Why Digital Resilience Can No Longer Wait
Legacy IT, NIS2 and ISO 27001
A recent article on Consultancy.nl discussed Marcel Wanningen’s book How to Fix the Company before it’s Broke, which warns CIOs and executive teams that organisations can no longer afford to postpone the modernisation of legacy IT. The article links geopolitical instability, energy pressure, inflation, supply chain disruption and rising capital costs to a simple but uncomfortable business reality: inefficient IT organisations become dangerously expensive when external conditions deteriorate.
Why Legacy IT Has Become a Business Risk and How ISO 27001 Helps You Prepare for NIS2
Legacy IT is no longer just a technical issue. It has become a board-level business risk.
Whether every scenario in Wanningen's book unfolds exactly as predicted is not the point. The underlying message is highly relevant.
Many organizations still operate with outdated systems, fragmented processes, unclear ownership, manual controls and supplier dependencies they do not fully understand. In a stable market, this may already be inconvenient. In a volatile market, it becomes a strategic risk.
With the arrival of NIS2 (Directive (EU) 2022/2555, the EU's revised directive on network and information security), this risk is no longer only operational or financial. For organizations in scope, digital resilience becomes a legal and managerial responsibility.
This is exactly where ISO 27001 becomes valuable. Not as a certificate on the wall, but as a practical management system for information security, risk ownership, supplier control and continuous improvement.
NIS2 Turns Digital Resilience into a Board-Level Responsibility
The NIS2 Directive raises the bar for cybersecurity and resilience for entities in the essential and important sectors it lists. Organizations in scope are expected to take appropriate and proportionate technical, operational and organizational measures to manage cyber risks, prevent incidents and limit the impact of disruptions.
This has direct consequences for legacy IT.
Under NIS2, it is no longer sufficient to say that certain systems are old, complex or difficult to replace. Organizations must be able to demonstrate that they understand the risks, assign responsibilities and take appropriate measures.
This includes topics such as:
- risk management
- incident handling
- business continuity
- crisis management
- supply chain security
- access control
- asset management
- vulnerability management
- management responsibility
- reporting obligations (for significant incidents: an early warning within 24 hours of becoming aware, an incident notification within 72 hours, and a final report within one month)
These are exactly the areas where legacy IT often creates exposure.
A legacy system with unclear ownership is not just a technical problem.
A critical supplier without proper risk assessment is not just a procurement issue.
An undocumented recovery process is not just an operational weakness.
A missing incident response procedure is not just a security gap.
Under NIS2, these become governance issues.
For boards and senior management teams, the question becomes much sharper:
Can we demonstrate that we are taking reasonable and appropriate measures to manage our digital risks?
ISO 27001 as a Practical Foundation for NIS2 Readiness
NIS2 tells organizations what they need to take seriously. ISO 27001 provides a practical structure for doing so.
This does not mean that ISO 27001 automatically guarantees NIS2 compliance. NIS2 is a legal and regulatory framework, while ISO 27001 is an international management system standard for information security. But there is a strong practical overlap.
ISO 27001 helps organizations build the management discipline required to prepare for NIS2. It supports organizations in:
- identifying information assets
- assessing risks
- defining controls
- assigning ownership
- managing suppliers
- preparing for incidents
- documenting decisions
- collecting evidence
- reviewing effectiveness
- driving continuous improvement
In other words, ISO 27001 gives organizations a structured way to move from intention to implementation.
For many businesses, this is the missing link. They know that cybersecurity and resilience matter, but they lack a practical operating model to manage them consistently.
ISO 27001 provides that operating model.
How ISO 27001 Helps Address Key NIS2 Themes
ISO 27001 can help organizations prepare for several important NIS2 themes.
1. Risk Management
NIS2 expects organizations to manage cybersecurity risks in a structured way. ISO 27001 starts with risk assessment and risk treatment (clauses 6.1.2 and 6.1.3): identify the assets and their dependencies, assess likelihood and impact, decide how each risk is treated, and record which Annex A controls apply and why in the Statement of Applicability. This helps organizations identify where legacy systems, integrations, suppliers or data flows create unacceptable exposure.
