NIS2 vs ISO 27001
NIS2 is an EU regulatory directive. ISO/IEC 27001 is an international standard. They overlap significantly, but they are not the same. Here's a complete mapping and guidance on which one you need.
Quick comparison
Type: EU regulatory directive (mandatory)
Who: Essential/Important entities in specific sectors
Geographic scope: EU only
Certification: No certification — enforced by national authorities
Fines: Up to EUR 10M or 2% of turnover
Governance: Article 20 requires management accountability
Type: International standard (voluntary)
Who: Any organization wanting an ISMS
Geographic scope: Global
Certification: Third-party audit, 3-year cert cycle
Fines: None — but loss of certification
Governance: Requires documented ISMS
| Dimension | NIS2 Directive | ISO/IEC 27001 |
|---|---|---|
| Type | EU regulatory directive (mandatory) | International standard (voluntary) |
| Who it applies to | Essential / Important entities in specific sectors | Any organization wanting an ISMS |
| Geographic scope | EU only | Global |
| Certification | No certification — enforced by national authorities | Third-party audit, 3-year cert cycle |
| Fines / penalties | Up to EUR 10M or 2% of turnover | None — but loss of certification |
| Governance | Article 20 requires management accountability | Requires documented ISMS |
This crosswalk is currently undergoing an independent review by an external ISO/IEC 27001:2022 lead auditor. The mapping reflects Reglyze's own technical analysis; the reviewed-and-signed badge will appear here once the engagement closes.
- Crosswalk version: 1.0.0
- Reviewer: —
- Opinion date: —
Mapping: NIS2 Article 21 to ISO 27001 Annex A
The 10 minimum measures in NIS2 Article 21(2) map heavily to ISO 27001:2022 Annex A. Here's the full crosswalk.
Risk analysis and information system security policies
ISO 27001 Annex A: A.5.1, A.5.2, A.8.8 — Policies for information security, review, vulnerability management
Incident handling
ISO 27001 Annex A: A.5.24-A.5.28 — Information security incident management
Business continuity and crisis management
ISO 27001 Annex A: A.5.29, A.5.30 — Information security during disruption, ICT readiness for business continuity
Supply chain security
ISO 27001 Annex A: A.5.19-A.5.23 — Supplier relationships, ICT security in supplier agreements
Security in acquisition, development and maintenance
ISO 27001 Annex A: A.8.25-A.8.33 — Secure development lifecycle
Policies and procedures to assess effectiveness
ISO 27001 Annex A: A.5.35, A.5.36 — Independent review, compliance monitoring
Basic cyber hygiene and training
ISO 27001 Annex A: A.6.3, A.8.7 — Information security awareness, protection against malware
Cryptography and encryption
ISO 27001 Annex A: A.8.24 — Use of cryptography
HR security, access control, asset management
ISO 27001 Annex A: A.6.1-A.6.7, A.5.15-A.5.18, A.5.9-A.5.14 — Human resources, access control, asset management
MFA, secure comms, secure emergency comms
ISO 27001 Annex A: A.8.5, A.8.20-A.8.23 — Secure authentication, network security
Do you need both?
You're 80% of the way to NIS2 compliance. Your ISMS already covers most of the 10 minimum measures.
What's still missing:
- Registration with your national competent authority (e.g., BSI, ANSSI, ACN)
- Incident reporting workflows aligned with 24h / 72h / 1 month deadlines
- Management accountability (NIS2 Article 20) — formal approval of risk management measures
- Supply chain risk assessment for NIS2-specific critical suppliers
- NIS2-specific policies and templates
You don't need ISO 27001 to be NIS2 compliant. But ISO 27001 certification can:
- Serve as evidence during NIS2 audits
- Help you win enterprise customers who require ISO 27001 in vendor assessments
- Provide a structured ISMS framework for ongoing compliance
If budget is tight, start with NIS2 compliance (Reglyze makes this affordable) and pursue ISO 27001 later if market demand requires it.
NIS2 vs ISO 27001: frequently asked questions
- If I have ISO 27001, do I need NIS2?
- ISO 27001 is voluntary and global; NIS2 is a mandatory EU directive for Essential and Important entities in specific sectors. If NIS2 applies to your organisation you still need to comply with it, but an existing ISO 27001 ISMS already covers most of the 10 minimum measures in NIS2 Article 21 — so you are roughly 80% of the way there. The remaining gaps are registration with your national competent authority, incident-reporting workflows aligned to the 24h / 72h / 1-month deadlines, management accountability under Article 20, NIS2-specific supply-chain risk assessment, and NIS2-specific policies.
- What is the difference between NIS2 and ISO 27001?
- NIS2 is an EU regulatory directive that is mandatory for in-scope entities, applies in the EU only, is enforced by national authorities with fines up to EUR 10M or 2% of turnover, and has no certification. ISO/IEC 27001 is a voluntary international standard, applies globally, is verified through a third-party audit on a 3-year certification cycle, and carries no fines — the consequence of failure is loss of certification.
- Do I need ISO 27001 to be NIS2 compliant?
- No. You do not need ISO 27001 to be NIS2 compliant. ISO 27001 certification can still help — it serves as evidence during NIS2 audits, helps win enterprise customers who require it in vendor assessments, and provides a structured ISMS framework. If budget is tight, start with NIS2 compliance and pursue ISO 27001 later if market demand requires it.
- How much do NIS2 Article 21 and ISO 27001 Annex A overlap?
- The 10 minimum measures in NIS2 Article 21(2) map heavily to ISO 27001:2022 Annex A controls. Most measures — including risk and security policies, incident handling, business continuity, secure development, cyber hygiene and training, cryptography, and HR/access/asset management — have high overlap, while supply-chain security and the effectiveness-assessment and MFA/secure-communications measures have medium overlap.
Related NIS2 reading
- Best NIS2 compliance software: an honest side-by-side comparison — how Reglyze, Vanta, Drata, Secfix and other NIS2 platforms compare for European SMEs.
- NIS2 fines and penalties: amounts, calculation and personal liability — what non-compliance costs (up to EUR 10M or 2% of turnover) and how authorities enforce it.