ISO 27001 Is Not NIS2 Compliance: What's Actually Missing
2026-02-22
By Anna Bley

ISO 27001 provides the governance foundation for NIS2 – but not the operational execution. What's missing between ISMS documentation and actual NIS2 compliance, and why that's been a concrete problem since December 6, 2025.

Many organizations have an ISMS aligned with ISO 27001 – certified, documented, embedded in a GRC tool. The assumption: that makes us NIS2-ready. The reality: ISO 27001 covers roughly 70% of NIS2 requirements. The remaining 30% are the ones that actually matter when regulators come calling.

ISO 27001 structures internal governance. NIS2 demands operational capabilities on top of that: incident reporting under time pressure, continuous supply chain oversight, and evidence available on demand. An ISMS alone can't deliver this.

Why This Distinction Matters Now

NIS2 is no longer a directive waiting for transposition. Across Europe, national implementations are going live. In Germany, the implementing legislation (NIS2UmsuCG) was published in the Federal Law Gazette and entered into force on December 6, 2025 – with no transition period. Approximately 30,000 organizations are affected. Registration with the BSI is underway, reporting obligations are active, and authorities can request evidence at any time.

In this situation, many organizations fall back on what they already have: their ISMS. And that's the right starting point – but it's not the finish line.

The equation "ISO 27001 = NIS2 compliance" is the most dangerous simplification circulating in the market right now. Not because ISO 27001 is inadequate – quite the opposite. But because it obscures what's actually still missing.


What ISO 27001 Covers – and Where It Stops

In brief: ISO 27001 delivers the governance structure that NIS2 requires under Article 20 and large parts of Article 21. What it doesn't deliver are the operational requirements.

ISO 27001 and NIS2 share a common foundation: risk-based information security management. An organization running an ISMS aligned with ISO 27001:2022 typically has solid groundwork in place:

  • Risk assessments and treatment plans (NIS2 Art. 21(2)(a))
  • Business continuity policies (NIS2 Art. 21(2)(c))
  • Access controls and asset management (NIS2 Art. 21(2)(i))
  • Training and awareness programs (NIS2 Art. 21(2)(g))
  • Procedures to evaluate the effectiveness of measures (NIS2 Art. 21(2)(f))
  • Cryptography policies (NIS2 Art. 21(2)(h))

ENISA itself acknowledges this overlap: Recital 79 of the NIS2 Directive explicitly recommends implementing cybersecurity risk management measures in accordance with international standards, including the ISO 27000 series.

So far, so good. The less good news: NIS2 doesn't stop at governance. The directive – and the national laws implementing it – requires measures that go beyond what an ISMS is typically designed to deliver. Not because the ISMS is built wrong, but because it was built for a different purpose.

An ISMS is an internal control instrument. NIS2 additionally demands operational capabilities with external impact: communication under time pressure, continuous visibility into the supply chain, and evidence that doesn't need to be assembled for the next audit cycle.


The Three Operational Gaps Between ISO 27001 and NIS2

1. Incident Reporting: 24 Hours Is Not a Documentation Problem

NIS2 Article 23 introduces a tiered reporting regime: an early warning within 24 hours, a qualified incident notification within 72 hours, and a final report within one month. National implementations may add further requirements – in Germany, KRITIS operators face additional detail obligations.

ISO 27001 includes incident management – as a process that documents, evaluates, and reviews incidents. Typically after the fact. What ISO 27001 does not provide: the capability to deliver a coordinated, fact-based report to authorities within 24 hours while the incident is still unfolding.

This is not a documentation problem. It's an operating system problem. Within those 24 hours, questions that span multiple functions need to be answered simultaneously: What happened? How severe is the incident? Who decides what, based on what evidence? How do Security, Legal, Communications, and executive management coordinate? And how is all of this versioned and documented in a traceable, auditable way – while it's happening?

Having an incident response plan means having a policy. Being able to reliably meet the 24-hour deadline means having an incident management system. The difference is operational – and it's the difference NIS2 evaluates.

→ Deep dive: NIS2 Incident Reporting: How to Actually Meet the 24-Hour Deadline

2. Supply Chain Security: Once a Year Isn't Enough

Article 21(2)(d) of the NIS2 Directive requires measures to ensure supply chain security – specifically the security-relevant aspects of relationships with direct suppliers and service providers, taking into account the specific vulnerabilities of each individual supplier.

Most ISMS solutions support vendor assessments – at onboarding or once a year. A questionnaire is sent out, answers are filed, the process is documented. Formally correct, operationally insufficient.

NIS2 means something different. It's not about checking boxes on questionnaires. It's about keeping business-critical dependencies manageable on an ongoing basis – in a geopolitical reality that shifts constantly. This inevitably requires a continuously maintained interface with service providers and suppliers: ongoing monitoring, event-triggered re-assessments, integrated evidence, and fast communication when the situation evolves.

