
NIS2 vs ISO 27001: not alternatives — complementary frameworks with different functions

Comparison between the NIS2 Directive and ISO 27001 certification in 2026: what each covers, where they overlap, sanctions and why they are complementary frameworks for companies operating in Spain.

NIS2 (EU Directive 2022/2555)

Advantages

  • Mandatory legal compliance: Spain's transposition will impose binding requirements with direct sanctions for essential and important entities
  • Harmonised EU-wide framework: simplifies alignment of multinational groups under a single security policy reference
  • Standardised mandatory incident notification protocol: 24-hour early warning, 72-hour notification, 30-day final report to the competent authority
  • Explicit supply chain coverage: requires assessment and management of security risks from critical suppliers and third parties
  • Personal liability of management: governing bodies must approve and supervise cybersecurity measures — creates genuine executive accountability

Disadvantages

  • Sanctions of up to EUR 10 million or 2% of global annual turnover for essential entities — up to EUR 7 million or 1.4% for important entities
  • Scope still being defined: Spain's transposition may modify entity thresholds and specific requirements
  • Not a certification: NIS2 compliance generates no externally verifiable mark that clients or commercial partners can independently check
  • Concentrated on critical sectors (energy, transport, health, water, digital) — for other companies, practical application is less direct
  • Governance obligation: management liability requirements demand specific training for board members and executives, which can face internal resistance

ISO 27001:2022

Advantages

  • Internationally recognised certification: verifiable by clients, partners, banks and auditors as evidence of information security maturity
  • Flexible scope: the company defines the certification boundary around its critical assets, systems and processes
  • Market differentiator: in public tenders and contracts with large corporations, ISO 27001 certification is increasingly a selection criterion or scoring preference
  • Voluntary but demonstrates due diligence: in the event of an incident, an ISO 27001-certified ISMS is the strongest defence against third-party claims or regulatory scrutiny
  • Comprehensive control structure: Annex A of ISO 27001:2022 covers 93 controls across four domains that include the majority of NIS2's technical requirements
  • Foundation for other compliance frameworks: ISO 27001 policies, procedures and controls are directly reusable for GDPR, ENS, SOC 2 and other regulatory frameworks

Disadvantages

  • Certification cost of EUR 15,000-40,000 for a first certification in a mid-sized company (implementation consulting + accredited certification audit)
  • Annual surveillance audits and triennial renewal: maintenance costs approximately EUR 5,000-15,000 per year
  • Does not automatically equal NIS2 compliance: ISO 27001 covers approximately 70% of NIS2's technical controls but omits incident notification to the authority, supply chain governance and personal management liability
  • Risk of superficial certification: an ISO 27001 obtained through minimal implementation can be a badge without meaningful security improvement

Our verdict

NIS2 and ISO 27001 are not alternatives — they are complementary with distinct functions. ISO 27001 provides the management system (the technical and organisational controls) and the externally verifiable certification. NIS2 adds incident notification obligations, supply chain governance and personal liability of senior management. The optimal strategy is to implement ISO 27001 first as the foundation — it covers approximately 70% of NIS2's technical requirements — and then layer the specific NIS2 obligations on top. Companies that achieve ISO 27001 and then ignore NIS2 will have excellent security posture but will be sanctioned for legal non-compliance.

Two frameworks that people wrongly treat as alternatives

One of the most frequent questions we receive in cybersecurity engagements is: “We need to comply with NIS2 — should we get ISO 27001 certified or go directly to NIS2?”

The question contains a flawed premise. NIS2 and ISO 27001 are not alternatives to choose between: they have different natures, different objectives and complement each other in a specific way. Treating them as alternatives is one of the most expensive mistakes a company can make in its cybersecurity strategy.


Definitions: what each actually is

ISO 27001 is a voluntary international standard that specifies requirements for establishing, implementing, maintaining and continually improving an Information Security Management System (ISMS). It is a private certification issued by accredited bodies. Annex A of ISO 27001:2022 lists 93 controls across four domains: organisational, people, physical and technological.

NIS2 (EU Directive 2022/2555) is a legally binding norm for essential and important entities operating in critical sectors of the EU. It does not generate a certification — it generates legal obligations with administrative sanctions for non-compliance.


The overlap map

Area                                   | ISO 27001               | NIS2
---------------------------------------|-------------------------|-----------------------------------------
Risk management                        | Yes (Clause 6)          | Yes (Article 21)
Access control and authentication      | Yes (A.5, A.8)          | Yes (Article 21.2.j)
Incident management                    | Yes (A.5.24-26)         | Yes + legal timelines (Article 23)
Business continuity                    | Yes (A.5.29-30)         | Yes (Article 21.2.c)
Supply chain security                  | Partial (A.5.19-22)     | Mandatory and detailed (Article 21.2.d)
Cryptography                           | Yes (A.8.24)            | Yes (Article 21.2.h)
Senior management training             | No                      | Mandatory (Article 20)
Notification to competent authority    | No                      | Mandatory (24h / 72h / 30 days)
Personal liability of board members    | No                      | Yes (Article 20.4)
Externally verifiable certification    | Yes                     | No

ISO 27001 covers approximately 70% of NIS2’s technical controls. The three fundamental gaps — incident notification, senior management governance and personal liability — are not covered by ISO 27001 and require specific additional measures.


