The cumulative-application principle
The European Data Protection Board confirmed in Guidelines 9/2022 (and earlier in WP29 guidance) that GDPR continues to apply alongside sectoral cybersecurity regulation. Recital 14 of NIS2 echoes this: the directive is "without prejudice" to GDPR. The practical consequences:
- An entity in scope of NIS2 still has a DPO, still complies with the lawfulness principles of Articles 5 and 6, and still answers data-subject rights requests.
- A controller that experiences a personal-data breach still notifies the DPA under Article 33, even if the underlying event is also a NIS2 significant incident.
- Authority cooperation: NIS2 Article 13(5) requires CSIRTs to inform DPAs when an incident involves personal data; some Member States have built joint reporting portals.
Side-by-side: substantive controls
| Topic | GDPR Article 32 | NIS2 Article 21 |
|---|---|---|
| Risk basis | Risk to rights and freedoms of natural persons. | Risk to network and information systems. |
| Encryption | "As appropriate." | Required as part of cryptographic policies (Art 21(2)(h)). |
| Resilience and continuity | "Ability to ensure ongoing confidentiality, integrity, availability and resilience." | Business continuity and crisis management explicitly required (Art 21(2)(c)). |
| Supply-chain security | Indirectly via processor obligations (Art 28). | Directly required (Art 21(2)(d)). |
| Incident handling | Implied; explicit in Art 33–34 reporting. | Explicit incident-handling capability (Art 21(2)(b)). |
| Vulnerability handling | Not explicit. | Required (Art 21(2)(g)). |
| Training and awareness | Implicit, through evidence of technical and organisational measures (TOMs). | Cybersecurity training and awareness (Art 21(2)(g)). |
The breach-reporting choreography
A ransomware event affecting a hospital's patient-records system illustrates the dual reporting:
- T+0: Detection. Internal triage.
- T+24h: NIS2 Article 23(4) early warning to the CSIRT — preliminary information about the incident.
- T+72h: GDPR Article 33 notification to the supervisory authority. The controller's 72-hour clock starts when it "becomes aware" of the breach, which case law places close to the moment of detection. Also due at T+72h: the NIS2 Article 23(4) incident notification, giving an initial assessment, the severity, and any indicators of compromise.
- T+72h onward: GDPR Article 34 communication to data subjects, where the breach is likely to result in a high risk to their rights and freedoms.
- T+1 month: NIS2 Article 23(4) final report.
Penalty stacking
- GDPR Article 83: up to EUR 20M or 4% of global turnover.
- NIS2 Article 34: up to EUR 10M or 2% (essential entities); up to EUR 7M or 1.4% (important entities).
- Both can be imposed for the same underlying event by different authorities. Ne bis in idem only bars a second penalty on the same legal basis, and GDPR and NIS2 are distinct legal bases.
Practical compliance
- One control framework: design TOM evidence so a single set of controls satisfies GDPR Article 32 and NIS2 Article 21. Map ISO/IEC 27001:2022 controls to both.
- Joint runbook: pre-write the 24h NIS2 early warning, the 72h GDPR Article 33 notification, and the 72h NIS2 Article 23 notification templates. Do not draft them at 3 AM.
- Authority coordination: identify the lead DPA and the lead NIS2 authority; ask whether they have a joint inspection arrangement.
- Records: incident logs serve both regimes' supervision; keep them accessible for both.
- DPO + CISO alignment: clarify decision rights between the DPO and the CISO at incident time.