
Are You Really NIS 2 Ready, or Still Trusting ISO 27001 Alone?

The regulatory ground has shifted, catching many organisations off guard. If your leadership team still treats ISO 27001 as a near-total shield against legal, customer, or board risk, NIS 2 is the market reset none can afford to ignore. Today's compliance battlefield stretches beyond your ISMS paperwork to personal board liability, sector escalation, and cross-European operational proof. ISO 27001 certification remains valuable, but it was never a guarantee of regulatory immunity, and NIS 2 now sets a new bar for what "ready" actually means.

Compliance alone doesn't prevent consequences; clarity of evidence does.

Real-world triggers make this urgent: a vendor contract pauses pending NIS 2 proof, a regulator opens a scope review, or a board member realises their name is tied to potential noncompliance. NIS 2 doesn't just target telecom giants. SaaS providers, digital service providers, manufacturing, energy, logistics, healthcare, and even public authorities are pulled into the expanded net (ENISA). Relying solely on ISO 27001, a practice that is comfortable but incomplete for in-scope regulated sectors, won't meet the new expectation for operational and legal resilience.

The Hidden Cost of Certification Comfort

Here's what companies discover at the sharp end:

  • Audit and regulation are no longer just paperwork reviews. Missed incident notifications, supply chain register gaps, or a lagging policy update can trigger fines, public headlines, or even direct questions to the board.
  • Board-level frustration grows: Certification feels like progress, but does it actually reduce their personal risk? Are business units equipped to respond to policy, sector, or audit changes practically and in real time?
  • A recent Linklaters legal analysis delivers a warning: certification alone is not a regulatory defence if your actual evidence sets don't match NIS 2's stricter, sharper, and sector-specific demands.

Anticipate: when was your last real stress test against live NIS 2 regulator or board questions, not just an internal audit? If your compliance backbone is SharePoint folders, emails, or siloed logs, you're primed for nasty surprises. The right time for realignment is before, not after, the next contract block, regulator inquiry, or high-urgency incident.



Does ISO 27001 Actually Cover All New NIS 2 Requirements, or Do Gaps Remain?

ISO 27001 sets the global mark for information security management and is rightly valued by security and compliance teams. But passing its audit is a starting point; NIS 2 is now the finish line for legal defensibility and business resilience, demanding a pace and precision ISO 27001 doesn't, by itself, deliver.

You're audited on two fronts at once: the standard and the regulator.

ISO 27001 vs. NIS 2: Where Gaps Appear

The shift is tangible:

  • ISO 27001: Champions a systemic, risk-based, improvement-oriented model. It asks you to show your controls, and that you're in control of them.
  • NIS 2: Codifies mandatory, clock-driven, sector-specific obligations. You're required to notify authorities within set hours, maintain supply chain evidence, and guarantee management-body ownership, with legal force.

Where the cracks appear:

  • Incident Notification: ISO verifies that an incident management process exists. NIS 2 expects an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within a month, with each step documented.
  • Supplier and Chain Governance: Under ISO, supplier evaluation is guided; under NIS 2, supply chain security is a required measure (Article 21(2)(d)) that must account for each direct supplier's specific vulnerabilities and practices, be regularly reviewed, and be instantly auditable.
  • Board Accountability: ISO's "management commitment" delivers a foundation. NIS 2 raises the bar: management bodies must approve the risk-management measures, oversee their implementation, undergo training, and can be held liable for infringements (Article 20).

Ignoring these distinctions is high risk: many organisations overestimate ISO's coverage and are caught unprepared by NIS 2's sharper teeth. A risk-based approach isn't an exemption from legal specificity; it's a challenge to prove, in practice, that you meet it.

Process Over Paperwork-Active Measures Win

A mindset shift separates leaders from the exposed. Passive policies, generic registers, and "hopeful" evidence are replaced with:

  • Active mapping: Consistent, clause-by-clause crosswalk of ISO controls to NIS 2 requirements.
  • Living registers: Supplier, incident, and notification evidence that’s current and provable.
  • Update discipline: Automation and reminders, not a "fire drill" refresh a week before the audit.

ISO gives you a fighting chance, but NIS 2 expects receipts, not reassurances.

Best practice, flagged by KPMG, is clear: harmonised, evidence-rich crosswalks, never afterthoughts built in crisis. The organisations thriving under NIS 2 are the ones investing in platforms and processes that unify ISO 27001's systematic strengths with NIS 2's legal demands (KPMG 2024).








Mapping NIS 2 Articles to ISO 27001: What You Cover, What You Miss

Compliance is no longer measured in box-ticks; it's about traceable, timely, operationalised connections between framework clauses and sector laws. That's why mapping NIS 2 articles to ISO 27001:2022 matters, and why knowing where the bridges break can make or break your next audit or review.

NIS 2 to ISO 27001 Crosswalk Table

NIS 2 Article | ISO 27001:2022 Clauses | Overlap | Evidence to Provide | Practical Gap
20, 21 (Governance) | 5, 6, 8, Annex A.5–A.8 | High | Board logs, SoA, management review records | Explicit director accountability, sector scope
21(2)-(3) (Measures) | A.5.7, A.5.19–A.5.24, A.8.7–A.8.8 | High | Supplier reviews, asset/inventory evidence | Multi-level annual registers, sector mapping
23 (Incidents) | A.5.24–A.5.28, 6.1.3 | Partial | Incident logs, notification records | Rapid regulator reporting, not just internal logs
25+ (Standards) | 4, 6, Annex A | High | Certification, sectoral docs | Sector registration, cross-border proof
All | Various | Partial | Residual risk register, SoA notes | Supply chain depth, cross-jurisdictional mapping

Mapping is a shortcut to "dual report" readiness, but only if your logs and ownership are living, not static.

ISO 27001 → NIS 2: Watch for Hidden Assumptions

Passing internal audits raises confidence, but NIS 2 expects more:

  • Proof, not policy: Supply chain reviews with role-based signoff, not policy PDFs.
  • Real-time, not retrospective: Retrieval of the last SoA update and the notification timestamps must be instant.
  • Regulator-facing logs: Chain-of-custody, evidence, and logs that link every control to a NIS 2 domain and timeline.

Fragmented responsibilities, multiple registers, or siloed risk/compliance logs are red flags, often leading to conflicting versions or "shadow" risk ownership. Harmonisation and centralisation are now regulatory prerequisites, not just good practice.




How Annex A Controls Align, and Break Down, Against NIS 2 Sector Demands

ISO 27001's Annex A controls remain the backbone of security practice. However, NIS 2's granular, sector-focused, deadline-driven reality pushes beyond generic ISMS implementations. Compliance must now be provably practical: sector-mapped, register-driven, and instantly retrievable.

Annex A/NIS 2 Equivalence Table

Control Area | NIS 2 Directive Scope | ISO 27001:2022 Control Reference | Key Gap/Consideration
Supplier Management | Mandatory sector-level register & regular review | A.5.19–A.5.21, A.8.30 | Sector mapping, scheduled logging
Incident Response | 24/72h notification, regulator-facing logs | A.5.24–A.5.28 | Actual notification logs, root cause chains
Board Responsibility | Explicit ongoing, named director accountability | Clauses 5 (Leadership), 6, 9 | Role-based signoff and sector mapping
Cross-Border Activity | Sectoral registration, ENISA/CSIRT reporting | Not explicit | SOPs and registers for cross-jurisdiction
Sectoral Demands | E.g., healthcare, digital, public admin | A.8.x | Add sector-specific controls, notification logs

The gap emerges when platforms and teams treat sector tags as optional. Under NIS 2, they’re legally binding and auditable.

Practitioner Lens: Aligning Controls Means Rethinking Process

Annex A controls align on paper, but regulators look for:

  • Dated, linked evidence (e.g., procurement log cross-referenced to SoA, supplier risk mapping by sector).
  • Scheduled, logged reviews and approvals, annually or per incident, not just at audit intervals.
  • Proof that your SoA and registers reflect live, active alignment-not passive documentation.

Sector regulators (see CMS Guide) want to see registers, logs, and owner assignments by sector. If you're logging by "security group" alone, you're exposed. The right system ensures sectoral and role-based traceability, mapped straight from incident or register to board file.








Are Your Supply Chain, Sector, and Incident Logs Really Regulator-Ready?

NIS 2 flips the burden: compliance teams must show, not state, security, readiness, and risk mapping. That means registering, evidencing, and regularly updating every supplier, process, and notification, with sector-aware detail and board-visible traceability.

Evidence, not assertion, now rules the audit room.

Risk Register Discipline: What Boards, DPOs, and IT Must Prove

Traceability Table

Trigger Event | Risk Register Update | Control/SoA Link | Evidence to Log
Supplier flagged as critical | Update risk record, supply log | A.5.21, SoA | Dated, signed supply log
Major incident detected | Incident log + notification | A.5.24, A.5.25 | Timestamped regulator notice, root cause
Regulatory update | SoA and policy update | 5, 6 + SoA | Policy change, board signoff logs
Board review meeting | Risk/action status updated | 9.3 | Minutes, decision trail

Teams that turn policies and logs into living registers, not periodic documents, are ahead on audit day and credible with regulators. (ISMS.online, ENISA)

The “Living Evidence Room”: Operationalising Logs and Reviews

Your platform and process must provide:

  • Direct links from control registers to supplier logs or incidents for any given period or trigger.
  • Instant retrieval (ideally within 10 minutes) of the last review, notification, or board approval, complete with timestamp, role, and document chain.
  • Role- and status-based approvals, not inferred from emails or generic checklists.
  • Real-time and annual review proofs for key sectors, not “tick once, file forever.”

If you can't answer "Where is our last board-approved, sector-logged supplier review?", your operation is exposed.




Are Your Incident Response and Timeline Procedures Ready for Live Regulatory Scrutiny?

NIS 2 requires organisations to move beyond plans on paper: incident logs must show chain-of-command escalation, the 24-hour early warning and 72-hour notification to the regulator, and documented remediation, all cross-referenced with rapid evidence logging and approval chains.

The cost of a late or missed regulator notification far exceeds any ISO 27001 audit finding. (Linklaters)

Incident Management Timeline and Evidence Table

Event / Action | Mandatory Deadline (Art. 23(4)) | ISMS.online Platform Step | What the Regulator Expects
Early warning (suspected malicious or unlawful cause, possible cross-border impact) | 24h from becoming aware of the significant incident | Trigger log, timestamp notify | Regulator notification, system log
Incident notification (initial assessment of severity and impact, indicators of compromise) | 72h from becoming aware | File update, chain attachment | Evidence register, status chain
Final report (root cause, mitigation applied, cross-border impact) | 1 month after the incident notification | Link update, SoA, dashboard | Audit of learning chain, board minutes

Two caveats: an intermediate status update must also be supplied if the CSIRT or competent authority requests one, and every clock runs from the moment the entity became aware of the incident, not from the end of triage.
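As an added example (not ISMS.online's code, and not anything the page supplies), here is a small Python checker that evaluates one incident-register row against the three Article 23(4) windows and reports which steps were late, still open, or never filed. The incident timestamps, the INC-0001 identifier, the 30-day reading of "one month", and the decision to anchor a missing notification at the 72-hour deadline are all assumptions of this example.

```python
"""Added example: check an incident register row against the NIS 2
Article 23(4) reporting windows. Sample data below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Reporting windows from Article 23(4) of NIS 2 (Directive (EU) 2022/2555).
# Early warning and incident notification are counted from the moment the
# entity became aware; the final report is due one month after the incident
# notification. Treating "one month" as 30 days is an assumption of this example.
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)


@dataclass
class IncidentRecord:
    """One row of an incident register. All timestamps must be timezone-aware."""
    incident_id: str
    became_aware: datetime
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None


@dataclass
class DeadlineResult:
    step: str
    due: datetime
    sent: Optional[datetime]
    status: str                 # "on_time", "late", "open" (not yet due) or "missing"
    slack: Optional[timedelta]  # margin before the deadline; negative means overrun


def _require_aware(ts: Optional[datetime], label: str) -> None:
    # A naive timestamp cannot be compared against a statutory deadline; reject it.
    if ts is not None and (ts.tzinfo is None or ts.utcoffset() is None):
        raise ValueError(f"{label} must be timezone-aware")


def _check(step: str, due: datetime, sent: Optional[datetime], now: datetime) -> DeadlineResult:
    if sent is None:
        return DeadlineResult(step, due, None, "missing" if now > due else "open", None)
    slack = due - sent
    return DeadlineResult(step, due, sent, "on_time" if slack >= timedelta(0) else "late", slack)


def evaluate(rec: IncidentRecord, now: datetime) -> list[DeadlineResult]:
    """Evaluate the three Article 23 steps for one incident as of `now`."""
    for ts, label in ((rec.became_aware, "became_aware"),
                      (rec.early_warning_sent, "early_warning_sent"),
                      (rec.notification_sent, "notification_sent"),
                      (rec.final_report_sent, "final_report_sent"),
                      (now, "now")):
        _require_aware(ts, label)
    results = [
        _check("early_warning", rec.became_aware + EARLY_WARNING, rec.early_warning_sent, now),
        _check("incident_notification", rec.became_aware + INCIDENT_NOTIFICATION, rec.notification_sent, now),
    ]
    # The final-report clock starts at the actual notification. If none was sent,
    # this example anchors it at the 72h deadline so the overdue report still surfaces.
    anchor = rec.notification_sent or (rec.became_aware + INCIDENT_NOTIFICATION)
    results.append(_check("final_report", anchor + FINAL_REPORT, rec.final_report_sent, now))
    return results


def breaches(results: list[DeadlineResult]) -> list[str]:
    """Steps a regulator would query: sent late, or past due and never sent."""
    return [r.step for r in results if r.status in ("late", "missing")]


# Constructed sample: aware on 1 March 09:00 UTC; early warning 11.5h later,
# notification one hour after the 72h deadline, final report never filed.
UTC = timezone.utc
SAMPLE = IncidentRecord(
    incident_id="INC-0001",
    became_aware=datetime(2024, 3, 1, 9, 0, tzinfo=UTC),
    early_warning_sent=datetime(2024, 3, 1, 20, 30, tzinfo=UTC),
    notification_sent=datetime(2024, 3, 4, 10, 0, tzinfo=UTC),
)
NOW = datetime(2024, 4, 10, 12, 0, tzinfo=UTC)

if __name__ == "__main__":
    for r in evaluate(SAMPLE, NOW):
        print(f"{r.step:22} due {r.due.isoformat()} status {r.status} slack {r.slack}")
    print("breaches:", breaches(evaluate(SAMPLE, NOW)))
```

Run as a script, the sample produces an on-time early warning, an incident notification one hour late, and a final report that is now "missing", which is exactly the gap a regulator query exposes. Because the Directive's clocks run from becoming aware, `became_aware` should be the timestamp at which the incident was first assessed as significant, not when triage finished; recording that moment in the register is what makes the check defensible.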

Break the "Audit Sprint" Mindset: Operate for Live Expectations

Patterns undermining compliance:

  • Evidence sits on SharePoint or is scattered across unsearchable logs, so regulators can't verify timely notification.
  • Incident reviews are handled as “special projects,” not living workflows tied to named controls.
  • Board sign-off is a “checkbox” without a traceable, timestamped decision log.

If your incident register isn’t timestamped, cross-linked, and export-ready for every incident, audit, and board review, NIS 2 noncompliance risk is real, and board patience wears thin fast.








Is Your Compliance Loop Continuous, or a Fragmented Sprint from Audit to Audit?

NIS 2 resets the compliance narrative: the regulator wants evidence you're always "in compliance", not just prepared in the run-up to an audit. This means dynamic, living processes that prove policies, risk registers, and sector logs are maintained and actionable every day.

Real resilience is built in daily, not rehearsed in the week before an audit.

The Modern Compliance Loop: Live, Visible, Always Auditor-Ready

Compliance Operations Table

Loop Step | ISMS.online Platform View | Who's Involved | Records Expected
Scheduled policy, SoA updates | Dashboard, reminders | Compliance lead/DPO | Live, timestamped register
Incident test or review | Linked logs, cross-controls | IT/Board | Outcome, signoff
Board review, signoff | Dashboard, PDF export | Board, DPO, Legal | Minutes, approval log
Task & action tracking | Role-based workflow | Stakeholders | Ticket & closure record

A board that relies on annual audit sprints faces a regulatory shift: NIS 2 expects proof of continuous, in-the-moment compliance, not just paperwork in preparation. This demands real-time reminders, role-based logging, and dashboards that drive regular engagement rather than “danger month” reactivity.




Close the Gap: Continuous NIS 2 & ISO 27001 Compliance with ISMS.online

Organisations that rise above the compliance "reaction curve" embed dual mapping, register automation, and instant evidence review into their working DNA. ISMS.online supports this shift, giving boards, DPOs, and practitioner teams a unified, always-on compliance layer across frameworks and regulatory lines.

Key Features That Deliver Real-World Resilience

  • Dual mapping templates: Clause-by-clause mapping for ISO 27001 and NIS 2, configurable for various regulatory scopes (e.g., digital infrastructure, healthcare, SaaS, and supply chain).
  • Automated dashboards & registers: Real-time supply register, incident log, audit workflow, and board sign-off-no more manual cross-referencing.
  • Integrated risk and regulatory trail: Live SoA, risk register, linked evidence, and role-based approvals keep compliance visible, current, and defensible.
  • Continuous compliance simulation: Always-on “living audit” enables boards and DPOs to fulfil NIS 2’s expectation for in-the-moment evidence.
  • Rapid traceability: Instantly find the last supplier review, notification, or sign-off, timestamped and export-ready for regulators or clients.

Recent ENISA guidance and ISMS.online client success stories confirm: a harmonised, unified platform is your edge in the move from audit interval to real-time defensibility.

Security compliance lives and dies by evidence. Make your platform do the heavy lifting, so your team focuses on responding, not scrambling.

The Dual Compliance Identity Call

The step from episodic audit survival to ongoing regulatory and operational mastery is the foundation of modern trust and resilience. Teams that lead this change become the operators of audit-ready, regulatory-resilient businesses-trusted by boards, regulators, and the customers who depend on them.

When your compliance can withstand an unscheduled test-anytime, from any lens-you become the team boards trust, regulators respect, and competitors quietly envy. Step up to dual compliance with ISMS.online and transform your resilience from annual checkbox to everyday reality.




Frequently Asked Questions

Who falls under NIS 2 scope, and why isn’t ISO 27001 certification by itself enough now?

Any "essential" or "important" entity under NIS 2 faces direct regulatory scrutiny in the EU, and the net is cast wider than ever: not only sectors like energy, finance, water, or health, but SaaS and ICT services, digital marketplaces, public administration, and critical suppliers, including non-EU-headquartered organisations that provide services in the Union. With NIS 2, ISO 27001 stops being your compliance finish line and becomes the starting block. The reason: NIS 2 is EU law, transposed and enforced nationally, with mandatory measures, statutory deadlines, and accountability for management bodies. Where ISO 27001 focuses on best practice, NIS 2 requires real evidence of compliance: time-stamped registers, live supplier mapping, accountable sign-offs, regulator notification within 24/72 hours, and board-level participation. Without adapting ISO 27001's controls to these legal requirements, you stay exposed to audits, fines, and lost trust, even with the certificate on your wall.
(See: EU Digital Strategy – NIS 2)

What does this legal perimeter shift mean?

  • Direct enforcement: NIS 2 is non-optional national law, not a voluntary standard.
  • Personal liability: Boards, directors, and senior managers are accountable for failures.
  • Live supply chain evidence: You need documented supply chain registers, sector mapping, and proof of regular review.
  • Time-bound incident reporting: Must report to regulators within fixed 24- and 72-hour windows, a clear escalation from internal-only logs.
  • Sector and national rules: Obligations vary with each Member State's transposition; ENISA and national competent authorities set sector specifics.

When legal ground shifts, last year’s pass is next year’s exposure. ISO 27001 now sets the floor, not the ceiling.


Where does ISO 27001:2022 fall short under a NIS 2 audit? What are the real post-certification gaps?

ISO 27001:2022 creates a strong operational base: risk management, technical controls, and governance. But NIS 2 demands live, regulator-oriented compliance, and audits most often find gaps where evidence isn't kept in real time or where notification and supplier oversight aren't visible. Relying on "annual review" or "internal log only" status, which used to pass, means critical audit failures under NIS 2.

Area | ISO 27001:2022 | NIS 2 Demand | Common Audit Gap
Supply chain | Policy & risk | Live register, mapped | Moderate–High
Incident notification | Internal logs | Formal 24/72h alerts | High (timeliness)
Board accountability | Leadership role | Management-body liability, logs | High
Sector/national rules | Not explicit | National transposition rules | High
Traceability/audit | SoA, logs | Signed/logged chain | High

If your ISMS is static, or incident response runs on an "honour system", NIS 2 regulators and auditors will spot the gap.


What does clause-by-clause mapping between NIS 2 and ISO 27001 actually reveal about compliance risk?

Examining specific articles, you'll see that ISO 27001 covers much of the governance and risk intent behind NIS 2, especially via Clause 5 (leadership), 6 (planning and risk), and 8 (operation), plus Annex A's 93 controls. But where NIS 2 calls out management-body liability, sector-specific registers, or statutory deadlines, the overlap frays.

NIS 2 Article | ISO 27001 Clause(s) | Level of Overlap | Evidence Auditors Want | Blind Spot
Art. 20/21: Governance | 5, 6, 8 + A.5–A.8 | Strong | SoA, board review, sign-off | Named director/board liability
Art. 23: Notification | 6.1.3, A.5.24–A.5.28 | Partial | Alert workflow, chain of logs | Time-stamped external notification
Sector & national rules | Not explicit | Low | Mapped registers, sector log | Compliance with national transposition rules

Unless your ISMS logs are updated, mapped to sectors, and your supply chain and incident notifications are regulator-proof, even a "perfect" ISO audit won't cover NIS 2.


Where do practitioners most frequently fall down in practice, and how can you close Annex A and sectoral gaps?

Annex A’s controls run deep on IT, supplier, and policy, but living evidence is the differentiator. Audit findings and real-world penalties most often arise because:

  • Supplier and sector registers fall out of date; no proof of review or ownership.
  • Incident and notification workflows are not time-stamped, have gaps in escalation, or lack board/management sign-off.
  • No digital logs for key evidence: approval, update cycle, asset criticality.
  • Sectoral requirements (energy, health, etc.) hidden in policy, not linked to mapped registers or workflows.

Practitioner’s checklist for closing the gap:

  • Build and update digital, role-tagged registers (supplier, sector)-not just static lists.
  • Set automated reminders for incident reviews, alerts, and sectoral policy updates; log and timestamp every step.
  • Use workflows for board/manager sign-off, with exportable evidence trails.
  • Lock dashboard views for audit/compliance, so regulators can see updates, alerts, and sign-offs in real time.

If it isn't in the live register or workflow log, it didn't exist for the audit. The biggest risk now is an invisible evidence gap.


What are the real operational differences between classic ISO 27001 and NIS 2 dual compliance, and how does it affect your audits and board?

NIS 2 moves you from static compliance ("pass the audit, file it and forget it") to dynamic, board- and regulator-facing operations:

  • Incidents must be logged, escalated, and notified externally within the 24/72h windows, not just to IT but to the regulator, and recorded in board minutes.
  • Chains of evidence must be logged stepwise: who signed, when; board and management must be part of closure, not just react after the fact.
  • Supply chain and sector evidence must show not only existence, but ownership, periodic review, and update.

Failures come from:

  • Evidence stuck in silos: spreadsheet, inbox, file share.
  • Lack of clarity in “who does what/when” when incidents break.
  • Board being left out of incident closure or post-mortem.
  • Internal “green lights” but audit gaps where national/sector rules apply.

Modern ISMS platforms resolve this by integrating workflows for incident, policy, supplier, and audit, making updates and sign-offs easy for every stakeholder, not just IT.


What is the “continuous audit” model for NIS 2, and how can automation and ISMS.online turn compliance into resilience?

"Cram-and-hope" audit cycles no longer cut it. Boards, compliance leads, and auditors now expect continuous, automated, real-time visibility over all evidence: policies, SoA, supplier/sector registers, incidents, and sign-offs. ISMS.online answers this by:

  • Offering live dashboards for all policy and asset controls.
  • Automating evidence requests, deadline reminders, update reviews, and escalation notifications.
  • Registering suppliers, incidents, and sign-offs digitally-with accountability logs.
  • Giving exportable dashboards for Board/Audit/Regulator instantly.

Compliance Step | Automation/Visibility | Evidence Logged | Accountable Stakeholder
Policy/SoA update | Dashboard + auto-reminder | Signed log, timestamp | Compliance/Board
Incident review/notification | Escalation chain + workflow | Timed log, closure audit | IT, Legal, DPO
Board approval/audit export | Dashboard export, sign-off | Board minutes, audit log | Board, Compliance Lead
Supplier/sector review | Register + auto-review cycle | Review/proof, assignment log | Procurement, Security, IT

When evidence is live, trust happens daily, not just at audit time. Audit resilience means any stakeholder can see, in real time, who acted and when, with the full chain from incident through board sign-off, sidestepping audit panic and proving trust to both regulators and customers.


How does ISMS.online specifically bridge ISO 27001 and NIS 2, and what makes automation a dual-resilience must?

ISMS.online operationalises both frameworks by making evidence, workflow, and registers live, and regulator- and board-ready at all times:

  • Maps your clauses, supplier/sector evidence, incident logs, and sign-offs for both ISO 27001 and NIS 2, with exportable proof for audits, procurement, or regulators.
  • Drives reminders, auto-logs deadlines, notifications, and compliance reviews so no task waits on memory or manual chasers.
  • Makes board, legal, and ops approval part of the workflow, so compliance is a lived, accountable process.

Expectation | ISMS.online Automation | ISO 27001 / Annex A | NIS 2 Article
Live Policy/SoA Controls | Dashboard, reminders, sign-off | 5.1, 9.3, A.5.1, A.5.3 | Arts. 20, 21
Supplier/Sector Mapping | Register, assignment, reviews | A.5.19–A.5.22 | Art. 21(2)(d), Art. 22
Incident Log & Notification | Workflow, chain, audit export | 6.1.3, A.5.24–A.5.28 | Art. 23
Board Sign-Off/Audit Export | Board dashboard + export | 5.2, 5.3, 9.3 | Arts. 20–21, national law

Bottom line:
Dual compliance becomes an organisational muscle, checked and evidenced in real time rather than guessed at once per year. Board and regulator confidence rises, audit stress falls, and your organisation becomes the trust carrier in the supply chain: fully covered, not just "certified".



Mark Sharron

Mark Sharron leads Search & Generative AI Strategy at ISMS.online. His focus is communicating how ISO 27001, ISO 42001 and SOC 2 work in practice - tying risk to controls, policies and evidence with audit-ready traceability. Mark partners with product and customer teams so this logic is embedded in workflows and web content - helping organisations understand, prove security, privacy and AI governance with confidence.
