How Article 24 Changes Cyber-Security Certification in the EU: Immediate Actions for NIS 2 Teams
Article 24 of the NIS 2 Directive doesn’t just tweak requirements for cyber-security certification across the EU; it fundamentally reshapes how organisations, suppliers, and even national regulators must define and prove their security posture. If your team is responsible for compliance, procurement, or audit in a covered sector, this is not an abstract legal update or a slow-moving transition: it’s a live regulatory border you must cross. Beginning October 2024, only certificates and schemes specifically recognised under EU law and listed in ENISA’s registry (e.g., EUCC for ICT products, EUCS for cloud, EU5G for telecom) may be used as core evidence of compliance. Standards like ISO 27001, SOC 2, or NIST, long considered gold standards in security, become supporting acts unless explicitly elevated to equivalence through a Commission delegated act, an exception rather than the rule.
Modern compliance isn’t about brand names; it’s about evidence that meets today’s regulatory threshold for assurance and traceability.
In practice, using certifications that aren’t found in the ENISA registry or covered by a specific delegated act exposes both your organisation and your supply chain to audit failure, contractual disputes, and even direct regulatory penalties. Procurement checklists and onboarding protocols that anchor on anything less than this regulatory baseline are inviting unnecessary risk. As delegated acts currently cover only a handful of product or service categories (and may be withdrawn with little warning), you must monitor these legal exemptions dynamically, not just at audit time but as part of your operational rhythm.
Starting now:
- Audit every certification in your compliance inventory.
- Rewrite vendor questionnaires and onboarding flows to demand ENISA registry evidence as a non-negotiable baseline.
- Treat legacy or international certificates as secondary: useful for transition, but not for legal or audit clearance.
What ENISA Actually Does, and Why It Matters for Compliance and Audit
Behind the scenes of Article 24 sits ENISA, the EU agency tasked with designing, registering, and maintaining the very certification frameworks that define compliance. ENISA isn’t just a policy body; it’s the live operational nucleus of the European cyber certification ecosystem.
Key ENISA responsibilities include:
- Maintaining up-to-date registries of EU-recognised certification schemes, listing valid certificates for products/services across ICT, cloud, telecom, OT, and new sectors as schemes are ratified.
- Publishing official checklists, SoA mapping tools, and implementation guides for procurement, compliance, and audit teams, enabling organisations to directly mirror required evidence and acceptance tests.
- Supporting national and sectoral authorities (BSI, ANSSI, ECB, etc.) to ensure that sector rules (like DORA for finance, MDR for health) dovetail with, rather than duplicate or conflict with, EU baseline rules.
- Offering mapping tables that link non-EU standards (ISO 27001, NIST 800 series, SOC 2) to EU controls, an essential resource for managing both transition and dual-compliance gaps.
- Issuing news, updates, and alerts on scheme changes, delegated acts, and registry amendments; these are not optional emails but compliance-critical signals.
When procedures reflect ENISA registry protocols, you future-proof your compliance: no more surprises during vendor review, audit, or regulator visits.
Operational checklist for compliance teams:
- Build supplier and contract reviews with live registry queries at the top; don’t rely on emailed certificates or PDFs alone.
- Integrate ENISA’s sector-targeted guidance into both your evidence-gathering process and your internal audits.
- Keep watch for new or withdrawn delegated acts and update your SoA and process flows proactively; do not assume equivalence until it’s literally codified.
International Certifications: Useful for Maturity, Insufficient for NIS 2 Compliance
Many mature organisations, especially those operating internationally, lean on strong non-EU certifications (like ISO 27001, SOC 2, NIST, FedRAMP) as de facto signals of robust security. Article 24 makes it explicit: none of these certifications are automatically sufficient for legal compliance within the EU NIS 2 scope, unless a delegated act says so.
The question isn’t “Do we have ISO 27001?” but “Is our ISO 27001 certificate recognised in the ENISA registry, or given explicit equivalence for our product/service by a current delegated act?”
Current landscape:
- Barring rare delegated acts, no mutual legal recognition exists between EU-recognised schemes and major non-EU standards. As of July 2025, ENISA’s registry and official documentation state clearly: *only products, services, or platforms with valid certificates in their registry count for NIS 2 audit pass-through*.
