In This Guide
- ISO 27001:2022 provides ~70-80% coverage of NIS2 Article 21 requirements
- Organisations with certified ISMS can accelerate NIS2 readiness by 3-6 months
- Key gaps: incident reporting timelines, supply chain depth, management body accountability, regulatory registration
- A mapping exercise identifies exactly what your ISMS already covers and where additional work is needed
- The mapping is not just a theoretical exercise—it requires evidence that ISO 27001 controls actually satisfy NIS2 intent
Why Map ISO 27001 to NIS2?
The Network and Information Security Directive 2 (NIS2), which entered into force across EU Member States in October 2024, represents the most sweeping cybersecurity regulation Europe has ever produced. It applies to essential and important entities across 18 sectors, imposes stringent cybersecurity risk-management obligations under Article 21, and introduces personal accountability for management bodies under Article 20. For the thousands of organisations now navigating NIS2 compliance, the question is not whether to act, but where to start.
If your organisation already operates an ISO/IEC 27001:2022 Information Security Management System, you hold a significant advantage. A structured mapping exercise between your existing ISMS and NIS2 requirements delivers several strategic benefits.
Strategic Value
Mapping ISO 27001 to NIS2 is not merely a compliance checkbox—it is a strategic exercise that provides clarity on your current posture, identifies precise gaps, and creates a defensible evidence trail. The benefits include:
- Clear visibility of your compliance baseline: Rather than treating NIS2 as an entirely new challenge, a mapping exercise reveals exactly how much of the regulatory terrain your ISMS already covers. Our analysis shows this is approximately 70-80% of Article 21 measures.
- Focused remediation: Instead of duplicating effort across the entire NIS2 scope, you concentrate resources on the genuine gaps—incident reporting timelines, supply-chain depth, management body governance, and registration obligations.
- Demonstrable due diligence: NIS2 competent authorities will conduct supervisory activities, including audits, security scans, and on-site inspections. Organisations that can present a documented mapping between their certified ISMS and NIS2 requirements demonstrate systematic due diligence—a factor that may influence regulatory outcomes.
Cost Efficiency and Avoiding Duplicate Effort
Organisations that treat NIS2 as a standalone compliance programme, separate from their existing ISMS, inevitably create duplicated controls, parallel documentation, and inconsistent evidence repositories. This approach is not only more expensive—it actively increases audit fatigue and the risk of conflicting information being presented to different assessors.
By contrast, organisations that map NIS2 requirements into their existing ISO 27001 framework benefit from a single risk register, a unified Statement of Applicability (extended with NIS2 columns), one internal audit programme, and a consolidated evidence repository. The operational savings are substantial: our experience shows that organisations taking the integrated approach spend 30-40% less on NIS2 compliance than those building a parallel programme.
NIS2 Recital 79: "Member States should encourage the use of relevant European and international standards... including ISO/IEC 27001."
Demonstrating Due Diligence to Regulators
NIS2 introduces a supervision model that distinguishes between essential entities (subject to ex ante supervision) and important entities (subject to ex post supervision). In both cases, competent authorities have broad powers to request evidence of compliance. An organisation that can present a structured, documented mapping between its ISO 27001 controls and NIS2 Article 21 measures—complete with evidence references, gap identification, and remediation records—demonstrates a level of diligence that unstructured approaches cannot match.
Furthermore, NIS2 Article 21(1) requires measures to be "appropriate and proportionate." ISO 27001's risk-based approach, which requires justification for every control inclusion or exclusion in the SoA, provides precisely the proportionality framework that NIS2 demands. The mapping exercise makes this proportionality argument explicit and auditable.
Coverage Overview
Before examining the detailed control-by-control mapping, it is important to understand the high-level picture: where ISO 27001 provides strong alignment with NIS2, and where the gaps sit.
Where ISO 27001 Provides Strong Coverage
ISO 27001:2022's strength lies in its comprehensive treatment of risk management, access control, cryptography, secure development, supplier relationships, and effectiveness measurement. The 2022 revision of Annex A introduced updated controls for threat intelligence (A.5.7), information security for cloud services (A.5.23), and ICT readiness for business continuity (A.5.30), which further narrowed the gap with NIS2. These areas map directly—and in many cases fully—to NIS2 Article 21 measures.
Specifically, ISO 27001 delivers full or near-full coverage for:
- Risk analysis and IS policies — ISO 27001 Clauses 6.1, 8.2-8.3 and Annex A 5.1 directly address this
- Secure acquisition, development, and maintenance — Annex A 8.25-8.31, 8.8-8.9 provide comprehensive secure development and vulnerability management
- Effectiveness assessment — Clauses 9.1-9.3 and Annex A 5.35-5.36 cover monitoring, internal audit, and independent review
- Cryptography — Annex A 8.24 addresses cryptographic policies
- HR security, access control, and asset management — Annex A 5.9-5.18, 6.1-6.6, and 8.1-8.5 provide extensive coverage
Where the Gaps Sit
NIS2 goes beyond information security management in several material ways. It prescribes specific incident reporting timelines (24-hour early warning, 72-hour detailed notification, one-month final report) that ISO 27001 does not mandate. It imposes registration requirements with national CSIRTs and competent authorities. It introduces personal liability for management bodies, including mandatory cybersecurity training for board members. And it demands a deeper level of supply-chain security, requiring organisations to consider cascading risks through multi-tier supplier relationships.
Understanding these boundaries is essential before you invest effort in remediation. The detailed mapping table that follows identifies the coverage level for each Article 21 measure so you can prioritise precisely where work is needed.
Complete Article 21 to ISO 27001 Mapping
This is the core of the guide. The table below maps each of the ten cybersecurity risk-management measures specified in NIS2 Article 21(2)(a) through (j) to the corresponding ISO 27001:2022 clauses and Annex A controls. Five columns are provided: the NIS2 measure, the ISO 27001 clause-level coverage, the specific Annex A controls, the assessed coverage level, and notes on any gaps requiring remediation.
| NIS2 Article 21 Measure | ISO 27001 Coverage | Annex A Controls | Coverage Level | Gap Notes |
|---|---|---|---|---|
| (a) Risk analysis and information system security policies | Clause 6.1 (Actions to address risks), Clause 8.2 (Risk assessment), Clause 8.3 (Risk treatment) | A.5.1 (Policies for information security) | Full | Minor: ensure policies explicitly reference network and information system security as required by NIS2 wording, not just information security generically |
| (b) Incident handling (detection, response, reporting and recovery) | Clause 6.1 (Risk-based planning for incidents) | A.5.24 (Incident management planning), A.5.25 (Assessment of IS events), A.5.26 (Response to IS incidents), A.5.27 (Learning from incidents), A.5.28 (Collection of evidence), A.6.8 (IS event reporting) | Partial | NIS2 mandates 24-hour early warning and 72-hour notification to CSIRT. ISO 27001 requires incident handling but does not prescribe external reporting timelines or mandatory CSIRT notification channels |
| (c) Business continuity and crisis management (backup, disaster recovery, crisis management) | Clause 6.1 (Risk-based planning) | A.5.29 (IS during disruption), A.5.30 (ICT readiness for business continuity) | Partial | NIS2 explicitly requires crisis management governance and crisis communication plans. ISO 27001 covers BCP and ICT readiness but may lack formal crisis-management structures and cyber-specific crisis scenarios |
| (d) Supply chain security (security of relationships with direct suppliers and service providers) | Clause 6.1 (Risk assessment of external parties) | A.5.19 (IS in supplier relationships), A.5.20 (IS within supplier agreements), A.5.21 (Managing IS in ICT supply chain), A.5.22 (Monitoring/review of supplier services) | Partial | NIS2 requires assessment of Tier 2/Tier 3 supplier dependencies, supplier-specific vulnerability analysis, overall quality assessment of supplier cybersecurity practices, and cascading contractual requirements—deeper than ISO 27001's Tier 1 focus |
| (e) Security in acquisition, development and maintenance (including vulnerability handling and disclosure) | Clause 8.1 (Operational planning and control) | A.8.25 (Secure development lifecycle), A.8.26 (Application security requirements), A.8.27 (Secure system architecture), A.8.28 (Secure coding), A.8.29 (Security testing), A.8.30 (Outsourced development), A.8.31 (Separation of environments), A.8.8 (Management of technical vulnerabilities), A.8.9 (Configuration management) | Full | Good coverage. Ensure vulnerability disclosure processes are documented and coordinated with external parties as NIS2 expects participation in coordinated vulnerability disclosure |
| (f) Policies and procedures to assess effectiveness of cybersecurity measures | Clause 9.1 (Monitoring, measurement, analysis, evaluation), Clause 9.2 (Internal audit), Clause 9.3 (Management review) | A.5.35 (Independent review of IS), A.5.36 (Compliance with IS policies, rules and standards) | Full | Strong alignment. ISO 27001's PDCA cycle and mandatory internal audit programme satisfy NIS2's effectiveness assessment requirements comprehensively |
| (g) Basic cyber hygiene practices and cybersecurity training | Clause 7.2 (Competence), Clause 7.3 (Awareness) | A.6.3 (IS awareness, education and training), A.6.1 (Screening), A.6.2 (Terms and conditions of employment) | Partial | NIS2 is more prescriptive: requires management body members to undergo cybersecurity training specifically, and demands "basic cyber hygiene" practices be formally defined. ISO 27001 covers awareness generically but does not mandate board-level training |
| (h) Policies and procedures regarding cryptography and, where appropriate, encryption | Clause 6.1 (Risk-based control selection) | A.8.24 (Use of cryptography) | Full | Good coverage. Ensure cryptographic policy addresses both data at rest and data in transit, and consider encryption mandates that may arise from national transpositions |
| (i) Human resources security, access control policies and asset management | Clause 7.2 (Competence), Clause 8.1 (Operational control) | A.5.9-5.13 (Inventory, acceptable use, return, classification, labelling of assets), A.5.14-5.18 (Information transfer, access control, identity management, authentication, access rights), A.6.1-6.6 (People controls: screening, employment terms, awareness, disciplinary, termination, confidentiality), A.8.1-8.5 (User devices, privileged access, access restriction, source code access, secure authentication) | Full | Comprehensive alignment. ISO 27001 provides extensive coverage across HR security, access control, and asset management domains |
| (j) Use of multi-factor authentication or continuous authentication, secured voice/video/text communications, secured emergency communication systems | Clause 8.1 (Operational control) | A.8.5 (Secure authentication) | Partial | ISO 27001 requires "secure authentication" but does not explicitly mandate MFA or continuous authentication. NIS2 is more specific about MFA requirements, secured communications channels, and emergency communication system resilience |
Coverage Summary
- Full coverage (5 of 10 measures): (a) Risk analysis and IS policies, (e) Secure acquisition/development/maintenance, (f) Effectiveness assessment, (h) Cryptography, (i) HR security/access control/asset management
- Partial coverage (5 of 10 measures): (b) Incident handling, (c) Business continuity/crisis management, (d) Supply chain security, (g) Cyber hygiene/training, (j) MFA/secure communications
- Complete gap (0 of 10 measures): ISO 27001 provides at least a working foundation for every Article 21 measure
This confirms the estimated 70-80% overlap. Crucially, even where coverage is partial, your ISMS provides a working baseline. The remediation effort is incremental, not transformational. However, the mapping is not just a theoretical exercise—it requires evidence that each ISO 27001 control actually satisfies the NIS2 intent. A control that exists on paper but lacks operational evidence will not pass regulatory scrutiny.
NIS2 Requirements NOT Covered by ISO 27001
While the mapping table demonstrates that no Article 21 measure is a complete gap at the measure level, several critical NIS2-specific requirements sit entirely outside the scope of ISO 27001. These are obligations that require new processes, documentation, or governance structures regardless of how mature your ISMS is.
1. 24-Hour / 72-Hour / One-Month Incident Reporting to CSIRT
NIS2 Article 23 mandates a structured, multi-stage incident reporting process that is far more prescriptive than anything in ISO 27001:
- Within 24 hours: An early warning to the national CSIRT or competent authority, indicating whether the significant incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact
- Within 72 hours: A detailed incident notification providing an initial assessment including severity, impact, and indicators of compromise
- Within one month: A final report detailing root cause analysis, mitigation measures applied, cross-border impact assessment, and lessons learned
ISO 27001 Annex A 5.24-5.28 requires organisations to plan for, assess, respond to, and learn from incidents—but it does not prescribe these specific timelines, define "significant incident" in NIS2 terms, or mandate external reporting to government bodies. This gap requires new procedures, designated reporting channels, pre-drafted templates, and regular rehearsals to ensure the timelines can be met under pressure.
2. Management Body Personal Liability
NIS2 Article 20 holds the management body directly and personally accountable for cybersecurity risk-management measures. This includes:
- Formally approving the cybersecurity risk-management measures adopted pursuant to Article 21
- Overseeing the implementation of those measures
- Being held liable for infringements of Article 21
- Undergoing mandatory cybersecurity training and encouraging similar training for all employees on a regular basis
ISO 27001 Clause 5 (Leadership) requires top management commitment, resource allocation, and assignment of ISMS roles—but it does not impose personal liability on individual board members, nor does it mandate that specific directors complete cybersecurity training. This gap requires formal governance updates, documented board resolutions, training records for named individuals, and potentially legal review of liability implications under your national transposition law.
3. Registration with National Competent Authority
NIS2 Article 3(3) requires essential and important entities to register with their national competent authority or CSIRT. Registration information typically includes entity name, registered address, sector classification, contact information for the designated responsible person, IP address ranges, domain names, and a list of Member States where the entity provides services. This is a purely administrative obligation with no equivalent whatsoever in ISO 27001. Failure to register may itself constitute a compliance breach.
4. Coordinated Vulnerability Disclosure Participation
NIS2 Article 12 establishes a framework for coordinated vulnerability disclosure at the EU level. While ISO 27001 Annex A 8.8 addresses management of technical vulnerabilities within the organisation, NIS2 expects entities to participate in broader coordinated disclosure mechanisms. This means establishing processes for receiving vulnerability reports from external researchers, coordinating with CSIRTs on vulnerability disclosure timelines, and contributing to the European vulnerability database. Organisations must formalise their vulnerability disclosure policy, designate a point of contact, and integrate external disclosure processes into their vulnerability management workflow.
5. Supply Chain Cascading Requirements
NIS2 Article 21(2)(d) and Article 21(3) go significantly beyond ISO 27001's supplier management controls. Specifically, NIS2 requires:
- Assessment of vulnerabilities specific to each direct supplier and service provider—not just generic supplier risk categories
- Evaluation of the overall quality of products and cybersecurity practices of suppliers, including their secure development procedures
- Consideration of the results of coordinated security risk assessments of critical supply chains carried out at EU level (Article 22)
- Cascading of cybersecurity requirements through contractual arrangements beyond Tier 1 suppliers into Tier 2 and Tier 3 relationships
ISO 27001 Annex A 5.19-5.22 provides a solid foundation for supplier management, but it does not require the depth of multi-tier assessment, supplier-specific vulnerability analysis, or contractual cascading that NIS2 demands. Closing this gap typically requires significant enhancement of existing supplier risk assessment processes, contract templates, and monitoring procedures.
Gap Remediation Roadmap
For ISO 27001-certified organisations, the remediation programme should be structured as an extension of your existing ISMS—not as a parallel compliance project. The following prioritised roadmap addresses each identified gap in order of regulatory criticality and implementation complexity.
Priority 1: Incident Reporting Procedures (Weeks 1-4)
This is the highest-priority gap because failure to report a significant incident within the mandated timelines carries immediate regulatory consequences and potential penalties.
- Define "significant incident" criteria aligned with NIS2 Article 23(3) and your national transposition law
- Establish a 24-hour early-warning procedure with a designated internal escalation chain and pre-configured CSIRT reporting channel
- Create standardised templates for the 72-hour detailed notification (covering severity, impact, indicators of compromise) and the one-month final report (root cause, remediation, cross-border assessment)
- Identify and train designated incident reporters who can operate the procedure under time pressure
- Conduct a tabletop exercise simulating the full 24h/72h/1-month reporting cycle
- Integrate NIS2 reporting triggers into your existing incident management process (Annex A 5.24-5.28)
Priority 2: Management Body Governance (Weeks 2-6)
Article 20 liability provisions mean this cannot wait until the technical work is complete. Management body engagement should run in parallel with incident reporting enhancements.
- Brief the management body on NIS2 obligations, personal liability provisions, and penalty structures
- Obtain formal board resolution approving the organisation's cybersecurity risk-management measures as required by Article 21
- Document management body oversight responsibilities in ISMS governance documents
- Schedule and deliver mandatory cybersecurity training for all management body members, with documented attendance
- Establish a regular reporting cadence (quarterly at minimum) from the ISMS manager to the management body on cybersecurity risk status
- Engage legal counsel to review personal liability implications under your specific national transposition
Priority 3: Entity Registration (Weeks 3-5)
Registration is an administrative prerequisite that should be completed early in the programme.
- Confirm your entity classification (essential or important) under NIS2 Annexes I and II and your national transposition
- Compile the required registration information: entity name, address, sector classification, responsible-person contact details, IP ranges, domain names, and list of Member States where services are provided
- Submit registration to your national competent authority or CSIRT through the designated portal
- Establish a process to update registration details when material changes occur
Priority 4: Supply-Chain Security Enhancement (Weeks 4-12)
This is typically the most effort-intensive gap to close, as it involves changes to supplier assessment processes, contract templates, and monitoring procedures.
- Map your critical supply chain beyond Tier 1 suppliers to identify significant Tier 2 and Tier 3 dependencies
- Develop a supplier-specific vulnerability assessment methodology that goes beyond generic risk categories
- Evaluate the overall quality of cybersecurity practices for critical suppliers, including their secure development procedures
- Update contract templates to include NIS2-aligned cybersecurity requirements, including incident notification obligations and the right to cascade requirements to sub-suppliers
- Establish a coordinated vulnerability-disclosure process with key suppliers
- Monitor the outcomes of EU-level coordinated supply-chain risk assessments (Article 22) and incorporate findings into your risk register
Priority 5: MFA and Secure Communications (Weeks 6-10)
- Deploy multi-factor authentication for all privileged access, remote access, and administrative interfaces where not already in place
- Evaluate continuous authentication mechanisms for high-risk systems and user populations
- Implement secured voice, video, and text communication channels for sensitive operational communications
- Establish and test secured emergency communication systems that can operate independently of primary channels
- Document MFA deployment scope and any risk-accepted exclusions in your SoA
Priority 6: Business Continuity and Crisis Management Enhancement (Weeks 6-12)
- Develop or formalise a crisis-management governance structure with defined roles, escalation procedures, and decision authorities
- Create a crisis-communication plan covering internal stakeholders, customers, competent authorities, CSIRT, and media
- Design and conduct crisis-management exercises that include cyber-specific scenarios (ransomware, data breach, supply-chain compromise)
- Ensure alignment with any sector-specific crisis-management regulations in your national transposition
- Integrate crisis-management processes with your existing BCP and incident management controls
Priority 7: Cyber Hygiene and Board Training Programme (Weeks 8-14)
- Define a formal "basic cyber hygiene" programme as referenced by NIS2, covering password management, phishing awareness, software updates, secure configuration, and backup practices
- Ensure the programme is delivered to all employees, not just IT staff
- Develop a separate, board-specific cybersecurity training module covering NIS2 obligations, threat landscape, risk posture, and governance responsibilities
- Establish annual refresher requirements and maintain training records as evidence
Priority 8: Coordinated Vulnerability Disclosure (Weeks 10-14)
- Publish a vulnerability disclosure policy (VDP) on your website with clear reporting instructions
- Designate a point of contact for receiving vulnerability reports from external researchers
- Define a process for coordinating disclosure timelines with reporters and CSIRTs
- Contribute to the European vulnerability database where applicable
- Integrate external vulnerability reports into your existing vulnerability management process (Annex A 8.8)
After completing the remediation roadmap (typically weeks 14-18), conduct a comprehensive validation cycle: internal audit of all NIS2-specific controls, a full incident-reporting tabletop exercise, management body review of NIS2 readiness status, and compilation of an evidence pack that links each Article 21 measure to documented controls and evidence. This validation should be completed before your first potential supervisory interaction.
Can ISO 27001 Certification Demonstrate NIS2 Compliance?
This is one of the most frequently asked questions, and the answer requires nuance. ISO 27001 certification does not automatically equal NIS2 compliance—but it provides strong, defensible evidence of a systematic approach to cybersecurity risk management.
What Certification Does Provide
An accredited ISO 27001:2022 certificate demonstrates that your organisation has undergone independent, third-party assessment of its ISMS and that it meets internationally recognised standards for information security management. Specifically, it evidences:
- A functioning risk assessment and treatment process (Clauses 6.1, 8.2, 8.3)
- Implemented controls proportionate to identified risks (Annex A, SoA)
- Regular internal audits and management reviews (Clauses 9.2, 9.3)
- A continual improvement cycle (Clause 10)
- Leadership commitment and resource allocation (Clause 5)
These elements directly underpin NIS2 Article 21(1)'s requirement for "appropriate and proportionate technical, operational and organisational measures." A competent authority reviewing an organisation with current ISO 27001 certification will recognise that the foundational risk management framework is in place.
What Certification Does NOT Provide
Certification does not address the NIS2-specific obligations that fall outside ISO 27001's scope: the 24h/72h/1-month incident reporting timelines, management body personal liability and mandatory training, entity registration, coordinated vulnerability disclosure participation, and the depth of supply-chain security assessment that NIS2 requires. An organisation that presents only its ISO 27001 certificate without addressing these gaps will not satisfy a competent authority's supervisory assessment.
Member State Recognition
NIS2 Recital 79 explicitly encourages Member States to recognise relevant international standards, including ISO 27001, as evidence of compliance. Some national transposition laws may formalise this recognition more than others. For example, certain Member States may provide a presumption of compliance for specific Article 21 measures where ISO 27001 certification exists, while still requiring evidence for the gaps identified above. Organisations should monitor their national transposition law for any formal recognition provisions and adjust their compliance strategy accordingly.
The strongest compliance posture combines ISO 27001 certification with a documented NIS2 gap assessment, a completed remediation programme, and an extended Statement of Applicability that maps every Article 21 requirement to specific evidence. This integrated approach provides both the breadth of ISO 27001 and the specificity of NIS2.
Dual-Compliance Strategy
Achieving NIS2 readiness is a milestone, not a destination. Sustaining dual compliance with both ISO 27001 and NIS2 over time requires embedding NIS2 requirements into your ongoing ISMS lifecycle rather than treating them as a one-time project.
Integrated Audit Approach
Rather than conducting separate audit cycles for ISO 27001 and NIS2, expand your existing internal audit programme (Clause 9.2) to include NIS2-specific requirements. Each internal audit should assess both ISO 27001 control effectiveness and NIS2-specific obligations in a single pass. This means auditing the incident-reporting chain (including 24h/72h timeline adherence), supply-chain control depth, management body governance records, entity registration status, and MFA deployment alongside your standard Annex A control reviews.
During ISO 27001 surveillance audits, request that your certification body review your NIS2-extended SoA. While the CB will not certify NIS2 compliance, its independent review of your NIS2-aligned controls adds assurance and identifies potential weaknesses before a supervisory authority audit.
Unified Statement of Applicability
The most efficient governance mechanism for dual compliance is an extended SoA. Add the following columns to your existing SoA:
| SoA Column | Purpose |
|---|---|
| NIS2 Article 21(2) Reference | Which NIS2 measure(s) this control supports—e.g., "Art. 21(2)(a)", "Art. 21(2)(b)" |
| NIS2 Coverage Level | Full, Partial, or Gap—indicating how much of the NIS2 requirement is met by the ISO 27001 control alone |
| Additional NIS2 Measures | Specific additional controls, processes, or documentation needed to achieve full NIS2 compliance |
| NIS2 Evidence Reference | Pointer to the evidence or documentation that demonstrates NIS2 compliance for this requirement |
| NIS2 Owner | The person or team responsible for the additional NIS2 measure (may differ from the ISO 27001 control owner) |
For NIS2-only requirements with no corresponding Annex A control, add new rows:
- NIS2-REG-01: Entity registration with national competent authority / CSIRT
- NIS2-INC-01: 24-hour early-warning reporting procedure
- NIS2-INC-02: 72-hour detailed incident notification
- NIS2-INC-03: One-month final incident report
- NIS2-GOV-01: Management body approval and oversight of cybersecurity measures
- NIS2-GOV-02: Management body cybersecurity training programme
- NIS2-SUP-01: Multi-tier supply-chain risk assessment
- NIS2-VDP-01: Coordinated vulnerability disclosure policy
- NIS2-COM-01: Secured emergency communication systems
Management Review Integration
Include NIS2 compliance status as a standing agenda item in management reviews (Clause 9.3). Report on incident-reporting readiness metrics, supply-chain risk status, national transposition developments, supervisory authority communications, and the status of management body training. This ensures the management body fulfils its Article 20 oversight obligation while simultaneously satisfying ISO 27001 management review requirements.
Regulatory Monitoring
NIS2 implementation across the EU is ongoing. The European Commission will adopt implementing and delegated acts specifying technical and methodological requirements for certain sectors. National competent authorities will issue sector-specific guidance. ENISA will publish reports, threat assessments, and peer reviews. Assign responsibility for monitoring these developments and feeding them into your ISMS continual-improvement process (Clause 10). Individual Member States may also update their national transposition laws over time.
Risk Assessment Refresh
NIS2 introduces a broader risk landscape than traditional information security. Your risk assessments (Clauses 6.1, 8.2) should now incorporate:
- Supply-chain risks at Tier 2 and Tier 3 levels
- Cross-border incident escalation risks
- Regulatory penalty risks for NIS2 non-compliance (up to EUR 10 million or 2% of global turnover for essential entities)
- Reputational risks from mandatory public disclosure of incidents
- Management body personal liability risks
Continuous Evidence Maintenance
Unlike ISO 27001 certification audits that follow a predictable three-year cycle with annual surveillance, NIS2 supervisory activities—particularly for essential entities subject to ex ante supervision—can occur at any time. Regulatory inspections may be triggered by a reported incident, a sector-wide review, a complaint, or a random selection. Maintain your evidence repository continuously, not just before scheduled audits. Automated evidence collection through GRC tooling is strongly recommended for organisations subject to NIS2.
Glocert International provides end-to-end support for organisations navigating ISO 27001 and NIS2 compliance. Our services include:
- NIS2 Gap Assessment: Structured gap analysis mapping your current ISMS to every NIS2 Article 21 measure, with a prioritised remediation plan and effort estimates
- SoA Extension Workshop: Hands-on session to extend your Statement of Applicability with NIS2 columns, additional rows, and evidence references—creating a unified compliance view
- Incident-Response Enhancement: Design and testing of NIS2-compliant incident-reporting procedures, including tabletop exercises simulating the full 24h/72h/1-month reporting cycle
- Supply-Chain Security Review: Deep-dive assessment of your supply-chain risk management against NIS2's enhanced Tier 2/3 requirements, with contract template updates
- Management Body Briefings: Board-level sessions explaining NIS2 obligations, personal liability provisions, and governance requirements, delivered by experienced practitioners
- ISO 27001 Certification: As an accredited certification body, we can certify your ISMS to ISO 27001:2022, providing the strongest possible foundation for NIS2 compliance
- Integrated Audit Programme: Design of a combined internal audit programme that covers both ISO 27001 and NIS2 requirements in a single cycle
Frequently Asked Questions
Does ISO 27001 certification automatically mean NIS2 compliance?
No. ISO 27001 provides an excellent foundation—covering roughly 70-80% of NIS2 requirements—but it does not deliver automatic NIS2 compliance. Key gaps include mandatory incident reporting timelines (24-hour early warning, 72-hour notification to CSIRT), management body personal liability provisions, entity registration obligations, coordinated vulnerability disclosure participation, and deeper supply-chain security requirements. Organisations must conduct a formal gap analysis and implement additional measures to close these gaps. However, ISO 27001 certification provides strong evidence of a systematic approach to cybersecurity risk management that competent authorities will recognise.
How much of NIS2 Article 21 is covered by ISO 27001:2022?
Our analysis shows that ISO 27001:2022 provides full coverage for 5 of the 10 Article 21(2) measures and partial coverage for the remaining 5. Full coverage exists for risk analysis and IS policies (a), secure acquisition/development/maintenance (e), effectiveness assessment (f), cryptography (h), and HR security/access control/asset management (i). Partial coverage—meaning a solid foundation exists but specific enhancements are needed—applies to incident handling (b), business continuity and crisis management (c), supply chain security (d), cyber hygiene and training (g), and MFA/secure communications (j). No Article 21 measure is a complete gap.
How long does it take an ISO 27001-certified organisation to achieve NIS2 readiness?
For organisations already certified to ISO 27001:2022 with a mature ISMS, achieving NIS2 readiness typically takes 3-6 months following the prioritised remediation roadmap. The timeline depends on several factors: the depth of existing supply-chain controls (the most effort-intensive gap), the maturity of incident response processes, whether MFA is already broadly deployed, and how quickly the management body can schedule governance updates and training. Organisations still operating under ISO 27001:2013 should budget additional time for the 2022 edition transition before beginning the NIS2 mapping.
What are the biggest NIS2 gaps for ISO 27001-certified organisations?
The five most significant gaps are: (1) incident reporting—NIS2 mandates a 24-hour early warning and 72-hour detailed notification to the CSIRT, which ISO 27001 does not prescribe; (2) supply-chain depth—NIS2 requires cascading cybersecurity requirements through the entire supply chain including Tier 2/3 dependencies, not just direct suppliers; (3) management body personal liability—NIS2 holds senior management personally accountable and requires them to undergo cybersecurity training; (4) entity registration—organisations must register with their national competent authority; and (5) coordinated vulnerability disclosure—NIS2 expects participation in EU-wide disclosure mechanisms.
Should we use the ISO 27001 Statement of Applicability for NIS2 mapping?
Yes—extending your existing Statement of Applicability (SoA) is one of the most practical and efficient approaches to managing dual compliance. Add a NIS2 column to your SoA that maps each Annex A control to the corresponding NIS2 Article 21 measure, notes the coverage level (full, partial, or gap), identifies any additional controls or processes needed, and references the specific evidence. For NIS2-only requirements (incident reporting timelines, entity registration, management body training), add new rows with dedicated identifiers. This keeps all compliance evidence in a single document, simplifies both ISO 27001 certification audits and NIS2 supervisory assessments, and ensures nothing falls through the cracks.
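As an added illustration (not the page's own tooling) of the extended SoA described above, the following Python model holds Annex A rows and NIS2-only rows side by side, rolls control-level coverage up to each Article 21(2) measure, and flags rows that claim coverage without an evidence reference. The sample rows and their measure mappings are constructed for the example; the control identifiers are Annex A numbers, but the coverage levels and evidence references are assumptions, not an assessment.

```python
from dataclasses import dataclass, field


@dataclass
class SoARow:
    """One line of the extended Statement of Applicability."""
    control_id: str          # Annex A control, or a dedicated NIS2-only identifier
    title: str
    nis2_measure: str        # Article 21(2) letter, or "NIS2-only" for new rows
    coverage: str            # "full", "partial" or "gap"
    additional: str = ""     # extra controls/processes needed to close the gap
    evidence: list = field(default_factory=list)  # evidence references


# Constructed sample rows; mappings and statuses are illustrative assumptions.
SAMPLE_ROWS = [
    SoARow("A.5.24", "Incident management planning", "(b)", "partial", "", ["IR-PROC-01"]),
    SoARow("NIS2-01", "24h early warning / 72h CSIRT notification", "(b)", "gap",
           "Reporting procedure with CSIRT contact details"),
    SoARow("A.5.19", "Supplier relationships", "(d)", "partial", "", ["SUP-POL-02"]),
    SoARow("A.5.21", "ICT supply chain security", "(d)", "partial", "Tier 2/3 flow-down clauses"),
    SoARow("A.8.24", "Use of cryptography", "(h)", "full", "", ["CRY-POL-01"]),
    SoARow("NIS2-02", "Entity registration with competent authority", "NIS2-only", "gap",
           "Register and record submission reference"),
]


def rollup(rows):
    """Coverage per measure: full only if every mapped row is full,
    gap only if every mapped row is a gap, otherwise partial."""
    by_measure = {}
    for r in rows:
        by_measure.setdefault(r.nis2_measure, []).append(r.coverage)
    result = {}
    for measure, levels in by_measure.items():
        if all(c == "full" for c in levels):
            result[measure] = "full"
        elif all(c == "gap" for c in levels):
            result[measure] = "gap"
        else:
            result[measure] = "partial"
    return result


def missing_evidence(rows):
    """Rows that claim full or partial coverage but cite no evidence."""
    return [r.control_id for r in rows if r.coverage != "gap" and not r.evidence]


if __name__ == "__main__":
    print(rollup(SAMPLE_ROWS))
    print("Rows lacking evidence:", missing_evidence(SAMPLE_ROWS))
```

The evidence check is what makes the continuous-maintenance point above actionable: run it on every SoA update rather than only before an audit.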