
NIS2 Compliance: Leveraging ISO 27001

Updated: Feb 25

As cybersecurity regulations evolve to address growing threats, organizations must align their risk management practices with multiple regulatory frameworks. One key regulation in the European landscape is the NIS2 Directive (Network and Information Security Directive 2).


This article provides a brief overview of NIS2, while exploring how the Clauses and Annex controls defined by ISO 27001 can be leveraged to enhance your organization’s risk management processes to comply with these regulations.


About NIS2 and ISO 27001


The NIS2 Directive establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU. These 18 sectors are defined in Annex I and Annex II of the Directive: Annex I covers the sectors of Essential Entities and Annex II the sectors of Important Entities. Medium-sized and large entities in these sectors must take appropriate cybersecurity risk-management measures and notify the relevant national authorities of significant incidents.


In addition to expanding the scope of impacted entities, NIS2 Article 20 introduces accountability of top management for non-compliance, and Article 21 introduces cybersecurity risk-management measures with an integrated "all hazards approach" that aims to provide a minimum level of protection from incidents for network and information systems and the physical environment of those systems.


ISO/IEC 27001:2022, the globally recognized standard for information security management systems (ISMS), provides a risk-based approach to information security management that can help your organization meet the requirements of NIS2. By leveraging the ISO 27001 clauses to establish an effective governance function, and by applying the 93 Annex A controls specified by the standard, organizations can cover the bulk of NIS2 with minimal additional effort; the remaining work is limited to certain prescriptive requirements of the regulation that go beyond the standard.




Enforcement Note: NIS2 came into force January 2023, with member states having until 17 October 2024 to transpose the NIS2 Directive into law. NIS2 repealed NIS1 as of 18 October 2024.




ISO 27001 Mapping for Required Cybersecurity Measures Under NIS2 Directive:


"Cyber hygiene practices," while mentioned multiple times within the NIS2 Directive, are not directly defined by the European Commission. A best-practice approach is to look to the 93 Annex A controls in ISO 27001 for guidance.


Prescriptive enhancements to ISO 27001 controls noted above for NIS2 include:


Article 23: Incident Reporting Requirements (A.5.24 – A.5.28)


  • Significant Incidents – Incidents must be reported if they cause severe operational disruption, data loss, or financial damage.


  • 24 Hours – Entities must provide an early warning notification to the CSIRT or competent authority.


  • 72 Hours – A more detailed incident notification must be submitted to the CSIRT or competent authority.


  • 1 Month – A final incident report, including root cause analysis and mitigation actions, must be submitted to the CSIRT or competent authority.


Additional Enforcement Measures Under NIS2 Directive


Article 32: Essential Entity Enforcement Measures


  • Article 32(a): On-site inspections and off-site supervisions – including random checks conducted by trained professionals.


  • Article 32(b): Regular and Targeted Security Audits based on risk assessments conducted by competent authorities.


  • Article 32(c): Ad hoc audits, including where justified on the grounds of a significant incident or an infringement of the NIS2 Directive by an Essential Entity.


  • Article 32(d): Security Scans based on objective, non-discriminatory, fair and transparent risk assessment criteria.


  • Article 32(e)(f)(g): Information Requests include policies, evidence of implementation of policies, access to data necessary to carry out supervisory tasks, results of security audits, and underlying audit evidence.


Article 33: Important Entity Enforcement Measures


  • Article 33(a): On-site inspections and off-site ex post supervisions conducted by trained professionals.


  • Article 33(b): Targeted Security Audits carried out by an independent body or the competent authority.


  • Article 33(c): Security Scans based on objective, non-discriminatory, fair and transparent risk assessment criteria.


  • Article 33(d)(e)(f): Information Requests include policies, evidence of implementation of policies, access to data necessary to carry out supervisory tasks, results of security audits, and underlying audit evidence.


Registration of Entities Under NIS2 Directive:


  • Article 24: Entities that must register with a member state's Single Point of Contact (A.5.4 & A.5.31) include DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data center service providers, content delivery network providers, managed service providers, managed security service providers, as well as providers of online marketplaces, online search engines, and social networking services platforms.


  • Article 27(2)(a-f): Registration information required to be submitted to competent authorities by 17 January 2025: name; relevant sector, subsector, and type of entity (Annex I and II); address; point of contact information; jurisdiction(s); and entity IP ranges.


Administrative Fines on Essential and Important Entities


  • Article 34(4): Infringements of Articles 21 or 23 by Essential Entities shall incur fines of EUR 10,000,000 or 2% of world-wide annual turnover for the preceding financial year, whichever is higher.


  • Article 34(5): Infringements of Articles 21 or 23 by Important Entities shall incur fines of EUR 7,000,000 or 1.4% of world-wide annual turnover for the preceding financial year, whichever is higher.


  • Article 34(6): Additional penalties may be imposed to compel an essential or important entity to cease an infringement of the NIS2 Directive.


Defining Essential Entities and Important Entities


  • Annex I: Sectors of High Criticality (Essential Entities) include Energy, Transport, Banking, Financial markets, Health, Water supply, Digital infrastructure, ICT service management, Public Administration, and Space.


  • Annex II: Other Critical Sectors (Important Entities) include Postal and courier services, Waste management, Chemicals, Food, Manufacturing, Digital providers, and Research.


Frequently Asked Questions (FAQ)

What is NIS2?

NIS2 is an EU directive providing harmonized EU-wide legislation on cybersecurity. NIS2 is an update to the previous NIS Directive, which was repealed on 18 October 2024.

Who needs to comply with NIS 2?

What are the penalties for noncompliance with NIS2?

What are NIS2 breach notification rules?

What is NIS2 vs NIS?



If you've made it this far, thank you for reading our article on Leveraging ISO 27001 to Comply with the European Union NIS2 Directive.


ARORA Solutions LLC specializes in compliance readiness and internal audits, with an emphasis on cybersecurity. We help ensure your organization is conforming to a variety of compliance frameworks, such as SOC2, ISO 27001, ISO 27701, ISO 42001, CMMC, NIS2, DORA, GDPR, EU AI Act, and more!


Contact us if you have questions related to internal audits, regulatory compliance, or other management system needs:







USA Location:

ARORA Solutions LLC

3469 N 168th Ave., Holland, MI USA 49424

Asia-Pacific Location:

ARORA Solutions Limited

No. 9 Narpow Point, Port Vila, Vanuatu, South Pacific

Call: +1 855 960 4885

© Copyright 2023 ARORA Solutions LLC (Michigan, USA) & ARORA Solutions Limited (Vanuatu, South Pacific)
