ISO 27001, NIS2 and ENS: one project, three frameworks
If your organisation needs ISO 27001, NIS2, or ENS, most of the foundation is the same. All three frameworks require the same core controls. The mistake is treating them as three separate projects when they are three layers of the same structure.

Many organisations operating in regulated environments are running ISO 27001, NIS2, and ENS projects simultaneously — with different teams, different consultants, and separate budgets, with nobody coordinating the work between them.
The result is always the same: three nearly identical asset inventories, three risk analyses reaching similar conclusions, and three incident response plans that differ only in format.
This approach is expensive and unnecessary. The three frameworks are not independent projects, but layers that point to the same core.
ISO 27001 as the starting point
ISO 27001 is the reference framework — not because it is older or better known, but because it defines the control architecture on which NIS2 and ENS build their specific requirements.
NIS2 did not invent risk management. ENS did not invent access control. Both start from the same logic that ISO 27001 formalises: a security management system with identified assets, assessed risks, implemented controls, and continuous improvement.
Read what each framework requires side by side:
ISO 27001 requires an information security management system with risk assessment, operational controls over information assets, and continuous improvement.
NIS2 requires risk management, operational continuity, incident response, supply chain security, and governance.
ENS requires asset management, access control, activity logging, continuity, and protection measures by security category.
All three frameworks are saying the same thing. The core is identical:
- Knowing what assets you have
- Assessing the risks to those assets
- Controlling who accesses what
- Detecting incidents and knowing how to respond
- Keeping operations running under adverse conditions
- Controlling what your suppliers do with your information
The difference between frameworks is not in the fundamentals, but in the domain they apply to and the specific additional requirements of each regulation.
| Requirement | ISO 27001 | NIS2 | ENS |
|---|---|---|---|
| Risk management | ✓ | ✓ | ✓ |
| Incident response | ✓ | ✓ | ✓ |
| Operational continuity | ✓ | ✓ | ✓ |
| Access control | ✓ | ✓ | ✓ |
| Third-party management | ✓ | ✓ | ✓ |
| Management system (ISMS) | ✓ | — | — |
| Regulatory notification | — | ✓ | — |
| Security categories | — | — | ✓ |
The mistake of treating them as independent projects
When an organisation addresses ISO 27001, NIS2, and ENS separately, it usually does the same work three times: three asset inventories, three risk analyses, three incident response plans with minor differences in format.
The reason is usually structural: each project has its own consultant, its own deadline, and its own internal owner, with nobody connecting the dots.
The result is accumulated inefficiency and, more dangerously, a false sense of compliance. The organisation has passed paper audits, but has built nothing real underneath.
How to read compliance correctly
The right question is not "what does this regulation require?" — it is "what foundation do I need to build so that ISO 27001, NIS2, and ENS are covered with minimal additional effort?"
That foundation has five components, and the order in which they are built matters.
1. Asset inventory and classification. This is the mandatory starting point. Without knowing what you have, you cannot manage the risk to it, and nothing is auditable without this foundation.
2. Documented and live risk management. Once you know your assets, you need a process that continuously evaluates, prioritises, and makes decisions — not a point-in-time analysis that becomes obsolete within six months.
3. Access control based on the least-privilege principle. Who accesses what, from where, and with what level of verification. This control cuts across all three frameworks and directly reduces your attack surface.
4. Operational incident response. A tested procedure with clear roles, notification timelines, and real exercises — not a document sitting in a folder. NIS2 requires notification within 24 hours for significant incidents; ENS sets thresholds by system category. The underlying procedure is the same in both cases.
5. Third-party management. Suppliers are part of the attack surface. All three frameworks require it, and it is the control most organisations have least resolved.
With that foundation built in this order, the differential work for each framework reduces to its specific requirements: ENS security categories, NIS2 notification deadlines, ISO 27001's additional controls for formal certification. Roughly 70–80% of the work is already done.
| Component | What it means in practice | Frameworks requiring it |
|---|---|---|
| Asset inventory | Know what you have before you can protect it | All three |
| Risk management | Ongoing process, not a one-off assessment | All three |
| Access control | Least privilege, verification per access | All three |
| Incident response | Tested procedure with clear roles and timelines | All three |
| Third-party management | Suppliers are part of your attack surface | All three |
Implications for leadership
Compliance is not a technical problem: it is a governance decision.
The question a board of directors should be asking is not "are we complying with NIS2?" or "when will we get ISO 27001 certified?", but "have we built the foundation that makes us resilient and that, as a consequence, also covers what the regulation requires?" Those are different questions: the first is answered with an audit report; the second, with operational evidence.
Organisations that build the foundation well do not experience each new regulation as a threat, but as an adjustment to something that already exists. Those that have not built it will keep opening new projects with every standard that appears, without ever being genuinely prepared.
Perspective
ISO 27001, NIS2, and ENS are not three separate projects. They are three views of the same structure.
Enterprise cybersecurity is not built standard by standard, but layer by layer, on a solid foundation that addresses all of them. When that foundation exists, compliance is a consequence, not an end in itself.
The relevant question is not when you will comply with NIS2 or get certified in ISO 27001. It is when you will build the foundation.
Next step
Do you know how much of that foundation you already have?
We conduct a review to understand your actual level of readiness against ISO 27001, NIS2, and ENS.
Talk to Dasenda