In the past, information security was primarily regarded as the responsibility of the IT department. Organisations viewed the management of information security risks primarily as the implementation of technical measures and relied on securing their IT infrastructures through firewalls, endpoint security, intrusion detection and prevention systems, or network segmentation. This approach was supplemented by physical security measures and awareness training to strengthen the ‘human firewall’, in order to demonstrate a structured approach to managing information security risks.

Since then, the focus has broadened significantly. Today, cybersecurity no longer means merely protecting IT-related information assets, but also warding off financial losses, maintaining business continuity, safeguarding critical services and supply chains – in short: strengthening an organisation’s resilience. Hardly anything illustrates this paradigm shift as clearly as the European Union’s NIS2 Directive.

What is NIS2?

NIS2 is the European Union’s updated Directive on Network and Information Security (Directive (EU) 2022/2555), which sets out harmonised obligations regarding cybersecurity and incident reporting for medium-sized and large organisations in key sectors such as energy, chemicals, manufacturing, transport, healthcare, digital infrastructure and other critical economic sectors. Once transposed into national law in the European Member States, it will require the organisations concerned to implement risk-based cybersecurity measures, comply with strict reporting deadlines of 24 or 72 hours, and face substantial fines in the event of serious breaches.

While NIS2 is an EU directive, its practical impact extends well beyond the borders of the Union. Manufacturers, technology providers, logistics companies and service providers that are part of European value chains are increasingly confronted with specific cybersecurity expectations and evidence requirements from their customers. ISO 27001 certification is becoming a key signal in this context: it demonstrates that an organisation manages information security risks systematically and in line with an internationally recognised standard.

For many organizations, this raises a strategic question:

If we want to participate reliably in European supply chains, is ISO 27001 certification becoming an entry requirement?

ISO 27001 as a gateway to European supply chains

From a growing number of tenders and supplier assessments, a clear picture is emerging:

  • ISO 27001 provides a recognised and auditable foundation for many of the cybersecurity and governance expectations that arise in the wake of NIS2.
  • For access to demanding customer relationships and critical supply chains, certification is increasingly viewed as a minimum expectation rather than a differentiator.
  • Organisations with a mature, certified ISMS are better positioned to respond to NIS2‑driven questionnaires, audits and due‑diligence activities along the supply chain.

In this sense, ISO 27001 certification is becoming an effective gateway to European supply chains – not because it alone fulfils all NIS2 obligations, but because it provides the structured, verifiable framework that many European customers now expect as a minimum requirement.

The growing cost of cyber disruption

Cyber incidents today rarely stay isolated — they cascade across supply chains, halt operations and expose organizations to regulatory scrutiny long after the initial breach.

Across manufacturing, healthcare, transportation, and critical infrastructure, organizations have faced operational shutdowns lasting days or even weeks: production lines have stopped, logistics networks have stalled and customer services have become unavailable.

What makes many of these incidents particularly concerning is that they did not always begin with highly sophisticated attacks. In many cases, attackers exploited weaknesses in supplier ecosystems, unpatched systems, insufficient monitoring, or delayed incident response.

For business leaders, one lesson has become clear:
the key question is no longer whether an organization can prevent every cyber incident, but whether it can continue operating when one occurs.

This shift in thinking sits at the core of NIS2.

Why NIS2 matters for boards

  • Cybersecurity has become a boardroom issue rather than a purely IT matter: management bodies must approve and oversee cybersecurity risk‑management measures.
  • National laws implementing NIS2 can impose GDPR‑level fines – up to EUR 10 million or 2% of global annual turnover for essential entities, and up to EUR 7 million or 1.4% for important entities.
  • Members of the management body can be held liable for inadequate oversight of cybersecurity risk‑management, subject to national liability rules.

