Side-by-side
| Dimension | AI Act | NIS2 |
|---|---|---|
| Scope | AI systems placed on the EU market or used in the EU. | Essential and important entities in critical sectors (Annex I + Annex II of NIS2). |
| Trigger | System falls into Article 5 (prohibited), Article 6(1) (Annex I product), Article 6(2) (Annex III use), or is GPAI. | Entity meets the size and sector thresholds in NIS2 Articles 2-3. |
| Substantive controls | Risk management (Art 9), data governance (Art 10), documentation (Art 11), oversight (Art 14), robustness/cybersecurity (Art 15). | Cybersecurity risk management measures (Art 21), incident handling, supply-chain security, business continuity. |
| Conformity | Annex VI internal or notified-body assessment depending on the use case (Art 43). | Self-declared compliance with Article 21 measures; supervised by the competent authority. |
| Incident reporting | 15-day serious-incident report (Art 73); 2-day report for critical-infrastructure cases that breach Union law or affect fundamental rights. | Early warning 24h; notification 72h; final report 1 month (Art 23). |
| Maximum fine | EUR 35M or 7% global turnover (Art 99(1) prohibited); EUR 15M or 3% (Art 99(2) high-risk); EUR 7.5M or 1% (Art 99(3) incorrect information). | EUR 10M or 2% (essential entities); EUR 7M or 1.4% (important entities) under Art 34. |
| Enforcement deadline | Article 50 transparency: 2 August 2026. Annex III high-risk: 2 August 2026 as written, provisionally 2 December 2027 (Digital Omnibus agreement of 7 May 2026, pending formal adoption). | National transposition deadline 17 October 2024; enforcement live in most Member States. |
Where they overlap
- Annex III §2 critical infrastructure AI. The AI Act's substantive controls apply to the AI itself; NIS2 Article 21 applies to the entity that runs the AI. Both regimes address robustness and incident handling but at different layers.
- Cybersecurity controls. Article 15 of the AI Act sets the floor for the AI system's own cybersecurity. NIS2 Article 21(2) sets the floor for the entity's overall security posture, including how it operates the AI. Article 15 evidence does not satisfy NIS2 Article 21; NIS2 Article 21 evidence does not satisfy Article 15.
- Supply chain. NIS2 Article 21(2)(d) requires supply-chain risk management. When the AI vendor is the third party, the AI Act provider's Article 13 instructions and Annex IV documentation feed the NIS2 supply-chain due diligence.
- Incident reporting. Both regimes require it. The clocks differ. The information differs (NIS2 focuses on operational impact; AI Act on the AI failure mode). Most operators end up running parallel reports through both channels.
Where they conflict (in practice)
There is no doctrinal conflict — the regulations address different addressees and different obligations. The friction is operational:
- The 24-hour NIS2 early warning is materially shorter than the AI Act's 15-day serious-incident window. Operators must triage during the first 24 hours whether the event is reportable under NIS2 only, AI Act only, or both — and start the NIS2 clock immediately.
- NIS2 competent authorities (CSIRTs, BSI, ANSSI) are not yet AI Act market surveillance authorities in most Member States. Cross-authority coordination is still being built.
- The Article 21(2) NIS2 measures and Article 15 robustness measures must both be evidenced in the technical file but use different vocabularies and audit expectations.
Practical compliance for an entity in both
- Maintain a unified incident-response runbook keyed to the 24-hour NIS2 clock, with an AI Act overlay for any incident touching the AI system.
- Cross-reference your NIS2 Article 21 self-assessment with the AI Act provider's Article 13 instructions for use; document any gaps.
- Include AI providers in the NIS2 supply-chain register and the DORA register where applicable.
- For dual-supervised entities, request a joint inspection plan from the NIS2 competent authority and the AI Act market surveillance authority — both supervisors have the legal authority to inspect the same system.
Which regulation takes precedence
Neither. Both apply simultaneously. Where they address the same outcome from different angles (cybersecurity, incident reporting), the stricter requirement controls in practice. Recital 64 of the AI Act and Recital 90 of NIS2 confirm that the regimes are complementary.
Cross-regulatory data update
Auto-merged from the Fontvera archetype dataset on 2026-05-12. The sections below are extracted verbatim from the `obligations` and `obligation_crossrefs` tables; the page itself was last reviewed manually before this update.
Summary statistics
Overlaps: 3 · Conflicts: 0 · Gaps: 2
Five article-level crossrefs are catalogued between the AI Act and the NIS2 Directive in the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| AI Act Art 15 | NIS2 Directive Art 21 | overlap | high | [entity affected: Provider of high-risk AI systems / Essential or important entity] Both regulations require entities to implement technical and organizational measures to ensure cybersecurity, robustness, and resilience of their systems against errors, faults, and cyber threats. |
| AI Act Art 12 | NIS2 Directive Art 21 | overlap | medium | [entity affected: Provider of high-risk AI systems / Essential or important entity] Both regulations mandate logging and monitoring capabilities to record events, facilitate incident response, and maintain situational awareness regarding system operations and security. |
| AI Act Art 11 | NIS2 Directive Art 21 | overlap | medium | [entity affected: Provider of high-risk AI systems / Essential or important entity] Both regulations require the maintenance of technical documentation and records to demonstrate compliance with security and risk management requirements for regulatory authorities. |
| AI Act Art ? | NIS2 Directive Art ? | gap | high | [entity affected: AI System Integrators in Critical Infrastructure] Entities integrating AI into critical infrastructure may face undefined liability if the AI provider is non-EU and the integrator is |
| AI Act Art ? | NIS2 Directive Art ? | gap | low | [entity affected: Small AI Startups in Non-Critical Sectors] Small AI providers operating outside high-risk categories and non-critical sectors may lack clear guidance on baseline cybersecurity hygien |
Overlaps explained
No conflict-type crossrefs were catalogued for this pair, but the 3 overlaps below mean a single control can be designed to satisfy both regulations at once. Plan the controls jointly to avoid duplicate effort:
- AI Act Art 15 vs NIS2 Directive Art 21 (high severity) — [entity affected: Provider of high-risk AI systems / Essential or important entity] Both regulations require entities to implement technical and organizational measures to ensure cybersecurity, robustness, and resilience of their systems against errors, faults, and cyber threats.
- AI Act Art 12 vs NIS2 Directive Art 21 (medium severity) — [entity affected: Provider of high-risk AI systems / Essential or important entity] Both regulations mandate logging and monitoring capabilities to record events, facilitate incident response, and maintain situational awareness regarding system operations and security.
- AI Act Art 11 vs NIS2 Directive Art 21 (medium severity) — [entity affected: Provider of high-risk AI systems / Essential or important entity] Both regulations require the maintenance of technical documentation and records to demonstrate compliance with security and risk management requirements for regulatory authorities.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between the AI Act and the NIS2 Directive. In practice three resolution approaches apply:
- Lex specialis: the more specific provision wins when both purport to govern the same conduct.
- Regulator guidance: EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles; check the most recent applicable opinion.
- Document the choice: when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence.
Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal, not a control-design question.