ISO Certification | NIS2 | 4-minute read | March 2026

ISO 27001 Certification and NIS2 Supervisory Scrutiny

ISO 27001 certification demonstrates that a management system was in place and conformed to the standard at the point of audit. NIS2 supervisory scrutiny asks a different set of questions: whether specific obligations under the directive are met at the time of inspection, including management body accountability, incident notification readiness and supply chain security in the form the directive requires.

For boards of NIS2 in-scope organisations that hold ISO 27001 certification, the certificate does not address the questions a supervisory authority will ask. The certification audit was designed to a different standard for a different purpose.

What ISO 27001 certification demonstrates

The certification process audits a management system against the ISO 27001 standard. An accredited certification body confirms that the management system conformed to the standard on the date of the audit. Surveillance audits follow annually and recertification occurs every three years, but these maintain the certificate rather than providing continuous assurance that controls are effective or that the organisation's regulatory position is current.

ISO 27001 and NIS2 overlap in significant areas. The standard's controls map to many of Article 21's ten security measure categories, and an organisation that has implemented ISO 27001 seriously will have addressed a meaningful portion of the NIS2 technical requirements. The question is what remains.

Where the gaps are

The gaps are in the areas NIS2 treats as governance obligations rather than technical controls.

Article 20

The certification audit examines top management involvement in the ISMS. What it leaves unverified is whether the management body formally approved the cybersecurity risk management measures, in what form approval was given, and what reporting the management body received on implementation.

Article 23

NIS2 requires notification to the competent authority within 24 hours of awareness of a significant incident, with a full report within 72 hours. Whether this specific capability has been built and tested falls outside the certification audit's scope.

Article 21(2)(d)

Supply chain security under NIS2 carries specific expectations about supplier security assessments and the security of direct supplier relationships. The ISO 27001 supplier management controls provide a foundation but only partially cover those requirements.

These are three of the more significant gaps. The full picture requires a NIS2-specific gap assessment.

What the board should take from its certification

ISO 27001 certification is a useful foundation for NIS2 compliance and a positive indicator of baseline maturity. A supervisory authority will treat it as such. The board's question is which obligations remain uncovered, because those are the areas where the compliance position is weakest and where management body accountability under Article 20 is most exposed.

A gap assessment that takes the certified management system as its starting point maps the obligations that certification does not address and gives the management body a clear picture of the work and investment required to close them. That picture is the basis for the compliance decisions the board is required to make.

How this affects your organisation

For board members of ISO 27001-certified organisations in NIS2 scope, the certificate shifts the question rather than answering it. The starting position is stronger than that of an organisation without certification. The gaps that remain are the management body's responsibility to identify and address.

A supervisory authority investigating an incident will assess compliance with the directive's specific obligations. Article 20 accountability applies to those obligations regardless of certification status.

If your organisation holds ISO 27001 certification and wants to understand its NIS2 compliance position, an advisory call is a useful starting point.