What is the primary objective of **NIS2**?

**The primary objective of NIS2 is to establish a high common level of cybersecurity and resilience across EU member states by strengthening critical infrastructure and digital services against cyber threats.** It expands upon the original NIS Directive through a size-cap rule applying to medium and large entities in sectors like energy, transport, health, digital infrastructure, postal services, waste management, and food production, mandating risk management, incident reporting, supply chain security, and cross-border cooperation.

Who is legally or professionally required to comply with **NIS2**?

**NIS2 applies to all medium-sized and large entities classified as 'essential' or 'important' within specified EU sectors.** Essential entities typically have 250+ employees, €50M+ annual turnover, or €43M+ balance sheet; important entities have 50+ employees, €10M+ annual turnover, or €10M+ balance sheet. Criticality can override size if an entity is a sole provider of essential services; sectors include energy, transport, public administration, cloud computing, and online marketplaces, with member states required to transpose by October 17, 2024.

Does **NIS2** require an external audit or third-party certification?

**NIS2 does not mandate external audits or third-party certification but empowers national authorities for supervision, including registration, spot checks, and demands for real-time evidence of compliance.** Entities must register with central authorities providing details like name, contacts, sector, and operating states; enforcement varies by member state, with a shift to continuous assurance over static audits.

How often should an assessment for **NIS2** be performed?

**NIS2 requires ongoing, continuous risk assessments rather than fixed intervals, with dynamic risk registers and asset inventories updated quarterly.** Organizations must maintain proactive risk management, including regular vulnerability identification, supply chain reviews, and closed-loop improvements to ensure resilience, supporting strict incident reporting timelines like 24-hour early warnings.

What are the consequences of non-compliance with **NIS2**?

**Non-compliance with NIS2 incurs fines up to €10 million or 2% of total global annual turnover for essential entities, and €7 million or 1.4% for important entities, plus potential business suspension and senior management liability.** National authorities enforce via spot checks, with measures effective from October 18, 2024, following transposition.

An **NIS2** be mapped to other international frameworks?

**Yes, EU member states incorporate standards like ISO 27001 and NIST CSF into national NIS2 frameworks to support compliance.** This alignment aids risk management and controls, though mappings must address NIS2-specific requirements like incident timelines and supply chain security.

What is the first step to begin implementing **NIS2**?

**The first step for NIS2 implementation is to determine applicability by assessing entity size, sector, and criticality against the size-cap rule.** Conduct a gap analysis of current risk management, register with national authorities, and establish governance with senior accountability to meet transposition deadlines by October 17, 2024.

What is the primary objective of **ISO 28000**?

**ISO 28000 specifies requirements for establishing, implementing, maintaining, and continually improving a security management system (SMS) for the supply chain.** The 2022 edition provides a risk-based framework to identify, assess, and treat security risks across supply chains, protecting people, assets, goods, infrastructure, and information through PDCA cycles (Plan-Do-Check-Act). It emphasizes leadership commitment, operational controls, performance evaluation, and continual improvement via Clauses 4-10.

Who is legally or professionally required to comply with **ISO 28000**?

**No organizations are legally required to comply with ISO 28000, as it is a voluntary international standard.** Professionally, it applies to any entity in supply chains—logistics, manufacturing, retail, pharmaceuticals, energy—regardless of size, from micro-enterprises to multinationals. Adoption is driven by contractual obligations, customs programs like C-TPAT, tenders, insurance demands, or risk priorities for COOs, CSOs, and compliance officers.

Does **ISO 28000** require an external audit or third-party certification?

**ISO 28000 does not require external audit or third-party certification; conformity can be verified internally or externally.** Certification is optional via accredited bodies per ISO 28003, involving Stage 1 (documentation) and Stage 2 (implementation) audits, followed by annual surveillance. It provides market credibility, with accreditation by bodies like ANAB ensuring auditor competence.

How often should an assessment for **ISO 28000** be performed?

**Risk assessments under ISO 28000 must be maintained continuously, with formal reviews at planned intervals such as annually or upon significant changes.** Internal audits occur per a risk-based program (Clause 9.2), considering prior results. Management reviews (Clause 9.3) happen at planned intervals, typically annually, evaluating performance, risks, and improvements.

What are the consequences of non-compliance with **ISO 28000**?

