Is ISO 27001 Enough for NIS2 Compliance?

No, says the BSI. ISO 27001 is a solid foundation, but scope freedom, risk acceptance, and §32/§38 BSIG duties remain open. How to close the gaps.
No. An ISO 27001 certification alone is not enough for NIS2 compliance. The BSI (Federal Office for Information Security) has clarified this on its official information page about ISO/IEC 27001 in the NIS2 context. The certification is a valuable foundation, but scope freedom, risk acceptance, and statutory duties such as BSI registration, the 24-hour notification deadline, and §38 management board liability remain open. The free NIS2Compass Pre-Check shows you which gaps your organization needs to close.
What does the BSI say about the ISO 27001 question?
No. The BSI states clearly on its official information page: "Eine Zertifizierung nach ISO/IEC 27001 bedeutet nicht automatisch, dass ein Unternehmen NIS-2-konform ist oder sämtliche Anforderungen nach § 30 BSIG erfüllt." (English: "A certification according to ISO/IEC 27001 does not automatically mean that a company is NIS-2 compliant or fulfills all requirements under § 30 BSIG.") In Germany, around 29,500 companies are subject to NIS2, but only about 16,000 are ISO certified. Both numbers overlap only in part.
This position is unambiguous and binding. The BSI has published a dedicated information page, ISO/IEC 27001 im Kontext NIS-2/BSIG, responding to one of the most frequently asked questions from its #nis2know webinars. The page is part of the central BSI NIS-2 information package collection, where the BSI bundles further topic packages for regulated entities. Anyone who treats an ISO certification as automatic compliance proof is arguing against the explicit position of the responsible supervisory authority.
The orders of magnitude make the gap visible. According to the BSI, around 29,500 companies in Germany fall under the NIS2 Umsetzungsgesetz. By comparison, the ISO Survey 2024 lists about 16,000 valid ISO 27001 certificates in the German market. Even if every certified company were subject to NIS2, which is not the case, a substantial gap would remain on a purely numerical basis. In practice, the picture shifts further because many certificates are held by large corporations, IT service providers, or cloud providers that do not match the typical NIS2 target group.
The message is therefore clear: ISO 27001 is a solid foundation, but not a free pass. Certified companies do not start from scratch and have a clear head start over organizations without an ISMS base. However, this lead replaces neither the BSI registration record, nor the notification cascade, nor the personal liability of the management board. This is exactly where NIS2Compass comes in: the Implementation Guide walks ISO-certified companies through closing the remaining gaps in a structured way, without questioning the existing ISMS.
Why does the BSI clearly say no?
The BSI cites two structural reasons: ISO 27001 lets companies define the scope of their ISMS freely and accepts risk acceptance as a legitimate treatment option. The BSIG, on the other hand, requires the implementation of risk management measures across the entire relevant entity operations and demands appropriate, effective, and proportionate measures, with no cherry-picking.
Problem 1: Scope freedom. ISO 27001 lets companies decide for themselves which scope their ISMS covers. A certification can be limited to a single site, a department, or a business unit. A corporate group might certify only its headquarters and leave the production sites out. The NIS2 Directive and the BSIG do not recognize this freedom of choice. On its information page on ISO/IEC 27001 in the NIS-2/BSIG context, the BSI puts it unmistakably: "das BSIG verlangt die Umsetzung der Risikomanagementmaßnahmen für den gesamten relevanten Einrichtungsbetrieb" (English: "the BSIG requires the implementation of risk management measures for the entire relevant entity operations"). Anyone who has certified only parts of their entity does not close a NIS2 gap, they merely shift it.
"Most ISO-certified companies underestimate the scope point. When the certification historically covers only the corporate IT, but the BSIG includes all plants and sites, a gap opens up that cannot be closed with a certificate alone." — Dr. Markus Hartmann, Senior Compliance Consultant at NIS2Compass
Problem 2: Risk acceptance. ISO 27001 allows four risk treatment options: reduction, avoidance, transfer, and acceptance. The BSI clarifies: "ISO/IEC 27001 erlaubt neben Risikoreduktion auch Risikoakzeptanz oder Risikotransfer als zulässige Behandlungsoptionen" (English: "Alongside risk reduction, ISO/IEC 27001 also permits risk acceptance or risk transfer as admissible treatment options"). NIS2 is structured differently. §30 (1) BSIG prescribes ten measure areas that require "angemessene, wirksame und verhältnismäßige technische und organisatorische Maßnahmen" (English: "appropriate, effective, and proportionate technical and organizational measures"). The statement "we accept the risk" is not enough here if the measure area is relevant for the entity. Risk acceptance remains permissible as a methodology, but it does not replace the statutory implementation duty. The BSI also addresses these two points regularly in its #nis2know webinar series.
What does ISO 27001 actually cover for NIS2?
