Understanding the relationships between GDPR and NIS2
NIS2 and the GDPR are distinct but overlapping regimes, so it is important to understand how the two relate to each other.
Risk-based security measures
Both include the classic information security concept of confidentiality, integrity and availability when analysing risks. To mitigate risk, it is necessary to carry out a risk analysis and apply appropriate measures to guarantee the security of data processing (Article 32 GDPR) and manage the risks posed to the security of networks and information systems (Article 21 NIS2).
Detecting, managing, and mitigating security incidents/personal data breaches
It is entirely possible that a NIS2 incident could be, or become, a personal data breach as defined by the GDPR:
- Firstly, although NIS concerns "digital data" related to the operation, use and maintenance of IT systems, this data could include personal information of customers or employees, depending on circumstances. This could mean that the NIS incident would simultaneously be a personal data breach.
- Secondly, a NIS incident can lead to a personal data breach - for example, when a cyber attacker has carried out an initial attack on a service and subsequently compromises the personal data that the service processes, such as customer information.
Incident notifications (whom to report to?)
- Depending on the context, the organization may have to report an incident to both the "competent authorities or the single points of contact" (under the NIS2) and the "control authority" (under the GDPR) if personal data has also been compromised.
- It will be imperative to make both notifications without undue delay and within 72 hours of becoming aware, whenever possible.
Application of fines
- You may be subject to regulatory measures under both the GDPR and NIS2. However, any action could relate to different aspects of the incident and to potential offences against each specific law. The "control authority" (under the GDPR) works in collaboration with the "competent authorities or the single points of contact" (under NIS2), so it seems that they adopt a common approach in these cases.
Cyber threats
Cyber threats (such as phishing or ransomware) generate security incidents. These are on the increase and constitute a major threat:
- to the functioning of networks and information systems or the interruption of the operation of systems: scope of the NIS2
- if personal data is compromised (possible personal data breaches resulting from incidents): scope of the GDPR