
NIS2 vs ISO/IEC 27017 legal duties and cloud control evidence

Separate NIS2 statutory duties from ISO/IEC 27017 cloud-service control guidance, then decide which cloud policies, supplier files, logs, incident records, and assurance evidence can be reused.

Grounded in the NIS2 directive, Commission and ENISA implementation context, and the ITU-T X.1631 / ISO/IEC 27017 cloud-control text.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026

Overview

NIS2 and ISO/IEC 27017 can point to overlapping cloud-security evidence, but they answer different questions. Use this comparison to separate NIS2 entity scope, Article 21 cybersecurity risk-management measures, Article 23 incident reporting, and national supervision from ISO/IEC 27017 cloud-service controls for customers and providers, shared-responsibility records, monitoring, incident coordination, and assurance evidence.

Side-by-side comparison

NIS2 vs ISO/IEC 27017: legal duties, cloud controls, and reuse limits

Use this comparison to decide when NIS2 controls the legal obligation, when ISO/IEC 27017 controls cloud-security evidence, and which records can be reused without merging different duties.

First framework: NIS2. Use the NIS2 side to confirm covered entity facts, Annex I or Annex II sector scope, Article 21 measures, Article 23 incident clocks, management-body accountability, registration, supervision, and enforcement exposure.

Second framework: ISO/IEC 27017. Use the ISO/IEC 27017 side to confirm cloud-service customer/provider roles, cloud-specific controls, shared responsibilities, monitoring, incident coordination, provider evidence, and assurance records.

Row 1: Scope and covered activity
NIS2: Essential and important entities in NIS2 sectors, including digital infrastructure, ICT service management, and digital providers where the directive and national rules bring the entity into scope.
ISO/IEC 27017: Information-security controls for the provision and use of cloud services, extending ISO/IEC 27002 guidance for cloud service customers and cloud service providers.
Operational implication: Write two scope findings first: legal entity/service scope for NIS2, and cloud customer/provider control scope for ISO/IEC 27017.

Row 2: Who must act
NIS2: Management bodies, security leaders, incident-response teams, supplier-risk owners, legal/compliance teams, and country or sector operations owners for the NIS2-scoped entity.
ISO/IEC 27017: Cloud service customers and cloud service providers, with role-specific responsibilities for policies, controls, monitoring, event reporting, evidence, and service termination.
Operational implication: Assign legal accountability and cloud operational ownership separately; one register can coordinate both, but each evidence item needs the right owner.

Row 3: Trigger or threshold
NIS2: Entity classification, sector inclusion, size-cap or special-case rules, national transposition, and significant incidents trigger NIS2 workstreams.
ISO/IEC 27017: Use or provision of cloud services triggers ISO/IEC 27017 mapping when cloud-specific risks, customer/provider responsibilities, or cloud control evidence must be defined.
Operational implication: Do not use cloud-control adoption as a shortcut for NIS2 applicability; run the legal scope test and the cloud control test separately.

Row 4: Core obligations and controls
NIS2: Article 21 cybersecurity risk-management measures, Article 23 incident reporting, management-body accountability, supply-chain controls, and applicable registration or authority communication duties.
ISO/IEC 27017: Additional implementation guidance for ISO/IEC 27002 controls and cloud-specific controls, including shared roles, supplier relationships, monitoring, incident coordination, and provider/customer evidence.
Operational implication: Convert legal duties and cloud controls into owner assignments, product requirements, supplier clauses, monitoring procedures, incident playbooks, and evidence requests.

Row 5: Evidence and records
NIS2: Entity classification, country notes, Article 21 control evidence, policy approvals, incident logs, authority notifications, supplier files, and management-body records.
ISO/IEC 27017: Cloud policy, shared-responsibility matrix, provider capability evidence, cloud monitoring records, incident contact procedures, configuration evidence, audit reports, and asset return or deletion records.
Operational implication: Reuse cloud evidence only after labelling the NIS2 article or national duty it supports and the ISO/IEC 27017 cloud responsibility it proves.

Row 6: Timing and cadence
NIS2: NIS2 timing depends on Member State transposition, applicable registration duties, risk-management review triggers, and the Article 23 incident sequence including early warning, notification, and final report steps.
ISO/IEC 27017: ISO/IEC 27017 timing follows cloud risk assessment, customer/provider agreement, implementation, monitoring, event-reporting procedures, audit or assurance requests, and termination or asset-removal events.
Operational implication: Calendar the earliest legal or operational clock and add reassessment triggers for product, cloud provider, supplier, country, incident, system, and contract changes.

Row 7: Enforcement or assurance route
NIS2: National competent authorities supervise and enforce NIS2, with differentiated supervision for essential and important entities and penalties under the directive and national law.
ISO/IEC 27017: ISO/IEC 27017 is assurance-oriented: customers, providers, auditors, contracts, independent evidence, and internal governance decide whether cloud controls are implemented and operated.
Operational implication: Escalate through the route that owns the actual source: the regulator for NIS2, and customer/provider governance, contract management, or audit assurance for ISO/IEC 27017.