- Non-EU certifications can bridge gaps or provide maturity signals within your own team, supply chain, or internal controls, but they aren’t proof for auditors or regulators unless specifically elevated by EU law.
- Delegated acts may offer time-bound or narrowly scoped equivalence (e.g., for a sector, technology class, or transitional period), but these should be monitored like material risks, as they can expire or be withdrawn with little lead time.
Practical guidance:
- Maintain non-EU certifications for broader assurance, but treat them as internal or managerial evidence, never as fulfilment of Article 24 requirements unless supported by a binding delegated act.
- Track changes to delegated acts using official ENISA feeds and legal monitors; update your compliance SoA immediately upon changes.
Audit-Ready Doesn’t End with Certification: National and Sectoral Overlays Matter
Security teams in highly regulated verticals, from banking to critical infrastructure, face an even denser evidence burden: not only must you meet ENISA’s baseline and NIS 2 requirements, but you must satisfy any national regulator or sectoral scheme that imposes stricter or parallel obligations. DORA, MDR, HERA, and other regulations layer on top, but nothing ever undercuts the need for an ENISA-listed certificate.
Double reporting and “minimum plus” compliance are the new normal. Don’t assume that one certificate, even from ENISA, can clear all regulatory hurdles.
What does this mean in practice?
- Any supplier, service, or system must be mapped against both the ENISA registry (for minimum compliance) and all relevant sector/national overlays. Approvals or certificates required by BSI (Germany), ANSSI (France), or DNB (Netherlands) may be necessary in addition to, but never in place of, the EU scheme.
- Tender and supplier onboarding now require a matrixed compliance tracker: one row for each regulatory regime, columns for EU and national/sector schemes, evidence links, gap logs, delegated act dependencies, and responsible owners.
- When a sectoral overlay exists, the stricter scheme prevails. Always satisfy the highest bar; falling short on any axis triggers enforcement.
Regularly update your compliance dashboard and audit trail every time ENISA or a national regulator issues a scheme update, delegated act, or revokes a legacy equivalence. Add each event to your risk register and SoA.
Implementation Barriers: When Certification Gaps Threaten Business Operations
The most acute operational risk facing large-scale and multinational organisations today? Relying on legacy or non-EU certifications (FedRAMP, NIST, or SOC 2) without a living compliance crosswalk to ENISA registry evidence.
Audit failures are now contractual and reputational risks. They often result from a lag in updating proof from the non-EU standard to the current EU scheme, and they increasingly trigger supply chain holds or account suspensions.
Overcome these common pitfalls:
- Exception logs are no longer nice-to-haves: All supplier exceptions, legacy certs, compensating controls, or onboarding gaps must be recorded with assigned owners, deadlines, and closure actions. Use your ISMS platform as the operational heart of this process.
- Procurement and Risk teams must have “pause/play” authority for any relationship or contract on which ENISA (or sectoral) scheme evidence is incomplete or expired. Escalate issues instantly to the board or compliance oversight; do not wait until an audit to discover noncompliance.
- Continuously update: New delegated acts, auditing instructions, or ENISA registry entries should immediately trigger a workflow update, owner action, and documentation refresh.
Fines for noncompliance can reach €10 million or 2% of global turnover; supply chain interruption and director liability are at stake.
Evidence Table: Making Compliance Operational, Not Just Documented
Cyberspace regulatory affairs have moved beyond static checklists. Article 24 demands a living evidence matrix, directly linking every procurement, vendor, or supplier action to a corresponding ENISA registry entry and EU scheme.
Operational blueprint:
- Begin every onboarding, audit, or critical project with a live ENISA checklist, cross-referenced with sectoral/national overlays.