**Non-compliance with ISO 28000 incurs no direct legal penalties, as it is voluntary.** Indirect consequences include supply chain disruptions from theft, sabotage, or incidents; financial losses from outages, penalties, or insurance hikes; reputational damage; and exclusion from contracts or programs requiring security credentials.

An **ISO 28000** be mapped to other international frameworks?

**Yes, ISO 28000:2022 aligns with the High Level Structure (HLS) for easy mapping to frameworks like ISO 9001, ISO 14001, ISO 22301, and ISO/IEC 27001.** Clause structure (4-10) enables integrated management systems, sharing risk registers, audits, and reviews; it references ISO 31000 for risk processes and ISO 22301 for security plans.

What is the first step to begin implementing **ISO 28000**?

**The first step is Phase 0: secure executive sponsorship, define SMS scope, and charter the program (0-6 weeks).** Conduct supply-chain mapping, appoint a Senior Responsible Owner, allocate resources, and produce a project charter with timeline and boundaries, per the PDCA-aligned framework.

NIS2 vs ISO 28000

Standards Comparison

NIS2

Mandatory

2022

EU directive for cybersecurity resilience in critical sectors

ISO 28000

Voluntary

2022

International standard for supply chain security management systems.

Quick Verdict

NIS2 mandates cybersecurity resilience for EU critical sectors with strict reporting and fines, while ISO 28000 offers voluntary supply chain security certification globally. Companies adopt NIS2 for regulatory compliance; ISO 28000 for risk reduction and market trust.

Cybersecurity

NIS2

Directive (EU) 2022/2555 (NIS2)

Cost

€€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Expands scope to medium/large entities across sectors
Mandates strict 24/72-hour incident reporting timelines
Enforces direct senior management accountability
Requires continuous risk and supply chain management
Imposes fines up to 2% global turnover

Supply Chain Security

ISO 28000

ISO 28000:2022 Security management systems — Requirements

Cost

€€€

Complexity

High

Implementation Time

12-18 months

Key Features

Risk-based supply chain security management system
PDCA cycle for continual improvement and audits
Supplier interdependency and third-party governance
Integration with ISO 27001, 22301 standards
Incident response and recovery planning

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

NIS2 Details

What It Is

NIS2 Directive (Directive (EU) 2022/2555) is an EU regulation expanding the original NIS to achieve high cybersecurity across member states. It targets essential and important entities in 18 sectors via a size-cap rule (50+ employees or €10M turnover). Adopts a risk-based, continuous assurance approach over static compliance.

Key Components

Four pillars: risk management, incident reporting, business continuity, corporate accountability.
Strict timelines: 24-hour early warning, 72-hour notification, one-month final report.
Measures include supply chain security, access controls, encryption, training.
Aligns with ISO 27001, NIST; enables spot checks, no formal certification.

Why Organizations Use It

Mandatory compliance avoids fines up to €10M or 2% global turnover.
Builds resilience against threats, protects infrastructure.
Enhances trust, reputation; drives strategic cyber maturity.
Supports cross-border cooperation, incident sharing.

Implementation Overview

Applies EU-wide to medium/large entities in critical sectors. Involves risk assessments, policies, reporting setup, management training. Member states transposed by Oct 2024; ongoing audits, spot checks required. Enterprise-wide transformation leveraging existing standards.

ISO 28000 Details

What It Is

ISO 28000:2022 is an international management system standard titled Security and resilience — Security management systems — Requirements. It provides a risk-based framework for establishing, implementing, maintaining, and improving a security management system (SMS) focused on supply chain protection against threats like theft, sabotage, and disruptions.

Key Components

Core clauses: Context, leadership, planning, support, operation, performance evaluation, improvement (PDCA-aligned).
10 main clauses emphasizing risk assessment, controls, supplier governance, incident response.
Built on ISO High Level Structure (HLS) for integration with ISO 9001, 27001, 22301.
Optional certification via accredited bodies per ISO 28003.

Why Organizations Use It

Reduces incident costs, insurance premiums; enables trade facilitation.
Meets contractual/regulatory drivers (e.g., C-TPAT equivalents).
Enhances resilience, stakeholder trust, competitive edge in logistics, manufacturing.

Implementation Overview

Phased: Gap analysis, risk assessment, controls deployment, audits (6-36 months).
Scalable for all sizes/industries; requires supply chain mapping, training, continual improvement.

