| Dimension | NIS2 | ISO/IEC 27001 | How to handle both |
|---|---|---|---|
| Scope and covered activity | NIS2 scope turns on whether the entity is essential or important, whether its activities fall in Annex I or Annex II, and whether size-cap, special-case, registration, risk-management, incident-reporting, or supply-chain duties apply. | ISO/IEC 27001 scope is the boundary and applicability of the organization's information security management system, including the information, processes, sites, services, and controls the organization places inside that ISMS. | Write the NIS2 entity conclusion and the ISO/IEC 27001 ISMS boundary separately before reusing any risk assessment, SoA, supplier, or incident evidence. |
| Who must act | NIS2 work needs legal or compliance ownership for applicability and national duties, management-body accountability for approving and overseeing cybersecurity risk management, and operational owners for controls, suppliers, and incident reporting. | ISO/IEC 27001 work needs top management, ISMS owners, risk owners, control owners, internal auditors, corrective-action owners, and certification stakeholders. | Assign accountability by duty: a single evidence register can coordinate work, but NIS2 legal accountability and ISMS conformity accountability should stay visible. |
| Trigger or threshold | The NIS2 trigger is a covered entity and activity under the directive and national transposition, followed by specific duties such as Article 21 measures, Article 23 reporting, registration, and supervision. | The ISO/IEC 27001 trigger is the organization's decision, contract, customer assurance requirement, or other obligation to establish, implement, maintain, improve, or certify an ISMS for a defined scope. | Do not describe ISO/IEC 27001 certification as the NIS2 trigger; use it only as evidence after the NIS2 scope and duty have been identified. |
| Core obligations | NIS2 requires appropriate and proportionate cybersecurity risk-management measures, significant-incident notification, management-body approval and oversight, supply-chain security, and national registration or information duties where applicable. | ISO/IEC 27001 requires an ISMS with context and scope, leadership, risk assessment, risk treatment, selected controls compared with Annex A, documented information, performance evaluation, internal audit, management review, correction, corrective action, and continual improvement. | Map each NIS2 duty to an ISO/IEC 27001 evidence item only when the record proves the specific duty; otherwise create a NIS2-specific action, notification, approval, or country record. |
| Evidence and records | NIS2 evidence should include entity and sector classification, size-cap or special-case analysis, Article 21 control evidence, incident notification logs, authority communications, supplier security files, management-body approvals, and registration records. | ISO/IEC 27001 evidence should include ISMS scope, risk assessment criteria and results, risk treatment plan, SoA with Annex A inclusion and exclusion rationale, control evidence, documented information, audit reports, corrective actions, and management-review outputs. | Use a shared register, but label every item by duty so a regulator can see the NIS2 basis and an auditor can see the ISMS conformity basis. |
| Timing and cadence | NIS2 timing depends on Member State transposition, registration or information duties, supervisory requests, and incident reporting that can require an early warning without undue delay and within 24 hours, an incident notification within 72 hours, and a final report within one month. | ISO/IEC 27001 timing follows planned and change-triggered risk assessments, risk treatment, monitoring, internal audits, management reviews, corrective actions, and certification or surveillance cycles. | Calendar NIS2 incident clocks separately from ISMS audit cycles, then add reassessment triggers for service, supplier, country, risk, incident, and ISMS-scope changes. |
| Enforcement or assurance route | NIS2 is supervised and enforced by national competent authorities, with different supervisory models for essential and important entities and administrative fines for Article 21 or Article 23 infringements. | ISO/IEC 27001 assurance comes through internal governance, internal audit, management review, corrective action, customer assurance, and certification audits rather than direct statutory NIS2 fines. | Escalate regulator-facing NIS2 issues through legal, management, and authority workflows; escalate ISO/IEC 27001 issues through ISMS governance, audit, certification, and customer-assurance workflows. |
| Overlap and reuse | NIS2 can reuse ISO/IEC 27001 records for risk analysis, policies, incident handling, business continuity, supply-chain security, access control, asset management, and cryptography when those records cover the NIS2-relevant service and duty. | ISO/IEC 27001 can absorb NIS2 requirements as interested-party or legal requirements inside the ISMS, then reflect them in risk treatment, SoA rationale, monitoring, audit scope, and management review. | Reuse inventories, logs, supplier clauses, risk registers, SoA entries, and control tests only after marking the NIS2 article or national duty and the ISO/IEC 27001 clause or control evidence they support. |
| Practical decision rule | For NIS2, write the entity classification, Member State assumption, applicable duty, management owner, evidence artifact, notification trigger, and reassessment trigger. | For ISO/IEC 27001, write the ISMS boundary, risk owner, risk treatment or SoA entry, control evidence, audit or management-review touchpoint, and corrective-action owner. | The output should be a short mapping record that legal, security, procurement, incident-response, management, customer-assurance, and audit reviewers can re-run from the same sources. |
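The "Timing and cadence" and "Evidence and records" rows describe two mechanical checks a practitioner ends up scripting: the three NIS2 incident-reporting clocks measured from the moment of awareness, and the reuse rule that an ISMS record counts as NIS2 evidence only when it is labelled with the NIS2 duty and covers the NIS2-relevant service. The following is an added example, not code from the original page or from any NIS2 or ISO/IEC 27001 tooling. It reads "one month" as one calendar month with end-of-month clamping (31 January becomes 28 or 29 February); that reading, and the `EvidenceItem` field names, are assumptions, and the sample register entries are constructed.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Reporting clocks stated in the table: early warning within 24 hours,
# incident notification within 72 hours, final report within one month.
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)


def add_one_month(moment: datetime) -> datetime:
    """Add one calendar month, clamping to the last day of the target month.

    Assumption: "within one month" is treated as a calendar month, so an
    incident noticed on 31 January has its final report due on the last day
    of February, not on 2/3 March.
    """
    year = moment.year + (moment.month // 12)        # roll the year over from December
    month = moment.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def nis2_incident_clocks(aware_at: datetime) -> Dict[str, datetime]:
    """Return the three NIS2 deadlines measured from the awareness timestamp.

    A naive datetime is rejected: a deadline calendared in the wrong zone can
    silently lose or gain hours, which matters on a 24-hour clock.
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    return {
        "early_warning": aware_at + EARLY_WARNING,
        "incident_notification": aware_at + INCIDENT_NOTIFICATION,
        "final_report": add_one_month(aware_at),
    }


@dataclass(frozen=True)
class EvidenceItem:
    """One line of the shared register, labelled by the duty it supports.

    Field names are assumptions for this example; the table only says every
    item should carry its NIS2 basis and its ISMS conformity basis.
    """
    artifact: str
    covered_service: str
    nis2_duty: Optional[str] = None       # e.g. "Article 21"; None = no NIS2 label
    iso27001_basis: Optional[str] = None  # e.g. "SoA"; None = no ISMS label


def reusable_for_nis2(item: EvidenceItem, service: str) -> bool:
    """Reuse rule from the "Overlap and reuse" row: an ISMS record serves as
    NIS2 evidence only if it is labelled with a NIS2 duty AND covers the
    NIS2-relevant service. An unlabelled or off-service record is not reused."""
    return item.nis2_duty is not None and item.covered_service == service


def nis2_duty_gaps(register: List[EvidenceItem], service: str,
                   required_duties: Set[str]) -> Set[str]:
    """Duties for which the register holds no reusable evidence for `service`.
    Each gap needs a NIS2-specific record rather than a borrowed ISMS one."""
    covered = {i.nis2_duty for i in register if reusable_for_nis2(i, service)}
    return set(required_duties) - covered


# Constructed sample register (not real organisational data).
SAMPLE_REGISTER = [
    EvidenceItem("risk register 2024", "DNS resolution", "Article 21", "risk assessment results"),
    EvidenceItem("supplier clause set v3", "DNS resolution", "Article 21", "SoA"),
    EvidenceItem("incident log", "DNS resolution", None, "incident handling"),   # no NIS2 label
    EvidenceItem("registration filing", "web hosting", "registration", None),    # wrong service
]

if __name__ == "__main__":
    aware = datetime(2024, 1, 31, 10, 0, tzinfo=timezone.utc)
    for name, due in nis2_incident_clocks(aware).items():
        print(f"{name:22s} due {due.isoformat()}")
    print("gaps:", nis2_duty_gaps(SAMPLE_REGISTER, "DNS resolution",
                                  {"Article 21", "Article 23", "registration"}))
```

Run as a script it prints the three deadlines for a 31 January awareness time (final report on 29 February 2024, a leap year) and reports `Article 23` and `registration` as gaps for the DNS service: the incident log exists but carries no NIS2 label, and the registration record covers a different service, so neither is reused under the table's rule.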