NIS2 places great emphasis on governance, accountability and organisational resilience. Organisations falling within the scope of the Directive must demonstrate, amongst other things:

  • The active involvement of senior management in the implementation and monitoring of cybersecurity measures,
  • Effective reporting processes for significant security incidents,
  • Structured cybersecurity risk management,
  • Effective security controls in the supply chain,
  • Business continuity arrangements 

Where ISO 27001 provides a solid Foundation

ISO 27001-certified organisations already have a structured framework for risk management, governance and incident handling – all of which are elements that support the requirements of NIS2.

At its core, ISO 27001 is based on a risk-based selection of control measures relating to an organisation’s business processes, clear governance responsibilities and policies, and continuous improvement (the PDCA cycle). These principles can be directly applied to the organisational and technical measures set out in the NIS2 regulations.

Organisations with a mature information security management system (ISMS) usually already have the following in place:

  • Governance structures for information security
  • Effective processes for risk assessment and risk treatment
  • Documented security policies and clearly defined responsibilities
  • Procedures for incident management
  • Cycles for internal audits and management reviews
  • Supply chain management measures
  • Disaster recovery and business continuity plans

These elements form a solid foundation for implementing the key NIS2 risk management measures.

Where ISO 27001 Alone May Not Be Enough

ISO/IEC 27001:2022 is an international standard, not a law. ISO 27001 certification does not guarantee NIS2 compliance. Three areas – supply chain security, management accountability and the statutory obligation to report security incidents – generally require measures and evidence that go beyond what an ISO 27001 certificate alone can demonstrate.

ISO 27001 is a voluntary international standard, whereas NIS2 is binding European law. Certification therefore does not automatically replace compliance with all NIS2 obligations, particularly regarding supply chain security, reporting obligations and management accountability.

Article 21(2) of NIS2 defines ten categories of cybersecurity risk management measures that affected organisations are legally required to implement. The content of the ISO/IEC 27001:2022 standard and the controls listed in Annex A can be mapped to most of these categories – though without corresponding to them on a one-to-one basis as legal requirements:

Supply Chain Security

The NIS2 Directive requires organisations to assess and manage cybersecurity risks across their entire supply chain – not just within their own corporate boundaries.

Recent cyber security incidents have repeatedly shown that attackers exploit the supply chain to gain unauthorised access to larger customer networks. After all, the principle of efficiency – ‘achieving maximum reach with minimum effort!’ – applies here too.

Consequently, Article 21(2)(d) of NIS2 requires supply chain security, which is consistent with requirements 5.19–5.23 of Annex A to ISO 27001:

  • Information security in supplier relationships
  • Addressing information security in supplier agreements
  • Management of information security in the ICT supply chain
  • Monitoring, auditing and change management of supplier services
  • Information security for the use of cloud services

Executive Accountability

Under NIS2, cybersecurity is no longer regarded as a purely technical matter that can be delegated to the IT department.

The Directive stipulates that the organisation’s management body must assume responsibility for approving, monitoring and regularly reviewing the implementation of cybersecurity risk management measures. In practice, senior management is expected to:

  • Understand cyber risks and actively engage with them,
  • Participate in governance activities and decision-making processes relating to cybersecurity,
  • Provide adequate resources for resilience measures, and
  • Monitor incident response preparedness and reporting obligations.

Depending on the national implementation of NIS2 and the relevant corporate and liability regulations, members of the management body may also face personal consequences if they fail to fulfil their cybersecurity duties adequately. Cybersecurity governance is thus becoming a key management responsibility – with potential regulatory and financial implications should sufficient oversight not be convincingly demonstrated.

Incident Reporting

NIS2 introduces legally binding timelines: organisations must submit an initial early‑warning notification to the competent authority within 24 hours of becoming aware of a significant incident, followed by a more detailed report within 72 hours and a final report at a later stage as defined in the legislation.

Many organisations currently lack the documented processes, clearly assigned responsibilities and tested procedures needed to meet these timeframes reliably. Existing incident management frameworks within an ISMS often require targeted adjustments to reflect the regulatory deadlines and external reporting obligations introduced by NIS2.

