Cybersec Update: Does the implementation of ISO standards mean that a company will meet NIS2/KSC2 requirements?
Many companies that hold ISO 27001 and ISO 22301 certificates assume they are already prepared for NIS2. This is a dangerous illusion that can lead not only to high penalties but also to personal liability for management. Below we explain what has changed in the draft Polish act implementing NIS2 (the amendment to the National Cybersecurity System Act, referred to here as KSC2) and why ISO alone is not enough.
ISO 27001 and NIS2 – what happened to the exemption provision?
In April 2024, the first version of the draft act implementing NIS2 contained a provision that would have significantly simplified matters for many organizations. It stated directly that the obligation to implement an Information Security Management System (ISMS) would be considered fulfilled if the organization's ISMS complied with the Polish Standards PN-EN ISO/IEC 27001 (information security) and PN-EN ISO 22301 (business continuity).
Since then, however, none of the subsequent versions of the draft, including the latest one adopted by the government on 21 October 2025, has contained such a provision. There will therefore be no legal basis for treating an ISO certificate as an exemption from the ISMS obligations under NIS2/KSC2.
The short answer, therefore, is: no, certification alone does not mean compliance, but it can help.
Why can having ISO 27001 and 22301 help?
Both standards set out a framework of ISMS requirements that, in their underlying assumptions and often in specific controls, align with NIS2/KSC2. Both rest on a risk-based approach, and both require, among other things, an information security policy, topic-specific policies, business continuity plans, and safeguards against loss of data or loss of access (for example, as a result of a ransomware attack). An organization with a functioning ISO-based ISMS therefore already has much of the documentation, risk register and control set that a NIS2/KSC2 gap analysis will look for.
What do ISO standards not cover in the context of NIS2/KSC2?
These similarities, however, are not sufficient to ensure compliance with the new regulations. NIS2/KSC2 also imposes a number of requirements that the ISO standards do not address, including:
- incident reporting obligations: the legislator defines and categorizes types of cybersecurity incidents and sets specific deadlines and other duties for reporting them. ISO 27001 requires an internal incident management process, but not notification of a national authority within statutory deadlines (under NIS2 itself, Article 23, this means an early warning within 24 hours and an incident notification within 72 hours of becoming aware of a significant incident, followed by a final report);
- requirements concerning the role and responsibility of the organization's management (for limited liability and joint-stock companies, the management board): the new regulations place strong emphasis on the duties of management, including approving and overseeing cybersecurity risk-management measures and undergoing training, and on sanctions for non-compliance;
- fixed intervals for conducting security audits and training, whereas ISO 27001 only requires internal audits and competence activities "at planned intervals" chosen by the organization;
- the obligation to register and keep up to date the organization's data in the list of essential and important entities;
- obligations to cooperate with other participants in the national cybersecurity system: the relevant CSIRTs, supervisory authorities, and other essential and important entities.
What should be done if you have ISO and need to implement NIS2?
Consequently, an organization that has implemented ISO 27001 and 22301 must still, within the deadlines set by the act, verify its compliance with NIS2/KSC2 and implement whatever measures are missing. A practical starting point is a gap analysis that maps the existing ISMS documentation and controls against the statutory requirements listed above, with particular attention to incident reporting, management accountability and registration.
What exactly needs to be done, and by when, is covered in the next part of this series.