You hold an ISO 27001 certificate, or you are most of the way to one. Then a customer questionnaire or a regulator raises NIS2, and you cannot tell whether the work you already did covers it, partly covers it, or starts a second project from scratch.
That uncertainty is what most NIS2 vs ISO 27001 comparisons fail to resolve. They list the differences and leave you to work out what it means for your own obligations. The two are not interchangeable: one is a voluntary standard you choose to adopt, the other is a legal duty that applies whether you have a certificate or not.
By the end of this guide you will know where the two overlap, whether your certificate exempts you from NIS2, what NIS2 demands that ISO 27001 never asks for, and how to make one evidence record satisfy both.
In this guide:
- Where ISO 27001 Annex A and NIS2 Article 21 overlap, and where they do not
- The incident-reporting and liability duties NIS2 adds on top of any ISMS
- How to reuse one set of evidence across both frameworks
What is the difference between NIS2 and ISO 27001?
ISO 27001 (officially ISO/IEC 27001:2022, co-published by ISO and the International Electrotechnical Commission, IEC) is a voluntary international standard for an Information Security Management System (ISMS) that an organisation chooses to implement and may certify against. NIS2 is an EU directive (Directive (EU) 2022/2555), transposed into national law by each member state: a legal cybersecurity obligation that applies to in-scope organisations by sector and size, with no certificate involved.
| | ISO 27001 | NIS2 |
|---|---|---|
| What it is | Voluntary standard (ISMS) | EU legal obligation (Directive 2022/2555) |
| Applies because | You choose to adopt or certify | Your sector and size put you in scope |
| Controls | Annex A control catalogue | Article 21 risk-management measures |
| Incident reporting | Not required by the standard | Mandatory: 24h, 72h, one month |
| Management liability | Not defined | Management body can be held liable |
| Oversight | Accredited certification body, on request | Competent authority, can audit and fine |
| Proof demanded | Evidence the ISMS operates | Evidence the measures are in place and effective |
Both are built on the same foundation, which is why the overlap is real but the obligations are not the same.
Does being ISO 27001 certified mean NIS2 doesn't apply to you?
No. NIS2 applicability is set by what your organisation does and how large it is, not by whether you hold a certificate. A certificate neither pulls you into scope nor exempts you from it.
NIS2 applies to "essential" and "important" entities operating in the sectors listed in the NIS2 Directive (energy, transport, health, digital infrastructure, manufacturing of critical products, and more) that also meet a size threshold, broadly medium-sized organisations and above. A few entity types (for example DNS service providers, TLD name registries and trust service providers) are in scope regardless of size, so do not rely on headcount alone. If your sector and size put you in scope, NIS2 is a legal duty regardless of your ISO 27001 status. If they do not, no certificate makes NIS2 apply. Confirm your own position against the national transposition law in each country where you operate, because member states set the precise scope locally. This is the first question to settle, before any control mapping: am I in scope at all?
Does ISO 27001 cover NIS2 requirements?
ISO 27001 covers most of the technical security measures NIS2 asks for, but not the legal duties around it. A certified ISMS gives you risk assessment, access control, vulnerability management, and supplier security, which map closely to Article 21. It does not give you NIS2's incident-reporting clock, its management-body liability, or its supervisory oversight.
So certification is a strong head start, not a pass. Being compliant with one does not automatically satisfy the other, and the two audits are run by different bodies for different purposes. An ISO 27001 auditor checks that your ISMS operates as documented. A NIS2 competent authority checks that legally mandated measures are in place and can hold the management body accountable when they are not. Treat ISO 27001 as the control engine and NIS2 as the legal wrapper that the engine has to satisfy.
Mapping ISO 27001 Annex A controls to NIS2 Article 21
The technical core of Article 21 maps directly onto ISO 27001:2022 Annex A controls. The European Union Agency for Cybersecurity (ENISA) publishes technical implementation guidance for the NIS2 implementing regulation that cross-references its requirements to ISO/IEC 27001:2022, so the mapping is not guesswork.
The implementing regulation, Commission Implementing Regulation (EU) 2024/2690, translates Article 21 into detailed technical requirements for a named set of digital-sector entities (cloud providers, managed service providers, data centres, DNS providers, and similar). For those entities the regulation's requirements are binding; for everyone else in scope of the directive it is the clearest available statement of what "good" looks like under Article 21. The vulnerability-relevant rows:
| NIS2 requirement (CIR 2024/2690 Annex) | ISO/IEC 27001:2022 Annex A |
|---|---|
| 6.10 Vulnerability handling and disclosure | A.8.8 Management of technical vulnerabilities |
| 6.5 Security testing | A.8.29, A.8.33, A.8.34 |
| 6.6 Security patch management | A.8.31, A.8.32 |
NIS2 vulnerability handling maps to ISO 27001 control A.8.8. If you already run A.8.8, you are doing the control NIS2 names, and the same work serves both records. One check worth making: CIR 6.10 is titled "handling and disclosure", so confirm that your A.8.8 procedure also covers how vulnerabilities in your own products or services are disclosed, not only how third-party vulnerabilities are tracked and patched.
The practical consequence: most of the scanning, testing, and patching evidence your ISMS already produces is the same evidence a NIS2 assessment wants. What changes is what you have to prove, and to whom.
What does NIS2 require that ISO 27001 does not?
NIS2 adds three duties that no ISO 27001 control imposes: mandatory incident reporting on a fixed clock, personal accountability for the management body, and supervision by a state authority with the power to fine. These are legal obligations, not security controls, which is why an ISMS alone cannot satisfy them.
The reporting clock is the sharpest difference. Under Article 23, an in-scope entity must submit an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report no later than one month after that notification. ISO 27001 expects you to manage incidents; it never sets a statutory deadline to notify an authority.
24 hours, 72 hours, one month. NIS2 sets a statutory incident-reporting clock that no ISO 27001 control imposes.
The other two duties shift who is responsible. Under Article 20, the management body must approve the risk-management measures and oversee their implementation, and it can be held liable for failures. Enforcement sits with a national competent authority that can investigate and impose administrative fines of up to €10,000,000 or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and €7,000,000 or 1.4% for important entities. ISO 27001 has no equivalent: its worst case is losing the certificate, not a regulatory penalty. If you map only the technical controls and stop, these are the gaps an assessment will find.
Can ISO 27001 certification accelerate NIS2 compliance?
Yes. An existing ISO 27001 ISMS is the fastest route to the technical half of NIS2, because the control work, the risk assessments, and most of the evidence already exist. You reuse them rather than rebuild them.
The efficient path is to treat your ISMS as the foundation, then close the NIS2-specific gaps on top: stand up the incident-reporting workflow against the Article 23 clock, document management-body approval and oversight, and confirm your scope under the national transposition law. The control evidence carries over almost entirely. The legal and procedural layer is the net-new work. This is why teams already pursuing ISO 27001 often sequence it first, then extend the same documentation to NIS2, instead of running two parallel projects. For the underlying control work that feeds both, see the vulnerability management lifecycle and the full NIS2 compliance requirements.
The gap both frameworks leave open: evidence you can produce on demand
Both frameworks demand the same thing at audit time, and it is the thing lean IT teams most often lack: evidence that a vulnerability was found, assigned, fixed, and confirmed fixed, on a record an assessor can verify. ISO 27001 A.8.8 wants it. NIS2 wants scan results recorded and critical findings shown addressed. Neither tells you how to produce it, and a scan report on its own does not.
This is the part a side-by-side table never answers, and where the real work begins for a team carrying IT, security, and compliance as one job. You do not need a second tool per framework. You need one finding that already carries both its ISO 27001 and its NIS2 mapping, with a lifecycle an auditor can trust.
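What such a record can look like in practice, as an added illustration (this is example code written for this article, not Vornin's implementation or any product's API): each lifecycle event of one finding is hash-linked to the previous one and to the finding's framework mapping, so an assessor can confirm that nothing was edited, removed or reordered after the fact, and that the finding actually went found, assigned, fixed, verified in that order. The finding ID, host name, change reference and timestamps are constructed sample data; the mapping values come from the crosswalk table above.

```python
"""Hash-chained evidence record for one vulnerability finding (example design)."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import Optional

# Control mapping the finding carries, from the crosswalk in this article
# (CIR 2024/2690 Annex 6.10 <-> ISO/IEC 27001:2022 A.8.8). Illustrative only.
VULN_HANDLING_MAPPING = {
    "ISO/IEC 27001:2022": ["A.8.8"],
    "NIS2 CIR 2024/2690": ["6.10"],
}

# Lifecycle stages an assessor wants to see, in this order.
LIFECYCLE = ("found", "assigned", "fixed", "verified")


def _canon(obj) -> bytes:
    """Canonical JSON so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class EvidenceChain:
    """Append-only, hash-linked history of one finding (hypothetical design)."""
    finding_id: str
    mappings: dict
    events: list = field(default_factory=list)

    def genesis(self) -> str:
        # The chain is anchored to the finding's identity and framework mapping,
        # so editing the mapping after the fact breaks the very first link.
        return _sha256(_canon({"finding_id": self.finding_id, "mappings": self.mappings}))

    def append(self, event: str, actor: str, ts: str, detail: Optional[dict] = None) -> str:
        prev = self.events[-1]["hash"] if self.events else self.genesis()
        body = {"seq": len(self.events), "event": event, "actor": actor,
                "ts": ts, "detail": detail or {}, "prev": prev}
        digest = _sha256(_canon(body))
        self.events.append({**body, "hash": digest})
        return digest

    def verify(self) -> Optional[int]:
        """Return the index of the first broken event, or None if the chain is intact."""
        prev = self.genesis()
        for i, ev in enumerate(self.events):
            body = {k: v for k, v in ev.items() if k != "hash"}
            if body.get("seq") != i or body.get("prev") != prev:
                return i  # an event was removed, reordered or inserted
            if _sha256(_canon(body)) != ev.get("hash"):
                return i  # event contents were edited after sealing
            prev = ev["hash"]
        return None

    def lifecycle_complete(self) -> bool:
        """True only if found -> assigned -> fixed -> verified appear, in order, on an intact chain."""
        if self.verify() is not None:
            return False
        stages = [LIFECYCLE.index(e["event"]) for e in self.events if e["event"] in LIFECYCLE]
        return stages == list(range(len(LIFECYCLE)))

    def auditor_pack(self) -> dict:
        """The per-finding bundle you would hand an ISO 27001 auditor or NIS2 assessor."""
        return {"finding_id": self.finding_id, "mappings": self.mappings,
                "events": self.events, "intact": self.verify() is None,
                "closed": self.lifecycle_complete()}


def sample_chain(stages=LIFECYCLE) -> EvidenceChain:
    """Constructed sample: a critical finding on a fictional host, not a real CVE."""
    chain = EvidenceChain("F-0001", dict(VULN_HANDLING_MAPPING))
    details = {
        "found": {"asset": "web-01.example.internal", "severity": "critical",
                  "source": "weekly authenticated scan"},
        "assigned": {"owner": "platform-team", "sla_days": 7},
        "fixed": {"change_ref": "CHG-0042", "action": "package upgraded"},
        "verified": {"rescan": "clean", "method": "authenticated rescan"},
    }
    actors = {"found": "scanner", "assigned": "sec-lead", "fixed": "ops", "verified": "scanner"}
    for day, stage in enumerate(stages):
        chain.append(stage, actors[stage], f"2025-03-{10 + day:02d}T09:00:00Z", details[stage])
    return chain


if __name__ == "__main__":
    pack = sample_chain().auditor_pack()
    print(json.dumps({k: pack[k] for k in ("finding_id", "mappings", "intact", "closed")}, indent=2))
```

The point of the `verify()` check is that a scan report alone cannot show the "assigned" and "verified" steps ever happened, whereas a chained record either replays cleanly or pinpoints the first event that was altered. A production system would sign the chain head or anchor it in append-only storage so the verifier does not trust the same database it is checking; that is omitted here to keep the example self-contained.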
That is what Vornin produces as a by-product of normal use. Every finding is auto-mapped to the 9 compliance frameworks it touches, so a single record satisfies ISO 27001 Annex A and NIS2 Article 21 at the same time. Each finding's full history is sealed in a per-tenant tamper-evident evidence chain and exports as a per-finding auditor pack you can hand over without assembling anything by hand.
Scoring is honest: controls a scanner cannot test are marked for manual attestation, never faked to a clean pass. And it is EU-hosted, which removes the data-residency question before a reviewer raises it. You can map findings to ISO 27001 Annex A controls and walk into a NIS2 audit with the evidence already built from the same scan, with no dedicated security team required.
Frequently asked questions
Is ISO 27001 mandatory like NIS2?
No. ISO 27001 is a voluntary standard. You choose whether to implement it, and separately whether to certify against it. NIS2 is an EU legal obligation that applies to in-scope entities whether or not they want it. The two sit at different levels: one is best practice you opt into, the other is law.
Does NIS2 require ISO 27001 certification?
No. NIS2 does not require any specific certification. It requires that you have appropriate risk-management measures and can demonstrate them. ISO 27001 is the most efficient way to evidence the technical controls, because its Annex A maps closely to Article 21, but it is a route to compliance, not a legal requirement of it.
Is ISO 27001 alone enough to pass a NIS2 audit?
No. An ISO 27001 ISMS covers most of NIS2's technical measures but not its incident-reporting deadlines, management-body liability, or supervisory oversight. Certification gives you a strong head start on the controls; you still have to add the legal and procedural duties NIS2 imposes on top.
Can I reuse my ISO 27001 documentation for NIS2?
Largely, yes. The control evidence, risk assessments, and vulnerability-management records from an ISO 27001 ISMS carry over to NIS2 because the technical requirements overlap heavily. What you add is NIS2-specific: the Article 23 reporting workflow, documented management oversight, and a scope confirmation under your national transposition law.
Conclusion
ISO 27001 is the voluntary control catalogue; NIS2 is the law that bolts incident reporting, management liability, and state oversight on top. If you are certified, you already own most of the technical work. The gap is the legal layer, plus evidence that proves both frameworks from one record.
Read-only access · Working scan data deleted after each scan · EU-hosted