NIS2 and ISO/IEC 27001: the same obligation or two different requirements?
NIS2 and ISO/IEC 27001 share a common vocabulary: risk, controls, incidents, responsibilities. But they do not have the same nature or the same purpose. Treating one as a substitute for the other is one of the most frequent misunderstandings, with practical consequences for organisations and professionals.
NIS2 establishes legal requirements
Directive (EU) 2022/2555, known as NIS2, establishes measures intended to ensure a high common level of cybersecurity across the European Union. Its focus is on essential and important entities in sectors considered critical or relevant to the economy, society and the functioning of the internal market.
In Portugal, NIS2 was transposed by Decree-Law no. 125/2025 of 4 December, which approved the new Legal Framework for Cybersecurity, entering into force on 3 April 2026.
For the entities covered, this means that NIS2 is not an option or a good practice to adopt if it makes sense. It represents a framework of legal requirements, with concrete obligations in matters of governance, cybersecurity risk management, including the implementation of technical and organisational measures, incident reporting, supervision and accountability.
The organisation cannot limit itself to demonstrating that it has security controls. It must evidence context, risks, proportionate measures, response capability and documented decisions.
ISO/IEC 27001 is a management system standard
ISO/IEC 27001 is an international standard for Information Security Management Systems. It defines requirements for establishing, implementing, maintaining and continually improving an ISMS.
Unlike NIS2, ISO/IEC 27001 is not, in itself, a law. It is a voluntary standard, although it may become mandatory through contractual, regulatory or sectoral requirements, or by strategic decision of the organisation.
Its logic differs from the logic of a legal obligation. ISO/IEC 27001 does not merely ask “what security controls exist?”. It requires a systematic approach: context, leadership, planning, risk assessment, risk treatment, objectives, resources, competences, documentation, operation, performance evaluation, internal audit, management review and continual improvement.
In other words, ISO/IEC 27001 helps organise information security as a management system and not as a dispersed set of technical measures.
Where is the difference?
The main distinction lies in the nature of the requirement. While NIS2 defines the regulatory obligations and supervisory expectations of a legal framework applicable to certain entities, ISO/IEC 27001 provides a management structure to protect information, manage risks and demonstrate control in a systematic way.
In practice, the two approaches look at security from different perspectives:
- NIS2 assesses compliance: does the entity comply with the cybersecurity legal obligations applicable to it?
- ISO/IEC 27001 assesses effectiveness: does the organisation have a management system capable of identifying, treating and mitigating information security risks?
These approaches intersect, but they are not the same:
- An organisation certified to ISO/IEC 27001 still needs to adapt its system to respond to the specific requirements of NIS2.
- An organisation may ensure compliance with NIS2 without holding ISO/IEC 27001 certification, although it benefits significantly from adopting a structured approach based on this standard.
- Both dimensions can and should coexist, playing distinct and complementary roles in security governance.
The role of ISO/IEC 27001 in NIS2 compliance
ISO/IEC 27001 provides a solid foundation for structuring a significant part of the response to NIS2 requirements. This is because the international standard addresses the fundamental pillars of any cybersecurity strategy: risk management, leadership, definition of responsibilities, documentation, controls, monitoring, audit, continual improvement and evidence collection.
Having a certified Information Security Management System (ISMS) demonstrates maturity, management discipline and internal control. In practice, this ecosystem facilitates the production of evidence, supports security governance, structures responsibilities and clarifies the alignment between identified risks and the measures adopted.
Therefore, organisations that already operate effectively under ISO/IEC 27001 are better positioned to respond to NIS2, reducing duplication of effort and demonstrating method to interested parties and competent authorities.
However, it is crucial to avoid an automatic equivalence. NIS2 introduces specific requirements associated with its legal scope — such as categories of entities, sectors covered, strict incident reporting obligations and direct interaction with authorities — dimensions that require their own mapping, regardless of the level of maturity in ISO/IEC 27001.
