NIS2 and the GDPR — How the New Cybersecurity Directive Impacts Data Protection
On 3 April 2026, the amended Act on the National Cybersecurity System (KSC) entered into force in Poland, implementing the EU’s NIS2 Directive (Directive (EU) 2022/2555). This is a fundamental change — the previous legislation covered approximately 400 operators of essential services, while the new rules extend to over 42,000 entities.
For many organisations, NIS2 means new, extensive cybersecurity obligations — obligations that substantially overlap with the requirements of the GDPR. This article explains how NIS2 and the GDPR interact, what new obligations NIS2 imposes, and how organisations should integrate compliance with both regulations.
What Is NIS2?
NIS2 (Network and Information Security Directive 2) is an EU directive aimed at raising the level of cybersecurity across key sectors of the EU economy. It replaces the original NIS Directive from 2016 and significantly expands its scope.
Unlike the GDPR, which is a regulation (directly applicable), NIS2 is a directive requiring transposition into national law. In Poland, this was achieved through an amendment to the Act on the National Cybersecurity System, signed by the President on 19 February 2026 and effective from 3 April 2026.
Who Does NIS2 Apply To?
The scope of NIS2 is far broader than its predecessor. The new rules divide entities into two categories:
Essential entities — organisations in sectors of the highest importance: energy, transport, banking and financial market infrastructure, healthcare, drinking water and wastewater, digital infrastructure, ICT service management (B2B), public administration, and space.
Important entities — organisations in sectors of significant importance: postal and courier services, waste management, manufacture and distribution of chemicals, food production and distribution, manufacturing (including medical devices, computers, vehicles), digital service providers (online platforms, search engines, social networks), and research.
As a general rule, NIS2 applies to medium and large enterprises — those with more than 50 employees or EUR 10 million in annual turnover. However, there are exceptions — certain entities are subject to NIS2 regardless of size (e.g., DNS service providers, domain registries, trust service providers).
Key Implementation Deadlines in Poland
The Act entered into force on 3 April 2026. Organisations must observe the following deadlines:
By 3 October 2026 (6 months) — self-identification and submission of an application for registration in the register of essential or important entities via the S46 system.
By 3 April 2027 (12 months) — full implementation of cybersecurity risk management measures and integration with the S46 system.
From 3 April 2028 (24 months) — commencement of full enforcement of administrative fines. Until then, a so-called “grace period” applies — a deliberate legislative choice designed to support companies in learning the new procedures.
The first mandatory audit for new essential entities is required from 3 April 2028.
How NIS2 and the GDPR Overlap
NIS2 and the GDPR are two separate regulations, but their requirements overlap significantly. Both concern information security — NIS2 from the perspective of cybersecurity of systems and networks, the GDPR from the perspective of personal data protection.
Risk management
NIS2 (Article 21) requires the implementation of cybersecurity risk management measures, including risk analysis policies, incident handling, business continuity, supply chain security, and staff training. The GDPR (Article 32) requires the implementation of appropriate technical and organisational measures to ensure the security of personal data processing. Synergy: An organisation that implements a risk management system compliant with NIS2 will largely meet the requirements of Article 32 GDPR at the same time.
Incident reporting
NIS2 requires significant cybersecurity incidents to be reported to the relevant CSIRT within strict timeframes: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. The GDPR (Article 33) requires personal data breaches to be notified to the supervisory authority (UODO) within 72 hours. Synergy: A single incident may require dual notification — to the CSIRT (NIS2) and to UODO (GDPR). Organisations should have an integrated incident response procedure that covers both notification obligations.
Security measures
NIS2 requires, among others: information system security policies, incident handling procedures, business continuity plans, supply chain security, encryption, access control, and multi-factor authentication. The GDPR (Article 32) requires, among others: pseudonymisation and encryption, the ability to ensure the confidentiality, integrity, and availability of systems, the ability to restore access to data promptly, and regular testing of security measures. Synergy: The lists of security measures in both regulations largely overlap. ISO 27001 is an ideal framework that simultaneously meets the requirements of both NIS2 and the GDPR.
Management liability
NIS2 introduces personal liability for members of management bodies for ensuring compliance with cybersecurity regulations. Managers may bear financial liability — up to 600% of their remuneration. The GDPR imposes responsibility on the data controller but does not expressly provide for personal liability of the board. Difference: NIS2 is stricter in this respect — the board must personally approve risk management measures and undergo cybersecurity training.