An existing ISO 27001 certification covers around 70 to 80 percent of the ten §30 measure areas in the BSIG. The BSI itself puts it this way: "Sehr wohl aber bildet eine ISO/IEC 27001-Zertifizierung ein gutes Fundament auf dem sich im Sinne der Pflichten nach BSIG aufbauen lässt." (English: "An ISO/IEC 27001 certification does, however, form a good foundation on which to build in terms of the duties under the BSIG.") Certified companies therefore start NIS2 implementation with a clear head start.
In concrete terms, the ISO standard provides four structural building blocks that the BSIG also requires. These structures are not detailed measures but the framework on which all further requirements rest. Companies that have already established them typically save months in NIS2 implementation compared to a greenfield start.
What ISO 27001 covers for NIS2:
- Risk management framework (ISO Chapter 6, Annex A.5): Risk identification, assessment, and treatment are methodically anchored and documented.
- Documented responsibilities and leadership commitment (ISO Chapter 5): The management board takes formal responsibility for the ISMS, roles are named.
- Effectiveness assessment via internal audit and management review (ISO Chapter 9): Established review cycles that regularly verify the implementation of measures.
- Continuous improvement in the PDCA cycle (ISO Chapter 10): Structured corrective and improvement actions are part of standard operations.
- Asset management, access control, and cryptography (ISO Annex A): Central technical safeguards are integrated into the control catalogue.
The concrete coverage of around 70 to 80 percent comes from the openKRITIS NIS2 mapping, which systematically compares the ISO controls with the §30 requirements. You will find a detailed comparison of the ten §30 measures with the ISO controls in NIS2 vs. ISO 27001 — What Is the Difference?.
The message is clear: those who have ISO do not start from scratch, but they are not at the finish line. The remaining 20 to 30 percent concern exactly the NIS2-specific duties that the next section names.
Which NIS2 duties remain open even with an ISO certificate?
Even a valid ISO 27001 certificate does not replace five specific NIS2 duties: the BSI registration duty, the three-stage notification cascade under §32 BSIG, the personal liability of the management board under §38 BSIG, the mandatory training of the management board, and the full and binding implementation of all ten §30 measure areas without cherry-picking.
- BSI registration duty (§33 BSIG): Affected companies had to register with the BSI by March 6, 2026. ISO 27001 does not know this purely national duty, it has no counterpart in the international standard. Anyone who missed the deadline must register late and risks fines. A practical checklist on §30 BSIG shows the concrete approach for late registrants.
- Notification duties under §32 BSIG: §32 BSIG prescribes three fixed notification deadlines that ISO 27001 does not recognize: early warning within 24 hours after becoming aware of a significant security incident, initial report within 72 hours with assessment of the incident, and final report within one month with detailed evaluation. ISO incident management is methodically solid, but it does not know any statutory deadlines. The escalation chain to the BSI must be set up, technically tested, and documented separately.
- Personal liability of the management board (§38 BSIG): §38 BSIG puts it unambiguously: "Geschäftsleitungen, die ihre Pflichten nach Absatz 1 verletzen, haften ihrer Einrichtung für einen schuldhaft verursachten Schaden nach den auf die Rechtsform der Einrichtung anwendbaren Regeln des Gesellschaftsrechts." (English: "Members of management who violate their duties under paragraph 1 are liable to their entity for any culpably caused damage according to the corporate law rules applicable to the legal form of the entity.") ISO 27001 only requires "leadership commitment". A personal civil liability of the management board is not part of the international standard. The overview of NIS2 fines and penalties for violations shows what additional fines can apply.
- Training duty for the management board (§38 (3) BSIG): The law explicitly requires: "Die Geschäftsleitungen besonders wichtiger Einrichtungen und wichtiger Einrichtungen müssen regelmäßig an Schulungen teilnehmen" (English: "The management boards of essential and important entities must participate in training on a regular basis"). ISO 27001 demands general awareness measures for staff but names no training duty for the board or management level. Participation must be documented in a verifiable way.
- Full implementation of all §30 measure areas: §30 BSIG lists ten areas that must be implemented "appropriately, effectively, and proportionately". If an area is relevant for the entity, a risk acceptance under ISO methodology is not enough. Cherry-picking individual measures is incompatible with the BSIG.
Practical case: what does this mean for an ISO-certified SME?
A mid-sized mechanical engineering company with 220 employees has been certified to ISO 27001 since 2022, but only with a scope covering its corporate headquarters in Stuttgart. As an important entity in the "manufacturing" sector (NIS2 Annex II), the NIS2 duties have applied since December 2025 to the entire company, including the two plants in Saxony and Poland.
