
NIS2 vs. ISO 27001: do you need both, and where do you start?

NIS2 is EU law. ISO 27001 is a voluntary standard. Both land on the same compliance officer's desk, often in the same month. Understanding the relationship lets you build one coherent system that satisfies both, rather than running two parallel programmes.

Cyvra Team
Cyvra Consultancy
2 June 2026
Key takeaways
  • NIS2 is mandatory EU law. ISO 27001 is a voluntary international standard. They are different instruments with different purposes.
  • ISO 27001 maps to all 10 NIS2 Article 21 security measures, making it an effective vehicle for NIS2 compliance.
  • An ISO 27001-certified organisation still has NIS2-specific gaps: incident notification timelines, management liability, and registration obligations.
  • If you are starting from scratch, a gap analysis is the right first step, not choosing one framework and deferring the other.
  • The most efficient path is to build one integrated programme rather than two separate compliance projects.

Two frameworks, one inbox

Compliance officers at medium and large European companies are fielding questions about NIS2 and ISO 27001 at the same time. It is easy to see why teams conflate the two: both deal with cybersecurity, both require risk assessments and documented controls, and both lead to audits. But they are fundamentally different instruments, and treating them as interchangeable leaves real compliance gaps.

NIS2 (Directive 2022/2555) is EU legislation. If your organisation operates in one of 18 critical sectors and meets the size threshold, you are in scope and must comply. There is no opt-out. Non-compliance is enforceable by national authorities and carries fines up to €10 million or 2% of global annual turnover for essential entities. NIS2 has been in force since October 2024.

ISO/IEC 27001:2022 is an international standard for information security management systems (ISMS). Certification is voluntary. Any organisation can pursue it, in any sector, at any size. The standard does not tell you exactly what security controls to implement; it asks you to build a risk-based management system that systematically identifies threats, selects proportionate controls, and continuously improves. Third-party certification bodies assess you against the standard and issue a certificate.

  • 160,000 entities in scope for NIS2 across the EU, in 18 sectors
  • 93 controls in ISO 27001:2022 Annex A, across 4 control domains
  • 10 mandatory security measures under NIS2 Article 21

Where they overlap

NIS2 Article 21 specifies 10 mandatory security measures. ISO 27001 Annex A contains 93 controls across four domains. All 10 NIS2 measures correspond to ISO 27001 control areas:

  • Risk analysis & security policies (full coverage): ISO 27001 Clause 6.1 requires formal risk assessment; Annex A.5 covers information security policies in detail.
  • Incident handling (full coverage): Annex A.5.24-5.28 address incident management, including detection, classification, response, and lessons learned.
  • Business continuity, backup & DR (full coverage): Annex A.5.29 (ICT readiness for business continuity) and A.8.13 (information backup) cover both tested backups and recovery planning.
  • Supply chain security (full coverage): Annex A.5.19-5.23 require assessment of supplier security, contractual obligations, and ongoing monitoring of third-party risk.
  • Security in system acquisition & development (full coverage): Annex A.8.25-8.34 address secure development practices, vulnerability disclosure, and patch management.
  • Policies to assess effectiveness (full coverage): ISO 27001 Clause 9.2 mandates internal audits; Annex A.5.35-5.36 require independent review and policy compliance assessment.
  • Cyber hygiene & training (full coverage): Annex A.6.3 (awareness) and A.8.8 (vulnerability management) directly cover staff training and baseline hygiene controls.
  • Cryptography & encryption (full coverage): Annex A.8.24 requires documented cryptography policies covering data at rest, in transit, and key management.
  • HR security, access control & asset management (full coverage): Annex A.6 (people controls) and A.8.1-8.12 cover joiners/leavers, least-privilege access, and asset inventory in full.
  • MFA & secure communications (partial coverage): Annex A.8.5 covers privileged access management and A.8.20 network security, but MFA is not as explicitly mandated as in NIS2.

