The bar is being raised; are you ready for the new reality?

Author: Mr.drs. Jelmer Garretsen, Business Development Manager DEKRA

May 13, 2026

Information security management system / Cyber Security / Audit

What does this mean for your organization?

The world around us is changing rapidly, and organizations are facing an increasingly complex operating environment. For example, the new Cybersecurity Act, which will soon come into effect, presents a significant challenge for organizations seeking to ensure their digital resilience. In addition, the National QHSE Survey, published in late April, provided valuable insights into the current state of affairs regarding quality, health, safety, and the environment. In this blog, we discuss what these developments mean for your organization. Is your organization prepared for what lies ahead?

Humans as the greatest vulnerability

The National QHSE Survey shows that organizations themselves cite “employees” (66%) as their greatest vulnerability when it comes to cyber threats and attacks. This closely aligns with DEKRA’s experience: the human factor is also systematically assessed within our ISO 27001 audits. Our People-Based Auditing approach plays a key role in this, as it helps us understand how behavior, awareness, and culture contribute to—or, conversely, undermine—an organization’s digital resilience.

Continuous improvement as a foundation

Many organizations are actively engaged in continuous improvement, a core principle of all ISO standards, including ISO 27001. Questions such as “How do you perceive the culture of continuous improvement within your organization?” and “Which approach has been most helpful to you?” are directly aligned with the Plan-Do-Check-Act principle on which ISO management systems are based. NIS2 further reinforces this necessity: organizations must demonstrate that they are and remain in control. Continuous improvement is therefore not only an ISO requirement but also a prerequisite for compliance with the new legislation.

Digital Resilience with NIS2 and ISO 27001

With the implementation of the new Cybersecurity Act (Cbw), based on the European NIS2 Directive, organizations must professionalize their cybersecurity and risk management processes. ISO 27001 provides a logical foundation for this. This international standard helps organizations manage risks in a structured manner and demonstrate that their security measures are in order. Many of the mandatory measures within NIS2, such as incident management and access control, are already part of a mature Information Security Management System (ISMS). Organizations that have implemented ISO 27001 therefore have a solid foundation, but that does not mean they are automatically fully compliant with NIS2. NIS2 imposes stricter requirements and introduces additional obligations.

What are the differences?

Governance
ISO 27001: Sets requirements for governance, but they are less strict.
NIS2: Places strong emphasis on active involvement by the board, with the possibility of personal liability.

Incident reporting
ISO 27001: Requires an incident management process.
NIS2: Requires a strict reporting procedure: an early warning within 24 hours, a detailed report within 72 hours, and a final report within one month.

Supply chain management
ISO 27001: Lays the groundwork for supplier security.
NIS2: Requires thorough due diligence, contractual requirements, and periodic reviews of critical partners.

Supervision & sanctions
ISO 27001: Involves audits and certifications, without direct legal enforcement.
NIS2: Involves active oversight by authorities and can result in heavy fines for noncompliance.

A future-proof cybersecurity framework

Start with this combination

Combining ISO 27001 with the additional NIS2 requirements creates a future-proof cybersecurity framework. ISO 27001 provides structure and risk management, while the NIS2 obligations ensure management commitment, rapid incident reporting, and more robust supply chain security. Organizations that seriously implement this combination not only comply with the law but also strengthen their digital resilience. This contributes to the trust of customers, partners, and regulators. The National QHSE Survey shows that certification is already common practice within many organizations, but that only 20 percent hold ISO 27001 certification. This indicates that there is still a significant step to be taken toward professional information security.
Do you have a question?
Would you like to learn more about how certifications can lay a solid foundation for cybersecurity within your organization? Simply get in touch with one of our experts.