GDPR and NIS2: How They Overlap and Where They Don't

For tech companies in scope of both GDPR and NIS2, the two frameworks impose related but distinct obligations. Companies subject to both need a coordinated compliance program rather than two separate functions. This page covers what each framework requires, where they overlap, and how to sequence and integrate the work.

What each framework is

GDPR (Regulation (EU) 2016/679) is the EU data protection law that has applied since 25 May 2018. It regulates the processing of personal data of data subjects in the EU, and all processing by controllers and processors established in the EU, and is enforced by member state supervisory authorities. Maximum administrative fines are 20 million euros or 4 percent of total worldwide annual turnover, whichever is higher.

NIS2 is the EU Network and Information Security Directive (Directive (EU) 2022/2555). It entered into force on 16 January 2023 with a transposition deadline of 17 October 2024, and substantially expands the scope of EU cybersecurity regulation compared with the original NIS Directive. Member states must provide for maximum fines of at least 10 million euros or 2 percent of total worldwide annual turnover, whichever is higher, for essential entities, and at least 7 million euros or 1.4 percent for important entities.

GDPR is a regulation, directly applicable in every member state. NIS2 is a directive that each member state transposes into national law, so scope details, reporting channels, and timing vary by country, and many member states missed the transposition deadline. Check the national law of each member state in which you operate rather than relying on the directive text alone.

What each framework covers

GDPR covers the lawful processing of personal data. Obligations include lawful basis, transparency, data subject rights, records of processing activities (RoPA, Article 30), data protection impact assessments (DPIAs, Article 35), data protection officer (DPO) appointment (Article 37), security of processing (Article 32), breach notification (Articles 33 and 34), and international transfers (Chapter V).

NIS2 covers the cybersecurity of essential and important entities in the 18 sectors listed in its Annexes I and II. The Article 21 risk management measures include risk analysis and security policies, incident handling, business continuity and crisis management, supply chain security, security in system acquisition, development and maintenance (including vulnerability handling and disclosure), policies on cryptography and encryption, access control and asset management, cyber hygiene and training, and the use of MFA or continuous authentication. Article 23 adds incident reporting and Article 20 adds management body accountability.

Where they overlap

The overlap is substantial in the security and incident response domains:

  • Risk-based security measures. Both frameworks require risk-based security measures appropriate to the nature, scope, context, and purposes of processing or the cybersecurity risk profile.

  • Encryption and access control. Both require encryption appropriate to risk and access control measures.

  • Incident response capability. Both require incident detection, response, and recovery capability.

  • Supply chain risk management. Both require management of risks from third-party suppliers and processors.

  • Training and awareness. Both require relevant training for personnel.

  • Documentation. Both require documented policies, procedures, and evidence of compliance.

  • Senior management accountability. NIS2 Article 20 specifically requires the management body to approve and oversee the risk management measures and makes it liable for infringements. GDPR places accountability on the controller and processor as legal entities (Articles 5(2) and 24), with internal accountability assigned to senior leadership in practice.

Where they do not overlap

GDPR-specific obligations not covered by NIS2:

  • Lawful basis for processing personal data. NIS2 does not address lawful basis.

  • Privacy notices and transparency to data subjects. NIS2 does not require GDPR-specific notices.

  • Data subject rights operational capability. NIS2 does not require capability to handle DSARs, deletion, portability, or other GDPR rights.

  • DPO appointment. NIS2 does not address DPO requirements.

  • International data transfers. NIS2 does not regulate transfers of personal data outside the EU.

  • DPIA for high-risk processing. NIS2 requires risk assessment generally; GDPR Article 35 requires DPIAs with specific content.

NIS2-specific obligations not covered by GDPR:

  • Specific cybersecurity measures in Article 21. NIS2 Article 21(2) lists ten minimum measure areas that an entity must cover, which is more prescriptive than GDPR Article 32's general requirement for appropriate technical and organisational measures.

  • Management body cybersecurity training. NIS2 Article 20(2) requires management body members to undergo cybersecurity training and encourages equivalent training for staff. GDPR does not have an equivalent.