An organisation with a mature, well-documented ISO 27001 ISMS will have controls in place for nine of the ten NIS2 Article 21 requirements. The tenth (MFA) needs only a targeted addition. ISO 27001 is the most efficient vehicle for building NIS2-compliant security controls.

Where they diverge

The overlap has real limits. ISO 27001 was designed as a management systems standard, not a regulatory compliance framework, and NIS2 goes further in three areas.

  • Legal obligation. NIS2: mandatory for in-scope entities; non-compliance is enforceable. ISO 27001: voluntary; no legal obligation to certify.
  • Who it applies to. NIS2: medium and large organisations in 18 defined sectors across the EU. ISO 27001: any organisation, any sector, any size, anywhere.
  • Incident notification. NIS2: mandatory 24h early warning, 72h notification, and 1-month final report to the national authority. ISO 27001: no external notification timelines; internal incident management only.
  • Management liability. NIS2: Article 20 makes board members personally liable; they can be prohibited from exercising managerial responsibilities. ISO 27001: no personal liability provisions.
  • Registration requirement. NIS2: in-scope entities must register with the national competent authority. ISO 27001: no registration requirement.
  • Audit / certification body. NIS2: national supervisory authorities (NCSC and sector regulators in NL). ISO 27001: accredited third-party certification body (e.g., BSI, Bureau Veritas, DNV).
  • Control specificity. NIS2: 10 prescriptive measures, including an explicit MFA requirement. ISO 27001: 93 controls, risk-based selection; not all apply to every organisation.
  • Fines for non-compliance. NIS2: up to €10M or 2% of global turnover (essential entities). ISO 27001: loss of certification; no financial penalties from the standard itself.

The three gaps that matter most in practice are incident notification, management liability, and registration. ISO 27001 says nothing about notifying a government authority within 24 hours of discovering an incident. It says nothing about holding your board personally accountable for cybersecurity governance. And it does not require you to register with a national body. These are NIS2-specific obligations that an ISO 27001 programme, however mature, does not address.

Common mistake

Many organisations assume that ISO 27001 certification means NIS2 compliance. It does not. Regulators will look for documented incident notification procedures, evidence of management training, board-approved cybersecurity risk measures, and registration. An ISO 27001 certificate alone will not satisfy an audit on these points.

If you already have ISO 27001 certification

You are in a strong position, but you are not finished. Based on where most certified organisations sit, the remaining NIS2-specific gaps typically fall into four categories:

  • Incident notification process. Your incident response plan almost certainly does not include the three-stage NIS2 notification sequence. You need to add a regulatory notification step with named individuals responsible for the 24-hour early warning, and test it in a tabletop exercise.
  • Management training and documentation. NIS2 Article 20 requires board-level training on cybersecurity risk identification and its impact on operations. Board minutes and structured training records need to demonstrate this explicitly.
  • Registration. In-scope entities must register with the relevant national competent authority. In the Netherlands, the NCSC coordinates this process. ISO 27001 does not prompt this step.
  • MFA enforcement. ISO 27001 Annex A addresses privileged access management but does not mandate MFA as explicitly as NIS2 Article 21 does. Review your Statement of Applicability and close the gap if MFA is not already a documented control.

For a certified organisation, closing these gaps is a targeted piece of work, not a transformation project. A focused gap assessment can identify exactly what is missing and produce a remediation plan within a few weeks.

If you are starting from scratch

Your instinct may be to pick one framework, complete it, then tackle the other. That sequence wastes material effort. The documentation, risk assessments, policies, and control evidence you build for NIS2 apply directly to ISO 27001. Running them as separate projects means doing the same work twice.

In practice

Adding ISO 27001 certification on top of a well-structured NIS2 programme takes roughly 20-30% more effort. Running them as two separate programmes from scratch typically doubles that: you build the same risk assessments, policies, and control evidence twice.

