Summary statistics
Overlaps: 2 · Conflicts: 0 · Gaps: 2
4 article-level crossrefs are catalogued between the Data Act and the NIS2 Directive in the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| Data Act Art 19 | NIS2 Directive Art 21 | overlap | medium | [entity affected: Public sector bodies and essential/important entities] Both regulations require entities handling data or ICT systems to implement technical and organisational measures to ensure security, confidentiality, and integrity. |
| Data Act Art 11 | NIS2 Directive Art 23 | overlap | low | [entity affected: Data recipients and essential/important entities] Both regulations impose obligations to respond to unauthorized access or incidents, including erasing data or mitigating risks, though NIS2 focuses on incident reporting and Data Act on contractual breach remedies. |
| Data Act Art ? | NIS2 Directive Art ? | gap | high | [entity affected: Data holders providing services to critical infrastructure] Neither regulation explicitly defines the cybersecurity resilience requirements for the data sharing interfaces themselves |
| Data Act Art ? | NIS2 Directive Art ? | gap | medium | [entity affected: Dispute settlement bodies] Dispute settlement bodies mandated by the Data Act are not explicitly classified as essential or important entities under NIS2, leaving a gap in their mand |
Overlaps explained
No conflict-type crossrefs were catalogued for this pair, but the 2 overlaps below mean a single control can be designed to satisfy both regulations at once. Plan the controls jointly to avoid duplicate effort:
- Data Act Art 19 vs NIS2 Directive Art 21 (medium severity) — [entity affected: Public sector bodies and essential/important entities] Both regulations require entities handling data or ICT systems to implement technical and organisational measures to ensure security, confidentiality, and integrity.
- Data Act Art 11 vs NIS2 Directive Art 23 (low severity) — [entity affected: Data recipients and essential/important entities] Both regulations impose obligations to respond to unauthorized access or incidents, including erasing data or mitigating risks, though NIS2 focuses on incident reporting and Data Act on contractual breach remedies.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between the Data Act and the NIS2 Directive. In practice three resolution approaches apply: lex specialis (the more specific provision wins when both purport to govern the same conduct); regulator guidance (EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles; check the most recent applicable opinion); and document the choice (when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence). Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal, not a control-design question.
What this means for your compliance team
Treat the 2 overlaps as design opportunities: one control, two regulatory anchors. No conflicts were catalogued for this pair; treat any conflict as an escalation path to legal: the regulations themselves don't resolve it, you do, and you document the reasoning. The 2 gaps point at scenarios where one regulation is silent while the other speaks; assume the regulator who has the explicit rule will win.