Cybersecurity regulation vs standard
NIS2 vs ISO 27001: Legal Obligation vs Best-Practice Standard
NIS2 (Directive (EU) 2022/2555) is binding EU law for essential and important entities in critical sectors, with fines up to €10M or 2% of global turnover; ISO 27001 is a voluntary international standard with no enforcement. ISO 27001 certification substantially covers NIS2 Article 21 security requirements but does not satisfy NIS2's mandatory incident reporting (Article 23), registration obligations, or senior management liability clauses. For NIS2-scope entities, ISO 27001 is the fastest path to Article 21 compliance, but it must be supplemented with NIS2-specific obligations.
Does ISO 27001 satisfy NIS2 requirements?
- NIS2 is binding EU law: fines up to €10M or 2% of global turnover for essential entities
- ISO 27001 is voluntary: no fines, no enforcement, globally recognised
- ISO 27001 covers most NIS2 Art. 21 security measures (significant overlap)
- ISO 27001 does NOT cover: mandatory incident reporting (Art. 23), registration, or management liability
- Pursue ISO 27001 as the fastest Art. 21 route, then address the NIS2-specific gaps
Side-by-side comparison
| Aspect | NIS2 (EU, mandatory) | ISO 27001 (ISO, voluntary) |
|---|---|---|
| Legal status | Binding EU directive, transposed into national law in all 27 member states | Voluntary international standard, no legal obligation |
| Enforcement | National competent authorities (e.g. BSI in Germany, ANSSI in France, NCSC-NL) | None; voluntary certification bodies (e.g. BSI Group, TÜV) |
| Maximum fine | Essential entities: €10M or 2% of global turnover; important entities: €7M or 1.4% | No fines (voluntary standard) |
| Scope | Essential/important entities in 18+ sectors (energy, health, transport, digital infrastructure, etc.) with 50+ employees or €10M+ revenue | Any organisation, any sector, any size |
| Incident reporting | Mandatory: early warning within 24h, notification within 72h, final report within 30 days (Art. 23) | Not required; internal incident management only |
| Management liability | Senior management personally liable for failure to implement security measures (Art. 20) | No personal liability; organisational certification only |
| Supply chain | Mandatory supplier security assessment and contractual obligations (Art. 21(2)(d)) | Best practice via Annex A controls (A.5.19–5.22) |
| Art. 21 overlap | 10 mandatory security categories: policies, incidents, BCP, supply chain, procurement, vulnerability management, cyber hygiene, MFA, encryption, access control | ISO 27001 Annex A covers most of these (significant overlap) |
| Registration | Mandatory registration with the national authority (Art. 3); due in 2025 in most member states | No registration requirement |
| Certification | Member states may require certification in specific sectors (Art. 24) | Certification by accredited certification bodies |
Recommended approach for NIS2-scope entities
- Register with your national competent authority (if not already done; most member states required this by early 2025).
- Pursue ISO 27001 certification: it covers the majority of Article 21 security measures and gives auditors evidence of a systematic ISMS.
- Gap-fill the NIS2-specific obligations ISO 27001 does not address: incident reporting runbooks (24h/72h/30d timelines), a senior management sign-off process, and supply chain contractual clauses.
- Set up an incident detection and escalation workflow that meets the Article 23 timelines before enforcement increases.
Frequently asked questions
Does ISO 27001 satisfy NIS2 requirements?
ISO 27001 certification substantially covers NIS2 Article 21 security measures (risk management, incident handling, BCP, supply chain, access control, encryption) but does not satisfy NIS2's mandatory incident reporting deadlines (24h/72h/30d under Article 23), registration obligations, or senior management personal liability under Article 20. ISO 27001 is the fastest path to Article 21 compliance but must be supplemented with those NIS2-specific obligations.
Who is in scope for NIS2?
NIS2 applies to medium and large organisations (50+ employees or β¬10M+ annual turnover) in 18 critical sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal services, waste management, chemicals, food, manufacturing, digital providers (marketplaces, search engines, social networks), and research. Essential entities face stricter supervision than important entities.
Is ISO 27001 required for NIS2 compliance?
ISO 27001 is not legally required by NIS2. However, some EU member states and regulated sectors may require or strongly recommend it (Article 24 allows member states to mandate sector-specific certification). In practice, ISO 27001 certification is the most efficient way to demonstrate NIS2 Article 21 compliance and many national authorities accept it as evidence of adequate security measures.
What are the NIS2 incident reporting deadlines?
Under NIS2 Article 23, essential and important entities must: (1) submit an early warning to the national CSIRT within 24 hours of becoming aware of a significant incident; (2) submit a full incident notification within 72 hours; (3) submit a final report within 1 month. A 'significant incident' is one that has caused or is capable of causing severe operational disruption or financial loss.
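As an added example (not from this page, and not any official NIS2 tooling), the following Python incident-register helper turns the Article 23 timelines quoted above into concrete due times and flags stages that are pending, overdue, sent on time or sent late, which is the check the escalation workflow recommended under the approach above needs to run. The `Incident` record, the identifiers in the sample register and the choice to anchor the 30-day final report to the 72h notification stage are constructed assumptions; the page states the three windows but not what the final-report window is measured from.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Deadlines as stated on this page (NIS2 Article 23): early warning 24h and
# incident notification 72h after becoming aware of a significant incident,
# then a final report within 30 days. Anchoring the 30 days to the notification
# stage is an assumption of this example; the page does not state the anchor.
EARLY_WARNING = timedelta(hours=24)
NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)
STAGES = ("early_warning", "notification", "final_report")


@dataclass
class Incident:
    """One entry in a hypothetical incident register (constructed for this example)."""
    ident: str
    aware_at: datetime          # moment the entity became aware of the incident
    significant: bool           # severe operational disruption or financial loss?
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None


def deadlines(inc: Incident) -> dict:
    """Compute the due time of each Article 23 stage for an incident."""
    notif_due = inc.aware_at + NOTIFICATION
    # The final report runs from the notification actually sent, or from the
    # notification deadline when it has not been sent yet.
    anchor = inc.notification_sent or notif_due
    return {
        "early_warning": inc.aware_at + EARLY_WARNING,
        "notification": notif_due,
        "final_report": anchor + FINAL_REPORT,
    }


def stage_status(sent: Optional[datetime], due: datetime, now: datetime) -> str:
    """Classify one stage: on_time / late (already sent) or pending / overdue (not sent)."""
    if sent is not None:
        return "on_time" if sent <= due else "late"
    return "overdue" if now > due else "pending"


def report_status(inc: Incident, now: datetime) -> dict:
    """Status of all three stages; empty for incidents that are not significant."""
    if not inc.significant:
        return {}  # Article 23 reporting duties attach only to significant incidents
    due = deadlines(inc)
    sent = {
        "early_warning": inc.early_warning_sent,
        "notification": inc.notification_sent,
        "final_report": inc.final_report_sent,
    }
    return {stage: stage_status(sent[stage], due[stage], now) for stage in STAGES}


def next_action(inc: Incident, now: datetime):
    """Earliest stage still open as (stage, due, hours_left); negative hours mean overdue."""
    status = report_status(inc, now)
    due = deadlines(inc)
    for stage in STAGES:
        if status.get(stage) in ("pending", "overdue"):
            hours_left = (due[stage] - now) / timedelta(hours=1)
            return stage, due[stage], hours_left
    return None


def overdue_incidents(register, now: datetime) -> list:
    """Identifiers of incidents with at least one overdue or late stage."""
    return [inc.ident for inc in register
            if any(s in ("overdue", "late") for s in report_status(inc, now).values())]


def utc_time(*parts) -> datetime:
    """Build a timezone-aware UTC datetime; CSIRT deadlines should never use naive times."""
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed sample register (not real incidents).
SAMPLE_REGISTER = [
    # Early warning sent in time, notification still missing after 96 hours.
    Incident("INC-001", utc_time(2025, 1, 10, 8), True,
             early_warning_sent=utc_time(2025, 1, 10, 20)),
    # All three stages submitted within their windows.
    Incident("INC-002", utc_time(2025, 3, 1, 9), True,
             early_warning_sent=utc_time(2025, 3, 1, 15),
             notification_sent=utc_time(2025, 3, 3, 12),
             final_report_sent=utc_time(2025, 3, 20, 10)),
    # Not significant: no Article 23 reporting duty.
    Incident("INC-003", utc_time(2025, 1, 12, 0), False),
]

if __name__ == "__main__":
    now = utc_time(2025, 1, 14, 0)
    for inc in SAMPLE_REGISTER:
        print(inc.ident, report_status(inc, now), next_action(inc, now))
    print("overdue:", overdue_incidents(SAMPLE_REGISTER, now))
```

Running the block as a script walks the sample register at a fixed "now" and shows INC-001 with its 72h notification overdue by 16 hours, which is the condition an escalation workflow should page on. Whether an incident is "significant" is a judgement the register records as a flag; the helper deliberately does not try to decide it, because the page defines it in terms of severity, not a metric.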
Check if your organisation is in scope for NIS2
The NIS2 Compliance Checker determines your entity type (essential or important), Article 21 measures required, and Article 23 reporting timelines.
Informational only. Not legal advice; consult qualified legal counsel for your specific situation.