In recent months a recurring question has been coming from the boards of mid-market companies: “we are ISO/IEC 27001:2022 certified, is that enough for NIS2?”. The short answer is no, and it deserves to be argued through. Certification provides an organisational engine — the information security management system — that comes very close to what the legislation requires, but several areas remain uncovered. Some of these, as we will see, fall directly on senior individuals, not on the organisation.
Two different regulatory natures
ISO/IEC 27001:2022 is a voluntary international standard that certifies a management system (ISMS, Information Security Management System). The organisation defines the scope of its own ISMS, declares in the Statement of Applicability which Annex A controls are applicable while justifying exclusions, demonstrates in audit that it manages them continuously, and obtains a certificate issued by an accredited body.
The Directive (EU) 2022/2555 — transposed in Italy by Legislative Decree no. 138 of 4 September 2024 — is instead a binding sectoral law. It applies on objective criteria of sector and size (the so-called size-cap rule extended to 18 sectors, of which 11 highly critical (Annex I) and 7 other critical sectors (Annex II)), it imposes minimum technical and organisational obligations, and it provides for public oversight exercised by the ACN (Italian National Cybersecurity Agency), aligned to the GDPR in its sanctioning regime. The determination of the ACN Director General no. 379907 of 19 December 2025 sets out the baseline specifications for the obligations under articles 23, 24, 25, 29 and 32 of the NIS decree, organised according to the National Framework for Cybersecurity and Data Protection (FNCDP) 2025 edition.
Put plainly: ISO 27001 demonstrates that the organisation governs its own security within a perimeter it has chosen. NIS2 establishes that, if a company falls within the sectors covered by the decree and exceeds the size thresholds, it must adopt specific measures, report incidents within fixed timeframes and account for them to a public authority.
Where certification covers well
A well-implemented ISO 27001:2022 covers much of the work that NIS2 requires. The ENISA mapping published in June 2025 (Technical Implementation Guidance — Mapping table v1.0) shows that most ISO/IEC 27001:2022 controls map to the NIS2 requirements detailed by Commission Implementing Regulation (EU) 2024/2690: the overlap is broad and concerns security policies, risk management, incident management, ICT supply chain security (control A.5.21), business continuity, cryptography, access control, training and basic hygiene. For an organisation already operating a mature ISMS, building a NIS2 posture largely means realigning what already exists, not starting from scratch.
What the overlap does not cover automatically are the elements that differ in nature from a management-system standard: scope fixed by law rather than chosen, personal duties of top management, statutory deadlines, public registration and supervision. These are the seven gaps we examine in the following sections, before addressing a frequent misunderstanding, the one between a NIS2 entity and a supplier of a NIS2 entity, and the personal liability of company top management.
Seven real gaps between ISO 27001 and NIS2
1. Scope of application
ISO 27001 certifies the scope declared by the organisation. A holding company may choose to certify only the parent company, excluding subsidiaries; a manufacturer may limit the perimeter to its headquarters, excluding peripheral plants. It is a legitimate choice within the standard: certification applies to what was submitted to audit.
NIS2, by contrast, applies to the legal entity as a whole, as a function of sector and size. If the organisation falls within the scope of the decree, the obligations apply to the entire entity: the ISO scope is not a defensive argument before the ACN. It is one of the first misalignments to emerge during the gap analysis, and it requires a re-reading of the existing Statement of Applicability in light of the decree’s actual scope of application.
2. Personal liability of the administrative bodies
Article 23 of Legislative Decree 138/2024 introduces a paradigm shift compared with the certification logic: it assigns to company top management — the «administrative and management bodies» — the personal obligation to approve the way risk-management measures are implemented, to oversee the fulfilment of the Chapter IV obligations and to undergo specific training in information security. It is training, not mere awareness-raising: the obligation requires acquiring competences proper to the role, not a one-hour seminar.
To this is added paragraph 5 of article 38, which establishes cumulative liability: «any natural person responsible for an essential entity or acting as its legal representative… may be held liable for the failure in the event of a breach of this decree by the entity it represents». We will explore this figure in a dedicated section, but the point is worth noting here: Italian NIS2 marks the end of delegation without oversight. ISO 27001 contains nothing equivalent.
3. Significant incident notification
Article 25 of the decree sets precise timeframes: an early warning to the Italian CSIRT within 24 hours of becoming aware of the incident, a full notification with technical details within 72 hours, a final report within one month. The key word is awareness: the deadline runs from the moment the entity acquires objective awareness of the incident, not from the moment the incident materially occurred. On this specific point the ACN provided a clarification at the Clusit event of 29 April 2026, recalling that the organisation must be able to clearly distinguish five moments: occurrence, detection, awareness, significance assessment, triggering of the early warning.
Determination 379907/2025 further articulates four categories of significant incident (IS-1: loss of confidentiality towards the outside; IS-2: loss of integrity with external impact; IS-3: breach of the expected service levels based on the SLs defined by measure DE.CM-01 of the National Framework, dedicated to continuous monitoring of service levels; IS-4: unauthorised access or abuse of privileges). The first three apply to important and essential entities, IS-4 to essential entities only. The baseline notification obligation runs from January 2026 for entities that received the first communication of inclusion in the NIS list in April 2025, and from later dates for entities added in 2026 (Determination 127434/2026). ISO 27001 prescribes an incident-management process, but it does not impose these timeframes or this taxonomy.
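The practical trap in the chain above is the clock: it starts at awareness, so a tracker keyed on the occurrence or detection timestamp will report false "late" states, and one that silently accepts naive (timezone-less) timestamps invites disputes about an hour either way. The following is an added example, not code from the article or from the ACN, of a small tracker that computes the 24-hour, 72-hour and one-month deadlines from the awareness moment, judges each stage as met, late or pending, and returns the IS categories applicable to an entity type. The incident timestamps are constructed sample data; the reading of "one month" as a calendar month clamped to the last day of the target month is an assumption, not something the decree or the article spells out.

```python
"""Added example: NIS2 art. 25 notification-deadline tracker (not the article's or ACN's code)."""
from calendar import monthrange
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Timeframes as summarised in the article: early warning 24 h, full notification 72 h,
# final report one month, all counted from awareness.
EARLY_WARNING = timedelta(hours=24)
FULL_NOTIFICATION = timedelta(hours=72)


def _require_aware(t: datetime, name: str) -> datetime:
    # Naive timestamps are a classic source of "we were one hour late" disputes; refuse them.
    if t.tzinfo is None or t.utcoffset() is None:
        raise ValueError(f"{name} must be timezone-aware")
    return t


def add_one_month(t: datetime) -> datetime:
    # Assumption: "one month" is a calendar month, clamped to the last day of the target
    # month (31 Jan -> 28 Feb). The article does not define how the month is counted.
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def deadlines(aware_at: datetime) -> dict[str, datetime]:
    """Deadlines for the three stages, computed from the awareness moment only."""
    aware_at = _require_aware(aware_at, "aware_at")
    return {
        "early_warning": aware_at + EARLY_WARNING,
        "full_notification": aware_at + FULL_NOTIFICATION,
        "final_report": add_one_month(aware_at),
    }


@dataclass
class Incident:
    # The five moments the ACN asks entities to distinguish: occurrence, detection,
    # awareness, significance assessment, early warning. Only aware_at drives the clock.
    detected_at: datetime
    aware_at: datetime
    occurred_at: Optional[datetime] = None
    assessed_significant_at: Optional[datetime] = None
    early_warning_sent_at: Optional[datetime] = None
    full_notification_sent_at: Optional[datetime] = None
    final_report_sent_at: Optional[datetime] = None


def check_timeliness(inc: Incident, now: datetime) -> dict[str, str]:
    """Return 'met', 'late' or 'pending' per stage, judged against awareness-based deadlines."""
    now = _require_aware(now, "now")
    due = deadlines(inc.aware_at)
    sent = {
        "early_warning": inc.early_warning_sent_at,
        "full_notification": inc.full_notification_sent_at,
        "final_report": inc.final_report_sent_at,
    }
    status: dict[str, str] = {}
    for stage, deadline in due.items():
        when = sent[stage]
        if when is None:
            status[stage] = "pending" if now <= deadline else "late"
        else:
            status[stage] = "met" if _require_aware(when, stage) <= deadline else "late"
    return status


def applicable_categories(entity_type: str) -> tuple[str, ...]:
    # IS-1..IS-3 apply to important and essential entities; IS-4 to essential entities only.
    if entity_type == "important":
        return ("IS-1", "IS-2", "IS-3")
    if entity_type == "essential":
        return ("IS-1", "IS-2", "IS-3", "IS-4")
    raise ValueError("entity_type must be 'important' or 'essential'")


if __name__ == "__main__":
    utc = timezone.utc
    # Constructed sample: detected on 30 Jan, awareness only established on 31 Jan 10:00.
    inc = Incident(
        occurred_at=datetime(2026, 1, 20, 3, 0, tzinfo=utc),
        detected_at=datetime(2026, 1, 30, 18, 0, tzinfo=utc),
        aware_at=datetime(2026, 1, 31, 10, 0, tzinfo=utc),
        early_warning_sent_at=datetime(2026, 2, 1, 9, 0, tzinfo=utc),
    )
    print(deadlines(inc.aware_at))
    print(check_timeliness(inc, now=datetime(2026, 2, 2, 12, 0, tzinfo=utc)))
    print(applicable_categories("essential"))
```

In the sample, the early warning goes out 39 hours after detection but 23 hours after awareness, so it is reported as met; a tracker keyed on detection would have flagged it late. The one-month deadline for a 31 January awareness lands on 28 February, which is exactly the kind of boundary a runbook should state explicitly rather than leave to whoever is on shift.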
4. Minimum mandatory technical measures
Article 24 lists ten areas of binding measures ranging from risk analysis to incident management, from business continuity to supply chain security, from secure development and vulnerability management to cryptography policies, from access control to multi-factor authentication, through to basic hygiene practices and staff training. These are absolute obligations, not controls to be selected on the basis of scope as happens in Annex A of ISO 27001.
Determination 379907/2025 translates the ten areas into operational measures structured according to the FNCDP 2025 edition — organised by functions, categories, subcategories and requirements — and differentiated for important entities (Annex 1) and essential entities (Annex 2), the latter being more extensive. Full adoption is due within 18 months of receiving the communication of inclusion in the list — a deadline which, for entities notified in the first wave, falls in October 2026. ISO 27001:2022 addresses most of these topics but with a different approach: the Annex A controls are «relevant as a function of the SoA» and the organisation selects them; article 24 imposes them all.
5. Supply chain security
ISO 27001:2022 dedicates controls A.5.19, A.5.20, A.5.21 and A.5.22 to the supply chain — management of supplier relationships, security agreements in contractual clauses, security management in the ICT supply chain, monitoring of the services provided. Article 24, letter d) of the NIS decree is more prescriptive: it explicitly includes «security aspects concerning the relationships between each entity and its direct suppliers or service providers». The obligation is not to choose the level of depth on the basis of the SoA, but to guarantee coverage.
At the Clusit event of 29 April 2026 the ACN further clarified that the category of «relevant supplier» also includes non-ICT, non-fungible suppliers — a manufacturer of an exclusive component, a critical logistics service — whose absence would compromise the continuity of the organisation’s NIS activities. It is a broader reading than the one typically adopted in supplier relationship governance in the ISO context.
6. Registration and maintenance of the ACN listing
Article 7 of Legislative Decree 138/2024 requires entities within scope to register on the ACN platform, appoint a point of contact and a deputy, and keep the information up to date. Determination 127437/2026 governs the terms, methods and procedures for accessing the platform and for designating the NIS representatives. Determination 155238/2026 also introduces the model for categorising activities and services: ten predefined macro-areas, four relevance categories (minimal, low, medium, high impact), a filing window from 1 May to 30 June 2026 for the first wave of entities.
These are obligations with no counterpart in ISO 27001: the standard requires the organisation to manage relationships with competent authorities, but it does not impose a public registration, a formal point of contact towards a state agency, or a structured categorisation on a prescribed model.
7. Public oversight and sanctions
The ACN exercises enforcement, verification and inspection powers that the legislator has aligned to those of the GDPR. The administrative fines for failure to comply with the risk-management and incident-notification obligations (articles 23, 24, 25) reach up to 10 million euro or 2% of the total worldwide annual turnover of the previous financial year for essential entities, and up to 7 million or 1.4% for important entities, with proportional minimums.
It is worth recalling that the ACN follows principles of proportionality: the maximum amounts represent the statutory ceiling, not the typical sanction. Case-by-case modulation takes into account gravity, duration, any precedents, harm caused, intent or negligence, mitigation measures adopted, the level of cooperation with the authority. The first significant formal challenges are expected between late 2026 and early 2027, but monitoring activity has been under way for months. An ISO audit does not impose administrative sanctions: it identifies non-conformities that are closed with corrective actions agreed with the certification body.
NIS2 entity or supplier of a NIS2 entity?
A distinction that frequently causes confusion: being a supplier of a NIS2 entity does not automatically make you a provider of essential services within the meaning of the decree. Formal qualification as a NIS entity depends on your own sector and size, not on the identity of your clients.
There is, however, a contractual cascade that should not be underestimated. Article 24, letter d) requires the NIS entity to manage the security of relationships with its direct suppliers, and the ACN — in the relevant-supplier census model provided by the platform — distinguishes between ICT supply, non-fungible supply and non-fungible ICT supply. In practice, this means that in the 2026 and 2027 contract renewals NIS2 clients will pass on, by contract, more stringent security requirements: clauses on patching timeframes, vulnerability reporting, support duration, required certifications, sample audits, incident confidentiality. Typical examples already seen in 2026 contracts: patching of critical vulnerabilities within predefined timeframes, the right to periodic supplier audits, the obligation to report to the client any incidents impacting the service within 24 hours, maintenance of the security certifications declared at the time of award.
For those who are suppliers of a NIS entity without being one themselves, an ISO 27001:2022 posture becomes a relevant commercial argument and a faster operational base to extend to the new contractual requests. It is not a NIS obligation, but it is a market reality that is consolidating rapidly.
The personal liability of the board
We come to the element that requires the most attention from top management: the personal liability of the administrative and management bodies. Article 23 of Legislative Decree 138/2024 — a direct transposition of article 20 of the NIS2 Directive — does not merely require the organisation to organise itself: it requires that top management itself approve the way the measures are implemented, oversee their implementation, receive periodic or timely information on notified incidents, and undergo personal training.
The Italian legislator has reinforced the framework with article 38, paragraph 5, which establishes cumulative liability: the organisation remains liable and the authority may, in addition, hold the senior natural person liable. The most immediate parallel, in Italian legal culture, is article 17 of Legislative Decree 81/2008 on workplace safety: some obligations cannot be delegated. Technical delegation to the CISO or to an external provider is permissible and necessary, but it does not relieve top management of the duty of oversight, and it implies that the delegate has effective means — human and material resources — to fulfil the role. For senior public officials, profiles of managerial, disciplinary and administrative-accounting liability are added.
In short: the company leader who approaches NIS2 with the mindset of «we have IT, we have ISO, we should be fine» is underestimating an aspect that concerns them personally.
A three-horizon adaptation roadmap
For organisations already ISO 27001:2022 certified, the path of adaptation to NIS2 reasonably unfolds over three time horizons:
1. Immediate (within 30 days): verification of registration on the ACN platform and completion of the categorisation of activities and services by 30 June 2026 (the window opened on 1 May 2026, Determination 155238/2026), a binding and non-deferrable deadline; scheduling of cybersecurity training for the administrative and management bodies under article 23, with a realistic calendar and content that goes beyond awareness-raising, consistent with the personal obligation of top management; mapping of the decree’s actual scope of application, comparing it with the existing ISO Statement of Applicability to highlight the areas outside the ISO scope but inside NIS.
2. Short term (3-6 months): definition and testing of incident-management and notification procedures, consistent with the 24-hour, 72-hour and one-month timeframes and with the four IS types of Determination 379907/2025; technical gap analysis between implemented ISO 27001:2022 controls and Annex 1 (important entities) or Annex 2 (essential entities) of the same determination; structured mapping of relevant suppliers with a distinction between ICT, non-fungible and non-fungible ICT supply, and design of contractual clauses for the cascade.
3. Strategic (9-12 months): full implementation of the baseline security measures by October 2026 for entities notified in the first wave, with consistent timing for those added in 2026; integration of the FNCDP 2025 edition into the corporate risk-management framework, avoiding duplication with the existing ISMS; preparation of structured documented evidence ahead of ACN audit and inspection activities, capitalising on the documentary discipline already matured through ISO certification audits.
A complementary ecosystem, not an alternative
ISO/IEC 27001:2022 and NIS2 are not in competition: they are different pieces of the same picture. Certification provides the management system, process discipline, the culture of continuous improvement, independent third-party verification. NIS2 adds the public perimeter — the sectors critical to the community, structured categorisation on the ACN model, the personal liability of top governance bodies, external supervision with sanctioning power. For those already certified, the competitive advantage along the path exists and is significant: the organisational engine is already assembled, it needs to be realigned and completed. For those who are not, NIS2 becomes the occasion to build it in a structured way, ideally seizing the opportunity to obtain the certification as an effect of the adaptation work.
Looking ahead, the European cybersecurity certification schemes under construction at ENISA — EUCC for ICT products and EUCS being adopted for cloud services — will be able to offer additional tools for demonstrating conformity, integrating with the NIS2 framework. But the principle stands: certification does not replace regulatory compliance. It is an excellent precondition, rarely a point of arrival.
Sources and regulatory references
Primary legislation
- Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 — NIS2
- Legislative Decree no. 138 of 4 September 2024, transposing Directive (EU) 2022/2555 (Italian Official Gazette, General Series no. 230 of 1 October 2024)
- Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024, laying down rules for the application of NIS2 for specific categories of entities
Acts of the Italian National Cybersecurity Agency
- Determination of the ACN Director General no. 379907 of 19 December 2025 — Baseline specifications for the obligations under articles 23, 24, 25, 29 and 32 of the NIS decree, with annexes 1-4
- Determination of the ACN Director General no. 127434/2026 — Terms for entities included for the first time in 2026 in the list of NIS entities
- Determination of the ACN Director General no. 127437/2026 — Platform, point of contact and deputy, NIS representative under article 7 of the NIS decree
- Determination of the ACN Director General no. 155238/2026 — Relevance categories, process, methods and criteria for listing, characterising and categorising activities and services
Technical references
- ISO/IEC 27001:2022 — Information security, cybersecurity and privacy protection — Information security management systems — Requirements
- National Framework for Cybersecurity and Data Protection (FNCDP), 2025 edition
- ENISA — Technical Implementation Guidance — Mapping table v1.0 (June 2025)
- ACN portal, NIS section — «The legislation» and «Methods and baseline specifications» pages
Article updated to 10 May 2026.