Guide
Is ISO 27001 Enough for NIS2 Compliance?
10 min read · NIS2Compass Team
No, says the BSI. ISO 27001 is a solid foundation for NIS2, but scope freedom, risk acceptance, and §32/§38 BSIG duties remain open. How to close the gaps.
No. An ISO 27001 certification alone is not enough for NIS2 compliance. The BSI (Federal Office for Information Security) has clarified this on its official information page about ISO/IEC 27001 in the NIS2 context. The certification is a valuable foundation, but scope freedom, risk acceptance, and statutory duties such as BSI registration, the 24-hour notification deadline, and §38 management board liability remain open. The free NIS2Compass Pre-Check shows you which gaps your organization needs to close.
No. The BSI states clearly on its official information page: "Eine Zertifizierung nach ISO/IEC 27001 bedeutet nicht automatisch, dass ein Unternehmen NIS-2-konform ist oder sämtliche Anforderungen nach § 30 BSIG erfüllt." (English: "A certification according to ISO/IEC 27001 does not automatically mean that a company is NIS-2 compliant or fulfills all requirements under § 30 BSIG.") In Germany, around 29,500 companies are subject to NIS2, but only about 16,000 are ISO certified. Both numbers overlap only in part.
This position is unambiguous and comes from the competent supervisory authority. The BSI has published a dedicated information page, ISO/IEC 27001 im Kontext NIS-2/BSIG, in response to one of the most frequently asked questions from its #nis2know webinars. Anyone who treats an ISO certification as automatic proof of compliance is arguing against the explicit position of the authority that will supervise them.
The orders of magnitude make the gap visible. According to the BSI, around 29,500 companies in Germany fall under the NIS2 Umsetzungsgesetz. By comparison, the ISO Survey 2024 lists about in the German market. Even if every certified company were subject to NIS2, which is not the case, a substantial gap would remain on a purely numerical basis. In practice, the picture shifts further because many certificates are held by large corporations, IT service providers, or cloud providers that do not match the typical NIS2 target group.
The message is therefore clear: ISO 27001 is a solid foundation, but not a free pass. Certified companies do not start from scratch and have a clear head start over organizations without an ISMS base. However, this lead replaces neither the BSI registration, nor the notification cascade, nor the personal liability of the management board. This is exactly where NIS2Compass comes in: the Implementation Guide walks ISO-certified companies through closing the remaining gaps in a structured way, without questioning the existing ISMS.
The BSI cites two structural reasons: ISO 27001 lets companies define the scope of their ISMS freely, and it treats risk acceptance as a legitimate risk treatment option. The BSIG, on the other hand, requires risk management measures to be implemented across the entire relevant entity operations and demands appropriate, effective, and proportionate measures, with no cherry-picking.
Problem 1: Scope freedom. ISO 27001 lets companies decide for themselves which scope their ISMS covers. A certification can be limited to a single site, a department, or a business unit. A corporate group might certify only its headquarters and leave the production sites out. The NIS2 Directive and the BSIG do not recognize this freedom of choice. On its information page on ISO/IEC 27001 in the NIS-2/BSIG context, the BSI puts it unmistakably: "das BSIG verlangt die Umsetzung der Risikomanagementmaßnahmen für den gesamten relevanten Einrichtungsbetrieb" (English: "the BSIG requires the implementation of risk management measures for the entire relevant entity operations"). Anyone who has certified only parts of their entity does not close a NIS2 gap; they merely shift it.
"Most ISO-certified companies underestimate the scope point. When the certification historically covers only the corporate IT, but the BSIG includes all plants and sites, a gap opens up that cannot be closed with a certificate alone." — Dr. Markus Hartmann, Senior Compliance Consultant at NIS2Compass
Problem 2: Risk acceptance. ISO 27001 allows four risk treatment options: reduction, avoidance, transfer, and acceptance. The BSI clarifies: "ISO/IEC 27001 erlaubt neben Risikoreduktion auch Risikoakzeptanz oder Risikotransfer als zulässige Behandlungsoptionen" (English: "Alongside risk reduction, ISO/IEC 27001 also permits risk acceptance or risk transfer as admissible treatment options"). NIS2 is structured differently. §30 BSIG prescribes ten measure areas and requires "angemessene, wirksame und verhältnismäßige technische und organisatorische Maßnahmen" (English: "appropriate, effective, and proportionate technical and organizational measures"). The statement "we accept the risk" is not enough here if the measure area is relevant for the entity. Risk acceptance remains permissible as a methodology, but it does not replace the statutory implementation duty. The BSI also addresses these two points regularly in its #nis2know webinar series.
An existing ISO 27001 certification covers around 70 to 80 percent of the ten §30 measure areas in the BSIG. The BSI itself puts it this way: "Sehr wohl aber bildet eine ISO/IEC 27001-Zertifizierung ein gutes Fundament auf dem sich im Sinne der Pflichten nach BSIG aufbauen lässt." (English: "An ISO/IEC 27001 certification does, however, form a good foundation on which to build in terms of the duties under the BSIG.") Certified companies therefore start NIS2 implementation with a clear head start.
In concrete terms, the ISO standard provides four structural building blocks that the BSIG also requires. These structures are not detailed measures but the framework on which all further requirements rest. Companies that have already established them typically save months in NIS2 implementation compared to a greenfield start.
What ISO 27001 covers for NIS2:
Risk management framework (ISO clauses 6.1, 8.2 and 8.3): Risk identification, assessment, and treatment are methodically anchored and documented.
Documented responsibilities and leadership commitment (ISO clause 5): The management board takes formal responsibility for the ISMS, and roles are named.
Effectiveness assessment via internal audit and management review (ISO clause 9): Established review cycles regularly verify the implementation of measures.
Continuous improvement in the PDCA cycle (ISO clause 10): Structured corrective and improvement actions are part of standard operations.
Asset management, access control, and cryptography (ISO Annex A): Central technical safeguards are integrated into the control catalogue.
The concrete coverage of around 70 to 80 percent comes from the openKRITIS NIS2 mapping, which systematically compares the ISO controls with the §30 requirements. You will find a detailed comparison of the ten §30 measures with the ISO controls in NIS2 vs. ISO 27001 — What Is the Difference?.
The message is clear: those who have ISO do not start from scratch, but they are not at the finish line. The remaining 20 to 30 percent concern exactly the NIS2-specific duties that the next section names.
Even a valid ISO 27001 certificate does not replace five specific NIS2 duties: the BSI registration duty, the three-stage notification cascade under §32 BSIG, the personal liability of the management board under §38 BSIG, the mandatory training of the management board, and the full and binding implementation of all ten §30 measure areas without cherry-picking.
BSI registration duty (§33 BSIG): Affected companies had to register with the BSI by March 6, 2026. This purely national duty has no counterpart in the international standard, so ISO 27001 says nothing about it. Anyone who missed the deadline must register late and risks fines. A practical checklist on §30 BSIG shows the concrete approach for late registrants.
Notification duties under §32 BSIG: §32 BSIG prescribes three fixed notification deadlines that ISO 27001 does not recognize:
- 24 hours: Early warning to the BSI after becoming aware of a significant security incident
- 72 hours: Initial report with assessment of the incident
- 1 month: Final report with detailed evaluation
ISO 27001 incident management is methodically solid, but the standard sets no statutory deadlines. The escalation chain to the BSI must be set up, technically tested, and documented separately.
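To make the cascade testable rather than just documented, it helps to have the three deadlines computed from the moment of awareness and checked against the timestamps of the reports actually sent. The following is an added example, not code from the NIS2Compass site or from the BSI; it assumes that all three windows are counted from the time the entity becomes aware of the incident and that "one month" is a calendar month with month-end clamping (31 January rolls to 28 or 29 February). Those assumptions are not stated on this page and must be checked against the statute and BSI guidance before the logic is used in a real incident process.

```python
"""Added example: deadline tracker for the §32 BSIG notification cascade.

Assumptions (not taken from this page):
- the 24 h and 72 h windows start when the entity becomes aware of the incident;
- the final report is due one calendar month after awareness, clamped to
  the last day of the following month (31 Jan -> 28/29 Feb).
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Stage:
    name: str
    deadline: datetime


def add_calendar_month(ts: datetime) -> datetime:
    """Return ts shifted one calendar month, clamping the day to month end."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def cascade_deadlines(aware_at: datetime) -> list[Stage]:
    """Compute the three §32 deadlines from the moment of awareness."""
    if aware_at.tzinfo is None:
        raise ValueError("use a timezone-aware timestamp for audit evidence")
    return [
        Stage("early_warning", aware_at + timedelta(hours=24)),
        Stage("initial_report", aware_at + timedelta(hours=72)),
        Stage("final_report", add_calendar_month(aware_at)),
    ]


def evaluate(
    aware_at: datetime, submitted: dict[str, datetime | None], now: datetime
) -> dict[str, str]:
    """Per-stage status: on_time, late, missing (deadline passed) or open."""
    result: dict[str, str] = {}
    for stage in cascade_deadlines(aware_at):
        sent = submitted.get(stage.name)
        if sent is not None:
            result[stage.name] = "on_time" if sent <= stage.deadline else "late"
        elif now > stage.deadline:
            result[stage.name] = "missing"
        else:
            result[stage.name] = "open"
    return result


# Constructed sample incident (not a real case): awareness on 31 Jan 2026,
# early warning sent after 20 h, initial report after 80 h, final report pending.
AWARE_AT = datetime(2026, 1, 31, 10, 0, tzinfo=timezone.utc)
SUBMITTED = {
    "early_warning": AWARE_AT + timedelta(hours=20),
    "initial_report": AWARE_AT + timedelta(hours=80),
    "final_report": None,
}


def demo_status() -> dict[str, str]:
    """Evaluate the constructed sample five days after awareness."""
    return evaluate(AWARE_AT, SUBMITTED, now=AWARE_AT + timedelta(days=5))


def demo_final_deadline() -> str:
    """ISO 8601 final-report deadline for the sample (month-end clamped)."""
    return cascade_deadlines(AWARE_AT)[2].deadline.isoformat()


if __name__ == "__main__":
    for stage in cascade_deadlines(AWARE_AT):
        print(f"{stage.name:15} due {stage.deadline.isoformat()}")
    print(demo_status())
```

Run as a script it lists the three deadlines for the sample and flags the 80-hour initial report as late while the final report is still open; the same functions can be called from an incident-response runbook test so that the escalation chain is exercised, not only described.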
Personal liability of the management board (§38 BSIG): §38 BSIG puts it unambiguously: "Geschäftsleitungen, die ihre Pflichten nach Absatz 1 verletzen, haften ihrer Einrichtung für einen schuldhaft verursachten Schaden nach den auf die Rechtsform der Einrichtung anwendbaren Regeln des Gesellschaftsrechts." (English: "Members of management who violate their duties under paragraph 1 are liable to their entity for any culpably caused damage according to the corporate law rules applicable to the legal form of the entity.") ISO 27001 only requires "leadership commitment". A personal civil liability of the management board is not part of the international standard. The overview of NIS2 fines and penalties for violations shows what additional fines can apply.
Training duty for the management board (§38 (3) BSIG): The law explicitly requires: "Die Geschäftsleitungen besonders wichtiger Einrichtungen und wichtiger Einrichtungen müssen regelmäßig an Schulungen teilnehmen" (English: "The management boards of essential and important entities must participate in training on a regular basis"). ISO 27001 demands general awareness measures for staff but names no training duty for the board or management level. Participation must be documented in a verifiable way.
Full implementation of all §30 measure areas: §30 BSIG lists ten areas that must be implemented "appropriately, effectively, and proportionately". If an area is relevant for the entity, a risk acceptance under ISO methodology is not enough. Cherry-picking individual measures is incompatible with the BSIG.
A mid-sized mechanical engineering company with 220 employees has been certified to ISO 27001 since 2022, but only with a scope covering its corporate headquarters in Stuttgart. As an important entity in the "manufacturing" sector (NIS2 Annex II), the NIS2 duties have applied since December 2025 to the entire company, including the two plants in Saxony and Poland.
What the ISO certification provides:
Risk management methodology is established and documented
Documentation structures for policies and evidence are in place
Internal audit and management review run annually
Responsibilities are clarified, an information security officer (ISB) is named
What is still missing:
Scope extension to the plants in Saxony and Poland, since the BSIG requires the entire entity operations
BSI registration under §33 BSIG, which was due in March 2026
Notification process under §32 BSIG with 24-hour early warning, 72-hour initial report, and final report
Training plan for the management board under §38 (3) BSIG
Supplier mapping for the plants, since supply chain security applies entity-wide
The NIS2Compass Pre-Check identifies these gaps in 15 minutes. The Implementation Guide then walks management through the closure in 8 structured chapters. The Template Library delivers ready-made templates for the notification process, training plan, and supplier assessment.
The BSI recommends five steps for ISO-certified companies: review the scope of the certification against the NIS2 entity definition, conduct a structured gap analysis against §30 BSIG, build the notification process under §32 BSIG, involve the management board under §38 BSIG, and document the bridge between ISO and NIS2 in writing.
Scope review: Check whether the certified scope covers the entire NIS2-affected entity. If not, extend the scope or build complementary structures outside the certification. This step is the most important strategic decision.
Structured gap analysis against §30 BSIG: Go through the ten measure areas and check for each whether the ISO implementation covers it appropriately, effectively, and proportionately. The Pre-Check delivers this gap analysis in 18 structured steps.
Build notification process under §32 BSIG: Define the escalation chain for the 24-hour early warning, 72-hour initial report, and final report after one month. Establish responsibilities and document the BSI notification channels. The Template Library provides ready-made templates for this.
Involve the management board: §38 BSIG requires the active implementation and supervision of the risk management measures by the management board, as well as regular training. Document the training plan and verify attendance.
Extend documentation: Which §30 measures are covered through ISO, which are built separately? This bridge must be available in writing and is part of the evidence duty toward the BSI.
The NIS2Compass Guide typically walks ISO-certified companies through the closure of the NIS2-specific gaps in 4 to 6 weeks, compared to 6 to 12 months without an ISMS base. The Knowledge Hub contains further specialist articles on §30 BSIG, ISMS, and management board liability. If you want to dive deeper into the ISMS tool discussion, NIS2 and ISMS: What Your Existing System Does Not Cover offers a complementary perspective on the typical tool gaps.
No. The BSI has officially clarified in its FAQ that an ISO 27001 certification does not replace NIS2 compliance. The standard covers around 70 to 80 percent of the §30 requirements. Specific duties such as BSI registration, the §32 notification cascade, and §38 management board liability must be set up and documented separately.
No. The BSI puts it unambiguously: "Eine solche Zertifizierung kann nicht als Nachweis der NIS-2-Konformität betrachtet werden." (English: "Such a certification cannot be considered proof of NIS-2 conformity.") ISO 27001 is recognized as a methodological foundation, not as compliance evidence. In a BSI audit, you must fulfill all NIS2 duties separately and demonstrably, regardless of your certification.
ISO 27001 allows a deliberate scope limitation to individual sites or business units. The BSIG, however, requires the entire relevant entity operations. If your ISO scope does not cover the complete entity, you must either extend it or close and document the remaining gaps outside the ISMS in a targeted way.
Yes. ISO 27001 does require incident management, but it does not recognize statutory notification deadlines. §32 BSIG demands a 24-hour early warning, a 72-hour initial report, and a final report within one month. You must additionally build the escalation chain to the BSI, test it technically, and integrate it into your incident process.
The BSI recommends five steps: review the scope of the ISO certification against the NIS2 entity definition, conduct a gap analysis against the ten §30 measure areas, build the §32 notification process, involve and train the management board under §38, and document in writing which §30 measures are covered by ISO and which are built separately. The NIS2Compass Pre-Check supports you in a structured way with the gap analysis.