NIS 2 + GDPR

NIS 2 and GDPR: the overlap that is not a merger

Article 32 GDPR and Article 21 NIS 2 ask for many of the same security measures. Article 33 GDPR and Article 23 NIS 2 are separate reporting tracks with separate clocks and separate authorities. Recital 14 NIS 2 spells out that the two regimes complement each other. They do not collapse into one filing.

Simon Orzel

The short version

GDPR (Regulation (EU) 2016/679) protects the rights and freedoms of natural persons whose personal data you process. NIS 2 (Directive (EU) 2022/2555) protects the operational continuity of network and information systems in essential and important sectors. Two regimes, two protected interests, mostly shared technical and organisational controls.

The control set overlaps strongly. Article 32 GDPR asks for appropriate technical and organisational measures for the security of personal data. Article 21 NIS 2 asks for risk management measures for the security of network and information systems. A mature access control policy, a working and restore-tested backup, a rehearsed incident response procedure usually serve both at once.

The reporting tracks do not overlap. Article 33 GDPR sends a personal data breach notice to the data protection supervisory authority within 72 hours of becoming aware. Article 23 NIS 2 sends an early warning to the CSIRT or the competent authority within 24 hours of becoming aware, an incident notification within 72 hours, and a final report not later than one month after that incident notification. Different recipient, different content, different clock. There is no merged filing.

The legal source
Three layers stacked. GDPR Article 32 sets the security duty for personal data. NIS 2 Article 21 sets the security duty for network and information systems, and Recital 14 confirms the two regimes complement each other. The German transposition puts the NIS 2 duties into §30 and §32 BSIG; Article 33 GDPR applies directly and unchanged beside them.

Article 32(1) GDPR (Regulation (EU) 2016/679)

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The GDPR security clause. Risk-based, proportionate, attached to the rights and freedoms of natural persons. Article 32(1)(a) to (d) then name pseudonymisation and encryption, the ability to ensure confidentiality, integrity, availability and resilience, the ability to restore availability after an incident, and a process for regularly testing and evaluating the measures as the kind of controls the controller and processor have to consider. Article 32(2) adds the risk lens (accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access). The families line up closely with the Article 21(2) NIS 2 catalogue, which is why one control set can serve both.

Article 21 NIS 2 + Recital 14 (Directive (EU) 2022/2555)

Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems which those entities use for their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of their services and on other services. [Article 21(1)] / This Directive is without prejudice to Regulation (EU) 2016/679 of the European Parliament and of the Council. [Recital 14]

Article 21 sets the security duty for network and information systems. Article 21(2) then lists the ten measure areas in points (a) to (j): policies on risk analysis and information system security; incident handling; business continuity (backup management, disaster recovery, crisis management); supply chain security; security in acquisition, development and maintenance, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene and cybersecurity training; policies on cryptography and, where appropriate, encryption; human resources security, access control and asset management; and multi-factor or continuous authentication plus secured communications. Recital 14 confirms the GDPR is not displaced. The two regimes sit side by side.

§30 + §32 BSIG vs Article 33 GDPR (Germany)

§30 BSIG transposes Article 21 NIS 2 into the catalogue of cybersecurity risk management measures. §32 BSIG transposes Article 23 NIS 2 into the 24h / 72h / one month cascade to the BSI. Article 33 GDPR sits unchanged in the Regulation and applies directly to the data protection supervisory authority (BfDI for federal bodies and certain regulated sectors, the Land authorities for everyone else).

Two German rule books, two German recipients. §30 BSIG and §32 BSIG go to the BSI. Article 33 GDPR goes to the BfDI or the LfDI. The two authorities cooperate under Article 35 NIS 2 (infringements entailing a personal data breach) and the general cooperation duty in Article 31 NIS 2, but they do not merge their case files. You file twice when an incident touches both regimes.

Three things that overlap, and one that does not
Most of the control set is shared. The reporting cascade is not. The documentation has to satisfy both rule books without copy-pasting between them.
Overlap

Shared control set

Article 32 GDPR and Article 21(2) NIS 2 ask for the same families of measures: access control, encryption, backup and restore, incident response, training, vulnerability management, supplier security. A single set of technical and organisational measures usually satisfies both. The wording differs, the substance does not.

Divergence

Two reporting clocks

Article 33 GDPR: 72 hours to the data protection supervisory authority once you become aware of a personal data breach, with content defined in Article 33(3); if the notice is late, Article 33(1) requires the reasons for the delay to be stated. Article 23 NIS 2: 24 hours early warning, 72 hours incident notification, final report one month after that incident notification, to the BSI or the national CSIRT. Different recipient, different threshold (personal data breach under Article 4(12) GDPR vs significant incident under Article 23(3) NIS 2), different template. They run in parallel.

Both

Documentation has to stand on its own in each file

The BfDI or LfDI will read your file under Article 32 and Article 33 GDPR. The BSI will read your file under §30 and §32 BSIG. Each authority expects its own legal basis cited, its own timeline documented, its own evidence on file. One incident log can feed both, but the two filings stay separate.

Two rules that shape the overlap
Two interpretive rules sit under Recital 14 NIS 2 and Article 35 NIS 2. They explain why the regimes complement each other instead of merging.

Complementary protected interests, not redundant duties

GDPR protects the rights and freedoms of natural persons whose personal data is processed. NIS 2 protects the operational continuity of the systems on which essential and important entities depend. The security measures overlap because both regimes need the same kind of controls. The duties do not become redundant. A ransomware attack that locks up a hospital's patient record system is a personal data breach under Article 33 GDPR (loss of availability is a breach under Article 4(12)) and, given the service disruption, a significant incident under Article 23 NIS 2. Both files have to be opened.

Authorities cooperate, filings do not merge

Article 35 NIS 2 obliges competent authorities under NIS 2 to inform the data protection supervisory authorities without undue delay when an infringement of Articles 21 or 23 can entail a personal data breach, and Article 31 NIS 2 carries the general duty to cooperate with them. They share information, they may coordinate their handling. They do not run one combined investigation and they do not issue one combined decision. The one thing that does not double is the fine: under Article 35(2) NIS 2, once the data protection authority has fined the conduct under Article 58(2)(i) GDPR, the NIS 2 authority shall not fine the same conduct again. The entity still files twice, on two different clocks, with two different sets of facts the authorities care about.

Who supervises what
Two authority families per member state. The NIS 2 competent authority on one side. The data protection supervisory authority on the other. EU coordination sits one layer up.
Germany

BSI (NIS 2 competent authority)

The BSI runs the NIS 2 supervisory cycle in Germany and is both CSIRT and competent authority for it. §30 BSIG measures, §32 BSIG incident reporting, §33 BSIG registration. The BSI is the recipient of the 24h / 72h / one month cascade. It does not review your Article 32 GDPR file and it does not coordinate your data subject notification under Article 34 GDPR.

Germany

BfDI and the Land authorities (LfDI)

Data protection supervision is split. The BfDI handles federal bodies, post and telecoms operators and some other regulated areas. Each Land has its own data protection authority (LfDI Baden-Württemberg, LDI NRW, BlnBDI Berlin and so on) for everyone else. The data protection authority is the recipient of the Article 33 GDPR notification and the addressee for fines under Article 83 GDPR.

EU-wide

ENISA and the European Data Protection Board

ENISA supports the cybersecurity layer across member states under the NIS 2 framework (secretariat of the CSIRTs network and the Cooperation Group, guidance on the Article 21 measures and on incident reporting). The European Data Protection Board (EDPB) coordinates the data protection layer under the GDPR and issues the guidelines on Article 33 and Article 34 GDPR. Neither body supervises an entity directly; that stays with the national authorities. The two strands do not merge into one EU instrument.

Other member states

RDI and Autoriteit Persoonsgegevens (Netherlands)

The Dutch split mirrors the German one. The Rijksinspectie Digitale Infrastructuur (RDI) and sector-specific competent authorities handle the NIS 2 track. The Autoriteit Persoonsgegevens (AP) handles the GDPR track. Belgium, France, Austria run a similar pattern. The two-authority structure is the default across the EU.

Three traps we see on overlap calls
Three assumptions that produce gaps a supervisor or auditor will catch. All three come from treating the two regimes as one.
  • We are GDPR-compliant, so NIS 2 is covered too.

    GDPR covers personal data. NIS 2 covers network and information systems independently of whether personal data is involved. Plant control systems, OT, an outage that does not touch personal data at all are still NIS 2 incidents. A clean GDPR file neither submits your §32 BSIG notification nor satisfies §30 BSIG for systems that hold no personal data.

  • We are NIS 2-compliant, so GDPR is covered too.

    NIS 2 secures systems. GDPR secures the rights and freedoms of the people whose personal data those systems process. A well-built §30 BSIG control set still has to be documented in the Article 32 GDPR file, the records of processing activities under Article 30 GDPR, the data protection impact assessments under Article 35 GDPR. The BfDI or LfDI reads its own legal basis, not the BSIG.

  • One incident, one report. We file with the BSI and we are done.

    An incident that affects personal data triggers both regimes. Article 33 GDPR runs to the data protection authority on its 72-hour clock. Article 23 NIS 2 runs to the BSI on the 24h / 72h / one month cascade. The thresholds are not identical and the recipients are not the same. You open two files in parallel, with cross-references, not one merged filing.

How a mid-sized operator actually runs this

One control set, two reporting playbooks. A typical 200-person essential entity does not maintain two separate technical and organisational measures catalogues. The same access control policy, the same encryption standard, the same incident response procedure show up in the Article 32 GDPR file and in the §30 BSIG file with different cover pages. The work happens once. The cited legal basis differs.

Where the two regimes diverge is the reporting drill. The incident response runbook has to ask three questions in the first hour: is there a personal data breach in the Article 4(12) GDPR sense, is there a significant incident in the Article 23(3) NIS 2 sense, are both. If the answer is both, two parallel timers start from the same moment of awareness: 72 hours to the data protection authority, and 24 hours, 72 hours and then one month after the incident notification to the BSI. The data protection officer and the CISO open separate files, share facts, do not consolidate the filings. The clean version of this runbook fits on one page.
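The first-hour drill above, as an added example that is not part of the original page or of the platform it describes: a small Python model that turns the two answers (personal data breach? significant incident?) into the list of filings with their deadlines, using the German recipients named on this page. The recipient strings, the `Filing` type and the function names are this example's own; the clocks are the ones the page cites (Article 33 GDPR, Article 23(4) NIS 2 / §32 BSIG). It handles two edge cases the paragraph only implies: the final report is due one month after the incident notification, not after awareness, so until that notification is actually sent the planning bound is the 72-hour deadline plus one month; and "one month" is taken as a calendar month clamped to the end of the target month.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Recipients follow the German mapping on this page (assumption: adjust per member state).
GDPR_AUTHORITY = "data protection supervisory authority (BfDI or LfDI)"
NIS2_AUTHORITY = "BSI (CSIRT and competent authority, §32 BSIG)"


@dataclass(frozen=True)
class Filing:
    regime: str                   # "GDPR" or "NIS 2"
    legal_basis: str
    recipient: str
    label: str
    deadline: Optional[datetime]  # None = "without undue delay", no fixed clock


def one_month_after(t: datetime) -> datetime:
    """Calendar month after t, clamped to the last day of the target month
    (31 Jan -> 28/29 Feb). Interpretation of 'one month' in Art. 23(4)(d)."""
    year = t.year + (1 if t.month == 12 else 0)
    month = 1 if t.month == 12 else t.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return t.replace(year=year, month=month, day=min(t.day, last_day))


def triage(aware_at: datetime,
           personal_data_breach: bool,
           significant_incident: bool,
           high_risk_to_data_subjects: bool = False,
           notification_submitted_at: Optional[datetime] = None) -> List[Filing]:
    """The three first-hour questions turned into a deadline list.

    aware_at: moment the entity became aware; both clocks start here. Must be tz-aware.
    personal_data_breach: Art. 4(12) GDPR test answered yes.
    significant_incident: Art. 23(3) NIS 2 test answered yes.
    high_risk_to_data_subjects: Art. 34 GDPR threshold for informing data subjects.
    notification_submitted_at: when the 72h NIS 2 incident notification actually went
        out; until then the final-report bound is computed from the 72h deadline.
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; deadline disputes turn on the clock")
    filings: List[Filing] = []
    if personal_data_breach:
        filings.append(Filing("GDPR", "Art. 33 GDPR", GDPR_AUTHORITY,
                              "personal data breach notification",
                              aware_at + timedelta(hours=72)))
        if high_risk_to_data_subjects:
            filings.append(Filing("GDPR", "Art. 34 GDPR", "affected data subjects",
                                  "communication to data subjects", None))
    if significant_incident:
        notification_due = aware_at + timedelta(hours=72)
        # Art. 23(4)(d): one month after the incident notification under point (b).
        final_anchor = notification_submitted_at or notification_due
        filings += [
            Filing("NIS 2", "Art. 23(4)(a) NIS 2 / §32 BSIG", NIS2_AUTHORITY,
                   "early warning", aware_at + timedelta(hours=24)),
            Filing("NIS 2", "Art. 23(4)(b) NIS 2 / §32 BSIG", NIS2_AUTHORITY,
                   "incident notification", notification_due),
            Filing("NIS 2", "Art. 23(4)(d) NIS 2 / §32 BSIG", NIS2_AUTHORITY,
                   "final report", one_month_after(final_anchor)),
        ]
    # Fixed clocks first, earliest deadline first; undated duties at the end.
    return sorted(filings, key=lambda f: (f.deadline is None, f.deadline or aware_at, f.regime))


def overdue(filings: List[Filing], now: datetime) -> List[Filing]:
    """Filings with a fixed deadline that has already passed at `now`."""
    return [f for f in filings if f.deadline is not None and now > f.deadline]


if __name__ == "__main__":
    # Constructed example: awareness at 10:00 UTC on 31 January 2025, both regimes triggered.
    aware = datetime(2025, 1, 31, 10, 0, tzinfo=timezone.utc)
    for f in triage(aware, personal_data_breach=True, significant_incident=True):
        due = f.deadline.isoformat() if f.deadline else "without undue delay"
        print(f"{f.regime:6} {f.label:34} {f.legal_basis:32} -> {due}")
```

Run on the constructed date the list comes out as: early warning 1 Feb 10:00, GDPR notice and NIS 2 incident notification both 3 Feb 10:00, final report 3 March 10:00. The two 72-hour entries landing on the same timestamp is the point: same clock length, different recipient, different form, and the tool keeps them as two rows rather than one.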

How we handle this on the platform

The platform models the NIS 2 obligation register: registration under Article 3(4) and, for the digital entity types it covers, Article 27; risk management measures under Article 21; incident reporting under Article 23; management training under Article 20. It does not model the GDPR records of processing and it does not run your data protection impact assessments. Those stay in your data protection tooling, run by your data protection officer, supervised by your data protection authority.

Where the two regimes share evidence (technical and organisational measures, supplier security clauses, training records) we expose those as exportable artefacts you can attach to your Article 32 GDPR file as well. The §32 BSIG incident cascade has its own workflow on the platform. The Article 33 GDPR notification stays where it has always lived, in your data protection breach register.

Sources
  • Regulation (EU) 2016/679 (GDPR), Articles 4(12), 32, 33, 34, 83 — eur-lex.europa.eu/eli/reg/2016/679/oj
  • Directive (EU) 2022/2555 (NIS 2), Articles 3, 20, 21, 23, 27, 31, 35 and Recital 14 — eur-lex.europa.eu/eli/dir/2022/2555/oj
  • BSI Act (BSIG), §30, §32 and §33 as amended by the NIS 2 Implementation and Cybersecurity Strengthening Act (NIS2UmsuCG) — gesetze-im-internet.de/bsig_2009
  • European Data Protection Board, Guidelines 9/2022 on personal data breach notification — edpb.europa.eu
  • ENISA, Technical Implementation Guidance on Article 21 NIS 2 measures — enisa.europa.eu
Run the NIS 2 obligation register, keep the GDPR file where it lives
We map the Article 21 measures, the Article 23 cascade and the Article 27 registration. Your data protection officer keeps the Article 32 and Article 33 GDPR file separately. Free, open source, no lock-in.