
ISO 27001 to NIS2 Gap Analysis

An ISO 27001 certification covers roughly 70% of NIS2 technical requirements – but the remaining 30% includes the areas with the highest enforcement risk: registration, incident reporting timelines, and management personal liability.

ISO 27001 Is a Head Start, Not a Finish Line

If your company holds an ISO 27001:2022 certification, you are ahead of most NIS2-affected entities. The ISMS framework, risk assessment methodology, and Annex A controls map well onto the ten cybersecurity measure areas defined in §30(2) BSIG. The BSI has explicitly acknowledged that ISO 27001 certification demonstrates a mature security posture – but it has equally explicitly stated that certification alone does not equal NIS2 compliance.

The gap exists because NIS2 introduces obligations that ISO 27001 was never designed to address. ISO 27001 is a voluntary management system standard focused on information security within an organisation. NIS2 is a regulatory obligation focused on critical infrastructure resilience with government reporting, personal liability for management, and statutory penalties. These are fundamentally different compliance paradigms – one is about best practice, the other is about legal compliance.

ENISA's mapping guidance and analyses by DataGuard, secuvera, and the BSI itself consistently identify the same gaps. Understanding where ISO 27001 covers NIS2 – and where it does not – allows certified companies to build on their existing ISMS rather than starting from scratch, while ensuring they do not overlook the regulatory-specific requirements that carry the highest enforcement risk.

Where ISO 27001 Already Covers NIS2
These NIS2 requirement areas are substantially addressed by a well-implemented ISO 27001:2022 ISMS.

Risk management (§30(2)(1) BSIG)

ISO 27001 Clauses 6.1 and 8.2 require risk identification, analysis, evaluation, and treatment – precisely what §30(2)(1) demands. An existing ISMS risk assessment methodology, if properly maintained, meets this requirement. Ensure your risk register covers operational technology and supply chain risks specifically, not just information security risks.

Access control (§30(2)(5) BSIG)

ISO 27001 Annex A.5.15 through A.5.18 and A.8.2 through A.8.5 cover access control policy, user access provisioning, privileged access management, and information access restriction. This maps directly to §30(2)(5) BSIG requirements for access control to network and information systems.

Incident handling (§30(2)(2) BSIG)

ISO 27001 Annex A.5.24 through A.5.28 cover incident management planning, assessment, response, and learning. The technical incident handling process required by NIS2 is well covered – though the reporting timelines and BSI notification are not part of ISO 27001 (see gaps below).

Business continuity (§30(2)(3) BSIG)

ISO 27001 Annex A.5.29 and A.5.30 address information security during disruption and ICT readiness for business continuity. Combined with a proper BIA and tested recovery procedures, this covers the NIS2 continuity requirements substantially.

Cryptography (§30(2)(8) BSIG)

ISO 27001 Annex A.8.24 covers use of cryptography. A mature ISMS includes cryptographic policies, key management procedures, and algorithm selection standards that align with NIS2 cryptography requirements.

Supplier relationships (§30(2)(4) BSIG – partial)

ISO 27001 Annex A.5.19 through A.5.23 address information security in supplier relationships, including supplier assessment, service delivery monitoring, and change management. This provides a foundation, but NIS2 requires more extensive supply chain due diligence (see gaps).

Training and awareness (§30(2)(9) BSIG)

ISO 27001 Annex A.6.3 covers information security awareness, education, and training. This aligns with the general NIS2 training requirement, though NIS2 adds specific management training obligations under §38 BSIG that go beyond ISO 27001's scope.

Critical Gaps – What ISO 27001 Does Not Cover
These NIS2 requirements have no equivalent in ISO 27001 and must be addressed separately. They represent the highest enforcement risk for ISO-certified companies.

BSI registration obligation (§33 BSIG)

ISO 27001 has no concept of government registration. §33 BSIG requires every NIS2 entity to register with the BSI, providing entity information, sector classification, contact details, and IP ranges. This is a standalone regulatory obligation with its own penalty provisions – your ISO certification does not trigger or replace it.

Incident reporting timelines (§32 BSIG)

ISO 27001 requires incident response but sets no external reporting timelines. §32 BSIG mandates: early warning to BSI within 24 hours, incident notification within 72 hours, and final report within one month. These are statutory deadlines with separate penalties for non-compliance. Your ISMS incident process must be extended with BSI-specific reporting workflows.

Management personal liability (§38 BSIG)

ISO 27001 requires management commitment and leadership (Clause 5) but creates no personal legal liability. §38 BSIG makes managing directors (Geschäftsleiter) personally liable for failures in cybersecurity governance, including a non-waivable duty to approve measures, oversee implementation, and complete personal cybersecurity training. No ISO control addresses this.

Statutory penalty framework (§65 BSIG)

ISO 27001 non-compliance results in loss of certification – a reputational consequence. NIS2 non-compliance under §65 BSIG carries fines of up to EUR 10 million or 2% of global turnover for particularly important entities (besonders wichtige Einrichtungen). The enforcement mechanism is fundamentally different: government penalties vs. voluntary certification status.

Enhanced supply chain due diligence (§30(2)(4) BSIG)

While ISO 27001 Annex A.5.19–A.5.23 covers supplier security, NIS2 requires more granular supply chain risk assessment including evaluation of suppliers' own cybersecurity maturity, consideration of supply chain-specific vulnerabilities, and assessment of critical dependencies. The CIR 2024/2690 Annex specifies contractual security requirements and ongoing supplier monitoring that exceed ISO 27001's supplier management controls.

NIS2-specific governance requirements

NIS2 requires specific governance structures including designated contact points for the BSI (§33 BSIG), participation in sector-specific CSIRTs, and compliance with BSI enforcement orders. These are regulatory governance requirements that sit outside the ISMS scope – they concern the relationship between the entity and government authorities, not internal security management.

§30(2) BSIG to ISO 27001 Control Mapping
Detailed mapping of each NIS2 measure area to the closest ISO 27001:2022 Annex A controls, with coverage assessment.
| NIS2 / §30(2) BSIG measure | ISO 27001:2022 controls | Coverage |
|---|---|---|
| Risk analysis and security policies | Clause 6.1, 8.2; A.5.1 | Full |
| Incident handling | A.5.24–A.5.28 | Partial – no BSI reporting timelines |
| Business continuity and crisis management | A.5.29, A.5.30 | Full |
| Supply chain security | A.5.19–A.5.23 | Partial – enhanced due diligence missing |
| Security in acquisition, development, maintenance | A.8.25–A.8.31 | Full |
| Effectiveness evaluation | Clause 9.1, 9.2, 9.3; A.8.8 | Full |
| Cybersecurity training | A.6.3 | Partial – §38 management training not covered |
| Cryptography | A.8.24 | Full |
| Access control and asset management | A.5.9–A.5.18; A.8.2–A.8.5 | Full |
| Multi-factor authentication and secure communication | A.8.5 | Partial – MFA requirement more specific in NIS2 |

Sources
  • ISO/IEC 27001:2022 – Information security, cybersecurity and privacy protection – Information security management systems
  • BSIG – §30(2) (Risikomanagementmaßnahmen), §32 (Meldepflichten), §33 (Registrierung), §38 (Geschäftsleitung), §65 (Bußgeldvorschriften)
  • BSI – Guidance on relationship between ISO 27001 certification and NIS2 compliance
  • ENISA – NIS2 to ISO 27001 mapping guidance (2024)
  • DataGuard – ISO 27001 to NIS2 gap analysis and mapping (2024)
  • CIR (EU) 2024/2690 – Annex technical requirements and ISO 27001 references