If your organisation holds an ISO 27001:2013 certification and operates within NIS2 scope, you are sitting on one of the most efficient compliance investments available in 2026. The transition to ISO 27001:2022 and the implementation of NIS2 Article 21 measures share so much common ground that doing them in parallel saves roughly 30-40% of the effort compared to tackling them sequentially. The catch is that this window is closing, and organisations that have not yet begun the transition are running out of comfortable runway.
This is not a theoretical claim. The overlap between ISO 27001:2022's restructured Annex A controls and NIS2's cybersecurity risk-management measures is structural and specific. Both frameworks emerged from the same threat landscape, both address the same organisational capabilities, and both demand the same categories of evidence. An organisation that builds its control framework once — designed to satisfy both sets of requirements — avoids the rework, redundant documentation, and duplicated audit preparation that plague sequential implementation.
The Transition Timeline
The original transition deadline for ISO 27001:2022 was 31 October 2025. Organisations with existing 2013 certifications were given a three-year window from the publication of the 2022 edition to transition. As of early 2026, some certification bodies have granted limited extensions for organisations demonstrating good-faith transition progress, but these are not guaranteed and vary by accreditation body.
For organisations that missed the October 2025 deadline, the practical reality is urgent but not hopeless. Certification bodies are conducting transition audits throughout 2026, and most will accommodate organisations that begin the transition process now, provided the scope of changes is well-documented and a credible timeline is presented. However, any organisation still operating under a 2013 Statement of Applicability is carrying both certification risk and a missed efficiency opportunity.
The NIS2 timeline adds pressure. With transposition deadlines having passed in October 2024 and member state enforcement regimes now operational — unevenly, but operational — the need to demonstrate NIS2-aligned measures is not hypothetical. Supervisory authorities in several member states have begun preliminary assessments of essential entities. Those assessments ask for evidence of implemented measures under Article 21. Having ISO 27001:2022 certification does not automatically satisfy NIS2 requirements, but it provides a substantial evidence base and a recognised assurance signal.
ISO 27001:2022 Changes That Matter for NIS2
The 2022 edition restructured Annex A from 14 domains with 114 controls to 4 themes with 93 controls. But the real significance lies not in the restructuring — that is largely organisational — but in the 11 new controls introduced. Several of these new controls map directly to NIS2 concerns that had no clear ISO 27001:2013 equivalent.
A.5.7 — Threat intelligence. This new control requires organisations to collect, analyse, and act on threat intelligence relevant to their information security. NIS2 Article 21(2)(e) requires "vulnerability handling and vulnerability disclosure," and Recital 58 explicitly references threat intelligence sharing. Under the 2013 edition, threat intelligence was an implicit good practice. Under the 2022 edition, it is an explicit control with auditable requirements. Implement it once, and it serves both purposes.
A.5.23 — Information security for use of cloud services. The 2013 edition predated the current cloud dependency landscape. This new control requires specific security measures for cloud service adoption, use, management, and exit. It maps to NIS2 Article 21(2)(d) on supply chain security and, for financial entities also subject to DORA, to Articles 28-29 on ICT third-party risk. For any organisation that relies on cloud infrastructure — which is nearly every organisation — this control fills a gap that previously required custom implementation.
A.5.30 — ICT readiness for business continuity. This control explicitly requires that ICT services are recoverable within required timeframes after disruption. NIS2 Article 21(2)(c) requires "business continuity, such as backup management and disaster recovery, and crisis management." The 2013 edition addressed business continuity broadly through A.17. The 2022 edition's A.5.30 sharpens the requirement to focus on ICT recovery specifically — aligning precisely with what NIS2 supervisors evaluate.
A.7.4 — Physical security monitoring. The new control requires continuous monitoring of premises for unauthorised physical access. While NIS2 does not heavily emphasise physical security, Article 21(2)(i) references "physical and environmental security" as part of the baseline measures. Implementing A.7.4 as part of the transition satisfies both the ISO auditor and the NIS2 supervisory assessment.
A.8.9 — Configuration management. Secure configurations for hardware, software, services, and networks must be established, documented, implemented, monitored, and reviewed. NIS2 Article 21(2)(e) references "security in network and information systems acquisition, development and maintenance, including vulnerability handling." Proper configuration management is foundational to that requirement.
A.8.12 — Data leakage prevention. A new explicit control addressing data loss prevention measures. While NIS2 does not name DLP specifically, the general requirement for "appropriate and proportionate" security measures under Article 21(1) encompasses controls that prevent unauthorised data exfiltration — particularly for essential entities handling sensitive data.
The NIS2 Overlap Map
The following mapping demonstrates why parallel implementation is so efficient. Each NIS2 Article 21(2) measure has substantial coverage from ISO 27001:2022 Annex A controls.
| NIS2 Article 21(2) Measure | ISO 27001:2022 Annex A Controls |
|---|---|
| (a) Risk analysis and information system security policies | A.5.1 (Policies), A.5.2 (Roles), A.8.1-A.8.34 (Technology controls) |
| (b) Incident handling | A.5.24 (IR planning), A.5.25 (Assessment), A.5.26 (Response), A.5.27 (Learning), A.6.8 (Event reporting) |
| (c) Business continuity, backup management, disaster recovery, crisis management | A.5.29 (BC during disruption), A.5.30 (ICT readiness), A.8.13 (Backup), A.8.14 (Redundancy) |
| (d) Supply chain security | A.5.19-A.5.22 (Supplier relationships), A.5.23 (Cloud services) |
| (e) Security in acquisition, development, maintenance; vulnerability handling | A.8.25-A.8.31 (Secure development), A.8.8 (Technical vulnerabilities), A.8.9 (Configuration management) |
| (f) Policies to assess effectiveness of measures | A.5.35-A.5.36 (Compliance review, independent review) |
| (g) Basic cyber hygiene practices and training | A.6.3 (Awareness training), A.6.5 (Termination responsibilities) |
| (h) Policies on cryptography and encryption | A.8.24 (Cryptography) |
| (i) Human resources security, access control, asset management | A.5.9-A.5.14 (Asset management), A.5.15-A.5.18 (Identity/access), A.6.1-A.6.8 (People controls) |
| (j) Multi-factor authentication, secured communications | A.5.14 (Information transfer), A.5.17 (Authentication), A.8.5 (Secure authentication) |
The coverage is not perfect — NIS2's supply chain requirements extend beyond ISO 27001's supplier relationship controls, particularly regarding cascading obligations and sector-specific coordination. And NIS2's incident reporting timelines (24-hour early warning, 72-hour incident notification) have no ISO 27001 equivalent because they are supervisory process requirements, not control requirements. But the evidence produced for ISO 27001:2022 compliance covers approximately 70-80% of what NIS2 supervisory assessments require.
Efficiency Gains From Parallel Implementation
The 30-40% efficiency gain comes from specific, identifiable areas of overlap. Here is where you avoid doing work twice.
Risk assessment. ISO 27001 requires a formal information security risk assessment as the basis for control selection. NIS2 Article 21(1) requires risk-management measures based on an "all-hazards approach." The risk assessment methodology, threat catalogue, and risk treatment plan can be built once to serve both frameworks. The scope may differ slightly — ISO 27001's scope is defined by the ISMS boundary, while NIS2 applies to the entity's network and information systems supporting essential or important services — but the methodology, tooling, and governance structure are shared.
Policy framework. The policies required under ISO 27001:2022 A.5.1 and those expected under NIS2 Article 21(2)(a) are substantially the same documents. Information security policy, access control policy, incident response policy, business continuity policy, supplier management policy, cryptography policy — write each one with both frameworks in mind and you produce one set of policies, not two.
Control implementation. The technical and organisational controls implemented to satisfy Annex A requirements simultaneously satisfy NIS2 Article 21 measures. Multi-factor authentication (A.5.17 / Art. 21(2)(j)), backup management (A.8.13 / Art. 21(2)(c)), vulnerability management (A.8.8 / Art. 21(2)(e)) — each is implemented once and evidenced for both purposes.
Evidence collection. This is where the largest efficiency gain lies. Both ISO 27001 audits and NIS2 supervisory assessments require evidence of control operation — not just design, but ongoing effectiveness. Access review logs, penetration test reports, incident response records, business continuity test results, training completion records. Implementing automated evidence collection once produces the evidence base for both frameworks.
Audit preparation. Internal audit programmes that assess ISO 27001 controls against both the Annex A requirements and NIS2 Article 21 measures produce a single assurance output serving dual purposes. The compliance automation approach — mapping controls to multiple framework requirements simultaneously — eliminates the duplicated preparation that plagues organisations treating each framework independently.
The Certification Advantage for NIS2 Supervision
NIS2 Recital 79 explicitly recognises the role of international standards, including ISO 27001, as a basis for implementing cybersecurity risk-management measures. Article 25 allows member states to require essential and important entities to use "particular ICT products, ICT services and ICT processes, either developed by the entity or procured from third parties, that are certified under European cybersecurity certification schemes." While ISO 27001 is not a European cybersecurity certification scheme in the ENISA sense, its role as a recognised baseline is embedded in NIS2's architecture.
Practically, this means that ISO 27001:2022 certification affects the supervisory approach in several ways.
First, it establishes a presumption of baseline maturity. A certified organisation has undergone independent assessment of its information security management system. Supervisory authorities typically calibrate their examination intensity based on existing assurance evidence. Certification does not exempt an entity from NIS2 requirements, but it shifts the supervisory conversation from "do you have controls?" to "are your controls adequate for the specific risks you face?"
Second, it provides structured evidence. ISO 27001 certification requires documented policies, risk assessments, control implementations, internal audit results, and management review records. These artefacts directly serve NIS2 supervisory requests. An organisation without certification must produce equivalent evidence ad hoc — a significantly more expensive and time-consuming exercise.
Third, it signals governance maturity. The management system requirements of ISO 27001 — top management commitment, defined roles and responsibilities, regular review, continual improvement — align with NIS2 Article 20's requirement for management body approval and oversight of cybersecurity risk-management measures. Certification evidence demonstrates that governance structures exist and function.
For organisations considering how to approach multi-framework compliance strategically, the ISO 27001:2022 transition is the natural starting point. For those wanting to understand how NIS2 and ISO 27001 compare in detail, the control-level mapping above provides the specific reference points.
Common Transition Mistakes
Across the transition projects we have observed, several failure patterns recur.
Treating the transition as a documentation exercise. Organisations that simply re-map their existing 2013 controls to the 2022 Annex A structure without evaluating the new controls miss the point. The 11 new controls exist because the threat landscape evolved. Threat intelligence (A.5.7), cloud security (A.5.23), and data leakage prevention (A.8.12) are not bureaucratic additions — they address real capability gaps that the 2013 edition did not cover. Implementing them properly strengthens your security posture. Papering over them with existing documentation weakens your certification and your NIS2 evidence.
Gap analysis shortcuts. Some organisations perform a cursory gap analysis that identifies the new controls as "partially met" based on tangential existing activities. A SIEM that ingests threat feeds does not satisfy A.5.7's requirement for threat intelligence that informs risk decisions. A cloud usage policy does not satisfy A.5.23's requirement for specific cloud security controls including exit planning. Honest gap analysis — acknowledging where genuine gaps exist — leads to genuine improvement. Optimistic gap analysis leads to audit findings and, worse, supervisory concerns.
Ignoring the NIS2 mapping opportunity. Organisations that transition to ISO 27001:2022 without simultaneously mapping their controls to NIS2 Article 21 requirements leave efficiency on the table. The transition project already involves reviewing every control, updating documentation, and collecting new evidence. Adding the NIS2 mapping layer at this stage costs perhaps 10-15% additional effort. Adding it later, as a separate project, costs 50-60% of a standalone NIS2 implementation.
Evidence re-mapping failures. The transition requires not just mapping controls but also mapping evidence. If your access review evidence was structured around A.9 (Access control) under the 2013 edition, it needs to be reorganised to serve A.5.15-A.5.18 and A.8.2-A.8.5 under the 2022 edition. Organisations that update their Statement of Applicability without updating their evidence management structures create a disconnect that auditors identify immediately.
Underestimating the Annex A attribute tagging. ISO 27001:2022 introduced five attributes for each control: control type, information security properties, cybersecurity concepts, operational capabilities, and security domains. These attributes are not mandatory for certification, but they provide a powerful cross-referencing mechanism — particularly for NIS2 mapping. Organisations that implement them gain the ability to query their control framework by capability domain rather than just by control number, which is exactly how NIS2 supervisory assessments are structured.
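As an added illustration, not the page's own tooling or anything published by a certification body, here is a small Python model of the cross-referencing the last two points describe: a control catalogue tagged with attribute values and mapped to NIS2 Article 21(2) letters, a query by operational capability rather than by control number, and a re-keying of a 2013-structured evidence register onto its 2022 successors so that unevidenced controls become visible. The control-to-measure links and the A.9 migration follow the page's table and text; the attribute values, the other migration entries and the evidence register are constructed samples and should be read as assumptions.

```python
"""Control-framework model: Annex A controls with ISO 27002:2022-style attribute tags,
NIS2 Art. 21(2) mappings, and a 2013 -> 2022 evidence re-map.
Added example; attribute values and evidence items are constructed samples."""
from dataclasses import dataclass
from collections import defaultdict


@dataclass(frozen=True)
class Control:
    cid: str             # Annex A identifier, e.g. "A.5.7"
    title: str
    capability: str      # "operational capabilities" attribute (assumed sample values)
    concepts: frozenset  # "cybersecurity concepts" attribute (assumed sample values)
    nis2: frozenset      # NIS2 Art. 21(2) letters this control evidences (from the page's table)


CATALOGUE = [
    Control("A.5.7", "Threat intelligence", "Threat_and_vulnerability_management",
            frozenset({"Identify", "Detect", "Respond"}), frozenset({"e"})),
    Control("A.5.15", "Access control", "Identity_and_access_management",
            frozenset({"Protect"}), frozenset({"i"})),
    Control("A.5.17", "Authentication information", "Identity_and_access_management",
            frozenset({"Protect"}), frozenset({"i", "j"})),
    Control("A.5.23", "Cloud services security", "Supplier_relationships_security",
            frozenset({"Identify", "Protect"}), frozenset({"d"})),
    Control("A.5.30", "ICT readiness for business continuity", "Continuity",
            frozenset({"Respond", "Recover"}), frozenset({"c"})),
    Control("A.8.5", "Secure authentication", "Identity_and_access_management",
            frozenset({"Protect"}), frozenset({"j"})),
    Control("A.8.8", "Management of technical vulnerabilities",
            "Threat_and_vulnerability_management",
            frozenset({"Identify", "Protect"}), frozenset({"e"})),
    Control("A.8.13", "Information backup", "Continuity",
            frozenset({"Recover"}), frozenset({"c"})),
]

# 2013 -> 2022 migration. The A.9 entry is the one the page describes; the others
# are assumed sample entries in the same shape.
MIGRATION_2013_TO_2022 = {
    "A.9": ["A.5.15", "A.5.16", "A.5.17", "A.5.18", "A.8.2", "A.8.3", "A.8.4", "A.8.5"],
    "A.12.6": ["A.8.8"],
    "A.17": ["A.5.29", "A.5.30", "A.8.14"],
}

# Constructed evidence register, still organised by 2013 control numbers.
EVIDENCE_2013 = {
    "A.9": ["Q3 access review export", "MFA enrolment report"],
    "A.12.6": ["vulnerability scan summary"],
}


def controls_for_measure(letter, catalogue=CATALOGUE):
    """Annex A controls whose mapping covers NIS2 Art. 21(2)(<letter>)."""
    return sorted(c.cid for c in catalogue if letter in c.nis2)


def controls_by_capability(capability, catalogue=CATALOGUE):
    """Query by the 'operational capabilities' attribute instead of by control number."""
    return sorted(c.cid for c in catalogue if c.capability == capability)


def uncovered_measures(letters, catalogue=CATALOGUE):
    """Art. 21(2) letters that no catalogued control is mapped to (the honest gap list)."""
    return sorted(l for l in letters if not controls_for_measure(l, catalogue))


def remap_evidence(register_2013, migration=MIGRATION_2013_TO_2022):
    """Re-key evidence from 2013 control ids to every 2022 successor control.
    The migration is many-to-many, so each item is offered to all successors;
    a reviewer still decides which successor it genuinely supports."""
    out = defaultdict(list)
    for cid_2013, items in register_2013.items():
        for cid_2022 in migration.get(cid_2013, []):
            out[cid_2022].extend(items)
    return dict(out)


def unevidenced_controls(catalogue, register_2022):
    """Controls declared in the SoA that no evidence item currently supports."""
    return sorted(c.cid for c in catalogue if not register_2022.get(c.cid))


if __name__ == "__main__":
    remapped = remap_evidence(EVIDENCE_2013)
    print("Art. 21(2)(j) coverage:", controls_for_measure("j"))
    print("Continuity capability:", controls_by_capability("Continuity"))
    print("Measures without a mapped control:", uncovered_measures("abcdefghij"))
    print("Controls with no evidence after re-map:", unevidenced_controls(CATALOGUE, remapped))
```

The last two queries are the useful ones in practice: `uncovered_measures` is the list a gap analysis should not be allowed to shrink by relabelling tangential activity as "partially met", and `unevidenced_controls` run after the re-map surfaces exactly the disconnect between an updated Statement of Applicability and an evidence store still filed under 2013 numbers.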
Key Takeaways
The transition window is narrowing. Organisations still on ISO 27001:2013 need to begin now. Certification bodies are conducting transition audits throughout 2026, but the comfortable planning horizon has passed.
Parallel implementation saves 30-40% effort. The overlap between ISO 27001:2022 Annex A and NIS2 Article 21 is specific and substantial. Organisations that implement both simultaneously avoid duplicate risk assessments, duplicate policy frameworks, duplicate evidence collection, and duplicate audit preparation.
New Annex A controls align directly with NIS2 gaps. Threat intelligence (A.5.7), cloud security (A.5.23), and ICT readiness for business continuity (A.5.30) address precisely the areas where ISO 27001:2013 fell short of NIS2 expectations. Implementing them properly fills both the certification gap and the NIS2 evidence gap.
Certification shifts the supervisory conversation. ISO 27001:2022 certification does not satisfy NIS2 requirements, but it provides a recognised baseline, structured evidence, and governance maturity signals that affect how supervisory authorities approach examination.
Honest gap analysis is non-negotiable. Treating the transition as a re-mapping exercise rather than a genuine capability improvement leads to audit findings, weakened certification, and NIS2 evidence that does not withstand supervisory scrutiny. The new controls exist because the old framework had gaps. Close them.
