---
title: "NIS2 vs GDPR breach reporting: EU deadlines and overlap"
canonical_url: "https://www.sorena.io/artifacts/eu/nis2-directive/nis2-vs-gdpr-breach-reporting"
source_url: "https://www.sorena.io/artifacts/eu/nis2-directive/nis2-vs-gdpr-breach-reporting"
author: "Sorena AI"
description: "Compare NIS2 significant-incident reporting with GDPR personal-data-breach reporting, including scope, 24-hour and 72-hour clocks, evidence, and overlap."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "NIS2 vs GDPR breach reporting"
  - "NIS2 incident notification"
  - "GDPR personal data breach"
  - "Article 23 NIS2"
  - "Article 35 NIS2"
  - "24 hour incident warning"
  - "72 hour breach notification"
  - "EU NIS2 Directive"
  - "NIS2"
  - "EU NIS2 Directive vs GDPR breach reporting"
  - "essential entities"
  - "important entities"
  - "Article 21"
  - "Article 23"
---

# NIS2 vs GDPR breach reporting: EU deadlines and overlap

Compare NIS2 significant-incident reporting with GDPR personal-data-breach reporting, including scope, 24-hour and 72-hour clocks, evidence, and overlap.

*Artifact Guide* *EU*

## NIS2 vs GDPR breach reporting

Separate NIS2 significant-incident reporting from GDPR personal-data-breach reporting before an incident clock starts.

Use this comparison to assign the right authority path, evidence pack, 24-hour or 72-hour deadline, and overlap review when a cyber incident may also involve personal data.

This page compares NIS2 significant-incident reporting with GDPR personal-data-breach reporting for teams that need to triage an incident without merging two legal tests. Use it to separate covered entity status, personal-data facts, authority notifications, evidence, deadlines, and the NIS2 Article 35 overlap rule.

## NIS2 vs GDPR breach reporting: practical compliance differences

Use this comparison to decide whether an incident needs NIS2 reporting, GDPR breach reporting, both, or a documented no-notification decision.

- **NIS2 incident reporting**: Use this column for NIS2 covered-entity status, significant-incident impact, Article 23 notification stages, competent-authority or CSIRT routing, and Article 21/23 enforcement exposure.
- **GDPR breach reporting**: Use this column for personal-data-breach assessment, controller and processor roles, supervisory-authority notification, affected-person communication, and evidence that stays separate from NIS2 service-impact reporting.

| Dimension | NIS2 incident reporting | GDPR breach reporting | Operational implication |
| --- | --- | --- | --- |
| Scope and covered activity | Essential and important entities in NIS2 sectors must assess whether an incident has a significant impact on the provision of their services. | Controllers and processors assess whether the event is a personal data breach and whether GDPR notification or communication duties are triggered. | Write two scope findings first. A service outage can trigger NIS2 without a personal data breach; a personal data breach can trigger GDPR even when NIS2 entity scope is not met. |
| Who must act | Management bodies, security leadership, incident response, service owners, supplier management, legal, compliance, and country operations must coordinate the NIS2 record. | Controllers, processors, privacy leads, DPOs where required, security, product owners, vendors, support, HR, and business process owners coordinate the GDPR breach record. | Assign one incident lead for facts and separate legal or privacy owners for notification thresholds; one record can coordinate both tracks only if responsibilities remain clear. |
| Trigger or threshold | The NIS2 reporting trigger is a significant incident: one causing or capable of causing severe operational disruption, financial loss, or considerable material or non-material damage to others. | The GDPR trigger is a personal data breach assessed for supervisory-authority notification and, where the GDPR threshold is met, communication to affected data subjects. | Do not call an event reportable under both laws until the service-impact facts and the personal-data-breach facts each satisfy their own test. |
| Core obligations | Requires Article 21 cybersecurity risk-management measures and Article 23 reporting stages: early warning, incident notification, intermediate updates when requested, and final reporting. | Requires a personal-data-breach assessment, supervisory-authority notification where required, communication to affected data subjects where required, and accountability evidence for the decision. | Convert the applicable duties into an incident playbook with owners, authority routing, customer or recipient communications, evidence capture, and update checkpoints. |
| Evidence and records | Keep sector and entity classification, first-awareness timestamp, service-impact analysis, incident severity, indicators of compromise where available, mitigation actions, authority notices, and final report evidence. | Keep personal-data-breach assessment, affected data categories and people, controller or processor role analysis, notification rationale, supervisory-authority records, and affected-person communication evidence. | Use a shared incident file only if every log, analysis, draft notice, and authority communication is labelled by obligation and source. |
| Timing and cadence | NIS2 Article 23 uses an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report not later than one month after the incident notification. | GDPR breach reporting uses its own personal-data-breach notification timing, including supervisory-authority notification without undue delay and, where feasible, within 72 hours after awareness when required. | Calendar the earliest awareness time and maintain separate NIS2 and GDPR clock entries, because the first 72-hour deadline may not answer both tests. |
| Enforcement or assurance route | NIS2 uses CSIRTs or competent authorities for reporting and national competent authorities for supervision and enforcement, with Article 34 fines tied to Article 21 or Article 23 infringements. | GDPR breach reporting is handled through data-protection supervisory authorities, with GDPR corrective powers and administrative fines under the GDPR enforcement regime. | Escalate through the authority route that owns the breached duty, and use the NIS2 Article 35 rule when the same conduct can entail a notifiable personal data breach. |
| Overlap and reuse | NIS2 expressly addresses overlap: when Article 21 or Article 23 infringements can entail a notifiable personal data breach, competent authorities must inform GDPR supervisory authorities without undue delay. | GDPR remains the personal-data-breach route; NIS2 overlap does not supersede the GDPR supervisory-authority assessment or affected-person communication analysis. | Reuse common incident facts, logs, impact assessments, and mitigation records, but keep the NIS2 authority path and GDPR authority path visible in the file. |
| Practical decision rule | For NIS2, write the covered-entity finding, significant-incident finding, first-awareness time, authority route, notice status, and final-report owner. | For GDPR, write the controller or processor role, personal-data-breach finding, notification threshold, supervisory-authority status, affected-person communication status, and privacy owner. | The useful output is an incident decision record that security, privacy, legal, management, and audit reviewers can re-run from the same facts and sources. |

Sources for every row: [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Official NIS2 directive text for covered entities, Article 21 risk-management duties, Article 23 incident reporting, and Article 35 GDPR overlap; [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/eli/reg/2016/679/oj?ref=sorena.io) - Official GDPR regulation text for personal-data-breach concepts and supervisory-authority reporting duties.

### How should teams decide between NIS2 and GDPR breach reporting?

- Start with the incident facts, first-awareness time, affected service, affected data, and affected recipients.
- Run the NIS2 significant-incident test and the GDPR personal-data-breach test separately.
- Track NIS2's 24-hour, 72-hour, and final-report sequence separately from GDPR's breach notification clock.
- Escalate overlap cases under the NIS2 Article 35 coordination rule instead of assuming one authority notice satisfies both laws.

Sources for the practical decision rule:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Official NIS2 directive text for covered entities, Article 21 risk-management duties, Article 23 incident reporting, and Article 35 GDPR overlap.
  - Quote: "high common level of cybersecurity across the Union"
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/eli/reg/2016/679/oj?ref=sorena.io) - Official GDPR regulation text for personal-data-breach concepts and supervisory-authority reporting duties.
  - Quote: "protection of natural persons with regard to the processing of personal data"

## How to compare NIS2 and GDPR breach reporting without mixing obligations

NIS2 reporting starts from a significant incident affecting services provided by an essential or important entity. GDPR breach reporting starts from a personal data breach assessed by the controller under the GDPR breach rules.

Use the rows to decide whether the same event needs a NIS2 notice, a GDPR notice, both notices, or a documented no-notification decision with separate evidence for each test.

- Run the NIS2 significant-incident test and the GDPR personal-data-breach test separately.
- Reuse logs, timelines, impact analysis, and mitigation evidence only after tagging the obligation each item supports.
- Escalate overlap cases because NIS2 requires competent authorities to inform GDPR supervisory authorities when Article 21 or Article 23 infringements can entail a notifiable personal data breach.

Sources for this answer:

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Supports the NIS2 side of this breach-reporting comparison by grounding covered-entity classification, Article 21 controls, and Article 23 reporting clocks.
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/eli/reg/2016/679/oj?ref=sorena.io) - Official GDPR regulation text for personal-data-breach concepts and supervisory-authority reporting duties.

## What decision should teams make during NIS2 vs GDPR incident triage?

Start with three facts: whether the organization is in NIS2 scope, whether the event is a NIS2 significant incident, and whether personal data was breached in a way that may trigger GDPR reporting.

The output should be a short incident decision record with separate conclusions, clocks, recipients, and evidence links for NIS2 and GDPR.

- Confirm covered-entity and sector facts before opening a NIS2 notification workflow.
- Confirm controller or processor role and personal-data-breach facts before opening a GDPR workflow.
- Record the first awareness time for each clock because NIS2 uses early-warning and incident-notification stages.
- Save the decision in an incident register, authority-notification log, or post-incident evidence pack.
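The decision record described above, as an added example that is not Sorena's code or any regulator's tooling: it keeps the NIS2 Article 23 sequence (24-hour early warning, 72-hour notification, final report one month after the notification) and the GDPR 72-hour supervisory-authority clock as separate entries, each with its own first-awareness time. The `NIS2Facts`/`GDPRFacts` inputs, the `add_one_month` helper and the scenario timestamps are assumptions of this example; the legal tests themselves are supplied by the incident lead and the legal or privacy owners.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def parse_utc(text: str) -> datetime:
    """Parse an ISO 8601 timestamp and pin it to UTC so both clocks share one time base."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def add_one_month(moment: datetime) -> datetime:
    """Same calendar day next month, clamped to the last day when that day does not exist."""
    year = moment.year + moment.month // 12
    month = moment.month % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


@dataclass
class NIS2Facts:
    covered_entity: bool             # essential or important entity in a NIS2 sector
    significant_incident: bool       # outcome of the Article 23 significant-incident test
    aware_at: Optional[datetime]     # first awareness of the significant incident
    notification_sent_at: Optional[datetime] = None  # when the 72-hour notification went out


@dataclass
class GDPRFacts:
    role: str                        # "controller" or "processor"
    personal_data_breach: bool       # outcome of the personal-data-breach test
    risk_to_data_subjects: bool      # threshold for supervisory-authority notification
    high_risk: bool                  # threshold for communicating with affected people
    aware_at: Optional[datetime]     # first awareness of the personal data breach


def nis2_clocks(facts: NIS2Facts) -> dict:
    """Article 23 sequence, or a documented no-notification decision with its reason."""
    if not facts.covered_entity:
        return {"decision": "no-notification", "reason": "not a NIS2 covered entity"}
    if not facts.significant_incident:
        return {"decision": "no-notification", "reason": "not a significant incident"}
    return {
        "decision": "notify",
        "early_warning_due": facts.aware_at + timedelta(hours=24),
        "incident_notification_due": facts.aware_at + timedelta(hours=72),
        # The final-report clock runs from the notification actually submitted, not from awareness.
        "final_report_due": add_one_month(facts.notification_sent_at) if facts.notification_sent_at else None,
    }


def gdpr_clocks(facts: GDPRFacts) -> dict:
    """GDPR track: breach test, role, notification threshold, then the 72-hour clock."""
    if not facts.personal_data_breach:
        return {"decision": "no-notification", "reason": "no personal data breach"}
    if facts.role == "processor":
        # A processor reports to its controller; the supervisory-authority decision is the controller's.
        return {"decision": "notify-controller", "reason": "processor role"}
    if not facts.risk_to_data_subjects:
        return {"decision": "no-notification", "reason": "breach unlikely to result in a risk; document internally"}
    return {
        "decision": "notify",
        "supervisory_authority_due": facts.aware_at + timedelta(hours=72),
        "communicate_to_data_subjects": facts.high_risk,
    }


def decision_record(incident_id: str, nis2: NIS2Facts, gdpr: GDPRFacts) -> dict:
    """Separate conclusions, clocks and overlap flag that reviewers can re-run from the same facts."""
    n, g = nis2_clocks(nis2), gdpr_clocks(gdpr)
    both_notify = n["decision"] == "notify" and g["decision"] == "notify"
    return {
        "incident_id": incident_id,
        "nis2": n,
        "gdpr": g,
        # Article 35 overlap: the NIS2 authority informs the GDPR supervisory authority,
        # but that does not replace the controller's own GDPR notification.
        "article_35_overlap": both_notify,
        # True when the two 72-hour deadlines differ, so one notice cannot satisfy both tests.
        "separate_72h_deadlines": both_notify
        and n["incident_notification_due"] != g["supervisory_authority_due"],
    }


def example_record() -> dict:
    """Constructed scenario: outage at an essential entity; personal-data exposure confirmed a day later."""
    nis2 = NIS2Facts(covered_entity=True, significant_incident=True,
                     aware_at=parse_utc("2026-03-10T09:00"),
                     notification_sent_at=parse_utc("2026-03-12T15:00"))
    gdpr = GDPRFacts(role="controller", personal_data_breach=True,
                     risk_to_data_subjects=True, high_risk=True,
                     aware_at=parse_utc("2026-03-11T14:00"))
    return decision_record("INC-EXAMPLE-001", nis2, gdpr)


if __name__ == "__main__":
    for track, value in example_record().items():
        print(track, value)
```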

Sources for this answer:

- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj?ref=sorena.io) - Commission implementing regulation for cybersecurity risk-management measures in covered digital sectors.
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Official NIS2 directive text for covered entities, Article 21 risk-management duties, Article 23 incident reporting, and Article 35 GDPR overlap.
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/NIS2-directive?ref=sorena.io) - Commission overview for NIS2 scope, sectors, obligations, and policy context.

## When should teams apply the comparison, and what should be excluded?

Apply this comparison to incident-response playbooks, tabletop exercises, supplier incidents, product outages, and security events where a service disruption may overlap with personal data exposure.

Exclude broad privacy governance questions that are not breach reporting decisions. Exclude general NIS2 control design unless the evidence is needed to decide or support an incident notice.

- Write separate no-notification reasons when only one framework is triggered.
- Add the Member State, sector, service, affected recipients, personal-data categories, supplier, and first-awareness timestamp when they affect the answer.
- Use a reassessment trigger when impact, data exposure, affected recipients, cross-border facts, or authority guidance changes.
- Keep national transposition notes separate from the EU-level comparison because NIS2 is implemented through Member State law.

Sources for this answer:

- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj?ref=sorena.io) - Commission implementing regulation for cybersecurity risk-management measures in covered digital sectors.
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Official NIS2 directive text for covered entities, Article 21 risk-management duties, Article 23 incident reporting, and Article 35 GDPR overlap.
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/NIS2-directive?ref=sorena.io) - Commission overview for NIS2 scope, sectors, obligations, and policy context.
- [ENISA - NIS2 technical implementation guidance](https://www.enisa.europa.eu/publications/NIS2-technical-implementation-guidance?ref=sorena.io) - ENISA technical guidance context for implementing NIS2 cybersecurity requirements.

## Who should own the comparison, and what evidence should they maintain?

Ownership should combine incident response, security, legal, privacy, compliance, supplier-risk, communications, and country operations. The owner must be able to notify authorities, preserve evidence, and coordinate updates as the facts change.

For NIS2, keep covered-entity analysis, service-impact assessment, incident clock log, Article 21 control evidence, Article 23 notification drafts, CSIRT or competent-authority correspondence, supplier evidence, and management-body approvals. For GDPR, keep the personal-data-breach assessment and supervisory-authority or data-subject communication record where applicable.

- Assign one incident lead for facts and one legal or privacy lead for notification thresholds.
- Give security responsibility for technical evidence and legal or compliance responsibility for source citations.
- Keep approvals, rejected notification paths, authority contacts, and timeline updates with the same record.
- Make the evidence usable by incident response, product, engineering, procurement, security, support, privacy, and compliance teams.

Sources for this answer:

- [Implementing Regulation (EU) 2024/2690 for NIS2 technical measures](https://eur-lex.europa.eu/eli/reg_impl/2024/2690/oj?ref=sorena.io) - Commission implementing regulation for cybersecurity risk-management measures in covered digital sectors.
- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Official NIS2 directive text for covered entities, Article 21 risk-management duties, Article 23 incident reporting, and Article 35 GDPR overlap.
- [European Commission - NIS2 Directive overview](https://digital-strategy.ec.europa.eu/en/policies/NIS2-directive?ref=sorena.io) - Commission overview for NIS2 scope, sectors, obligations, and policy context.

*Recommended next step*

## Use this comparison as a cited notification workflow

Sorena can turn the decisions on this page into incident triage questions, clock tracking, authority-routing steps, owner assignments, and reusable evidence requests.

- [Open Research Copilot for NIS2](/solutions/research-copilot.md): Ask source-linked questions about NIS2 breach reporting scope, Article 23 deadlines, GDPR overlap, and incident evidence using the cited sources on this page.
- [Talk through implementation](/contact.md): Review your NIS2 and GDPR breach reporting workflow, source gaps, notification clocks, and next implementation steps with Sorena.

## Primary sources

- [Directive (EU) 2022/2555 (NIS2)](https://eur-lex.europa.eu/eli/dir/2022/2555/oj?ref=sorena.io) - Official NIS2 directive text for covered entities, Article 21 risk-management duties, Article 23 incident reporting, and Article 35 GDPR overlap.
  - Quote: "high common level of cybersecurity across the Union"
- [Regulation (EU) 2016/679 (GDPR)](https://eur-lex.europa.eu/eli/reg/2016/679/oj?ref=sorena.io) - Official GDPR regulation text for personal-data-breach concepts and supervisory-authority reporting duties.
  - Quote: "protection of natural persons with regard to the processing of personal data"

## Related Topic Guides

- [Are managed service providers in scope of NIS2?](/artifacts/eu/nis2-directive/faq/managed-service-provider-scope.md): NIS2 scope answer for managed service providers and managed security service providers, including service definition, size-cap checks, entity status, and jurisdiction evidence.
- [EU NIS2 Directive applicability test for entity scope](/artifacts/eu/nis2-directive/applicability-test.md): Stepwise NIS2 applicability test for Annex I and Annex II sectors, medium and large entities, size-independent cases, essential or important classification, jurisdiction, and evidence.
- [EU NIS2 Directive deadlines and compliance calendar | Article 23 clocks](/artifacts/eu/nis2-directive/deadlines-and-compliance-calendar.md): source-linked NIS2 compliance calendar covering 17 October 2024 transposition, 18 October 2024 application, Article 27 registry data, Article 3 entity lists, Article 23 incident-reporting clocks, and Member State transposition watch items.
- [FAQ: NIS2 essential vs important entity classification and registration obligations](/artifacts/eu/nis2-directive/faq/essential-vs-important-entities.md): Plain-English FAQ comparing NIS2 essential entities and important entities, with Article 3 classification rules, shared Article 21 and 23 duties, supervision differences, and evidence to keep.
- [NIS2 24-hour early warning: what to send and when](/artifacts/eu/nis2-directive/faq/24-hour-early-warning.md): Under NIS2 Article 23, covered essential and important entities submit an early warning within 24 hours of becoming aware of a significant incident.
- [NIS2 72-hour incident notification FAQ](/artifacts/eu/nis2-directive/faq/72-hour-incident-notification.md): Direct answer on the NIS2 72-hour incident notification: when it is due, what it updates, what it must include, and how to preserve evidence.
- [NIS2 Annex I and Annex II Sector Scoping Guide](/artifacts/eu/nis2-directive/annex-i-and-ii-sector-scoping.md): Map NIS2 Annex I and Annex II sectors, entity types, size-cap rules, and essential versus important entity classification with official EU sources.
- [NIS2 Article 21 control baseline and evidence checklist](/artifacts/eu/nis2-directive/article-21-control-baseline.md): Build a NIS2 Article 21 control baseline from the Directive's minimum cybersecurity risk-management measures, proportionality test, supplier duties, and evidence expectations.
- [NIS2 Article 21 control-by-control evidence checklist](/artifacts/eu/nis2-directive/article-21-control-by-control-evidence.md): Map NIS2 Article 21 risk-management measures to evidence records for governance, incident handling, continuity, supply chain, testing, cyber hygiene, cryptography, access, assets, and authentication.
- [NIS2 Article 21 Gap Assessment Workflow: controls, evidence, and owners](/artifacts/eu/nis2-directive/article-21-gap-assessment-workflow.md): Assess NIS2 Article 21 cybersecurity risk-management gaps by mapping current controls to Article 21(2), ownership, evidence, supplier risk, and management review.
- [NIS2 Article 23 incident notification workflow](/artifacts/eu/nis2-directive/article-23-notification.md): Map NIS2 Article 23 reporting duties for significant incidents: 24-hour early warning, 72-hour notification, intermediate reports, final report, recipients, and evidence.
- [NIS2 Compliance Checklist: scope, controls, reporting](/artifacts/eu/nis2-directive/checklist.md): Use this NIS2 compliance checklist to confirm scope, entity classification, management-body duties, Article 21 controls, Article 23 reporting, and evidence.
- [NIS2 Compliance Guide: scope, controls, reporting, and evidence](/artifacts/eu/nis2-directive/compliance.md): A practical NIS2 compliance guide for mapping entity scope, Article 21 risk measures, Article 23 incident reporting, management accountability, and evidence records.
- [NIS2 Country Transposition Tracker: EU Status Workflow](/artifacts/eu/nis2-directive/country-transposition-tracker.md): Track NIS2 Directive transposition by EU country with Commission status pages, Article 41 deadlines, reasoned-opinion flags, source URLs, and review controls.
- [NIS2 Entity Classifier Workflow: essential vs important entity scoping](/artifacts/eu/nis2-directive/entity-classifier-workflow.md): Classify whether an EU service is out of scope, an important entity, an essential entity, or needs national-authority review under the NIS2 Directive.
- [NIS2 essential vs important entities: Article 3 scope and supervision guide](/artifacts/eu/nis2-directive/scope-essential-vs-important.md): Classify NIS2 essential and important entities using Article 3, Annex I and II sector scope, size-cap rules, registration evidence, and the Article 32/33 supervision split.
- [NIS2 essential vs important entities: supervision regime and audit evidence requirements](/artifacts/eu/nis2-directive/essential-vs-important-supervision.md): Compare NIS2 essential and important entities by scope, Article 21 and 23 duties, Article 32 and 33 supervision, evidence, jurisdiction, and penalties.
- [NIS2 FAQ: scope, Article 21 controls, incident reporting, and penalties](/artifacts/eu/nis2-directive/faq.md): source-linked NIS2 FAQ for teams deciding whether they are in scope, whether they are essential or important entities, which Article 21 cybersecurity measures apply, how Article 23 incident reporting works, and what penalties and evidence records to plan for.
- [NIS2 incident clock triage workflow](/artifacts/eu/nis2-directive/incident-clock-triage-workflow.md): Triage a possible NIS2 significant incident by recording awareness time, severity, impact, authority route, recipient communications, and Article 23 reporting clocks.
- [NIS2 Incident Reporting Workflow: 24-hour, 72-hour, and final report steps](/artifacts/eu/nis2-directive/incident-reporting-workflow.md): Build a NIS2 Article 23 incident reporting workflow with significance triage, CSIRT or authority notification steps, recipient communication, cross-border checks, and evidence records.
- [NIS2 Management Body Accountability: board duties, training, and evidence](/artifacts/eu/nis2-directive/management-body-accountability.md): source-linked guide to NIS2 Article 20 management body accountability: approval of Article 21 measures, oversight, liability, training, reporting lines, and evidence.
- [NIS2 Member State Transposition: What Teams Must Check](/artifacts/eu/nis2-directive/faq/member-state-transposition.md): How to handle NIS2 Member State transposition: use Article 41 as the EU baseline, then verify national law, authority routing, registration, and incident-reporting details.
- [NIS2 National Transposition Tracker: EU Member State Evidence Register](/artifacts/eu/nis2-directive/national-transposition-tracker.md): Track NIS2 national transposition with Commission country pages, Article 41 dates, reasoned-opinion flags, source wording, authority contacts, and legal review triggers.
- [NIS2 penalties and fines: Article 34 caps for essential and important entities](/artifacts/eu/nis2-directive/penalties-and-fines.md): NIS2 penalties and fines explained for EU essential and important entities, including Article 34 fine ceilings, Article 21 and 23 triggers, national transposition, and evidence to keep.
- [NIS2 Registration and Authority Notification Guide](/artifacts/eu/nis2-directive/registration-and-authority-notification.md): Map NIS2 Article 3 entity-list duties, Article 27 registry submissions, competent-authority contacts, and national registration portal evidence without inventing country deadlines.
- [NIS2 Requirements: scope, Article 21 controls, reporting, and evidence](/artifacts/eu/nis2-directive/requirements.md): Map NIS2 requirements for essential and important entities: scope classification, management-body duties, Article 21 cybersecurity measures, Article 23 incident reporting, and evidence records.
- [NIS2 Size Cap Rule and Special Scope Cases](/artifacts/eu/nis2-directive/size-cap-and-special-cases.md): Determine whether NIS2 applies under the medium-size rule, regardless-of-size special cases, critical entity rule, and Member State registration lists.
- [NIS2 size-cap rule: when medium and large entities are in scope](/artifacts/eu/nis2-directive/faq/size-cap-rule.md): Plain-language FAQ on the NIS2 size-cap rule: medium and large Annex I or II entities, SME thresholds, regardless-of-size exceptions, and evidence to keep.
- [NIS2 supply chain security program: Article 21 controls, contracts, and evidence](/artifacts/eu/nis2-directive/supply-chain-security-program.md): Build a NIS2 Article 21 supply chain security program for direct suppliers and service providers: policy, supplier criteria, contract clauses, monitoring, registry evidence, and source-linked checks.
- [NIS2 vs CER Directive comparison: cyber obligations and critical-entity resilience](/artifacts/eu/nis2-directive/nis2-vs-cerc.md): Compare NIS2 and the CER Directive using grounded rows for scope, triggers, evidence, incident handling, supervision, and shared critical-entity work.
- [NIS2 vs DORA: scope, overlap, and evidence for EU cyber compliance](/artifacts/eu/nis2-directive/nis2-vs-dora.md): Compare NIS2 and DORA for EU cyber compliance: covered entities, when DORA replaces NIS2 duties for financial entities, incident reporting, evidence, and supervisory handoffs.
- [NIS2 vs ISO/IEC 27001: legal duties, ISMS evidence, and reuse limits](/artifacts/eu/nis2-directive/nis2-vs-iso-27001.md): Compare NIS2 legal obligations with ISO/IEC 27001 ISMS requirements: scope, Article 21 controls, incident clocks, SoA evidence, audits, and certification reuse.
- [NIS2 vs ISO/IEC 27017: legal duties, cloud controls, and reuse limits](/artifacts/eu/nis2-directive/nis2-vs-iso-27017.md): Compare NIS2 legal obligations with ISO/IEC 27017 cloud-service controls: entity scope, Article 21 measures, incident clocks, shared responsibility, evidence, and assurance limits.
- [NIS2 vs NIS1: what changed in EU cybersecurity compliance](/artifacts/eu/nis2-directive/nis2-vs-nis1.md): Compare NIS2 with the repealed NIS1 Directive: expanded sectors, essential and important entities, management-body duties, Article 21 controls, Article 23 reporting, and supervision.


---

(c) 2026 Sorena AB (559573-7338). All rights reserved.