Row 8: Overlap and reuse
NIS2: NIS2 can reuse cloud inventories, logs, supplier records, business-continuity evidence, vulnerability records, and incident procedures when they prove the specific NIS2 duty.
ISO/IEC 27017: ISO/IEC 27017 can reuse NIS2 evidence when it proves the cloud customer/provider responsibility and remains tied to the relevant cloud service, control, and risk assessment.
Operational implication: Reuse common evidence, but label each record by legal duty, cloud role, control purpose, owner, and review trigger.

Row 9: Practical decision rule
NIS2: For NIS2, record the entity and sector conclusion, Member State assumptions, article or national duty, owner, evidence artifact, and reassessment trigger.
ISO/IEC 27017: For ISO/IEC 27017, record the cloud customer/provider role, cloud service boundary, control or guidance point, owner, evidence artifact, and reassessment trigger.
Operational implication: The first useful output is a short decision record that legal, security, cloud, procurement, incident-response, and audit reviewers can re-run from the same sources.

Practical decision rule

How should teams decide between NIS2 and ISO/IEC 27017 for cloud compliance planning?

  • Start with the fact pattern: entity, sector, Member State, cloud role, cloud service, provider, and system boundary.
  • Run NIS2 legal scope and ISO/IEC 27017 cloud-control scope separately, then save the cited source for each answer.
  • Reuse evidence only after the owner confirms it satisfies both the NIS2 duty and the cloud customer/provider responsibility.
  • Escalate when a product, incident, supplier, cloud provider, customer group, country rule, or contract changes the answer.

Section 2

What decision should teams make when ISO/IEC 27017 cloud evidence is available?

The practical question is not whether ISO/IEC 27017 is useful for NIS2. It can support cloud evidence, but the decision record must say which NIS2 duty the cloud record supports and which duty still needs legal, country, incident-response, or management-body work.

A useful decision record names the NIS2 scope basis, the cloud service customer or provider role, the cloud service boundary, the evidence owner, the source citation, and the gap that cannot be closed by a cloud-control mapping alone.

  • Classify the entity, sector, Member State, and service before mapping cloud controls.
  • Mark whether the evidence is a cloud policy, shared-responsibility matrix, supplier assessment, configuration record, monitoring record, incident procedure, audit artifact, or provider assurance package.
  • Separate statutory notifications and competent-authority communications from customer/provider operational reporting or independent assurance.
  • Record the reuse decision in a durable register with the NIS2 article, ISO/IEC 27017 evidence type, owner, and review trigger.

Section 3

When should teams apply this comparison, and what should be excluded?

Apply the comparison when a NIS2-scoped or potentially scoped service uses, provides, or depends on cloud services. It is especially useful for Article 21 control baselines, supply-chain security, incident handling, business continuity, access control, asset management, monitoring, and management-body evidence.

Exclude claims that ISO/IEC 27017 alone proves NIS2 compliance. Also exclude cloud controls outside the relevant service, customer/provider role, contract, jurisdiction, or evidence boundary unless the organization can show they are implemented and maintained for the NIS2-relevant network and information systems.

  • Write the NIS2 entity conclusion and the ISO/IEC 27017 cloud role as separate findings.
  • Record national transposition, registration, supervision, and incident-notification assumptions separately from cloud assurance assumptions.
  • Add service, country, cloud deployment model, provider, supplier chain, system boundary, and launch date when they affect the answer.
  • Reassess after material changes to the service, sector classification, Member State footprint, cloud provider, supplier chain, incident process, or cloud-control implementation.

Section 4

Who should own the comparison, and what evidence should they maintain?

Legal or compliance should own the NIS2 applicability conclusion; security and risk owners should own the control and incident evidence; procurement and cloud owners should own customer/provider responsibilities; management bodies should approve the NIS2 governance evidence where required. The same person can coordinate the register, but accountability should not collapse into one generic compliance owner.

Maintain an evidence pack that joins NIS2 entity classification, national transposition notes, Article 21 control evidence, Article 23 incident logs, authority registration records, supplier risk files, cloud policies, shared-responsibility matrices, cloud monitoring evidence, provider assurance records, and termination or asset-removal procedures.

  • Assign a NIS2 legal owner, cloud security owner, incident-response owner, supplier-risk owner, and management-body approver.
  • Keep the source citation beside each evidence item so later reviewers can see whether it supports NIS2, ISO/IEC 27017, or both.
  • Keep rejected mappings, provider limitations, management approvals, audit findings, and corrective actions with the same record.
  • Make the register usable by product, engineering, procurement, security, support, compliance, legal, and management reviewers.

Primary sources

References and citations

  • eur-lex.europa.eu: binding NIS2 directive text for entity classification, Article 21 cybersecurity risk-management measures, Article 23 incident notification, supervision, and enforcement. Quoted: "high common level of cybersecurity across the Union"
  • enisa.europa.eu: ENISA implementation guidance with practical advice, examples of evidence, and mappings for entities covered by the NIS2 implementing regulation. Quoted: "examples of evidence"
  • digital-strategy.ec.europa.eu: Commission overview for NIS2 sector scope, transposition timing, risk-management and reporting obligations, supervision, and policy context. Quoted: "wider scope, clearer rules and stronger supervision tools"
  • handle.itu.int: ITU-T handle for the ITU-T X.1631 / ISO/IEC 27017 common text on cloud-service information-security controls for cloud service customers and providers. Quoted: "cloud service providers and cloud service customers"