Not just an IT task: You must implement technical, organizational, and documented measures across the entire company.
Check applicability in time: The decisive factors are primarily your industry, company size, and in many cases, your role in the supply chain.
ISO 27001 helps, but is not enough on its own: Many requirements overlap (e.g., risk analysis, security concepts). However, you must additionally address statutory reporting obligations, BSI registration, and management responsibilities.
Management is personally liable: Executive management must approve and monitor the measures and undergo verifiable training themselves.
Act now: Those who build an ISMS early, document assets, and establish security processes reduce liability risks and build trust with customers and partners.
NIS 2 and ISO 27001: What You Really Need to Know Now
Cybersecurity has long ceased to be a voluntary IT project for your company. With the NIS 2 regulation, it becomes a clear compliance requirement—and thus a central topic for executive management, legal, IT, procurement, and operations.
The German NIS 2 Implementation Act has comprehensively modernized cybersecurity law. The central regulations can be found in the amended BSI Act. They primarily concern risk management measures, registration obligations, extremely tight reporting deadlines, and the personal responsibility of management.
For many companies, the decisive question now arises: Do we have to start completely from scratch—or can we utilize existing structures like ISO 27001?
The good news: ISO 27001 is an extremely strong foundation. The less comfortable truth: An ISO certificate does not automatically mean you meet all NIS 2 requirements.
In this article, we show you how to approach NIS 2 pragmatically, where ISO 27001 helps, and which gaps you should specifically close.
Prefer watching over reading? This article is based on our exclusive heyData webinar "NIS 2 and ISO 27001: Implementing Cybersecurity Efficiently". If you prefer to watch our experts' explanations in video format and dive deeper into practice, watch the recording here:
Table of Contents:
What is NIS 2?
NIS 2 is a European directive aimed at strengthening cybersecurity across the EU. It obligates specific companies and entities to implement appropriate technical and organizational measures to protect their IT systems.
The goal: Your company should become more resilient against cyberattacks, detect security incidents faster, and better mitigate damage. In Germany, the Federal Office for Information Security (BSI) is the central authority for implementation and supervision.
Important for you: NIS 2 is not just an issue for classic critical infrastructure (KRITIS) operators (such as electricity or water suppliers). The scope is significantly broader. It affects the upper-mid market, digital services, SaaS providers, the manufacturing sector, and numerous service providers embedded in relevant supply chains.
Whitepaper on the NIS2 Law
Who is affected by NIS 2?
Whether your company falls directly under NIS 2 depends essentially on two main factors: sector and company size.
1. The Sectors (Is your company included?)
There are a total of 18 regulated sectors. These include, among others:
Digital services (important for providers of online marketplaces, search engines, and social platforms)
Research institutions (Note: Universities are generally exempt)
2. The Thresholds (Size of the company)
As a rule, you are affected if your sector matches and your company:
has at least 50 employees OR
has an annual turnover of over 10 million euros (or a balance sheet total of over 10 million euros).
Special case:Certain providers (e.g., in the areas of DNS services, trust services, or TLD registries) are regulated from the very first employee, regardless of their size.
Why NIS 2 also hits you through the supply chain
Many companies only check for direct applicability. This is a fatal mistake. Even if your company is formally too small or does not belong to the regulated sectors, NIS 2 can hit you with full force through your customers.
The law obligates directly affected corporations and large enterprises to secure their entire supply chain. In practice, this means for you as a service provider or SaaS vendor:
You will receive significantly stricter and more detailed security questionnaires from your customers.
You must contractually and organizationally prove IT security measures.
Certificates such as ISO 27001 or proof of a functioning ISMS will become mandatory in tenders and B2B contracts.
In short: If you cannot prove your cybersecurity, you risk being dropped from the supply chain in the worst-case scenario. NIS 2 is therefore not just a compliance issue, but safeguards your market access.
