NIS2 vs ISO 27001: how they overlap and how to comply with both
By ComplyBricks · Last reviewed Jul 12, 2026
Two of the most talked-about security frameworks for European companies are NIS2 and ISO 27001. They overlap heavily, but they serve different purposes: one is EU law you may be legally required to follow, the other is a voluntary international standard you can be certified against. This guide explains the difference — and how doing the work once can satisfy both.
The short version
- NIS2 is an EU directive (Directive (EU) 2022/2555). If your organisation is in scope, compliance is a legal obligation, enforced through each member state's national law.
- ISO 27001 is a voluntary international standard (ISO/IEC 27001:2022) that you can be independently certified against.
- They overlap substantially: a well-run ISO 27001 management system covers a large part of NIS2's security requirements — but ISO 27001 alone does not make you NIS2-compliant.
What is NIS2?
NIS2 is the EU's updated cybersecurity directive, replacing the original 2016 NIS Directive. It sets a baseline of security and incident-reporting obligations for "essential" and "important" entities across sectors such as energy, transport, health, and digital infrastructure (defined in the directive's annexes). Because it is a directive, it takes effect through each member state's national transposition law. The transposition deadline was 17 October 2024, but national implementation timing has varied — verify the current status and the exact obligations in your own country.
Core obligations include:
- Risk-management measures (Art. 21): a defined set of measures, including risk analysis and information security policies, incident handling, business continuity and backup, supply-chain security, security in system acquisition and development, cryptography, access control, and staff training.
- Incident reporting (Art. 23): notify your national CSIRT or authority on a tight timeline — an early warning within 24 hours, a fuller notification within 72 hours, and a final report within one month.
- Management accountability: senior management must approve and oversee cybersecurity measures and can be held responsible.
The article numbers above refer to the directive itself; your national transposition law may number or detail these requirements differently.
What is ISO 27001?
ISO/IEC 27001 is the international standard for an information security management system (ISMS) — a risk-based framework for managing information security. The current version is ISO/IEC 27001:2022. Unlike NIS2 it is voluntary: organisations adopt it to manage risk and to earn certification (often to win customer trust or meet contractual requirements), audited by an accredited certification body.
It has two parts:
- The management-system clauses (4–10): context, leadership, planning, support, operation, performance evaluation, and improvement — the ongoing "run the ISMS" requirements, including risk assessment and a Statement of Applicability.
- Annex A controls: a reference set of 93 controls organised into four themes — Organizational, People, Physical, and Technological — that you select from based on your risk assessment.
Where they overlap
Much of what ISO 27001 asks for maps directly onto NIS2's Art. 21 measures:
| Requirement | NIS2 (Art. 21) | ISO 27001:2022 |
|---|---|---|
| Risk management & security policies | Yes | Yes — clauses 5–6 + Annex A |
| Incident handling | Yes | Yes — Annex A |
| Business continuity & backup | Yes | Yes — Annex A |
| Supply-chain security | Yes | Yes — Annex A |
| Cryptography | Yes | Yes — Annex A |
| Access control | Yes | Yes — Annex A |
| Awareness & training | Yes | Yes — Annex A (People) |
If you already run a mature ISO 27001 ISMS, you have done much of the groundwork NIS2 expects.
Where they differ (why ISO 27001 alone isn't enough)
- Legal status: NIS2 is mandatory law for in-scope entities; ISO 27001 is voluntary.
- Incident reporting: NIS2 imposes specific notification deadlines to a national authority (24h / 72h / one month) that ISO 27001 does not require.
- Registration & jurisdiction: NIS2 has entity registration and cross-border jurisdiction rules with no ISO 27001 equivalent.
- Management liability & penalties: NIS2 attaches accountability for management and administrative fines; ISO 27001 non-conformities affect your certificate, not your legal standing.
- Scope: ISO 27001 covers information security broadly; NIS2 targets the security of network and information systems for specific sectors.
In short: ISO 27001 is a strong foundation for NIS2, not a substitute for it.
How to comply with both — once
The efficient path is to treat ISO 27001 as your operating system and layer NIS2's specific legal obligations on top:
- Run a single risk assessment and control set, and map each control to the frameworks it satisfies, so one piece of evidence counts for both.
- Adopt ISO 27001's ISMS as the backbone — risk management, policies, continual improvement.
- Add the NIS2-specific pieces ISO 27001 doesn't mandate: the incident-reporting workflow with the required timelines, entity registration, and documented management oversight.
- Maintain shared evidence so an auditor or a regulator can trace any requirement back to the same underlying work.
This "do it once, satisfy many" approach is exactly what cross-framework control mapping is for — see how ComplyBricks maps one control across ISO 27001, NIS2 and GDPR in the live demo.
Which should you start with?
- If NIS2 applies to you, it is a legal obligation — prioritise confirming your scope and meeting its requirements.
- If customers ask for certification, ISO 27001 gives you a structured ISMS that carries most of the NIS2 load.
- In practice, many EU SMBs pursue both together, using ISO 27001's structure to satisfy NIS2's substance.
References
- NIS2 — Directive (EU) 2022/2555, esp. Art. 21 (risk-management measures) and Art. 23 (reporting)
- ISO/IEC 27001:2022
This guide is for general information only and is not legal advice. Requirements change and depend on your circumstances — verify against the primary sources and consult a qualified professional or your DPO before making compliance decisions.
See how one control satisfies ISO 27001, NIS2 and GDPR at once.
Explore the live demo →