The optimal implementation strategy

Phase 1: ISO 27001 as foundation (months 1-18)

Implement the full ISMS, obtain certification and stabilise controls. This covers the majority of NIS2’s technical requirements and generates the market-verifiable certification.

Phase 2: NIS2 gap analysis on top of ISO 27001 (month 12)

Once the ISMS is operational, conduct a specific NIS2 gap analysis: identify requirements that ISO 27001 does not cover (notification, governance, specific supply chain) and design the implementation plan for the gaps.

Phase 3: NIS2 layer on the ISO 27001 foundation (months 15-24)

Implement NIS2-specific requirements: incident notification protocols to the competent authority, board training programme, security clauses in critical supplier contracts, and update the incident registry with NIS2 legal timelines.

This sequential approach is more efficient than attempting to implement both frameworks in parallel, and generates compliance evidence faster (ISO 27001 certification as the first visible milestone).


The cost of doing nothing

NIS2 sanctions are the highest in the history of European cybersecurity regulation:

  • Essential entities: up to EUR 10 million or 2% of global annual turnover (whichever is higher)
  • Important entities: up to EUR 7 million or 1.4% of global annual turnover

On top of sanctions, NIS2 allows member states to impose direct penalties on governing body members of essential entities for systemic non-compliance. Spain has room to implement this provision in its transposition.

The cost of ISO 27001 certification plus a NIS2 layer — typically EUR 30,000-70,000 in total for a mid-sized company — is a fraction of any of these sanction scenarios.

Frequently asked questions

NIS2 distinguishes between essential entities and important entities. Essential entities include operators in critical sectors with more than 250 employees or EUR 50 million in turnover: energy (electricity, gas, oil, heating), transport (air, rail, maritime, road), banking and financial market infrastructure, healthcare, drinking water and waste water, digital infrastructure (IXPs, DNS providers, domain name registries, cloud service providers, CDNs, data centres) and public administration. Important entities include postal services, waste management, manufacturing of critical products (pharmaceutical, medical, chemical, electronic) and digital providers (search engines, social networking platforms, online marketplaces) with 50-250 employees or EUR 10-50 million in turnover. Spain's transposition may extend these thresholds.

The complete process from implementation start to certification audit typically takes 9-18 months for a mid-sized company. The phases are: initial gap analysis (1-2 months), ISMS design and implementation (4-8 months), system operation and measurement (3-6 months, generating the evidence required for the audit) and Stage 1 + Stage 2 audit by an accredited certification body (2-3 months). Factors that extend the timeline include a complex certification scope, cultural resistance to procedural change and the availability of key personnel for audit interviews.

The three main gaps between ISO 27001 and NIS2 are: first, incident notification: NIS2 imposes strict timelines (24 hours / 72 hours / 30 days) for notification to the competent authority and specific procedures that ISO 27001 does not prescribe; second, supply chain: NIS2 goes further than ISO 27001 in requiring the assessment of critical suppliers and mandatory security clauses in contracts; and third, governance: NIS2 requires specific cybersecurity training for governing body members and establishes direct personal liability for board members, which falls outside ISO 27001's scope. A specific NIS2 gap analysis performed on an existing ISO 27001 ISMS typically identifies 15-30 additional requirements to implement.

The National Security Framework (Esquema Nacional de Seguridad, ENS) is the cybersecurity reference framework for Spanish public sector entities and their technology suppliers. A private company providing IT services to the Spanish public administration needs ENS compliance for the scope of that service. Its relationship with ISO 27001 and NIS2 involves partial overlap: all three share common technical controls (access control, vulnerability management, continuity) but each has its own specific requirements. For companies that supply the public sector and operate in NIS2 sectors, the most efficient path is ISO 27001 certification first, followed by gap analysis audits for ENS and NIS2 built on that foundation.

Yes, in two practical ways. First, as a commercial differentiator: a growing number of large companies and public bodies require their suppliers to demonstrate cybersecurity maturity, and ISO 27001 is the standard evidence. Second, as genuine risk reduction: 60% of SMEs that suffer a significant cyberattack do not recover financially within the following 12 months. A basic ISMS, even without formal certification, dramatically reduces the risk of critical incidents. For SMEs not covered by NIS2, implementing ISO 27001 without certification (known as conformance with ISO 27001) is a middle path that provides structure without the cost of a certification audit.
