Who should read this: Product Managers, Compliance Officers, Chief Information Security Officers.
The NIS2 Directive (Directive (EU) 2022/2555) does not prescribe specific technologies or standards for cybersecurity; instead, Article 21 requires “appropriate and proportionate” technical, operational and organisational measures tailored to each entity’s risk profile. Articles 24 and 25 then address how certification schemes and standards fit into that picture: Article 24 deals with the use of European cybersecurity certification schemes, and Article 25 with standardisation. Together they give entities a common language for security practices and a way to demonstrate compliance through recognised benchmarks.
For many organisations, pursuing a recognised certification, such as ISO 27001 (Information Security Management) or participation in an EU-approved security scheme, provides a structured pathway to compliance and offers evidence of commitment to security. For product manufacturers, certification and standards compliance signal to customers that products meet security expectations. For service providers, certification demonstrates commitment to customer data and operational security.
This post unpacks Articles 24 and 25, clarifies the role of standards and certification in NIS2 compliance, and explores how certification can be leveraged as part of a comprehensive compliance strategy. The discussion covers recognised standards (ISO 27001, ISO 27002), EU security certification schemes, and the relationship between certification and NIS2 proportionality.
Articles 24 and 25: Standards and Certification
Article 24 (use of European cybersecurity certification schemes) allows Member States, in order to demonstrate compliance with particular requirements of Article 21, to require essential and important entities to use ICT products, ICT services and ICT processes that are certified under European cybersecurity certification schemes adopted under the Cybersecurity Act (Regulation (EU) 2019/881). This applies whether the entity developed the product or service itself or procured it from a third party. The Commission may also adopt delegated acts specifying which categories of entities must use which certified products, services or processes, and may ask ENISA to prepare a candidate scheme where no suitable one exists.
Article 25 (standardisation) requires Member States to encourage the use of European and international standards and technical specifications relevant to the security of network and information systems, without imposing or discriminating in favour of any particular type of technology, so that the measures in Article 21(1) and (2) are implemented convergently across the Union. ENISA, in collaboration with Member States, draws up advice and guidelines on the technical areas to be considered and on existing standards (including national ones) that cover those areas.
Together, Articles 24 and 25 establish that:
Certification is generally optional but valuable: NIS2 does not require an entity to hold a certificate in order to comply. Compliance can be demonstrated through documented implementation of proportionate measures without formal certification. However, certification provides a recognised framework and third-party assurance, which many entities choose to pursue. The one caveat is Article 24: a Member State, or the Commission by delegated act, may require particular categories of entities to use ICT products, services or processes certified under a European scheme, in which case certification of those specific products or services becomes mandatory for the entities concerned.
Standards provide a structure: Standards such as ISO 27001 provide a structured framework for implementing security measures. An entity implementing ISO 27001 controls is implementing a recognised approach to security management, and can more easily demonstrate compliance with NIS2’s proportionality requirement.
Product and service certification matters: For products and services used by designated entities, certification provides assurance regarding security. An entity purchasing a cloud service whose provider is certified to ISO 27001, or network equipment certified under a European scheme such as EUCC, has evidence of the vendor’s security practices that can be cited in its own supply-chain risk management under Article 21(2)(d).
Member State and Commission discretion: Member States decide which European and international standards to encourage under Article 25, and whether to require certified ICT products, services or processes under Article 24; the Commission can extend such requirements to categories of entities by delegated act. A Member State might therefore point entities towards ISO 27001, particular European certification schemes, or national standards, and entities should check their own competent authority’s guidance.
ISO 27001 and the ISO 27000 Series
The most widely recognised standard for information security management is ISO/IEC 27001, part of the ISO 27000 series. ISO 27001 defines a framework for establishing, implementing, maintaining, and continually improving information security management systems (ISMS).
ISO 27001 includes:
- A set of reference security controls (Annex A, which in the 2022 edition groups 93 controls into organisational, people, physical and technological themes) addressing access control, cryptography, physical security, personnel security, supplier relationships, and many other areas. Organisations select controls proportionate to their risk assessment and record the selection, with justifications for any exclusions, in a Statement of Applicability.
