
MIND THE (NIS2) GAP

The Network and Information Security Directive 2 (NIS2) and the corresponding national legislation are finally becoming a reality. Many organisations may be tempted to lean back and trust that their ISO 27001 certification will be enough to meet the requirements of NIS2.

Not so. NIS2 imposes stricter demands on governance, accountability, and reporting, and covers more sectors than its predecessor. To avoid costly surprises when the directive takes effect this year, it is business-critical to understand where your gaps are and what full compliance requires.

ISO 27001: a strong foundation, but not the entire solution
Being ISO 27001 certified is indeed a very strong foundation when it comes to working with information security in a systematic way. The certification also covers many of the technical and organisational requirements that NIS2 addresses. But having an ISO 27001 certificate is not the same as being fully compliant with NIS2 and can lull you into a false sense of security.

That’s because NIS2 covers areas that are not within the scope of ISO 27001. For example, NIS2 introduces:
– Clear management responsibility – the board and executive team have explicit legal accountability for cybersecurity risk-management measures.
– Reporting requirements – significant incidents must be reported to the competent authority or CSIRT, with an early warning within 24 hours, a fuller incident notification within 72 hours, and a final report within one month.
– Sanctions – organisations risk significant fines, and members of management bodies can be held personally liable.

Several critical parts of NIS2 lie outside the ISO 27001 framework, or go further than it, and require additional effort, such as:
– Regulatory inspections and audits – preparation for external supervision by the competent authority, which an ISO certification audit does not cover.
– Supplier and third-party risks – strengthened control over the entire supply chain. ISO 27001 Annex A does address supplier relationships, but NIS2 makes supply-chain security an explicit legal obligation, including assessing the vulnerabilities specific to each direct supplier and service provider.

ISO 27001, in other words, does not go all the way, and discovering that through a non-compliance finding is an expensive wake-up call.

Start with a gap analysis
Regardless of whether your organisation is ISO 27001 certified or not, a NIS2 gap analysis is the most effective way to understand your current state and what actions are required. The analysis provides a clear picture of your strengths and of where additional measures are needed to achieve full compliance. Simply put, a gap analysis lets you take control: define a way forward, stay compliant, and protect your business.

The way forward involves establishing the right processes and implementing the right tools to give you overview and control of governance, routines, and how you work with cybersecurity over time. The Nexer Cybersecurity team can help with:
– Conducting gap analyses against NIS2.
– Following up on actions and implementation.
– Providing continuous oversight and insight for your leadership and operations.

Take control today
ISO 27001 is an excellent foundation for systematic information security work. But to meet NIS2’s full requirements, organisations must conduct a thorough analysis, identify gaps, and establish routines that include technical, organisational, and legal aspects. With the right support, you will not only achieve compliance but also create a robust and long-term security culture.

Read more about NIS2 and how the Nexer Cybersecurity team can support you:
https://nexergroup.com/sv/konsulter-och-team/nis2-direktivet/
https://nexergroup.com/consulting-and-teams/nis2-directive/nis2-explained/

About the author
Linda Sundvall is an experienced Security Operations Center (SOC) and Managed Security Service Provider (MSSP) operator identifying and addressing vulnerabilities. At Nexer she focuses on Information Security and Third-Party Risk Management to strengthen organisations’ security culture.
