NIS2 or ISO 27001? Most companies need to answer both questions, not pick one.
NIS2 is a legal obligation for companies in specific sectors. ISO 27001 is a voluntary certification that enterprise customers increasingly require. They overlap significantly, but they are not the same thing. Here is how to think about it.
The short version.
NIS2 is regulation. ISO 27001 is certification.
NIS2 is a legal requirement under EU directive 2022/2555 (transposed into Danish law, in force 1 July 2025). It applies to specific sectors and entity sizes. ISO 27001 is a voluntary international standard that any company can pursue. Enterprise customers and procurement teams often require it.
If NIS2 applies to you, you must comply regardless of ISO 27001 status.
Having ISO 27001 does not automatically mean NIS2 compliance. NIS2 adds statutory obligations that an ISO 27001 certificate does not evidence: incident reporting on fixed deadlines (an early warning within 24 hours and a full notification within 72 hours of becoming aware of a significant incident), personal accountability of the management body, registration with the competent authority, and supply chain security obligations that go beyond the supplier controls in ISO 27001 Annex A.
If your customers require ISO 27001, NIS2 compliance alone is not enough.
NIS2 compliance does not produce an ISO 27001 certificate. If your procurement pipeline requires certification, you need the certification process regardless of NIS2 status.
In practice, the overlap is roughly 60-70%.
Both require risk assessment, access control, incident management, business continuity, and supplier management. If you build one well, the incremental effort for the other is significantly reduced. The key is sequencing: start with whichever has the harder deadline.
You likely need NIS2 if:
- You operate in a sector covered by NIS2 Annex I or II (energy, transport, health, digital infrastructure, ICT service management, and others)
- You meet the size threshold (50+ employees or 10M+ EUR turnover, though some sectors have no threshold)
- You provide services to NIS2-covered entities and they flow their supply chain obligations down to you contractually (you may not be in scope yourself, but you still have to meet their requirements)
- The Danish competent authority has classified you as an essential or important entity
You likely need ISO 27001 if:
- Enterprise customers require it as a condition of doing business (increasingly common for B2B SaaS)
- You are entering regulated markets where certification provides a trust signal
- Your competitors are certified and you are losing deals on the security comparison
- You want a structured framework to build your security programme on, regardless of regulatory pressure
Many Danish SaaS companies need both.
If you sell B2B SaaS to enterprise customers AND operate in a NIS2-covered sector (or provide ICT services to entities that do), you likely need both. The smart approach: build one programme that satisfies both, not two parallel efforts. Start with whichever has the harder deadline, then extend to the other.
One assessment covers both.
The readiness assessment (25-35K DKK, 5-10 business days) maps your current posture against both NIS2 and ISO 27001. You get a single gap register, a clear view of the overlap, and a sequenced roadmap that avoids duplicate work. If you only need one, the assessment will tell you.
Start with the free NIS2 scope checklist.
A quick self-assessment to figure out whether NIS2 applies to your company before you talk to anyone.
Open the NIS2 scope checklist
Not sure which applies to your company?
That is exactly what the scoping call is for. Thirty minutes, no commitment.