| Nature of Compliance | NIS2 Directive (EU) 2022/2555 | ISO/IEC 27001:2022 |
| --- | --- | --- |
| | Mandatory within the EU legal framework | Voluntary (internationally certifiable standard) |
NIS2 is a Directive published by the European Commission, making compliance mandatory for all entities within its scope.
ISO/IEC 27001, on the other hand, is a standard developed by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and its implementation is voluntary. Despite this, ISO/IEC 27001 has become one of the most recognized and widely adopted security standards, often required by other regulations or service contracts.
Its recognition is also influenced by the fact that it is a certifiable standard, allowing organizations to obtain a conformity certificate that often serves as sufficient evidence of maintaining an adequate level of information security.
For this reason, many organizations already have an information security management system aligned with ISO/IEC 27001 requirements, which—as we will see—provides a solid foundation for implementing the NIS2 Directive.
| Scope of Application | NIS2 Directive (EU) 2022/2555 | ISO/IEC 27001:2022 |
| --- | --- | --- |
| | Essential and important entities in critical sectors | Any organization, regardless of sector or size |
In general, NIS2 applies to medium and large enterprises (with some exceptions), whether public or private, operating in highly critical sectors and other critical sectors listed in Annexes I and II, respectively, that provide services or conduct activities within the European Union.
Thus, applicability is determined based on sector criticality and organizational size, with these criteria (and their exceptions) clearly defined in the Directive.
ISO/IEC 27001, however, is applicable to any organization and allows defining the scope of the information security management system across the entire organization, a business unit, or a specific service. Although the scope must be clearly defined, implementation can occur regardless of sector or size, facilitating alignment with NIS2.
| Objective | NIS2 Directive (EU) 2022/2555 | ISO/IEC 27001:2022 |
| --- | --- | --- |
| | Raise cybersecurity levels in essential and important entities | Implement an information security management system |
Although they differ slightly in how they achieve it, NIS2 and ISO/IEC 27001 share the objective of establishing a management framework that increases the cybersecurity level of the entities implementing them.
ISO/IEC 27001 relies on implementing an information security management system to achieve this goal, while NIS2 relies on its legal nature to ensure that entities within its scope comply and manage cybersecurity risks according to the criticality of their societal role. In other words, ISO/IEC 27001 defines the structure for security management, while NIS2 establishes specific mandatory security measures.
| Approach | NIS2 Directive (EU) 2022/2555 | ISO/IEC 27001:2022 |
| --- | --- | --- |
| | Risk‑based, oriented toward minimum legal requirements | Fully risk‑based and focused on continuous improvement |
Both frameworks use a risk‑based approach to ensure that applied security measures are adequate and proportional to the organization’s risk level.
In ISO/IEC 27001, risk management is integrated into the PDCA (Plan‑Do‑Check‑Act) model, requiring organizations to identify risks, define and implement controls, review and evaluate them, and continuously improve.
NIS2 establishes clear obligations related to risk management, aligned with ISO/IEC 27001, requiring organizations to assess, mitigate, and continuously review risks under the direct supervision of top management.
Neither framework mandates a specific methodology, so organizations already aligned with ISO/IEC 27001 can adapt their risk management processes to meet NIS2 requirements.
| Governance | NIS2 Directive (EU) 2022/2555 | ISO/IEC 27001:2022 |
| --- | --- | --- |
| | Requires defining cybersecurity responsibilities for top management | Requires top management involvement in the ISMS |
As analyzed in previous articles, one of NIS2’s key obligations is defining responsibilities for top management: supervising and approving risk management measures, receiving and promoting cybersecurity training, and even being held accountable in case of non‑compliance.
ISO/IEC 27001 also emphasizes leadership and commitment from top management, requiring involvement in establishing the security policy, allocating necessary resources, periodically reviewing the management system, and promoting continuous improvement.
Both frameworks elevate cybersecurity to the highest organizational level, although NIS2’s legal nature implies more severe consequences for non‑compliance.
| Incident Notification | NIS2 Directive (EU) 2022/2555 | ISO/IEC 27001:2022 |
| --- | --- | --- |
| | Mandatory notification of significant incidents within strict deadlines | Requires a formal incident management and notification process |
NIS2 establishes very specific obligations regarding the notification of significant security incidents*, requiring strict phases and deadlines: early warning within 24 hours, initial notification with a preliminary assessment within 72 hours, and a final detailed report one month after the first notification.
ISO/IEC 27001 also defines controls for incident management in Annex A, such as A.5.24 (Planning and preparation), A.5.25 (Assessment and decision), A.5.26 (Response), A.5.27 (Learning from incidents), and A.5.28 (Evidence collection).
Since these controls do not prescribe specific implementation measures, they can be easily integrated with NIS2 obligations.
(*) A significant security incident is one that:
1. Has caused or may cause major operational disruptions or economic losses for the affected entity (internal impact).
2. Has affected or may affect other individuals or organizations by causing significant material or immaterial harm (external impact).
| Security Measures | NIS2 Directive (EU) 2022/2555 | ISO/IEC 27001:2022 |
| --- | --- | --- |
| | Technical, operational, and organizational measures defined in Art. 21 | Annex A controls grouped into organizational, people, physical, and technological controls |
ISO/IEC 27001 defines its security measures in Annex A, grouped into organizational, people, physical, and technological controls. NIS2 defines its measures in Article 21 (Article 15 of the Spanish draft bill), expanded in greater detail in Implementing Regulation (EU) 2024/2690.
There is a high degree of correspondence between both frameworks, and ISO/IEC 27001 controls can be mapped to nearly all NIS2 requirements.
However, organizations using ISO/IEC 27001 as a base must analyze control implementation in greater depth to ensure compliance with NIS2’s more specific requirements, such as incident notification or assigning a security officer.
These synergies also facilitate review tasks, including internal audits, allowing combined audits to assess compliance with both frameworks and reducing the effort required.
References
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union: https://eur-lex.europa.eu/eli/dir/2022/2555/oj?locale=es
Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down implementing rules for Directive (EU) 2022/2555 as regards the technical and methodological requirements of cybersecurity risk‑management measures: https://eur-lex.europa.eu/legal-content/ES/TXT/?uri=CELEX:32024R2690
Draft Law on Cybersecurity Coordination and Governance: https://www.interior.gob.es/opencms/es/servicios-al-ciudadano/participacion-ciudadana/participacion-publica-en-proyectos-normativos/audiencia-e-informacion-publica/
NIS2 Directive – Transposition in Spain and Draft Cybersecurity Law: https://blog.isecauditors.com/en/nis2-directive-transposition-in-spain-and-draft-law
ISO/IEC 27001:2022 Standard: https://www.iso.org/es/norma/27001