
ISO 27001 and NIS2: what your ISMS already covers, and the gaps it doesn't

If you already hold ISO/IEC 27001, you're not starting NIS2 from zero: far from it. A working ISMS covers most of the Article 21 baseline. But certification isn't compliance: NIS2 layers on statutory duties an ISMS doesn't, by itself, satisfy. This guide maps what carries over, where the real gaps sit, and how to close them without rebuilding what you already have.

Key takeaways

  • ISO 27001 covers most of the NIS2 Art. 21 measures (risk management, access control, cryptography, continuity, supplier controls) so it's a strong head start.
  • But certification isn't compliance: NIS2 adds statutory incident-reporting deadlines, management liability, registration and continuous supply-chain assurance.
  • The widest gaps are usually the 24/72-hour reporting duty and continuous third-party monitoring: not the core controls.
  • Close the gaps on top of the ISMS: don't rebuild; map your Annex A controls to the Art. 21 list and add what's missing.

What your ISMS already covers

The NIS2 Article 21 baseline and ISO/IEC 27001 (with its Annex A controls) overlap heavily. If your ISMS is genuinely operating (not just certified), much of the directive's technical and organisational substance is already in place:

  • Risk management: your ISMS risk assessment and treatment process maps straight onto Art. 21(2)(a).
  • Access control and cryptography: the Annex A access-control and cryptographic controls line up with Art. 21(2)(i) and (h).
  • Incident management: your incident process covers the handling side of Art. 21(2)(b); the reporting side is where NIS2 asks for more.
  • Business continuity: backup, recovery and continuity controls map to Art. 21(2)(c).
  • Supplier relationships: the Annex A supplier controls are the foundation Art. 21(2)(d) builds on.

Where NIS2 goes beyond your ISMS

Certification proves a managed system exists for a defined scope. NIS2 is a legal obligation on the whole in-scope entity, and it adds duties an ISO certificate doesn't, on its own, discharge:

Statutory incident reporting: ISO 27001 has you manage incidents; NIS2 has you report the significant ones to a national authority on a 24-hour / 72-hour / one-month clock (Art. 23). No ISMS deadline matches that.

Management liability and training: NIS2 makes the management body approve and oversee the measures, take training, and carry personal liability (Art. 20). ISO asks for management commitment, not legal accountability.

Continuous supply-chain assurance: the Annex A supplier controls are largely point-in-time. Art. 21(2)(d), read with the 'appropriate measures' standard, pushes toward ongoing monitoring of supplier risk.

Registration and scope: many entities must register with their national authority, and NIS2 applies to the whole in-scope organisation regardless of the ISMS scope you chose.

Enforcement reality: an ISO non-conformity is between you and your certifier; a NIS2 failure can mean binding orders and fines up to €10M or 2% of turnover (Art. 34).

Closing the gap without rebuilding

The efficient path treats NIS2 as a delta on top of a working ISMS, not a parallel programme:

  • Map your Annex A controls onto the Art. 21(2)(a)–(j) list: most cells will already be filled.
  • Stand up the reporting workflow: who decides 'significant', who contacts the CSIRT, and the 24/72-hour playbook.
  • Put NIS2 governance on the board: approval of the measures, oversight reporting, and management training (Art. 20).
  • Upgrade supplier assurance from an annual questionnaire to continuous monitoring for the critical ones.
  • Confirm registration with your national authority, and that the ISMS scope actually covers the in-scope services.

Source: Directive (EU) 2022/2555 (NIS2), Articles 20, 21 and 23 — the ISO/IEC 27001 mapping is indicative; confirm the binding requirements in your national transposition law.

How norppa.io helps

The two gaps an ISMS leaves widest are exactly what norppa.io is built for: continuous supplier assurance and incident-ready evidence. Every monitored supplier is checked across more than a hundred control points daily, with findings mapped to the same Art. 21 sub-clauses your ISMS already speaks, so the supply-chain control becomes continuous instead of annual.

And because everything is timestamped and exportable, the evidence behind an Art. 23 notification or a supervisory audit sits alongside your ISMS documentation rather than in a separate silo. norppa.io complements ISO 27001; it doesn't duplicate it.

