NIS2 vs. ISO 27001: What Is the Difference?

ISO 27001 covers about 70% of NIS2 requirements — but not all. Where the gaps are, what §30 BSIG requires, and how companies can combine both.
ISO 27001 covers roughly 70% of NIS2 requirements. The remaining 30% determine whether you face fines up to EUR 10 million. Missing from the ISO standard: incident reporting under §32 BSIG, personal management liability under §38 BSIG, and BSI registration. NIS2 has been in force since December 2025. NIS2Compass shows in the free Pre-Check which gaps exist in your organization.
What Is the Fundamental Difference Between NIS2 and ISO 27001?
NIS2 is a legal obligation for approximately 29,500 companies in Germany. Violations carry fines of up to EUR 10 million. ISO 27001 is a voluntary international standard for information security management systems (ISMS). While NIS2 prescribes what must be implemented, ISO 27001 shows how to build a structured security system.
What Is the Legal Difference?
NIS2 is an EU Directive that was transposed into German national law as the NIS2UmsuCG. The core obligations are set out in §30 BSIG (technical and organizational measures) and §38 BSIG (management duties). These provisions have been in force since December 2025 with no transition period.
ISO 27001 is an international standard published by ISO/IEC. Certification is voluntary and granted by accredited auditing bodies. There is no authority that sanctions violations. Certification does, however, signal a high level of security to customers and partners.
Who Does Each Framework Apply To?
NIS2 applies to companies in 18 defined sectors above certain thresholds: at least 50 employees or more than EUR 10 million in annual revenue. The BSI oversees compliance and can impose fines.
ISO 27001 has no sector or size restrictions. Any organization can pursue certification, from startups to large corporations. Globally, there are over 96,700 ISO 27001 certificates (ISO Survey 2024, published in October 2025). Consolidated certificate counts for Germany are not publicly available, because the German accreditation body DAkkS does not submit its data to the international IAF database. The number of certified organizations is, however, significantly lower than the approximately 29,500 companies that fall under NIS2.
What Happens in Case of Non-Compliance?
The consequences differ fundamentally. Under NIS2, companies face fines of up to EUR 10 million or 2% of global annual revenue. In addition, management is personally liable under §38 BSIG. The BSI can request evidence and conduct on-site inspections.
Under ISO 27001, there are no government-imposed sanctions. In the worst case, a company loses its certification, which can have business consequences if customers or partners require a valid certificate. The standard itself, however, is not legally binding.
The key takeaway: an ISO 27001 certification is a competitive advantage. Compliance with NIS2 is a legal obligation. The two are not mutually exclusive; quite the opposite. How ISO 27001 serves as a foundation for NIS2 compliance is explained in the article "NIS2 in Germany: What Do Companies Need to Know in 2026?".
What Does §30 BSIG Require, and Where Does ISO 27001 Overlap?
§30 BSIG defines ten minimum measures for NIS2 compliance, ranging from risk analysis and incident response to supply chain security. According to the NIS2Compass mapping, an existing ISO 27001 certification already covers approximately 70% of these requirements. The remaining 30% require targeted additions.
The BSI lists ten mandatory risk management measures that every affected company must implement. For organizations with an existing ISO 27001 certification, the critical question is: Which of these measures are already covered, and where do gaps remain?
What Does the Mapping of the Ten Measures Look Like?
The NIS2Compass Knowledge Hub contains a detailed comparison. Here is an overview of all ten measures under §30 BSIG:
- Risk analysis and IT security concepts: covered by ISO 27001 A.5 through A.8. Systematic risk assessment is at the core of every ISMS.
- Incident handling: covered by ISO 27001 A.5.24 through A.5.28. However, ISO 27001 does not include statutory reporting deadlines. This is where §32 BSIG adds specific requirements.
- Business continuity and crisis management: covered by ISO 27001 A.5.29 through A.5.30. Backup concepts and disaster recovery are standard components of an ISMS.
- Supply chain security: partially covered by ISO 27001 A.5.19 through A.5.23. NIS2 goes significantly further: §30 para. 2 no. 4 BSIG requires a cybersecurity assessment of each individual supplier.
- Secure procurement, development, and maintenance: covered by ISO 27001 A.8.25 through A.8.31. Secure Development Lifecycle is embedded in the standard.
- Effectiveness assessment: covered by ISO 27001 Chapter 9. Internal audits and management reviews fulfill this requirement.
- Cyber hygiene and training: partially covered by ISO 27001 A.6.3. NIS2 explicitly requires training for senior management under §38 BSIG, which goes beyond the ISO standard.
- Cryptography and encryption: covered by ISO 27001 A.8.24. Cryptographic controls are an integral part of Annex A.
- Access controls: covered by ISO 27001 A.5.15 through A.5.18 and A.8.2 through A.8.5. Role-based access control is standard practice.
