Skip to content
All articles
Law & regulation 9 min read· by Lars Zimmermann

NIS2 and ISO 27001: How SMEs Make the Obligation Manageable

NIS2 hits many mid-sized firms and suppliers. Why an ISO 27001 ISMS is the strongest foundation and turns the obligation into a competitive advantage.

In short

ISO/IEC 27001 is not automatically NIS2 compliance, but it is by far the strongest foundation: an ISMS structurally covers a large share of NIS2's risk-management requirements. Anyone who already has one holds a significant head start and only needs to add specific NIS2 elements such as reporting duties, registration with the authority, and management liability.

Auf Deutsch lesen: deutsche Fassung

In almost every conversation over the past few months I hear the same sentence: "We've heard NIS2 is coming our way and nobody knows exactly what we have to do now." Behind that there is rarely genuine knowledge, usually just a diffuse unease. That unease can be dissolved, and with a tool many people already know: an ISMS based on ISO/IEC 27001.

What NIS2 actually is

NIS2 is the EU Directive (EU) 2022/2555 on network and information security. It is designed to raise the level of cybersecurity across the EU and replaces the older NIS Directive. In Germany it is transposed into national law via the NIS2 Implementation Act (NIS2UmsuCG).

What matters in practice: in Germany the NIS2 Implementation Act (NIS2UmsuCG) has been in force since 6 December 2025. The original EU deadline (October 2024) was missed, but since December 2025 the requirements have been fully applicable, and registration of affected entities with the BSI is already under way (the BSI portal has been open since January 2026). If you are affected, you should act now rather than wait any longer.

Are you even affected?

NIS2 distinguishes between "essential" and "important" entities. Broadly speaking, it applies to medium-sized and large companies. As a rule of thumb, the directive names roughly 50 or more employees, or annual turnover of around EUR 10 million or more, each within specific sectors.

These sectors are broadly defined, around 18 in number. They include, among others:

  • energy, transport, and digital infrastructure
  • health, drinking water, and wastewater
  • banking and public administration
  • manufacturing in certain areas
  • providers of digital services

Many mid-sized firms underestimate whether they are affected. Even if you don't cross the thresholds directly, NIS2 can reach you through the back door: your customers, who are themselves affected, have to secure their supply chain. They pass the requirements on to their suppliers contractually. "We're too small" quickly turns into "our largest customer is demanding evidence."

NIS2 often reaches SMEs not through the statute itself, but through the procurement departments of their own major customers.

What NIS2 concretely requires of you

The central requirement is set out in Article 21 of the directive: appropriate and proportionate cybersecurity risk-management measures. This is deliberately framed on a risk basis, not as a rigid checklist. What counts as "appropriate" depends on your size, your risk, and your sector. In substance, it covers, among other things:

  • risk analysis and policies for the security of information systems
  • handling of security incidents (incident handling)
  • business continuity, backup management, and crisis management
  • supply chain security
  • access control and policies for the use of cryptography
  • staff training and awareness

On top of this come two things that go beyond pure risk management. First, the notification and reporting obligations for significant security incidents under Article 23, with staggered deadlines towards the competent authority. Second, and this is often overlooked, an explicit responsibility and liability of top management. NIS2 makes cybersecurity a matter for the boardroom, not merely a task for IT.

Why ISO 27001 is the strongest foundation

If you look at the list from Article 21 and then place an ISMS based on ISO/IEC 27001 alongside it, something stands out: most of it is exactly what an information security management system organises systematically anyway.

ISO 27001 brings a structured risk assessment, a catalogue of proven measures (the controls from Annex A), and the principle of continual improvement. Risk analysis, access control, cryptography, backup, incident handling, supplier management, awareness training: all of this is already built into an ISMS. Anyone running a living ISMS already meets a large share of NIS2's risk-management requirements structurally, without starting from scratch.

ISO 27001 turns NIS2 from a diffuse fear into a workable project with a clear beginning and end.

Where ISO 27001 ends and NIS2 goes further

Now the honest part that some providers prefer to keep quiet: an ISO 27001 certificate does not automatically mean NIS2 compliance. The two overlap heavily but are not identical. NIS2 has additional aspects that an ISMS does not cover one-to-one.

