And good news: we've compiled all the key insights in the white paper "ISO 27001 & NIS2: the differences and similarities " - perfect if you want to dive even deeper.
NIS2 & ISO 27001: a shared foundation
Both NIS2 and ISO 27001 have a clear goal: to protect organizations against cyber threats, data breaches and disruptions. Both take a risk-based approach and emphasize continuous improvement. Consider:
- Risk analyses
- Incident Management
- Access Management
- Information Security Policy
- Continuity plan
Yet there are also significant differences, and it is precisely those differences that mean an ISO 27001 certification alone is not sufficient for NIS2 compliance.
The main differences between NIS2 and ISO 27001
Obligation versus voluntary standard
- NIS2 is European legislation. Certain organizations are required by law to take measures.
- ISO 27001 is a voluntary standard for information security. Certification shows that you are serious about security, but it is not in itself a legal requirement.
Management responsibility
NIS2 not only looks at technology, but also explicitly sets requirements for governance: management bodies must approve and oversee the cybersecurity risk-management measures and can be held liable for negligence. ISO 27001 does require leadership commitment (clause 5), but contains no personal liability provisions.
Suppliers and supply chain responsibility
An NIS2 organization is responsible not only for its own security, but also for that of its suppliers. ISO 27001 does address supplier relationships, but NIS2 goes a step further: suppliers to NIS2 organizations must be able to demonstrate, for example through an information security policy or the NIS2 Quality Mark, that they have their information security in order.
Incident reporting: stricter under NIS2
NIS2 has a reporting requirement: for a significant incident you must send an early warning to the national CSIRT or competent authority within 24 hours and an incident notification within 72 hours, followed by a final report within one month. ISO 27001 requires that incidents are logged and evaluated, but sets no hard deadlines.
Crisis management and continuity
NIS2 demands clear procedures for backup management, crisis communication and business continuity. Whereas ISO 27001 remains primarily policy-based, NIS2 also requires practical implementation and review.
Zero Trust as a Standard
NIS2 names zero-trust principles and network segmentation among the basic cyber hygiene practices it expects; in practice that means measures such as microsegmentation, least privilege access and continuous authentication. In short, Zero Trust is based on the idea: "Never trust, always verify."
Three key components of this are:
- Microsegmentation: this is where you divide your network into small pieces (segments). As a result, even if an attacker gets in, he can't just reach everything; he is "stuck" in a small part of the network.
- Least privilege access: users and systems get access only to what they really need, and nothing more. That's how you limit damage if something goes wrong.
- Continuous authentication: instead of verifying identity once at login, the system keeps checking that the user is still who they claim to be, for example through behavior, location or device recognition.
ISO 27001 Annex A does cover access control and network segregation, but in less detail and less prescriptively.
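The three Zero Trust components above can be seen together in one policy decision. The following is an added example written for this page, not code from the original article or from any NIS2 or ISO tooling; the segment flows, roles and sessions are constructed sample data, and the function names are hypothetical. It evaluates every request with default deny: first the network segment flow (microsegmentation), then the role's permissions (least privilege), then whether device and location still match the session (continuous authentication).

```python
"""Toy zero-trust policy engine: every request is re-evaluated, nothing is
trusted because it was allowed earlier. Constructed example data, not from
the article."""
from __future__ import annotations
from dataclasses import dataclass

# Microsegmentation: only these (source, destination) segment flows exist.
# Anything not listed is denied, so a foothold in one segment stays there.
ALLOWED_FLOWS = {
    ("workstations", "web-frontend"),
    ("web-frontend", "app-tier"),
    ("app-tier", "database"),
}

# Least privilege: each role gets exactly the (resource, action) pairs it needs.
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read")},
    "dba": {("database", "read"), ("database", "write")},
}


@dataclass
class Session:
    user: str
    role: str
    device_id: str      # device fingerprint seen at login
    country: str        # location seen at login
    authenticated: bool = True


@dataclass
class Request:
    session: Session
    src_segment: str
    dst_segment: str
    resource: str
    action: str
    device_id: str      # device fingerprint seen on this request
    country: str        # location seen on this request


def segment_allowed(src: str, dst: str) -> bool:
    """Microsegmentation check: is this flow explicitly permitted?"""
    return (src, dst) in ALLOWED_FLOWS


def role_allows(role: str, resource: str, action: str) -> bool:
    """Least privilege check: unknown roles get an empty permission set."""
    return (resource, action) in ROLE_PERMISSIONS.get(role, set())


def context_unchanged(session: Session, req: Request) -> bool:
    """Continuous authentication: device and location must still match."""
    return session.device_id == req.device_id and session.country == req.country


def evaluate(req: Request) -> tuple[str, str]:
    """Return (decision, reason); decision is 'allow', 'deny' or 'reauth'."""
    s = req.session
    if not s.authenticated:
        return "deny", "session is not authenticated"
    if not segment_allowed(req.src_segment, req.dst_segment):
        return "deny", f"flow {req.src_segment}->{req.dst_segment} is not an allowed segment flow"
    if not role_allows(s.role, req.resource, req.action):
        return "deny", f"role {s.role} may not {req.action} {req.resource}"
    if not context_unchanged(s, req):
        # Invalidate the session until the user proves identity again;
        # the next request on this session is denied outright.
        s.authenticated = False
        return "reauth", "device or location changed since login"
    return "allow", "segment, privilege and context checks passed"


if __name__ == "__main__":
    dba = Session("alice", "dba", "dev-123", "NL")
    print(evaluate(Request(dba, "app-tier", "database", "database", "write", "dev-123", "NL")))
    print(evaluate(Request(dba, "workstations", "database", "database", "write", "dev-123", "NL")))
    print(evaluate(Request(dba, "app-tier", "database", "database", "write", "dev-999", "NL")))
    print(evaluate(Request(dba, "app-tier", "database", "database", "write", "dev-123", "NL")))
```

Note the order of checks: a request from a workstation straight to the database is rejected by the segment rule even for a user who holds the right role, and a changed device fingerprint turns an otherwise valid session into a re-authentication demand rather than a silent allow.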
ISO 27001 as a stepping stone to NIS2 compliance
Do you already have an ISO 27001 certificate? Then you have a good foundation. But ISO 27001 alone is not enough to fully comply with NIS2. Additional measures are needed, such as:
- Anchoring security responsibility at management level
- A comprehensive supply chain analysis
- Establishing incident response and reporting procedures with the NIS2 deadlines
- Meeting the more stringent documentation and reporting requirements
Combining NIS2 & ISO 27001? Download the whitepaper
Want to know how to use ISO 27001 smartly as the basis for your NIS2 implementation? Then download our comprehensive white paper 👉 Download
The white paper includes:
- A practical mapping between NIS2 and ISO 27001:2022
- Examples of measures
- A clear NIS2 checklist
NIS2 compliance without ISO 27001?
Of course, you can also choose to start an NIS2 implementation without the ISO 27001. Through our NIS2 GAP analysis (also called an NIS2 check or NIS2 quick scan) we map out where you are now and which steps you still need to take.
Are you a supplier to an NIS2 organization?
Then it might be an idea to look into the NIS2 Quality Mark (also called NIS2 QM: an NIS2 seal of approval for vendors). This is how you as a vendor show that you have cybersecurity in order according to NIS2.
Finally, don't wait too long
The deadline for NIS2 is fast approaching. By starting now with an integrated approach, you avoid a last-minute panic and reduce the risk of fines or reputational damage.
Looking for an NIS2 consultant? Let us help you with a clear approach without unnecessary complexity. Contact us for a free, no-obligation consultation.