
Interpreting and Implementing NIS2 through the Lens of ISO 27001

NIS2 and ISO 27001 are closely intertwined. ISO 27001 touches NIS2 at many key points, so achieving the former facilitates compliance with the latter.

Author: Dr. Kilian Schmidt
Last updated: 28.2.2025

  • ISO 27001 and NIS2 share the common goal of improving cybersecurity, with ISO 27001 serving as an international standard that covers many of the measures required by NIS2
  • Risk assessment is a key component of both frameworks, with ISO 27001 offering flexibility based on a company’s risk appetite, while NIS2 defines specific requirements for essential and important entities
  • Incident management is emphasized in both approaches, with detailed processes and control mechanisms in ISO 27001 helping companies meet NIS2’s reporting obligations and response measures
  • While ISO 27001 partially addresses business continuity, compliance with NIS2 often requires additional standards such as ISO 22301 to fully cover sector-specific requirements and continuity plans

ISO 27001 and NIS2: Synergies and Strategies for Meeting Cybersecurity Requirements

NIS2 and ISO 27001 are closely intertwined. ISO 27001 covers many of NIS2's key points, so an organisation that has implemented the standard is well on the way to compliance with the Directive. While their approaches to cyber security differ, they share a common goal: enhancing cyber security and protecting critical information assets.

NIS2 recommends that organisations work with existing cybersecurity frameworks and standards to reach the required level of security. ISO 27001 can address a large majority of the cybersecurity requirements stated under NIS2. Nevertheless, gaps remain on each side that need to be addressed by additional measures.

Quick overview of the frameworks

ISO 27001

ISO 27001 is an international standard for information security management systems (ISMS). It specifies top-level management commitment, risk assessment, clear and concise information security policies, internal audits, and continuous evaluation and improvement of information security processes and controls as the key components of a comprehensive ISMS.

Organisations voluntarily choose to get certified against ISO 27001. Certification improves operational efficiency and regulatory compliance and demonstrates a commitment to protecting information assets and customer data. The standard is flexible: the security controls and implementation measures an organisation selects vary with its risk tolerance, industry, team size, resources, and the sensitivity and volume of the data it handles.

The NIS2 Directive

The NIS2 Directive is an updated version of the original NIS Directive, which the European Union introduced to improve the resilience and security of network and information systems in critical sectors. NIS2 defines two classes of entities: essential and important. Disruption to the operations of entities providing critical or essential services can severely disturb the functioning of the economy and public well-being. By comparison, service disruption at important entities is considered less critical.

NIS2 aims to increase cyber resilience levels across the EU, reduce resilience inconsistencies, and improve cooperation mechanisms among member states and at the Union level (Chapter 3, Article 14). The Directive includes two main articles—risk assessment and management (Article 21) and incident response preparedness and reporting obligations (Article 23)—that matter the most for companies that need to become compliant. Governance (Article 20) further aids in implementing Article 21 and promoting cybersecurity risk-management practices among employees.

How is ISO 27001 connected to NIS2?

Risk assessments

Both frameworks emphasise the importance of conducting risk assessments to identify and manage security risks. However, they differ in terms of flexibility.

ISO 27001 requires organisations to implement security controls in line with their risk appetite. For example, a small organisation with a small team and a large organisation with a multinational presence will have different risk management requirements. This affects the scope of each organisation's ISMS and the time it takes to become compliant or certified.

NIS2 requires both essential and important entities to conduct a risk assessment. The basic difference between the two categories lies in the required depth of the risk assessment and the sophistication of the threat detection and response mechanisms. Compared to important entities, essential entities must conduct a more in-depth risk assessment and implement enhanced defence mechanisms.

Incident response

Information security incidents can be triggered by malicious software, unauthorised access, data breaches, human error, a lack of security awareness or training, and more. Both ISO 27001 and NIS2 call for organisations to have incident response plans in place. Incident management ensures that cybersecurity incidents are resolved swiftly and that operations recover quickly.

NIS2 requires essential and important entities to inform national authorities—national competent authorities (NCA) or computer security incident response teams (CSIRTs)—and recipients of services about major disruptions to the security of their network and information systems. A significant incident under the NIS2 Directive is typically defined as an event that can substantially impact the continuity of essential services.

NIS2 encourages the adoption of best practices in incident management. It requires organisations to report significant incidents but does not prescribe a detailed methodology for doing so. ISO 27001 provides a structured process for identifying, assessing, and managing such incidents. Annex A 5.24 describes how organisations should create processes, establish incident response plans, define roles and responsibilities, and educate staff on dealing with incidents effectively.

The standard provides a well-guided roadmap for incident response management planning and preparation. It encompasses key aspects like incident identification, response, management, and recovery, which are elaborated under the following controls:

  • Assigning a responsible incident management team (Annex A 5.25)
  • Preparing for incident response (Annex A 5.26)
  • Documenting incidents and learning from them (Annex A 5.27)
  • Providing a process for employees to report incidents (Annex A 6.8)
  • Gathering incident data and alerts through technical logging and monitoring (Annex A 8.15 and 8.16)

Business continuity

Although both frameworks call for a risk-based approach, NIS2's purpose of ensuring business continuity for essential and important entities does not align well with ISO 27001-compliant companies that have a very high risk appetite.

NIS2 requires entities not only to protect their systems but also to have plans in place to maintain operations during and after a security incident. In this respect, ISO 27001 alone falls short of the expectations and requirements of NIS2, which are predominantly sector- and business-continuity-specific.

While ISO 27001 does include some elements of business continuity, it does not define a process for business continuity management. That is where complementary standards such as ISO 27002 (disaster recovery) and ISO 22301 (requirements for business continuity management systems) fill the gap and support compliance with NIS2.

Wrapping up: Achieving NIS2 compliance through ISO 27001

In short, the NIS2 Directive describes what organisations need to do, and ISO 27001 provides the tools and processes needed to meet those requirements. ISO 27001 certification does not guarantee compliance with NIS2. However, the "how" of ISO 27001 solves the "what" of NIS2 to a great extent.

The standard offers an effective governance framework for establishing an ISMS, which fulfils NIS2's requirement to implement a cyber and information security management system. The standard's management-led governance model also reinforces NIS2's requirement to involve top management in decision-making and accountability.

ISO 27001 also prepares organisations that are not currently subject to NIS2 for future requirements. British or American companies that supply to the EU are also covered by the Directive. Therefore, even as a supplier, you can use this internationally recognised framework as a baseline on which to build and ease compliance with NIS2.

Dr Kilian Schmidt

CEO & Co-Founder, Kertos GmbH

Dr. Kilian Schmidt developed a strong interest in legal processes early on. After studying law, he began his career as Senior Legal Counsel and Data Protection Officer at the Home24 Group. Following a position at Freshfields Bruckhaus Deringer, he moved to TIER Mobility, where as General Counsel he played a key role in building up the Legal and Public Policy department and in growing the company from one to 65 cities and from 50 to 800 employees. Motivated by the limited technological progress in the legal field and inspired by his advisory work at Gorillas Technologies, he co-founded Kertos to develop the next generation of European data protection technology.

About Kertos

Kertos is the modern backbone of the data protection and compliance activities of scaling companies. We enable our customers to implement integral data protection and information security processes in accordance with the GDPR, ISO 27001, TISAX®, SOC2 and many other standards quickly and cost-effectively through automation.
