Read our latest insights on digital governance and cybersecurity.

Cybersecurity is no longer merely a technical issue. In the new European regulatory environment, it has become a pillar that structures regulatory compliance itself.

Directive (EU) 2022/2555, known as NIS2, represents the most significant European reform in the field of network and information systems security since Directive (EU) 2016/1148 (NIS1). It marks a turning point for all organisations that depend—directly or indirectly—on digital services, technological infrastructures, or data-driven critical processes.

Although NIS2 is not a legal instrument specifically aimed at the protection of personal data, as is the case with the General Data Protection Regulation (GDPR), its impact on privacy is undeniable. The reason is simple: where cybersecurity obligations increase, so do guarantees for data protection, because security incidents almost always become privacy incidents. Moreover, the Directive emphasises in its recitals that its application does not affect the competences of data protection and privacy supervisory authorities, meaning that both frameworks must coexist and reinforce one another.

In Spain, transposition is still pending. The Draft Law on the Coordination and Governance of Cybersecurity, approved by the Council of Ministers in January 2025, lays the foundations of the future national cybersecurity system and will be the key instrument for implementing NIS2. Although the text must still go through several legislative stages, the European standard already sets the direction: risk management, active supervision, cyber resilience, and strengthened oversight of suppliers.

Security: the regulatory bridge between NIS2 and the GDPR

Both the GDPR and NIS2 are based on the same core principle: security is not an optional requirement or a technical add-on, but an essential legal obligation that must be adapted to the level of risk.

Under the GDPR, Article 32 requires organisations to implement “appropriate technical and organisational measures,” taking into account factors such as the state of the art, the costs of implementation, the nature of the processing, and the risks to individuals’ rights and freedoms. This accountability-based approach requires organisations to anticipate threats, prevent failures, and demonstrate compliance.

NIS2 reinforces and specifies this approach. Article 21 requires essential and important entities to adopt technical, operational, and organisational measures proportionate to risk and lists a minimum set of elements that must be addressed: risk analysis and information security policies, incident management, business continuity and disaster recovery, supply chain security, vulnerability management, encryption policies, cyber hygiene measures and training, multi-factor authentication, access controls, among others.

As a result, any cybersecurity incident that compromises the confidentiality, integrity, or availability of personal data will, in principle, constitute a “personal data breach” within the meaning of the GDPR, even if it is not always subject to notification. For example, if a ransomware attack paralyses a hospital’s systems, the incident will be relevant under NIS2 due to its impact on continuity of care, but it may also constitute a GDPR breach if medical records are encrypted or rendered inaccessible.

In such cases, the data protection authority will assess whether the security measures were appropriate under Article 32 GDPR. It is reasonable to anticipate that NIS2 standards will serve as a relevant benchmark, even where the Directive does not directly apply to the affected entity, as they establish the expected level of diligence at the European level.

More regulated sectors: more security… and more data at stake

One of the most significant changes introduced by NIS2 is the expansion of its scope compared to the framework established by NIS1. Annexes I and II add new essential and important sectors, including, among others: digital infrastructure, energy, transport, banking and financial market infrastructures, healthcare, drinking water and wastewater, public administration, postal and courier services, waste management, critical food sector activities, certain industrial sectors, and digital service providers (such as cloud services, hosting, and certain online platforms).

This expansion has a direct impact on privacy. Many of these sectors process massive volumes of personal data—often highly sensitive—rely on critical systems, or provide services whose unavailability can lead to data breaches and serious harm to users. For example, a public transport company that digitalises its fleet processes geolocation data relating to employees and users; if a cyberattack disrupts the service, the incident affects both operational continuity (NIS2) and personal data protection (GDPR).

Consequently, the larger the regulated digital surface, the greater the obligation to strengthen security, and therefore the greater the protection against incidents that compromise privacy. GDPR compliance will increasingly depend on alignment with the cybersecurity standards set by NIS2, especially for organisations providing essential or important services within the meaning of the Directive.

Incident notification: two frameworks, a single response system

NIS2 establishes a strict, phased, and demanding incident notification regime. Article 23 introduces a three-stage reporting obligation for significant incidents:

  • an early warning within a maximum of 24 hours from when the entity becomes aware of the incident;
  • a more complete notification within a maximum of 72 hours, including an initial assessment of severity, impact, and possible indicators of compromise;
  • a final report within one month of the initial notification, providing a detailed analysis of causes, impact, and remedial measures, with interim reports where necessary.

This system is designed to ensure early detection of significant incidents affecting service continuity or the security of networks and information systems.

