40% of companies surveyed as part of CESIN's annual barometer report having suffered at least one significant cyber attack in 2025. For 81% of them, this cyber attack has had an impact on their business: disruption to production, damage to image, data compromise, loss of sales, etc.
The ANSSI now describes the cyber threat as "systemic". To limit its exposure to these risks and raise the overall level of security, Europe is adopting a common framework for cyber risk management, with the NIS 2 directive. The requirements of the European directive apply to entities whose activities are considered essential or important.
An international standard already exists on the subject of risk management: ISO 27001, a management system standard that is the global benchmark for information security management. The ISO 27001 standard and the European NIS 2 directive share many points of convergence, notably a risk-based approach, a requirement for governance and a logic of continuous improvement. So much so, in fact, that ISO 27001 certification provides a recognized methodological foundation for structuring an NIS 2 compliance approach.
NIS 2, a European directive that resonates strongly with ISO 27001
Enhanced security requirements for 15,000 entities in France
The scope of the NIS 2 directive is unprecedented. Some 15,000 French entities ("entités essentielles" and "entités importantes") fall within it, a considerable widening compared with the OIVs (Opérateurs d'importance vitale) covered until now. The enhanced security requirements set out in the text are no longer aimed solely at large organizations or IT players, but affect 18 sectors of activity.
NIS 2 does more than require each entity to secure its own systems. By imposing risk management across an organization's entire value chain, it aims to build resilience at the level of the whole ecosystem. The European directive sets high standards for supplier risk management, including an obligation to identify suppliers and rank them by criticality. In this sense, NIS 2 broadens the framework of digital trust: it makes information security a shared responsibility that transcends the boundaries of individual organizations. From now on, this trust must permeate all relationships within an ecosystem.
ISO 27001, a common set of requirements with NIS 2
Transposition of the European NIS 2 directive into national law is progressing at different rates in different EU member states. Belgium was the first European country to complete its transposition, with a law adopted in April 2024. This text recognizes ISO/IEC 27001 certification issued by an accredited body as one of three ways of demonstrating NIS 2 compliance: under Belgian law, such a certificate carries a presumption of conformity with the NIS 2 obligations, provided its scope covers the systems concerned. This reflects the close relationship between the two texts.
Beyond the Belgian example, several European countries make direct reference to ISO 27001 in their national transposition. This is the case in Finland, Croatia and Slovenia, as indicated by the European Cyber Security Organisation (ECSO) in its tool for monitoring national transposition of the NIS 2 directive.
In France, transposition of the European directive is underway, and ANSSI is preparing the ground for compliance ahead of the law. It has developed ReCyf, the French cyber reference framework, which lists the measures recommended to achieve the security objectives set by NIS 2. This reference framework constitutes a technical roadmap that French entities can follow to structure their compliance, in close liaison with existing standards.
As each EU member state is responsible for its own transposition, ISO 27001 provides a framework for homogenizing security practices across the continent, through compliance with a set of common requirements.
What are the links between the requirements of ISO 27001 and the NIS 2 directive?
ISO 27001, an information security management standard
Since its first publication in 2005, and through its successive revisions, ISO 27001 has established itself as the global benchmark for information security and risk management. Demanding and proven in practice, ISO 27001 is backed by a mature ecosystem of training courses and recognized auditors.
ISO 27001 certification attests to the maturity of an organization's Information Security Management System (ISMS). It rests on three fundamental pillars: the confidentiality, integrity and availability of information. The framework established by the standard covers risk management, governance and leadership commitment, within a cycle of continuous improvement.
The 2022 edition of ISO 27001 lists 93 controls in its Annex A, grouped into four themes (organizational, people, physical and technological). The controls implemented are selected on the basis of a risk assessment specific to the organization's sector and context, and every choice to include or exclude a control is documented, with its justification, in a Statement of Applicability (SoA).
85% correspondence between ISO 27001 and NIS 2
The NIS 2 directive does not explicitly require ISO 27001. It does, however, impose specific requirements in terms of risk management, security policies, incident management, business continuity, supplier security, auditing and governance. These requirements correspond closely to those of an ISO 27001-compliant ISMS.
