NIS2 vs ISO 27001
NIS2 is law. ISO 27001 is a standard. They overlap heavily on technical controls but they answer to different masters — your national regulator (BSI, ANSSI…) and your certification body, respectively. The right move for a regulated EU SaaS is rarely "pick one"; it is "run both, with the crosswalk in mind so you do not duplicate work". Here is the axis-by-axis breakdown.
Axis-by-axis comparison
| Axis | NIS2 | ISO 27001:2022 |
|---|---|---|
| Type | EU Directive (EU) 2022/2555 — a directive, not a regulation, so it only binds you through each member state's transposition into national law. | International standard for an Information Security Management System (ISMS). |
| Mandatory? | Yes for in-scope entities (Annex I + II) — non-compliance is a legal infraction. | Voluntary — but expected as a market signal by enterprise buyers and procurement. |
| Geography | EU + member-state transposition. In Germany: NIS-2-Umsetzungsgesetz / BSIG. | Global. Same standard text across jurisdictions; accredited certification bodies are regional. |
| Who enforces | National regulator (BSI in Germany; ANSSI in France; …) + national CSIRT for incidents. | Certification body accredited by a national accreditation body (UKAS, DAkkS, etc.) — annual surveillance, 3-year recertification. |
| What it requires | Article 21 — 10 cybersecurity risk-management measures + Article 23 incident reporting (24h/72h/30d). | A documented ISMS plus the 93 Annex A controls in the Statement of Applicability (2022 edition). |
| Penalties | Up to €10M or 2% global turnover (essential entities); §38 BSIG adds personal liability for management bodies. | No direct fine. Certification revocation or major-non-conformity findings during surveillance audits. |
| Audit cadence | Supervisory authority can audit on-demand (Art. 32) — essential entities face proactive supervision. | Internal audits annually + external surveillance annually + full recertification every 3 years. |
| Best paired with… | ISO 27001 — Annex A controls produce ~70% of the evidence Article 21(2) requires. | NIS2 — turns the voluntary ISMS into a legally-binding compliance baseline for EU operations. |
Common confusion
"ISO 27001 certified means NIS2-compliant — I am done."
False, on two axes. (1) ISO 27001 evidence covers most but not all of Article 21(2) — the incident-reporting cadence of Article 23 and the management-body training of Article 20 are NIS2-specific. (2) ISO 27001 is between you and your certification body; NIS2 is between you and your national regulator. Your certificate has no legal weight at the BSI Meldeportal; you must file separately. Run both in parallel; do not assume one substitutes the other.
Get the external-posture evidence for both, in 60 seconds
SaaSFort scans the externally-observable portion of NIS2 Art. 21(2) AND ISO 27001 Annex A.8.* (technological controls). One PDF, two frameworks. Auditor-addressed.
Frequently asked questions
Do I need NIS2 if I already have ISO 27001?
Yes if you are in NIS2 scope. ISO 27001 is voluntary, NIS2 is law. The good news: ISO 27001:2022 Annex A controls produce roughly 70% of the documentary evidence NIS2 Article 21(2) requires. The gap is the NIS2-specific obligations — Article 23 incident reporting timelines (24h/72h/30d), Article 20 management-body training records, and Article 21(2)(d) supply-chain risk assessment. You keep the ISO 27001 certificate, you add the NIS2-specific filings.
Does ISO 27001 satisfy NIS2 Article 21 by itself?
Mostly, not entirely. The 2022 revision of Annex A explicitly maps to NIS2-relevant areas — A.5 (organisational), A.6 (people), A.7 (physical), A.8 (technological). But NIS2 Art. 21(2)(b) incident handling has stricter cadence requirements than ISO's A.5.24-A.5.26, and Art. 21(2)(d) supply-chain has more granular obligations than A.5.19-A.5.23. Treat ISO 27001 as the 70% baseline and bolt on NIS2-specific evidence for the remaining 30%.
Which one should an EU SaaS start with?
Depends on your trigger. If you have an enterprise buyer asking for a SOC 2 or ISO 27001, start with ISO 27001 — it is the most-recognised certificate. If your trigger is a NIS2 registration deadline or BSI Prüfungsanordnung, start with NIS2 Article 21 implementation. Many SaaS vendors run both tracks in parallel: ISO 27001 for the certificate, NIS2 for the regulatory filing.
Can a SaaSFort external scan produce evidence for both?
Yes for the externally-observable portion of both. The 60-check engine maps every finding to NIS2 Art. 21 sub-clauses AND ISO 27001 Annex A control IDs (A.8.20 network security, A.8.23 web filtering, A.8.24 cryptography, etc.). The same scan PDF is auditor-acceptable for the BSI under NIS2 and for an ISO 27001 surveillance auditor reviewing A.8.* technical controls.
How does the NIS2 vs ISO 27001 timeline differ?
NIS2 obligations are continuous — once you are in scope, you must comply now (BSIG transposed in Germany March 2026; full enforcement October 2026 deadline). ISO 27001 certification is a project: 6-12 months to first certificate, then a 3-year recertification cycle with annual surveillance. Many teams have been carrying NIS2 obligations informally for months before they notice that the ISO 27001 audit they had planned was actually the easier of the two deadlines.
Related: NIS2 Article 21 — the 10 measures · ISO 27001:2022 cert guide for SaaS · NIS2 / BSI / ISO 27001 glossary · SaaSFort vs Vanta · NIS2 Article 23 incident response