Summary statistics
Overlaps: 2 · Conflicts: 1 · Gaps: 2
5 article-level crossrefs catalogued between DSA and NIS2 Directive from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| DSA Art 11 | NIS2 Directive Art 13 | overlap | low | [entity affected: Member States / Providers of intermediary services] Both regulations require the designation of single points of contact to facilitate communication between entities and authorities, |
| DSA Art 10 | NIS2 Directive Art 13 | overlap | low | [entity affected: Member States / Authorities] Both regulations mandate mechanisms for authorities to transmit orders or notifications to designated contacts, ensuring structured communication channel |
| DSA Art ? | NIS2 Directive Art ? | gap | high | [entity affected: Providers of intermediary services classified as essential/important entities] Entities providing intermediary services that are also classified as essential or important under NIS2 |
| DSA Art ? | NIS2 Directive Art ? | gap | medium | [entity affected: Hosting service providers] Hosting providers must report criminal threats under DSA Art 18 and cybersecurity incidents under NIS2, but there is no clear guidance on how to distinguis |
| DSA Art 17 | NIS2 Directive Art 12 | conflict | medium | [entity affected: Providers of hosting services / ICT product providers] DSA requires providers to disclose reasons for content restrictions including notifier identity if strictly necessary, while NI |
Conflicts explained
The 1 article-level conflicts between DSA and NIS2 Directive mean a control that satisfies one can pull the wrong way on the other:
- DSA Art 17 vs NIS2 Directive Art 12 — [entity affected: Providers of hosting services / ICT product providers] DSA requires providers to disclose reasons for content restrictions including notifier identity if strictly necessary, while NIS2 emphasizes anonymity for vulnerability reporters, creating tension in disclosure practices when a content restriction is based on a reported vulnerability.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between DSA and NIS2 Directive. In practice three resolution approaches apply: lex specialis (the more specific provision wins when both purport to govern the same conduct); regulator guidance (EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles — check the most recent applicable opinion); and document the choice (when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence). Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal — not a control-design question.
What this means for your compliance team
Treat the 2 overlaps as design opportunities — one control, two regulatory anchors. Treat the 1 conflicts as escalation paths to legal: the regulations themselves don't resolve them, you do, and you document the reasoning. The 2 gaps point at scenarios where one regulation is silent while the other speaks — assume the regulator who has the explicit rule will win.
Related Fontvera pages
- dsa obligations online advertising
- dsa obligations online platforms
- dsa vs eprivacy comparison
- dsa vs gdpr comparison
Check your full compliance exposure with the 5-minute Fontvera diagnostic →