ISO 27001 and NIS2: what your ISMS already covers — and the gaps it doesn't

If you already hold ISO/IEC 27001, you are not starting NIS2 from zero — far from it. A working ISMS covers most of the Article 21 baseline. But certification is not compliance: NIS2 adds statutory duties an ISMS does not, by itself, satisfy. This guide maps what carries over, where the real gaps are, and how to close them without rebuilding what you already have.

Key takeaways

  • ISO 27001 covers most of the NIS2 Art. 21 measures — risk management, access control, cryptography, continuity, supplier controls — so it's a strong head start.
  • But certification is not compliance: NIS2 adds statutory incident-reporting deadlines, management liability, registration and continuous supply-chain assurance.
  • The biggest gaps are usually the 24/72-hour reporting duty and continuous third-party monitoring, not the core controls.
  • Close the gaps on top of the ISMS — don't rebuild; map your Annex A controls to the Art. 21 list and add what's missing.

What your ISMS already covers

NIS2's Article 21 baseline and ISO/IEC 27001 (with its Annex A controls) overlap heavily. If your ISMS is genuinely operating — not just certified — much of the directive's technical and organisational substance is already in place:

  • Risk management — your ISMS risk assessment and treatment process maps directly to Art. 21(2)(a).
  • Access control & cryptography — Annex A access-control and cryptographic controls align with Art. 21(2)(i) and (h).
  • Incident management — your incident process covers the handling side of Art. 21(2)(b) (the reporting side is where NIS2 adds more).
  • Business continuity — backup, recovery and continuity controls map to Art. 21(2)(c).
  • Supplier relationships — Annex A supplier controls are the foundation Art. 21(2)(d) builds on.

Where NIS2 goes beyond your ISMS

Certification proves a managed system exists for a defined scope. NIS2 is a legal obligation on the whole in-scope entity, and it adds duties an ISO certificate does not, on its own, discharge:

Statutory incident reporting — ISO 27001 requires you to manage incidents; NIS2 requires you to report significant ones to a national authority on a 24-hour / 72-hour / one-month clock (Art. 23). No ISMS deadline matches this.

Management liability & training — NIS2 makes the management body approve and oversee the measures, take training, and be personally liable (Art. 20). ISO asks for management commitment, not legal accountability.

Continuous supply-chain assurance — Annex A supplier controls are largely point-in-time. NIS2's Art. 21(2)(d), read with its 'appropriate measures' standard, pushes toward ongoing monitoring of supplier risk.

Registration & scope — many entities must register with their national authority, and NIS2 applies to the whole in-scope organisation regardless of your chosen ISMS scope.

Enforcement reality — an ISO non-conformity is between you and your certifier; a NIS2 failure can mean binding orders and fines up to €10M or 2% of turnover (Art. 34).

Closing the gap without rebuilding

The efficient path treats NIS2 as a delta on top of a working ISMS, not a parallel programme:

  • Map your Annex A controls to the Art. 21(2)(a)–(j) list — most cells will already be filled.
  • Stand up the reporting workflow: who decides 'significant', who contacts the CSIRT, and the 24/72-hour playbook.
  • Put NIS2 governance on the board: approval of measures, oversight reporting, and management training (Art. 20).
  • Upgrade supplier assurance from an annual questionnaire to continuous monitoring for critical suppliers.
  • Confirm registration with your national authority, and that your ISMS scope covers the in-scope services.

Source: Directive (EU) 2022/2555 (NIS2), Articles 20, 21 and 23 — the ISO/IEC 27001 mapping is indicative; confirm the binding requirements in your national transposition law.

How norppa.io helps

The two gaps an ISMS leaves widest are the ones norppa.io is built for: continuous supplier assurance and incident-ready evidence. Every monitored supplier is checked across 100+ control points daily, with findings mapped to the same Art. 21 sub-clauses your ISMS already speaks — so the supply-chain control becomes continuous, not annual.

And because everything is timestamped and exportable, the evidence that supports an Art. 23 notification or a supervisory audit sits alongside your ISMS documentation rather than in a separate silo. norppa.io complements ISO 27001; it does not duplicate it.