- Multi-factor authentication and secure communication: covered by ISO 27001 A.8.5. The technical implementation depends on the scope of the ISMS.
Where Are the Biggest Gaps?
According to an analysis by OpenKRITIS, the additions concentrate on three areas: supply chain security, incident reporting obligations, and management training. These three areas require additional measures even at certified organizations.
The good news: approximately seven of the ten measures are already solidly covered by a functioning ISMS based on ISO 27001. The remaining gaps are clearly defined and can be closed with manageable effort.
Which NIS2 Requirements Does ISO 27001 Not Cover?
The largest gaps between ISO 27001 and NIS2 lie in incident reporting obligations (24-hour early warning to the BSI), personal management liability under §38 BSIG, and extended supply chain requirements. These three areas require targeted action at every company, regardless of ISO certification status.
Even with a valid ISO 27001 certificate, there are five critical gaps that you need to address specifically:
1. Why Is ISO Incident Management Insufficient for NIS2 Reporting Obligations?
§32 BSIG prescribes a three-stage reporting procedure with fixed deadlines. Within 24 hours of detecting a significant security incident, an early warning must be sent to the BSI. Within 72 hours, an initial report with an assessment of the incident must follow. A detailed final report is due within one month at the latest. ISO 27001 requires a functioning incident management process but does not include statutory reporting deadlines.
2. What Does Personal Management Liability Under §38 BSIG Mean?
Senior management must personally approve risk management measures and oversee their implementation. In case of a breach of these duties, they are liable with their personal assets. For essential entities, fines of up to EUR 10 million or 2% of global annual revenue apply. ISO 27001 only requires "Leadership Commitment." Personal liability of management does not exist in the standard. What financial consequences are at stake is detailed in the overview of NIS2 fines and penalties for violations.
3. What Other NIS2 Obligations Are Missing From ISO 27001?
§38 BSIG requires senior management to participate in cybersecurity training. ISO 27001 only includes general awareness requirements for employees. An explicit training obligation for the management level is absent.
In addition, there are extended supply chain security requirements. NIS2 demands explicit security requirements for direct service providers and suppliers, which must be contractually secured. ISO 27001 Annex A.5.19–A.5.23 addresses supplier relationships but remains considerably more general.
Finally, there is a BSI registration obligation: affected companies were required to register with the BSI by March 6, 2026. According to dpa reporting on the deadline, only about 11,500 out of an estimated 29,500 affected companies had registered by the deadline, a rate of roughly 38%. There is no ISO equivalent for this purely national obligation. According to industry reporting, the BSI has been actively reviewing since May 2026 and had already sent 47 formal notices for missing registration in the fourth quarter of 2025. There are no publicly known fines under the NIS2UmsuCG so far.
Is an ISO 27001 Certification Sufficient for NIS2 Compliance?
No, an ISO 27001 certification alone is not sufficient for NIS2 compliance. It covers approximately 70% of the requirements and provides an excellent foundation. It does not, however, replace statutory obligations such as reporting processes, management liability, and BSI registration. ISO 27001 is a springboard, not a free pass.
Why Is Certification Alone Not Enough?
A common misconception is: "We are certified, so we are NIS2-compliant." But ISO 27001 demonstrates a functioning ISMS, not conformity with the NIS2 transposition law. There are structural differences between the two that cannot be bridged by a certificate alone.
It starts with the scope problem: an ISO certification can be limited to specific locations or business units. NIS2, on the other hand, applies to the entire affected entity, with no exceptions. Then there is the temporal dimension: ISO audits take place periodically, typically annually. NIS2 obligations apply continuously, particularly the 24-hour deadline for the early warning to the BSI.
Where Does an Existing Certification Provide an Advantage?
Despite these gaps, ISO 27001 provides a significant structural head start. Certified organizations already have documented processes, established responsibilities, and a risk management framework in place. These building blocks can be systematically extended to include NIS2-specific requirements.
"In our work with mid-sized companies, we regularly see that an existing ISO 27001 certification significantly accelerates NIS2 implementation, but the reporting processes and the liability question need to be addressed separately," says Dr. Markus Hartmann, Senior Compliance Consultant at NIS2Compass.
Which specific gaps exist between ISO 27001 and NIS2 is explored in the article NIS2 and ISMS: What Your Existing System Doesn't Cover. The NIS2 Guide from NIS2Compass helps you systematically close the remaining requirements, building on what your ISMS already provides.
How Do Companies Use ISO 27001 as a Springboard for NIS2?
An ISO 27001-certified company can close the NIS2 gaps with targeted measures in three areas: establish reporting processes, conduct management training, and add NIS2 clauses to supplier contracts. The NIS2Compass Guide supports this process across 8 chapters and approximately 124 steps.
What Does This Look Like in Practice?
A mid-sized mechanical engineering company with 180 employees has been ISO 27001-certified since 2023. As a company in the NIS2 sector "Manufacturing," additional obligations have applied since December 2025. The ISMS covers many requirements, but not all of them.
