nexalign

ISO 27001 vs NIS2 Mapping 2026: Where Controls Align and Where Gaps Remain

One of the most common 2026 questions: "We are ISO 27001 certified, does that make us NIS2 compliant?" The short answer: ISO 27001 is a strong foundation but not a one-to-one substitute. NIS2 additionally requires management-body duties (Art. 20), a supply-chain strategy and notification obligations that ISO 27001 does not explicitly impose. Here is a pragmatic mapping.

Aligned areas

NIS2 Art. 21(2)(a) risk management: ISO 27001 clause 6.1.2 plus Annex A 5.7 covers this fully.

NIS2 Art. 21(2)(b) incident handling: ISO 27001 Annex A 5.24-5.28 covers detection, response and lessons learned. What is missing: the NIS2-specific 24h/72h/one-month deadlines, which must be added at the process layer.

NIS2 Art. 21(2)(c) business continuity: ISO 27001 Annex A 5.29-5.30 plus the recommendation to align with ISO 22301 covers this well.

NIS2 Art. 21(2)(e) security in network and information systems acquisition, development and maintenance: ISO 27001 Annex A 8.20-8.23 aligns.

NIS2 Art. 21(2)(g) cyber hygiene + training: ISO 27001 Annex A 6.3 is the baseline.

NIS2 Art. 21(2)(h) cryptography: ISO 27001 Annex A 8.24 aligns.

NIS2 Art. 21(2)(i) personnel security + asset management: ISO 27001 Annex A 6.x + 5.9-5.14 covers this.

NIS2 Art. 21(2)(j) MFA + encryption + voice/video: ISO 27001 Annex A 8.5 + 8.24 covers the MFA requirement.

Where NIS2 demands structurally more

Art. 20 management body duties: ISO 27001 requires top management commitment in clause 5, but NIS2 goes further: specific training duties for the leadership body, documented approval of measures via a resolution record, and personal liability. This must sit as a separate governance layer above the ISMS.

Art. 21(2)(d) supply chain security: ISO 27001 Annex A 5.19-5.23 aligns at the relationship layer, but NIS2 explicitly requires that supplier security maturity be assessed and that results land in contract clauses. The NIS2 supplier assessment is deeper than the typical ISO 27001 vendor assessment.

Art. 21(2)(f) effectiveness evaluation of measures: ISO 27001 has clause 9 (performance evaluation, internal audit, management review), but NIS2 additionally requires evaluation against objective effectiveness criteria (e.g. mean time to detect, backup restore test outcomes).

Art. 23 notification duties: ISO 27001 requires incident reporting internally but not to the supervisor. The NIS2 cascade (24h/72h/one-month) is genuinely new and must be built as its own process with its own ownership.

Art. 24 third-party conformity assessment: NIS2 can require that measures be assessed by an independent body (in Germany via BSI competence centres). ISO 27001 does not have the same format.

Where ISO 27001 demands structurally more

Statement of Applicability (SoA): ISO 27001 forces formal justification of which Annex A control is activated or excluded. NIS2 has no equivalent.

Risk assessment methodology and acceptance criteria (ISO 27001 clauses 6.1.2 and 6.1.3): NIS2 implies but does not prescribe a method.

Continual improvement (clause 10): NIS2 implies via effectiveness evaluation, but ISO 27001 makes Plan-Do-Check-Act explicit.

Practical consequences

An ISO 27001 certified organisation has 70-80% of NIS2 Art. 21 duties operationally in place. Critical gaps are usually: Art. 20 (governance), Art. 21(2)(d) deep supply chain, Art. 23 (notification cascade), and the effectiveness-measurement discipline.

Pragmatic add-on effort: 6-9 months, mainly for governance setup, supply chain deepening and notification-process testing.

Strategic question: keep ISO 27001 as the foundation and add NIS2 as a governance layer on top, or run a parallel NIS2 special programme? In most cases the layered variant is more efficient.

Gap analysis template

Column 1: NIS2 Art. 20-23 duties (10 minimum measures plus governance).

Column 2: mapping to ISO 27001 clause + Annex A control.

Column 3: implementation status (full / partial / none).

Column 4: evidence (document, audit finding, self-declaration).

Column 5: identified gap + measure + due date.

Column 6: accountable role + stakeholder sign-off.

This table is the actual memo the supervisor expects to see in an audit.

What DecisionOS does

The gap analysis itself is a structured decision about priority, time, budget and risk acceptance per identified gap. DecisionOS produces this as an audit-ready memo: per gap a compact justification with stakeholder alignment (CISO, ISMS officer, management body) and a readiness score signalling the ISO 27001 + NIS2 overall maturity.