In fact, ENISA, the European cybersecurity agency, has carried out a mapping exercise between NIS 2 requirements and ISO 27001 controls. Although the two texts do not coincide exactly, the overlap between them is substantial.
For its part, ANSSI has set up a tool designed to compare the requirements of the ReCyf standard with those of other standards, including ISO 27001. According to this tool, ISO 27001 has over 85% correspondence with NIS 2. Obtaining ISO 27001 certification therefore makes it possible to accomplish a large part of the work required to achieve NIS 2 compliance, based on a recognized methodological framework and risk analysis.
What is the difference between ISO 27001 and the NIS 2 directive?
ISO 27001 is a voluntary standard, and the scope of the certified ISMS is chosen by the organization: certification can cover just one part of its activity (a given information system, a software product, etc.). NIS 2, by contrast, applies to essential and important entities, defined according to their sector of activity, size, status and turnover, and the requirements of the European directive apply to the entity as a whole.
Once ISO 27001 certification has been obtained, the additional points to be addressed to achieve NIS 2 compliance mainly concern legal obligations that ISO 27001 does not cover: notification of significant incidents to the competent authority within fixed deadlines, cyber crisis management and resilience. NIS 2 also introduces enhanced supply chain security requirements, financial penalties for non-compliance, and personal liability for managers. The European directive thus requires cyber governance to be brought to the level of management bodies.
Why ISO 27001 certification is an advantage over NIS 2
ISO 27001, an international benchmark of trust
Regulatory compliance is rarely seen as an opportunity. Perceived as a constraint and reduced to its cost, it is often simply endured. Information security management can, however, be approached differently.
ISO 27001 certification meets a growing market demand. It is increasingly requested in invitations to tender, as a condition of access to certain markets and as a supplier selection criterion. ISO 27001 certification is the fourth most widely issued management standard in the world. According to the ISO Survey, the number of certificates issued has grown by 107% from 2023 to 2024.
ISO 27001 certification is proof of a company's maturity in managing and controlling digital risks. In this sense, it sends a signal of confidence to customers, prospects and the whole of the company's ecosystem. It represents a major asset for a company wishing to evolve in an international environment.
ISO 27001, NIS 2: strengthening resilience on an ecosystem scale
One of the defining features of the NIS 2 directive is that it imposes risk management across entire value chains. An organization's security depends heavily on that of its ecosystem, understood in the broadest sense. The 15,000 French entities affected by the European directive will require their subcontractors and service providers to demonstrate solid control of their digital risks. In this context, ISO 27001, as a shared and internationally recognized standard, can serve as a common baseline.
ISO 27001 certification enables companies to meet three converging challenges: to protect their organization and its assets against cyber-attacks, to structure their NIS 2 compliance approach by covering the essential technical and organizational requirements, and to send a signal of maturity in digital risk management to their market and ecosystem.
ISO 27001 certification lays the foundations for NIS 2 compliance. Moving from ISO 27001 to NIS 2 compliance is a logical progression, a sign of maturity, as well as a signal of confidence to the market. It's a step that transforms a regulatory obligation into a confidence-building initiative for your ecosystem.
FAQ
Is ISO 27001 certification mandatory for NIS 2 compliance?
No, the NIS 2 directive does not explicitly require organizations to become ISO 27001 certified. It does, however, require risk management measures and security policies that, according to ANSSI's ReCyf comparison tool, correspond to over 85% with the standard's requirements. Certification is therefore a recognized methodological framework for demonstrating compliance, and is expressly acknowledged by several member states, such as Belgium.
What are the main points of NIS 2 not covered by ISO 27001?
While ISO 27001 covers the essential technical and organizational measures, it does not itself address certain legal obligations specific to NIS 2. These include strict deadlines for reporting incidents to national authorities (ANSSI in France), specific cyber crisis management procedures, as well as financial sanctions and the legal liability of managers.
Why choose a certification body like LSTI for your ISO 27001 audit?
For ISO 27001 certification to be a guarantee of confidence and a lever towards NIS 2, it must be issued by an independent, accredited third-party body. As a certification body accredited by Cofrac (N°4-0063, scope available on cofrac.fr), LSTI carries out rigorous audits that attest to the real maturity of your ISMS, sending a strong signal of confidence to your ecosystem and your clients.

