Mapping ISO 27001 to the NIS 2 Directive
Use your ISO 27001 ISMS as the implementation pathway for NIS 2 Article 21.
Using ISO 27001 as the NIS 2 implementation pathway
NIS 2 Article 21(2) lists ten measure areas: risk analysis, incident handling, business continuity, supply-chain security, secure acquisition, effectiveness assessment, cyber hygiene and training, cryptography, access control and asset management, and authentication. Most map onto ISO 27001:2022 Annex A themes and clauses 6, 8 and 9, which is why ISO 27001 is widely treated as the practical route to demonstrating Article 21 measures. ISMS Copilot produces an informative crosswalk showing which Annex A controls evidence each Article 21 area, where ISO 27001 stops short, and what NIS 2 adds, notably the Article 23 incident-notification timelines and the Article 20 management-body accountability and training duties. The mapping is an implementation aid, not a legal equivalence: certifying ISO 27001 does not by itself discharge NIS 2 obligations, and whether they are met remains a competent-authority determination.
Frequently Asked Questions
Does ISO 27001 certification make us NIS 2 compliant?
No. ISO 27001 is the most practical implementation pathway for the Article 21(2) measures, but NIS 2 compliance is determined by national competent authorities and adds duties ISO 27001 does not cover, such as Article 23 incident reporting and Article 20 management accountability.
Which NIS 2 obligations sit outside Annex A?
The early-warning and incident-notification deadlines in Article 23 (24-hour, 72-hour, one-month reporting) and the explicit management-body approval, oversight and training requirements in Article 20 have no direct Annex A equivalent. ISMS Copilot flags these as additive work.
Is the crosswalk an official mapping?
It is an informative mapping built from the published texts of ISO 27001:2022 and the NIS 2 Directive. It is not endorsed by ISO, ENISA, or any national authority, and it does not assert one-to-one equivalence between controls and measures.
