CLVPartners

Cybersecurity

Data and Information Security: The Relationship Between GDPR and NIS2


With the rise of digitalization and data-driven decision-making, the volume of sensitive information has grown, and with it the associated cyber risk. A regulatory framework has therefore become necessary to set out expectations, responsibilities, and approaches suited to the technological environment. Its two main pillars are Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 (the general EU cybersecurity directive, hereinafter: “NIS2 Directive”), implemented in Hungary through Act LXIX of 2024 on Cybersecurity (“Cybersecurity Act”), and Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (“GDPR”), which ensures data protection compliance.

The NIS2 Directive, the resulting national cybersecurity regulations, and GDPR apply different perspectives; however, the affected areas often overlap in practice, particularly in electronic information systems that process personal data. Therefore, aligning the requirements of these two regulatory frameworks is essential for the lawful and secure operation of the affected organizations. This article outlines the relationship between the NIS2 Directive and national regulations with GDPR, their overlaps, conflicts, and practical resolutions.

Scope of NIS2 and GDPR: Dual obligations

The GDPR applies to all organizations that qualify as data controllers, meaning they determine the purposes and means of processing personal data either independently or jointly with others. The scope of NIS2 is determined based on a complex set of criteria, which may include various enterprises depending on their activities, size, and revenue. Consequently, if an entity falls under both NIS2 and GDPR, it must comply with the rules of both frameworks simultaneously. For example, a medium- or large-sized company in the manufacturing sector may be subject to cybersecurity regulations based on its activities and size, and in the course of its activities, it typically processes at least employee and supplier data as a data controller, thus requiring the application of both the GDPR and NIS2 provisions.

In practice, electronic information systems often process personal data, such as HR systems or customer databases. In the event of an incident, both GDPR and NIS2 impose obligations on the organization. A data protection incident involves a breach of security that results in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data, whereas a cybersecurity incident refers to an event that threatens the availability, integrity, or confidentiality of data stored, transmitted, or processed in electronic information systems, or the services provided or accessible through such systems. Therefore, if a cybersecurity incident involves personal data—for example, data loss or leakage due to a phishing email or a ransomware attack—it simultaneously constitutes a data protection incident. Consequently, incident handling must comply with both regulations, and notifications to the competent authorities must be made when conditions are met. For this purpose, it is advisable to establish an internal procedure that accounts for the obligations required by both frameworks.

Proper classification of incidents is particularly important, as different types of incidents carry distinct notification obligations, content requirements, and deadlines. In the case of a data protection incident, the organization must first assess whether the event poses a risk to the rights and freedoms of natural persons. If such a risk is likely, the incident must be reported to the National Authority for Data Protection and Freedom of Information within 72 hours, and, in the case of high risk, the affected individuals must also be notified. Cybersecurity incidents, on the other hand, follow a different procedure: the organization must report the incident within 24 hours based on the information available, submit a detailed report within 72 hours, and, after completing the investigation, submit a final report to the national cybersecurity incident handling center within 30 days. Since GDPR and the cybersecurity rules define incidents and the related obligations differently, situations may arise where an event qualifies as a cybersecurity incident but does not require a data protection incident report.

The practical significance of dual compliance is illustrated by a medium- or large-sized company engaged in “other machinery manufacturing,” which falls under the scope of the NIS2 Directive. If the company suffers an incident as a result of which the attacker gains unauthorized access to a server containing employees’ personal data, the event must be assessed not only from a data protection perspective but also under the Cybersecurity Act. According to the law, any threat, near-incident, or actual incident—including operational cybersecurity incidents—that causes severe disruption or financial loss to the organization or significant material or immaterial harm to others must be reported without undue delay, but no later than 24 hours, to the competent cybersecurity incident handling center. This example highlights that organizations must comply with both legal frameworks simultaneously and design incident handling accordingly.

Aligning processes at the documentation and operational levels

If an organization falls under both GDPR and cybersecurity regulations, the documentation and operational processes required by both frameworks must be aligned for dual compliance. GDPR requires that the organization maintain a data protection policy, provide a privacy notice to data subjects, and, in some cases, conduct a data protection impact assessment. Similarly, cybersecurity rules require the establishment of an information security policy. In addition, both frameworks require regulation of incident management processes and training to raise awareness among relevant staff.

The organization’s leadership is responsible for complying with NIS2 and GDPR requirements, while the data protection officer and the professional responsible for the security of electronic information systems play a key role in ensuring compliance. To avoid parallel, isolated processes, it is essential for information security and data protection officers to collaborate actively on a daily basis. Aligning the requirements of both frameworks is not merely an administrative task: its significance lies in the fact that both areas rely on the same information systems, data flows, and risks, even if they examine them from different perspectives. When an organization designs its processes in a unified, coherent manner, overlaps can be avoided, error risks reduced, and both cybersecurity and data protection requirements can be ensured. Incident management processes should be designed to ensure that any potential event is handled in a way that fulfills the obligations of both frameworks. This approach is not only resource-efficient but also strengthens legal compliance, system security, and the trust of clients, partners, and employees.