- For each control (e.g., Access Management, Incident Response, Supply Chain), build an evidence crosswalk table tracking:
  - Scheme and certificate (with registry link)
  - Supplemental or legacy certificates
  - Exception, gap, or delegated act dependency
  - Owner, remediation plan, status, and closure date
Sample crosswalk:
| ENISA Control | EU Schemes Certificate | Supplemental Cert | Gap/Exception | Status | Date Closed |
|---|---|---|---|---|---|
| Access Control (AC-1) | EUCC–1234–2024 | ISO 27001:2022 | None | Complete | 14/02/2025 |
| Supply Chain Resilience | EUCC–5678–2024 | SOC 2 Type II | Legacy: Supplier no EUCC | Remediation Planned | – |
| Incident Response | EUCS–9012–2025 | NIST 800-53:2017 | Pending EUCS | Q3 2025 Upgrade | – |
Audit readiness is now measured in registry updates, not PDF hoarding. Live links, action logs, and owner assignments are non-optional.
Automate these tables and reminders in your ISMS platform for speed and rigour.
Risk, Board Reporting, and Change Triggers: Stay Ahead, Not Just Compliant
True operational excellence emerges when leadership treats compliance as a live risk discipline, not a static certification process. Article 24’s real threat is silent drift: evidence that is outdated, certificates that have expired, or delegated acts that quietly lapse.
Best-in-class processes:
- Tie quarterly ENISA registry and delegated act reviews directly to both compliance owner and board cycles (e.g., management review, board risk committee agenda).
- Keep a live risk and evidence register across all regulated areas or divisions. Every exception is traceable. Link registry checks, delegated act changes, and deadline events directly to your SoA and risk sheet.
- Make your evidence crosswalk and exception status a standing item in management reviews and board packs; escalate drift immediately and assign remediation owners.
ISO 27001 Bridge Table:
| Expectation | Operational Practice | Annex A Reference |
|---|---|---|
| EU certificate for all vendors | Registry check + mandatory onboarding | A.15.1, A.15.2 |
| Evidence gap logged, owner assigned | Crosswalk table auto-updated, board escalated | A.9.1, A.5.35 |
| Incident logged in ENISA scheme | Dual evidence logged (EUCS + national), board alert | A.5, A.5.29 |
Boards expect leading indicators, not reactive reporting. Audit surprise is a failure signal in both risk and governance.
Traceability, Exception Management, and ENISA Registry Workflow: Daily Practice
For audit and compliance leadership, traceability and exception management are now daily disciplines, not annual rituals. Every Article 24–relevant control must directly link to proof in the ENISA registry or, for exceptions, a current delegated act and a logged remediation plan.
Traceability Table Sample:
| Trigger | Risk/Control Update | SoA Link | Evidence Logged |
|---|---|---|---|
| Delegated act updated | New product/service class mapped | SoA + crosswalk updated | ENISA registry proof attached |
| Supplier onboarding | Risk and review cycle triggered | A.15.1, A.5.6 | Onboarding audit, board feed |
| Quarterly registry review | Expired cert / delegated act flagged | Evidence table, risk sheet | Remediation log; owner triggered |
Exception escalation workflow:
- Log every exception in SoA, risk register, and evidence table.
- Assign remediation owner and timeline.
- Integrate update into board agenda/review.
- Close only after registry or delegated act proof is attached and action plans completed in SoA.
Traceability lag time is a critical risk metric; boards and auditors look for audit-to-evidence gaps as first signs of control drift.
ISMS.online tip: Leverage your platform to schedule, log, and automate these cycle reviews, evidence attachments, and board reporting links.
ISMS.online in the Article 24 Era: Automating Evidence, Registry Mapping, and Board Confidence
For organisations leading on NIS 2 compliance, ISMS.online is engineered to make Article 24 requirements operational, not just auditable, for every stakeholder.
Leading teams:
- Integrate ENISA registry checks into every workflow: procurement, onboarding, audit, and supply chain review.
- Automate crosswalk, exception, and evidence matrix management; dynamically update with any ENISA registry or delegated act change.
- Live dashboards provide traceability and registry mapping at all times, not just during audit cycles.
- Treat all non-EU certifications as gap/transition signals, flagged for future action and never accepted in isolation.
Continuous evidence is a competitive advantage. In the Article 24 era, trust and resilience are measured in speed: the time between a regulatory change and proof of compliance across suppliers.
