Belgian organizations subject to the NIS2 Directive face a pressing question: what is the most efficient path to compliance? For many, the answer lies in ISO 27001 — the international standard for information security management systems (ISMS). While NIS2 and ISO 27001 are distinct frameworks, they share significant overlap, and leveraging one to satisfy the other can save time, budget, and effort. This article explains how the two frameworks align and how Belgian companies can use them together strategically.
NIS2 Requirements at a Glance
The NIS2 Directive establishes a baseline of cybersecurity obligations for essential and important entities across the EU. In Belgium, the Centre for Cybersecurity Belgium (CCB) oversees implementation and enforcement. The directive requires organizations to implement measures covering:
- Risk analysis and information security policies — documented, systematic approaches to identifying and managing cyber risks.
- Incident handling — detection, response, and reporting of significant incidents to the CCB, with the initial early warning due within 24 hours.
- Business continuity and crisis management — backup management, disaster recovery, and continuity plans.
- Supply chain security — risk assessment of direct suppliers and service providers.
- Vulnerability management — regular testing, patching, and coordinated vulnerability disclosure.
- Cybersecurity training — awareness programs for all staff, including management accountability.
- Encryption and access control — appropriate use of cryptography and multi-factor authentication.
Organizations in scope range from energy and healthcare to digital infrastructure and manufacturing. See our guide on NIS2 sectors in Belgium for a complete breakdown of who must comply.
ISO 27001 Framework Overview
ISO 27001:2022 is the globally recognized standard for establishing, implementing, maintaining, and continually improving an ISMS. It provides a structured, risk-based approach to information security through two main components:
- Clauses 4-10 — define the management system requirements, including context of the organization, leadership commitment, planning, support, operation, performance evaluation, and continual improvement.
- Annex A — contains 93 controls organized into four categories: organizational (37 controls), people (8 controls), physical (14 controls), and technological (34 controls).
An ISO 27001 gap analysis is typically the first step toward certification, identifying where current practices fall short of the standard's requirements.
Mapping NIS2 Articles to ISO 27001 Controls
A significant portion of NIS2's security requirements maps directly to ISO 27001 controls. Here is how the key NIS2 obligations align:
- Risk analysis (NIS2 Art. 21.2a) — maps to ISO 27001 Clause 6.1 (risk assessment) and Annex A controls A.5.1 (policies for information security) and A.8.8 (management of technical vulnerabilities).
- Incident handling (NIS2 Art. 21.2b) — maps to Annex A controls A.5.24 (information security incident management planning), A.5.25 (assessment and decision on events), A.5.26 (response to incidents), and A.6.8 (event reporting).
- Business continuity (NIS2 Art. 21.2c) — maps to Annex A controls A.5.29 (information security during disruption) and A.5.30 (ICT readiness for business continuity).
- Supply chain security (NIS2 Art. 21.2d) — maps to Annex A controls A.5.19-A.5.23 covering supplier relationships, including agreements, monitoring, and managing changes.
- Vulnerability management (NIS2 Art. 21.2e) — maps to A.8.8 (management of technical vulnerabilities) and A.8.34 (protection of information systems during audit testing).
- Cybersecurity hygiene and training (NIS2 Art. 21.2g) — maps to A.6.3 (information security awareness, education and training) and A.5.4 (management responsibilities).
- Cryptography and access control (NIS2 Art. 21.2h-j) — maps to A.8.24 (use of cryptography), A.5.15-A.5.18 (access control policies), and A.8.5 (secure authentication).
How ISO 27001 Certification Helps with NIS2 Compliance
While ISO 27001 certification does not automatically guarantee NIS2 compliance, it provides a substantial foundation. The Belgian CCB has acknowledged that organizations with an established ISMS based on ISO 27001 are significantly better positioned for NIS2 compliance. Specifically, ISO 27001 helps in these ways:
- Structured risk management — ISO 27001's mandatory risk assessment process directly satisfies NIS2's requirement for risk analysis and security policies.
- Documented controls — the standard requires documented implementation of security controls, which serves as evidence of NIS2 compliance.
