What is the primary objective of NIS2?

The primary objective of NIS2 is to establish a high common level of cybersecurity and resilience across EU member states by strengthening critical infrastructure and digital services against cyber threats. It expands on the original NIS Directive through a size-cap rule applying to medium and large entities in sectors like energy, transport, health, digital infrastructure, postal services, waste management, and food production, mandating risk management, incident reporting, supply chain security, and cross-border cooperation.

Who is legally or professionally required to comply with NIS2?

NIS2 applies to all medium-sized and large entities classified as 'essential' or 'important' within specified EU sectors. Essential entities typically have 250+ employees, €50M+ annual turnover, or €43M+ balance sheet; important entities have 50+ employees, €10M+ annual turnover, or €10M+ balance sheet. Criticality can override size if an entity is a sole provider of vital services; sectors include energy, transport, public administration, cloud computing, and online marketplaces, with member states required to transpose by October 17, 2024.

Does NIS2 require an external audit or third-party certification?

NIS2 does not mandate external audits or third-party certification but empowers national authorities for spot checks and real-time evidence demands. Compliance shifts to continuous assurance via dynamic risk registers, OT/IT asset inventories, and verifiable controls, with senior management directly accountable; registration with central authorities is required, providing details like sector classification and operating member states.

How often should an assessment for NIS2 be performed?

NIS2 requires ongoing, continuous risk assessments rather than fixed intervals, with quarterly updates to risk registers and asset inventories recommended. Entities must maintain dynamic practices for vulnerability identification, supply chain reviews, and mitigation measures, supporting real-time evidence for regulatory spot checks and ensuring proactive resilience.

What are the consequences of non-compliance with NIS2?

Non-compliance with NIS2 incurs fines up to €10 million or 2% of total global annual turnover for essential entities, and €7 million or 1.4% for important entities. Additional penalties include business suspension, personal liability for senior management, and enforcement by national CSIRTs and authorities, effective post-October 18, 2024 transposition.

An NIS2 be mapped to other international frameworks?

Yes, EU member states incorporate standards like ISO 27001 and NIST CSF into national NIS2 frameworks to facilitate mapping and compliance. This alignment supports risk management, incident response, and supply chain security, enabling organizations to leverage existing controls for NIS2's continuous assurance model.

What is the first step to begin implementing NIS2?

The first step for NIS2 implementation is to determine applicability by assessing entity size, sector, and criticality against the size-cap rule. Conduct a gap analysis of current risk management, register with national authorities, and establish governance with senior management accountability, prioritizing incident reporting procedures and supply chain security.

What is the primary objective of ISO 37001?

ISO 37001 specifies requirements for establishing, implementing, maintaining, reviewing, and improving an Anti-Bribery Management System (ABMS) to prevent, detect, and respond to bribery. It enables organizations to demonstrate reasonable, proportionate measures aligned with anti-bribery laws and voluntary commitments, following the PDCA cycle across Clauses 4–10, without guaranteeing bribery will never occur.

Who is legally or professionally required to comply with ISO 37001?

ISO 37001 is voluntary and applicable to all organizations—public, private, or not-for-profit—regardless of size, type, or sector. No legal mandates exist, but it is professionally essential for high-risk entities like multinationals in extractives, construction, or public procurement, where third-party exposure (95% of cases) demands due diligence for regulatory defense and market access.

Oes ISO 37001 require an external audit or third-party certification?

ISO 37001 certification is optional but involves accredited third-party audits: Stage 1 (documentation) and Stage 2 (effectiveness), valid for 3 years with annual surveillance. Certification amplifies evidentiary value as "reasonable steps," though internal audits suffice for ABMS operation per Clause 9.

How often should an assessment for ISO 37001 be performed?

Bribery risk assessments under ISO 37001 Clause 4.5 and 6.1 must be conducted initially, then periodically and when changes occur, such as new markets or M&A. Mature programs perform onboarding due diligence (99% of firms), contract renewals, and independent reviews (56%), with internal audits at planned intervals per Clause 9.2.

