Does my ISO 27001 certification cover the NIS2 duty of care?
ISO 27001 covers much of the NIS2 risk-management measures, but holding the certificate does not amount to automatic compliance. Incident reporting, management accountability, supply-chain risk and registration must be addressed separately.
Short answer: An ISO 27001 certification gives you a strong foundation for the NIS2 duty of care, but it does not automatically cover it in full. NIS2 imposes some requirements that fall outside the standard scope of an ISMS certificate, such as the statutory incident-reporting duty and explicit management accountability. You need to close those gaps separately.
Where do they overlap?
ISO/IEC 27001 is the international standard for an information security management system (ISMS): a systematic approach to identifying, controlling and continually improving information risks. NIS2 (Directive (EU) 2022/2555, Art. 21) requires a set of risk-management measures that, on essential points, aligns with what a 27001 ISMS already does.
Well covered by ISO 27001:
- Risk management: a systematic risk assessment and associated controls form the core of the standard.
- Access policy: identity and access management are a standard part of the ISMS.
- Encryption: policies for cryptography and data protection.
- Business continuity: continuity and recovery measures for incidents.
So if you hold a current 27001 certification, the bulk of the foundation is already in place.
Which gaps remain?
NIS2 adds obligations that a 27001 certificate does not automatically demonstrate. At a minimum, account for:
- Statutory incident reporting: for a significant incident, an early warning is due within 24 hours and a more detailed notification within 72 hours to the competent authority. This is a legal deadline, not merely an internal procedure.
- Management accountability and training: management must approve and oversee the measures and undergo training themselves. NIS2 places responsibility explicitly with leadership.
- Supply-chain risk: you must manage security across your supply chain and service providers, which often reaches wider than the scope of a 27001 certificate.
- Registration: entities in scope of NIS2 must register with the competent authority.
What does this mean for transport and logistics?
Many logistics players fall within scope of NIS2. Use your 27001 ISMS as the base and run a targeted gap analysis: map the 27001 controls against Art. 21 and the reporting, governance and registration duties, then fill the differences. This avoids the assumption that a certificate exempts you from the NIS2 duty of care.
Sources
- Directive (EU) 2022/2555 (NIS2), Art. 21: risk-management measures. https://eur-lex.europa.eu/eli/dir/2022/2555/oj