NIS2 and ISO 27001:
How companies can make their ISMS fit for the new requirements
The NIS2 Implementation Act (NIS2UmsuCG) has been in force in Germany since December 6, 2025. Compliance and data protection officers who thought they were on the safe side with an existing ISO 27001 certification are now faced with an uncomfortable question: Is that really enough?
The short answer is: No, not completely. The longer answer explains why a well-established ISMS in accordance with ISO 27001 is nevertheless the best starting point and where specific improvements are needed.
What the NIS2 directive really requires of companies
The EU’s NIS2 Directive is not a recommendation, but applicable law. In the German NIS2 Implementation Act, Section 30 BSIG-neu specifies ten minimum measures for risk management that are directly based on Article 21 of the NIS2 Directive. These include concepts for risk analysis, incident response processes, business continuity management including backup strategies, supply chain security and the use of cryptographic procedures and multi-factor authentication.
This is particularly important for compliance officers: The law expressly obliges management to implement and monitor these measures, and managers can be held personally liable in the event of violations. Fines can amount to up to 10 million euros. In addition, “particularly important” and “important” institutions must register with the BSI. The corresponding portal has been activated since January 6, 2026.
Significant security incidents must be reported within 24 hours, an extended report follows within 72 hours and a final report after one month. This is not a bureaucratic side issue, but an operational requirement that affects processes and documentation in equal measure.
ISO 27001 as a foundation – but not a free pass
Those who already operate an ISMS in accordance with ISO 27001 have a real head start. Both sets of rules follow a risk-based approach: identify, assess and treat risks and continuously review the effectiveness of the measures. The mapping between NIS2 Article 21 and the ISO 27001 controls is solid. Areas such as risk management, asset management, incident management, supply chain security and business continuity are well anchored in the ISO standard.
Nevertheless, there are structural differences that should not be ignored. ISO 27001 is a voluntary, internationally recognized standard. NIS2 is binding EU law with sectoral requirements, specific reporting deadlines and state supervision by the BSI. While ISO 27001 allows exceptions with justification for certain controls, NIS2 leaves much less leeway. Many requirements are simply mandatory, regardless of the internal risk assessment.
In short: a certified ISMS provides the structure. But it does not automatically cover the NIS2-specific obligations relating to reporting, registration and governance.
Where the gaps typically lie
In practice, a gap analysis between the existing ISO 27001 ISMS and NIS2 repeatedly reveals similar weaknesses. Three of them stand out in particular.
From standard to proof: Why Excel is reaching its limits
Many organizations start their NIS2 compliance journey exactly as they know it from the ISO 27001 implementation: with Excel lists, loose document collections and manually maintained mapping tables. This works to get started, but it doesn’t scale.
As soon as risk registers, action statuses, supplier assessments, incident logs and management decisions live in different files and directories, versioning problems and responsibility gaps arise, and every audit sprint becomes a nightmare. The BSI expects an “appropriate documented security level”, and that means: traceable, versioned, consistent.
What authorities and auditors want to see is not a folder full of PDFs. It is a living register that shows which risks are known, which measures have been taken, who is responsible for them and when which decision was made. All in one consistent system, not spread across a dozen files.
How BAYOOSOFT Themis supports this process
If you want to use your ISMS in accordance with ISO 27001 as the basis for NIS2 compliance, you face a very specific challenge: the documentation must not only be available, it must be audit-ready. Standard requirements must be linked to actual processes, roles and responsibilities and this must be verifiable, versioned and retrievable at any time.
This is precisely the approach of BAYOOSOFT Themis. As a process-led platform for QM and ISMS documentation, Themis closes the gap between the standard and the actual process. The integrated ISO 27001 guide links standard chapters directly with the company’s SOPs. Roles, responsibilities and approval steps are stored in a structured manner. A complete audit trail documents who decided or approved what and when, without having to manually search through various files.
What this means for NIS2: If you set up and maintain your ISO 27001 ISMS in a structured way with Themis, you have the evidence base that auditors and – in the NIS2 context – authorities expect. No gaps between the standard chapter and the actual process, no outdated documents in loose folders, no audit sprint just before the deadline.
Themis deliberately positions itself not as a scanner tool or pure document archive, but as a platform for procedural excellence: the discrepancy between the standard and actual practice is the greatest audit risk and this is precisely where Themis comes in.