Irish businesses subject to NIS2 are inevitably also subject to GDPR. The two frameworks are separate laws with separate regulators — the NCSC for NIS2, the Data Protection Commission (DPC) for GDPR — but they regulate overlapping terrain: both are about security, both involve incident notification, and a single cyber incident can trigger obligations under both simultaneously.
Understanding how the two frameworks relate — and where they diverge — prevents missed notifications, duplicate effort, and compliance gaps.
The Core Difference
GDPR and NIS2 are solving different problems.
GDPR is fundamentally about personal data. It governs how organisations collect, process, store, and protect information about individuals. Its security requirements exist to protect personal data. Its breach notification obligation is triggered when personal data is compromised.
NIS2 is about operational resilience and the security of networks and information systems. It applies to organisations in designated sectors, regardless of whether personal data is involved. An incident that disrupts an industrial control system with no personal data may still be a NIS2 significant incident. A personal data breach at a small retailer not in scope for NIS2 is a GDPR matter only.
Both frameworks require appropriate security measures. Both require incident notification. But they do so from different angles, with different regulators, and with different triggers and timelines.
Where the Frameworks Align
Risk-Based Security Requirements
Both GDPR and NIS2 require organisations to implement security measures that are appropriate to the risk. Neither prescribes a specific list of mandatory controls — both take a risk-based approach, requiring the organisation to assess its specific risks and implement proportionate measures.
In practice, implementing NIS2-compliant security controls (access management, patch management, encryption, incident response capability, backup procedures, supply chain security) will also satisfy most of GDPR's technical security requirements. This is the most significant alignment: a single, well-designed cybersecurity programme can address both frameworks simultaneously.
Accountability and Documentation
Both frameworks require organisations to demonstrate compliance — not just to be compliant, but to be able to show they are compliant. Under GDPR, this is the accountability principle. Under NIS2, it is the expectation of documented risk management.
Maintaining a register of processing activities, a risk assessment, and records of security controls serves both purposes. These are not separate exercises.
Supply Chain Security
Both GDPR and NIS2 require attention to the security of third parties who have access to your data or systems. Under GDPR, this is the data processor agreement framework — you must have written agreements with any processor handling personal data on your behalf. Under NIS2, it is supply chain security more broadly.
Where your suppliers are also GDPR processors, your NIS2 supply chain risk assessment and your GDPR processor management should be co-ordinated, not run as separate programmes.
Where the Frameworks Diverge
Scope
GDPR applies to virtually any organisation that processes personal data of individuals in the EU. NIS2 applies to organisations in designated sectors — digital infrastructure, energy, transport, healthcare, financial services, and others — above defined size thresholds (50+ employees or €10m+ turnover as a general rule for Important Entities).
Many Irish SMEs are subject to GDPR but not NIS2. Only organisations in NIS2 sectors above the thresholds need to manage both.
Incident Notification: Two Clocks, One Incident
This is where dual-framework compliance becomes most complex. A ransomware attack that encrypts systems and exfiltrates customer data triggers obligations under both frameworks simultaneously — with different deadlines, different regulators, and different notification content.
Under GDPR: If personal data has been breached, you have 72 hours from becoming aware to notify the DPC, if the breach is likely to result in a risk to individuals. You must also notify affected individuals if the breach is likely to result in a high risk to them.
Under NIS2: If your business is in scope and has suffered a significant incident, you must submit an early warning to the NCSC within 24 hours of becoming aware, followed by a fuller incident notification within 72 hours, and a final incident report within one month.
The two notifications are not the same. They go to different recipients (DPC vs NCSC), cover different scope (personal data breach vs significant security incident), and require different information. In a major incident, your organisation may need to make parallel notifications to two regulators simultaneously, while also managing the incident itself.
This requires advance planning. Your incident response plan must identify who is responsible for each notification, what information each requires, and how the 24-hour NIS2 early warning timeline interacts with the investigative work that is still ongoing in the first hours of an incident.
Management Accountability
NIS2 Article 20 makes management bodies — the board — directly accountable for cybersecurity governance, with personal liability provisions. GDPR's accountability sits primarily with the organisation itself, with Data Protection Officers required for certain organisations.
Under NIS2, the board must actively govern cybersecurity. Under GDPR, the board must understand and manage data protection risk, but the specific personal liability provisions of Article 20 are unique to NIS2.
Building a Unified Compliance Approach
Running two separate compliance programmes — one for GDPR, one for NIS2 — is unnecessary and inefficient. The appropriate approach is a single, integrated programme that addresses both:
Unified risk assessment. A single risk assessment covering both cybersecurity risks (NIS2) and personal data risks (GDPR) is more efficient and more coherent than two separate ones. Most risks involve both — a misconfigured cloud storage bucket creates a cybersecurity vulnerability and a personal data exposure simultaneously.
Integrated policy framework. Security policies, access control procedures, patch management, and incident response plans serve both frameworks. Write them once, structured to address both sets of requirements.
Co-ordinated incident response. Your incident response plan must address NIS2 notification timelines (24-hour early warning), GDPR notification timelines (72-hour DPC notification), and the investigative work needed to feed both. Draft notification templates in advance.
Aligned supply chain management. Combine your NIS2 supplier risk assessment with your GDPR data processor register. Many of the same suppliers will appear in both.
Board reporting. A single cybersecurity and data protection briefing for the board is more effective than two separate updates. The board needs a consolidated picture of the organisation's risk exposure.
What the Regulators Expect
The DPC and NCSC are separate bodies, but they co-ordinate. An organisation that reports an incident to the DPC under GDPR can expect that the NCSC is aware. An organisation that notifies the NCSC under NIS2 of an incident involving personal data should expect DPC involvement.
In a post-incident regulatory context, the question both bodies will ask is the same: did this organisation have appropriate security measures in place, were they implemented, and were they effective? A well-documented, integrated compliance programme answers that question in your favour regardless of which regulator is asking.
If you want to map your current position across both GDPR and NIS2 and identify what an integrated compliance programme needs to address, get in touch.
James McGee, CISA, CISSP, CISM, is the founder of Pragmatic Security. He advises Irish SMEs on integrated cybersecurity compliance including NIS2 and GDPR.