What are the consequences of non-compliance with ISO 37001?

Non-conformance with ISO 37001 risks certification suspension, but as a voluntary standard, primary consequences are indirect: heightened bribery liability, fines under laws like FCPA/UK Bribery Act, reputational damage, and lost contracts. It offers no absolute prosecution immunity but provides mitigating evidence of due diligence.

An ISO 37001 be mapped to other international frameworks?

Yes, ISO 37001 aligns with the Harmonized Structure (HS) for seamless integration with ISO management systems like quality or information security standards. Its PDCA architecture and Clause 4–10 structure enable mapping to broader compliance frameworks, reducing duplication while focusing on bribery-specific controls.

What is the first step to begin implementing ISO 37001?

The first step is determining organizational context and scope per Clause 4, including bribery risk assessment (Clause 4.5). Secure leadership commitment (Clause 5), appoint an anti-bribery compliance function, and conduct a gap analysis against Clauses 4–10 to prioritize proportionate controls.

Standards Comparison

NIS2 vs ISO 37001

NIS2

Mandatory

2022

EU directive for high cybersecurity across critical sectors

ISO 37001

Voluntary

2025

International standard for anti-bribery management systems

Quick Verdict

NIS2 mandates cybersecurity resilience for EU essential entities with strict reporting and fines, while ISO 37001 offers voluntary anti-bribery certification globally. Companies adopt NIS2 for regulatory compliance, ISO 37001 for ethical governance and risk mitigation.

Cybersecurity

NIS2

Directive (EU) 2022/2555 (NIS2 Directive)

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Expands scope via size-cap rule to medium/large entities
Mandates strict multi-stage incident reporting timelines
Imposes direct senior management accountability
Requires continuous risk and supply chain management
Levies fines up to 2% global annual turnover

Anti-Bribery/Compliance

ISO 37001

ISO 37001 Anti-Bribery Management Systems

Cost

€€€

Complexity

Medium

Implementation Time

6-12 months

Key Features

Risk-based bribery risk assessments
Third-party due diligence requirements
Leadership commitment and anti-bribery policy
Financial and non-financial controls
PDCA cycle with audits and improvement

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

NIS2 Details

What It Is

NIS2 Directive (EU) 2022/2555 is an EU regulation expanding the original NIS Directive to achieve a high common level of cybersecurity resilience across member states. It targets essential and important entities in 18 sectors like energy, transport, and digital infrastructure via a size-cap rule (50+ employees or €10M turnover). Adopts a risk-based, continuous assurance approach shifting from static compliance to proactive measures.

Key Components

Four pillars: risk management, business continuity, incident reporting, corporate accountability.
Strict reporting: 24-hour early warning, 72-hour notification, one-month final report.
Requirements include supply chain security, access controls, encryption, and dynamic risk registers.
Builds on standards like ISO 27001, NIST CSF; no formal certification but national enforcement.

Why Organizations Use It

Mandatory for covered entities to avoid fines up to €10M or 2% global turnover. Enhances cyber resilience, ensures service continuity, builds stakeholder trust, and mitigates threats like supply chain attacks. Provides competitive edge through robust governance and cross-border cooperation.

Implementation Overview

Involves risk assessments, incident procedures, management training, and supplier audits. Applies EU-wide to medium/large entities post-October 2024 transposition. Features spot checks, real-time evidence demands by national CSIRTs and authorities; ongoing maintenance required.

ISO 37001 Details

What It Is

ISO 37001 is the international standard for Anti-Bribery Management Systems (ABMS), a certifiable framework published in 2016. It provides requirements to prevent, detect, and respond to bribery risks across organizations, focusing on direct/indirect bribery involving personnel and business associates. It follows a risk-based, PDCA (Plan-Do-Check-Act) approach aligned with the ISO Harmonized Structure for integration with other standards.