Key Differences

Aspect	NIS2	ISO 28000
Scope	Cybersecurity risk management, incident reporting for critical sectors	Supply chain security management system, risk-based controls
Industry	Essential/important entities in EU sectors like energy, transport	Logistics, manufacturing, any supply chain organizations globally
Nature	Mandatory EU regulation with national transposition	Voluntary international certification standard
Testing	Incident reporting, national authority oversight, spot checks	Internal audits, management reviews, third-party certification audits
Penalties	Fines up to 2% global turnover or €10M	Loss of certification, no legal fines

Scope

NIS2

Cybersecurity risk management, incident reporting for critical sectors

ISO 28000

Supply chain security management system, risk-based controls

Industry

NIS2

Essential/important entities in EU sectors like energy, transport

ISO 28000

Logistics, manufacturing, any supply chain organizations globally

Nature

NIS2

Mandatory EU regulation with national transposition

ISO 28000

Voluntary international certification standard

Testing

NIS2

Incident reporting, national authority oversight, spot checks

ISO 28000

Internal audits, management reviews, third-party certification audits

Penalties

NIS2

Fines up to 2% global turnover or €10M

ISO 28000

Loss of certification, no legal fines

Frequently Asked Questions

Common questions about NIS2 and ISO 28000

NIS2 FAQ

ISO 28000 FAQ

You Might also be Interested in These Articles...

CIS Controls v8.1, Operationalized: Top 10 Reasons Compliance Monitoring Software Accelerates Real-World Implementation

Operationalize CIS Controls v8.1 with compliance monitoring software. Turn checklists into dashboards, tickets, and audit-proof workflows. Top 10 reasons it acc

Beyond Reactive: Transforming Compliance into Real-Time Threat Prevention

Discover how modern compliance monitoring tools leverage continuous, real-time oversight and automated alerts to shift organizations from reactive problem-solving to proactive threat detection and prevention, safeguarding against emerging risks before they escalate.

How to Implement CIS Controls v8.1 as a ‘Control Backbone’ for NIS2 & DORA (Step-by-Step Implementation Guide)

Deploy CIS Controls v8.1 as a control backbone for NIS2 & DORA compliance. Step-by-step roadmap (IG1→IG2), deliverables, metrics & evidence model for hybrid/clo

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

COPPA vs C-TPAT

Compare COPPA vs C-TPAT: Child privacy law meets supply chain security. Decode rules, fines ($170M YouTube case), compliance tips for apps & trade. Boost protection now!

PIPEDA vs AS9100

Compare PIPEDA vs AS9100: Canada's privacy law meets aerospace QMS standards. Uncover differences, compliance tips & strategies for seamless integration. Boost your ops now!

ISO 9001 vs HIPAA

ISO 9001 vs HIPAA: Compare global QMS standard for quality excellence with healthcare privacy rules. Discover ISO 9001 benefits, PDCA principles, certifications & adaptations like ISO 13485. Boost compliance now!

NIS2

ISO 28000

Quick Verdict

NIS2

Key Features

ISO 28000

Key Features

Detailed Analysis

NIS2 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

ISO 28000 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

NIS2 FAQ

What is the primary objective of NIS2?

Who is legally or professionally required to comply with NIS2?

Does NIS2 require an external audit or third-party certification?

How often should an assessment for NIS2 be performed?

What are the consequences of non-compliance with NIS2?

An NIS2 be mapped to other international frameworks?

What is the first step to begin implementing NIS2?

ISO 28000 FAQ

What is the primary objective of ISO 28000?

Who is legally or professionally required to comply with ISO 28000?

Does ISO 28000 require an external audit or third-party certification?

How often should an assessment for ISO 28000 be performed?

What are the consequences of non-compliance with ISO 28000?

An ISO 28000 be mapped to other international frameworks?

What is the first step to begin implementing ISO 28000?

You Might also be Interested in These Articles...

CIS Controls v8.1, Operationalized: Top 10 Reasons Compliance Monitoring Software Accelerates Real-World Implementation

Beyond Reactive: Transforming Compliance into Real-Time Threat Prevention

How to Implement CIS Controls v8.1 as a ‘Control Backbone’ for NIS2 & DORA (Step-by-Step Implementation Guide)

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

COPPA vs C-TPAT

PIPEDA vs AS9100

ISO 9001 vs HIPAA