The IT manager starts with the NIS2Compass Pre-Check. The gap analysis identifies five specific gaps that the existing ISMS does not cover. This produces a clear action plan.
What Steps Close the Gaps?
- Establish a reporting process: The company implements the three-stage reporting cascade under §32 BSIG. The early warning to the BSI is sent within 24 hours, the initial report within 72 hours, and the final report within one month. The Template Library provides ready-made templates for each reporting step.
- Document management training: Under §38 BSIG, senior management must regularly participate in cybersecurity training. The engineering firm documents training content, attendance, and intervals in an auditable manner.
- Amend supplier contracts: Existing contracts with IT service providers are supplemented with NIS2-specific security clauses, including reporting obligations, minimum security standards, and audit rights.
- Complete BSI registration: The company registers as an affected entity with the BSI. The registration deadline expired on March 6, 2026. Retroactive registration remains mandatory.
What Does the ISMS Foundation Actually Deliver?
The result: all compliance gaps are closed within four to six weeks. Without an existing ISMS foundation, the same process typically takes six to twelve months. The existing structures, including risk management, access controls, and documentation, provide a solid foundation.
According to Capgemini, ISO 27001 alone is no longer sufficient to fully meet NIS2 requirements. But as a springboard, certification significantly shortens the path to NIS2 compliance.
What Does This Mean for Companies Without ISO 27001?
Companies without an ISMS are not starting from zero with NIS2, but the effort is considerably higher. According to the Bitkom study "Wirtschaftsschutz 2025", only around 50% of German companies consider themselves sufficiently prepared against cyberattacks, so the need for a structured NIS2 implementation is high across all sectors. The good news: NIS2 does not require ISO 27001 certification. The ten measures of §30 BSIG can also be implemented without a formal ISMS, provided a structured guide and appropriate templates are in place.
Does NIS2 Prescribe a Specific Framework?
No. The NIS2 transposition law does not reference any specific standard as mandatory. §30 BSIG defines ten areas of measures. How companies implement them is left to their discretion. ISO 27001 is a recognized approach, but not the only one.
BSI IT-Grundschutz also provides a solid foundation. Many German SMEs are already familiar with the framework from other regulatory requirements. Both paths lead to NIS2 conformity. What matters is consistent implementation.
Is ISO 27001 Certification Worth It for SMEs?
An initial ISO 27001 certification typically costs SMEs EUR 15,000–50,000. On top of that come annual surveillance audits and internal resources for maintaining the ISMS. For companies that need to meet customer requirements for a certified ISMS, the investment makes sense.
For many SMEs, a more pragmatic approach is more efficient: directly implement the ten §30 measures without the detour of a full certification. The NIS2 Implementation Guide from NIS2Compass supports companies through this process in 8 chapters and approximately 124 steps, including ready-made templates for policies, risk analyses, and documentation. A detailed cost comparison between consulting and self-implementation outlines the financial differences.
Where Should You Start Without an ISMS?
The first step is to determine whether you are affected at all. Not every company falls under the NIS2 transposition law. The article Am I Affected by NIS2? explains the criteria: company size, revenue, and sector affiliation.
Once you have confirmed that you are affected, the BSI recommends a gap analysis as the starting point. The Pre-Check from NIS2Compass delivers an initial assessment within minutes. From there, you get an individual implementation plan tailored to what is already in place and what still needs to be done.
Frequently Asked Questions
Does an ISO 27001 Certification Automatically Make Me NIS2-Compliant?
No. An ISO 27001 certification covers approximately 70% of NIS2 requirements. However, reporting obligations with statutory deadlines (§32 BSIG), personal management liability (§38 BSIG), and BSI registration must be implemented separately.
Do I Need ISO 27001 to Comply With NIS2?
No. NIS2 does not prescribe a specific framework. The ten measures of §30 BSIG can be implemented without ISO 27001 certification, for example using BSI IT-Grundschutz or a structured guide like the NIS2 Guide from NIS2Compass.
Which NIS2 Obligations Are Completely Missing From ISO 27001?
Three areas are entirely absent: the statutory reporting deadlines to the BSI (24-hour early warning, 72-hour initial report, one-month final report), personal management liability under §38 BSIG, and the BSI registration obligation.
How Long Does NIS2 Implementation Take With Existing ISO 27001?
With an existing ISO 27001 certification, the NIS2-specific gaps can typically be closed in 4–6 weeks. Without an ISMS foundation, companies should plan for 6–12 months for full implementation.
Is ISO 27001 Certification Worth It Solely for NIS2?
Not necessarily. If NIS2 compliance is the only goal, the direct implementation path via the §30 measures often leads to results faster and more cost-effectively. ISO 27001 is additionally worthwhile if customer requirements, tenders, or long-term ISMS maturity are objectives.