The 10 core obligations of NIS 2 at a glance
NIS 2 requires affected companies to take "appropriate, proportionate, and effective technical and organizational measures." The law specifies 10 minimum measures that you must implement:
Measure
What you concretely need to do
1. Risk analysis & policies
You must know your business-critical systems, data, and processes, assess risks systematically, and document information security concepts in writing.
2. Incident handling
You need clear processes for detecting, containing, and resolving cyberattacks. Important: Significant incidents must be reported to the BSI within 24 hours (early warning) and 72 hours (full report).
3. Business Continuity (BCM)
What happens in the event of a total failure? You must be able to demonstrate contingency plans, backup management, and crisis structures to restore operations as quickly as possible.
4. Supply chain security
You must actively evaluate and contractually demand the security level of your own service providers and suppliers (e.g., cloud providers, IT service providers).
5. Security in development & IT
When you develop software or procure IT systems, security must be thought of from the very beginning (Security by Design, vulnerability management).
6. Effectiveness testing
Your measures must not just exist on paper. You must verify through regular audits, penetration tests, or reviews whether your protective measures actually work in reality.
7. Training & Cyber Awareness
Phishing remains the number one entry point. You must regularly sensitize your workforce. New: Executive management must also complete verifiable cybersecurity training.
8. Cryptography & Encryption
You must encrypt sensitive data during storage and transmission according to the current state of the art.
9. Personnel & Access controls
Who is allowed to access what? You require strict authorization concepts (least-privilege principle) as well as secure processes for employee onboarding and offboarding.
10. Multi-factor authentication
The use of MFA (e.g., via authenticator app) becomes mandatory—especially for admin accounts, remote work, and logging into business-critical cloud systems.
What role does ISO 27001 play?
ISO 27001 is the internationally recognized standard for an Information Security Management System (ISMS). An ISMS ensures that you treat IT security not as a one-off project, but as a continuous process (Plan-Do-Check-Act).
If your company is already certified according to ISO 27001, you have a massive head start. According to estimates by ENISA (European Union Agency for Cybersecurity), you already cover approx. 70 to 80% of the NIS 2 requirements with a functioning ISO standard.
ISO 27001 provides you with the perfect structural framework for:
Systematic risk analyses
Asset management (inventory of your IT landscape)
Role definitions and responsibilities
Documentation logic for authority audits
Direct comparison: Where ISO 27001 is not enough
An ISO 27001 certificate is a strong signal to the market, but it does not exempt you from the specific statutory additional obligations of NIS 2. There are fundamental differences you need to know:
Here are the critical gaps where you must sharpen your focus despite ISO certification:
The statutory registration obligation: Affected entities must actively register in the BSI portal. Missing the deadline risks immediate fines.
The ultra-tight reporting obligations: While ISO 27001 only requires you to manage incidents internally, NIS 2 demands compliance with statutory deadlines (24 hours for the initial report to the BSI).
The obligations of executive management: NIS 2 holds management personally accountable. Executive management must not only approve the measures but actively monitor them and undergo training themselves. Delegating this entirely to the IT department is legally ruled out.
Liability and sanctions: In case of ISO violations, you lose the certificate in the worst-case scenario. With NIS 2 violations, the company faces fines of up to 10 million euros (or 2% of global turnover) and management faces personal recourse liability with their private assets.
Practical implementation in 6 steps
Whether you are starting from scratch or expanding an existing ISO system—this roadmap will help you with pragmatic implementation:
Step 1: Check applicability water-tightly
Determine your sector affiliation and your key metrics. Are you in a legal gray area or are you indirectly affected as a B2B service provider via the supply chain? Document the result of this assessment carefully.
Step 2: Create a complete asset register
You can only protect what you know. Systematically record all IT systems, software applications, cloud services, critical datasets, and external service providers.
Step 3: Conduct a risk assessment
Analyze your assets: What threats exist? What impact would a failure of a specific SaaS tool or cloud hoster have on your core business?
