TL;DR
NIS2 and GDPR are two separate EU laws that apply at the same time. NIS2 protects networks and services. GDPR protects personal data. A single cyberattack can trigger reporting obligations under both laws, to different authorities and on different timelines.
Many organisations believe that GDPR compliance and NIS2 compliance are the same thing. They are not. Both frameworks have different protection objectives, different supervisory authorities, and different requirements. At the same time, there are substantial overlaps that make a coordinated implementation both possible and worthwhile.
This article explains the differences, where the two laws meet, and how to build a unified compliance strategy that covers both.
NIS2 and GDPR: Direct Comparison
| Criterion | NIS2 | GDPR |
|---|---|---|
| Legal form | Directive (transposed into national law) | Regulation (directly applicable) |
| Protection objective | Security of networks and information systems | Protection of personal data |
| Scope | 18 critical sectors, medium and large organisations | All organisations processing personal data |
| Supervisory authority | National competent authority (e.g. BSI, CCB, ANSSI) | Data protection authority (e.g. BfDI, ICO, Datatilsynet) |
| Incident reporting | 24h early warning, 72h full notification to CSIRT/authority | 72h notification to DPA (personal data breach only) |
| Maximum fine | At least €10M or 2% of global annual turnover (essential entities); at least €7M or 1.4% (important entities); member states may set higher caps | €20M or 4% of global annual turnover, whichever is higher |
| Personal liability | Yes (Art. 20: management bodies must approve and oversee the Art. 21 measures and can be held liable for infringements under national law) | Limited (Art. 83 sanctions target the controller or processor as an organisation) |
| Security requirements | 10 specific Article 21 measures | Article 32: appropriate technical/organisational measures |
When One Incident Triggers Both Laws at Once
A ransomware attack on a hospital hits both frameworks at the same time. The hospital qualifies as an essential entity under NIS2 (healthcare is an Annex I sector) and, as a health service provider, processes thousands of patient records daily under GDPR. The attack affects network and service availability (a NIS2 trigger) and may result in unauthorised access to, or loss of access to, patient data (a GDPR trigger).
In this case, two parallel notification obligations arise with different recipients:
NIS2 (Art. 23), to the CSIRT or competent authority:
- 24h early warning, stating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact
- 72h incident notification with an initial assessment of severity and impact and, where available, indicators of compromise
- Final report with root cause analysis, no later than one month after the 72h notification was submitted
- Trigger: significant incident, i.e. serious operational disruption or financial loss, or considerable harm to others

GDPR (Art. 33–34), to the data protection authority and data subjects:
- 72h notification to the data protection authority (not required only where the breach is unlikely to result in a risk to individuals)
- Communication to affected individuals without undue delay where the breach is likely to result in a high risk
- Trigger: personal data breach, i.e. loss of confidentiality, integrity or availability of personal data
- Documentation of the breach in the internal breach register (Art. 33(5)), whether or not it is notified
The critical detail: the NIS2 early warning deadline of 24 hours is shorter than the GDPR deadline of 72 hours, and both clocks start at the moment the organisation becomes aware of the incident, not when the investigation is complete. An organisation that identifies a combined incident must prioritise the NIS2 early warning, even if no definitive assessment of the data breach is available yet. Neither deadline requires a finished analysis: the early warning only needs the suspected cause and likely cross-border impact, and GDPR Art. 33(4) explicitly allows the notification to be delivered in phases as facts emerge.
The Security Requirements Compared
GDPR Article 32 requires controllers and processors to implement 'appropriate technical and organisational measures' to achieve a level of security appropriate to the risk. That wording is deliberately open-ended. NIS2 Article 21, by contrast, names ten specific measure categories.
In practice, the NIS2 Article 21 requirements cover most GDPR Article 32 requirements. An organisation that fully implements NIS2 will generally also have covered the technical and organisational measures required by GDPR. The reverse does not hold: GDPR compliance does not automatically cover all NIS2 requirements, because NIS2 adds obligations like authority registration, incident notification, and management training.
| NIS2 Article 21 Measure | GDPR Equivalent | Coverage |
|---|---|---|
| Risk analysis and security policies | Art. 32(1)(b), Art. 35 DPIA | Largely overlapping |
| Incident handling | Art. 33–34 (data breaches) | Partial (GDPR covers data breaches only) |
| Business continuity and backup | Art. 32(1)(c) availability | Overlapping |
| MFA and access control | Art. 32(1)(b) confidentiality (GDPR names no specific control) | Partial (NIS2 names MFA explicitly) |
| Authority registration | No equivalent | NIS2 exclusive |
| Management liability (Art. 20) | Limited (Art. 83) | NIS2 goes further |
When Does Only NIS2 Apply, and When Only GDPR?
Not every incident touches both laws. Here are typical scenarios:
A DDoS attack that takes your website offline for 6 hours but does not affect any personal data. Reporting obligation under NIS2 (if 'significant'), no GDPR notification required. Check the second condition carefully: if the outage cuts off access to personal data (for example a patient portal), the loss of availability is itself a personal data breach under Art. 4(12), and GDPR applies as well.
Accidental email sending of personal data to wrong recipients. No impact on service availability (no NIS2 trigger), but a GDPR personal data breach.
Ransomware encryption of patient records at a hospital. Service availability affected (NIS2) and personal health data compromised (GDPR).
Hardware failure of an internal server with no data loss and no impact on critical services. Resolve internally, no external reporting required.
Building a Combined Incident Response
Because many incidents touch both laws, handling them separately is inefficient. A better approach is a unified incident response process that accounts for both notification paths from the start.
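A practical way to build the two notification paths into one process is to decide both at intake, from the same incident record, and work from a single deadline list. The following triage helper is an added example for this article, not code from any regulator or project. The incident fields, the scenario names and the timestamps are constructed for illustration; the statutory clocks (24h and 72h from awareness, final report one month after the 72h notification is submitted) follow the text above, with 30 days used as a planning value for "one month" and the latest lawful filing time assumed when the actual filing time is unknown.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


# Hypothetical incident record; the field names are assumptions for this example.
@dataclass(frozen=True)
class Incident:
    aware_at: datetime                # moment the organisation became aware; both clocks start here
    nis2_in_scope: bool               # organisation is an essential or important entity
    significant_service_impact: bool  # outcome of the Art. 23(3) significance assessment
    personal_data_breach: bool        # Art. 4(12): loss of confidentiality, integrity OR availability
    high_risk_to_individuals: bool    # Art. 34 threshold for informing data subjects
    risk_unlikely: bool = False       # Art. 33(1) carve-out: DPA notification not required


@dataclass(frozen=True)
class Obligation:
    regime: str                       # "NIS2" or "GDPR"
    step: str
    recipient: str
    due: Optional[datetime]           # None = "without undue delay", no fixed hour count in the law


ONE_MONTH = timedelta(days=30)        # assumption: planning value for the Art. 23(4)(d) "one month"


def triage(inc: Incident, nis2_notification_filed_at: Optional[datetime] = None) -> List[Obligation]:
    """Return every notification obligation the incident triggers, earliest deadline first."""
    obligations: List[Obligation] = []

    if inc.nis2_in_scope and inc.significant_service_impact:
        early = inc.aware_at + timedelta(hours=24)
        notif = inc.aware_at + timedelta(hours=72)
        # The final-report clock runs from the moment the 72h notification is submitted.
        # If that time is not known yet, assume the latest lawful filing (the 72h deadline).
        filed = nis2_notification_filed_at or notif
        obligations += [
            Obligation("NIS2", "early warning", "CSIRT / competent authority", early),
            Obligation("NIS2", "incident notification", "CSIRT / competent authority", notif),
            Obligation("NIS2", "final report", "CSIRT / competent authority", filed + ONE_MONTH),
        ]

    if inc.personal_data_breach:
        # Art. 33(5): every breach is documented internally, notified or not; start at awareness.
        obligations.append(Obligation("GDPR", "record in breach register", "internal", inc.aware_at))
        if not inc.risk_unlikely:
            obligations.append(Obligation("GDPR", "breach notification", "data protection authority",
                                          inc.aware_at + timedelta(hours=72)))
        if inc.high_risk_to_individuals:
            obligations.append(Obligation("GDPR", "communication to data subjects",
                                          "affected individuals", None))

    # Dated obligations first (soonest first); "without undue delay" items sort last.
    obligations.sort(key=lambda o: (o.due is None, o.due or inc.aware_at))
    return obligations


def first_external_deadline(obligations: List[Obligation]) -> Optional[Obligation]:
    """The first dated obligation owed to an external body: what the on-call lead must hit first."""
    for o in obligations:
        if o.recipient != "internal" and o.due is not None:
            return o
    return None


# Constructed sample incidents mirroring the article's four scenarios (timestamp is made up).
T0 = datetime(2024, 6, 1, 10, 0, tzinfo=timezone.utc)

SCENARIOS = {
    "hospital_ransomware":   Incident(T0, True, True, True, True),
    "misdirected_email":     Incident(T0, True, False, True, False),
    "ddos_no_personal_data": Incident(T0, True, True, False, False),
    "internal_hw_failure":   Incident(T0, True, False, False, False),
}


def scenario(name: str) -> List[Obligation]:
    """Run triage on one of the constructed scenarios by name."""
    return triage(SCENARIOS[name])


if __name__ == "__main__":
    for name in SCENARIOS:
        obs = scenario(name)
        first = first_external_deadline(obs)
        print(f"{name}: {len(obs)} obligation(s); first external deadline: "
              f"{first.regime + ' ' + first.step + ' by ' + first.due.isoformat() if first else 'none'}")
        for o in obs:
            print(f"  [{o.regime}] {o.step} -> {o.recipient} "
                  f"({o.due.isoformat() if o.due else 'without undue delay'})")
```

Running the script prints, for the hospital scenario, the NIS2 early warning as the first external deadline, 24 hours after awareness, ahead of both 72h notifications; the misdirected email yields only the GDPR register entry and DPA notification, the DDoS only the three NIS2 steps, and the hardware failure nothing to report externally. Keeping the two regimes in one sorted list is the whole point: the on-call lead sees one queue, and the DPO and CISO split the items by `regime` rather than by running separate processes.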
The DPO and NIS2: Who Is Responsible?
Many organisations already have a Data Protection Officer (DPO). NIS2 has no equivalent mandatory role, but the DPO function and a NIS2 responsible person (often a CISO or IT security officer) overlap considerably.
In practice, a sensible split looks like this: the DPO handles GDPR notifications to the data protection authority and communication with affected individuals. The CISO or IT security officer handles NIS2 early warnings to the CSIRT and competent authority. Both work within the same incident response team with shared access to the incident log.