NIS2 and ISO 27001: What is mandatory and what makes sense?

Apr 30, 2026

Whenever NIS2 is discussed these days, the term ISO 27001 inevitably comes up as well. Many companies are therefore wondering whether the new requirements automatically oblige them to implement a corresponding management system.

ISO 27001 is an internationally recognized standard for an information security management system (ISMS). Put simply, the standard describes how companies can proactively protect their data and systems—such as IT infrastructure and networks. At the same time, it defines how processes related to information security are documented, monitored, and continuously improved.

First things first: Anyone looking in the NIS2 Directive for an explicit requirement to implement an ISMS will not find such a statement.

Instead, NIS2 requires companies to establish structured risk management, implement appropriate technical and organizational measures, and define clear responsibilities. The real challenge, therefore, is not whether an ISMS must be introduced, but how the NIS2 requirements can be implemented in a structured, sustainable, and traceable way.

This is exactly where ISO 27001 comes into play. The standard provides a well-established framework for systematically structuring, documenting, and—most importantly—demonstrating compliance with NIS2 requirements, whether to management, authorities, or internal stakeholders.

In practice, the value of such an approach becomes particularly evident when it comes to structured process documentation and the implementation of security measures. Companies are compelled to thoroughly examine their existing infrastructure. This often reveals vulnerabilities that were previously unnoticed. For example, during asset inventory processes, systems or software may be identified that are no longer needed but are still in operation or remain unpatched, thus posing a security risk. It is also common for maintenance contracts to continue for years even though the associated software is no longer in use. Especially in larger organizations, this increased transparency can uncover significant cost-saving potential.

Another key advantage of an ISMS is its auditability. In practice, a fundamental issue frequently arises: security measures may exist, but they are not sufficiently documented. In the event of an incident, this makes it difficult for companies to prove which measures were actually implemented. In the context of NIS2, this aspect becomes even more critical, as authorities will assess whether appropriate measures were in place and how they were implemented. A common principle applies here: what is not documented is considered not implemented.

An ISMS creates structure and simplifies the documentation of the IT landscape

Conclusion: There is no legal obligation under NIS2 to implement ISO 27001. However, the standard is a proven and practical approach to implementing the required measures in a structured way and making them verifiable. Ultimately, it is not the certification itself that matters most, but how consistently the requirements are embedded in the organization. A management system only delivers value if it is supported by top management and actively applied by employees in their daily work.
