TL;DR ISO 27001 and the NIS 2 directive overlap substantially, but are not identical. Companies certified to ISO 27001 have roughly 70 to 80 percent of NIS 2 duties technically covered. The remaining 20 to 30 percent decide auditability and board liability. An integrated programme saves effort and reduces risk.

Why the question matters

Many companies under NIS 2 already have ISO 27001 implemented or certified. The temptation is to think: "We are ISO-certified, NIS 2 is covered." That is half-true. Anyone taking the half for the whole truth runs toward an expensive surprise, because NIS 2-specific duties on board liability and reporting channels are not covered by ISO 27001.

Other companies start with NIS 2 without any ISO history. For them, the question runs the other way: is ISO 27001 worth it as a foundation, or is a NIS 2-specific programme enough?

What both have in common

The two frameworks overlap substantially in content. ISO/IEC 27001:2022 Annex A defines 93 controls across organisational, people, physical and technological themes. The ten measures from NIS 2 Article 21 can mostly be mapped onto these controls:

  - Risk management (NIS 2 Art. 21(2)(a)) → ISO 27001 Clause 6.1 and A.5
  - Incident management (Art. 21(2)(b)) → ISO 27001 A.5.24 to A.5.30
  - Backup, crisis management (Art. 21(2)(c)) → A.5.29, A.5.30
  - Supply-chain security (Art. 21(2)(d)) → A.5.19 to A.5.23
  - Secure development and maintenance (Art. 21(2)(e)) → A.8.25 to A.8.34
  - Effectiveness assessment (Art. 21(2)(f)) → Clause 9
  - Cyber hygiene and training (Art. 21(2)(g)) → A.6.3
  - Cryptography (Art. 21(2)(h)) → A.8.24
  - Personnel security, access control (Art. 21(2)(i)) → A.6 and A.8.1 to A.8.18
  - MFA, secure communication (Art. 21(2)(j)) → A.5.17, A.8.5

A well-run ISO 27001 ISMS largely covers the substance of the NIS 2 measures.

Where NIS 2 goes beyond ISO 27001

Three areas where NIS 2 sets additional or more specific duties:

Reporting duties with strict deadlines. ISO 27001 requires an incident-management procedure. NIS 2 prescribes concrete deadlines: 24 hours for the early warning, 72 hours for the update, 30 days for the final report, with the BSI as the authority to be notified. ISO 27001 does not state to whom or by when an incident must be reported.

Personal board liability. ISO 27001 requires management responsibility (Clause 5.1) and a management review (Clause 9.3). NIS 2 goes further: the board must actively approve measures, undergo training, and is personally liable. Supervisory authorities can suspend leading individuals.

Legal binding force. ISO 27001 is voluntary. Certification is a market promise. NIS 2 is law. Violations lead to fines (up to 10M EUR or 2 percent of global annual turnover for essential entities) and supervisory orders.

Additionally, the NIS 2-specific supply-chain requirements are ISO-conformant, but in practice they go deeper than what many certified companies actually practise today.

What ISO 27001 has that NIS 2 does not

In the other direction, ISO 27001 brings tools that NIS 2 does not provide by default:

  - Certifiability by accredited bodies, with annual surveillance audits
  - Structured ISMS framework with clear clauses and internationally recognised audit logic
  - Market relevance: ISO 27001 is widespread in tenders and supplier evaluations; NIS 2 compliance is a legal duty, not a competitive differentiator

For most organisations, taking ISO 27001 as the foundation and building NIS 2 on top of it makes sense.

Integrated programme: what it looks like

An integrated compliance programme runs ISO 27001 and NIS 2 in one stack:

  1. One risk assessment, two views. ISO-compliant risk management per Clause 6.1, extended with NIS 2-specific threat scenarios (especially supply chain and availability).
  2. One control catalogue, two mappings. ISO 27001 Annex A controls additionally mapped to the NIS 2 Article 21 measures. Gaps are closed.
  3. One board resolution, both duties. Management responsibility per ISO 27001 Clause 5.1, extended with the NIS 2 duties for active approval and training.
  4. One reporting process, strict deadlines. ISO incident management extended with the 24-hour/72-hour/30-day deadlines and the BSI reporting channel.
  5. One documentation, two audits. ISO auditor and BSI supervision draw from the same evidence base, with a clear mapping between them.

This approach avoids duplicate work, keeps audit-readiness high, and makes the compliance programme manageable for the board.

Where to start

  - ISO 27001 in place, NIS 2 new: gap analysis against Article 21, add the reporting process, establish board training. Estimated additional effort: 3 to 6 months, depending on maturity.
  - Both new: start with ISO 27001 as the foundation and think NIS 2 from the outset. Timeline 9 to 18 months to certification, with NIS 2 compliance reachable earlier.
  - NIS 2 without an ISO plan: functional, but strategically short-sighted. Anyone targeting B2B tenders will need ISO 27001 anyway.

How GermanAI Defense supports

We guide companies through both frameworks in one programme. ISO 27001 certification support, NIS 2 gap analysis and implementation, BSI-compliant reporting, audit-ready documentation. We are ISO/IEC 27001:2022 certified ourselves, based in Frankfurt am Main.

→ More on our GRC and compliance services: germanaidefense.com/grc