
NIS2 and ISO 27001: Overlaps, Similarities, and How to Make Both Work for You

Understanding where these two frameworks meet is the fastest way to build a compliance program that covers both without doubling your workload.

Author: Andy Mura
Date: 23.4.2026
Updated on: 23.4.2026

If you run security or compliance for a European company, the pairing of NIS2 and ISO 27001 has probably come up more than once in the last year or two. You might already be certified to the ISO standard and wondering how much of that work carries over into the new directive. Or you might be staring down NIS2 obligations and asking whether an ISO 27001 program is a smart foundation to build on. Either way, the good news is that these two frameworks share a surprising amount of common ground, and knowing exactly where they overlap can save your team months of redundant effort.

This article maps out that overlap in detail, points out where the frameworks genuinely diverge, and shows you how to build a compliance program that satisfies both without running two entirely separate tracks.

A Quick Map of the Terrain

Before diving into the overlaps, it helps to have a clear picture of what each framework actually is. They come from different places and serve different purposes, though their practical requirements converge considerably.

What NIS2 Requires

NIS2 is a European Union directive that became enforceable across member states in October 2024. It applies to organizations in 18 critical and important sectors, including energy, transport, financial services, healthcare, and digital infrastructure, and sets minimum cybersecurity obligations for those entities. The focus is on outcomes: NIS2 tells you what you must achieve (incident reporting, supply chain controls, business continuity planning, and more) but largely leaves the "how" up to you. Non-compliance carries significant financial consequences, with fines reaching up to €10 million or 2% of global annual turnover for essential entities. You can read the full text of the directive here.

What ISO 27001 Establishes

ISO 27001 is an internationally recognized certification standard for information security management systems, commonly known as an ISMS. Unlike a legal directive, it is voluntary, but achieving it demonstrates to customers, partners, and auditors that your organization has a documented, risk-based approach to protecting information. The 2022 version of the standard includes 93 controls organized across four themes: organizational, people, physical, and technological. Where NIS2 defines the destination, ISO 27001 gives you a detailed map for getting there.

Where NIS2 and ISO 27001 Overlap

The most valuable insight for any compliance team is this: a well-implemented ISO 27001 program already covers a significant portion of NIS2 obligations. The table below gives a high-level picture, and we unpack each area below it.

| Requirement Area       | NIS2 Obligation                                              | ISO 27001 Coverage                                   |
|------------------------|--------------------------------------------------------------|------------------------------------------------------|
| Risk management        | Risk analysis and treatment required (Article 21)            | Central to the standard (Clause 6.1)                 |
| Incident response      | Early warning within 24h, full notification within 72h       | Detection and response controls (Annex A 5.24–5.28)  |
| Supply chain security  | Supplier security assessments required                       | Supplier relationship controls (Annex A 5.19–5.22)   |
| Access control         | Restricting access to critical systems                       | Access control theme (Annex A 5.15–5.18)             |
| Business continuity    | Plans required for critical functions                        | Business continuity controls (Annex A 5.29–5.30)     |
| Security awareness     | Staff training on threats and best practices                 | People controls including training (Annex A 6.3)     |

This degree of overlap is not accidental. When the European Commission drafted NIS2, established security standards like ISO 27001 were already in wide use. The directive's technical requirements drew heavily from that existing body of work.

Risk Management

Both frameworks treat risk management as a foundation, not an optional layer. NIS2 Article 21 explicitly requires that covered entities implement risk analysis and information system security policies. ISO 27001's Clause 6.1 on risk assessment and treatment is one of the most detailed parts of the standard, requiring organizations to identify, assess, and treat risks using a consistent, documented methodology.

If your ISO 27001 ISMS already includes a live risk register, regular risk reviews, and a documented risk treatment plan, you are already building toward NIS2 compliance on this front. The methodologies differ in a few particulars, but the underlying work is largely the same.

Incident Response and Reporting

This is an area where the two frameworks reinforce each other particularly well. NIS2 imposes specific reporting timelines: an early warning to your national authority within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within one month. ISO 27001's Annex A controls cover the full incident management lifecycle, from planning and detection through response, recovery, and lessons learned.

An organization with a mature ISO 27001 incident management process already has the detection and response infrastructure in place. Adding the specific NIS2 reporting cadence on top of that is a much smaller task than building it all from scratch. The European Union Agency for Cybersecurity publishes detailed guidance on what qualifies as a reportable incident and how national authorities expect reports to be structured.

Supply Chain Security

Supply chain requirements are one of the most discussed aspects of NIS2, and for good reason. The directive requires covered entities to assess the cybersecurity practices of their suppliers and service providers, particularly those involved in critical services. ISO 27001's Annex A controls 5.19 through 5.22 address exactly this, covering how you establish agreements, monitor ongoing performance, and manage changes in supplier relationships.

If you have already gone through a supplier evaluation process as part of your ISO 27001 program, you have the foundational work done. NIS2 may push you to go deeper on certain technology providers, but you are extending an existing program rather than starting from zero. The NIS2 obligations for managing directors article covers how supply chain accountability flows up to leadership level under the directive.