In practice, this usually means closing three specific gaps. First, defining and documenting a clear trigger for when “becoming aware” of a significant incident starts the 24‑hour clock – most ISMS procedures focus on internal severity classification rather than regulatory timing. Second, designating a specific role responsible for the early‑warning notification and direct liaison with the national CSIRT or competent authority, separate from the role that leads the internal response. Third, establishing an auditable evidence trail – including timestamped logs, copies of notifications and the rationale behind the initial severity assessment – that can be produced if a supervisory authority later reviews how the 24‑ and 72‑hour deadlines under NIS2 were met.

Operational Resilience

Regulators and customers increasingly expect evidence that resilience measures have been tested — not just documented on paper.

Organisations are therefore expected to demonstrate that they can maintain or quickly restore critical operations during disruptive events, rather than merely presenting written plans. This typically includes:

  • Business continuity planning and regular testing
  • Disaster recovery exercises for critical systems and data
  • Realistic incident response simulations
  • Defined and practised crisis management procedures

Together, these elements show whether resilience is truly embedded in day‑to‑day operations.

Is your organization also assessing broader cybersecurity resilience needs?

ISO 22301 (Business Continuity Management) provides a complementary framework for demonstrating operational continuity under pressure.

Find out more

New Questions Customers and Partners Are Asking

ISO 27001 certification is becoming a prerequisite for supplier discussions. European customers expect not only an ISO 27001 certificate but also evidence of proven resilience.

Companies in the supply chain must address the following questions:

  • How quickly can you recover from a serious cyber incident?
  • How are critical suppliers and third parties assessed for security risks?
  • What role does senior management play in cybersecurity governance?
  • How often are incident response and business continuity plans tested?
  • What measures are in place to ensure business continuity during a disruption?

Companies that can demonstrate both certification and proven operational resilience stand out in highly competitive markets.

What Management Teams Should Consider

The most effective approach is to use an existing ISO 27001 ISMS as the foundation for broader NIS2 compliance — then identify and close the specific gaps that certification alone does not address.

Organizations do not need to choose between ISO 27001 and NIS2 compliance. In most cases, ISO 27001 provides the management system platform; NIS2 and its national implementing laws raise the bar in specific areas. The key is understanding where current practices already align with those legal requirements – and where targeted improvements are still necessary..

Useful questions for management teams to consider:

  • Does our cybersecurity program adequately address risks across our supplier ecosystem?
  • Are executive leaders actively involved in cybersecurity governance — not just informed after the fact?
  • Can we demonstrate operational resilience beyond documented procedures alone?
  • Are incident response and recovery processes regularly tested against realistic scenarios?
  • Do we have documented processes that meet NIS2’s 24- and 72-hour reporting timeframes?
  • Do our customers and business partners expect more than certification as evidence of resilience?

How do NIS2 and ISO 27001 requirements map to each other?

Download the DQS whitepaper for a detailed comparison of NIS2 obligations and ISO 27001 controls, designed to support organizations assessing where their ISMS already meets the directive's expectations and where gaps may remain.

Download the white­pa­per

Key Takeaways

  1. ISO/IEC 27001:2022 supports a large proportion of the ten risk management measures set out in Article 21(2) of NIS2 – although the extent to which this is the case depends on the maturity and scope of the existing ISMS.
  2. Typical areas of focus in certified ISMSs primarily include: supply chain risks extending beyond directly contracted partners; a documented 24-hour/72-hour incident reporting workflow with clear triggers
  3. Clearly assigned responsibility for risk acceptance at senior management level
  4. Emergency and business continuity arrangements that are regularly tested, not merely described.
  5. ISO 27001 assigns responsibility for risks to top management (including in clause 6.1.3(f)), but does not establish personal liability in its own right – this arises only from NIS2 and the relevant national implementation (e.g. regarding governing bodies and supervisory duties).
  6. Customers and procurement teams regard ISO 27001 certification as a prerequisite for supplier assessments.
Questions & Answers

Frequently asked questions.

