ISO 27001 vs NIS2: How They Overlap and Where They Don't

A practical comparison of ISO 27001 and the NIS2 Directive — what overlaps, what doesn't, and why NIS2-obligated organisations should use ISO 27001 as their baseline.

By RGI bv editorial team · 10 min read
Tags: NIS2 · Compliance · Strategy

NIS2 (Directive (EU) 2022/2555) entered into force in January 2023, and member states had to transpose it into national law by 17 October 2024. If your organisation qualifies as an "essential" or "important" entity under the directive, you now have legal obligations around cybersecurity risk management, incident reporting, and supply chain security. The good news: most of what NIS2 asks for is already in ISO 27001.

Where they overlap

NIS2 Article 21(2) lists ten minimum measures, points (a) to (j): policies on risk analysis and information system security; incident handling; business continuity (backups, disaster recovery, crisis management); supply chain security; security in acquiring, developing and maintaining systems, including vulnerability handling and disclosure; policies to assess how effective the measures are; basic cyber hygiene and training; cryptography and, where appropriate, encryption; human resources security, access control and asset management; and multi-factor or continuous authentication plus secured communications. Every one of them maps to ISO/IEC 27001:2022 clauses or Annex A controls, for example Clause 6.1 (risk assessment), A.5.24 to A.5.28 (incident management), A.5.29 and A.5.30 (continuity), A.5.19 to A.5.22 (supplier relationships), A.8.8 (technical vulnerabilities), A.6.3 (awareness and training), A.8.24 (cryptography), A.5.15 to A.5.18 (access control), A.5.9 (asset inventory) and A.8.5 (secure authentication).

Where they don't

  • Incident reporting timelines. Under NIS2 Article 23, a significant incident triggers an early warning within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report within one month, all submitted to your national CSIRT or competent authority. ISO 27001 requires an incident management process (Annex A 5.24 to 5.28) but sets no legal deadline.
  • Management accountability. NIS2 Article 20 requires the management body to approve the risk-management measures, oversee their implementation and follow cybersecurity training, and makes it liable for infringements. ISO 27001 Clause 5 requires top management leadership and commitment but attaches no personal liability or fines.
  • Enforcement. NIS2 gives national supervisory authorities audit, inspection and enforcement powers, with administrative fines of up to €10M or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and up to €7M or 1.4% for important entities. ISO 27001 is a voluntary standard; the only sanction for failing an audit is losing the certificate.

Strategic recommendation

If you're NIS2-obligated and don't yet have an ISMS, build and certify an ISO 27001 ISMS first. It covers roughly 80% of NIS2's technical and organisational requirements (a rough estimate, not an official mapping) and gives you a recognised certificate you can show customers and supervisors. Then add a thin NIS2 overlay for what the standard does not cover: the 24h/72h/one-month reporting procedure and the management body's approval, oversight and training duties. Keep in mind that the certificate is evidence of compliance, not a legal substitute for it: supervisors assess you against the directive and its national transposition, not against ISO 27001.
