NIS2 & ISO 27001 Mapping

Map NIS2 requirements to ISO 27001 Annex A controls. Cross-reference table and leverage synergies.

NIS2 and ISO 27001: Two Sides of the Same Coin

Organisations that already operate an Information Security Management System (ISMS) under ISO 27001 have a significant head start in NIS2 implementation. Approximately 70% of NIS2 requirements are covered by an ISO 27001-compliant ISMS. However, there are important differences: NIS2 imposes specific requirements on reporting obligations, governance, and supply chain depth that go beyond the scope of ISO 27001.

This mapping shows you measure by measure which ISO 27001 controls contribute to the NIS2 requirements and where you need to take additional action. This way, you avoid duplicate work and make optimal use of existing structures.

Why Consider ISO 27001 and NIS2 Together?

The NIS2 Implementation Act (NIS2UmsuCG) has been in force in Germany since 6 December 2025. Organisations that fall under NIS2 must implement its requirements. At the same time, ISO 27001 is the internationally recognised standard for information security management systems. Both frameworks pursue the same core objective: protecting network and information systems from threats. Viewing them in isolation leads to duplicate work, inconsistent processes, and higher costs.

ISO 27001 provides the management system (ISMS) that forms the structural framework: risk analysis, measure planning, effectiveness review, and continuous improvement. NIS2 provides the regulatory obligations: specific reporting deadlines, governance requirements, sanctions framework, and supervisory oversight. Together, they create a complete picture: the ISMS is the vehicle, NIS2 is the rules of the road.

The pragmatic advantage is clear: organisations that already operate a certified ISMS under ISO 27001 have approximately 70% of NIS2 requirements already covered. Instead of building a parallel compliance programme, you extend your existing ISMS with the NIS2-specific requirements. This not only saves resources but also creates a consistent documentation base for audits and supervisory inspections.

Organisations without ISO 27001 certification also benefit from the combined view. ISO 27001 offers a proven methodology that serves as a blueprint for NIS2 implementation. The Annex A controls can be directly mapped to the NIS2 measures under Art. 21, significantly simplifying planning.

Cross-Reference: NIS2 Art. 21 to ISO 27001 Annex A

The following table maps the ten measures listed in Art. 21(2) of the NIS2 Directive to the relevant controls from ISO 27001:2022 Annex A (and, where a requirement sits in the management system itself rather than in Annex A, to the corresponding ISO 27001 clause). The mapping is based on a content analysis of the requirements and serves as guidance for integrated implementation.

Mapping of NIS2 measures under Art. 21(2) to ISO 27001:2022 Annex A controls

NIS2 Art. 21 Measure | ISO 27001:2022 Annex A Controls | Coverage Level
Risk analysis and security policies | A.5.1 (Policies for information security), A.5.10 (Acceptable use of information and other associated assets), A.5.12 (Classification of information); risk assessment and treatment under Clauses 6.1.2, 6.1.3 and 8.2 | High
Incident handling | A.5.24 (Incident management planning and preparation), A.5.25 (Assessment and decision on information security events), A.5.26 (Response to information security incidents), A.6.8 (Information security event reporting) | Medium*
Business continuity and crisis management | A.5.29 (Information security during disruption), A.5.30 (ICT readiness for business continuity) | High
Supply chain security | A.5.19 (Information security in supplier relationships), A.5.20 (Addressing information security within supplier agreements), A.5.21 (Managing information security in the ICT supply chain), A.5.22 (Monitoring, review and change management of supplier services) | Medium*
Security in acquisition, development and maintenance, including vulnerability handling and disclosure | A.8.8 (Management of technical vulnerabilities), A.8.9 (Configuration management), A.8.20 (Networks security), A.8.21 (Security of network services), A.8.22 (Segregation of networks), A.8.25 (Secure development life cycle), A.8.26 (Application security requirements) | High
Assessing the effectiveness of risk-management measures | Clause 9 (Performance evaluation), Clause 10 (Improvement), internal audits; A.5.35 (Independent review of information security) | High
Cyber hygiene and training | A.6.3 (Information security awareness, education and training) | High
Cryptography | A.8.24 (Use of cryptography) | High
Personnel security, access control and asset management | A.6.1 (Screening), A.6.2 (Terms and conditions of employment), A.5.9 (Inventory of information and other associated assets), A.5.15 (Access control), A.5.16 (Identity management), A.5.17 (Authentication information), A.5.18 (Access rights), A.8.2 (Privileged access rights), A.8.3 (Information access restriction) | High
Multi-factor authentication | A.8.5 (Secure authentication) | High

* Medium: ISO 27001 covers the fundamentals, but NIS2 imposes additional specific requirements (e.g. tiered reporting deadlines, depth of supply chain assessment).

What this table demonstrates: Most NIS2 measures have a direct counterpart in ISO 27001. For eight of ten measures, the coverage level is high. This does not mean no additional work is required, but the basic structures already exist. For the two measures with medium coverage (incident handling and supply chain), you need to make targeted adjustments. Details can be found in the gaps section below.

Benefits of Combined Implementation

The high overlap between NIS2 and ISO 27001 offers significant synergy potential. Organisations that implement both requirements in an integrated manner benefit in multiple ways:

Approximately 70% Overlap

As the mapping table shows, most NIS2 measures are addressed by existing ISO 27001 controls. Organisations with a certified ISMS do not need to build parallel structures but can extend their existing system. This saves considerable effort during initial implementation and reduces ongoing operational costs.

ISO 27001 as a Framework for NIS2

ISO 27001 provides, with the PDCA cycle (Plan-Do-Check-Act), the risk management process, and the requirement for internal audits, exactly the management structure that NIS2 presupposes. You can integrate NIS2 requirements as additional controls into your existing ISMS rather than building a separate compliance framework.

In practice, this means: Extend your Statement of Applicability (SoA) with the NIS2-specific requirements. Integrate the NIS2 reporting deadlines into your existing incident management process. Use your ISO 27001 risk analysis as the basis for the NIS2 risk analysis.

Reuse Audit Evidence

Evidence you create for ISO 27001 certification can largely be reused for NIS2 audits and supervisory inspections. This includes risk analyses, security policies, audit reports, training records, and measure tracking. A GRC tool like Kopexa enables you to capture evidence once and reference it for both frameworks.

Gaps: What ISO 27001 Does Not Cover

Despite the high overlap, there are NIS2-specific requirements that an ISO 27001 ISMS alone does not fulfil. You must address these gaps in a targeted manner. Assuming that ISO 27001 certification automatically means NIS2 compliance carries significant risk.

NIS2 requirements without a direct equivalent in ISO 27001

NIS2 Requirement | ISO 27001 Status | Action Required
Tiered reporting deadlines (24h / 72h / 30 days) | Not defined (A.5.24 to A.5.26 cover incident handling, not notification of authorities) | High
Registration with the supervisory authority | Not provided | High
Personal liability of senior management | No equivalent | High
Supply chain depth (entire ICT supply chain) | Partial (A.5.19 to A.5.22) | Medium
Cybersecurity training for executives | General only (Clauses 5.1, 7.2 and 7.3: leadership, competence, awareness) | Medium
Sector-specific obligations | Not provided | Variable

Tiered Reporting Obligations

NIS2 (Art. 23) defines strict, tiered deadlines for reporting significant incidents: an early warning within 24 hours and an incident notification within 72 hours, both counted from the moment the entity becomes aware of the significant incident, and a final report no later than one month (30 days) after the incident notification has been submitted. ISO 27001 requires incident management (A.5.24 to A.5.26) but defines no reporting deadlines to authorities. You must extend your incident response process with the authority notification chain, including the criteria by which an incident is classified as significant, prepare reporting templates, and ensure that responsible persons are reachable around the clock. A dry run (tabletop exercise) at least twice a year is strongly recommended to test compliance with the 24-hour deadline under realistic conditions.

Authority Registration and NIS2 Declaration

Affected entities must register with the supervisory authority and provide specific information: contact details, sector, entity type, IP address ranges, and details of the services provided. Essential entities must additionally submit a NIS2 declaration confirming that the requirements are being implemented. This regulatory obligation does not exist in ISO 27001. Registration is not a one-time task: changes to registered information must be reported to the authority without delay.

Executive Liability

Personal liability of senior management under Art. 20 NIS2 has no equivalent in ISO 27001. While ISO 27001 requires top management commitment in Clause 5.1, the standard does not provide for personal liability in the event of a breach of duty. Under NIS2, senior management must be actively involved in governance, formally approve risk management measures, oversee their implementation, and participate in cybersecurity training. In the event of a breach of duty, they are liable with their personal assets. This liability cannot be contractually excluded. Details can be found on our NIS2 Penalties and Executive Liability page.

Supply Chain Depth

ISO 27001 addresses supplier relationships through controls A.5.19 to A.5.22. NIS2 goes significantly further in the required depth and breadth. NIS2 expects you to assess not only your direct suppliers but also their security practices and the entire ICT supply chain within your risk analysis. This includes sub-contractors, open-source components, and cloud providers throughout the chain. You must be able to demonstrate that you systematically assess the cybersecurity risks of your supply chain and have appropriate contractual agreements with your suppliers. Our NIS2 Requirements page describes the details.

Sector-Specific Obligations

Depending on the industry, additional sector-specific requirements may apply that are not covered by either ISO 27001 or the general NIS2 measures. For sectors such as energy, health, transport, and digital infrastructure, implementing acts adopted by the EU Commission under NIS2 or national regulations may define additional technical and organisational requirements. These must then be implemented in addition to the general NIS2 obligations.

Practical Implementation Approach

If you already operate a certified ISMS under ISO 27001, you do not need a second management system. The most efficient path to NIS2 compliance is through extending your existing ISMS. The following steps show you the concrete path:

Step 1: Conduct a Gap Analysis

Compare your existing Statement of Applicability (SoA) with the ten measures under Art. 21 NIS2. For each measure, identify whether it is covered by existing controls, partially covered, or completely missing. Use the mapping table above as a starting point. Document the gaps in a structured manner, ideally in your GRC tool.

Step 2: Extend the SoA with NIS2 Controls

Extend your SoA with the identified NIS2-specific requirements. Create a control for each gap with clear ownership, implementation deadline, and evidence requirements. The new controls should be integrated into the existing control structure, not placed as a separate block alongside it. This keeps your ISMS consistent and auditable.

Step 3: Adapt the Incident Response Process

Integrate the NIS2 reporting deadlines into your existing incident management process. Define clear escalation paths that ensure an early warning can be submitted to the authority within 24 hours. Prepare reporting templates. Designate responsible persons who are reachable around the clock. Test the process at least semi-annually with a simulated notification.
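The deadline arithmetic behind Step 3 and the Tiered Reporting Obligations section is easy to get wrong in a ticketing system: the 24-hour and 72-hour clocks run from the moment of becoming aware of the significant incident, while the final-report clock runs from when the incident notification was actually submitted, and a naive (timezone-less) timestamp silently shifts every deadline. The following Python tracker is an added example written for this page; it is not code from Kopexa or from any GRC product. It assumes the deadlines stated above (using the page's 30-day figure for the final report) and uses a constructed sample incident; the function and field names are this example's own.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reporting clocks as stated on this page and in Art. 23(4) NIS2:
# early warning and incident notification count from the moment the entity
# becomes aware of the significant incident; the final report counts from the
# submission of the incident notification. The page gives the final-report
# window as 30 days (the directive wording is "one month").
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)


def _utc(ts: datetime) -> datetime:
    """Reject naive timestamps: a 24h clock computed in the wrong zone is a missed deadline."""
    if ts.tzinfo is None or ts.utcoffset() is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc)


@dataclass(frozen=True)
class Deadline:
    stage: str
    due: datetime
    submitted: Optional[datetime] = None

    def status(self, now: datetime) -> str:
        """'met' or 'late' once submitted; otherwise 'open' or 'overdue' relative to now."""
        if self.submitted is not None:
            return "met" if self.submitted <= self.due else "late"
        return "overdue" if _utc(now) > self.due else "open"


def nis2_deadlines(
    aware_at: datetime,
    early_warning_at: Optional[datetime] = None,
    notification_at: Optional[datetime] = None,
    final_report_at: Optional[datetime] = None,
) -> list[Deadline]:
    """Compute the three Art. 23 deadlines for one significant incident (all in UTC)."""
    aware = _utc(aware_at)
    ew_sub = _utc(early_warning_at) if early_warning_at else None
    no_sub = _utc(notification_at) if notification_at else None
    fr_sub = _utc(final_report_at) if final_report_at else None
    notification = Deadline("incident notification", aware + INCIDENT_NOTIFICATION, no_sub)
    # The final-report clock starts at the actual notification submission. Until the
    # notification is sent, its own deadline (the latest possible start) is used, so the
    # estimate can only move earlier, never later, once the notification goes out.
    anchor = no_sub if no_sub is not None else notification.due
    return [
        Deadline("early warning", aware + EARLY_WARNING, ew_sub),
        notification,
        Deadline("final report", anchor + FINAL_REPORT, fr_sub),
    ]


def breaches(deadlines: list[Deadline], now: datetime) -> list[str]:
    """Stages that were submitted late or are still open past their deadline."""
    return [d.stage for d in deadlines if d.status(now) in ("late", "overdue")]


def next_due(deadlines: list[Deadline], now: datetime) -> Optional[Deadline]:
    """The earliest still-open stage, i.e. what the on-call responder must act on next."""
    open_stages = [d for d in deadlines if d.submitted is None]
    return min(open_stages, key=lambda d: d.due) if open_stages else None


if __name__ == "__main__":
    # Constructed sample incident (not a real case): the SOC confirms a significant
    # incident at 15:00 CET; the early warning leaves 2.5 hours after its deadline.
    cet = timezone(timedelta(hours=1))
    timeline = nis2_deadlines(
        aware_at=datetime(2026, 1, 10, 15, 0, tzinfo=cet),
        early_warning_at=datetime(2026, 1, 11, 17, 30, tzinfo=cet),
        notification_at=datetime(2026, 1, 13, 10, 0, tzinfo=cet),
    )
    now = datetime(2026, 1, 14, 11, 0, tzinfo=cet)
    for d in timeline:
        print(f"{d.stage:22s} due {d.due:%Y-%m-%d %H:%M} UTC  {d.status(now)}")
    print("breaches:", breaches(timeline, now))
    nd = next_due(timeline, now)
    print("next due:", nd.stage if nd else "none")
```

In the sample run the early warning is recorded as late, the notification as met, and the final report as open, with its due date anchored on the notification's submission time rather than on the 72-hour deadline. Wiring `breaches()` into the incident ticket as a blocking check, and paging on `next_due()` well before each deadline, is the kind of evidence an auditor will ask for when testing the semi-annual simulated notification.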

Step 4: Adapt Governance Structures

Ensure that senior management is formally integrated into NIS2 governance. This means: regular reporting to senior management on the state of cybersecurity, formal approval of risk management measures by senior management (documented and signed), demonstrated participation of senior management in cybersecurity training, and resolution protocols documenting the active involvement of senior management in security-relevant decisions.

Step 5: Deepen Supply Chain Assessment

Extend your existing supplier assessment under A.5.19 to A.5.22 with the NIS2-specific requirements. Identify all critical ICT suppliers and their sub-contractors. Systematically assess their cybersecurity practices. Embed security requirements and reporting obligations in contracts. Conduct regular reviews of supply chain security and document the results as audit evidence.

Step 6: Authority Registration and Ongoing Obligations

Register with the supervisory authority and provide the required information. Establish a process that ensures changes to registered data are reported without delay. Plan resources for ongoing cooperation with the authority: responding to information requests, providing evidence, and participating in inspections.

The entire process can be significantly accelerated with a GRC tool like Kopexa. You can map the gap analysis, measure planning, evidence management, and supplier assessment in one system and use it for both frameworks (ISO 27001 and NIS2).

A comprehensive comparison of both frameworks can be found on our Comparison Page: ISO 27001 vs. NIS2. There we also discuss the strategic aspects of a combined certification and compliance strategy.

Have ISO 27001 and want to integrate NIS2?

We show you how to extend your existing ISMS with NIS2 requirements and leverage synergies optimally.
