Who should read this: Data Protection Officers, Legal Teams, Compliance Officers.
The EU’s regulatory framework for protecting sensitive information is layered. The General Data Protection Regulation (GDPR) establishes comprehensive obligations for the processing of personal data: consent, transparency, data subject rights, and security measures to prevent unauthorised or unlawful processing. NIS2 establishes cybersecurity obligations for entities managing critical infrastructure and essential services.
These two regimes overlap. Both require cybersecurity measures to protect sensitive information. Both require incident notification when breaches occur. Both impose obligations on organisations and their third-party service providers. Yet their approaches differ: GDPR focuses on personal data and the rights of individuals; NIS2 focuses on network and information systems security and the continuity of essential services.
For data protection officers and compliance teams, understanding the NIS2-GDPR relationship is essential. The two regimes are complementary, not contradictory, but they impose distinct obligations that must both be satisfied. This post unpacks the overlap, clarifies where NIS2 and GDPR converge and diverge, and provides practical guidance on designing a compliance framework that satisfies both.
Scope: Personal Data vs. Critical Infrastructure
The primary distinction between GDPR and NIS2 lies in their scope and purpose.
GDPR applies to all organisations processing personal data of EU residents, regardless of whether the organisation is in the EU. Personal data is any information relating to an identified or identifiable natural person (an individual). GDPR’s purpose is to protect the rights of individuals: their privacy, autonomy, and control over their information.
GDPR applies narrowly (only to organisations processing personal data) but broadly across sectors (all sectors handle personal data). A small e-commerce company selling goods is subject to GDPR if it collects customer email addresses. A healthcare provider, a financial institution, a government agency: all are subject to GDPR.
NIS2 applies narrowly to organisations managing critical infrastructure and essential services, but with specific sector designations. NIS2’s purpose is to protect the continuity and security of essential services: energy, healthcare, transport, digital infrastructure, and others. A local bakery is not subject to NIS2 (it is not critical infrastructure); a major energy provider is.
The scopes only partially overlap. Some organisations (e.g., a hospital, a financial institution) are subject to both GDPR (because they process personal data) and NIS2 (because they are essential service providers). Others are subject to only one: a multinational e-commerce company is subject to GDPR but may not be NIS2-designated; a telecommunications provider managing network infrastructure but not personal data (e.g., a backbone operator) is subject to NIS2 but might not be subject to GDPR.
Security Obligations: Article 32 (GDPR) and Article 21 (NIS2)
Both regimes impose security obligations, though with different language and emphasis.
GDPR Article 32 requires appropriate technical and organisational measures to protect personal data against unauthorised or unlawful processing, accidental loss, destruction, or damage. These measures include, as appropriate, encryption, pseudonymisation, access controls, availability assurance, and incident response procedures.
NIS2 Article 21 requires proportionate technical and organisational measures to manage cybersecurity risk in network and information systems. These measures should address threats, vulnerabilities, and impacts on essential services, and should include incident response, business continuity, and supply chain risk management.
Both impose similar controls: access controls, encryption, monitoring, and incident response. However, their focus differs. GDPR focuses on protecting personal data from misuse; NIS2 focuses on protecting systems from compromise and service disruption.
In practice, an organisation subject to both regimes should develop a security programme that satisfies both. GDPR’s Article 32 requirements (encryption of personal data, access controls limiting access to those with a legitimate need, monitoring of data access) are foundational and address personal data protection. NIS2’s Article 21 requirements (proportionate risk management across all systems, business continuity planning, third-party risk management) extend beyond GDPR to address systemic resilience.
A hospital, for example, must implement GDPR-required protections for patient data (access controls ensuring only clinicians with a need-to-know can access records, encryption of data in transit and at rest, audit logs of data access). It must simultaneously implement NIS2-required cybersecurity measures protecting all systems used in healthcare delivery, including non-personal-data systems like clinical equipment interfaces, laboratory information systems, and imaging networks. The combination satisfies both regimes.
Incident Notification: GDPR Articles 33-34 and NIS2 Article 23
Both regimes require notification when incidents occur, but with different triggers and procedures.
GDPR requires notification of “personal data breaches” (incidents where personal data is accessed, disclosed, lost, or destroyed without authorisation or by accident) within specific timelines. The organisation must notify the data protection authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, and, where the breach is likely to result in a high risk to individuals, the affected individuals themselves.
NIS2 requires notification of “significant incidents” affecting critical infrastructure within 24 hours to competent authorities and CSIRTs. The focus is on service disruption and system compromise, not specifically on data exposure.
The triggers differ. A personal data breach is significant for GDPR purposes if it poses a high risk to individuals (e.g., exposure of financial data, health data, or data enabling identity theft). A significant incident under NIS2 may or may not involve personal data; it may consist solely of a disruption to service (e.g., ransomware affecting an energy system, with no personal data compromised).
For organisations subject to both regimes, the incident notification frameworks should be integrated but distinct. A single cybersecurity incident may trigger both GDPR and NIS2 notification, or it may trigger only one. For example:
- A ransomware attack on a hospital’s EHR system meets the significance threshold under NIS2 (disruption of clinical operations) and would likely qualify as a personal data breach under GDPR (patient records at risk). The hospital must notify competent authorities under NIS2 within 24 hours and data protection authorities under GDPR within 72 hours (or at different timescales depending on jurisdiction).
