NIS2 vs ISO 27001: how they overlap and how to comply with both

By ComplyBricks · Last reviewed Jul 12, 2026

Two of the most talked-about security frameworks for European companies are NIS2 and ISO 27001. They overlap heavily, but they serve different purposes: one is EU law you may be legally required to follow, the other is a voluntary international standard you can be certified against. This guide explains the difference — and how doing the work once can satisfy both.

The short version

  • NIS2 is an EU directive (Directive (EU) 2022/2555). If your organisation is in scope, compliance is a legal obligation, enforced through each member state's national law.
  • ISO 27001 is a voluntary international standard (ISO/IEC 27001:2022) that you can be independently certified against.
  • They overlap substantially: a well-run ISO 27001 management system covers a large part of NIS2's security requirements — but ISO 27001 alone does not make you NIS2-compliant.

What is NIS2?

NIS2 is the EU's updated cybersecurity directive, replacing the original 2016 NIS Directive. It sets a baseline of security and incident-reporting obligations for "essential" and "important" entities across sectors such as energy, transport, health, and digital infrastructure (defined in the directive's annexes). Because it is a directive, it takes effect through each member state's national transposition law. The transposition deadline was 17 October 2024, but national implementation timing has varied — verify the current status and the exact obligations in your own country.

Core obligations include:

  • Risk-management measures (Art. 21): a defined set of measures, including risk analysis and information security policies, incident handling, business continuity and backup, supply-chain security, security in system acquisition and development, cryptography, access control, and staff training.
  • Incident reporting (Art. 23): notify your national CSIRT or authority on a tight timeline — an early warning within 24 hours, a fuller notification within 72 hours, and a final report within one month.
  • Management accountability: senior management must approve and oversee cybersecurity measures and can be held responsible.

The article numbers above refer to the directive itself; your national transposition law may number or detail these requirements differently.

What is ISO 27001?

ISO/IEC 27001 is the international standard for an information security management system (ISMS) — a risk-based framework for managing information security. The current version is ISO/IEC 27001:2022. Unlike NIS2 it is voluntary: organisations adopt it to manage risk and to earn certification (often to win customer trust or meet contractual requirements), audited by an accredited certification body.

It has two parts:

  • The management-system clauses (4–10): context, leadership, planning, support, operation, performance evaluation, and improvement — the ongoing "run the ISMS" requirements, including risk assessment and a Statement of Applicability.
  • Annex A controls: a reference set of 93 controls organised into four themes — Organizational, People, Physical, and Technological — that you select from based on your risk assessment.

Where they overlap

Much of what ISO 27001 asks for maps directly onto NIS2's Art. 21 measures:

Requirement NIS2 (Art. 21) ISO 27001:2022
Risk management & security policies Yes Yes — clauses 5–6 + Annex A
Incident handling Yes Yes — Annex A
Business continuity & backup Yes Yes — Annex A
Supply-chain security Yes Yes — Annex A
Cryptography Yes Yes — Annex A
Access control Yes Yes — Annex A
Awareness & training Yes Yes — Annex A (People)

If you already run a mature ISO 27001 ISMS, you have done much of the groundwork NIS2 expects.

Where they differ (why ISO 27001 alone isn't enough)

  • Legal status: NIS2 is mandatory law for in-scope entities; ISO 27001 is voluntary.
  • Incident reporting: NIS2 imposes specific notification deadlines to a national authority (24h / 72h / one month) that ISO 27001 does not require.
  • Registration & jurisdiction: NIS2 has entity registration and cross-border jurisdiction rules with no ISO 27001 equivalent.
  • Management liability & penalties: NIS2 attaches accountability for management and administrative fines; ISO 27001 non-conformities affect your certificate, not your legal standing.
  • Scope: ISO 27001 covers information security broadly; NIS2 targets the security of network and information systems for specific sectors.

In short: ISO 27001 is a strong foundation for NIS2, not a substitute for it.

How to comply with both — once

The efficient path is to treat ISO 27001 as your operating system and layer NIS2's specific legal obligations on top:

  1. Run a single risk assessment and control set, and map each control to the frameworks it satisfies, so one piece of evidence counts for both.
  2. Adopt ISO 27001's ISMS as the backbone — risk management, policies, continual improvement.
  3. Add the NIS2-specific pieces ISO 27001 doesn't mandate: the incident-reporting workflow with the required timelines, entity registration, and documented management oversight.
  4. Maintain shared evidence so an auditor or a regulator can trace any requirement back to the same underlying work.

This "do it once, satisfy many" approach is exactly what cross-framework control mapping is for — see how ComplyBricks maps one control across ISO 27001, NIS2 and GDPR in the live demo.

Which should you start with?

  • If NIS2 applies to you, it is a legal obligation — prioritise confirming your scope and meeting its requirements.
  • If customers ask for certification, ISO 27001 gives you a structured ISMS that carries most of the NIS2 load.
  • In practice, many EU SMBs pursue both together, using ISO 27001's structure to satisfy NIS2's substance.

References

  • NIS2 — Directive (EU) 2022/2555, esp. Art. 21 (risk-management measures) and Art. 23 (reporting)
  • ISO/IEC 27001:2022

This guide is for general information only and is not legal advice. Requirements change and depend on your circumstances — verify against the primary sources and consult a qualified professional or your DPO before making compliance decisions.

See how one control satisfies ISO 27001, NIS2 and GDPR at once.

Explore the live demo →