  • Incident reporting on cybersecurity incidents. NIS2 Article 23 sets specific timelines for reporting significant incidents to the national CSIRT or competent authority: an early warning within 24 hours of becoming aware, an incident notification within 72 hours, and a final report within one month of the incident notification. These apply whether or not personal data is involved, so a ransomware outage that exposes no personal data is reportable under NIS2 but not under GDPR.

  • Multi-factor authentication. NIS2 Article 21(2)(j) specifically requires the use of multi-factor authentication or continuous authentication solutions, and secured voice, video, text and emergency communications, where appropriate. GDPR does not name MFA; whether it is required follows from the Article 32 risk assessment.

  • Cyber hygiene practices. NIS2 Article 21(2)(g) specifically requires basic cyber hygiene practices; recital 89 gives software updates, device configuration, network segmentation, identity and access management, zero-trust principles, and user awareness as examples.

  • Supply chain security across all suppliers. NIS2 Article 21(2)(d) requires managing security risks in the relationships with every direct supplier and service provider, whether or not personal data is involved. GDPR Article 28 is narrower in scope (processors of personal data only) but more prescriptive on contract content, so a processor agreement alone does not satisfy NIS2.

Incident reporting coordination

For incidents that affect both cybersecurity and personal data, both NIS2 and GDPR notification obligations apply:

  • NIS2 timeline: early warning within 24 hours, notification within 72 hours, final report within 1 month.

  • GDPR timeline: notification to the supervisory authority without undue delay and, where feasible, not later than 72 hours after becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals (Article 33); communication to affected data subjects without undue delay where the breach is likely to result in a high risk (Article 34).

For coordinated incidents, companies must report to the national CSIRT or competent authority designated in the transposing law (under NIS2) and to the data protection supervisory authority (under GDPR). The two authorities are typically different entities. Both clocks start when the entity becomes aware of the incident, so the NIS2 24-hour early warning is the first deadline, and the NIS2 72-hour notification and the GDPR 72-hour notification usually fall due together. The thresholds differ: triage must assess NIS2 significance and GDPR breach risk separately, because an incident can meet one and not the other.

Documentation, root cause analysis, and remediation work serve both notifications but the legal frameworks and authority engagement strategies are separate.

How to integrate the two

For tech companies in scope of both frameworks, integration approaches include:

  • Combined risk and incident management. A single risk management function covering both cybersecurity and privacy risks. Combined incident response with one triage step that assesses both the NIS2 significance threshold and the GDPR breach risk threshold, then runs parallel notification streams.

  • Coordinated security control framework. A single set of security controls mapped to both NIS2 Article 21 requirements and GDPR Article 32 expectations.

  • Coordinated vendor management. A single vendor risk management process addressing both NIS2 supply chain security and GDPR Article 28 processor obligations.

  • Coordinated training. A combined privacy and cybersecurity training program for personnel and management body.

  • Coordinated documentation. Shared documentation infrastructure for policies, RoPA, asset inventory, and risk assessments.

  • Coordinated authority engagement. A documented strategy for engaging the relevant cybersecurity authority and data protection supervisory authority, with clear escalation procedures.

How Engage Compliance helps

For tech companies in scope of both NIS2 and GDPR, we provide GDPR fractional DPO services and coordinate with NIS2 cybersecurity compliance work. Specific support includes:

  • GDPR compliance work including DPO function, RoPA, DPIA, and supervisory authority engagement.

  • Coordinated incident response covering both GDPR breach notification and NIS2 incident reporting.

  • Vendor management coordinated across GDPR Article 28 and NIS2 supply chain requirements.

  • Management body privacy and cybersecurity reporting.

  • For specialist NIS2 cybersecurity implementation including specific Article 21 measures, threat-led penetration testing, and supply chain security implementation, we coordinate with cybersecurity consultancies and managed security service providers.

Get started

If you are a tech company evaluating combined GDPR and NIS2 compliance, book a consultation.