What the ISO certification provides:
- Risk management methodology is established and documented
- Documentation structures for policies and evidence are in place
- Internal audit and management review run annually
- Responsibilities are clarified, an information security officer (ISB) is named
What is still missing:
- Scope extension to the plants in Saxony and Poland, since the BSIG requires the entire entity operations
- BSI registration under §33 BSIG, which was due in March 2026
- Notification process under §32 BSIG with 24-hour early warning, 72-hour initial report, and final report
- Training plan for the management board under §38 (3) BSIG
- Supplier mapping for the plants, since supply chain security applies entity-wide
The NIS2Compass Pre-Check identifies these gaps in 15 minutes. The Implementation Guide then walks management through the closure in 8 structured chapters. The Template Library delivers ready-made templates for the notification process, training plan, and supplier assessment.
What do ISO-certified companies need to do now in concrete terms?
The BSI recommends five steps for ISO-certified companies: review the scope of the certification against the NIS2 entity definition, conduct a structured gap analysis against §30 BSIG, build the notification process under §32 BSIG, involve the management board under §38 BSIG, and document the bridge between ISO and NIS2 in writing.
- Scope review: Check whether the certified scope covers the entire NIS2-affected entity. If not, extend the scope or build complementary structures outside the certification. This step is the most important strategic decision.
- Structured gap analysis against §30 BSIG: Go through the ten measure areas and check for each whether the ISO implementation covers it appropriately, effectively, and proportionately. The Pre-Check delivers this gap analysis in 18 structured steps.
- Build notification process under §32 BSIG: Define the escalation chain for the 24-hour early warning, 72-hour initial report, and final report after one month. Establish responsibilities and document the BSI notification channels. The Template Library provides ready-made templates for this.
- Involve the management board: §38 BSIG requires the active implementation and supervision of the risk management measures by the management board, as well as regular training. Document the training plan and verify attendance.
- Extend documentation: Which §30 measures are covered through ISO, which are built separately? This bridge must be available in writing and is part of the evidence duty toward the BSI.
The NIS2Compass Guide typically walks ISO-certified companies through the closure of the NIS2-specific gaps in 4 to 6 weeks, compared to 6 to 12 months without an ISMS base. The Knowledge Hub contains further specialist articles on §30 BSIG, ISMS, and management board liability. If you want to dive deeper into the ISMS tool discussion, NIS2 and ISMS: What Your Existing System Does Not Cover offers a complementary perspective on the typical tool gaps.
Frequently Asked Questions
Does an ISO 27001 certification automatically make my company NIS2 compliant?
No. The BSI has officially clarified in its FAQ that an ISO 27001 certification does not replace NIS2 compliance. The standard covers around 70 to 80 percent of the §30 requirements. Specific duties such as BSI registration, the §32 notification cascade, and §38 management board liability must be set up and documented separately.
Does the BSI accept an ISO 27001 certification as proof of NIS2 compliance?
No. The BSI puts it unambiguously: "Eine solche Zertifizierung kann nicht als Nachweis der NIS-2-Konformität betrachtet werden." (English: "Such a certification cannot be considered proof of NIS-2 conformity.") ISO 27001 is recognized as a methodological foundation, not as compliance evidence. In a BSI audit, you must fulfill all NIS2 duties separately and demonstrably, regardless of your certification.
What happens to my ISO scope if I am subject to NIS2?
ISO 27001 allows a deliberate scope limitation to individual sites or business units. The BSIG, however, requires the entire relevant entity operations. If your ISO scope does not cover the complete entity, you must either extend it or close and document the remaining gaps outside the ISMS in a targeted way.
As an ISO-certified company, do I need a separate NIS2 notification process?
Yes. ISO 27001 does require incident management, but it does not recognize statutory notification deadlines. §32 BSIG demands a 24-hour early warning, a 72-hour initial report, and a final report within one month. You must additionally build the escalation chain to the BSI, test it technically, and integrate it into your incident process.
What action steps does the BSI recommend for ISO-certified companies?
The BSI recommends four steps: review the scope of the ISO certification against the NIS2 entity definition, conduct a gap analysis against the ten §30 measure areas, document complementary measures, and separately set up NIS2-specific duties on notification, liability, and training. The NIS2Compass Pre-Check supports you in a structured way with the gap analysis.
Implement NIS2 step by step
NIS2Compass guides you step by step through implementation – with guide, templates and knowledge hub.
Get startedÄhnliche Artikel
The KRITIS Umbrella Act and NIS2: What Applies to Whom?
Since July 2026, around 2,000 KRITIS operators must register in addition to NIS2. Who needs to comply with NIS2, the KRITIS Umbrella Act, or both — sectors, deadlines, and fines explained.
7 Min. Lesezeit
NIS2 ISO 27001 Mapping: Excel Checklist Download
ISO 27001 covers approximately 70% of NIS2 requirements. The mapping Excel shows at a glance what is already covered — and where the regulatory gap remains.
6 Min. Lesezeit
NIS2 BSI Registration: Missed the Deadline — What Now?
The statutory NIS2 registration deadline has expired, but the BSI is granting an extended deadline until 31 July 2026. How to complete your registration in the BSI portal step by step.
9 Min. Lesezeit