The cumulative-application principle
The European Data Protection Board confirmed in Guidelines 9/2022 (and earlier in WP29 guidance) that GDPR continues to apply alongside sectoral cybersecurity regulation. Recital 14 of NIS2 echoes this: the directive is "without prejudice" to GDPR. The practical consequences:
- An entity in scope of NIS2 still has a DPO, still complies with Articles 5–6 lawfulness principles, still answers data-subject rights requests.
- A controller that experiences a personal-data breach still notifies the DPA under Article 33, even if the underlying event is also a NIS2 significant incident.
- Authority cooperation: NIS2 Article 13(5) requires CSIRTs to inform DPAs when an incident involves personal data; some Member States have built joint reporting portals.
Side-by-side: substantive controls
| Topic | GDPR Article 32 | NIS2 Article 21 |
|---|---|---|
| Risk basis | Risk to rights and freedoms of natural persons. | Risk to network and information systems. |
| Encryption | "As appropriate." | Required as part of cryptographic policies (Art 21(2)(h)). |
| Resilience and continuity | "Ability to ensure ongoing confidentiality, integrity, availability and resilience." | Business continuity and crisis management explicitly required (Art 21(2)(c)). |
| Supply-chain security | Indirectly via processor obligations (Art 28). | Directly required (Art 21(2)(d)). |
| Incident handling | Implied; explicit in Art 33–34 reporting. | Explicit incident-handling capability (Art 21(2)(b)). |
| Vulnerability handling | Not explicit. | Required (Art 21(2)(g)). |
| Training and awareness | Implicit through TOM evidence. | Cybersecurity training and awareness (Art 21(2)(g)). |
The breach-reporting choreography
A ransomware event affecting a hospital's patient-records system illustrates the dual reporting:
- T+0: Detection. Internal triage.
- T+24h: NIS2 Article 23(4) early warning to the CSIRT — preliminary information about the incident.
- T+72h: GDPR Article 33 notification to the supervisory authority. The controller's 72-hour clock starts when it "becomes aware" of the breach, which case law places close to detection. In parallel, the NIS2 Article 23(4) incident notification: initial assessment, severity, and indicators of compromise.
- T+72h onward: GDPR Article 34 communication to data subjects, if the breach is likely to result in high risk.
- T+1 month: NIS2 Article 23(4) final report.
Penalty stacking
- GDPR Article 83: up to EUR 20M or 4% of global turnover.
- NIS2 Article 34: up to EUR 10M or 2% (essential); up to EUR 7M or 1.4% (important).
- Both can be imposed for the same underlying event by different authorities. Ne bis in idem bars a second penalty only on the same legal basis; the two regimes rest on different bases, so it does not prevent parallel fines.
Practical compliance
- One control framework: design TOM evidence so a single set of controls satisfies GDPR Article 32 and NIS2 Article 21. Map ISO/IEC 27001:2022 controls to both.
- Joint runbook: pre-write the 24h NIS2 early warning, the 72h GDPR Article 33 notification, and the 72h NIS2 Article 23 notification templates. Do not draft them at 3 AM.
- Authority coordination: identify the lead DPA and the lead NIS2 authority; ask whether they have a joint inspection arrangement.
- Records: incident logs serve both regimes' supervision; keep them accessible for both.
- DPO + CISO alignment: clarify decision rights between the DPO and the CISO at incident time.
Cross-regulatory data update
Auto-merged from the Fontvera archetype dataset on 2026-05-12. The sections below are extracted verbatim from the `obligations` and `obligation_crossrefs` tables; the page itself was last reviewed manually before this update.
Summary statistics
Overlaps: 3 · Conflicts: 1 · Gaps: 2
6 article-level crossrefs catalogued between GDPR and NIS2 Directive from the Fontvera EU regulatory corpus. Article numbers are verbatim from the underlying obligation_crossrefs table; descriptions are extracted, not paraphrased.
All crossrefs between these regulations
| Article (A) | Article (B) | Type | Severity | Description |
|---|---|---|---|---|
| GDPR Art 5 | NIS2 Directive Art 21 | overlap | medium | [entity affected: Essential and Important Entities] Both regulations require entities to implement appropriate technical and organizational measures to ensure security; GDPR focuses on personal data s |
| GDPR Art 24 | NIS2 Directive Art 21 | overlap | medium | [entity affected: Essential and Important Entities] Both regulations mandate the implementation of technical and organizational measures to ensure and demonstrate compliance with security principles, |
| GDPR Art 33 | NIS2 Directive Art 23 | overlap | high | [entity affected: Essential and Important Entities] Both regulations require entities to notify competent authorities of incidents; GDPR requires notification of personal data breaches within 72 hours |
| GDPR Art 33 | NIS2 Directive Art 23 | conflict | high | [entity affected: Essential and Important Entities] GDPR mandates notification within 72 hours of becoming aware of a breach, whereas NIS2 requires an initial notification within 24 hours of becoming aware of a significant incident, creating a stricter timeline conflict for overlapping incidents. |
| GDPR Art ? | NIS2 Directive Art 21 | gap | medium | [entity affected: Supply Chain Partners] NIS2 requires supply chain security measures, but neither regulation clearly defines the specific data protection obligations for third-party suppliers who pro |
| GDPR Art ? | NIS2 Directive Art 20 | gap | medium | [entity affected: Management Bodies] NIS2 imposes personal liability on management bodies for cybersecurity failures, but GDPR does not explicitly address the personal liability of executives for data |
Conflicts explained
The one article-level conflict between GDPR and NIS2 Directive means a control that satisfies one can pull the wrong way on the other:
- GDPR Art 33 vs NIS2 Directive Art 23 — [entity affected: Essential and Important Entities] GDPR mandates notification within 72 hours of becoming aware of a breach, whereas NIS2 requires an initial notification within 24 hours of becoming aware of a significant incident, creating a stricter timeline conflict for overlapping incidents.
Which regulation takes precedence
EU law does not lay down a universal precedence rule between GDPR and NIS2 Directive. In practice three resolution approaches apply:
- Lex specialis: the more specific provision wins when both purport to govern the same conduct.
- Regulator guidance: EDPB, EBA, ESMA and the AI Office have all issued joint readings on overlapping articles; check the most recent applicable opinion.
- Documented choice: when the regulations leave the call to the controller, the audit defence is your written reasoning, not the regulator's silence.
Where the corpus surfaces a conflict rather than an overlap, treat it as an escalation path to legal, not a control-design question.