Ultimately, the concrete application of NIS2 must always be assessed according to the national framework in force, the sector, the size and the category of the entity, in accordance with the guidance of the competent authorities.
The risk of confusing certification with compliance
One of the most common misunderstandings in the market is assuming that certification automatically resolves a legal obligation.
ISO/IEC 27001 certification constitutes significant evidence of maturity in information security. However, it should not be presented, without further and detailed analysis, as a complete response to NIS2 requirements.
Compliance with NIS2 requires the formal validation of the following aspects:
- whether the entity is covered by the framework and whether it is classified as essential or important;
- which specific obligations apply to it;
- which technical, organisational and governance measures must actually be demonstrated;
- which processes are implemented for the detection, response and reporting of incidents to the authorities;
- how the involvement and direct accountability of management bodies are documented;
- which evidence supports decisions made in relation to risk;
- how risks associated with supply chain security and relevant third parties are assessed.
ISO/IEC 27001 can help structure and respond to many of these points. Carrying out the exact mapping between the existing management system and the applicable legal requirements is precisely the differentiating competence that professionals in the area need to master.
The essential point: integration
The most effective approach is not to treat NIS2 and ISO/IEC 27001 as separate worlds. NIS2 should not be managed merely as a legal checklist, just as ISO/IEC 27001 should not be reduced to a mere certification project.
Organisations maximise value when they integrate both perspectives: the regulatory requirement of NIS2 and the management discipline of ISO/IEC 27001. This synergy makes it possible to transform compliance into real operational capability. Instead of creating parallel documentation to respond to competent authorities, the organisation uses its ISMS to structure responsibilities, risks, controls, evidence, audits, management review and continual improvement.
In short, ISO/IEC 27001 provides a relevant operational foundation to support NIS2 requirements, while the latter acts as a catalyst for raising information security to the level of governance, the level where it should always have been.
In summary
- NIS2 and ISO/IEC 27001 operate in distinct dimensions: the former is a legal obligation for the entities covered; the latter is an international management system standard.
- NIS2 constitutes a framework of mandatory legal requirements for the entities covered.
- ISO/IEC 27001 is an international reference framework for information security management systems.
- The law defines regulatory obligations, while the standard offers a practical structure for managing risks, controls, responsibilities and continual improvement.
- ISO/IEC 27001 certification can strongly accelerate preparation for NIS2, but it does not remove the need to assess the legal scope, the specific reporting obligations and the evidence required by the authorities.
The right question, therefore, is not whether the organisation should choose between NIS2 and ISO/IEC 27001. The fundamental question is another one: how can the organisation use ISO/IEC 27001 to demonstrate, with greater consistency, maturity and evidence, its ability to respond to NIS2 requirements?
Ultimately, cybersecurity compliance is not proven merely by the existence of isolated documents or controls. It is demonstrated by the ability to govern risks, make decisions, respond to incidents, learn from operations and evidence that security is an integral part of organisational management.
At Behaviour, these topics are developed in the areas of Information Security and Cybersecurity and Digital Compliance, with learning paths that cover both the normative and regulatory dimensions, adapted to different profiles and levels of responsibility.
Reference frameworks related to this topic
Directive (EU) 2022/2555 (NIS2) establishes measures intended to ensure a high common level of cybersecurity across the European Union, reinforcing governance, risk management, incident reporting and supervision obligations for the entities covered.
Decree-Law no. 125/2025 of 4 December transposes the NIS2 Directive into national law and establishes the new Legal Framework for Cybersecurity, in force since 3 April 2026.
ISO/IEC 27001:2022 defines the requirements for establishing, implementing, maintaining and continually improving an Information Security Management System, with a risk-based approach.
ISO/IEC 27005 supports information security risk management in alignment with ISO/IEC 27001.
ISO 31000 provides principles and guidance for organisational risk management, useful for framing the relationship between risk, decision, control and responsibility.
Date: 26 May 2026
Author: Behaviour