An ISMS documents that a vendor assessment took place. NIS2 evaluates whether the supply chain is actually under control – not whether the process exists, but whether it works.

→ Deep dive: NIS2 Supply Chain Security: Why Annual Vendor Assessments Are No Longer Enough

3. Proof of Effectiveness: Evidence on Demand, Not on Request

Article 21(2)(f) requires procedures to evaluate the effectiveness of risk management measures. At the same time, NIS2 significantly expands supervisory powers: authorities can conduct on-site inspections, audits, and scans – and, critically, request information at any time.

ISO 27001 prepares organizations for audits – typically in a planned cycle. What NIS2 demands is a different operating model: evidence must be available at all times, not assembled when the request arrives.

Concretely, this means: verifiable artifacts rather than assertions – systems and logs, not just documents. Artifacts with metadata: version status, validity period, owners, change history. The ability to present current vendor assessments, incident reports, and control evidence to an auditor at any moment.

Evidence under NIS2 is not "audit decoration" – it's the continuous output of ongoing work. Organizations that assemble evidence for audits have a governance system. Organizations that can retrieve it on demand have an operational system. NIS2 requires the latter.

→ Deep dive: NIS2 Audit Readiness: From Documentation to Continuous Evidence


What ISO 27001 Covers and What It Doesn't – Overview

| NIS2 Requirement | ISO 27001 | Operational Addition Needed? |
|---|---|---|
| Risk analysis and security policies (Art. 21(2)(a)) | ✅ Core component | No |
| Business continuity and crisis management (Art. 21(2)(c)) | ✅ Covered | No |
| Training and awareness (Art. 21(2)(g)) | ✅ Covered | No |
| Cryptography policies (Art. 21(2)(h)) | ✅ Covered | No |
| Access controls and asset management (Art. 21(2)(i)) | ✅ Covered | No |
| Effectiveness evaluation (Art. 21(2)(f)) | ⚠️ Process yes, continuous evidence no | Yes |
| Incident handling and reporting obligations (Art. 21(2)(b), Art. 23) | ⚠️ Process yes, operational 24h capability no | Yes |
| Supply chain security (Art. 21(2)(d)) | ⚠️ Point-in-time assessment, no continuous monitoring | Yes |
| Management liability (Art. 20) | ⚠️ Roles defined, personal liability not operationalized | Yes |

What This Means for Your Organization

The consequences are clearly defined: violations of Articles 21 or 23 can result in fines of up to EUR 10 million or 2% of global annual turnover for essential entities, and up to EUR 7 million or 1.4% for important entities. In Germany, § 38 BSIG makes executive management personally liable – and any waiver of claims against management is legally void.

These are not theoretical scenarios. Supervisory authorities have the power to request evidence at any time, conduct audits, and issue binding instructions. The question is not whether, but when.

What Organizations Should Do Now

Having an ISMS means having a solid starting position. But three steps are necessary to close the gap between ISO 27001 and actual NIS2 compliance:

First: Run a gap analysis between your ISMS and the operational NIS2 requirements. Not "do we have a process?" but "can we execute this under time pressure, against external parties, operationally?" The three gaps above – reporting obligations, supply chain, proof of effectiveness – are the starting point.

Second: Build operational systems for what the ISMS doesn't cover. An incident management system that can produce coordinated reports within 24 hours. A vendor assurance process that goes beyond annual questionnaires. An evidence layer that provides proof continuously – not just for the next audit.

Third: Connect your ISMS and your operational systems. NIS2 compliance isn't either/or. An ISMS for internal control, a Trust Center for external communication and evidence – two sides of the same coin. Organizations that connect both turn compliance effort into a functioning system – and documentation into real resilience.

→ Related: You're NIS2-Affected — Now What? The Operational Gaps Beyond Your ISMS


Sources

  1. Directive (EU) 2022/2555 (NIS2 Directive) – Full Text – Official Journal of the European Union. The complete NIS2 Directive text, including Articles 20, 21, and 23 referenced throughout this article.
  2. BSI – NIS-2-Umsetzungs- und Cybersicherheitsstärkungsgesetz (NIS2UmsuCG) – Bundesamt für Sicherheit in der Informationstechnik. Germany's implementing legislation, registration requirements, and guidance for affected organizations.
  3. ISO/IEC 27001:2022 – Information Security Management Systems – International Organization for Standardization. The ISMS standard referenced as the governance baseline throughout this article.
  4. ENISA – Implementing Guidance on NIS2 Security Measures – Technical guidance on implementing the risk management measures required by Article 21.
  5. ENISA – NIS2 Requirements Mapping to ISO 27001 – ENISA's mapping between NIS2 requirements and ISO 27001 controls.
  6. BSI – NIS-2-Betroffenheitsprüfung – BSI's self-assessment tool for NIS2 applicability.
