The question I hear at almost every first meeting goes like this: since we are supposed to implement NIS2, do we still need ISO 27001 for anything? Or the other way round: we have an ISO certificate, so surely NIS2 is taken care of? Both answers are a misunderstanding. These are two different things that work together very well.

Two different natures

The most important difference is legal, not technical.

  • NIS2 is an EU directive, meaning an obligation. If your company is an essential or important entity, you must apply it, and non-compliance risks penalties and personal liability for management.
  • ISO/IEC 27001 is a voluntary standard. No one forces you to certify, but the market, tenders and large contractors increasingly expect it.

In other words: NIS2 says you must manage cybersecurity risk. ISO 27001 gives a proven method for doing it in a repeatable and auditable way.

Where they overlap

Good news for companies that already have one of the two: the common areas are considerable. If you run an Information Security Management System compliant with ISO 27001, you have a ready foundation for most NIS2 requirements.

The shared elements include, among others:

  • systematic risk analysis and risk treatment,
  • security policies and the division of responsibilities,
  • access control and multi-factor authentication,
  • backups and business continuity,
  • incident handling,
  • security of the supply chain and suppliers.

What ISO does not settle for NIS2

An ISO 27001 certificate is not, however, automatic proof of compliance with the directive. NIS2 imposes several things the standard does not explicitly enforce.

  • Specific deadlines for reporting incidents to the competent authority, including an early warning within 24 hours.
  • Personal liability and an obligation to train management.
  • Registration of the entity and communication with the supervisory authority.

I have seen a company with a valid ISO certificate that still had no agreement on who, and within what time, decides to report an incident. The paper was there, the decision-making process was not. This is exactly the gap NIS2 exposes.

What to implement first

The answer depends on where you are today, but the principle is one: we always start from risk, not from documents.

If you have neither

Start with a gap analysis and a risk analysis. This is the common denominator of both worlds. On that basis set priorities: MFA, permissions, ransomware-resilient backups, basic monitoring. Only then decide whether you are aiming for a formal certificate or first closing the NIS2 obligation.

If you have ISO 27001

Map your existing controls onto the NIS2 requirements and focus on the differences: an incident reporting procedure with deadlines, management training, entity registration. This is usually a matter of weeks, not months.

If you have a NIS2 obligation and want to put it in order for good

Consider building a system in the spirit of ISO 27001, even without immediate certification. You get a structure that maintains compliance over time, instead of a one-off effort ahead of an inspection.

A practical minimum plan

For an SME that wants to get moving, a sensible order looks like this:

  1. Establish whether NIS2 applies to you, and document it.
  2. Carry out a risk analysis and a gap analysis.
  3. Deploy controls starting from the greatest risk.
  4. Describe procedures you can actually use in a crisis.
  5. Decide on ISO 27001 certification as a way to maintain order.

Such an order means the money goes first towards a real reduction of risk, and the formalities are its natural effect rather than a goal in themselves.

Summary

NIS2 says you must manage information security. ISO 27001 shows how to do it maturely and repeatably. Do not choose between them, treat them as two sides of the same coin. The obligation sets the direction, the standard provides the method.

If you want to check how much of NIS2 you already have thanks to your existing practices and what really remains to be done, take a look at our NIS2 compliance and ISO 27001 services. We start with a gap analysis, so you do not pay twice for the same thing.