Meeting NIS-2 Directives with ISO 27001 – How Companies Should Now Take a Strategic Approach
The EU’s new NIS-2 Directive raises cybersecurity requirements to an entirely new level. From 17 October 2024, significantly more companies have to meet strict requirements – including medium-sized industrial companies, IT service providers, critical suppliers, and organizations from energy, transport, healthcare, and many other sectors.
At the same time, we observe that many organizations are already considering implementing an Information Security Management System (ISMS) according to ISO 27001 – or are already certified. But is an ISO 27001 certification sufficient to comply with NIS-2? And how should companies strategically connect the two regulatory frameworks?
In this article, we provide practical insights into how NIS-2 and ISO 27001 are related – and why a properly implemented ISMS is the best path to NIS-2 compliance.
What is NIS-2 – and whom does it affect?
With the NIS-2 Directive, the EU aims to strengthen the resilience of digital infrastructure in Europe. The focus is on companies whose failure or compromise would have significant impacts on society, the economy, or security of supply.
The directive affects, among others:
- Energy, Transport, Health, Water, Finance
- Digital infrastructure, data centers, cloud and managed service providers
- Manufacturers of critical components (e.g., semiconductors, medical technology, mechanical engineering)
- IT service providers, software vendors, hosting companies
- Public entities
What’s new: Numerous medium-sized enterprises in the listed sectors (generally those with at least 50 employees or an annual turnover above EUR 10 million) are falling under this regulation for the first time.
What exactly does NIS-2 require?
Article 21 of NIS-2 sets out ten minimum risk-management measures; in practice they cover the following areas:
- Risk Analysis & Security Concepts
- Incident Response & Reporting Obligations
- Business Continuity & Emergency Planning
- Supply Chain Security
- Access Controls & Identity Management
- Cryptography, Network and System Hardening
- Patch Management
- Monitoring & Logging
- Training & Awareness
- Vulnerability Management
- Documentation and Evidence Requirements
In addition, there are extensive requirements for:
- Management responsibility (approval and oversight of the measures, mandatory training, and personal liability of management bodies)
- Minimum contractual, technical, and organizational requirements for suppliers and service providers
- Regular audits, controls, and reporting obligations towards the supervisory authorities
For many companies, this means: a structured management system is almost indispensable.
How does ISO 27001 fit in?
ISO 27001 is the globally recognized standard for implementing an effective Information Security Management System (ISMS). It defines:
- systematic risk analysis
- processes for governance, controls, and improvements
- technical, organizational, and physical security measures
- clear responsibilities
- audit and reporting structures
The parallels to NIS-2 are no coincidence.
Depending on the mapping used, a properly scoped ISO 27001 ISMS already covers roughly 80–90% of the NIS-2 measures; what remains is mostly the reporting and governance obligations described further below.
Key Overlaps:
| NIS-2 Requirement | ISO 27001:2022 Coverage |
|---|---|
| Risk Analysis | Clauses 6.1.2 and 8.2 (risk assessment), 6.1.3 and 8.3 (risk treatment) |
| Incident Response | Annex A.5.24–27 |
| Business Continuity | Annex A.5.29–30, A.8.13–14; ISO 22301 |
| Supply Chain Security | Annex A.5.19–23 |
| Access Management | Annex A.5.15–18, A.8.2–5 |
| Security Awareness | Annex A.6.3 |
| Technical Controls (Patch, Logging, Monitoring, Cryptography) | Annex A.8 (e.g., A.8.8, A.8.15, A.8.16, A.8.24) |
| Documentation & Evidence | Clause 7.5 (documented information), fundamental component of the ISMS |
Thus, ISO 27001 is one of the most efficient ways to comply with NIS-2.
Where ISO 27001 alone is not yet sufficient
NIS-2 goes beyond ISO 27001 in some aspects:
- Reporting Obligations & Communication Deadlines
NIS-2 (Article 23) mandates reporting of significant incidents to the national CSIRT or competent authority: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. ISO 27001 requires incident handling but sets no such deadlines.
→ These requirements must be explicitly supplemented in the incident response process.
- Management Liability
Under NIS-2 (Article 20), the management bodies must approve the security measures, oversee their implementation, and undergo training; they can be held personally liable for infringements.
→ ISO 27001 (Clause 5) requires top-management commitment, but it does not establish legal liability.
- Stricter Supply Chain Requirements
NIS-2 demands minimum contractual, technical, and organizational requirements for external partners.
→ A Supplier Security Framework becomes necessary.
- Sector-specific Requirements
Some sectors (e.g., energy, finance, or health) have additional regulations on top of NIS-2.
How Companies Efficiently Combine NIS-2 & ISO 27001
The most successful approach is an Integrated ISMS, where ISO 27001 serves as the foundation and NIS-2 extensions are built upon it.
Recommended Steps:
- Conduct a gap analysis
Which NIS-2 requirements are already met by the existing ISMS, and which are missing?
→ The result is a clear roadmap.
- Supplement NIS-2-specific processes
Incident reporting to the CSIRT or competent authority within the 24h/72h/one-month deadlines, management obligations, and supply chain controls.
- Modernize or establish the ISMS
Companies without an existing ISO 27001 certification should act now – the directive has applied since 17 October 2024 and national implementation laws are following.
- Conduct management training
Since the management bodies are personally liable and NIS-2 explicitly requires them to undergo training, this step is mandatory.
- Ensure documentation and auditability
Conduct regular internal audits, risk reviews, and external examinations.
Advantages of an ISO 27001-based NIS-2 Program
- Legal Certainty & Compliance
- Traceable and auditable processes
- Reduced effort for audits and reporting to the supervisory authorities
- Improved Cyber Risk Management
- Strengthening Market and Customer Perception
- Higher Resilience and Lower Damage Risks
A well-implemented ISMS is not just an obligation, but a competitive advantage.
Summary: ISO 27001 is the Most Efficient Path to NIS-2 Compliance
Companies already working with ISO 27001 have a clear advantage – they already meet a large part of the NIS-2 obligations.
For all others, now is the right time to build an ISMS. Not only to be compliant with the law, but to sustainably strengthen their own cyber resilience.