Business Continuity

Both NIS2 and ISO 27001 expect you to have tested plans in place to keep critical functions running when things go wrong. ISO 27001 covers this through Annex A controls 5.29 and 5.30, addressing information security during disruptions and ICT readiness for business continuity. NIS2 Article 21 requires business continuity management, backup management, and disaster recovery as named security measures.

If you have done this work for your ISO 27001 certification, you have a solid base. The NIS2 angle focuses more explicitly on ICT systems and the continuous availability of critical services, so you may need to extend your continuity plans in those specific directions, but the documentation approach and testing cadence you already follow will carry over.

The Key Differences You Still Need to Know

Overlap does not mean equivalence. NIS2 and ISO 27001 differ in three important ways that shape how you approach each one.

Legal obligation vs. voluntary certification. NIS2 is law. If your organization falls within scope, compliance is not optional and non-compliance has legal consequences. ISO 27001 is a choice you make for commercial, reputational, or operational reasons.

Scope. ISO 27001 can be applied to a specific part of your organization: a product line, a subsidiary, a defined set of services. NIS2 does not work that way. It applies to your organization as a whole, across all systems and processes relevant to the services that bring you into scope.

Governance and personal liability. NIS2 places explicit obligations on management bodies, requiring that senior leaders approve cybersecurity risk measures and can be held personally liable for infringements. ISO 27001 recommends leadership commitment but does not carry the same personal accountability provisions.

Does ISO 27001 Certification Mean You Are NIS2 Compliant?

No, but it puts you much further along than most organizations realize. ISO 27001 certification does not automatically satisfy NIS2 obligations, because the directive carries specific requirements around governance, reporting timelines, and senior management accountability that go beyond what the standard alone mandates.

That said, organizations with a current and well-maintained ISO 27001 certification typically find that 60 to 70 percent of the required NIS2 work is already complete. The remaining gap is real but bridgeable, and it is considerably smaller than starting from scratch. Some EU member states are moving toward formal equivalence arrangements; Belgium has already indicated that ISO 27001 certification can serve as evidence of compliance for certain NIS2 requirements. Most other member states have not yet gone that far.

The Kertos platform maps your existing ISO 27001 controls against NIS2 requirements automatically, giving you a clear view of where you stand and what genuinely requires new attention.

Building a Unified Compliance Program

The most practical conclusion from understanding NIS2 and ISO 27001 together is that you should not be running two parallel compliance programs. That approach multiplies cost, fragments your team's attention, and creates gaps where the two tracks fail to align.

Start with a Gap Analysis

If you are already ISO 27001 certified, begin by mapping your current controls against the specific obligations in NIS2 Article 21. This tells you exactly what is already covered and what requires new work. If you are approaching both frameworks fresh, a combined gap analysis is actually more efficient than two separate ones, because the overlapping areas only need to be assessed once.

Build a Shared Evidence Base

One of the practical challenges in multi-framework compliance is that the same piece of evidence (a risk assessment report, a supplier security questionnaire, an incident response runbook) needs to satisfy requirements in multiple places. A compliance platform designed for this maps each piece of evidence to multiple frameworks simultaneously, so your team is not recreating the same documentation for each one. The principles behind this approach are covered in more depth in the multi-framework compliance guide.

Bring Leadership In Early

NIS2's governance requirements make senior management involvement unavoidable. Rather than treating this as a compliance box to check, use it as an opportunity to establish the kind of leadership engagement around security that will also strengthen your ISO 27001 program. Organizations that treat compliance as a board-level topic tend to find it easier to resource properly, which matters when you are managing obligations across multiple frameworks at once.

What This Means for Your Organization

Understanding the overlap between NIS2 and ISO 27001 changes how you think about security investment. Every control you implement that satisfies requirements in both frameworks at the same time is a control that delivers double the compliance value. A risk management process that meets ISO 27001's Clause 6.1 and NIS2's Article 21 simultaneously is not a compromise. It is good program design.

The most efficient path through both frameworks is to treat them as two lenses on a single security program, not two separate projects. Kertos is built precisely for this kind of continuous compliance, keeping your ISMS audit-ready across multiple frameworks while automating the evidence collection that would otherwise consume your team's time. Book a demo to see exactly where your current program stands against both NIS2 and ISO 27001.

Dr. Kilian Schmidt

CEO & Co-Founder, Kertos GmbH

Dr. Kilian Schmidt developed a strong interest in legal processes early on. After studying law, he began his career as Senior Legal Counsel and Data Protection Officer at the Home24 Group. After working at Freshfields Bruckhaus Deringer, he moved to TIER Mobility, where, as General Counsel, he was significantly involved in expanding the legal and public policy department - and grew the company from one to 65 cities and from 50 to 800 employees. Motivated by limited technological advances in the legal sector and inspired by his consulting work at Gorillas Technologies, he co-founded Kertos to develop the next generation of European data protection technology.

About Kertos

Kertos is the modern backbone of the data protection and compliance activities of scaling companies. We enable our customers to implement integrated data protection and information security processes in accordance with GDPR, ISO 27001, TISAX®, SOC2 and many other standards quickly and cheaply through automation.