- Requirements for risk assessment, identifying threats and vulnerabilities specific to the organisation.
- Requirements for an information security policy defining the organisation’s approach to security.
- Requirements for governance, including roles and responsibilities, training, and awareness.
- Requirements for monitoring and incident management.
- Requirements for periodic review and update.
An organisation implementing ISO 27001 undergoes a third-party audit by an accredited certification body to verify that the ISMS is properly implemented and operating. Upon successful audit, the organisation receives an ISO 27001 certificate, valid for three years, subject to annual surveillance audits and a full recertification audit at the end of the cycle. The certificate states the scope of the ISMS, and only systems, sites and services within that scope are covered.
For NIS2 purposes, ISO 27001 is valuable because:
- It provides a structured approach to implementing proportionate security measures, which aligns with NIS2’s requirement for “appropriate” and “proportionate” controls.
- It includes risk assessment, governance, monitoring, and incident response, all elements of NIS2 compliance.
- It is widely recognised internationally, providing a common language for security practices.
- Certification provides third-party assurance to customers, regulators, and partners regarding the entity’s security practices.
Many organisations subject to NIS2 pursue ISO 27001 certification as a foundation for their compliance programme. Compliance officers can map ISO 27001 clauses and Annex A controls to the specific measures listed in NIS2 Article 21(2), documenting how the certified ISMS addresses each one and where additional measures are needed.
EU Cybersecurity Certification Schemes
Beyond ISO 27001, the EU has established a framework for cybersecurity certification schemes covering specific categories of ICT products, services and processes. These schemes are developed under Regulation (EU) 2019/881 (the Cybersecurity Act), which defines three assurance levels (basic, substantial, high) and tasks ENISA with preparing candidate schemes that the Commission adopts by implementing regulation.
Common Criteria (CC, ISO/IEC 15408) is a long-established international standard for evaluating the security of IT products; in Europe, CC certificates have historically been issued by national schemes and mutually recognised under the SOG-IS agreement rather than under the Cybersecurity Act. Products certified to Common Criteria have undergone independent evaluation of their security properties against a defined target, and the evaluation results are published. CC applies to products (such as network security appliances, smart cards or operating systems), not to cloud services, which are covered by separate schemes.
The schemes developed under the Cybersecurity Act include:
EUCC (European Common Criteria-based cybersecurity certification scheme): Adopted by Commission Implementing Regulation (EU) 2024/482 and applicable from February 2025, EUCC is the first scheme under the Cybersecurity Act. It covers ICT products and is built on Common Criteria, offering the assurance levels “substantial” and “high” depending on the rigour of the vulnerability assessment. It is intended to succeed the SOG-IS arrangement for product certification in the EU.
EUCS (European Cybersecurity Certification Scheme for Cloud Services): A candidate scheme, still under development at the time of writing, for certifying cloud services used by public administrations and by essential and important entities. EUCS certification would provide assurance that a cloud service meets defined security requirements at a stated assurance level.
These EU schemes are designed to provide recognised security certifications that facilitate procurement by essential service providers and enable manufacturers to demonstrate security to customers.
For entities and product manufacturers, pursuing EU certification provides recognition that products and services meet defined EU security standards, facilitating procurement by critical infrastructure organisations and demonstrating commitment to security.
Certification as Evidence of NIS2 Compliance
How does certification relate to NIS2 compliance? An entity can use certification (ISO 27001, Common Criteria, or EU schemes) as evidence that it has implemented proportionate security measures satisfying NIS2 requirements.
For example:
An organisation can demonstrate ISO 27001 certification, and map the certified controls to NIS2 operational requirements (access control, encryption, monitoring, incident response), arguing that the ISMS satisfies NIS2’s requirement for proportionate measures.
A cloud service provider can obtain ISO 27001 certification and present it to essential and important entity customers as evidence supporting those customers’ supply-chain security obligations under NIS2 Article 21(2)(d), which requires entities to address the security of their relationships with direct suppliers and service providers. Customers should still verify that the certificate’s scope covers the specific service they consume.