  • The specific statutory reporting obligations and deadlines towards the authority are governed by NIS2, not by the standard.
  • Registration of the entity with the competent body is a NIS2-specific obligation.
  • The explicit responsibility and liability of top management is anchored in law and is not discharged by a certificate.
  • Certain supply chain requirements may go beyond what you implemented for certification.

The honest assessment is therefore: ISO 27001 is a very strong foundation and a significant head start, but not complete fulfilment at the push of a button. That is not bad news. It simply means that, on a solid foundation, you add the last, clearly nameable building blocks rather than rebuilding the entire house.

Turning the obligation into an advantage

The decisive shift in perspective: NIS2 is not just a cost factor. A functioning ISMS is a selling point. In tenders and customer audits you are already being asked about your security level today. Anyone who can present an ISO 27001 certificate answers that question with robust evidence rather than a self-declaration.

In practice I regularly see that an ISMS opens doors that stay closed without evidence. Large clients, especially in regulated industries, favour suppliers who have done their homework. So anyone who takes NIS2 as the occasion to build an ISMS not only meets an obligation but also secures a competitive advantage that reaches beyond mere compliance.

How to start concretely

My practical advice, and none of this can constitute legal advice: first clarify soberly whether you are affected. Do you fall directly under NIS2, or does the pressure come via your customers? In both cases the next step is the same.

  • Take stock: which security measures are already running today, often more than you think?
  • Gap analysis against the ISO 27001 structure and the NIS2 requirements from Article 21.
  • Build an ISMS, or consolidate existing efforts into a system.
  • Fill the NIS2-specific gaps: reporting processes, registration, supply chain, management responsibilities.

Anyone wanting to build the necessary competence in-house is well advised to start with an understanding of the standard. An ISO/IEC 27001 Foundation course conveys the basics; the lead auditor path enables you to audit an ISMS robustly, including your own and that of suppliers. Precisely this audit competence becomes more valuable under NIS2, because supply chain security does not work on trust alone but on verifiable evidence.

The most important sentence to close on: you don't have to fear NIS2, you just have to organise it. An ISMS is the ordering system that turns a directive into a project. And unlike fear, a project has an end.

Share: LinkedIn E-Mail

Frequently asked questions

Does an ISO 27001 certificate automatically fulfil NIS2?+

No. ISO/IEC 27001 structurally covers a large share of NIS2's risk-management requirements from Article 21 and is a very strong foundation. But NIS2 has additional, non-identical obligations: specific reporting duties and deadlines, registration with the authority, particular supply chain requirements, and the explicit liability of top management. These gaps have to be filled.

When does NIS2 apply in Germany?+

NIS2 is based on the EU Directive (EU) 2022/2555 and is transposed in Germany via the NIS2 Implementation Act (NIS2UmsuCG). The act has been in force since 6 December 2025; the requirements have been fully applicable since then, and registration of affected entities with the BSI is already under way. Anyone who falls under NIS2 should act now rather than wait any longer.

Is my mid-sized company affected by NIS2?+

As a rule of thumb, NIS2 applies to medium-sized and large companies with roughly 50 or more employees or around EUR 10 million or more in annual turnover, across about 18 sectors such as energy, health, digital infrastructure, or manufacturing. Many smaller suppliers are also indirectly affected because affected customers pass the requirements down the supply chain. A sober affectedness check is the first step.

Is an ISMS worthwhile if I'm only indirectly affected via customers?+

In practice, yes. An ISMS based on ISO 27001 answers the security questions in tenders and customer audits with robust evidence rather than a self-declaration. That opens doors with large clients and turns an imposed requirement into a competitive advantage. You not only meet the supply chain expectation, you measurably raise your own security level.

Author & expert review: Lars Zimmermann · ISO/IEC 42001 Senior Lead Auditor & Senior Lead Implementer · ISO/IEC 27001 Lead Auditor & Lead Implementer (PECB)

Last updated: 16 July 2026. Researched and reviewed to the best of our knowledge; not a substitute for individual legal advice.

Sources & further reading

Questions about your own case?

In a free 15-minute intro call we assess where you stand on ISO 42001, ISO 27001 and the EU AI Act, honestly and without a sales pitch.

Continue reading