NIS2 vs ISO 27001: what do customers actually require?
Many assume an ISO 27001 certification solves NIS2. It helps, but they are not the same, and customers often ask for both.
The difference in short
ISO 27001 is a voluntary international standard for an information security management system. NIS2 (transposed into national law across the EU, for example Denmark 1 July 2025 and Sweden 15 January 2026) is binding law with specific requirements for risk management, incident reporting and supply-chain security.
Where they overlap
A mature ISO 27001 system covers a large part of NIS2's technical and organizational measures. If you are already certified, you are well on your way.
Where ISO 27001 falls short
- Incident reporting: NIS2 has specific deadlines (early warning within 24 hours, notification within 72 hours) to the authority.
- Supply chain: NIS2 Article 21 sets explicit supply-chain security requirements on your customers, which they in turn pass on to you as a supplier.
- Provability: the customer often wants concrete, verifiable evidence, not just a certificate.
What customers ask for in practice
A certificate if you have one, plus a completed security questionnaire, incident procedures and evidence specific to their requirements. An answer without supporting documentation cannot be verified in practice.
How PowerQuant helps
- Take the free 2-minute scope check to see where your gaps are.
- Quick Scan (fixed price): a signed readiness report to complement a certification.
Indicative overview, not legal advice. Verified against Directive (EU) 2022/2555 and national transposition status as of 1 July 2026.