Legacy IT is often full of hidden dependencies. Systems may be poorly documented, business-critical processes may rely on manual workarounds, and accountability may be unclear. A structured risk assessment makes these weaknesses visible and turns them into managed improvement actions.
2. Incident Preparedness
Legacy environments often make incident response harder: the same undocumented dependencies and unclear ownership that complicate risk assessment also slow down triage, containment and recovery when an incident is under way.
ISO 27001 helps organizations define incident management procedures, escalation paths, roles and responsibilities (Annex A controls 5.24 to 5.28 in the 2022 edition cover planning, assessment of events, response, learning from incidents and evidence collection). This does not remove all risk, but it does ensure that organizations are better prepared when something goes wrong.
Under NIS2, incident handling is not only about technical response. It also involves escalation, reporting, communication and decision-making. Because the early-warning clock starts within 24 hours of becoming aware of a significant incident, the escalation path must reach the people who can classify and report the incident quickly. ISO 27001 helps create the structure needed to manage this properly.
3. Business Continuity
NIS2 places strong emphasis on continuity and resilience. Organizations need to understand how disruptions could affect critical services and how they would recover.
ISO 27001 supports this by requiring organizations to consider availability, recovery and continuity measures for critical information and systems (Annex A 5.29 and 5.30 on security during disruption and ICT readiness for business continuity, 8.13 on backup and 8.14 on redundancy).
This is especially important in legacy environments. Older systems are often difficult to restore, hard to replicate and dependent on specific people or suppliers. Without continuity planning that has actually been exercised (restores tested, not only backups taken), a technical outage can quickly become a business crisis.
4. Supply Chain Security
Many organizations rely heavily on software vendors, cloud providers, managed service providers and niche implementation partners. In legacy environments, these dependencies are often poorly documented and weakly governed.
ISO 27001 helps structure supplier risk management, contractual controls and periodic supplier reviews (Annex A 5.19 to 5.23 cover supplier policy, security requirements in agreements, the ICT supply chain, monitoring of supplier services and cloud services).
This matters because NIS2 puts more attention on supply chain security. Organizations must understand not only their own internal risks, but also the risks created by third parties that support their critical processes.
5. Management Responsibility
NIS2 increases the importance of senior management involvement. Under Article 20, the management bodies of in-scope entities must approve the cybersecurity risk-management measures, oversee their implementation, follow training, and can be held liable for infringements. Cybersecurity and resilience are no longer topics that can be delegated entirely to IT.
ISO 27001 includes leadership involvement (clause 5), management review (clause 9.3) and documented decision-making. This helps bring information security governance to board and executive level.
For CIOs, CFOs and management teams, this is crucial. It creates a rhythm for reviewing risks, priorities, progress and evidence. It also helps ensure that cybersecurity decisions are connected to business priorities, not treated as isolated technical activities.
6. Evidence and Auditability
One of the biggest practical challenges in NIS2 readiness is evidence.
It is not enough to say that controls exist. Organizations need to show what has been assessed, decided, implemented, reviewed and improved.
ISO 27001 creates the discipline to maintain this evidence. It helps organizations document risks, controls, actions, owners, reviews and management decisions: the risk register and treatment plan, the Statement of Applicability, internal audit results (clause 9.2) and management review records (clause 9.3) form a traceable chain from risk to decision to verified control.
This is where many organizations struggle. They may have policies, tools or controls in place, but they cannot easily prove how these are managed. ISO 27001 helps turn informal practice into a controllable management system.
Legacy IT Is No Longer Just Technical Debt
For years, legacy IT has often been described as technical debt. That term is useful, but it can also make the issue sound too narrow.
Legacy IT is not only about outdated technology. It is about organizational fragility.
