NIS2 vs ISO 27001: EU Regulation vs International Standard — How They Work Together
With the EU's NIS2 Directive coming into full enforcement across member states, many European companies face a question: how does NIS2 relate to ISO 27001, and do we need to comply with both? The short answer is that they are fundamentally different instruments — NIS2 is a regulatory directive with legal obligations and penalties, while ISO 27001 is a voluntary international standard — but they complement each other significantly. Understanding the relationship between these two frameworks is essential for building an efficient compliance strategy that satisfies regulatory requirements while leveraging international best practices. Companies that already hold ISO 27001 certification have a significant head start on NIS2 compliance, and those starting fresh can build a unified approach that covers both.
Legal Nature & Obligation
NIS2 (Directive (EU) 2022/2555) is a binding EU legislative instrument. It requires EU member states to transpose its requirements into national law, meaning the specific legal obligations vary somewhat by country. Organizations classified as 'essential entities' or 'important entities' under NIS2 are legally required to comply. Non-compliance can result in significant fines — up to EUR 10 million or 2% of global annual turnover for essential entities, and up to EUR 7 million or 1.4% of turnover for important entities. Management bodies can be held personally liable. ISO 27001 is a voluntary international standard published by ISO/IEC. No law requires you to be certified, though some contracts, industry regulations, or customer requirements may effectively mandate it. There are no statutory penalties for not having ISO 27001 — the consequence is limited to business opportunities you may miss. This difference is fundamental: NIS2 compliance is a legal requirement with enforcement mechanisms. ISO 27001 is a business decision.
Scope & Applicability
NIS2 applies to specific sectors and entity types. Essential entities include energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, and space. Important entities include postal services, waste management, chemicals, food, manufacturing, digital providers, and research organizations. The directive applies based on sector and size — generally companies with 50+ employees or EUR 10M+ turnover in covered sectors. ISO 27001 can be applied by any organization, regardless of sector, size, or location. There are no restrictions on who can pursue certification. A 3-person startup and a 100,000-employee enterprise can both implement ISO 27001. The scope of the ISMS is defined by the organization itself — you can certify your entire company or a specific business unit or service.
Requirements & Controls
NIS2 Article 21 specifies cybersecurity risk management measures that entities must implement, including risk analysis, incident handling, business continuity, supply chain security, cryptography, access control, multi-factor authentication, and secure communications. The directive provides high-level requirements but leaves implementation details to national transposition and organizational discretion. ISO 27001 provides a comprehensive framework with 93 specific controls (in the 2022 revision) organized across Organizational, People, Physical, and Technological domains, plus management system requirements covering leadership, planning, support, operation, performance evaluation, and improvement. ISO 27001 is more prescriptive and structured in its control requirements. There is significant overlap: most NIS2 requirements map directly to ISO 27001 controls. The European Union Agency for Cybersecurity (ENISA) has published mapping documents showing how ISO 27001 implementation addresses NIS2 obligations.
Incident Reporting
NIS2 introduces strict incident reporting requirements with specific timelines. Significant incidents must be reported to the relevant national CSIRT or competent authority with an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. These are legal obligations with prescribed deadlines. ISO 27001 requires organizations to have incident management procedures and to report information security events through appropriate management channels, but it does not prescribe specific reporting timelines to external authorities. Incident management under ISO 27001 is primarily an internal process. For organizations subject to NIS2, ISO 27001's incident management controls provide the procedural foundation, but additional mechanisms are needed to meet NIS2's external reporting requirements and timelines.
Supply Chain & Third-Party Requirements
NIS2 places significant emphasis on supply chain security, requiring entities to address cybersecurity risks in their relationships with direct suppliers and service providers. This includes conducting due diligence on suppliers and incorporating cybersecurity requirements in contractual arrangements. The supply chain focus is a distinguishing feature of NIS2. ISO 27001 addresses supplier relationships through controls on information security in supplier relationships, supplier service delivery monitoring, and information security for cloud services. However, the depth of supply chain risk management expected under NIS2 — particularly regarding cascading risks across supply chains — goes beyond what most ISO 27001 implementations cover. Companies need to enhance their supplier assessment and monitoring practices to fully satisfy NIS2's supply chain requirements.
Governance & Accountability
NIS2 introduces explicit management body accountability. Article 20 requires that management bodies approve cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements. Management members must undergo cybersecurity training. This personal liability provision has little precedent in EU cybersecurity regulation. ISO 27001 requires leadership commitment and management involvement in the ISMS, but it does not impose personal liability on individual managers. The standard expects top management to demonstrate leadership and commitment, but enforcement is through the certification body rather than legal authorities. For executives at organizations subject to NIS2, ISO 27001 provides the management system framework, but the legal accountability layer requires additional governance structures and board-level awareness.
The verdict
NIS2 and ISO 27001 are not alternatives — they serve different purposes and, for many European organizations, both are relevant. NIS2 is a legal requirement for entities in covered sectors; non-compliance carries significant financial and personal liability. ISO 27001 is a voluntary best-practice standard that provides a structured framework for implementing the security measures NIS2 requires. The most efficient approach is to use ISO 27001 as the implementation framework for meeting NIS2 obligations. Organizations that already hold ISO 27001 certification will find they have covered approximately 70-80% of NIS2's requirements and need to address specific gaps around incident reporting timelines, supply chain security depth, and management accountability. AuditFront supports assessments for both NIS2 and ISO 27001, helping you identify gaps and build a unified compliance strategy that satisfies both the regulatory directive and the international standard.
Frequently Asked Questions
Does ISO 27001 certification mean I comply with NIS2?
Does my company fall under NIS2?
Should I pursue ISO 27001 before or after NIS2 compliance?
Can ENISA guidance help with both frameworks?