If your organization already has ISO 27001 certification - or is working toward it - you’ve done a lot of the work NIS2 requires. The overlap between the two frameworks is around 70-80%. But “overlap” doesn’t mean “done.” The remaining 20-30% contains some of NIS2’s hardest requirements, and the mapping isn’t always obvious.

I’ve spent a lot of time helping organizations figure out exactly where their ISMS stops and NIS2 starts. This guide is the result: a control-by-control mapping that shows you what you already have, what needs adjustment, and what you need to build from scratch.

If you need background on NIS2 itself - scope, entity classification, penalties - read our NIS2 directive explainer first. For a checklist of every Article 20-25 requirement, see the NIS2 requirements checklist. This article assumes you know NIS2 applies to you and you want to leverage your existing ISO 27001 work.


Why map rather than start over?

Organizations that treat NIS2 as a completely separate compliance program from their ISMS end up with duplicated controls, parallel documentation, and two sets of evidence that say slightly different things. This is expensive and it makes audits harder, not easier.

NIS2 Recital 79 explicitly encourages the use of ISO 27001: “Member States should encourage the use of relevant European and international standards… including ISO/IEC 27001.” Regulators expect to see recognized standards as the foundation. Building on your ISMS is not a shortcut - it’s the intended approach.

The practical benefit: a single risk register, one Statement of Applicability (extended with NIS2 columns), one internal audit program, and a consolidated evidence repository. Organizations I’ve worked with that take this integrated approach spend roughly 30-40% less on NIS2 compliance than those building a parallel program.


The complete mapping: NIS2 Article 21 to ISO 27001

Article 21 is the core of NIS2’s technical requirements. It lists ten categories of cybersecurity measures. Here’s how each one maps to ISO 27001:2022.

(a) Risk analysis and information system security policies

NIS2 requires: Written policies on risk analysis and information system security.

ISO 27001 coverage: Full.

ISO 27001 control                                  What it covers
-------------------------------------------------  -------------------------------------
Clause 6.1 (Actions to address risks)              Risk assessment and treatment process
Clause 8.2 (Risk assessment)                       Performing risk assessments
Clause 8.3 (Risk treatment)                        Applying the risk treatment plan
A.5.1 (Policies for information security)          Management-approved security policy

Gap to close: Minimal. Check that your policy language explicitly mentions “network and information system security” rather than just “information security” generically. NIS2’s wording is specific, and an auditor may look for that alignment.

Action: Review your information security policy. If it already follows ISO 27001, you likely just need a minor wording update to reference NIS2 terminology. No structural changes needed.

(b) Incident handling

NIS2 requires: Processes for detecting, managing, responding to, and recovering from incidents.

ISO 27001 coverage: Partial - your incident management framework is there, but the external reporting obligations are not.

ISO 27001 control                                  What it covers
-------------------------------------------------  -------------------------------------
A.5.24 (Incident management planning)              Incident response plan
A.5.25 (Assessment of IS events)                   Triage and severity classification
A.5.26 (Response to IS incidents)                  Containment and response procedures
A.5.27 (Learning from incidents)                   Post-incident reviews
A.5.28 (Collection of evidence)                    Forensic evidence handling
A.6.8 (IS event reporting)                         Internal reporting channels
A.8.16 (Monitoring activities)                     Detection and monitoring

Gap to close: NIS2 Article 23 mandates external reporting to your national CSIRT: early warning within 24 hours, detailed notification within 72 hours, final report within one month. ISO 27001 requires you to handle incidents internally but does not prescribe these external timelines.

What to add:

  • Incident classification criteria aligned to NIS2’s “significant incident” definition (severe operational disruption, financial loss, or damage to others)
  • Pre-drafted reporting templates for all three stages (24h, 72h, final)
  • Identified reporting contacts at your national CSIRT
  • Internal escalation procedure that can trigger the 24-hour early warning reliably
  • A process tested at least once through a tabletop exercise

This is one of the areas where the gap hits hardest. Most ISO 27001 certified organizations have solid incident response internally but have never reported an incident to a government authority on a fixed timeline.
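The reporting clock described above, as an added example (not code from the article): it classifies an incident with the three criteria the article summarises, derives the 24-hour, 72-hour and one-month deadlines from the recorded detection time, and reports which stages are overdue. Assumptions are labelled in the code: the clock starts at the detection timestamp you record, "one month" is taken as the same day of the next calendar month (clamped to that month's last day), and the significance test uses only the article's summary, not the full Article 23 definition.

```python
"""NIS2 Article 23 reporting clock for a significant incident.

Added example, not from the article. Assumptions: the clock starts at the
timestamp you record as detection (detected_at); "one month" is taken as the
same day of the next calendar month, clamped to that month's last day; the
significance test uses only the three criteria the article summarises, not
the full Article 23 definition.
"""
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def utc(iso):
    """Parse an RFC 3339 UTC timestamp such as 2025-03-31T10:00:00Z."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).astimezone(timezone.utc)


@dataclass
class Incident:
    detected_at: datetime                  # must be timezone-aware
    severe_operational_disruption: bool = False
    financial_loss: bool = False
    damage_to_others: bool = False


def is_significant(inc):
    """External reporting applies only to significant incidents."""
    return inc.severe_operational_disruption or inc.financial_loss or inc.damage_to_others


def add_one_month(ts):
    """Same day next calendar month, clamped to the last day (assumption)."""
    year, month = (ts.year, ts.month + 1) if ts.month < 12 else (ts.year + 1, 1)
    return ts.replace(year=year, month=month, day=min(ts.day, monthrange(year, month)[1]))


def reporting_deadlines(inc):
    """Return {stage: deadline}; empty when no external report is due."""
    if inc.detected_at.tzinfo is None:
        raise ValueError("detected_at must be timezone-aware; a naive clock misses deadlines")
    if not is_significant(inc):
        return {}
    t = inc.detected_at
    return {
        "early_warning": t + timedelta(hours=24),
        "incident_notification": t + timedelta(hours=72),
        "final_report": add_one_month(t),
    }


def hours_remaining(inc, now):
    """Hours left per stage at time `now`; negative means overdue."""
    return {stage: (deadline - now) / timedelta(hours=1)
            for stage, deadline in reporting_deadlines(inc).items()}


def overdue_stages(inc, now):
    """Stages whose deadline has already passed at `now`."""
    return [stage for stage, h in hours_remaining(inc, now).items() if h <= 0]


if __name__ == "__main__":
    # Constructed sample: a financial-loss incident detected on 31 March, checked two days later.
    inc = Incident(detected_at=utc("2025-03-31T10:00:00Z"), financial_loss=True)
    now = utc("2025-04-02T09:00:00Z")
    for stage, h in hours_remaining(inc, now).items():
        print(f"{stage:22} {'OVERDUE by' if h <= 0 else 'due in'} {abs(h):.1f} h")
```

The timezone check is deliberate: a naive timestamp read from a ticketing system in local time silently shifts the 24-hour deadline, and the calendar-month clamp is what turns a 31 March detection into a 30 April final report rather than an invalid date.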

(c) Business continuity, backup, disaster recovery, crisis management

NIS2 requires: Backup management, disaster recovery, and crisis management processes.

ISO 27001 coverage: Partial - good on BCP and backup, but NIS2 expects more on crisis management.

ISO 27001 control                                  What it covers
-------------------------------------------------  -------------------------------------
A.5.29 (IS during disruption)                      Maintaining security during business disruptions
A.5.30 (ICT readiness for business continuity)     IT disaster recovery planning
A.8.13 (Information backup)                        Backup policies and procedures
A.8.14 (Redundancy of information processing)      High availability

Gap to close: NIS2 explicitly requires “crisis management” as a distinct capability. ISO 27001 covers business continuity and IT disaster recovery, but most ISMS implementations don’t include a formal crisis management structure - who makes decisions, how communication flows during a major cyber incident, how you coordinate with external parties.

What to add:

  • Crisis management plan separate from (or extending) your BCP
  • Defined crisis team with named roles and decision authority
  • Crisis communication plan covering internal, external, regulatory, and media channels
  • Cyber-specific crisis scenarios (ransomware, supply chain compromise, data breach) tested through exercises

If your BIA and BCP are solid, the gap here is mostly about governance during a crisis, not the technical recovery. Our BIA Calculator can help you define recovery priorities if you haven’t done that yet.

(d) Supply chain security

NIS2 requires: Security measures for relationships with direct suppliers and service providers.

ISO 27001 coverage: Partial - your supplier management controls are a foundation, but NIS2 expects more depth.

ISO 27001 control                                  What it covers
-------------------------------------------------  -------------------------------------
A.5.19 (IS in supplier relationships)              Security requirements for suppliers
A.5.20 (IS within supplier agreements)             Contractual security clauses
A.5.21 (Managing IS in ICT supply chain)           ICT supply chain risk management
A.5.22 (Monitoring/review of supplier services)    Ongoing supplier monitoring
A.5.23 (IS for cloud services)                     Cloud-specific security requirements

Gap to close: NIS2 Article 21(3) goes significantly deeper than ISO 27001:

  • You must assess vulnerabilities specific to each direct supplier - not generic risk categories
  • You must evaluate the “overall quality of products and cybersecurity practices of their suppliers,” including secure development procedures
  • You must consider results from EU-level coordinated supply chain risk assessments (Article 22)
  • The expectation is that security requirements cascade through contracts to Tier 2 and Tier 3 suppliers

Most ISO 27001 implementations handle Tier 1 supplier assessments well. The NIS2 gap is about going deeper: understanding how your suppliers manage their own suppliers, and building contractual language that flows down the chain.

What to add:

  • Supplier-specific vulnerability assessments (not just a questionnaire - look at their actual risk profile)
  • Evaluation of supplier secure development practices for any software or ICT product you depend on
  • Contract clauses requiring suppliers to apply equivalent security measures to their own subcontractors
  • Process for incorporating EU coordinated assessment results into your supplier risk reviews

Our vendor security management guide covers the operational process, and the free Supplier Risk Assessment tool provides a structured scoring framework that covers NIS2-depth requirements.

(e) Security in acquisition, development, and maintenance

NIS2 requires: Security throughout the system lifecycle, including vulnerability handling and disclosure.

ISO 27001 coverage: Full.

ISO 27001 control                                  What it covers
-------------------------------------------------  -------------------------------------
A.8.25 (Secure development lifecycle)              SDLC security requirements
A.8.26 (Application security requirements)         Security specs for applications
A.8.27 (Secure system architecture)                Security-by-design principles
A.8.28 (Secure coding)                             Coding standards
A.8.29 (Security testing)                          SAST, DAST, pen testing
A.8.30 (Outsourced development)                    Third-party development oversight
A.8.31 (Separation of environments)                Dev/test/prod separation
A.8.8 (Management of technical vulnerabilities)    Vulnerability scanning and patching
A.8.9 (Configuration management)                   Secure baseline configurations

Gap to close: Minimal. One thing to check: NIS2 expects participation in coordinated vulnerability disclosure. This means having a process for receiving vulnerability reports from external researchers and coordinating disclosure timelines with CSIRTs. Most ISO 27001 implementations focus on internal vulnerability management and may not have a public disclosure policy.

Action: If you develop software or run public-facing services, create a vulnerability disclosure policy (even a simple security.txt file) and designate a contact for external reports.
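The security.txt file recommended here (and again under "Coordinated vulnerability disclosure" and in the roadmap) is defined by RFC 9116. The following is an added example, not the article's code: it renders a minimal file and checks one for the mistakes that most often make it useless, a missing or expired Expires field, a Contact that is not a URI, or an unknown field. All contacts, URLs and dates are constructed sample values under example.com.

```python
"""security.txt (RFC 9116) generator and checker.

Added example, not from the article. RFC 9116 defines the file the article
recommends; it is served at /.well-known/security.txt. Contacts, URLs and
dates below are constructed sample values (example.com).
"""
from datetime import datetime, timedelta, timezone

REQUIRED = ("contact", "expires")
KNOWN = set(REQUIRED) | {"acknowledgments", "canonical", "encryption", "hiring",
                         "policy", "preferred-languages"}
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")   # RFC 9116: Contact is a URI


def parse_rfc3339(value):
    """Parse an RFC 3339 timestamp; 'Z' is accepted as UTC."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def render_security_txt(contacts, expires, policy=None, canonical=None):
    """Build a minimal file: one Contact per channel, one Expires,
    optional Policy and Canonical, all values as URIs."""
    lines = [f"Contact: {c}" for c in contacts]
    lines.append("Expires: " + expires.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"))
    if policy:
        lines.append(f"Policy: {policy}")
    if canonical:
        lines.append(f"Canonical: {canonical}")
    return "\n".join(lines) + "\n"


def parse_security_txt(text):
    """Return (name, value) pairs; names are case-insensitive, '#' starts a comment."""
    fields = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        fields.append((name.strip().lower(), value.strip()) if sep else ("?", line))
    return fields


def check_security_txt(text, now):
    """Return a list of findings; an empty list means the file passes."""
    findings = []
    fields = parse_security_txt(text)
    names = [n for n, _ in fields]
    for req in REQUIRED:
        if req not in names:
            findings.append(f"missing required field: {req.title()}")
    if names.count("expires") > 1:
        findings.append("Expires must appear exactly once")
    for name, value in fields:
        if name == "?":
            findings.append(f"malformed line: {value!r}")
        elif name not in KNOWN:
            findings.append(f"unknown field: {name}")
        elif name == "contact" and not value.startswith(CONTACT_SCHEMES):
            findings.append(f"Contact is not a URI: {value}")
        elif name == "expires":
            try:
                exp = parse_rfc3339(value)
            except ValueError:
                findings.append(f"Expires is not an RFC 3339 timestamp: {value}")
                continue
            if exp.tzinfo is None:
                findings.append("Expires lacks a timezone offset")
            elif exp <= now:
                findings.append("security.txt has expired")
            elif exp > now + timedelta(days=366):
                findings.append("Expires is more than a year away; RFC 9116 recommends less")
    return findings


def sample_file():
    """Constructed sample for example.com (hypothetical contacts and URLs)."""
    return render_security_txt(
        ["mailto:security@example.com", "https://example.com/report-a-vulnerability"],
        parse_rfc3339("2026-06-01T00:00:00Z"),
        policy="https://example.com/security-policy",
        canonical="https://example.com/.well-known/security.txt")


if __name__ == "__main__":
    text = sample_file()
    print(text)
    print(check_security_txt(text, parse_rfc3339("2026-01-01T00:00:00Z")) or "OK")
```

Run the checker against your published file on a schedule: the Expires field is the part that rots, and an expired security.txt tells a researcher the channel is unattended.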

(f) Policies to assess effectiveness of cybersecurity measures

NIS2 requires: You must verify that your security measures actually work.

ISO 27001 coverage: Full.

ISO 27001 control                                  What it covers
-------------------------------------------------  -------------------------------------
Clause 9.1 (Monitoring, measurement, analysis)     Performance metrics
Clause 9.2 (Internal audit)                        Regular internal audits
Clause 9.3 (Management review)                     Leadership review of ISMS performance
A.5.35 (Independent review of IS)                  Third-party assessments
A.5.36 (Compliance with IS policies)               Compliance checking

Gap to close: None for most organizations. ISO 27001’s Plan-Do-Check-Act cycle and mandatory internal audit program satisfy this requirement. If you’re maintaining your certification, you’re already doing this.

(g) Basic cyber hygiene practices and cybersecurity training

NIS2 requires: Training for all employees and management.

ISO 27001 coverage: Partial - the training framework exists, but NIS2 is more prescriptive about who must be trained.

ISO 27001 control                                  What it covers
-------------------------------------------------  -------------------------------------
Clause 7.2 (Competence)                            Role-based competency requirements
Clause 7.3 (Awareness)                             General security awareness
A.6.3 (IS awareness, education, training)          Training program

Gap to close: NIS2 Article 20 specifically requires that management body members undergo cybersecurity training - not just general awareness, but enough to “identify risks and assess cybersecurity risk-management practices.” ISO 27001 treats training broadly and doesn’t single out board members.

NIS2 also uses the term “basic cyber hygiene practices,” which implies a formally defined baseline rather than generic awareness.

What to add:

  • Documented cybersecurity training for board/management members (with attendance records and completion certificates)
  • Defined “basic cyber hygiene” standard for the organization (password hygiene, phishing awareness, device security, clean desk, etc.)
  • Evidence that the hygiene standard is communicated, not just documented

(h) Cryptography and encryption policies

NIS2 requires: Policies governing the use of cryptography and, where appropriate, encryption.

ISO 27001 coverage: Full.

ISO 27001 control                                  What it covers
-------------------------------------------------  -------------------------------------
A.8.24 (Use of cryptography)                       Cryptographic policy and key management

Gap to close: Minimal. Make sure your cryptography policy covers both data at rest and data in transit, and that you document key management procedures. If your national transposition law introduces specific encryption mandates (some countries may), adjust accordingly.

(i) Human resources security, access control, and asset management

NIS2 requires: Controls for who has access, how access is managed through the employee lifecycle, and what assets you have.

ISO 27001 coverage: Full.

ISO 27001 control                                  What it covers
-------------------------------------------------  -------------------------------------
A.5.9-5.13                                         Asset inventory, acceptable use, return, classification, labeling
A.5.14-5.18                                        Information transfer, access control, identity management, authentication, access rights
A.6.1-6.6                                          Screening, employment terms, awareness, disciplinary, termination, confidentiality
A.8.1-8.5                                          User devices, privileged access, access restriction, source code access, secure authentication

Gap to close: None for most organizations. This is one of ISO 27001’s strongest areas. If you maintain your asset inventory (A.5.9), run regular access reviews, and have joiner/mover/leaver processes, you’re covered.

Our asset management guide covers building an inventory that holds up under both ISO 27001 audits and NIS2 supervision.

(j) Multi-factor authentication and secured communications

NIS2 requires: MFA or continuous authentication, secured voice/video/text communications, and secured emergency communication systems.

ISO 27001 coverage: Partial - A.8.5 covers authentication but isn’t explicit about MFA.

ISO 27001 control                                  What it covers
-------------------------------------------------  -------------------------------------
A.8.5 (Secure authentication)                      Authentication mechanisms generally

Gap to close: ISO 27001 requires “secure authentication” but doesn’t specifically mandate MFA. NIS2 calls out MFA by name, plus two additional requirements most ISMS implementations miss:

  1. Secured communications - voice, video, and text channels must be protected. For most organizations this means encrypted messaging, encrypted video conferencing, and TLS everywhere.
  2. Secured emergency communications - you need communication channels that work even when your primary systems are compromised. If your incident response relies on Slack and your infrastructure is down, you have a problem.

What to add:

  • MFA policy defining where MFA is required (at minimum: remote access, privileged accounts, critical systems)
  • Risk-based exceptions with documented justification for any system without MFA
  • Encrypted communication tools for day-to-day operations
  • Out-of-band emergency communication plan (mobile phones, dedicated emergency channel separate from corporate infrastructure)
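The whole Article 21 mapping above, reduced to the single extended Statement of Applicability the article argues for: one SoA that holds both the ISO 27001 controls and the NIS2-only additions, and a coverage calculation per NIS2 measure. This is an added example, not code from the article or from CISO Assistant. MAPPING reproduces the clauses and controls listed in the tables above; the "NIS2-*" identifiers are hypothetical SoA rows standing in for the "What to add" items, and the sample SoA statuses are constructed.

```python
"""One SoA, two frameworks: coverage of NIS2 Article 21(2) measures.

Added example (not from the article or CISO Assistant). MAPPING reproduces
the ISO 27001:2022 clauses/controls listed per measure in the article's
tables; "NIS2-*" identifiers are hypothetical SoA rows for the additions the
article lists under "What to add" (no ISO equivalent). SoA statuses are
constructed sample data.
"""


def _span(prefix, lo, hi):
    """Expand a control range such as A.5.9-5.13 into individual IDs."""
    return [f"{prefix}{n}" for n in range(lo, hi + 1)]


MAPPING = {
    "(a) Risk analysis and IS policies": ["6.1", "8.2", "8.3", "A.5.1"],
    "(b) Incident handling": ["A.5.24", "A.5.25", "A.5.26", "A.5.27", "A.5.28",
                              "A.6.8", "A.8.16", "NIS2-b-CSIRT-reporting"],
    "(c) Continuity and crisis management": ["A.5.29", "A.5.30", "A.8.13",
                                             "A.8.14", "NIS2-c-crisis-plan"],
    "(d) Supply chain security": ["A.5.19", "A.5.20", "A.5.21", "A.5.22",
                                  "A.5.23", "NIS2-d-supplier-depth"],
    "(e) Acquisition, development, maintenance": [
        "A.8.25", "A.8.26", "A.8.27", "A.8.28", "A.8.29", "A.8.30", "A.8.31",
        "A.8.8", "A.8.9", "NIS2-e-CVD-policy"],
    "(f) Effectiveness assessment": ["9.1", "9.2", "9.3", "A.5.35", "A.5.36"],
    "(g) Cyber hygiene and training": ["7.2", "7.3", "A.6.3",
                                       "NIS2-g-board-training", "NIS2-g-hygiene-baseline"],
    "(h) Cryptography": ["A.8.24"],
    "(i) HR, access control, asset management": (
        _span("A.5.", 9, 18) + _span("A.6.", 1, 6) + _span("A.8.", 1, 5)),
    "(j) MFA and secured communications": [
        "A.8.5", "NIS2-j-MFA-policy", "NIS2-j-emergency-comms"],
}

STATUSES = {"implemented", "partial", "planned", "not_applicable"}


def measure_coverage(soa, mapping=MAPPING):
    """Return {measure: (coverage, missing_ids)}, coverage in Full/Partial/Gap/N/A.

    An ID absent from the SoA counts as missing, so a NIS2-only addition you
    have not yet recorded is never silently treated as done. Rows marked
    not_applicable are excluded from the count; the SoA must carry the
    justification, which this function does not check.
    """
    report = {}
    for measure, ids in mapping.items():
        for i in ids:
            if soa.get(i, "planned") not in STATUSES:
                raise ValueError(f"unknown status for {i}: {soa[i]!r}")
        applicable = [i for i in ids if soa.get(i) != "not_applicable"]
        done = [i for i in applicable if soa.get(i) == "implemented"]
        missing = [i for i in applicable if soa.get(i) != "implemented"]
        if not applicable:
            coverage = "N/A"
        else:
            coverage = "Full" if not missing else ("Partial" if done else "Gap")
        report[measure] = (coverage, missing)
    return report


def nis2_only_gaps(report):
    """Open additions that have no ISO 27001 equivalent."""
    return sorted(i for _, missing in report.values() for i in missing if i.startswith("NIS2-"))


def sample_soa():
    """Constructed SoA: every mapped ISO control implemented, NIS2-only
    additions still planned except the vulnerability disclosure policy."""
    all_ids = [i for ids in MAPPING.values() for i in ids]
    soa = {i: ("planned" if i.startswith("NIS2-") else "implemented") for i in all_ids}
    soa["NIS2-e-CVD-policy"] = "implemented"
    return soa


if __name__ == "__main__":
    report = measure_coverage(sample_soa())
    for measure, (coverage, missing) in report.items():
        print(f"{coverage:8} {measure}" + (f"  missing: {', '.join(missing)}" if missing else ""))
    print("NIS2-only work remaining:", nis2_only_gaps(report))
```

With the constructed SoA the output reproduces the article's verdicts: (a), (e), (f), (h) and (i) come out Full, and (b), (c), (d), (g) and (j) come out Partial with exactly the NIS2-only rows listed as missing. Replacing MAPPING's "NIS2-*" rows with your own SoA identifiers is the "NIS2 columns" the article refers to.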

The five things ISO 27001 does not cover at all

Beyond the Article 21 gaps above, NIS2 introduces requirements with no ISO 27001 equivalent:

1. Mandatory external incident reporting (Article 23)

ISO 27001 tells you to manage incidents. NIS2 tells you to report them to the government within 24 hours. These are different things, and the second one requires its own procedures, templates, and rehearsals. This is your biggest implementation gap if you’re coming from pure ISO 27001.

2. Management body personal liability (Article 20)

ISO 27001 Clause 5 requires top management commitment. NIS2 says management members can be held personally liable and temporarily banned from their roles. This requires board resolutions, personal training records, and potentially legal review of what your national transposition law means for individual directors.

3. Registration with national authorities

NIS2 Article 3(3) requires you to register with your national competent authority. This is a purely administrative task: entity name, address, sector, contact person, IP ranges, domain names, list of member states where you provide services. There’s no ISO 27001 equivalent - just do it.

4. Coordinated vulnerability disclosure

NIS2 Article 12 expects entities to participate in coordinated vulnerability disclosure. This means having a public channel for security researchers to report vulnerabilities and a process for coordinating disclosure timelines with CSIRTs. Most ISO 27001 implementations handle vulnerability management internally but don’t have an external disclosure process.

5. EU-level supply chain coordination (Article 22)

When the Cooperation Group conducts coordinated supply chain risk assessments, the results may affect your compliance obligations. This requires monitoring EU publications and integrating findings into your own risk assessments. No ISO 27001 equivalent exists.


Practical implementation roadmap

If you’re starting from a certified ISMS, here’s a realistic timeline for closing the NIS2 gaps:

Weeks 1-2: Assessment and mapping

  • Run the NIS2 framework in CISO Assistant alongside your existing ISO 27001 assessment
  • Document which ISO 27001 controls satisfy each NIS2 Article 21 measure
  • Identify the specific gaps using the mapping tables above
  • Run our free NIS2 Readiness Assessment for a quick baseline score

Weeks 3-4: Quick wins

  • Update information security policy wording to reference NIS2 terminology
  • Register with your national competent authority
  • Schedule management body cybersecurity training
  • Define “basic cyber hygiene” standards and communicate them
  • Publish a vulnerability disclosure policy (security.txt)

Months 2-3: Core gap closure

  • Build the incident reporting procedure (24h/72h/1mo templates, CSIRT contacts, internal escalation)
  • Create the crisis management plan (roles, decision authority, communication channels)
  • Enhance supplier assessments to NIS2 depth (supplier-specific vulnerabilities, secure development evaluation, contractual cascading)
  • Deploy MFA where not yet in place, establish emergency communication channels
  • Obtain board resolution formally approving cybersecurity measures and recording management liability awareness

Month 4: Testing and validation

  • Run a tabletop exercise testing the full incident reporting chain (from detection through 24h early warning to final report)
  • Test emergency communication systems
  • Internal audit of NIS2-specific controls
  • Update your Statement of Applicability with NIS2 mapping columns

Ongoing

  • Quarterly management briefings on cybersecurity posture (documented)
  • Annual supplier reassessments
  • Regular incident response exercises
  • Monitor national transposition developments and ENISA publications

Using CISO Assistant for dual compliance

CISO Assistant has both NIS2 and ISO 27001:2022 frameworks pre-loaded. The multi-framework mapping feature lets you see exactly where one control satisfies requirements from both frameworks. Instead of maintaining two separate compliance programs, you assess each control once and the platform shows coverage across both standards.

To see this in action, explore the live CISO Assistant demo with both frameworks loaded. If you want a deployment configured with your specific combination of frameworks and your organization’s risk context, that’s what we do.


What to take away

ISO 27001 gives you a 70-80% head start on NIS2. That’s real, and it means your investment in the ISMS was not wasted - it was preparation.

The gaps are concentrated and predictable: incident reporting to external authorities, management personal liability, deeper supply chain assessment, and specific technical requirements around MFA and emergency communications. None of these are impossible to close. They require new procedures and governance structures more than new technology.

The organizations that struggle are the ones that try to treat NIS2 as a separate program. The ones that succeed are the ones that extend their existing ISMS, add the NIS2-specific columns to their SoA, and handle both frameworks through a single management system.

For the detailed requirements behind each NIS2 article, see our NIS2 requirements checklist. For understanding who NIS2 applies to and what the penalties look like, start with the NIS2 directive explainer. And if you need help configuring CISO Assistant for dual ISO 27001/NIS2 compliance, get in touch - it’s one of the most common setups we deploy.