NIS2 vs GDPR for Tech Companies: Key Differences and Where They Overlap
Tech companies often face both NIS2 and GDPR simultaneously. This guide explains the key differences in scope, obligations, and enforcement — and where compliance programs can be combined.
GDPR and NIS2 are two of the most significant EU regulations affecting technology companies — and they are frequently confused, conflated, or addressed independently when they should be addressed together. Understanding the core difference, where they diverge, and where they overlap is foundational to building an efficient compliance programme.
The Core Difference
GDPR (Regulation 2016/679) protects personal data — its confidentiality, integrity, and availability, and the rights of individuals whose data is processed. Every organisation processing EU personal data is subject to GDPR.
NIS2 (Directive 2022/2555, transposed into national law by October 2024) protects the operational security of networks and information systems — ensuring essential services remain available and resilient against cyber threats. NIS2 applies only to entities in specified sectors and above certain size thresholds.
The objectives are different. GDPR is fundamentally about individual rights and data governance. NIS2 is fundamentally about operational resilience and societal continuity. The same security team typically handles both — which is why a unified approach matters.
Who Faces Both?
Any tech company processing EU personal data faces GDPR. Whether they also face NIS2 depends on sector and size.
Tech companies most likely to face both:
- Managed service providers (MSPs) and managed security service providers (MSSPs) — explicitly listed in NIS2 Annex II as "important entities"
- Cloud service providers — listed in NIS2 Annex II
- Data centre service providers — listed in NIS2 Annex II
- Content delivery network providers — listed in NIS2 Annex II
- DNS service providers, TLD registries, domain registration services — listed in NIS2 Annex II
- Online marketplaces, online search engines, social networking platforms — listed in NIS2 Annex II
Medium and large entities (≥50 employees or >€10M turnover) in these categories are covered. Micro and small enterprises are generally excluded unless they are the sole provider of a service critical to societal or economic activity in a Member State.
Comparison: GDPR vs NIS2
| Dimension | GDPR | NIS2 |
|-----------|------|------|
| What's protected | Personal data | Networks and information systems |
| Scope | Any organisation processing EU personal data | Specific sectors, medium/large entities only |
| Legal basis | EU Regulation (directly applicable) | EU Directive (transposed into national law) |
| Supervisory authority | Data Protection Authority | National NIS authority (e.g. BSI in Germany, ANSSI in France) |
| Breach notification | 72 hours to DPA | 24h early warning; 72h to national CSIRT; 1 month final |
| Max fine | €20M or 4% of global annual turnover | €10M or 2% (important entities); €7M or 1.4% (essential entities — reversed) |
| Security measures | Art. 32: principles-based ("appropriate technical and organisational measures") | Art. 21: prescriptive list of 10 specific measure categories |
Breach Notification: Running in Parallel
For a tech company that is both a GDPR controller and a NIS2-covered entity, a cybersecurity incident involving personal data triggers parallel notification obligations:
- GDPR Art. 33: Notify the DPA within 72 hours of becoming aware of a personal data breach (if it is likely to result in a risk to natural persons)
- NIS2 Art. 23: Early warning to national CSIRT/authority within 24 hours; incident notification within 72 hours; final report within 1 month
If a ransomware attack compromises systems and personal data simultaneously, both clocks start. Incident response processes must be designed to handle both notification threads simultaneously, with appropriate escalation paths to both the DPA and the national NIS authority.
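As an added illustration of the two parallel clocks described above (this is example code, not part of the original article or any EuroComply tooling), the Python sketch below builds a combined notification schedule from a single moment of awareness. It assumes that the NIS2 "significant incident" judgement and the GDPR "risk to natural persons" judgement have already been made by the incident lead and are passed in as booleans, and it treats the NIS2 "1 month" final report as one calendar month with the day clamped to the end of a shorter month. The sample incident is constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Incident:
    detected_at: datetime          # moment of awareness; both clocks start here
    personal_data_affected: bool   # does the incident touch personal data at all?
    risk_to_individuals: bool      # GDPR Art. 33 threshold (assumed decided by IR lead)
    nis2_covered_entity: bool      # Annex I/II sector and above the size threshold
    significant_incident: bool     # NIS2 Art. 23 threshold (assumed decided by IR lead)


@dataclass(frozen=True)
class Deadline:
    regime: str      # "NIS2" or "GDPR"
    step: str        # which notification this is
    recipient: str   # who receives it
    due_at: datetime


def add_month(dt: datetime) -> datetime:
    """One calendar month later, clamping the day (31 Jan -> 28/29 Feb).
    Assumption: the page's '1 month' is read as a calendar month."""
    year = dt.year + dt.month // 12
    month = dt.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


def plan_notifications(incident: Incident) -> list[Deadline]:
    """Return every notification the incident triggers, earliest first.

    NIS2 Art. 23: 24h early warning, 72h incident notification, 1 month final report.
    GDPR Art. 33: 72h notification to the DPA when the breach is likely to pose a risk.
    Both clocks start at the same moment of awareness.
    """
    t0 = incident.detected_at
    deadlines: list[Deadline] = []

    if incident.nis2_covered_entity and incident.significant_incident:
        deadlines += [
            Deadline("NIS2", "early warning", "national CSIRT", t0 + timedelta(hours=24)),
            Deadline("NIS2", "incident notification", "national CSIRT", t0 + timedelta(hours=72)),
            Deadline("NIS2", "final report", "national CSIRT", add_month(t0)),
        ]

    if incident.personal_data_affected and incident.risk_to_individuals:
        deadlines.append(
            Deadline("GDPR", "breach notification", "DPA", t0 + timedelta(hours=72))
        )

    # Stable sort: items sharing a due time keep their insertion order.
    return sorted(deadlines, key=lambda d: d.due_at)


def overdue(deadlines: list[Deadline], now: datetime) -> list[tuple[str, str]]:
    """(regime, step) pairs whose due time has already passed at `now`."""
    return [(d.regime, d.step) for d in deadlines if d.due_at <= now]


# Constructed sample: a cloud provider (NIS2 Annex II) hit by ransomware that also
# exfiltrated customer personal data, detected on 15 March 2026 at 10:00 UTC.
SAMPLE_INCIDENT = Incident(
    detected_at=datetime(2026, 3, 15, 10, 0, tzinfo=timezone.utc),
    personal_data_affected=True,
    risk_to_individuals=True,
    nis2_covered_entity=True,
    significant_incident=True,
)

if __name__ == "__main__":
    for d in plan_notifications(SAMPLE_INCIDENT):
        print(f"{d.due_at.isoformat()}  {d.regime:<5} {d.step:<22} -> {d.recipient}")
```

Running the block prints four lines for the sample: the NIS2 early warning after 24 hours, then the NIS2 incident notification and the GDPR notification side by side at 72 hours, then the NIS2 final report a month later. Changing `nis2_covered_entity` to `False` (the small SaaS case) leaves only the GDPR entry, which is the point of keeping applicability decisions explicit rather than buried in the playbook text.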
Security Measures: NIS2 Art. 21 Covers More Ground Than GDPR Art. 32
GDPR Art. 32 requires "appropriate technical and organisational measures" — a principle-based standard calibrated to risk. NIS2 Art. 21 specifies 10 required measure categories:
- Risk analysis and information security policies
- Incident handling
- Business continuity and crisis management
- Supply chain security (security in supplier and service provider relationships)
- Security in network and information systems acquisition, development, and maintenance — including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity measures
- Basic cyber hygiene practices and cybersecurity training
- Policies on use of cryptography and encryption
- Human resources security, access control policies, and asset management
- Use of multi-factor authentication and secure communications
A security programme that satisfies NIS2 Art. 21 in full largely satisfies GDPR Art. 32 for the same systems — the NIS2 requirements are more prescriptive and demanding. However, GDPR Art. 32 also covers the security of personal data specifically, including pseudonymisation, ongoing confidentiality testing, and processes to restore availability after incidents. These are not entirely subsumed by NIS2.
Combined Compliance Opportunities
Where both apply, the following can be addressed jointly:
- Incident response procedures — a single playbook with GDPR notification appendix (DPA, 72h) and NIS2 notification appendix (CSIRT, 24h/72h/1 month)
- Security documentation — a single information security policy library that references both Art. 32 GDPR and Art. 21 NIS2 requirements
- Vendor risk management — GDPR requires Data Processing Agreements with processors (Art. 28); NIS2 requires supply chain security measures (Art. 21(3)(d)). A unified vendor security assessment covers both
- Training — cyber hygiene training (NIS2 Art. 21(2)(g)) combined with GDPR data protection training for staff
- Audit and review — annual security effectiveness reviews satisfy NIS2's requirement for policies and procedures to assess effectiveness, and provide evidence of GDPR Art. 32 ongoing review
Practical Table: Which Applies, and What to Prioritise
| Company Type | GDPR | NIS2 | Priority Actions |
|--------------|------|------|------------------|
| SaaS startup, <50 employees, no special category data | Yes | Likely not yet | GDPR: ROPA, lawful bases, privacy policy, Art. 32 security review |
| Cloud infrastructure provider, 100 employees | Yes | Yes (Annex II) | Both: implement Art. 21 measures; build dual notification workflow; DPA + CSIRT registration |
| Payment processor, >250 employees | Yes | Possibly (financial sector — check NIS2/DORA overlap) | GDPR + assess DORA applicability; if DORA applies, it is lex specialis for ICT risk |
| Healthcare IT system vendor, 75 employees | Yes | Yes (if healthcare sector, essential entity) | Both: prioritise Art. 21 supply chain security; GDPR DPIA for health data; management body accountability under NIS2 |
Last updated: April 2026. For informational purposes only — not legal advice.
Frequently Asked Questions
Can a single incident trigger both NIS2 and GDPR reporting obligations?
Yes, and this is common for tech companies. A ransomware attack that encrypts systems and exfiltrates personal data triggers NIS2 Article 23 (early warning to national CSIRT within 24 hours, incident notification within 72 hours) and GDPR Article 33 (notification to the DPA within 72 hours if the breach poses a risk to individuals). Both clocks start from the moment of awareness. The notifications go to different authorities — the national CSIRT or NIS competent authority for NIS2, and the national DPA for GDPR — and must be prepared in parallel with different content requirements.
Is NIS2 cybersecurity documentation enough to satisfy GDPR Article 32?
A security programme that fully implements NIS2 Article 21's ten measure categories will largely satisfy GDPR Article 32 for the same systems, because NIS2 is more prescriptive and demanding. However, GDPR Article 32 focuses specifically on protecting personal data — it requires pseudonymisation where appropriate, ongoing testing of the confidentiality, integrity, and availability of processing systems, and procedures to restore access to personal data after an incident. These personal-data-specific requirements are not entirely covered by NIS2 and must be addressed separately in your GDPR security documentation.
Do NIS2 and GDPR have the same penalty thresholds?
No. GDPR fines reach up to €20 million or 4% of global annual turnover, whichever is higher, for the most serious infringements. NIS2 fines are lower: up to €10 million or 2% of global annual turnover for important entities, and up to €7 million or 1.4% for essential entities. Enforcement approaches also differ — GDPR fines are issued by DPAs based on investigation of data protection failures, while NIS2 penalties are issued by national NIS authorities and may include orders to implement specific security measures, temporary prohibitions on management functions, and public disclosure of non-compliance.
Sources
- Directive (EU) 2022/2555 — NIS2 Directive — Full text of NIS2, including Article 21 (security measures), Article 23 (incident reporting), and Annex II (covered entity categories).
- Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR) — Full text of the GDPR, including Article 32 (security of processing) and Article 33 (breach notification to supervisory authority).
- ENISA — NIS2 Implementation Guidance for Operators — ENISA guidance on transposing NIS2 obligations and implementing Article 21 security measure categories.
- European Commission — NIS2 Directive overview and national transposition tracker — Commission overview of NIS2 scope, national transposition status, and key obligations for covered entities.
EuroComply Editorial Team
EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.