What is the NIS2 Directive?

NIS2 (the second Network and Information Security Directive, Directive (EU) 2022/2555) is an EU directive that has applied at EU level since January 2023 and must be implemented into national law by the Member States by 17 October 2024. It sets mandatory cybersecurity and resilience requirements for organisations in a broad range of essential and important sectors across Europe, including energy, transport, manufacturing, healthcare and digital infrastructure. National laws implementing NIS2 introduce direct legal obligations, financial penalties that can reach up to €10 million or 2% of global annual turnover for essential entities (and €7 million or 1.4% for important entities), and clearer accountability of senior management for cybersecurity risk management and compliance.

Does ISO 27001 cover NIS2 requirements?

ISO/IEC 27001 supports many NIS2 expectations through its structured, risk‑based approach to information security management. However, certification alone does not automatically fulfil all NIS2 obligations, particularly with regard to statutory incident reporting timelines, supply chain risk management and the specific governance and accountability requirements placed on management bodies under NIS2‑based national laws.

Is ISO 27001 mandatory under NIS2?

No. NIS2 does not require ISO 27001 certification. However, many organisations use ISO/IEC 27001 as a recognised framework to structure and demonstrate their cybersecurity risk management practices, which can significantly support their efforts to comply with NIS2 obligations and to meet customer and regulator expectations.

What is the biggest difference between ISO 27001 and NIS2?

ISO/IEC 27001 is a voluntary international management system standard that organisations can adopt to demonstrate structured information security governance. NIS2 is an EU directive that, once implemented into national law, creates binding legal obligations relating to cybersecurity risk management, resilience, incident reporting and management‑level oversight – with potentially significant penalties for non‑compliance.

What penalties can organisations face under NIS2?

Under the NIS2 framework, national laws can provide for administrative fines for essential entities of up to €10 million or 2% of global annual turnover, whichever is higher, and for important entities of up to €7 million or 1.4% of global annual turnover, whichever is higher. Senior management may also face consequences under applicable national corporate and liability laws if they seriously neglect their oversight duties in relation to cybersecurity.

What are the NIS2 incident reporting requirements?

NIS2 requires in‑scope organisations to follow a tiered reporting timeline to the relevant national authority or CSIRT. Typically, this includes an early‑warning notification within 24 hours of becoming aware of a significant incident, a more detailed incident notification within 72 hours and a final report within a later deadline (often one month) set out in national law. Organisations that lack documented processes, assigned responsibilities and tested procedures for these steps may find it difficult to meet these legally binding timeframes.

Can ISO 27001 help improve operational resilience?

Yes. ISO/IEC 27001 supports risk management, incident response procedures, supplier security controls and governance practices that, taken together, contribute to stronger organisational resilience. For organisations seeking to demonstrate resilience in line with the expectations of NIS2 and their customers, a well‑implemented ISO 27001‑based ISMS provides a valuable and widely recognised starting point.

Find out what ISO 27001 certification involves

Explore DQS ISO 27001 certification services — from initial assessment through to certification and ongoing surveillance.

Explore DQS cer­ti­fic­a­tion services
Author

Markus Jegelka

DQS expert for information security management systems (ISMS) and long-time auditor for the standards ISO 9001, ISO/IEC 27001 and IT security catalog according to para 11.1a/b of the German Energy Industry Act (EnWG) with test procedure competence for § 8a (3) BSIG

Loading...

You Might Also Enjoy These Reads

Discover more articles that dive deep into related themes and ideas.
Blog
Loading...

A best practice guide for creating effective ISMS objectives for ISO 27001

Blog
Loading...

ISO 42001 Certification in Hong Kong: Should Your Business Get Certified Now?

Blog
Loading...

TISAX® Assessment Level 2: Why the Cheapest Option Is Not Always the Most Cost-Effective