A medical device manufacturer can pursue Common Criteria or EUCC certification, demonstrating that products meet security standards, facilitating procurement by healthcare essential service providers.
This approach has advantages for both entities and regulators:
For entities, pursuing certification provides a structured pathway to compliance, third-party assurance, and recognition that security practices meet established standards.
For regulators, certification provides evidence of compliance without requiring the regulator to conduct detailed technical audits of every entity. A certified ISMS is evidence that the entity has implemented proportionate measures.
However, certification does not replace NIS2 compliance. An entity might hold ISO 27001 certification and still not fully comply with NIS2 if its ISMS scope excludes systems that fall under NIS2, if controls required by Article 21(2) are excluded in its Statement of Applicability, or if it fails to meet obligations the standard does not cover, such as the incident reporting timelines in Article 23 or the management body responsibilities in Article 20. Certification is evidence supporting compliance, but compliance requires implementation of all applicable obligations.
Sector-Specific Standards and Guidance
Different sectors have developed sector-specific standards and best practices reflecting sector-specific risks and regulatory requirements. For example:
Healthcare has developed standards addressing medical device security, electronic health record security, and healthcare incident response.
Finance has developed standards for operational resilience, business continuity, and financial system security (many of which are now incorporated in DORA).
Energy has developed standards for industrial control system security, such as the IEC 62443 series, addressing the unique risks of OT systems where availability and safety constraints limit the controls that can be applied.
These sector-specific standards often align with and complement ISO 27001, adding sector-specific requirements. An entity might pursue ISO 27001 certification and simultaneously implement sector-specific standards reflecting the entity’s sector.
For compliance purposes, entities should check whether their Member State has published sector-specific guidance clarifying which standards or certifications it recognises as evidence of NIS2 compliance in particular sectors.
Proportionality and Certification
A common question is whether certification is required for NIS2 compliance. The answer is generally no: Article 21 requires appropriate and proportionate measures, not certification, and only a specific requirement under Article 24 to use certified ICT products, services or processes changes that for the entities concerned. A small entity can comply with NIS2 without certification, provided it implements proportionate controls documented in its security policies and procedures.
However, proportionality must be genuine. An entity claiming to be in compliance with NIS2 whilst failing to implement basic controls (access controls, monitoring, incident response) would be in violation, regardless of size. Certification is not a substitute for actual implementation.
For larger entities and those handling highly sensitive information or critical infrastructure, certification often provides practical evidence of proportionate implementation. The investment in certification and audit is justified by the credibility and assurance it provides to customers, regulators, and partners.
Key Takeaways
- Article 24 (European cybersecurity certification schemes) and Article 25 (standardisation) recognise standards and certification as mechanisms for demonstrating NIS2 compliance. Certification is not required in general, although Member States or the Commission may require the use of certified ICT products, services or processes for particular categories of entities.
- ISO 27001 is a widely recognised framework for implementing proportionate security measures, including risk assessment, governance, controls, monitoring, and incident response. ISO 27001 certification provides evidence of systematic implementation.
- EU cybersecurity certification schemes under the Cybersecurity Act (EUCC for products, the candidate EUCS for cloud services), alongside international Common Criteria certification, provide recognised assurance for products and services, facilitating procurement by essential and important entities and demonstrating security to customers.
- Certification supports compliance by providing a structured approach to implementing proportionate measures and third-party assurance of security practices, but does not replace actual implementation of NIS2 obligations.
- Sector-specific standards (healthcare, finance, energy, transport) often complement ISO 27001, addressing sector-specific risks and requirements. Entities should check their Member State’s sector-specific guidance.
- For larger entities and those handling critical infrastructure or sensitive data, certification often provides practical evidence of proportionate implementation and credibility to customers and regulators.
- Proportionality is not eliminated by size: small entities can comply with NIS2 without certification, provided they implement proportionate controls, but genuinely proportionate implementation is still required.