Summary statistics
Overlaps: 2 · Conflicts: 1 · Gaps: 2
5 article-level crossrefs catalogued between ePrivacy Directive and NIS2 Directive from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| NIS2 Directive Art 13 | ePrivacy Directive Art 4 | overlap | medium | [entity affected: Member State / Provider of publicly available electronic communications service] Both regulations require the establishment of mechanisms for incident notification and security risk |
| NIS2 Directive Art 11 | ePrivacy Directive Art 4 | overlap | medium | [entity affected: CSIRT / Provider of publicly available electronic communications service] Both regulations mandate the implementation of appropriate technical and organizational measures to ensure s |
| NIS2 Directive Art ? | ePrivacy Directive Art ? | gap | high | [entity affected: Essential and Important Entities in Telecom Sector] Entities classified as essential or important under NIS2 that are also electronic communications providers must reconcile NIS2's b |
| NIS2 Directive Art 13 | ePrivacy Directive Art 5 | conflict | high | [entity affected: Competent Authorities / CSIRTs] NIS2 encourages the exchange of incident information and cyber threats among authorities and CSIRTs, while ePrivacy strictly prohibits the interceptio |
| NIS2 Directive Art ? | ePrivacy Directive Art ? | gap | medium | [entity affected: Service Providers] There is a gap in guidance on how service providers should balance the NIS2 obligation to report significant incidents to CSIRTs with the ePrivacy obligation to ma |
Conflicts explained
The 1 article-level conflicts between ePrivacy Directive and NIS2 Directive mean a control that satisfies one can pull the wrong way on the other:
- NIS2 Directive Art 13 vs ePrivacy Directive Art 5 — [entity affected: Competent Authorities / CSIRTs] NIS2 encourages the exchange of incident information and cyber threats among authorities and CSIRTs, while ePrivacy strictly prohibits the interception or storage of communications and traffic data without user consent, potentially limiting the data available for sharing under NIS2.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between ePrivacy Directive and NIS2 Directive. In practice three resolution approaches apply: lex specialis (the more specific provision wins when both purport to govern the same conduct); regulator guidance (EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles — check the most recent applicable opinion); and document the choice (when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence). Where the corpus surfaces a conflict rather than an overlap, treat that as an escalation path to legal — not a control-design question.
What this means for your compliance team
Treat the 2 overlaps as design opportunities — one control, two regulatory anchors. Treat the 1 conflicts as escalation paths to legal: the regulations themselves don't resolve them, you do, and you document the reasoning. The 2 gaps point at scenarios where one regulation is silent while the other speaks — assume the regulator who has the explicit rule will win.
Related Fontvera pages
- eprivacy obligations electronic communications
- eprivacy vs gdpr comparison
- ai act art 17 provider obligations
- ai act art 70 commission obligations
Check your full compliance exposure with the 5-minute Fontvera diagnostic →