Crosswalk guide

NIS2 vs ISO 27001

NIS2 is an EU regulatory directive. ISO/IEC 27001 is an international standard. They overlap significantly, but they are not the same. Here's a complete mapping and guidance on which one you need.

Quick comparison

Aspect           | NIS2 Directive                                     | ISO/IEC 27001
Type             | EU regulatory directive (mandatory)                | International standard (voluntary)
Who              | Essential/Important entities in specific sectors   | Any organization wanting an ISMS
Geographic scope | EU only                                            | Global
Certification    | No certification; enforced by national authorities | Third-party audit, 3-year certification cycle
Fines            | Up to EUR 10M or 2% of turnover                    | None, but loss of certification
Governance       | Article 20 requires management accountability      | Requires a documented ISMS

Mapping: NIS2 Article 21 to ISO 27001 Annex A

The 10 minimum measures in NIS2 Article 21(2) map closely onto ISO 27001:2022 Annex A. Here's the full crosswalk, with the degree of overlap for each measure.

Art. 21(2)(a): Risk analysis and information system security policies
  Overlap: High
  ISO 27001 Annex A: A.5.1, A.5.2, A.8.8 (information security policies and their review, vulnerability management)

Art. 21(2)(b): Incident handling
  Overlap: High
  ISO 27001 Annex A: A.5.24-A.5.28 (information security incident management)

Art. 21(2)(c): Business continuity and crisis management
  Overlap: High
  ISO 27001 Annex A: A.5.29, A.5.30 (information security during disruption, ICT readiness for business continuity)

Art. 21(2)(d): Supply chain security
  Overlap: Medium
  ISO 27001 Annex A: A.5.19-A.5.23 (supplier relationships, ICT security in supplier agreements)

Art. 21(2)(e): Security in network and information system acquisition, development and maintenance
  Overlap: High
  ISO 27001 Annex A: A.8.25-A.8.33 (secure development lifecycle)

Art. 21(2)(f): Policies and procedures to assess the effectiveness of risk management measures
  Overlap: Medium
  ISO 27001 Annex A: A.5.35, A.5.36 (independent review, compliance monitoring)

Art. 21(2)(g): Basic cyber hygiene practices and cybersecurity training
  Overlap: High
  ISO 27001 Annex A: A.6.3, A.8.7 (information security awareness, protection against malware)

Art. 21(2)(h): Cryptography and encryption
  Overlap: High
  ISO 27001 Annex A: A.8.24 (use of cryptography)

Art. 21(2)(i): Human resources security, access control, asset management
  Overlap: High
  ISO 27001 Annex A: A.6.1-A.6.7, A.5.15-A.5.18, A.5.9-A.5.14 (human resources security, access control, asset management)

Art. 21(2)(j): Multi-factor authentication, secured communications, secured emergency communication systems
  Overlap: Medium
  ISO 27001 Annex A: A.8.5, A.8.20-A.8.23 (secure authentication, network security)

Do you need both?

You already have ISO 27001

You're 80% of the way to NIS2 compliance. Your ISMS already covers most of the 10 minimum measures.

What's still missing:

  • Registration with your national competent authority (e.g., BSI, ANSSI, ACN)
  • Incident reporting workflows aligned with the 24-hour (early warning), 72-hour (incident notification) and 1-month (final report) deadlines
  • Management accountability (NIS2 Article 20) — formal approval of risk management measures by the management body
  • Supply chain risk assessment for NIS2-specific critical suppliers
  • NIS2-specific policies and templates

You're building NIS2 compliance without ISO 27001

You don't need ISO 27001 to be NIS2 compliant. But ISO 27001 certification can:

  • Serve as evidence during NIS2 audits
  • Help you win enterprise customers who require ISO 27001 in vendor assessments
  • Provide a structured ISMS framework for ongoing compliance

If budget is tight, start with NIS2 compliance (Reglyze makes this affordable) and pursue ISO 27001 later if market demand requires it.

Reglyze bridges the NIS2 + ISO gap

Our gap assessment highlights which ISO 27001 controls you already have and what's missing for NIS2 — so you can focus only on the delta.