- Management commitment — ISO 27001 requires top management involvement, aligning with NIS2's requirement for management body accountability.
- Continuous improvement — the Plan-Do-Check-Act cycle ensures security measures are regularly reviewed and improved, meeting NIS2's ongoing compliance expectations.
- Third-party validation — certification by an accredited body provides independent assurance that security measures meet internationally recognized standards.
Industry estimates suggest that ISO 27001 covers approximately 70-75% of NIS2 requirements directly. The remaining gaps typically relate to NIS2-specific obligations such as incident notification timelines, sector-specific requirements, and the directive's governance provisions.
Gap Analysis: From ISO 27001 to Full NIS2 Compliance
Organizations that already hold ISO 27001 certification — or are pursuing it — should conduct a targeted gap analysis to identify what additional measures are needed for NIS2. The typical gaps include:
- Incident notification timelines — NIS2 requires reporting significant incidents to the CCB within 24 hours (early warning), 72 hours (full notification), and one month (final report). ISO 27001 requires incident management but does not prescribe specific timelines.
- Supply chain security depth — NIS2 demands more rigorous assessment of supplier cybersecurity posture than ISO 27001's Annex A controls typically require.
- Management body accountability — NIS2 holds management personally accountable and requires them to undergo cybersecurity training, going beyond ISO 27001's leadership requirements.
- Sector-specific obligations — depending on your sector, additional technical or organizational measures may apply beyond the ISO 27001 baseline.
Understanding how NIS2 interacts with other regulations is also important. Our guide on GDPR vs NIS2 in Belgium covers how these two major EU frameworks overlap and where they diverge. A comprehensive security audit can help quantify the effort and investment required to close remaining gaps.
The CCB Perspective: Belgium's Approach
The Centre for Cybersecurity Belgium plays a central role in NIS2 implementation. The CCB has developed the CyberFundamentals framework, which aligns with ISO 27001 and provides a structured path for Belgian organizations to demonstrate NIS2 compliance. The framework defines assurance levels (Basic, Important, Essential) that correspond to the organization's risk profile and NIS2 classification.
Organizations certified to ISO 27001 can leverage their existing ISMS documentation and audit results when demonstrating compliance through the CyberFundamentals framework. This reduces duplication of effort and provides a streamlined compliance path that the CCB actively encourages.
Implementation Roadmap
For Belgian organizations looking to combine NIS2 compliance with ISO 27001 certification, we recommend the following phased approach:
- Phase 1: Assessment (months 1-2) — conduct a combined gap analysis against both ISO 27001 and NIS2 requirements. Identify your NIS2 classification (essential or important entity) and determine the applicable CyberFundamentals assurance level.
- Phase 2: ISMS foundation (months 2-5) — establish the core ISMS structure following ISO 27001, including risk assessment methodology, security policies, and the Statement of Applicability. Address NIS2-specific requirements in parallel.
- Phase 3: Control implementation (months 4-8) — implement technical and organizational controls to address gaps identified in Phase 1. Prioritize controls that satisfy both frameworks simultaneously.
- Phase 4: Incident response and supply chain (months 6-9) — build or enhance incident response capabilities to meet NIS2's strict notification timelines. Implement supply chain security measures and supplier assessment processes.
- Phase 5: Internal audit and certification (months 8-12) — conduct internal audits, management reviews, and pursue ISO 27001 certification. Register with the CCB and complete any NIS2-specific compliance requirements.
The total timeline for most Belgian SMEs ranges from 9 to 15 months, depending on the organization's starting maturity and available resources.
How ICTLAB Can Help
ICTLAB's cybersecurity team specializes in helping Belgian organizations navigate the intersection of NIS2 and ISO 27001. We conduct combined gap analyses that assess your posture against both frameworks, develop integrated implementation roadmaps, and provide hands-on support through certification and CCB registration. Our approach ensures you build a single, coherent security program that satisfies multiple compliance obligations without duplicating effort.
Whether you are starting from scratch or building on an existing ISO 27001 ISMS, contact our Brussels-based team for a pragmatic assessment of your NIS2 readiness and a clear path forward.