Next steps for teams intent on board-level readiness:
- Scope an ISMS.online platform review focused on registry integration, crosswalk automation, and delegated act alerting.
- Embed Article 24 logic in daily supplier review, contract approval, and management reporting flows.
- Invite your leadership and compliance teams to trial ENISA-mapped workflows, traceable audit logs, and dynamic exception tracking.
Tomorrow’s lead indicator isn’t last year’s certificate; it’s a living map, registry-linked, resilient in the face of change. Take your place at the compliance frontier, where audit, procurement, and board trust converge.
Frequently Asked Questions
What is the actual effect of NIS 2 Article 24 on your use of ISO 27001, NIST, or SOC 2 certifications for EU compliance?
Article 24 of NIS 2 cements this reality: only certifications issued under EU-wide cyber-security schemes entered in ENISA’s public registry are recognised as direct evidence for NIS 2 compliance. Certificates from renowned standards like ISO 27001, NIST, or SOC 2, while still signals of serious security posture, are legally “adjunct” unless the European Commission passes a delegated act granting them formal equivalence, and as of 2025 that remains theoretical. Auditors, procurement teams, and clients increasingly ask for more than a brand or certificate PDF; they require registry-backed traceability.
You can’t demonstrate compliance if your asset or service isn’t traceable in real time to an ENISA-registered certification.
What does this look like in practice? Your compliance evidence table now needs to show, for each asset or supplier, the EU scheme name, registry number, scope, and validity. Non-EU certificates can still feature as evidence of maturity, but they can’t fill the Article 24 compliance gap. This is a move away from paper-based certificate checks towards real-time, registry-referenced proofs.
| Product/Service | ENISA Cert # | Scheme | ISO/NIST/SOC2 | Compliance Status |
|---|---|---|---|---|
| Customer Portal | EUCS00415 | EUCS | ISO 27001 | Pass |
| Cloud Vendor X | EUCC00867 | EUCC | SOC 2 | Pass |
| Legacy ERP System | – | – | ISO 27001 | Not compliant |
How are certifications recognised, updated, and operationalised under NIS 2?
All certifications accepted for NIS 2 compliance flow through the ENISA-led ecosystem. Key schemes right now include EUCC (ICT products), EUCS (Cloud), and EU5G, each with approval cycles and public registries. ENISA updates both the scheme definitions and the live registry, often responding to new threats, standards, or regulatory actions. Member States and sector agencies anchor audits and procurement gates to these official lists.
To operationalise this into your compliance programme, your team must:
- Reference the live ENISA registry for all asset and supplier certifications.
- Record each certification’s registry number, scope, assurance level, and expiration date.
- Automate alerts for scheme revisions, new delegated acts, or expiring certifications.
- Link every asset, product, or supplier to its registry entry in your ISMS and procurement flow.
- Prepare for regulatory change by monitoring ENISA, sector regulators, and updates to delegated acts.
Compliance has become a living process, not a static document exercise; you must prove registry alignment at every audit, not just once a year.
A typical compliance workflow now includes automated registry syncs, certificate validation at every contract renewal, and board-level reporting on Article 24 asset coverage.
| Asset/Supplier | ENISA Registry # | Scheme | Assurance | Expiry | Status |
|---|---|---|---|---|---|
| Employee Directory | EUCS01234 | EUCS | High | 2026-04-21 | Active |
| Payroll Provider | EUCC05678 | EUCC | Basic | 2025-02-10 | Pending Update |
| On-prem DB | – | – | – | – | Gap/Transition |
Do national agency requirements or sector overlays override the ENISA registry under Article 24?
No: national rules, sector overlays, and historic certificates only stack on top of, never replace, the pan-EU requirement. Article 24’s registry-backed schemes form the legal floor: if your asset, service, or vendor isn’t tied to a current ENISA registry entry, neither a national bulletin nor a sector checklist will satisfy the law. Agencies like BSI (Germany) or ANSSI (France) may list “accepted” non-EU certs as supporting signals, but not as direct proof.
