Art. 23 NIS 2 + Art. 33 GDPR

Data breach: NIS 2 and GDPR in parallel

Two reporting frameworks sit on the same incident. Article 33 GDPR runs to the data protection authority. Article 23 NIS 2 runs to the cybersecurity authority. They do not replace each other.

Simon Orzel

Why one incident triggers two clocks

A ransomware attack that exfiltrates an employee database is one event. Under Article 33 GDPR it is a personal data breach. Under Article 23 NIS 2 it is a significant cybersecurity incident if it disrupts service delivery, causes financial loss, or harms third parties. The two regimes can apply to the same facts at the same time.

Recital 14 NIS 2 is explicit. NIS 2 does not affect the application of the GDPR. The cybersecurity report under Article 23 NIS 2 does not discharge the controller obligation under Article 33 GDPR, and the GDPR breach notice does not discharge the cybersecurity report.

This page describes the two frameworks side by side. It is not legal advice. An entity facing a data breach that meets both Article 23 NIS 2 and Article 33 GDPR thresholds typically files in parallel, with the data protection officer and the security lead coordinating on a shared factual basis.

Legal anchor
One EU regulation and one EU directive, one transposition layer in Germany.

Article 33(1) GDPR

In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.

The 72-hour clock starts when the controller becomes aware of the breach, not when the incident occurs. The risk threshold is rights and freedoms of natural persons, not operational impact.

Article 23(4) NIS 2 cascade

Member States shall ensure that the essential and important entities concerned submit to the CSIRT or, where applicable, the competent authority: (a) without undue delay and in any event within 24 hours of becoming aware of the significant incident, an early warning; (b) without undue delay and in any event within 72 hours of becoming aware of the significant incident, an incident notification; (c) a final report not later than one month after the submission of the incident notification under point (b).

Three steps to the BSI in Germany, ANSSI in France, RDI in the Netherlands. The 24-hour early warning is the distinctive item: GDPR has no equivalent 24-hour early-warning duty.

BSIG section 32 (Germany)

Important and essential entities shall report significant security incidents to the Federal Office without undue delay, following the cascade set out in Article 23(4) of Directive (EU) 2022/2555.

BSIG transposes the NIS 2 cascade into German law. It does not change the GDPR clock. Article 33 GDPR is directly applicable EU regulation and runs alongside BSIG.

What the two reports actually contain
Detect once, classify against two thresholds, file two reports if both are met.
Step 1: Detect and triage

Incident response identifies that personal data was accessed, exfiltrated, or rendered unavailable. The same facts feed both legal assessments. Forensic logs, affected systems, affected categories of data, and affected data subjects are the shared evidence base.

Step 2: Classify against two thresholds

GDPR significance turns on risk to rights and freedoms of natural persons (Article 33 GDPR). NIS 2 significance turns on operational continuity, financial loss, or material or non-material damage to third parties (Article 23(3) NIS 2, specified by CIR section 11.6). One incident may cross one threshold, the other, both, or neither.

Step 3: File in parallel if both thresholds are met

If both thresholds are met, the cybersecurity authority receives the Article 23 NIS 2 cascade and the data protection authority receives the Article 33 GDPR notice. Two recipients, two formats, two timelines. The 24-hour NIS 2 early warning is usually the first thing out the door.

Two clocks, shared facts
Same incident, two legal assessments, two parallel processes.

Two clocks run independently

Article 23(4) NIS 2 starts the 24-hour early warning and 72-hour notification clocks at awareness of the significant incident. Article 33 GDPR starts a 72-hour clock at awareness of the personal data breach. The two awareness points often coincide, but the deadlines and recipients differ. Waiting for the GDPR clock before filing the NIS 2 early warning misses the 24-hour window.

Shared facts, different thresholds

Both authorities want what happened, when, what systems, what data, and what mitigation. The legal questions are different. GDPR asks whether natural persons face a risk to their rights and freedoms. NIS 2 asks whether the incident causes operational disruption, financial loss, or material damage. The same factual paragraph can be reused; the significance assessment cannot.
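As an added worked example, not code from this page or from any platform it describes, the Step 1 to Step 3 flow and the two independent clocks above can be modelled as a small deadline calculator: each track runs from its own awareness time, and the NIS 2 final report is pegged to the submission of the 72-hour notification rather than to awareness. The dataclass fields, function names and sample timestamps are constructed assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class IncidentFacts:
    """Shared factual basis from triage (Step 1) plus the two threshold calls (Step 2)."""
    nis2_significant: bool                      # Art. 23(3) NIS 2 threshold met
    gdpr_risk_to_persons: bool                  # Art. 33 GDPR: not "unlikely to result in a risk"
    nis2_aware_at: Optional[datetime] = None    # awareness of the significant incident
    gdpr_aware_at: Optional[datetime] = None    # awareness of the personal data breach


def plus_one_month(t: datetime) -> datetime:
    # Calendar month, clamped to the last day of the target month (31 Jan -> 28/29 Feb).
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=year, month=month, day=min(t.day, calendar.monthrange(year, month)[1]))


def reporting_deadlines(facts: IncidentFacts,
                        nis2_notification_sent_at: Optional[datetime] = None) -> dict:
    """Deadlines of every track that applies; each track runs on its own awareness time."""
    due = {}
    if facts.nis2_significant:
        t0 = facts.nis2_aware_at
        due["nis2_early_warning"] = t0 + timedelta(hours=24)          # Art. 23(4)(a)
        due["nis2_incident_notification"] = t0 + timedelta(hours=72)  # Art. 23(4)(b)
        # Art. 23(4)(c): one month after the notification was submitted, not after awareness.
        # Until it is actually sent, plan on the latest permissible submission time.
        sent = nis2_notification_sent_at or due["nis2_incident_notification"]
        due["nis2_final_report"] = plus_one_month(sent)
    if facts.gdpr_risk_to_persons:
        # Art. 34 GDPR (data subjects) has no hour count, so it is tracked outside this dict.
        due["gdpr_art33_notice"] = facts.gdpr_aware_at + timedelta(hours=72)  # Art. 33(1)
    return due


def first_filing(due: dict) -> Optional[str]:
    """The report that leaves first; with both tracks open this is the NIS 2 early warning."""
    return min(due, key=due.get) if due else None


if __name__ == "__main__":
    # Constructed sample: ransomware exfiltrates an employee database, both thresholds met,
    # both awareness points coincide.
    aware = datetime(2024, 5, 6, 9, 0, tzinfo=timezone.utc)
    facts = IncidentFacts(True, True, nis2_aware_at=aware, gdpr_aware_at=aware)
    for name, when in sorted(reporting_deadlines(facts).items(), key=lambda kv: kv[1]):
        print(f"{name:28s} {when.isoformat()}")
```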

Who receives what
Different recipients, coordination duty between them.
BSI (DE): Federal Office for Information Security

Cybersecurity authority under BSIG. Receives the Article 23 NIS 2 cascade: 24-hour early warning, 72-hour incident notification, one-month final report. The reporting channel is the BSI portal for important and essential entities.

BfDI / LfDI (DE): data protection authorities

The BfDI for federal bodies and for controllers in the telecoms and postal sectors; the LfDI of the controller's state for everyone else. Receives the Article 33 GDPR notice within 72 hours. The Article 34 GDPR notification to affected data subjects runs in addition where the breach is likely to result in a high risk to rights and freedoms.

Article 23(11) NIS 2 coordination duty (EU)

Where an incident involves personal data, the CSIRT or competent authority cooperates with the data protection authority. This means the two authorities can share information about the same incident, but it does not relieve the entity of either reporting duty. The duty to coordinate sits with the authorities, not the entity.

Three common mistakes
Each one is observable in published enforcement decisions or DPA guidance.
  • We filed with the BfDI within 72 hours, so we are done.

    Article 33 GDPR addresses the data protection authority. Article 23 NIS 2 addresses the cybersecurity authority. Filing with one does not satisfy the other. Recital 14 NIS 2 confirms the two regimes apply independently. If both thresholds are met, both reports are typically filed.

  • We can paste the same notification text into both forms.

    Factual paragraphs about what happened, when, and what systems are affected can be shared. The legal classification is different. GDPR requires a description of likely consequences for data subjects and measures to address risk to rights and freedoms. NIS 2 requires severity, impact, and indicators of compromise. The forms ask different questions.

  • We will wait for the data protection officer to finish the GDPR notice before we file with BSI.

    The Article 23(4) NIS 2 early warning is due within 24 hours of awareness. The GDPR 72-hour clock is longer. Sequencing the NIS 2 cascade behind the GDPR notice typically misses the 24-hour window. Most response playbooks start the NIS 2 early warning first and the GDPR notice in parallel.

What practitioners actually do

Run one incident triage. Capture the facts once: timeline, affected systems, affected data categories, number of data subjects, mitigation. Then split into two assessment tracks. Security lead drives the Article 23 NIS 2 cascade. Data protection officer drives the Article 33 GDPR notice. Both report into the same incident commander.

If the breach is likely to result in a high risk to rights and freedoms of natural persons, Article 34 GDPR adds a notification to affected data subjects on top of the supervisory authority notice. NIS 2 has its own public communication duty under Article 23(2) where the incident can affect service recipients.

How the platform supports parallel reporting

The incident module captures the shared factual basis once. Severity, affected systems, affected data categories, timeline, and mitigation feed both the NIS 2 cascade view and the GDPR notice draft. The 24-hour and 72-hour deadlines are tracked separately with their own reminders.

Roles are split. The security lead owns the NIS 2 path. The data protection officer owns the GDPR path. Both see the same source of truth on the incident. The audit trail logs which authority received what and when.

Primary sources
  • Regulation (EU) 2016/679 (GDPR), Articles 33 and 34
  • Directive (EU) 2022/2555 (NIS 2), Article 23 and Recital 14
  • Commission Implementing Regulation (EU) 2024/2690, section 11.6 (significance of incidents)
  • BSIG section 32 (transposition of Article 23 NIS 2 in Germany)
  • EDPB Guidelines 9/2022 on personal data breach notification under GDPR
  • BSI guidance on reporting significant incidents under BSIG