- A denial-of-service attack on an energy provider’s billing system disrupts service (significant under NIS2) but does not compromise customer data (no personal data breach under GDPR, unless the system contains personal information and the attack enables unauthorised access). The provider must notify under NIS2; GDPR notification depends on whether personal data was breached.
- A breach of a healthcare provider’s patient portal exposing patient contact information is a personal data breach under GDPR (affecting individuals’ privacy) but may not be significant under NIS2 (if service to patients is not widely disrupted). Notification to data protection authorities is required under GDPR; notification under NIS2 depends on whether service disruption or system compromise meets the significance threshold.
Organisations should have integrated incident response procedures that assess incidents against both frameworks and determine which notification is required.
Third-Party Risk Management: GDPR Article 28 and NIS2 Article 22
Both regimes require management of third-party risk, though with different terminology and focus.
GDPR Article 28 requires that organisations ensure data processors (third parties processing personal data on their behalf) implement appropriate security measures. Organisations must establish data processing agreements with processors, audit their practices, and ensure they are subject to appropriate legal and technical safeguards.
NIS2 Article 22 requires that organisations ensure suppliers and service providers implement proportionate cybersecurity measures. Organisations must establish contractual requirements for cybersecurity, monitor compliance, and ensure rapid incident notification.
For organisations managing both personal data and critical infrastructure, these obligations should be consolidated. Contracts with cloud providers, managed service providers, and other vendors should:
- Include cybersecurity requirements satisfying both GDPR (for data processors) and NIS2 (for service providers managing critical systems).
- Require security assessments or certifications demonstrating compliance.
- Establish incident notification requirements, allowing the organisation to meet both GDPR and NIS2 reporting timelines.
- Reserve audit and inspection rights, allowing the organisation to verify compliance.
- Specify subprocessor controls: GDPR requires that data processors not engage subprocessors without explicit authorisation; NIS2 requires that supply chain dependencies be managed. These requirements should both be addressed in contracts.
Interaction with Broader Regulatory Frameworks
Organisations may also be subject to regulations beyond GDPR and NIS2. DORA (the Digital Operational Resilience Act) applies to financial services; sector-specific regulations apply to healthcare, energy, and telecoms. All of these may carry overlapping security and incident notification requirements.
An entity subject to GDPR, NIS2, and DORA must design a compliance framework addressing all three. These frameworks are complementary: a compliance programme built to the most stringent requirement in each area typically satisfies all three at once.
For compliance teams, the strategy is to map overlapping requirements, identify the most stringent in each area, and design controls and procedures satisfying the union of all requirements. A single security governance structure, a single incident response framework, and integrated third-party management can accommodate multiple regulatory regimes.
Practical Alignment Strategy
For organisations subject to both NIS2 and GDPR (and potentially other regimes), the alignment strategy should include:
- Unified governance framework: Establish a single cybersecurity and data protection governance structure with accountability at board level. The CISO (chief information security officer) and DPO (data protection officer) should coordinate.
- Integrated risk assessment: Conduct risk assessments addressing both GDPR risks (risks to individuals’ privacy and rights) and NIS2 risks (risks to system availability, integrity, and service continuity). Identify controls addressing both.
- Unified incident response: Design incident response procedures that assess incidents against all applicable frameworks and determine which regulatory notifications are required. Cross-train incident response teams on both frameworks.
- Standardised third-party contracts: Develop templates for vendor contracts, data processing agreements, and service provider agreements that address the requirements of all applicable regimes.
- Consolidated security measures: Implement security controls that, where possible, satisfy multiple regimes. Access controls and encryption, for example, address both GDPR data protection and NIS2 cybersecurity requirements.
- Documentation and transparency: Maintain documentation of compliance with both frameworks. Privacy policies and security disclosures should address both personal data protection and cybersecurity risk management.
Key Takeaways
- GDPR and NIS2 overlap in scope for organisations subject to both: those processing personal data (GDPR) and managing critical infrastructure or essential services (NIS2).
- Security obligations under Article 32 (GDPR) and Article 21 (NIS2) are complementary: GDPR focuses on protecting personal data; NIS2 focuses on systemic cybersecurity and service continuity. A unified security programme can satisfy both.
- Incident notification frameworks differ: GDPR requires notification of personal data breaches within 72 hours (or without undue delay) to data protection authorities and affected individuals; NIS2 requires notification of significant incidents within 24 hours to competent authorities and CSIRTs. Both may be triggered by a single incident.
- Third-party risk management must satisfy both frameworks: contracts with vendors and service providers should establish cybersecurity requirements, reserve audit rights, and specify incident notification timelines satisfying both GDPR and NIS2.
- Organisations subject to both regimes (and potentially others like DORA) should adopt a unified compliance strategy: integrated governance, unified risk assessment, standardised third-party contracts, and consolidated security measures that address requirements across all applicable regimes.