations. ISO 27001 is the best foundation for NIS2 compliance, but additional work is needed to close the gaps.

Can I use ISO 27001 as evidence for NIS2 compliance?

Yes, and NIS2 itself points to it. Article 21(1) requires measures to take into account the state of the art and, where applicable, relevant European and international standards. ENISA’s Technical Implementation Guidance explicitly maps NIS2 requirements to ISO 27001 controls. An ISO 27001 certificate is strong evidence of a functioning ISMS and will be viewed positively by supervisory authorities, but it is not sufficient on its own [4].

Should I get ISO 27001 before starting NIS2 compliance?

If you don’t already have an ISMS, implementing ISO 27001 is the most efficient path to NIS2 compliance. It provides the structured management system framework and security controls that cover the majority of NIS2’s technical requirements. You can extend it with NIS2-specific processes during implementation rather than treating them as separate projects.

What is the biggest gap between ISO 27001 and NIS2?

Mandatory incident reporting to national authorities within 24 hours (early warning), 72 hours (incident notification) and one month after that notification (final report). ISO 27001 requires internal incident management procedures but has no external reporting timelines and no obligation to notify regulators. This is the highest-risk gap because the clock starts the moment you become aware and a missed deadline is immediately visible to the authorities.

How much does NIS2 overlap with ISO 27001?

Approximately 70–80% of NIS2’s cybersecurity risk-management measures (Article 21) have direct equivalents in ISO 27001 Annex A controls. The overlap is strongest in risk management, access control, cryptography, asset management, and HR security. The remaining 20–30% consists of legal, governance, and sector-specific requirements that ISO 27001 was not designed to address.

Does ENISA recommend ISO 27001 for NIS2 compliance?

Yes. ENISA’s Technical Implementation Guidance (published June 2025) explicitly maps NIS2 and CIR 2024/2690 requirements to ISO 27001 controls. It treats ISO 27001 as a primary reference framework for implementing NIS2 cybersecurity measures, while noting that supplementary processes are needed for NIS2-specific legal obligations [4].

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Infographic: NIS2 vs ISO 27001: Differences, Overlap, and How to Align (key facts visualised). Source: nis-2-templates.com

Sources

  1. “Directive (EU) 2022/2555 — Official Text” — EUR-Lex, Full text
  2. “ISO/IEC 27001:2022 — Information security management systems” — International Organization for Standardization, Standard page
  3. “Commission Implementing Regulation (EU) 2024/2690” — EUR-Lex, Full text
  4. “NIS2 Technical Implementation Guidance” — ENISA, Publication page
  5. “NIS2 Implementing Act — NIS2/ISO 27001 Mapping” — OpenKRITIS, Mapping table
  6. “NIS 2 vs. ISO 27001 mapping” — Advisera, Article
  7. “NIS2 directive explained: Management bodies rules” — DLA Piper, Analysis