NIS2 and GDPR serve different purposes and approach the same events differently. GDPR’s primary objective is to protect the rights and freedoms of natural persons, whereas NIS2 focuses on strengthening information system security, safeguarding service continuity, and increasing resilience against cyber threats. Accordingly, the two frameworks impose different expectations on organizations: GDPR emphasizes data minimization and purpose limitation, while NIS2 specifically requires detailed logging, continuous monitoring, and retention of log files. This often results in NIS2 compliance requiring the storage of large volumes of technically processed personal data, which must be handled carefully from a data protection perspective.

Apparent conflicts between the two regulations can be resolved in practice through a coordinated approach. One key step is integrating information security risk assessments with GDPR data protection impact assessments, as both assess the same systems, data flows, and risk factors from different perspectives. Equally important is designing internal policies that simultaneously comply with mandatory cybersecurity measures and GDPR provisions.

Both NIS2 and GDPR require that organizations properly train all personnel who have access to information systems or process personal data. Therefore, it is advisable to align the strategic planning and content of training programs, considering risk assessment results, previous incidents, regulatory changes, and the professional opinions of the organization’s security experts. True alignment between the two regulatory areas is important not only for legal compliance but also for operational security, risk reduction, and maintaining internal and external trust.

Conclusion

GDPR and the NIS2 Directive serve different purposes but converge on many points regarding information security requirements. Dual compliance therefore requires careful alignment: interpreting the regulations consistently and integrating related procedures can ensure that an organization meets the expectations of both frameworks simultaneously. Coherent revision of professional documentation and operational processes, coordination of internal responsibilities, and alignment of regular training and audits facilitate achieving both GDPR data protection and NIS2 cybersecurity goals. Compliance with these requirements strengthens the organization’s information security and data protection resilience, meeting the relevant EU and national legal obligations.

Photo source: pexels.com, Kevin Ku


Cybersecurity – new regulations, new tasks

On January 1 this year, Act LXIX of 2024 on cybersecurity in Hungary (the “Cybersecurity Act”) came into force. It was adopted in accordance with Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (“NIS2 Directive”), which aims to mitigate threats to electronic information systems arising in the information society and to ensure the continuity of services in key sectors. The Cybersecurity Act and related legislation impose strict requirements and provide for serious legal consequences in the event of non-compliance.

As we support many companies in preparing for compliance with the NIS2 Directive and the Cybersecurity Act, the purpose of this article is to draw the attention of all potentially affected companies to the provisions of the Cybersecurity Act that will become relevant in the near future, namely the obligations and deadlines related to contracting and conducting cybersecurity audits.

Scope of affected organizations

The Cybersecurity Act broadly defines the organizations that are required to monitor the security of their electronic systems and audit them. Private sector companies that reach a certain size and engage in activities classified as high-risk or risky fall into this category, as follows:

  • In terms of size, the companies concerned are those that qualify as medium-sized enterprises or exceed the thresholds set for medium-sized enterprises, i.e. those with a total workforce of more than 50 and an annual net turnover or balance sheet total exceeding the equivalent of EUR 10 million in Hungarian forints.
  • The condition relating to the scope of activity is that the enterprises operate in (highly) risky sectors, such as healthcare, telecommunications services, digital infrastructure (cloud service providers, data center service providers), food production, processing and distribution, computers, electronics, optical product manufacturing, or machinery and equipment manufacturing.

If it is unclear whether the obligations under the regulation apply to a given company, it is recommended to clarify this as soon as possible by reviewing the legislation.

Cybersecurity obligations

  • Audit contract:

The current obligation of the enterprises concerned is to conclude a contract with an independent economic operator, registered by the Supervisory Authority for Regulatory Affairs of Hungary (SZTFH) and authorized to perform cybersecurity audits, in order to verify the cybersecurity of their electronic systems. The SZTFH is already sending out notifications to potentially affected parties, requiring them to provide proof of the conclusion of such a contract by September 15, 2025. Failure to comply with this obligation may result in a fine of between HUF 1 million and HUF 15 million being imposed on the company.

  • Cybersecurity audit:

Following the conclusion of the contract with the auditor, a cybersecurity audit must be carried out by June 30, 2026, during which the security classification of electronic information systems and the adequacy of protective measures according to the security classification will be checked. Failure to perform the audit may result in severe penalties, including fines of up to 2% of the previous year’s turnover, but at least HUF 1 million and up to HUF 150 million.

A cybersecurity audit may take longer depending on the size of the business and the technological and organizational complexity of its activities. For this reason, it is advisable to plan the timing and schedule of the review in advance so that the process not only serves the purpose of compliance, but also actually identifies areas where further action or deficiencies may exist. Examples include reviewing data protection compliance, updating information security policies, or fine-tuning risk management procedures.

The importance of compliance

Due to stricter cybersecurity regulations and the risk of high fines, compliance is not only a legal obligation but also a key business interest. The benefits include:

  • Reduced financial and reputational risk;
  • Strengthened cybersecurity protection and digital stability for the business;
  • With the right contract, the content, schedule, and definition of tasks and responsibilities of the audit become predictable;
  • At the same time, data protection aspects can be reviewed and, if necessary, data protection impact assessment documents can be revised, thus fulfilling the expectation of the NAIH (the National Authority for Data Protection and Freedom of Information) regarding compliance with the principle of accountability.

Image source: Brian Penny, pixabay.com