The interaction between this notification regime and the GDPR’s breach notification obligations is direct. When personal data are affected, the organisation must assess whether the requirements of Articles 33 and 34 GDPR are met, including notification to the supervisory authority within 72 hours and, where applicable, communication to affected individuals when there is a high risk to their rights and freedoms.

For example, if a school’s cloud service provider suffers a breach that temporarily disables services and exposes student records, the incident may fall under NIS2 for the provider itself, while for the school it will have only GDPR implications. The educational institution must assess the breach under Articles 33 and 34 GDPR, while the provider—if within NIS2 scope—will have its own notification obligations to the competent authority.

This means that cybersecurity, data protection, and business continuity teams must operate under an integrated procedure capable of:

  • assessing the nature and scope of the incident;
  • determining whether it is a NIS2 incident, a GDPR incident, or both;
  • documenting incident management and decisions taken;
  • activating the relevant notifications within the required timeframes;
  • ensuring consistency between communications to the CSIRT or competent NIS2 authority and to the Spanish Data Protection Authority.

Notification thus becomes a core element of compliance. An organisation that cannot demonstrate its ability to detect, report, and respond to incidents will be failing both the spirit of NIS2 and the GDPR’s security and notification obligations.

The supply chain: beyond the GDPR

If there is one area where NIS2 represents a qualitative leap, it is in the regulation of suppliers and the supply chain. The Directive requires essential and important entities to integrate supply chain security into their risk management measures, including relationships with direct ICT product and service providers, and reinforces this approach through coordinated assessments of critical supply chains at EU level.

The GDPR regulates the role of the processor in Article 28 and requires contracts that ensure an adequate level of security and processing in accordance with instructions.

However, NIS2 goes further. It does not limit itself to personal data protection but requires a broader assessment of cybersecurity risks associated with critical products, services, and suppliers, including aspects such as service continuity, technical resilience, and exposure to geopolitical threats.

In practice, organisations will need to:

  • demand enhanced cybersecurity guarantees from suppliers;
  • incorporate NIS2-aligned requirements into procurement and third-party approval processes;
  • periodically verify compliance through audits, reviews, or certifications;
  • be prepared to limit or suspend the use of services that fail to meet minimum security standards.

For example, if an ICT service provider suffers a breach that compromises service availability and the organisation has not adequately assessed the provider’s security level or does not have an up-to-date contract, the authority may conclude that the organisation has failed to exercise the diligence required under the GDPR. In addition, if the provider falls within the scope of NIS2, it must comply with the Directive’s security and notification obligations.

Security therefore ceases to be an exclusively internal matter and becomes a shared responsibility throughout the entire supply chain. Where third-party risk has not been properly managed, the organisation remains responsible for the consequences—including from a GDPR perspective.

What does all this mean for organisations?

The convergence between NIS2 and the GDPR has immediate effects on organisations, even those not yet formally within the scope of the Directive:

  • Security becomes a structural element. It is no longer just about reacting to incidents, but about adopting preventive measures embedded in corporate policies, risk analyses, system design, and business continuity planning.
  • Documentation gains evidentiary value. While the GDPR already required evidence of compliance, NIS2 adds obligations to maintain risk management policies, continuity plans, supplier management procedures, vulnerability management programmes, and records that demonstrate the effectiveness of measures.
  • Teams must coordinate. Incident response can no longer be divided into “IT incidents” and “privacy incidents.” In practice, most incidents are technical and have privacy implications. This requires close coordination between IT, cybersecurity, legal, compliance, and the Data Protection Officer (DPO), with clear protocols and communication channels.

Conclusion: cybersecurity and data protection move forward together

The entry into force of NIS2 marks a profound shift in how security and privacy are understood in Europe. The Directive establishes reinforced obligations that, while not directly regulating the processing of personal data, decisively shape the application of the GDPR—particularly with regard to technical security measures, incident management, and the supply chain.

Security, resilience, and data protection are no longer parallel domains, but part of an integrated compliance system based on risk management and proactive accountability.

Pending Spanish transposition, organisations should prepare now: review their risk assessments, strengthen security measures, align supplier contracts, and adapt incident response procedures. The European model is moving towards a more demanding standard in which security is inseparable from the fundamental right to data protection.

The NIS2 era is not only transforming cybersecurity; it is redefining the very scope of regulatory compliance and the way organisations must demonstrate that they protect the data and services on which our digital lives depend.

EPRODAT — Experts in data protection and privacy compliance