GDPR vs NIS2: how they overlap, where they differ, and when one incident triggers both

GDPR and NIS2 both touch security and both carry heavy fines, so they get conflated, but they protect different things and answer to different authorities. The risk isn't choosing the wrong one; it's missing that a single incident can trigger both, on different clocks. This guide draws the line between them, shows where they overlap, explains how they interact (cooperation, and no double fine), and gives a straight answer for the teams who end up serving customers under both.

Key takeaways

  • GDPR protects personal data and applies to almost any organisation; NIS2 protects cyber-resilience and applies only to designated essential and important entities.
  • One incident can require two notifications: a 72-hour personal-data breach notice to your DPA (GDPR Art. 33) and a 24h/72h/1-month report to your CSIRT (NIS2 Art. 23).
  • They're designed to dovetail: authorities cooperate (NIS2 Art. 35) and you can't be fined twice for the same conduct, but you still assess and notify under each where it applies.

What each one governs

GDPR and NIS2 are both EU laws that touch security, and they get conflated, but they protect different things. GDPR protects personal data; NIS2 protects the continuity and security of essential services. An organisation can easily be subject to both at once.

The cleanest way to keep them apart: GDPR asks “are you protecting people's personal data?” and applies to almost any organisation that processes it. NIS2 asks “is your organisation operationally and cyber-resilient?” and applies only to designated essential and important entities in specific sectors.

GDPR: personal data, almost everyone

Regulation (EU) 2016/679, applicable since 2018. Governs the processing of personal data by controllers and processors: lawful basis, data-subject rights, and security of processing (Art. 32). Enforced by data protection authorities (DPAs).

NIS2: cybersecurity, designated entities

Directive (EU) 2022/2555, transposed into national law (deadline 17 October 2024). Governs cybersecurity risk management (Art. 21) and incident reporting (Art. 23) for essential and important entities. Enforced by national cybersecurity authorities and CSIRTs.

The trap: one incident, two notifications

A single breach can trigger both regimes, reported to different authorities on different clocks. Know both:

GDPR Art. 33

If a security incident involves personal data, notify your DPA without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms.

NIS2 Art. 23

If it's a significant incident, send your CSIRT a 24-hour early warning, a 72-hour incident notification, and a final report within one month.

Both at once

A ransomware attack that encrypts personal data is, simultaneously, a NIS2 significant incident and a GDPR personal-data breach: two filings, two authorities, two timelines.

Where they overlap

Implement one well and parts of the other follow. Both require:

  • Security of processing / risk-management measures: proportionate technical and organisational controls.
  • Incident or breach notification on defined timelines, with documentation of what happened and how you responded.
  • Accountability: leadership must own it, and both regimes carry significant administrative fines.
  • Records and evidence: you must be able to demonstrate, not merely assert, that controls exist and work.
  • Third-party assurance: GDPR through processor contracts (Art. 28), NIS2 through supply-chain security (Art. 21(2)(d)).

The key interaction: cooperation, and no double fine

NIS2 was written to dovetail with GDPR, not duplicate it. Under NIS2 Article 35, where a cybersecurity authority becomes aware that an incident at an entity may involve a personal-data breach notifiable under GDPR Art. 33, it must inform the data protection authority without undue delay. The two authorities cooperate and exchange information.

Critically, you won't be fined twice for the same conduct: where a DPA imposes a GDPR fine for an infringement, the NIS2 authority must not also impose a NIS2 fine (Art. 34) arising from the same conduct. But that's protection against a double penalty for one act. It does not merge the two obligations. You still assess, document and notify under each regime wherever it applies.

Which obligations apply depends on the facts: was personal data involved, and are you an essential or important entity? Confirm the specifics with your DPA, your national cybersecurity authority and qualified advice.

Which applies to you?

Most organisations answer to one; many to both:

You process personal data but aren't an essential/important entity

GDPR applies; NIS2 does not apply to you directly, though a NIS2 customer's supply-chain due diligence may still reach you through your contracts.

You're an essential/important entity that processes little personal data

NIS2 applies in full; GDPR applies to whatever personal data you do process (employees, customers).

You're subject to both (the common case)

Run one incident-response process that satisfies both clocks: your DPA within 72 hours for personal-data breaches, and your CSIRT on the 24h/72h/1-month track for significant incidents.
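One way to make "one process, two clocks" concrete is a small deadline tracker that takes the facts of an incident (personal data involved? designated entity? significant?) and returns every notification due, with its authority and due time. The code below is an added example, not part of this guide or of any product it describes. It assumes both clocks start at the moment the organisation becomes aware of the incident, and reads NIS2's "one month" as the same calendar day in the following month (clamped to the month's last day); confirm both readings with your authorities.

```python
"""Dual-clock notification tracker for a single incident (added example).

Encodes the two regimes described in the guide:
  - GDPR Art. 33: notify the DPA within 72 hours of becoming aware of a
    personal-data breach, unless it is unlikely to risk individuals' rights
    and freedoms.
  - NIS2 Art. 23: for a significant incident at an essential/important
    entity, a 24-hour early warning, a 72-hour incident notification and a
    final report within one month, all to the CSIRT.
Assumptions (not from the guide): both clocks start at `aware_at`;
"one month" is the same calendar day next month, clamped to month end.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional


@dataclass(frozen=True)
class Incident:
    aware_at: datetime                  # when you became aware (must be tz-aware)
    personal_data_involved: bool        # GDPR: does the incident touch personal data?
    unlikely_to_risk_individuals: bool  # GDPR Art. 33 carve-out applies?
    nis2_entity: bool                   # designated essential or important entity?
    significant: bool                   # NIS2: meets the significant-incident bar?


@dataclass(frozen=True)
class Obligation:
    regime: str     # "GDPR" or "NIS2"
    authority: str  # "DPA" or "CSIRT"
    step: str       # which filing this is
    due: datetime   # hard deadline for the filing


def add_one_month(moment: datetime) -> datetime:
    """Same day next month, clamped (31 Jan -> 28/29 Feb). Assumed reading of 'one month'."""
    years, month0 = divmod(moment.month, 12)  # month 12 rolls over to next January
    year, month = moment.year + years, month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def obligations(incident: Incident) -> List[Obligation]:
    """Every notification this incident triggers, earliest deadline first."""
    if incident.aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; deadlines depend on it")
    t0 = incident.aware_at
    out: List[Obligation] = []
    # GDPR clock: personal data involved and the Art. 33 carve-out does not apply.
    if incident.personal_data_involved and not incident.unlikely_to_risk_individuals:
        out.append(Obligation("GDPR", "DPA", "Art. 33 breach notification",
                              t0 + timedelta(hours=72)))
    # NIS2 clock: only designated entities, and only for significant incidents.
    if incident.nis2_entity and incident.significant:
        out += [
            Obligation("NIS2", "CSIRT", "Art. 23 early warning", t0 + timedelta(hours=24)),
            Obligation("NIS2", "CSIRT", "Art. 23 incident notification", t0 + timedelta(hours=72)),
            Obligation("NIS2", "CSIRT", "Art. 23 final report", add_one_month(t0)),
        ]
    return sorted(out, key=lambda o: o.due)  # stable sort keeps GDPR before NIS2 at 72h


def next_due(incident: Incident, now: datetime) -> Optional[Obligation]:
    """The earliest filing not yet past its deadline, or None if nothing is pending."""
    pending = [o for o in obligations(incident) if o.due > now]
    return pending[0] if pending else None


if __name__ == "__main__":
    # Constructed sample: ransomware encrypting personal data at a designated entity,
    # discovered on 31 January so the month-end clamp is visible.
    ransomware = Incident(
        aware_at=datetime(2025, 1, 31, 10, 0, tzinfo=timezone.utc),
        personal_data_involved=True, unlikely_to_risk_individuals=False,
        nis2_entity=True, significant=True,
    )
    for o in obligations(ransomware):
        print(f"{o.due.isoformat()}  {o.regime:4} -> {o.authority:5} {o.step}")
    nxt = next_due(ransomware, ransomware.aware_at + timedelta(hours=30))
    print("next due:", nxt.step if nxt else "nothing pending")
```

Feeding the same object to both clocks is the point: the incident is assessed once, and the output is two filings to two authorities with their own deadlines, which is what a single incident-response runbook has to produce.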

You're a supplier or processor

Expect both GDPR processor terms (Art. 28) and NIS2 supply-chain scrutiny (Art. 21(2)(d)) from your customers: questionnaires, evidence requests and continuous monitoring.

Sources: Regulation (EU) 2016/679 (GDPR) and Directive (EU) 2022/2555 (NIS2), in particular Art. 35 on the interaction with the GDPR. Confirm how both apply to your situation with your DPA and national cybersecurity authority.

How norppa.io helps

Both regimes now expect continuous, evidence-backed assurance over your suppliers and processors: GDPR through Art. 28 processor oversight, NIS2 through Art. 21(2)(d) supply-chain security. norppa.io monitors every supplier domain across more than a hundred control points daily, with each finding mapped to the NIS2 article it touches and exportable for your records.

Self-assessment questionnaires capture the contractual and process controls that neither a DPA nor a cybersecurity auditor can see from the outside, and each answer is set against the live technical profile, so whether the question comes from a data-protection or a NIS2 angle, you can show current, corroborated evidence instead of assertions.
