The NIS2 Directive is currently putting a lot of pressure on many companies. Those that already operate an information security management system in accordance with ISO 27001 are particularly concerned: What is actually changing now? Is NIS2 just a rebranding, or is there a real tightening of regulations behind it?
In short:
ISO 27001 lays the foundation for structured security management, but NIS2 specifies, tightens, and, above all, operationalizes these requirements. The directive therefore not only demands the existence of processes and policies, but also requires verifiable evidence, faster response times, and greater responsibility at management level.
Before we discuss later how to implement these requirements in a technically sensible way, let’s take a clear look at the differences.
ISO 27001 and NIS 2 in comparison
There is considerable overlap between ISO 27001 and NIS 2. Both focus on risk management, documented processes, continuous improvement, and technical protective measures.
Nevertheless, NIS 2 goes deeper in key areas and requires greater transparency and operational evidence.
| Area | ISO27001 | NIS2 – additional requirements |
|---|---|---|
| Risk management | Standardized risk analysis with derivation of measures | Must be aligned with EU/industry risks, including the supply chain |
| Incident Management | Processes for handling security incidents; A.5.24 – 5.28 Planning, detection, response, learning, evidence | Obligation to report: |
| Supply chain / Third parties | A.5.19 / A.5.20 mandatory | Supervision & stricter expectations; additional details may apply under Regulation 2024/2690 for digital sectors. |
| Governance | Roles and responsibilities in the ISMS | Management personally liable for violations, stronger management obligations & sanctions framework |
| Monitoring & Detection | A.8.15 Logging, A.8.16 Monitoring | Appropriate measures (Art. 21) – and specific logging/redundancy requirements for certain sectors (Regulation 2024/2690). |
| Business Continuity | Part of the ISMS | Explicitly in Art. 21(c); tests/drills as required evidence in guidelines/regulations. |
In short: ISO27001 creates the basis – NIS2 requires proof.
NIS2 compliance: Why ISO27001 alone is not enough
This is precisely where it is decided whether a company truly meets the NIS2 requirements. ISO27001 provides structure and methods. NIS2, on the other hand, expects continuous monitoring, ongoing documentation, forensic traceability, and responsive processes that prove their worth within a few hours in an emergency.
A few practical examples:
- An incident management process is no longer sufficient. It must be measurable, rehearsed, and documented.
- Logging and monitoring should no longer be “best effort.” Centralized analysis, alerting, and archiving are required.
- The supply chain requires not only contracts, but also proof that risks are identified, assessed, and monitored.
NIS2 is a “show me the data” framework. It demands operational security, not just management security.
This makes it clear that the gap between ISO27001 and NIS2 does not arise in terms of “what” but rather “how.”
From directive to reality: technical implementation
After the theoretical classification, the question arises:
How can these verification and monitoring obligations be implemented in practice without sinking into Excel chaos or introducing a new tool every week? This is where the technical level comes into play:
A central security tool helps to
• collect logs
• correlate alerts
• automatically detect vulnerabilities
• check configurations against standards
• generate reports for auditors and authorities
In the next step, we will look at how exactly these tasks can be solved with an integrated system such as Wazuh. But how do you achieve clarity, priority, and traceability in your security processes?
A pragmatic roadmap could look like this:
Inventory:
Which systems, processes, and service providers are critical in terms of NIS2?
Tip: Don’t set the scope too narrowly.
Gap analysis:
Check which NIS2 requirements are already covered by your ISMS and where technical evidence is lacking.
Wazuh Pilot:
Start with a PoC. Find out which alerts are relevant and which can be filtered out.
Integration:
Connect Wazuh to your existing systems: Active Directory, M365, firewalls, specialist applications, cloud providers, ticketing. This is the only way to create a consistent picture.
Governance & Processes:
Define who evaluates alerts, when they are reported, and how responses are documented. This is the part that turns logs into real compliance.
Wazuh as the technical basis for NIS2 implementation
Wazuh provides exactly the modules that NIS2 requires for operations: continuous monitoring, file integrity monitoring, vulnerability analysis, configuration checks, and audit reporting. This not only enables ISO27001 and NIS2 requirements to be met, but also provides verifiable evidence of compliance.
1. Monitoring & Detection – making visible what is happening
Wazuh combines SIEM, IDS, and endpoint monitoring in one platform.
Whether it’s Windows servers, Linux systems, containers, or cloud workloads, events are collected, correlated, and evaluated centrally.
Practical benefits for NIS2:
- Compliance with the obligation to continuously monitor (“security event logging”)
- Automatic alerts for policy violations or suspicious activities
- Forensic evaluability through log archiving
2. File Integrity Monitoring (FIM) – Protection against manipulation
Tamper protection is crucial, especially for critical infrastructures.
Wazuh detects any changes to system files, configurations, or registry keys.
Practical benefits:
- Audit-proof evidence of system integrity
- Early warning for ransomware or insider activity
- Basis for audit reports (A.8.15 Logging, A.8.16 Monitoring Activities, optional A.8.9 Configuration Management, ISO27001)
3. Vulnerability Detection – Automated monitoring of vulnerabilities
NIS2 explicitly requires continuous vulnerability management.
Wazuh regularly scans installed software and operating systems for CVEs, prioritizes them according to criticality, and generates alerts.
Practical benefits:
- Comparison against regularly updated feeds / CVE databases
- Integration into patch management or ticketing systems
- Documented evidence of risk treatment
4. Security Configuration Assessment (SCA) – Systematic hardening
A poorly configured server can undermine any firewall.
The SCA module from Wazuh checks systems against defined baselines (e.g., CIS benchmarks).
Practical benefits:
- Identification of unsafe settings
- Proof of technical hardening for audit & compliance
- Can be combined with central policies (e.g., Ansible, Puppet)
5. Reporting & Audit Integration – Documentation without Excel madness
Probably the most underestimated NIS2 requirement: documentation obligations.
Wazuh generates detailed reports and can automatically map compliance frameworks such as ISO27001, PCI DSS, or NIST.
Practical benefits:
- Exportable reports for auditors or authorities
- Automatic rule checks per host/system
- Timely verification in the event of incidents or audits
Wazuh as the technical basis for ISO27001
Even though Wazuh is often the star in the context of NIS2, it plays an equally important role for ISO27001. Many companies underestimate how many controls of ISO 27001:2022 can not only be mapped with Wazuh, but also objectively verified.
Precisely because ISO27001 is highly process-oriented, technical support is needed in the right places to properly map monitoring, logging, configuration checks, and vulnerability management. This is where Wazuh excels, because it offers a unified platform that centralizes all relevant technical evidence.
One advantage is that Wazuh is not just “another security tool,” but fits directly into the logic of an ISMS:
• Continuous improvement
• Reproducible measurability
• Documentable controls
• Audit-proof evidence
This makes Wazuh a kind of technical backbone that reliably supports ISO-critical processes.
| ISO 27001:2022 Control | Exemplary implementation with Wazuh |
|---|---|
| A.8.15 Logging | Central collection, protection, and evaluation of logs |
| A.8.16 Monitoring Activities | Correlation/detection of anomalous events, dashboards/alerts |
| A.8.8 Management of Technical Vulnerabilities | CVE detection, prioritization, reporting |
| A.8.9 Configuration Management | SCA checks against baselines (e.g., CIS) |
| A.5.24 – A.5.28 Incident Management | Alert handling, ticket flows, response, lessons learned, preservation of evidence |
| A.5.9 Asset Inventory | Agent rollout, inventory (Syscollector), comparison with policies |
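To make the control table above concrete, the following added example (not code from Wazuh or from this article) turns JSON alert lines into a per-control evidence summary that can be handed to an auditor. The group-to-control mapping, the level threshold, and the sample alert lines are assumptions constructed for illustration; the rule groups `syscheck`, `sca` and `vulnerability-detector` are the ones Wazuh attaches to FIM, SCA and vulnerability alerts.

```python
import json
from collections import defaultdict

# Assumed mapping from Wazuh rule groups to the ISO 27001:2022 controls in the
# table above; adapt it to your own statement of applicability.
GROUP_TO_CONTROL = {
    "syscheck": "A.8.16",               # file integrity monitoring
    "vulnerability-detector": "A.8.8",  # CVE detection
    "sca": "A.8.9",                     # configuration assessment
}

# Constructed sample in the shape of Wazuh's alerts.json (one JSON object per line).
SAMPLE_ALERTS = """\
{"timestamp":"2025-01-10T08:01:12+0000","rule":{"id":"550","level":7,"groups":["ossec","syscheck"]},"agent":{"id":"001","name":"web01"}}
{"timestamp":"2025-01-10T08:02:40+0000","rule":{"id":"19008","level":3,"groups":["sca"]},"agent":{"id":"002","name":"db01"}}
{"timestamp":"2025-01-10T08:03:05+0000","rule":{"id":"19007","level":7,"groups":["sca"]},"agent":{"id":"002","name":"db01"}}
{"timestamp":"2025-01-10T08:04:51+0000","rule":{"id":"23505","level":10,"groups":["vulnerability-detector"]},"agent":{"id":"001","name":"web01"}}
{"timestamp":"2025-01-10T08:05:17+0000","rule":{"id":"5716","level":5,"groups":["syslog","sshd","authentication_failed"]},"agent":{"id":"001","name":"web01"}}
{"timestamp":"2025-01-10T08:09:00+0000","rule":{"id":"550","lev
{"timestamp":"2025-01-10T08:11:33+0000","rule":{"id":"550","level":7,"groups":["ossec","syscheck"]},"agent":{"id":"002","name":"db01"}}
"""

def evidence_by_control(lines, min_level=5):
    """Return ({control: {alerts, max_level, agents}}, number_of_unparsable_lines)."""
    summary = defaultdict(lambda: {"alerts": 0, "max_level": 0, "agents": set()})
    skipped = 0
    for line in lines:
        if not line.strip():
            continue
        try:
            alert = json.loads(line)
            rule = alert["rule"]
            level = int(rule["level"])
        except (ValueError, KeyError, TypeError):
            skipped += 1  # truncated or malformed line: report it, do not hide it
            continue
        if level < min_level:  # pilot-phase noise filter
            continue
        controls = {GROUP_TO_CONTROL[g] for g in rule.get("groups", []) if g in GROUP_TO_CONTROL}
        for control in controls:
            entry = summary[control]
            entry["alerts"] += 1
            entry["max_level"] = max(entry["max_level"], level)
            entry["agents"].add(alert.get("agent", {}).get("name", "unknown"))
    return dict(summary), skipped

if __name__ == "__main__":
    report, bad = evidence_by_control(SAMPLE_ALERTS.splitlines())
    for control in sorted(report):
        print(control, report[control])
    print("unparsable lines:", bad)
```

The count of unparsable lines belongs in the report as well: gaps in the log stream are themselves relevant to A.8.15.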
Conclusion: Less policy, more reality
NIS2 is not an additional bureaucratic hurdle, but rather an impetus to finally operationalize security consistently. With a structured ISMS (ISO27001) and a strong technical foundation (Wazuh), you can achieve exactly that: transparency, responsiveness, and reliable evidence.
If you want to know how to implement NIS2 compliance properly from a technical and organizational perspective, we will be happy to assist you.
We can assist with:
- the integration of Wazuh into your environment
- the mapping of ISO 27001 controls to NIS 2 requirements
- the establishment of monitoring, logging, and reporting processes that are suitable for auditing