Key Components

Clauses 4-10 cover context, leadership, planning, support, operations, evaluation, and improvement.
Core controls: anti-bribery policy, risk assessments, due diligence, financial/non-financial controls, training, reporting, audits.
Built on proportionality to bribery risks; optional third-party certification with annual surveillance.

Why Organizations Use It

Mitigates legal risks (e.g., FCPA, UK Bribery Act) via evidentiary 'reasonable steps'.
Drives efficiencies (up to 15% compliance cost reduction), reputational trust, ESG alignment.
Enables market access, stakeholder confidence in high-risk sectors like extractives, finance.

Implementation Overview

Phased: gap analysis, risk assessment, control design, training, audits, certification.
Scalable for all sizes/sectors; 6-12 months typical; requires leadership commitment, documentation.

Key Differences

Aspect	NIS2	ISO 37001
Scope	Cybersecurity risk management, incident reporting	Anti-bribery management, corruption prevention
Industry	Essential/important EU sectors (energy, transport)	All sectors worldwide, any organization size
Nature	Mandatory EU regulation with fines	Voluntary certifiable management standard
Testing	National authority oversight, spot checks	Third-party certification audits, internal audits
Penalties	Up to 2% global turnover or €10M fines	Loss of certification, no legal penalties

Scope

NIS2

Cybersecurity risk management, incident reporting

ISO 37001

Anti-bribery management, corruption prevention

Industry

NIS2

Essential/important EU sectors (energy, transport)

ISO 37001

All sectors worldwide, any organization size

Nature

NIS2

Mandatory EU regulation with fines

ISO 37001

Voluntary certifiable management standard

Testing

NIS2

National authority oversight, spot checks

ISO 37001

Third-party certification audits, internal audits

Penalties

NIS2

Up to 2% global turnover or €10M fines

ISO 37001

Loss of certification, no legal penalties

Frequently Asked Questions

Common questions about NIS2 and ISO 37001

NIS2 FAQ

ISO 37001 FAQ

You Might also be Interested in These Articles...

What is DORA and which Requirements does the Standard define?

Discover DORA requirements for info security, strict authority monitoring, and steps to achieve compliance. Build a resilient organization with our detailed gui

Beyond the Boardroom: 5 Ways Modern Compliance Software Elevates Every Department

Discover 5 ways modern compliance software boosts HR, IT, finance & more: automate risks, enhance efficiency, ensure data integrity, stay audit-ready. Elevate y

NIST 800-53 Private Sector ROI Reality Check: Isolating Control Family Impacts on 2024 Breach Costs

Discover NIST 800-53 ROI in private sector: control families like RA, SI, SR reduce median breach costs from $100K to under $50K. Get benchmarks to prioritize i

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Explore More Comparisons

See how NIS2 and ISO 37001 compare against other standards

Other NIS2 Comparisons

Other ISO 37001 Comparisons

What It Is

Key Components

Four pillars: risk management, business continuity, incident reporting, corporate accountability.

Strict reporting: 24-hour early warning, 72-hour notification, one-month final report.

Requirements include supply chain security, access controls, encryption, and dynamic risk registers.

Builds on standards like ISO 27001, NIST CSF; no formal certification but national enforcement.

What It Is

Key Components

Clauses 4-10 cover context, leadership, planning, support, operations, evaluation, and improvement.

Core controls: anti-bribery policy, risk assessments, due diligence, financial/non-financial controls, training, reporting, audits.

Built on proportionality to bribery risks; optional third-party certification with annual surveillance.

Aspect

NIS2

ISO 37001

Scope

Cybersecurity risk management, incident reporting

Anti-bribery management, corruption prevention

Industry

Essential/important EU sectors (energy, transport)

All sectors worldwide, any organization size

Nature

Mandatory EU regulation with fines

Voluntary certifiable management standard

Testing

National authority oversight, spot checks

Third-party certification audits, internal audits

Penalties

Up to 2% global turnover or €10M fines

Loss of certification, no legal penalties