ISO 27001:2022 covers approximately 70% of the ten cybersecurity risk-management measures NIS2 Article 21 requires. Five of the ten measures (policy and risk analysis, secure systems acquisition and development, effectiveness assessment, cryptography, and HR security/access control/asset management) have full ISO 27001 coverage. The other five (incident handling, business continuity and crisis management, supply chain security, cyber hygiene and training, and MFA/secure communications) have only partial coverage — and these are the areas where most NIS2 audit findings concentrate. This guide gives you the full measure-by-measure mapping, the specific evidence ISO 27001 already supplies, and exactly what is still left to close for NIS2.
For the full NIS2 picture, see our NIS2 compliance guide.
Why ISO 27001:2022 is the right starting point — but not enough
ISO 27001:2022 is the closest ISMS standard to NIS2 in spirit: both are risk-based, both demand documented controls, both expect continuous improvement evidence. ENISA’s mapping (published 2023, refined 2024) confirms approximately 70% of NIS2’s Article 21 measures are covered by an ISO 27001:2022-compliant ISMS.
But — and this is what most cross-walk posts miss — the 30% gap is concentrated in five specific measures that turn out to be the operational pain points: the 24-hour incident clock, supplier security beyond contract clauses, the workforce hygiene programme, MFA on remote access, and the secure-comms backbone for crisis management. These are exactly the measures NIS2 auditors and CSIRT inspectors test first.
This guide stops at the table for the five fully-covered measures (where the ISO evidence transfers as-is) and zooms in on the five partial measures to spell out what is left to do.
Article 21(2)(a)–(j) to ISO 27001:2022 mapping
| NIS2 measure | ISO 27001:2022 primary controls | Coverage | Headline reuse |
|---|---|---|---|
| (a) Policies on risk analysis and information system security | Clauses 5.2, 6.1.2, 8.2, 8.3 + A.5.1 Policies | Full | Risk-management framework, IS policy |
| (b) Incident handling | A.5.24, A.5.25, A.5.26, A.5.27 + A.8.15, A.8.16 | Partial | Incident response framework but no 24-hour clock or CSIRT routing |
| (c) Business continuity and crisis management | A.5.29, A.5.30 + A.8.13, A.8.14 | Partial | BCP/DR framework but no NIS2-specific crisis-comms or regulator-liaison procedures |
| (d) Supply chain security | A.5.19, A.5.20, A.5.21, A.5.22 | Partial | Vendor due-diligence and contract clauses but no ICT-third-party register or ongoing assurance cadence |
| (e) Security in network/info systems acquisition, development, maintenance | A.8.25–A.8.34 + A.5.23 | Full | Secure SDLC, vuln management, secure config |
| (f) Effectiveness assessment | Clauses 9.1, 9.2, 9.3 + A.5.35, A.5.36 | Full | Internal audit, monitoring, management review |
| (g) Basic cyber hygiene and training | A.6.3 Awareness training | Partial | Training control but no NIS2 measurable hygiene programme metrics |
| (h) Cryptography and encryption | A.8.24 | Full | Crypto policy, key management |
| (i) HR security, access control, asset management | A.6.1, A.6.2 + A.5.15–A.5.18 + A.5.9–A.5.13 | Full | HR vetting, RBAC, asset inventory |
| (j) MFA, secured comms, secured emergency comms | A.8.5 partial; A.5.14 partial | Partial | Authentication standard but no MFA-on-remote-access default or secure-comms backbone for crisis |
Zoom-in on the five partially covered measures
Article 21(2)(b) Incident handling — what’s left after ISO 27001:2022
ISO 27001:2022 (A.5.24–A.5.28) gives you: incident management planning, incident classification, response, and lessons learned. What it does not give you for NIS2:
- The 24-hour early warning clock with an awareness timestamp
- The 72-hour CSIRT notification format with IOCs
- The one-month final report with cross-border impact assessment
- The CSIRT submission channels per member state
- Parallel filing to GDPR and sector regulators
Close it by: extending your IR runbook with the NIS2 cascade and adding CSIRT-routing presets. See our NIS2 incident reporting cascade.
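The 24-hour, 72-hour and one-month clocks above are where ISO-derived runbooks usually fall short, so here is an added example (not from the original post or any Enactia product) of the deadline arithmetic an NIS2-aware IR runbook needs. It encodes the Article 23(4) cascade as stated on this page: early warning 24 hours after awareness, incident notification 72 hours after awareness, and the final report one month after the notification is submitted. It does the elapsed-time arithmetic in UTC so a DST change in the member state's local zone cannot shorten a window, and clamps month arithmetic to the last day of the target month (an awareness timestamp late in January would otherwise produce an invalid February date). The stage names and the `missed_stages` helper are this example's own; the timestamps in the usage note are constructed.

```python
"""NIS2 Article 23 reporting cascade: deadline calculator (added example, not page code)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

EARLY_WARNING_HOURS = 24  # Art. 23(4)(a): early warning within 24 h of becoming aware
NOTIFICATION_HOURS = 72   # Art. 23(4)(b): incident notification within 72 h of becoming aware
FINAL_REPORT_MONTHS = 1   # Art. 23(4)(d): final report one month after the notification is submitted


@dataclass(frozen=True)
class ReportingDeadlines:
    """All deadlines are returned in UTC; call .astimezone() on them for local display."""
    awareness: datetime
    early_warning_due: datetime
    notification_due: datetime
    final_report_due: datetime


def _to_utc(moment: datetime, label: str) -> datetime:
    """Reject naive timestamps and normalise to UTC so elapsed-time arithmetic ignores DST shifts."""
    if moment.tzinfo is None or moment.utcoffset() is None:
        raise ValueError(f"{label} must be timezone-aware")
    return moment.astimezone(timezone.utc)


def add_months(moment: datetime, months: int) -> datetime:
    """Add calendar months, clamping the day to the target month's length (31 Jan + 1 -> 28/29 Feb)."""
    index = moment.month - 1 + months
    year, month = moment.year + index // 12, index % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def compute_deadlines(awareness: datetime, notification_submitted: datetime | None = None) -> ReportingDeadlines:
    """Compute the cascade for an incident the entity became aware of at `awareness`.

    The one-month final-report clock starts when the 72-hour notification is actually
    submitted; until that timestamp is known, the notification deadline itself is used.
    """
    aware_utc = _to_utc(awareness, "awareness")
    notification_due = aware_utc + timedelta(hours=NOTIFICATION_HOURS)
    start = _to_utc(notification_submitted, "notification_submitted") if notification_submitted else notification_due
    return ReportingDeadlines(
        awareness=aware_utc,
        early_warning_due=aware_utc + timedelta(hours=EARLY_WARNING_HOURS),
        notification_due=notification_due,
        final_report_due=add_months(start, FINAL_REPORT_MONTHS),
    )


def missed_stages(deadlines: ReportingDeadlines, now: datetime, submitted: dict[str, datetime]) -> list[str]:
    """Stages that were submitted after their deadline, or not submitted and already past due.

    `submitted` maps a stage name to the timestamp its report went to the CSIRT.
    """
    now_utc = _to_utc(now, "now")
    due = {
        "early_warning": deadlines.early_warning_due,
        "notification": deadlines.notification_due,
        "final_report": deadlines.final_report_due,
    }
    missed = []
    for stage, deadline in due.items():
        when = submitted.get(stage)
        effective = _to_utc(when, stage) if when is not None else now_utc
        if effective > deadline:
            missed.append(stage)
    return missed


if __name__ == "__main__":
    # Constructed example: awareness late in January, so the one-month clock lands in a 28-day month.
    aware = datetime(2025, 1, 28, 12, 0, tzinfo=timezone.utc)
    d = compute_deadlines(aware)
    print("early warning due :", d.early_warning_due.isoformat())
    print("notification due  :", d.notification_due.isoformat())
    print("final report due  :", d.final_report_due.isoformat())
    print("missed so far     :", missed_stages(d, datetime(2025, 2, 1, tzinfo=timezone.utc), {}))
```

Feed the awareness timestamp from the ticketing system (with its zone attached) rather than a hand-typed wall-clock time; the awareness timestamp is the one value the CSIRT will ask you to justify, and the calculator refuses naive datetimes for exactly that reason.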
Article 21(2)(c) Business continuity and crisis management — what’s left
ISO 27001:2022 A.5.29 and A.5.30 give you: information security continuity, ICT readiness for BC. What’s missing for NIS2:
- A crisis-management plan that explicitly covers NIS2 reportable events (separate from BCP-style BAU recovery)
- Pre-approved crisis communications for regulators, customers, and the public
- Tested out-of-hours crisis decision-making with documented escalation
- Recovery time objectives that line up with NIS2 service-impact thresholds (not just internal RTOs)
Close it by: layering a NIS2-aware crisis plan on top of the BCP/DR and exercising it in a tabletop with a realistic ransomware scenario.
Article 21(2)(d) Supply chain security — what’s left
ISO 27001:2022 A.5.19–A.5.22 cover supplier policy, agreements, monitoring, and ICT product/service supplier risk. The NIS2 gap is operational:
- An ICT third-party register (similar to DORA’s ICT register), with tiering by criticality
- Ongoing assurance evidence (annual security reviews, attestations, monitoring)
- Sub-processor controls and notification rights
- Member-state specific cross-border data transfer clauses
- A documented exit strategy for material ICT suppliers
Close it by: standing up an ICT third-party register (Enactia or equivalent), tiering suppliers by criticality, and running a contract refresh cycle.
Article 21(2)(g) Basic cyber hygiene and training — what’s left
ISO 27001:2022 A.6.3 requires awareness, education, and training. NIS2 expects measurable hygiene practices and management training:
- A workforce training programme with completion records and refresh cadence
- Hygiene metrics (phishing-simulation click-rate, password reuse, USB usage policy compliance)
- Management body training under Article 20
- Role-specific training for high-risk roles (admins, developers, finance)
Close it by: documenting a hygiene programme with KPIs and a separate management-body training record.
Article 21(2)(j) MFA, secured communications — what’s left
ISO 27001:2022 A.8.5 covers secure authentication; A.5.14 covers information transfer. NIS2 is more specific:
- MFA on remote access by default
- MFA on administrative accounts and privileged sessions
- Secured voice/video/text channels for sensitive internal comms
- Secured emergency comms for incident response (encrypted out-of-band channel)
Close it by: enforcing MFA on remote and admin access; standing up an encrypted out-of-band channel for incident response.
Evidence reuse — one artefact, two frameworks (often three)
| One artefact | Satisfies ISO 27001:2022 | Satisfies NIS2 | Bonus framework |
|---|---|---|---|
| Annual ISMS internal audit report | Clause 9.2 + A.5.35 | Article 21(f) effectiveness assessment | DORA Pillar 1 governance |
| Risk register export | Clauses 6.1.2, 8.2 + A.5.4 | Article 21(a) | GDPR ROPA |
| Incident response runbook (NIS2-aware) | A.5.24 | Article 21(b) | DORA major-incident reporting |
| BCP test report + crisis tabletop minutes | A.5.30 | Article 21(c) | DORA ICT operational resilience |
| Supplier register with tiering | A.5.19, A.5.20 | Article 21(d) | DORA ICT third-party register |
| Workforce training tracker + management-body training log | A.6.3 | Article 21(g) + Article 20 | EU AI Act AI literacy (Art. 4) |
| MFA policy + enforcement evidence | A.8.5 | Article 21(j) | Cyber Essentials Plus / SOC 2 |
| Cryptography policy + key-management procedure | A.8.24 | Article 21(h) | GDPR Art. 32 |
What NIS2 adds that ISO 27001:2022 does not have at all
A few NIS2 obligations have no ISO 27001 equivalent and need standalone work regardless of how mature your ISMS is:
- Article 20 management-body accountability and training
- Article 23 regulator notification (24/72/one-month CSIRT cascade)
- Registration with the competent authority and ongoing notification of changes
- Cross-border CSIRTs Network engagement
- Member-state-specific scope deviations and reporting routes (see the country transposition tracker)
These do not appear in Annex A and must be addressed as a NIS2-specific work package on top of the ISMS.
Practical migration plan if you hold ISO 27001:2022
- Annotate your Statement of Applicability with the NIS2 measure each Annex A control supports. Export as the seed for your NIS2 control catalogue.
- Stand up an Article 21 measure-by-measure register; mark each as Full / Partial / Gap based on the table above.
- For each Partial measure, scope a sub-project to close the specific NIS2 delta listed above.
- Build the NIS2-specific work package (Article 20 management training, Article 23 incident reporting workflow, competent authority registration).
- Layer NIS2 reporting on top of your existing ISMS audit cycle — internal audit needs to cover both.
- Update vendor contracts with the cross-border data transfer and incident notification clauses.
How Enactia automates the cross-mapping
Enactia’s cross-mapping engine maintains both NIS2 and ISO 27001:2022 control catalogues and links each control to a single evidence record. One uploaded artefact (policy, training tracker, BCP test, vendor review minute) satisfies every control it is mapped to, across both frameworks simultaneously. The same evidence chain extends to DORA, GDPR, the EU AI Act, and ADHICS v2.0. The platform’s NIS2 module also ships pre-built Article 21 measure templates with the 30% gap items pre-tagged, so you start the project with the deltas already visible. Book a demo now to see your ISO 27001 evidence mapped to NIS2 live.
Frequently asked questions
Does ISO 27001 certification make me NIS2 compliant?
No. ISO 27001:2022 covers approximately 70% of the Article 21 measures. The remaining 30% — incident handling specifics, BC/crisis management for regulator scenarios, supply chain assurance, hygiene programme metrics, MFA-on-remote-access by default — needs explicit NIS2 work. You also need Article 20 management training and an Article 23 reporting workflow, neither of which exists in ISO 27001.
Where does ENISA publish its mapping?
ENISA published an Article 21 cybersecurity risk-management measures implementation guide in 2024 that includes the mapping reference. The European Commission Implementing Regulation (EU) 2024/2690 supplements it for digital providers with sector-specific technical requirements.
Is ISO 27001:2022 better than ISO 27001:2013 for NIS2?
Yes. The 2022 update merged several legacy Annex A controls and introduced new ones (A.5.7 Threat intelligence, A.5.23 Cloud services, A.5.30 ICT readiness for BC, A.8.7 Threat hygiene), all of which align more closely with NIS2’s all-hazards risk approach. Re-issuing your ISMS on the 2022 version before scoping NIS2 saves work.
Can the same SoA serve NIS2 and ISO 27001?
The SoA is your starting point but cannot serve NIS2 on its own. NIS2 expects a measure-by-measure control catalogue and an Article 21 gap register. The practical pattern is to maintain a single control inventory tagged with the framework(s) it serves, and produce framework-specific exports.
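The single-inventory pattern described in this answer (and the one-artefact-many-controls evidence chain described in the Enactia section above) is easy to get wrong in a spreadsheet, so here is an added example of the data model behind it. This is illustrative code written for this page, not Enactia's implementation or any real platform's API. Each control carries tags of the form `FRAMEWORK:requirement`; evidence is linked once to controls; framework-specific exports and the gap list are derived, never maintained by hand. The sample controls reuse mappings from the table on this page; the DORA tags are descriptive labels rather than article numbers, and the evidence records are constructed.

```python
"""One control inventory, tagged per framework, with derived exports (added example, not page code)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Control:
    control_id: str               # inventory key; here the ISO 27001:2022 control or clause, or a NIS2-only item
    requirements: frozenset[str]  # tags "FRAMEWORK:requirement", e.g. "NIS2:21(2)(b)"


@dataclass(frozen=True)
class Evidence:
    artefact: str                 # one uploaded record (policy, audit report, register export, ...)
    control_ids: frozenset[str]   # every inventory control the artefact is linked to


# Constructed sample inventory; mappings follow the cross-walk table on this page.
SAMPLE_CONTROLS = [
    Control("A.5.24", frozenset({"ISO27001:A.5.24", "NIS2:21(2)(b)", "DORA:major-incident-reporting"})),
    Control("9.2", frozenset({"ISO27001:9.2", "NIS2:21(2)(f)", "DORA:governance"})),
    Control("A.5.19", frozenset({"ISO27001:A.5.19", "NIS2:21(2)(d)", "DORA:ict-third-party-register"})),
    Control("A.8.5", frozenset({"ISO27001:A.8.5", "NIS2:21(2)(j)"})),
    # Management-body training has no Annex A equivalent, so it exists only as a NIS2-tagged control.
    Control("NIS2-ART20", frozenset({"NIS2:Art.20"})),
]

# Constructed evidence records: each artefact is uploaded once and linked to one or more controls.
SAMPLE_EVIDENCE = [
    Evidence("Annual ISMS internal audit report 2025", frozenset({"9.2"})),
    Evidence("IR runbook v3 (NIS2-aware)", frozenset({"A.5.24"})),
    Evidence("Supplier register with tiering", frozenset({"A.5.19"})),
]


def _split_tag(tag: str) -> tuple[str, str]:
    framework, requirement = tag.split(":", 1)
    return framework, requirement


def framework_export(controls: list[Control], evidence: list[Evidence], framework: str) -> dict[str, list[str]]:
    """Map each requirement of `framework` to the sorted artefacts that evidence it via tagged controls."""
    artefacts_for_control: dict[str, set[str]] = defaultdict(set)
    for item in evidence:
        for control_id in item.control_ids:
            artefacts_for_control[control_id].add(item.artefact)

    export: dict[str, set[str]] = defaultdict(set)
    for control in controls:
        for tag in control.requirements:
            tagged_framework, requirement = _split_tag(tag)
            if tagged_framework == framework:
                export[requirement].update(artefacts_for_control.get(control.control_id, set()))
    return {requirement: sorted(artefacts) for requirement, artefacts in sorted(export.items())}


def unevidenced_requirements(controls: list[Control], evidence: list[Evidence], framework: str) -> list[str]:
    """Requirements of `framework` that are in scope but have no artefact behind them: the gap register."""
    return [req for req, artefacts in framework_export(controls, evidence, framework).items() if not artefacts]


if __name__ == "__main__":
    for framework in ("ISO27001", "NIS2", "DORA"):
        print(framework, framework_export(SAMPLE_CONTROLS, SAMPLE_EVIDENCE, framework))
        print("  gaps:", unevidenced_requirements(SAMPLE_CONTROLS, SAMPLE_EVIDENCE, framework))
```

With this shape, the NIS2 export is just one projection of the same inventory, the Article 21 gap register is the list of NIS2-tagged requirements with empty evidence, and the NIS2-only items (Article 20 here) surface as gaps no ISO artefact can ever close, which is the point made in the section on what NIS2 adds.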
What about DORA?
DORA and NIS2 overlap heavily for in-scope financial entities. DORA’s ICT third-party register and major-incident reporting requirements are stricter than NIS2 in some areas; NIS2 applies more broadly across the entity. Most credit institutions need an integrated NIS2 + DORA + ISO 27001 evidence chain.
Already hold ISO 27001:2022 and now scoping NIS2? Book a demo now and we will overlay your Statement of Applicability onto the ten Article 21 measures so you see — in one screen — the 70% that transfers and the 30% you still need to close.