SHARDS Cybersecurity · Supply Chain Assurance · NIS2
NIS2 explained · Free reference · ENISA-sourced

NIS2 ↔ ISO 27001 / NIST / ETSI framework mapping.

Browse how the thirteen NIS2 cybersecurity-requirement areas in Commission Implementing Regulation (EU) 2024/2690 align with eight major control frameworks: ISO/IEC 27001, NIST CSF 2.0, ETSI EN 319 401, CEN/TS 18026:2024, SOC 2 Type II, CIS Controls v8, NIST SP 800-53, and ISO/IEC 22301.

Four frameworks are sourced directly from ENISA's NIS2 TIG Mapping Table v1.0 (June 2025) — ISO 27001, NIST CSF 2.0, ETSI EN 319 401, and CEN/TS 18026:2024. The granular crosswalk is in ENISA's XLSX file, which also indexes the national frameworks ENISA cites (Belgium, Finland, Greece, Spain, France) — listed for reference under the picker. The other four (SOC 2, CIS Controls v8, NIST 800-53, ISO 22301) are practitioner-curated assessments at the same depth, anchored to their published source standards.

What this is

A practitioner's navigation aid for the NIS2 cybersecurity-measures regulation, organised by the thirteen thematic areas in Implementing Regulation 2024/2690.

How to use it

If your organisation already runs an ISMS aligned to ISO 27001 or NIST CSF, find the NIS2 area, read the summary, scan the mapped controls, then jump to ENISA's XLSX for the exact requirement-level mapping.

Important caveat

ENISA's own note: the mapping should not be interpreted as a measure of equivalence between frameworks. Standards address the same concerns with different language and depth. Reviewer judgement still required — for every control, every audit.

1.0 / Reverse search

I have framework X. What does NIS2 add?

Pick the framework you run today. We'll show you which NIS2 thematic areas your existing controls cover well, which ones are partially covered with NIS2-specific gaps to close, and which ones are net-new work. Click any area to jump down to its full forward mapping below.
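The reverse search described above is a coverage computation over the forward mapping shown on the cards further down. The Python below is added here as an illustration; it is not the platform's own code and not ENISA's. It inverts the NIS2 ↔ ISO/IEC 27001:2022 Annex A mapping copied from the thirteen cards and classifies each area for a given set of implemented controls (for example the applicable rows of a Statement of Applicability). The four-area regulatory overlay follows the ISO 27001 partial-coverage notes on this page; the "at least half the controls" partial threshold, the helper names and the sample Statement of Applicability are assumptions.

```python
"""Reverse search over the NIS2 <-> ISO/IEC 27001:2022 mapping on this page.

Added example, not ENISA's or the page's own code. The forward mapping
(Implementing Regulation 2024/2690 Annex section -> Annex A controls) is
copied from the cards on this page; the overlay list follows the page's
ISO 27001 "partial coverage" notes. The half-the-controls partial
threshold, the helper names and the sample SoA are assumptions.
"""
from __future__ import annotations

from collections import defaultdict

# Forward mapping as shown on the cards (area number -> Annex A controls).
NIS2_TO_ISO27001: dict[str, tuple[str, ...]] = {
    "01": ("A.5.1", "A.5.2", "A.5.3", "A.5.4"),
    "02": ("A.5.4", "A.5.10", "A.5.12", "A.5.13", "A.5.14"),
    "03": ("A.5.24", "A.5.25", "A.5.26", "A.5.27", "A.5.28"),
    "04": ("A.5.29", "A.5.30", "A.8.13", "A.8.14"),
    "05": ("A.5.19", "A.5.20", "A.5.21", "A.5.22", "A.5.23"),
    "06": tuple(f"A.8.{n}" for n in range(25, 34)),   # A.8.25 .. A.8.33
    "07": ("A.5.35", "A.5.36", "A.5.37"),
    "08": ("A.6.3", "A.8.7", "A.8.8", "A.8.9"),
    "09": ("A.8.24",),
    "10": ("A.6.1", "A.6.2", "A.6.4", "A.6.5", "A.6.6"),
    "11": ("A.5.9", "A.5.10", "A.5.15", "A.5.16", "A.5.17", "A.5.18", "A.8.2", "A.8.3"),
    "12": ("A.5.17", "A.8.5", "A.8.20", "A.8.21"),
    "13": tuple(f"A.7.{n}" for n in range(1, 15)),    # A.7.1 .. A.7.14
}

# Areas where NIS2 adds obligations no Annex A control carries. A complete
# control set still leaves these "partial" (the page's four ISO 27001 gaps).
NIS2_OVERLAY: dict[str, str] = {
    "01": "Article 20 management-body accountability and training",
    "03": "Article 23 reporting deadlines (24h / 72h / 1 month)",
    "05": "Article 21(2)(d) depth beyond direct suppliers",
    "07": "Article 23 reporting and competent-authority interaction",
}

ALL_CONTROLS: frozenset[str] = frozenset(
    c for controls in NIS2_TO_ISO27001.values() for c in controls
)


def invert(forward: dict[str, tuple[str, ...]]) -> dict[str, frozenset[str]]:
    """Control -> set of NIS2 areas it serves (a control may serve several)."""
    reverse: defaultdict[str, set[str]] = defaultdict(set)
    for area, controls in forward.items():
        for control in controls:
            reverse[control].add(area)
    return {c: frozenset(areas) for c, areas in reverse.items()}


def coverage(implemented: set[str] | frozenset[str]) -> dict[str, tuple[str, tuple[str, ...]]]:
    """Classify each area as 'strong', 'partial' or 'net-new' for the given
    set of implemented Annex A controls. Returns area -> (verdict, missing).
    'partial' means at least half of the mapped controls are in place
    (assumed threshold); an overlay area is never better than 'partial'."""
    result: dict[str, tuple[str, tuple[str, ...]]] = {}
    for area, controls in NIS2_TO_ISO27001.items():
        missing = tuple(c for c in controls if c not in implemented)
        present = len(controls) - len(missing)
        if not missing:
            verdict = "strong"
        elif 2 * present >= len(controls):
            verdict = "partial"
        else:
            verdict = "net-new"
        if verdict == "strong" and area in NIS2_OVERLAY:
            verdict = "partial"   # controls alone cannot close a regulatory overlay
        result[area] = (verdict, missing)
    return result


def summary(implemented: set[str] | frozenset[str]) -> dict[str, int]:
    """Number of areas per verdict, the three headline counts of the picker."""
    counts = {"strong": 0, "partial": 0, "net-new": 0}
    for verdict, _ in coverage(implemented).values():
        counts[verdict] += 1
    return counts


if __name__ == "__main__":
    # Constructed SoA: every mapped control applicable except the ICT supply
    # chain, supplier-service change and cloud controls (A.5.21 - A.5.23).
    soa = ALL_CONTROLS - {"A.5.21", "A.5.22", "A.5.23"}
    for area, (verdict, missing) in coverage(soa).items():
        gap = f"  missing: {', '.join(missing)}" if missing else ""
        note = f"  add: {NIS2_OVERLAY[area]}" if area in NIS2_OVERLAY else ""
        print(f"{area}  {verdict:8}{gap}{note}")
    print(summary(ALL_CONTROLS))   # complete Annex A set -> 9 strong, 4 partial
```

Feeding the complete Annex A set reproduces the page's headline for ISO 27001 (nine strongly covered, four partial); excluding a control from the SoA drops its area to partial or net-new and lists what is missing, which is the practitioner-facing output the picker describes. The same structure takes any other forward mapping, so the NIST CSF 2.0 or ISO 27002 columns on the cards can be swapped in unchanged.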

Also in ENISA's table
  • BE·CyFun® (CyberFundamentals) 2023

    Belgian national cybersecurity framework published by the Centre for Cybersecurity Belgium (CCB). NIST CSF-derived framework with assurance levels (Basic / Important / Essential); the Important and Essential levels are calibrated to the corresponding NIS2 entity classes.

  • FI·Kybermittari

    Finnish national cyber-maturity self-assessment tool published by Traficom (NCSC-FI). NIST CSF-aligned, used by Finnish entities for organisational cybersecurity benchmarking against NIS2 expectations.

  • EL·Ministerial decision 1689/2025

    Greek national NIS2-implementation instrument issued in 2025. Codifies cybersecurity-measure baselines for NIS2-scope entities in Greece. Refer to the Greek NCSA / national gazette for the authoritative text.

  • ES·ENS — Royal Decree 311/2022

    Spanish national security scheme governing public-sector and contracted IT systems. 73 security measures across organisational, operational, and protective categories, at three levels (Low / Medium / High). Comparable in scope to ISO 27001 Annex A; widely adopted beyond the strict public-sector mandate.

  • FR·ANSSI national framework

    French national cybersecurity guidance published by ANSSI (Agence nationale de la sécurité des systèmes d'information). Refer to the ENISA mapping table for the specific document and edition cited against each NIS2 thematic area.

All entries are reviewer guidance, not a compliance verdict. ISO 27001, NIST CSF 2.0, ETSI EN 319 401, and CEN/TS 18026 derive from ENISA's NIS2 TIG Mapping Table v1.0 (June 2025) and the NIS2 directive itself. The other four are practitioner-curated at the same depth, anchored to their published source standards. National frameworks above are listed for orientation — refer to ENISA's XLSX for the per-control alignment.

What NIS2 needs from you
If you run a current ISO 27001 ISMS, you already have most of the technical and organisational controls NIS2 expects. The gaps are the regulatory overlay — NIS2-specific reporting deadlines under Article 23, the personal-accountability provisions of Article 20, and the supply-chain depth that goes beyond Tier-1 supplier relationships.

Strongly covered · 9 areas

Direct or near-direct alignment — your existing controls already address what NIS2 expects here.

Partial coverage — review for gaps · 4 areas

Your framework touches this area but NIS2 adds specific requirements that may not be covered. Review the note for what to add.

  • 01 · Policy on the security of network and information systems

    Annex A.5.1–A.5.3 covers the security-policy framework. NIS2 Article 20 adds explicit personal accountability for the management body, mandatory cybersecurity training for them, and oversight obligations — wire those into your governance separately.

  • 03 · Incident handling

    A.5.24–A.5.28 cover incident response operations. NIS2 Article 23 adds specific regulator-facing deadlines (24h early warning, 72h incident notification, final report within one month) and the CSIRT / competent-authority notification machinery — these are NIS2-specific and not in the standard.

  • 05 · Supply chain security (Shards focus area)

    A.5.19–A.5.23 cover supplier relationships and contractual requirements, and A.5.21 / A.5.22 touch the ICT supply chain and supplier-service change. NIS2 Article 21(2)(d) and Recital 85 are explicit about looking beyond direct suppliers — sub-processors, supply-chain depth, re-review on material change — in a way Annex A does not spell out.

  • 07 · Policies and procedures to assess effectiveness

    A.5.35–A.5.37 cover internal audit and management review. NIS2 Article 23 reporting and competent-authority interaction sit beyond the ISMS — those need their own procedures.

2.0 / Browse by NIS2 area

Thirteen thematic areas. Each one mapped.

The cards below summarise each Implementing Regulation thematic area and its prominent control references in ISO/IEC 27001:2022, ISO/IEC 27002:2022, and NIST CSF 2.0. Where ETSI EN 319 401 is in scope, that mapping is shown too. Supply-chain security (Implementing Reg, Annex §5) is highlighted — it is the area Supply Chain Assurance is built around.

01/Implementing Reg, Annex §1

Policy on the security of network and information systems

A documented top-level information security policy approved by the management body, reviewed at planned intervals or after material change, and communicated to staff and relevant third parties.

ISO/IEC 27001:2022
A.5.1 · A.5.2 · A.5.3 · A.5.4
ISO/IEC 27002:2022
5.1 · 5.2 · 5.3
NIST CSF 2.0
GV.OC · GV.PO
02/Implementing Reg, Annex §2

Risk management policy

A risk management framework that identifies, analyses, evaluates, and treats cybersecurity risks across people, processes, and technology, with documented risk acceptance criteria and management-body sign-off. In ISO/IEC 27001 the risk-assessment and risk-treatment requirements themselves sit in the main-body clauses (6.1.2, 6.1.3, 8.2, 8.3); the Annex A references below are the control-level touchpoints.

ISO/IEC 27001:2022
A.5.4 · A.5.10 · A.5.12 · A.5.13 · A.5.14
ISO/IEC 27002:2022
5.4 · 5.10 · 5.12
NIST CSF 2.0
GV.RM · ID.RA · ID.IM
03/Implementing Reg, Annex §3

Incident handling

Documented procedures to detect, classify, respond to, and recover from cybersecurity incidents — including the early-warning, incident, and final NIS2 reporting milestones (24 / 72 hours / 1 month).

ISO/IEC 27001:2022
A.5.24 · A.5.25 · A.5.26 · A.5.27 · A.5.28
ISO/IEC 27002:2022
5.24 · 5.25 · 5.26 · 5.27 · 5.28
NIST CSF 2.0
DE.CM · RS · RC
04/Implementing Reg, Annex §4

Business continuity, backup, and disaster recovery

Backup and recovery policy with tested restoration procedures, business-continuity plans for critical services, and crisis-management arrangements that survive a cyber incident.

ISO/IEC 27001:2022
A.5.29 · A.5.30 · A.8.13 · A.8.14
ISO/IEC 27002:2022
5.29 · 5.30 · 8.13 · 8.14
NIST CSF 2.0
RS.MA · RC.RP · PR.IR
05/Implementing Reg, Annex §5 · ties to NIS2 Article 21(2)(d)

Supply chain security

Information security in supplier and service-provider relationships. Covers supplier risk-tiering, contract clauses, evidence collection, sub-processor disclosure, and re-review on material change. This is the area Supply Chain Assurance is built around.

What the directive says

supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers

NIS2 Directive 2022/2555 · Article 21(2)(d)Read on EUR-Lex

NIST CSF 2.0 added an entire Govern → Supply Chain Risk Management category (GV.SC) — the most explicit alignment between NIST and the NIS2 supply-chain clause across any major framework.

ISO/IEC 27001:2022
A.5.19 · A.5.20 · A.5.21 · A.5.22 · A.5.23
ISO/IEC 27002:2022
5.19 · 5.20 · 5.21 · 5.22 · 5.23
NIST CSF 2.0
GV.SC
ETSI EN 319 401
7.13 (subcontracting)
06/Implementing Reg, Annex §6

Security in network and information systems acquisition, development, and maintenance

Secure development lifecycle, vulnerability handling, change management, and security in the acquisition of products and services. Includes coordinated vulnerability disclosure and SBOM expectations.

ISO/IEC 27001:2022
A.8.25 · A.8.26 · A.8.27 · A.8.28 · A.8.29 · A.8.30 · A.8.31 · A.8.32 · A.8.33
ISO/IEC 27002:2022
8.25 · 8.26 · 8.27 · 8.28 · 8.29 · 8.30
NIST CSF 2.0
ID.RA · PR.PS · DE.CM
07/Implementing Reg, Annex §7

Policies and procedures to assess effectiveness

Documented procedures for measuring whether the cybersecurity risk-management measures are working — internal audits, management review, KPI / KRI tracking, and corrective-action loops.

ISO/IEC 27001:2022
A.5.35 · A.5.36 · A.5.37
ISO/IEC 27002:2022
5.35 · 5.36
NIST CSF 2.0
ID.IM · GV.OV
08/Implementing Reg, Annex §8

Basic cyber hygiene practices and cybersecurity training

Awareness and training for all personnel including the management body, plus the basic-hygiene baseline — software updates, malware protection, secure default configurations, password discipline.

ISO/IEC 27001:2022
A.6.3 · A.8.7 · A.8.8 · A.8.9
ISO/IEC 27002:2022
6.3 · 8.7 · 8.8
NIST CSF 2.0
PR.AT · PR.PS
09/Implementing Reg, Annex §9

Policies and procedures regarding the use of cryptography

Cryptographic controls policy — algorithm selection, key management, hardware-backed key storage where required, certificate lifecycle management.

ISO/IEC 27001:2022
A.8.24
ISO/IEC 27002:2022
8.24
NIST CSF 2.0
PR.DS
10/Implementing Reg, Annex §10

Human resources security

Background checks proportionate to role, terms of employment, joiner / mover / leaver process, return of assets, disciplinary process for security violations.

ISO/IEC 27001:2022
A.6.1 · A.6.2 · A.6.4 · A.6.5 · A.6.6
ISO/IEC 27002:2022
6.1 · 6.2 · 6.4 · 6.5 · 6.6
NIST CSF 2.0
PR.AA · PR.AT
11/Implementing Reg, Annex §11

Access control policies and asset management

Asset inventory and ownership, identity and access management, privileged access governance, segregation of duties, periodic access reviews.

ISO/IEC 27001:2022
A.5.9 · A.5.10 · A.5.15 · A.5.16 · A.5.17 · A.5.18 · A.8.2 · A.8.3
ISO/IEC 27002:2022
5.9 · 5.15 · 5.16 · 5.17 · 5.18
NIST CSF 2.0
ID.AM · PR.AA
12/Implementing Reg, Annex §12

Multi-factor authentication and secured communications

Multi-factor and continuous authentication for sensitive access, secured voice / video / text communications, secured emergency communications.

ISO/IEC 27001:2022
A.5.17 · A.8.5 · A.8.20 · A.8.21
ISO/IEC 27002:2022
5.17 · 8.5 · 8.20 · 8.21
NIST CSF 2.0
PR.AA-01 · PR.AA-02 · PR.AA-03
13/Implementing Reg, Annex §13

Physical and environmental security

Physical security of premises, secure areas, equipment protection, supporting utilities, environmental monitoring, secure disposal.

ISO/IEC 27001:2022
A.7.1 · A.7.2 · A.7.3 · A.7.4 · A.7.5 · A.7.6 · A.7.7 · A.7.8 · A.7.9 · A.7.10 · A.7.11 · A.7.12 · A.7.13 · A.7.14
ISO/IEC 27002:2022
7.1 · 7.2 · 7.3 · 7.4
NIST CSF 2.0
PR.AA-06 · PR.IR
3.0 / What the platform will do

This is a reference. The platform is the work.

What you see here — ENISA's mapping made browseable — is a navigation aid. Useful, but it's a static reference. Real assurance work is doing the mapping for your suppliers, with your evidence, in a way that holds up under audit.

Supply Chain Assurance V1 — the version shipping today — is built around NIS2 Article 21(2)(d). It captures supplier evidence, extracts the relevant facts, signs the reviewer's decision, and exports an audit-ready dossier.

The V2 release — on the product roadmap for 2027+ — extends the same evidence model into cross-framework crosswalks. One supplier evidence record, routed automatically into your NIS2, ISO 27001, DORA and SOC 2 audit contexts simultaneously, each with reviewer sign-off. ENISA's mapping table is the foundation; the platform layer is what we add on top.

4.0 / Frequently asked

The questions practitioners arrive with.

Common questions about NIS2 and the major control frameworks. If you're looking for the area-by-area mapping, the reverse search and forward mapping above are the answer; this section covers the framing questions practitioners ask before they get into the controls.

Does ISO 27001 cover NIS2?

ISO/IEC 27001:2022 covers most of the technical and organisational controls NIS2 expects — Annex A.5.1 through A.8.34 align with the thirteen thematic areas in Commission Implementing Regulation (EU) 2024/2690. Three NIS2 obligations sit outside ISO 27001 and need separate procedures: Article 23 reporting deadlines (24-hour early warning, 72-hour incident notification, final report within one month, all to the national CSIRT or competent authority rather than to ENISA directly); Article 20 accountability for management bodies, which must approve the risk-management measures, oversee their implementation, and follow cybersecurity training; and the supply-chain depth Article 21(2)(d) and Recital 85 expect, which goes beyond the direct-supplier relationships ISO 27001 covers in A.5.19–A.5.23.

Which NIST CSF controls map to NIS2?

NIST Cybersecurity Framework 2.0's six functions (Govern, Identify, Protect, Detect, Respond, Recover) align well with the thirteen NIS2 thematic areas across the board. The Govern function, added in 2.0, maps particularly closely to NIS2's governance expectations under Article 20. The dedicated GV.SC category (Cybersecurity Supply Chain Risk Management, ten subcategories GV.SC-01 to GV.SC-10) is the most explicit framework alignment with NIS2 Article 21(2)(d) of any major framework. Use the reverse-search tool above with NIST CSF 2.0 selected to see the area-by-area mapping with practitioner notes.

Does SOC 2 cover NIS2 requirements?

SOC 2 Type II is the most-cited evidence artefact when EU buyers ask cloud / SaaS suppliers for cybersecurity posture. The AICPA Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, Privacy — align with most NIS2 thematic areas. Strongest where NIS2 expects technical and operational controls (CC6 access, CC7 system operations, CC8 change management, A1 availability). Gaps to wire in separately: NIS2 Article 23 reporting deadlines (regulator-facing, outside SOC 2 scope), Article 20 management body accountability (not addressed in TSC), and supply-chain depth beyond Tier-1 vendors. A current SOC 2 Type II report is a defensible substitute for many NIS2 21(2)(d) supplier-assurance evidence requests, but not framework-equivalent.

What does NIS2 add beyond ISO 27001?

Three things specifically. (1) Regulatory reporting deadlines under Article 23: 24-hour early warning, 72-hour incident notification, and a final report within one month, all to your national CSIRT or competent authority, not to ENISA directly. ISO 27001 A.5.24–A.5.28 cover incident-response operations, but the regulator-facing reporting machinery is NIS2-specific. (2) Accountability for management bodies under Article 20 — they must approve the cybersecurity risk-management measures, oversee their implementation, follow cybersecurity training, and can be held liable for infringements. (3) Supply-chain depth — Article 21(2)(d) and Recital 85 expect you to look beyond direct suppliers (sub-processors, supply-chain visibility, re-review on material change). ISO 27001 A.5.19–A.5.23 cover supplier relationships at the contractual level but don't spell out that depth.

Is Cyber Essentials enough for NIS2?

No — and to be clear, Cyber Essentials isn't the UK's substitute for NIS2 either. Cyber Essentials and Cyber Essentials Plus are NCSC-backed voluntary certification schemes (delivered by IASME) covering five technical control themes: firewalls, secure configuration, user access control, malware protection, and security update management. They are a defensible baseline that EU buyers commonly accept as part of the Article 21(2)(d) evidence they collect from UK suppliers, but they don't cover the full NIS2 control set: nothing on incident reporting, business continuity, supply chain, or governance. UK organisations are outside NIS2 unless they offer in-scope services in the EU (Article 26 jurisdiction); the UK's own regime is the NIS Regulations 2018.

Can I use ISO 22301 for NIS2 business continuity?

Yes — ISO 22301:2019 is the international business continuity management system standard and maps directly to NIS2's business-continuity area (Implementing Regulation Annex §4). Strong on backup, recovery, disaster management, and crisis arrangements. ISO 22301 is narrow in scope — it doesn't cover access control, cryptography, HR security, or general information-security policy. Most useful as a complement to ISO 27001 or NIST CSF 2.0 for organisations where business continuity is a critical concern (utilities, financial market infrastructure, healthcare). It exceeds the NIS2 baseline for BCP specifically.

What is the ENISA mapping table?

ENISA published an official NIS2 Technical Implementation Guidance Mapping Table (XLSX, v1.0, June 2025) alongside the main NIS2 TIG document. The table maps each Commission Implementing Regulation (EU) 2024/2690 cybersecurity requirement to control references in ISO/IEC 27001:2022, ISO/IEC 27002:2022, NIST CSF 2.0, ETSI EN 319 401 V3.1.1, CEN/TS 18026:2024, and selected national frameworks (Belgium's CyFun® 2023, Finland's Kybermittari, Greece's Ministerial decision 1689/2025, Spain's ENS / Royal Decree 311/2022, and a French ANSSI national framework). ENISA's own caveat: the mapping is a navigation aid, not a measure of equivalence between frameworks — standards address the same concerns with different language and depth. The hub above sources its ISO 27001, NIST CSF 2.0, ETSI, and CEN/TS 18026 assessments directly from this table, supplemented with practitioner-curated assessments for SOC 2, CIS Controls v8, NIST 800-53, and ISO 22301 (frameworks ENISA's table doesn't cover). The five national frameworks are listed under the picker for orientation. Practitioners doing detailed gap analysis should download the XLSX from ENISA directly.

Which framework is easiest for NIS2 compliance?

No single framework gets you to NIS2 compliance — NIS2 is a regulation, not a control framework. The practitioner question is: which framework do you already run? Then add the NIS2-specific overlay (regulatory reporting under Article 23, Article 20 governance, supply-chain depth) on top. ISO/IEC 27001:2022 and NIST CSF 2.0 are the closest single-framework matches across the thirteen NIS2 thematic areas. NIST SP 800-53 r5 is the most comprehensive but heaviest. CIS Controls v8 maps strongly to the basic-cyber-hygiene baseline (Article 21(2)(g)) but is thin on governance and HR — best as a complement. ISO 22301 is BCP-specific. SOC 2 Type II is common in supplier-evidence contexts but not framework-equivalent. Pick what your organisation already operates against, then layer the NIS2-specific procedures on top.

Need the deep crosswalk?

ENISA's full mapping table — XLSX

The official spreadsheet maps every Implementing Regulation requirement to specific control references in ISO 27001 / 27002, NIST CSF 2.0, ETSI EN 319 401, CEN/TS 18026:2024, and selected national frameworks. It is the source of truth.