Step 4: Build or expand your ISMS
Utilize the structure of ISO 27001 to set up security policies and assign responsible persons within the team. A digital compliance platform helps you manage all evidence and deadlines centrally.
Step 5: Implement statutory special processes
Supplement your system with specific NIS 2 requirements: Set up access to the BSI portal, integrate the 24-hour reporting obligation into your incident response manual, and schedule the mandatory training for your executive management.
Step 6: Continuous effectiveness testing
Cybersecurity is not a state, but a process. Regularly review your measures (e.g., once a quarter) for their actual functionality and adapt them to new threat landscapes.
Common mistakes in NIS 2 implementation
Mistake 1: Shifting the topic entirely to IT. NIS 2 demands holistic governance. Procurement (supplier contracts), HR (employee training), and executive management must sit at the table.
Mistake 2: Blind activism with isolated tools. Buying a new security tool is useless if the organizational processes, contingency plans, and policies behind it are lacking.
Mistake 3: Underestimating supply chain inertia. Many attacks occur via seemingly insignificant interfaces to service providers. If you do not audit your suppliers, you leave the back door wide open.
How heyData can support your company with NIS2
The flood of regulations like GDPR, ISO 27001, and now NIS 2 can quickly feel overwhelming. That is exactly where we come in. heyData is your digital operating system for compliance.
We support you in implementing regulatory requirements efficiently, transparently, and without bureaucratic frustration:
Smart applicability check & orientation: We clarify together with you which specific obligations apply to you.
Pragmatic ISMS setup: Through our digital platform, you manage your assets, risks, and security measures centrally.
ISO 27001 & NIS 2 from a single source: We help you seamlessly extend existing ISO processes to include statutory NIS 2 requirements.
Efficient vendor management: Use our extensive database of over 6,000 already evaluated software providers and service providers to secure your supply chain in no time.
Automated training: Sensitize your entire team—including the legally required specialized training for your executive management—directly via our platform.
With heyData, you do not view NIS 2 as an isolated compliance mountain, but integrate it seamlessly into your existing business processes. This is how you turn regulatory pressure into a genuine competitive advantage.
Conclusion: NIS 2 is the duty – ISO 27001 is your lever
NIS 2 finally elevates cybersecurity to the management level. What used to be a purely technical protective measure in the IT department is today a statutory obligation for corporate leadership.
ISO 27001 provides you with the perfect foundation and structure to fulfill these duties efficiently. Those who specifically supplement specific additional requirements such as reporting obligations and BSI registration now minimize not only liability risks but position themselves as a trustworthy and secure partner in the market.
FAQ – Frequently Asked Questions
What is NIS 2 explained simply?
NIS 2 is an EU-wide statutory directive that obligates companies to massively improve their IT and information security, actively manage risks, and report serious security incidents to state authorities (in Germany, the BSI) lightning-fast.
Is our ISO 27001 certification sufficient for NIS 2?
No, unfortunately not completely. ISO 27001 covers approx. 70–80% of the technical and organizational measures. However, statutory obligations such as registering with the BSI, the extremely short 24-hour reporting deadlines, and the personal training and liability obligations of management must be implemented additionally.
What happens if my company ignores NIS 2?
Drastic consequences loom: Official fines in the millions, the loss of major customers because you cannot provide security verification in the supply chain, as well as personal recourse liability of executive management in case of breaches of duty.
Does NIS 2 also affect smaller companies with fewer than 50 employees?
Directly by law only in rare exceptional cases (e.g., with DNS services). However, indirect impact via the supply chain applies here: If your customers are subject to NIS 2, they will contractually require that you, as a supplier or SaaS service provider, also demonstrate these security standards.
How do I best get started?
First, perform a clean applicability analysis and subsequently record your critical IT assets. If you want to accelerate the process and document it legally securely, a digital compliance platform like heyData supports you through every single step.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.