Sector frameworks (e.g., DORA for finance, MDR for health) may trigger further controls or board reporting layers, but you always start with the EU registry first. If a delegated act adds new recognition or retires a scheme, your compliance evidence must show the timeline and response for each affected asset.
The compliance gold standard is: prove you meet the most demanding layer first (ENISA, then sector, then local overlays) and document each step for your audit trail.
| Layer | Mandatory Proof | Extra/Overlay Requirements |
|---|---|---|
| EU/NIS 2 | ENISA Cert Registry # | |
| Sector | Sector-specific mapping | DORA reports, MDR incident playbooks |
| National | Country audit checklist | BSI/ANSSI supplement, local vendor log |
Why aren’t ISO 27001, NIST, or SOC 2 certificates enough for NIS 2, even with robust controls?
Because Article 24 makes legal registry inclusion, via ENISA, the only direct evidence channel. International schemes like ISO 27001, SOC 2, and NIST are not currently mapped legally into the EU Cyber-Security Act, nor do they appear in the ENISA registry. Even with a strong history of external audits, an organisation cannot use these standards as a substitute unless a delegated act is enacted (and none are, as of now).
These global standards often lag on requirements for GDPR alignment, EU-specific incident disclosure, and nuanced supply chain assurance. Your compliance evidence should still log them, but as maturity indicators, gap analysis aids, and preparation for future EU schemes, not for “pass/fail” on Article 24.
A robust ISO 27001 programme shows you take security seriously; only an ENISA registry certificate proves you’re NIS 2 compliant for that asset.
| Control Area | ENISA Scheme | ISO/NIST/SOC2 | Role in Evidence | Owner |
|---|---|---|---|---|
| User Access Control | EUCC | ISO 27001 | ENISA cert = main proof | IT |
| Cloud Security | EUCS | SOC 2 | SOC 2 as supplement | Compliance |
What does audit readiness mean as Article 24 schemes and delegated acts keep changing?
“Audit-ready” now means your ISMS and procurement pipelines are always mapped to the current live registry: no gap, no expired certificate, no ambiguity.
- Only procure/renew tools and vendors that confirm a valid ENISA-registered certificate.
- Continuously map your assets to registry entries and monitor expiry, scope, and assurance levels.
- Log any asset or supplier without a registry entry as an exception; document next steps (migrate, seek delegated act, remediate).
- Subscribe to registry and delegated act updates, and refresh compliance dashboards every quarter.
- Ensure management and board reviews include live registry coverage, gap analysis, and exception updates.
Audit resilience means every process, system, and vendor can be proved, on demand, via ENISA registry mapping, not after a scramble but at every review.
| Step | Registry Mapped | Responsible | Status | Next Action |
|---|---|---|---|---|
| Cloud Procurement Review | EUCS00213 | IT Buyer | Mapped | Annual check |
| App Renewal | EUCC04659 | Security | Exp. Soon | Renewal planned |
| Local App | – | – | Gap | Migration |
How does ISMS.online automate dynamic EU registry compliance for Article 24?
ISMS.online transforms registry-first compliance into a living, automated workflow:
- Live registry syncing: Feeds ENISA registry updates and delegated act notices into your compliance logs, tying every asset and supplier to their official certificate record.
- Automated mapping: Every procurement, IT, or supplier record auto-checks for registry coverage; gaps are flagged, owners assigned, remediation tracked.
- Exception handling: Assets lacking a registry match trigger action plans and delegated act monitoring, so no gap goes unseen or unaddressed.
- Dashboard insights: Audit and board dashboards turn real-time registry statuses, expiry alerts, and compliance gaps into actionable insights, with no spreadsheet sprawl.
- Overlays for sectors and nations: Add DORA, MDR, or national overlays to your compliance stack, always anchored to the ENISA registry for full coverage and audit defensibility.
The most resilient security and compliance leaders are never caught off guard; they know, instantly, which of their assets and suppliers fit Article 24 and can prove it in seconds.
Ready to simplify Article 24 compliance?
Connect with ISMS.online to see registry-mapped, audit-ready pipelines across your supply chain, turning compliance into a real-time, evidence-driven advantage you can trust in boardrooms, tenders, and audits.