Information Security 6 min read

Integrating NIS2, ISO/IEC 27001, and KSZI requirements

Combining NIS2 directives, ISO/IEC 27001 processes, and KSZI requirements without redundant workflows. A practical approach to security architecture.

By 2026, cybersecurity compliance has ceased to be a mere formality. According to the ENISA Threat Landscape 2025 report, which analyzed 4,875 incidents between July 1, 2024, and June 30, 2025, 53.7% of affected organizations fall into the category of essential entities. This makes aligning corporate systems with the NIS2 directive and modern international standards a critical business task.

However, in practice, Ukrainian companies working with European partners face synchronization challenges. They must simultaneously meet strict EU directives (NIS2), undergo process certification for ISO/IEC 27001, and maintain a comprehensive information protection system (KSZI) for domestic regulators. Attempting to implement these requirements in isolation leads to chaos, redundant audits, and "paper-based security" that fails to stop real cyberattacks.

Three dimensions of regulation: Distinguishing NIS2, ISO/IEC 27001, and KSZI

To build an effective and rational security architecture, it is essential to understand the different nature of these three regulatory frameworks. They do not replace each other, but with the right approach, they integrate perfectly:

  • NIS2 (EU Directive): A mandatory directive for critical sectors. It focuses on management responsibility, supply chain security, and urgent incident reporting (within 24 and 72 hours). Non-compliance carries significant fines and risks for company management.
  • ISO/IEC 27001: An international standard describing Information Security Management System (ISMS) processes. An ISO/IEC 27001 certificate does not automatically equate to full NIS2 compliance. It provides a solid foundation, but additional gap analysis is required for EU directive compliance.
  • KSZI: The Ukrainian regulatory framework focusing on the technical protection perimeter, hardware solutions, and documentary proof of system security. KSZI and ISO/IEC 27001 are not methodologically equivalent, as KSZI addresses state-level technical certification rather than flexible corporate risk management.

Anatomy of threats: Why paper-based compliance won't stop phishing

Perfectly documented policies are useless if not technically implemented. According to the ENISA report, the digital infrastructure and services sector accounted for approximately 27.7% of all data breaches. Primary initial access vectors remain targeted phishing and supply chain attacks, where attackers compromise companies through trusted contractors.

Moving from formal checklists to real protection requires modeling attacker behavior. The MITRE ATT&CK knowledge base allows for structuring attacker tactics and techniques. Integrating the MITRE ATT&CK matrix into Security Operations Center (SOC) processes helps tune anomaly detection to the current threat landscape, ensuring monitoring protects infrastructure continuously, not just during audits.

Cross-mapping requirements: Building a unified system based on NIST CSF 2.0

Resource duplication can be avoided using a unified risk management framework. NIST Cybersecurity Framework (CSF) 2.0 is an effective tool. While voluntary, it enables cross-mapping of requirements to ISO/IEC 27001 and other standards. Specifically, the Govern (GV) function in NIST CSF 2.0 emphasizes cyber risk as part of overall corporate governance.

Security criterionNIS2 (EU Directive)ISO/IEC 27001 (Standard)KSZI (Ukraine)NIST CSF 2.0 (Framework)
Risk managementArt. 21 (Risk management)Sections 6 and 8General ISMS requirementsGovern (GV) function
Supply chainSupplier securityControl A.5.19 - A.5.23Not directly coveredGV.SC (Supply Chain)
Incident responseArt. 23 (24/72h reporting)Control A.5.24 - A.5.28Response instructionsRespond (RS) function

Built-in security: Translating requirements into technical architecture

To ensure a system meets all three regulations (NIS2, ISO/IEC 27001, KSZI), security principles must be embedded at the architecture and code level (Security by Design). Access control, authentication, and audit tools must be part of the technology platform.

An example of such an architectural foundation is the UnityBase platform—a joint development by companies within the Intecracy Group alliance (where InBase acts as a key, but not sole, developer). This full-stack JavaScript low-code platform integrates data, UI, and API through a unified domain model (Domain metadata), ensuring centralized access control.

For high-load systems or those with strict regulatory requirements, the official platform documentation recommends Enterprise (EE) or Defence (DE) commercial editions. They support Access Control Lists (ACL), attribute-based security, Row-Level Security (RLS), and immutable audit trails. Note that while an open version, OpenUB (under Apache License 2.0), exists, it has official restrictions regarding use in organizations related to the Ukrainian public sector.

UnityBase's technical mechanisms allow for the creation of secure products. For instance, the Megapolis.DocNet electronic document management system operates on this basis and has received a G2-level information security certificate, directly covering KSZI requirements. Another example is DealsSign, a system for secure, legally binding external document exchange with counterparties. Using such solutions allows engineering teams to focus on business logic while leaving low-level security and audit concerns to a reliable platform.

For comprehensive implementation, experts from the Intecracy Group (specifically Softengi) help integrate the technical protection perimeter at the enterprise level: from designing Zero Trust architecture and network segmentation to developing secure software.

Practical preparation steps: From gap analysis to monitoring

  1. Gap analysis: Determine which NIS2 articles and KSZI requirements are already covered by your ISO/IEC 27001 processes and where technical reinforcement is needed.
  2. Risk synchronization: Use the NIST CSF 2.0 methodology to create a shared threat register that aligns IT, security, and business management perspectives.
  3. Supply chain audit: Assess third-party vulnerabilities. Ensure base software and contractors meet strict access criteria.
  4. Zero Trust implementation: Introduce network segmentation, mandatory multi-factor authentication (MFA), and data access controls (RLS, ACL).
  5. Continuous monitoring: Configure security event log collection (audit trail) and processing in a SIEM to ensure the capability to report incidents within the 24-hour window required by the directive.

FAQ

Does an ISO/IEC 27001 certificate cover all requirements of the NIS2 directive?

No. ISO/IEC 27001 is a process framework for security management, whereas NIS2 contains specific directive and legal obligations (e.g., strict incident reporting deadlines within 24/72 hours and specific supply chain security requirements). Having the certificate significantly simplifies integration but does not eliminate the need for additional gap analysis.

How can Ukrainian KSZI requirements be combined with international security standards?

Integration is achieved by separating the process and technical levels. Process management (risk assessment, incident management) is built according to international frameworks (ISO/IEC 27001, NIST CSF 2.0), while technical KSZI requirements are implemented through the use of certified platforms and tools with built-in access control mechanisms (RLS, ACL, logging).

What are the consequences for companies failing to comply with the European NIS2 directive?

The directive provides for significant financial penalties for organizations designated as essential or important entities, and introduces the possibility of personal liability for top management regarding the failure to fulfill established cyber risk management obligations and the concealment of incidents.

Data sources

Sources & materials

Materials and sources used in this article.

  1. ENISA Threat Landscape 2025 — enisa.europa.eu
  2. NIST Cybersecurity Framework (CSF) 2.0 — nist.gov
  3. MITRE ATT&CK — attack.mitre.org
  4. NIST: Artificial Intelligence Risk Management Framework (AI RMF 1.0) — nist.gov