ISO 27001:2022 covers roughly 70% of the NIS2 article 21 obligations and is the best available starting point. It is not, however, equivalent to complying with NIS2: there are NIS2-specific obligations ISO does not formally require, such as 24h/72h/1-month incident notification, active supply chain management, specific training for the management body, personal liability of directors, and effectiveness assessment through technical tests such as recurring pentesting. The recommended strategy is a NIS2-ready extended ISMS: ISO acts as the base framework and the NIS2 deltas are documented as an extension. Indicative timeline for the NIS2 extension on an already certified ISO base: 2-4 additional months.
The key question: does ISO 27001 satisfy NIS2?
Short answer: partially. Coverage is high but insufficient to consider NIS2 satisfied without additional work.
Long answer: ISO 27001:2022 establishes a complete information security management framework (clauses 4-10) and a controls catalogue (Annex A, 93 controls). NIS2 establishes specific, enforceable obligations across the ten minimum measure areas of article 21(2), plus its own regime for incident notification (article 23), governance (article 20) and supervision, enforcement and fines (articles 32-34). The overlap in controls is high, but NIS2 exceeds ISO on five concrete fronts.
Control-to-control mapping: Annex A 2022 ↔ NIS2 article 21
This is the operational equivalence table we use in real projects.
| NIS2 article 21 | Most relevant ISO 27001:2022 controls (Annex A) | ISO coverage |
|---|---|---|
| a. Risk analysis and security policies | A.5.1 Policies for information security, A.5.7 Threat intelligence, A.5.36 Compliance with policies, rules and standards; clause 6.1 Actions to address risks and opportunities | High |
| b. Incident handling | A.5.24 Incident management planning, A.5.25 Assessment, A.5.26 Response, A.5.27 Learning, A.5.28 Evidence collection | Medium-High (missing 24h/72h deadline) |
| c. Business continuity | A.5.29 Information security during disruption, A.5.30 ICT readiness for continuity, A.8.13 Backups, A.8.14 Redundancy | High |
| d. Supply chain security | A.5.19 Supplier relationships security, A.5.20 Clauses, A.5.21 ICT chain, A.5.22 Monitoring and review, A.5.23 Cloud services | Medium (NIS2 demands periodic active verification beyond clauses) |
| e. Security in acquisition, development and maintenance | A.8.8 Technical vulnerability management, A.8.25-A.8.34 Secure development, A.5.37 Operational procedures | High |
| f. Policies and procedures for effectiveness assessment | Clauses 9.1 Monitoring, 9.2 Internal audit, 9.3 Management review, A.5.35 Independent review | Medium-High (NIS2 implies technical tests beyond documentary audit) |
| g. Basic cyber hygiene and training | A.6.3 Awareness, education and training; A.5.4 Management responsibilities | Medium (NIS2 requires specific board training) |
| h. Cryptography and encryption | A.8.24 Use of cryptography (includes key management), plus the cryptographic standards adopted in policy | High |
| i. HR security, access control, asset management | A.6 People (8 controls), A.5.9-A.5.18 Assets and access, A.8.2-A.8.5 Privileges and authentication | High |
| j. MFA, secure communications, emergency communication | A.8.5 Secure authentication, A.8.20-A.8.23 Network security, A.5.14 Information transfer | High |
Aggregate coverage: 70-75% of the areas, with variable quality per area.
What ISO 27001 DOES cover from NIS2
If you have ISO 27001:2022 implemented and certified, you already have:
- Governance framework aligned with clause 5: policy approved by management, roles and responsibilities, visible commitment.
- Structured risk analysis with methodology, criticality and documented treatment.
- Incident management procedure with detection, classification, response and learning.
- Continuity plan with tested BCP/DRP.
- Minimum contractual clauses with ICT providers.
- Secure SDLC with vulnerability management.
- Access control policy and secure authentication (A.8.5), normally including MFA on privileged access.
- Internal audits and management review.
- General staff training in cyber hygiene.
- Documented cryptography.
This is the solid base on which to build.
What ISO 27001 DOES NOT cover from NIS2
1. Incident notification 24h / 72h / 1 month
ISO 27001 requires an incident management procedure but sets no deadlines or reporting channels to authorities. NIS2 (article 23) requires, for any incident classified as significant:
- Early warning within 24 hours of becoming aware of the incident, to the competent CSIRT (or competent authority, depending on the member state)
- Incident notification within 72 hours of becoming aware, with an initial assessment of severity and impact and, where available, indicators of compromise
- Final report within 1 month of the incident notification; if the incident is still being handled at that point, a progress report then and a final report within 1 month of handling ending
- Intermediate status updates on request of the CSIRT or competent authority
Action: extend the ISO procedure with a NIS2 flow that starts the deadline clock automatically when an incident is classified as significant, and name the competent CSIRT (or authority) as recipient in the templates. Record the moment of awareness explicitly: that timestamp, not the detection alert or the ticket creation time, is what the 24h and 72h clocks are measured from.
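The deadline logic described above, as an added example (not code from the original article or from Secra): a small tracker that derives the NIS2 article 23 due dates from the recorded moment of awareness and reports, at a given time, which reports are sent, late, overdue or still pending. The incident reference, timestamps and the 30-day modelling of "one month" are assumptions of this example, and the structure is meant to be wired into a ticketing system rather than used on its own.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Statutory stages from NIS2 article 23(4). The 24h and 72h stages are counted
# from the moment of awareness; the final report is due one month after the
# incident notification. "One month" is modelled as 30 days here, which is an
# assumption of this example, not a figure taken from the directive.
STAGE_DELAYS = {
    "early_warning": timedelta(hours=24),          # from awareness
    "incident_notification": timedelta(hours=72),  # from awareness
    "final_report": timedelta(days=30),            # from the incident notification
}


@dataclass
class Incident:
    ref: str
    aware_at: datetime          # when the entity became aware of the incident (clock start)
    significant: bool           # outcome of the significance classification
    submitted: dict = field(default_factory=dict)  # stage -> datetime the report went to the CSIRT


def schedule(incident: Incident) -> dict:
    """Return {stage: due datetime}. Empty when the incident is not significant."""
    if not incident.significant:
        return {}
    due = {
        "early_warning": incident.aware_at + STAGE_DELAYS["early_warning"],
        "incident_notification": incident.aware_at + STAGE_DELAYS["incident_notification"],
    }
    # The final report's clock starts when the incident notification is actually
    # submitted; until then it is projected from the 72h deadline.
    start = incident.submitted.get("incident_notification", due["incident_notification"])
    due["final_report"] = start + STAGE_DELAYS["final_report"]
    return due


def status(incident: Incident, now: datetime) -> dict:
    """Per stage: 'sent' (on time), 'late' (sent after due), 'overdue' (unsent, past due) or 'pending'."""
    out = {}
    for stage, due in schedule(incident).items():
        sent_at = incident.submitted.get(stage)
        if sent_at is not None:
            out[stage] = "sent" if sent_at <= due else "late"
        elif now > due:
            out[stage] = "overdue"
        else:
            out[stage] = "pending"
    return out


def next_action(incident: Incident, now: datetime):
    """Earliest unsent stage and the hours left (negative when already overdue), or None."""
    for stage, due in schedule(incident).items():
        if stage not in incident.submitted:
            return stage, (due - now).total_seconds() / 3600
    return None


# Constructed sample incident (not a real case): aware on 3 March 09:00 UTC,
# early warning sent 11 hours later, incident notification still not sent.
SAMPLE = Incident(
    ref="INC-EXAMPLE-001",
    aware_at=datetime(2025, 3, 3, 9, 0, tzinfo=timezone.utc),
    significant=True,
    submitted={"early_warning": datetime(2025, 3, 3, 20, 0, tzinfo=timezone.utc)},
)
NOW = datetime(2025, 3, 6, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for stage, state in status(SAMPLE, NOW).items():
        print(f"{SAMPLE.ref} {stage:22s} {state}")
    print("next action:", next_action(SAMPLE, NOW))
```

Run stand-alone, the sample shows the early warning sent on time, the 72-hour incident notification one hour overdue, and the final report still pending. Keeping `aware_at` as a separate, explicitly recorded field is the point: an inspection will ask when the entity became aware, and the detection timestamp is rarely the same thing.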
2. Supply chain: extended scope and active verification
ISO requires contractual clauses (A.5.20) and periodic monitoring and review of supplier services (A.5.22). NIS2 (article 21(2)(d) and 21(3)) goes further:
- Maintained, reviewable inventory of critical ICT providers
- Documented periodic evaluation of each provider's risk
- Concentration risk considered at aggregate level
- Response plan for incidents affecting a critical provider
Action: document the inventory, the periodic evaluation procedure (questionnaires, evidence requested, frequency) and the concentration analysis. This usually means formalising what already exists informally.
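The inventory, periodic evaluation and concentration checks listed above, as an added example (not code from the original article or from Secra): a script over a constructed provider inventory and a map of critical services to the providers they depend on. It flags providers whose evaluation is missing or past its review interval, providers that services depend on but that are absent from the inventory, and providers whose failure would take down a large share of critical services. Provider and service names, review intervals and the 50% concentration threshold are assumptions of this example.

```python
import calendar
from datetime import date

# Constructed sample inventory and dependency map (not real providers or services).
PROVIDERS = {
    "cloud-hosting-a": {"last_assessment": date(2024, 9, 1), "review_months": 12},
    "idp-b":           {"last_assessment": date(2025, 1, 15), "review_months": 12},
    "backup-c":        {"last_assessment": None, "review_months": 6},  # never assessed
}
CRITICAL_SERVICES = {
    "customer-portal": ["cloud-hosting-a", "idp-b"],
    "billing-api":     ["cloud-hosting-a", "idp-b"],
    "data-pipeline":   ["cloud-hosting-a", "backup-c"],
    "support-desk":    ["idp-b", "email-d"],  # email-d is missing from the inventory
}
TODAY = date(2025, 3, 1)  # assumed review date


def add_months(d: date, months: int) -> date:
    """Calendar-aware month addition, clamping the day to the target month's length."""
    month_index = d.month - 1 + months
    year, month = d.year + month_index // 12, month_index % 12 + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def overdue_assessments(providers: dict, today: date) -> list:
    """Providers whose periodic evaluation is missing or past its review interval."""
    out = []
    for name, p in providers.items():
        last = p["last_assessment"]
        if last is None or today > add_months(last, p["review_months"]):
            out.append(name)
    return sorted(out)


def unknown_dependencies(services: dict, providers: dict) -> list:
    """Providers that critical services depend on but that are not in the inventory."""
    referenced = {prov for deps in services.values() for prov in deps}
    return sorted(referenced - set(providers))


def concentration(services: dict) -> dict:
    """Share of critical services that depend on each provider (0.0 to 1.0)."""
    counts = {}
    for deps in services.values():
        for prov in set(deps):
            counts[prov] = counts.get(prov, 0) + 1
    total = len(services)
    return {prov: n / total for prov, n in counts.items()}


def concentration_flags(services: dict, threshold: float = 0.5) -> list:
    """Providers whose outage would hit at least `threshold` of the critical services."""
    return sorted(p for p, share in concentration(services).items() if share >= threshold)


def supply_chain_report(providers: dict, services: dict, today: date) -> dict:
    """Single structure suitable for attaching to the periodic supplier review record."""
    return {
        "overdue_assessments": overdue_assessments(providers, today),
        "not_in_inventory": unknown_dependencies(services, providers),
        "concentration_flags": concentration_flags(services),
    }


if __name__ == "__main__":
    for key, value in supply_chain_report(PROVIDERS, CRITICAL_SERVICES, TODAY).items():
        print(f"{key:22s} {value}")
```

The `not_in_inventory` finding is the one worth watching in real projects: the dependency map is usually built from architecture and contracts, while the inventory is built from procurement, and a provider appearing in the first but not the second is exactly the gap an inspector will ask about.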
3. Personal liability of directors
ISO 27001 requires leadership commitment (clause 5.1) but imposes no personal consequences for non-compliance. NIS2 does: article 20 requires the management body to approve the cybersecurity risk-management measures, oversee their implementation and be liable for infringements, and article 32 allows authorities, for essential entities, to temporarily prohibit persons with managerial responsibilities at CEO or legal representative level from exercising managerial functions.
Action: document board due diligence: approval minutes, training received, decisions on security budget and priorities. It's the best defence in an inspection.
4. Specific training for the management body
ISO 27001 requires general staff training (A.6.3). NIS2 (article 20(2)) requires members of the management body to follow training on cybersecurity risk management practices and their impact on the entity's services.
Action: design a training plan aimed at the board with content on NIS2 obligations, real sector scenarios, decisions they'll have to make. At least annually, with attendance register and assessment.
5. Effectiveness assessment through technical tests
ISO 27001 (clause 9 + A.5.35) requires internal audit and independent review. NIS2 (article 21 letter f) requires assessing the effectiveness of measures operationally.
In practice, supervisory authorities expect evidence such as:
- Recurring pentesting of critical applications and infrastructure
- Architecture and segmentation audit
- Threat modeling of significant services
- Drills of the incident procedure (tabletop, technical)
- Red Team exercises in large organisations
Action: documented annual technical testing programme, with schedule, scope and actionable results.
Recommended strategy: NIS2-ready extended ISMS
Rather than managing two parallel frameworks, the best strategy is a single ISMS extended with NIS2 annexes.
Extended ISMS structure
Corporate ISMS (based on ISO 27001:2022):
- Clauses 4-10: identical, serve both frameworks.
- Annex A: 93 controls, common base.
- NIS2 Annex (extension documented as an expansion of the ISMS):
  - 24h / 72h / 1 month notification procedure
  - Inventory and periodic evaluation of critical ICT providers
  - Specific training plan for the board
  - Technical testing programme aligned with article 21 letter f
  - Register of board due diligence evidence
  - Map of critical services with threat modeling
- Integrated compliance annex: evidence mapping across frameworks:
  - ISO 27001 Annex A ↔ NIS2 article 21
  - ISO 27001 Annex A ↔ ENS (if applicable)
  - ISO 27001 Annex A ↔ DORA (if applicable)
Benefits
- Single governance: the security committee covers both
- Single internal audit verifying both frameworks
- Single risk analysis
- Single set of evidence
- External ISO audit remains independent; NIS2 gaps get closed via additional audit or consulting
Incremental effort for an SME already ISO-certified
Typical components of the NIS2 extension on an already implemented ISO 27001:2022 base:
- Design of the 24h/72h/1 month notification procedure + templates + tabletop drill.
- Inventory of critical ICT providers and periodic evaluation procedure.
- Specific training plan for the board and first documented session.
- Annual technical testing programme aligned with article 21 letter f, including pentesting of critical services.
- Board due diligence documentation and ISMS update.
Timeline: 2-4 additional months on top of the implemented ISO base. The concrete effort and budget are calculated from the scope of critical services and the depth of the technical component; request an initial conversation for a tailored assessment.
Practical case: tech SME with ISO 27001:2022 complying with NIS2
Context: Spanish B2B software company, 120 employees, €22M turnover, certified ISO 27001:2022. Provides SaaS services to healthcare and transport entities (clients under NIS2 as essential entities).
Why NIS2 applies: the company provides services in a sector listed in NIS2 Annex I (ICT service management (business-to-business)), exceeds the medium-enterprise thresholds of article 2 (50 employees or €10M turnover), and its essential-entity clients will contractually require equivalent measures even where the directive did not apply directly.
Starting state (ISO 27001:2022):
- Documented ISMS
- Annual risk analysis
- Incident procedure with "reasonable" undefined timeframe
- Contractual clauses with providers
- Tested BCP/DRP
- MFA on privileged access
- One-off pentesting performed in the last year
Gaps identified against NIS2:
- Incident procedure doesn't contemplate 24h/72h or interaction with the competent CSIRT
- Critical ICT provider inventory exists but without documented periodic evaluation
- Board not specifically trained in NIS2
- One-off pentesting, not a structured programme
- Missing board minutes approving NIS2 scope and measures
Plan executed (3 months):
| Week | Activity |
|---|---|
| 1-2 | NIS2 applicability and scope documented; board approval |
| 3-4 | 24h/72h notification procedure adapted; channel with CSIRT |
| 5-6 | ICT provider questionnaire + annual periodic evaluation plan |
| 7-8 | Board training plan; first session delivered |
| 9-10 | Annual pentesting programme + threat modeling of the 3 critical services |
| 11-12 | Tabletop drill of the notification procedure; lessons learned |
| 13 | Internal audit of the NIS2 extension |
Outcome: the company moves from "ISO 27001 certified" to "NIS2-ready with current ISO 27001", keeping ISO certification unchanged and with defensible evidence in front of a potential inspection.
Frequently asked questions
If I have ISO 27001:2013, is it enough or do I need to migrate to 2022?
You need to migrate to 2022. The transition period for ISO/IEC 27001:2013 certificates ended on 31 October 2025 and current ISO audits are run against 2022. The 2022 version also incorporates controls relevant to NIS2 (A.5.7 threat intelligence, A.5.23 cloud services, A.8.16 monitoring activities) that 2013 did not have.
Can I get certified in NIS2?
There's no formal NIS2 certification. What gets done is an external (compliance) audit that produces a defensible report in front of authorities. Some certification bodies offer voluntary NIS2 attestations, but they aren't certifications equivalent to ISO.
What happens if I lose ISO 27001 certification?
You lose the structured evidence base on which the NIS2 extension rests. NIS2 compliance remains enforceable and you will have to demonstrate the measures by other means. The reasonable course is to keep ISO as structured proof of the underlying clauses and controls.
Does the external ISO audit include NIS2 compliance review?
Not by default. The ISO audit focuses on the ISMS and Annex A controls. For NIS2 you need an additional specific audit or to expand the scope (some certification bodies offer combined modules).
How long after ISO can I demonstrate NIS2 compliance?
With a well-run project, 2-4 additional months are enough to have complete evidence. Starting from scratch (without ISO) the timeline is 8-12 months for both.
Will NIS2 require me to keep ISO 27001 current?
Not formally, but authorities look at ISO as evidence of a good framework. Keeping ISO simplifies regulatory audits and commercial processes (tenders, client due diligence).
Extend your ISO 27001 to NIS2 with Secra
At Secra we design the NIS2-ready extended ISMS on top of your existing ISO, with a 2-4 month gap-closure plan, annual technical testing programme and board due diligence documentation.
→ Learn about our GRC Consulting
→ Request an initial conversation, no commitment
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.