Supply chain security
NIS2 requires managing risk in supplier and subcontractor relationships — supplier security assessments, contractual requirements, and monitoring. The GDPR (Article 28) requires the verification of processors and the conclusion of data processing agreements. Synergy: An organisation that properly manages processors under Article 28 GDPR has a solid foundation for meeting NIS2 supply chain requirements — and vice versa.
NIS2 Fines vs GDPR Fines
Fines for NIS2 violations are comparable to GDPR fines:
NIS2 — essential entities: up to EUR 10 million or 2% of annual global turnover (whichever is higher). Minimum fine: PLN 15,000.
NIS2 — important entities: up to EUR 7 million or 1.4% of annual global turnover.
GDPR: up to EUR 20 million or 4% of annual global turnover (for the most serious violations).
Key difference: NIS2 introduces personal liability for management — up to 600% of remuneration. The GDPR does not provide for such a mechanism.
A single cybersecurity incident may result in fines under both regulations simultaneously — for example, a ransomware attack that leads to a network security breach (NIS2) and a personal data breach (GDPR).
ISO 27001 as the Common Denominator
ISO 27001 provides an ideal framework for integrating NIS2 and GDPR requirements. The standard covers risk management, security controls, incident management, business continuity, and supply chain security — the core requirements of both regulations.
Article 21(5) of the NIS2 Directive expressly encourages the use of European and international standards, including ISO 27001, as a basis for implementing risk management measures.
Organisations that already hold ISO 27001 certification (particularly with the ISO 27701 privacy extension) have the easiest path to simultaneous NIS2 and GDPR compliance. Those planning to implement a security management system for the first time should design it from the outset to meet the requirements of both regulations.
The Cascade Effect — NIS2 and Smaller Companies
Even if your company is not directly an essential or important entity under NIS2, the new rules may affect you indirectly. Entities subject to NIS2 are required to manage risk in their supply chains — meaning they will require their suppliers and subcontractors to meet certain security standards.
In practice, smaller companies that supply goods or services to essential or important entities may be required to implement additional safeguards, undergo security audits, accept new contractual requirements, or obtain certification (e.g., ISO 27001) as a condition of maintaining the business relationship.
This cascade effect means that NIS2 indirectly raises cybersecurity standards across the entire economy — not just in the sectors formally covered by the directive.
How to Prepare Your Organisation — An Integrated NIS2 + GDPR Approach
Rather than treating NIS2 and the GDPR as two separate compliance projects, organisations should adopt an integrated approach:
1. One security management system — based on ISO 27001/27701, simultaneously meeting the requirements of NIS2 (cybersecurity) and the GDPR (personal data protection).
2. One risk assessment — an integrated risk analysis covering both risks to systems and networks (NIS2) and risks to the rights and freedoms of natural persons (GDPR/DPIA).
3. One incident procedure — accounting for the dual notification obligation: to the CSIRT (NIS2, 24h early warning + 72h notification) and to UODO (GDPR, 72h).
4. One supply chain approach — verifying suppliers for both cybersecurity (NIS2) and data protection (GDPR/Article 28).
5. One training programme — covering cybersecurity (required by NIS2), data protection (required by the GDPR), and AI literacy (required by the AI Act).
Checklist — NIS2 and the GDPR
- Determine whether your organisation is an essential or important entity under NIS2.
- If so — submit an application for registration in the S46 system (deadline: 3 October 2026).
- Conduct a risk assessment covering both cybersecurity (NIS2) and data protection (GDPR).
- Implement risk management measures — encryption, access control, MFA, backups, business continuity plan.
- Prepare an integrated incident response procedure — with dual notification (CSIRT + UODO).
- Manage supply chain security — verify suppliers, update contracts.
- Train management — NIS2 requires management bodies to approve security measures and undergo training.
- Train staff — on cybersecurity awareness and data protection.
- Consider ISO 27001 certification — as the common denominator of NIS2 and the GDPR.
- Plan audits — first mandatory audit for essential entities: from 3 April 2028.
- Monitor regulatory developments — implementing acts, technical standards, authority guidelines.
Need Support With NIS2 and the GDPR?
NIS2 and the GDPR require the simultaneous fulfilment of legal and technical requirements — from risk analysis, through incident procedures, to supply chain management. At the Law Office of Dr Joanna Maniszewska-Ejsmont, we advise companies on the legal aspects of NIS2 and GDPR compliance — helping to identify obligations, integrate management systems, and prepare documentation meeting the requirements of both regulations.
Contact us — we will assess what NIS2 obligations apply to your organisation and how to integrate them with your existing data protection system.