NIS2 vs ISO 27001: A Gap Analysis You Can Act On
An ISO 27001 NIS2 mapping and gap analysis for European enterprises — where your ISMS already covers NIS2, and where it does not.
If you run a mature ISO 27001 information security management system, the arrival of the NIS2UmsG raises a fair and slightly anxious question: how much of this do we already have? The honest answer is encouraging — most of it — but the gap that remains is exactly the part that carries statutory deadlines, personal liability, and regulatory fines. This is the NIS2 vs ISO 27001 gap analysis we run with clients: not a marketing crosswalk, but a working method you can act on.
Key takeaways
- A certified ISO 27001 ISMS covers the large majority of NIS2's technical and organisational measures. It is the right foundation — but certification is not compliance with NIS2.
- The genuine gaps are statutory, not technical: BSI registration, the 24-hour / 72-hour / one-month incident reporting chain, mandatory supply-chain security clauses, and personal liability of management for approving and overseeing risk-management measures.
- Scope is the subtle trap. ISO 27001 scope is whatever you declare; NIS2 scope is fixed by law. If your ISMS scope is narrower than your regulated services, you have a gap even with a valid certificate.
- Treat NIS2 as a delta on top of the ISMS — extend scope, add the statutory reporting and registration processes, and tighten supplier contracts — rather than as a parallel programme.
- Fines reach EUR 10M or 2% of global turnover, and management is personally liable. The reporting timeline and the governance record are where unprepared organisations get caught.
Two regimes that look similar and behave differently
ISO 27001 is a voluntary international standard for an information security management system. You define the scope, you select controls, you are certified by an accredited certification body, and you maintain a continuous improvement cycle. Its strength is the management system itself: a disciplined, evidence-producing way of governing risk.
NIS2, transposed in Germany as the NIS2UmsG, is law. It applies from 6 December 2025 with no transition period, scope is decided by the legislator rather than by you, and non-compliance is a regulatory offence rather than a missed certification. The two regimes share most of their control content, which is why ISO 27001 is such a useful starting point — but they diverge sharply on three things: who decides the scope, what you must report and when, and who is personally accountable.
| Dimension | ISO 27001:2022 | NIS2 (NIS2UmsG) |
|---|---|---|
| Nature | Voluntary standard | Statutory obligation |
| Scope | Self-declared (statement of applicability) | Fixed by law to regulated services |
| Controls | Annex A, risk-driven selection | Article 21 minimum measures, mandatory |
| Incident reporting | Manage internally; no external deadline | 24h early warning, 72h detailed, 1 month final |
| Supply chain | A control objective | Mandatory security requirements you must impose |
| Accountability | Defined by your governance | Management personally liable for approval and oversight |
| Enforcement | Loss of certificate | Fines up to EUR 10M or 2% of global turnover |
| Registration | None | Mandatory BSI registration |
Where ISO 27001 already does the heavy lifting
The NIS2 Directive lists ten minimum measures in Article 21. When we map them against ISO 27001:2022 Annex A, most are already covered by a competent ISMS. This is the good news, and it is substantial.
| NIS2 Article 21 measure | ISO 27001:2022 coverage | Gap? |
|---|---|---|
| Risk analysis and information security policies | Clauses 6.1, 5.2; A.5.1 | Full |
| Incident handling | A.5.24–A.5.28 | Partial — reporting deadlines missing |
| Business continuity, backup, crisis management | A.5.29, A.5.30, A.8.13 | Mostly full |
| Supply chain security | A.5.19–A.5.22 | Partial — mandatory clauses missing |
| Security in acquisition, development, maintenance | A.8.25–A.8.29 | Full |
| Policies to assess effectiveness | Clause 9; A.5.35, A.5.36 | Full |
| Cyber hygiene and training | A.6.3, A.8.7 | Full |
| Cryptography and encryption | A.8.24 | Full |
| Human resources, access control, asset management | A.5.15–A.5.18, A.6.x, A.8.1–A.8.3 | Full |
| MFA, secured communications, emergency comms | A.5.14, A.8.5, A.8.20, A.8.21 | Full |
If your statement of applicability is honest and your controls operate as designed, six of these are effectively done. That is why we never recommend tearing up an ISMS to "do NIS2." The ISO 27001 NIS2 mapping above is the spine of the work — but read the "Gap?" column carefully, because the partials and the omissions are where the regulatory teeth are.
The four gaps that actually matter
1. Scope alignment
This is the gap most teams miss because their certificate feels like proof. ISO 27001 scope is whatever you wrote in your statement of applicability — it might be a single data centre, one product line, or the corporate IT function. NIS2 scope is fixed by law to the services that made you a regulated entity in the first place. If a regulated service sits outside your ISMS boundary, your certificate is valid and you still have a NIS2 gap. Aligning the two scopes — usually by extending the ISMS to cover all regulated services — is the first corrective action we recommend, and often the largest. If you have not yet confirmed which of your entities and services are in scope, start with the NIS2 scope test for the NIS2UmsG.
2. Statutory incident reporting
ISO 27001 requires you to manage incidents competently. It does not impose an external clock. NIS2 does, and it is unforgiving:
- Early warning to the competent authority within 24 hours of becoming aware of a significant incident.
- Detailed incident report within 72 hours, including an initial assessment, severity, and indicators of compromise.
- Final report within one month, with root cause, applied mitigations, and cross-border impact.
Your A.5.24–A.5.28 incident process probably produces the internal substance, but it almost certainly lacks the externally facing timeline, the notification routing, and the rehearsed decision on what counts as "significant." This is a procedural addition, not a new control set. Build it as a runbook and test it; our NIS2 incident reporting 24/72-hour runbook walks through the timeline in operational detail.
3. Supply-chain obligations
ISO 27001 treats supplier security as a control objective you may interpret. NIS2 makes it mandatory: you must assess and manage the security of your supply chain and impose security requirements on suppliers, with audit rights and incident-notification clauses flowing down your contracts. The gap here is contractual and operational — refreshing supplier risk assessments and amending agreements — rather than a deficiency in your existing A.5.19–A.5.22 controls.
4. Management accountability and registration
NIS2 makes management personally liable for approving and overseeing the risk-management measures. ISO 27001 expects leadership commitment but leaves the accountability model to your governance design. Under NIS2 you need a documented, dated record that management has approved the measures and exercises oversight — minutes, sign-offs, a standing agenda item. Separately, NIS2 requires registration with the BSI; the portal opened on 6 January 2026 and the deadline was 6 March 2026, but late registration remains mandatory and advisable. The BSI registration walkthrough covers the mechanics.
A practical gap-analysis method
When we run this with a client that already holds ISO 27001, the work is deliberately lean. We do not rebuild the ISMS; we measure the delta and close it.
- Confirm regulated scope. List the services and legal entities that fall under NIS2 by law. Lay them next to your ISO 27001 scope and statement of applicability and mark every regulated service that sits outside the current ISMS boundary.
- Map Article 21 to Annex A. Use the table above as your template. For each measure, record full, partial, or absent coverage and cite the operating evidence — not just the policy.
- Isolate the statutory-only obligations. Reporting timeline, supply-chain clauses, management approval record, and BSI registration. These are the items no control catalogue produces for you.
- Close procedural and contractual gaps. Write the incident-reporting runbook, amend supplier contracts, formalise the management approval and oversight record, and complete registration.
- Validate with evidence. Run a tabletop incident end to end. Capture the 24-hour and 72-hour timestamps, produce the draft reports, and assemble an evidence pack that satisfies both an ISO surveillance audit and a BSI inquiry.
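The reporting chain under "Statutory incident reporting" above and the "Validate with evidence" step both turn on the same thing: whether the timestamps from your tabletop land inside the 24-hour, 72-hour and one-month windows measured from the moment you became aware of the incident. The script below is an added example written for this article, not tooling from CC Conceptualise or the BSI; it takes a constructed tabletop record, computes the three statutory deadlines, and reports which stages were met and by what margin. The reading of "one month" as one calendar month (clamped to month end) is an assumption, since the article does not define it, and the timestamps in the sample are invented.

```python
"""Check tabletop incident timestamps against the NIS2 reporting chain."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Statutory windows as stated in the article, all measured from awareness.
EARLY_WARNING_WINDOW = timedelta(hours=24)
DETAILED_REPORT_WINDOW = timedelta(hours=72)


def add_one_month(moment: datetime) -> datetime:
    """Same day of the next month; clamped to the last day if that day does
    not exist (e.g. 30 Jan -> 28 Feb). Assumption: 'one month' means one
    calendar month, which the article leaves undefined."""
    year, month = (moment.year + 1, 1) if moment.month == 12 else (moment.year, moment.month + 1)
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


@dataclass
class TabletopRecord:
    """Timestamps captured during the exercise. None means 'never sent'."""
    aware_at: datetime
    early_warning_sent: Optional[datetime]
    detailed_report_sent: Optional[datetime]
    final_report_sent: Optional[datetime]


@dataclass
class DeadlineResult:
    stage: str
    deadline: datetime
    sent: Optional[datetime]
    met: bool
    margin: Optional[timedelta]  # positive = time to spare, negative = late


def _check_aware(label: str, moment: Optional[datetime]) -> None:
    # Naive datetimes silently shift by the local UTC offset; refuse them so
    # a 24-hour clock cannot be off by an hour at DST boundaries.
    if moment is not None and moment.tzinfo is None:
        raise ValueError(f"{label} must be timezone-aware")


def evaluate(record: TabletopRecord) -> list[DeadlineResult]:
    """Compute each statutory deadline and compare it with what was sent."""
    for label, moment in (
        ("aware_at", record.aware_at),
        ("early_warning_sent", record.early_warning_sent),
        ("detailed_report_sent", record.detailed_report_sent),
        ("final_report_sent", record.final_report_sent),
    ):
        _check_aware(label, moment)

    stages = [
        ("early_warning", record.aware_at + EARLY_WARNING_WINDOW, record.early_warning_sent),
        ("detailed_report", record.aware_at + DETAILED_REPORT_WINDOW, record.detailed_report_sent),
        ("final_report", add_one_month(record.aware_at), record.final_report_sent),
    ]
    results = []
    for stage, deadline, sent in stages:
        if sent is None:
            # A report that was never sent is a missed deadline, not an open one.
            results.append(DeadlineResult(stage, deadline, None, False, None))
            continue
        margin = deadline - sent
        results.append(DeadlineResult(stage, deadline, sent, margin >= timedelta(0), margin))
    return results


def missed_stages(record: TabletopRecord) -> list[str]:
    """Names of the stages that would have breached the statutory clock."""
    return [r.stage for r in evaluate(record) if not r.met]


# Constructed sample: a tabletop run in Berlin winter time (UTC+1). The
# detailed report goes out 1h45m after the 72-hour deadline; the awareness
# date (30 Jan) has no 30 Feb, so the final deadline clamps to 28 Feb.
CET = timezone(timedelta(hours=1))
SAMPLE = TabletopRecord(
    aware_at=datetime(2026, 1, 30, 9, 15, tzinfo=CET),
    early_warning_sent=datetime(2026, 1, 31, 8, 0, tzinfo=CET),
    detailed_report_sent=datetime(2026, 2, 2, 11, 0, tzinfo=CET),
    final_report_sent=datetime(2026, 2, 27, 16, 30, tzinfo=CET),
)

if __name__ == "__main__":
    for r in evaluate(SAMPLE):
        status = "met" if r.met else "MISSED"
        print(f"{r.stage:16} deadline {r.deadline.isoformat()}  {status}  margin {r.margin}")
```

Feed it the real timestamps from your exercise log and put the output in the evidence pack next to the draft reports; a negative margin on any stage is the finding to fix before the next run.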
In one recent engagement with a mid-sized logistics operator, the client arrived convinced their fresh ISO 27001 certificate "covered NIS2." It covered the controls well — but their ISMS scope excluded the very platform that placed them in scope, and their incident process had no external reporting timeline. Both were fixable in weeks precisely because the management system was already sound. That is the pattern we see repeatedly: ISO 27001 makes NIS2 a delta, not a programme.
How the two reinforce each other
Done well, this is not duplicated effort. NIS2 gives your ISMS a sharper, legally fixed scope and forces the reporting discipline that internal incident processes often lack. ISO 27001, in turn, gives NIS2 a mature management system, a defensible risk methodology, and a continuous audit trail — which is exactly what a BSI assessor wants to see. The right architecture is a single management system that satisfies both: one risk register, one control set, one evidence pipeline, with the NIS2 statutory processes bolted on as first-class citizens rather than a separate binder.
If you want to extend this thinking into your identity and access architecture, much of the NIS2 access-control and segmentation expectation aligns naturally with a Zero Trust approach.
FAQ
Does ISO 27001 certification make us NIS2 compliant? No. ISO 27001 is a strong foundation that covers most of the technical and organisational measures NIS2 requires, but it is not equivalent. NIS2 adds statutory obligations that no ISO certificate satisfies on its own — BSI registration, the 24-hour and 72-hour incident reporting timeline, mandatory supply-chain security clauses, and personal liability of management for approving and overseeing risk-management measures.
What is the biggest gap between an ISO 27001 ISMS and NIS2? Incident reporting and management accountability. ISO 27001 requires you to manage incidents, but it does not impose external reporting deadlines. NIS2 requires an early warning to the authority within 24 hours, a detailed report within 72 hours, and a final report within one month. Separately, NIS2 makes management personally liable for approving and supervising risk-management measures, which ISO leaves to your governance design.
How do we map ISO 27001 controls to NIS2 requirements? Start from the ten minimum measures in Article 21 of the NIS2 Directive and trace each to the relevant ISO 27001:2022 Annex A controls. Most map cleanly — risk management, access control, cryptography, business continuity, vulnerability handling. The exceptions are reporting timelines and governance accountability, which need procedural and contractual additions rather than new controls.
Can we use our existing ISMS as the basis for NIS2 compliance? Yes, and you should. A certified or well-run ISO 27001 ISMS gives you the management system, risk methodology, control set, and audit evidence that NIS2 assumes you already have. Treat NIS2 as a delta on top of the ISMS: extend the scope to the regulated services, add the statutory reporting and registration processes, and tighten supply-chain clauses.
Is ISO 27001 enough to satisfy a BSI audit under NIS2? An ISO 27001 certificate is strong supporting evidence and will shorten an audit, but it is not a substitute for demonstrating the specific NIS2 obligations. The BSI assesses whether your risk-management measures are appropriate and proportionate to the regulated services, whether reporting works in practice, and whether management has documented its approval and oversight. Certification does not exempt you from these.
Where do NIS2 and ISO 27001 genuinely diverge in scope? Scope is the subtle trap. ISO 27001 scope is whatever you declare in your statement of applicability; NIS2 scope is fixed by law to the services that make you a regulated entity. If your ISMS scope is narrower than your regulated services, you have a compliance gap even with a valid certificate. Aligning the two scopes is usually the first corrective action we recommend.
A clean ISO 27001 ISMS is the best possible starting point for NIS2 — but the delta is where the liability lives. If you would like a second pair of senior eyes on your gap analysis, or help turning the statutory requirements into working runbooks, our Zero Trust and security advisory team at CC Conceptualise has delivered exactly this for regulated European enterprises.