It creates risk when:
- nobody clearly owns a system
- documentation is outdated or missing
- key knowledge sits with a few individuals
- suppliers are critical but not properly governed
- manual workarounds keep processes alive
- security controls are inconsistent
- recovery procedures are untested
- data flows are unclear
- business continuity depends on assumptions
In a calm environment, organizations may tolerate this. In a more volatile environment, the cost of this fragility increases quickly.
NIS2 makes that fragility harder to ignore.
The issue is not only whether legacy systems should be replaced. The first question is whether the organization understands and controls the risks they create.
Conclusion
The warning behind How to Fix the Company before it’s Broke is not only about geopolitical shocks or economic pressure. It is about organizational readiness.
Companies that understand their critical systems, manage their suppliers, reduce technical debt and control their risks will be better positioned than companies that continue to rely on fragmented legacy environments and informal controls.
NIS2 makes this even more urgent. Digital resilience is no longer only an internal IT priority. It is becoming a legal, operational and board-level responsibility.
ISO 27001 is not the complete answer to legacy modernization or NIS2 compliance. But it is one of the most practical frameworks for creating the control, ownership, evidence and continuous improvement needed to move in the right direction.
For CIOs, CFOs and executive teams, the question is no longer whether legacy IT should be addressed.
The real question is whether the organization can demonstrate that it is in control.
How Oosterwal Consultancy Can Help
Oosterwal Consultancy helps organizations bring structure, control and momentum to complex initiatives around digital transformation, ISO readiness and NIS2 readiness.
Through ISO-ready.nl we support companies with:
- ISO 27001 preparation and implementation
- NIS2 gap analysis and improvement planning
- digital transformation management
- legacy modernization roadmaps
- risk and control frameworks
- supplier and technology dependency analysis
- portfolio and program governance
- practical management systems for audit readiness
Our approach is pragmatic: no unnecessary complexity, no paper-based compliance theatre, but a clear route from risk to action, evidence and measurable progress.
For organizations dealing with NIS2, ISO 27001 can provide a solid foundation. It helps turn abstract regulatory pressure into a manageable system of risks, controls, owners, actions and evidence.
Want to understand where your organization stands today?
Start with a structured ISO/NIS2 readiness assessment and turn uncertainty into a practical roadmap for improvement.
FAQ
Does ISO 27001 make an organization NIS2 compliant?
Not automatically. ISO 27001 and NIS2 are not the same. NIS2 is a legal framework, transposed into national law and supervised by national authorities, while ISO 27001 is a management system standard for information security. A certificate shows that a management system exists and is audited; it does not by itself show that the measures, reporting obligations and management duties required by the national NIS2 law have been met.
However, ISO 27001 provides a strong practical foundation for many NIS2 requirements, especially around risk management, supplier control, incident management, business continuity and evidence.
Why is NIS2 relevant for legacy IT?
NIS2 increases the pressure on organizations to understand and manage cyber and continuity risks. Legacy IT often creates exactly the type of risks NIS2 focuses on: unclear ownership, weak documentation, outdated systems, supplier dependency, poor recoverability and limited monitoring.
Is NIS2 only relevant for IT departments?
No. NIS2 is relevant for senior management, risk, legal, procurement, operations and business leadership.
Cyber resilience depends on the organization as a whole, not only on the IT department. Decisions about suppliers, investments, continuity, risk appetite and accountability all sit beyond IT alone.
How can an organization prepare for NIS2?
A practical starting point is to map critical processes, systems, suppliers and data flows. Then assess the most important risks, define control gaps, assign ownership and create a prioritized improvement roadmap.
ISO 27001 can provide the management structure to keep this process manageable, evidence-based and auditable.
What is the link between legacy modernization and ISO 27001?
ISO 27001 does not prescribe a specific modernization strategy. But it helps organizations identify and manage the risks created by legacy systems.
This makes modernization more focused. Instead of replacing systems based on technical age alone, organizations can prioritize based on business criticality, security exposure, supplier dependency, continuity risk and regulatory relevance.
