NIS2 Directive: Mapping the Interplays with the GDPR
This resource maps the interplays between the NIS2 Directive and the GDPR.
Contributors:
Müge Fazlioglu
CIPP/E, CIPP/US
Principal Researcher, Privacy Law and Policy
IAPP
This infographic is part of a series that maps different EU digital laws with the GDPR. The full series can be accessed here.
Additional Insights
- NIS2 Directive: 101 (Chart)
- EU Digital Laws Report
- European Strategy for Data Overview (Chart Series)
The NIS2 Directive (Directive (EU) 2022/2555) is EU-wide cybersecurity legislation that aims to further improve the resilience of public and private entities against cybersecurity threats and disruptions of network and information systems.
The Network and Information Security Directive 2 and the GDPR intersect across numerous domains, including incident reporting and transparency requirements around personal data breaches, processing of personal data to ensure the security of network and information systems, and the use of artificial intelligence and other innovative technologies that rely on processing personal data to prevent cyberattacks. In particular, many obligations applicable to essential and important entities, and to other entities within the scope of NIS2, may require the processing of personal data. Such processing must be carried out in a way that accords with the protections provided by the GDPR.
This resource maps interplays between the NIS2 Directive and the GDPR.
NIS2 Directive and GDPR interplay mapping
NIS2 Directive
- Articles 23(1-2), 23(5-9), 29(1), 30(1-2) and 35(1)
Upon becoming aware of a significant incident or a significant cyber threat, essential and important entities must notify the CSIRT or competent authority and, where appropriate, inform recipients of their services; notification of near misses and of other incidents by these and other entities is voluntary under Article 30. Competent authorities may inform the public, may involve law enforcement, and must inform other competent authorities (e.g., data protection authorities) where an incident involves a personal data breach.
GDPR
- Articles 4(12), 33(1), 33(2), 34(1) and 34(4)
Upon becoming aware of a personal data breach, processors must inform controllers without undue delay; controllers must notify the supervisory authority without undue delay and, where feasible, within 72 hours, and must communicate the breach to data subjects without undue delay where it is likely to result in a high risk to their rights and freedoms.
NIS2 Directive
- Article 21 and Recital 121
Essential and important entities may need to process personal data for the purpose of ensuring the security of network and information systems.
GDPR
- Articles 6(1)(c), 6(1)(e), 6(1)(f) and 6(3)
Such processing by essential and important entities may be necessary for compliance with a legal obligation within the meaning of GDPR Article 6(1)(c), or for the performance of a task carried out in the public interest or in the exercise of official authority under Article 6(1)(e) (in both cases the basis must be laid down in Union or Member State law, per Article 6(3)), and/or may be necessary for the purposes of legitimate interests pursuant to Article 6(1)(f).
NIS2 Directive
- Articles 21 and 29 and Recital 51
The use of AI and other innovative technologies to improve the detection and prevention of cyberattacks should comply with the data protection principles of data accuracy, data minimization, fairness, transparency, data security and data protection by design and by default.
GDPR
- Article 25
Controllers must establish appropriate technical and organizational measures to ensure that, by default, processing is limited to that personal data which is necessary for each specific purpose.
NIS2 Directive
- Article 28 and Recital 109
Top-level domain name registries and entities providing domain name registration services may need to process personal data to collect, verify and provide lawful access to WHOIS data.
GDPR
- Article 6(1)(c)
Such processing may be necessary for compliance with a legal obligation within the meaning of GDPR Article 6(1)(c).
NIS2 Directive
- Article 10(7-8) and Recital 45
When exchanging personal data with computer security incident response teams or competent authorities of third countries for the purpose of international cooperation, CSIRTs must adhere to the GDPR's protections for international transfers of personal data.
GDPR
- Article 49
GDPR Article 49 establishes the conditions for when transfers of personal data to third countries or international organizations may occur in the absence of an adequacy decision.