If you are in scope for NIS2, that obligation is already active. Start there. But structure your NIS2 programme using ISO 27001's management system approach from day one: a defined scope, a formal risk assessment, a Statement of Applicability mapping your controls, and a documented improvement cycle. This approach means that when you are ready to pursue ISO 27001 certification, the certification body is reviewing a programme that already exists in mature form, rather than starting from scratch.

An ISO 27001 programme built without NIS2 in mind leaves compliance gaps that require rework. Building NIS2-first, with an ISO 27001-aligned structure from the start, avoids that.

Where to start: the gap analysis

The first step for any organisation, regardless of whether it has existing controls, existing certifications, or nothing in place, is a structured gap analysis. Without one, you are making decisions based on assumptions about your own posture that are rarely accurate.

A good gap analysis covers three things:

  1. Scope confirmation. Are you in scope for NIS2? Which tier are you (essential or important)? Have you registered with the relevant national authority? This is not always obvious, particularly for diversified groups operating in multiple sectors.
  2. Control mapping. Where do your current controls, documentation, and processes map against NIS2 Article 21 and ISO 27001 Annex A? This produces a clear picture of what you have, what needs formalising, and what needs building from scratch.
  3. Prioritised remediation roadmap. Not everything needs to happen at once. The gap analysis should produce a risk-prioritised list of actions, with realistic timelines and resource estimates, that lets you make informed decisions about sequencing.

With that roadmap in hand, you can build a single integrated programme that moves you toward both NIS2 compliance and ISO 27001 certification in parallel, without duplicating effort or creating conflicting documentation.

Organisations that come to a NIS2 regulatory audit with a completed gap analysis and a documented remediation plan are in a fundamentally different position from those that arrive without one. Regulators are looking for evidence that management has taken the obligations seriously. A credible roadmap is exactly that evidence.

Frequently asked questions

Is NIS2 the same as ISO 27001?

No. NIS2 is an EU directive, a legal obligation that applies automatically to in-scope organisations in 18 sectors. ISO 27001 is an international standard for information security management systems (ISMS) that any organisation can pursue voluntarily. NIS2 tells you what you must achieve; ISO 27001 gives you a structured system for achieving and demonstrating it.

Does ISO 27001 certification satisfy NIS2 compliance?

Not entirely, but it covers most of the ground. ISO 27001 maps well to all 10 Article 21 security measures. However, ISO 27001 does not include NIS2's specific 24-hour incident notification requirement, personal management liability provisions, or sector-specific registration obligations. An ISO 27001-certified organisation is typically 70-80% of the way to NIS2 compliance and needs targeted gap work to close the remaining distance.

Which should we do first: NIS2 or ISO 27001?

If you are in scope for NIS2, that obligation is already active. It cannot wait. The most efficient path for most organisations is to pursue NIS2 compliance first, using an ISO 27001-aligned structure from the outset. This way, the work you do for NIS2 becomes the foundation of your ISO 27001 certification, rather than running two parallel programmes.

Do SMEs need to worry about NIS2?

Organisations with fewer than 50 employees and under €10 million in annual turnover are generally exempt from NIS2's direct requirements. However, larger in-scope companies are required to assess and manage the security of their supply chains, which means SMEs supplying those companies will face security requirements flowing down through contracts, even without being directly regulated.

How long does ISO 27001 certification take?

Most medium-sized organisations take between 9 and 18 months to achieve ISO 27001 certification for the first time. The timeline depends on how mature your existing security controls are, the scope of the ISMS, and how quickly your team can document processes and evidence. An experienced consultancy can significantly compress this timeline by avoiding common pitfalls and structuring the programme efficiently.


Disclaimer: This article is for general informational purposes only and does not constitute legal, regulatory, or professional advice. Cyvra makes no warranty as to the accuracy or completeness of this content, which may not reflect the most current regulatory developments. Readers should seek independent legal and regulatory advice appropriate to their specific circumstances. Cyvra accepts no liability for any loss arising from reliance on this content.