The Impact of the NIS 2 Directive on Personal Data Protection: A Challenge for Compliance

The evolution of European cybersecurity regulations, with the recent entry into force of the NIS 2 Directive (Directive (EU) 2022/2555), represents a step forward in the protection of critical infrastructure, but also poses significant implications for the management and protection of personal data.

In an environment where cybersecurity and data protection are increasingly intertwined, this new regulation requires organizations to be more mature in cyber risk management and to integrate more closely with the General Data Protection Regulation (GDPR).

In this article, we'll explore how the NIS 2 Directive impacts personal data protection, the compliance challenges it poses for organizations, and the opportunities it offers to strengthen information security and protect the rights of European citizens.

The NIS 2 Directive and its Connection to Data Protection

The NIS 2 Directive aims to establish a high and common level of cybersecurity in the European Union, extending security requirements to more sectors and entities. Although its primary focus is not the protection of personal data, its provisions have a direct impact on this area, as a cybersecurity incident can compromise the confidentiality, integrity, and availability of personal data. Some key points of the NIS 2 Directive that directly affect data protection include:

  1. Risk Management and Security Measures:
    The Directive requires organizations to implement appropriate technical and organizational measures to manage risks related to the security of their information systems. These measures must ensure the protection not only of systems and infrastructure, but also of the personal data stored or processed.
  2. Incident Notification:
    Organizations must report significant incidents to the relevant authorities within 24 hours. If these incidents involve personal data, they must also comply with the reporting obligations under the GDPR. This creates a double reporting burden and requires coordination between cybersecurity and data protection departments.
  3. Expanding the Scope:
    The inclusion of new critical sectors, such as telecommunications, digital services, and the space sector, also expands data protection obligations in these sectors, where the volume and sensitivity of the data processed are particularly high.
  4. Penalties for Non-Compliance:
    The Directive introduces significant sanctions for organizations that fail to comply with security requirements, which may be complementary to those already provided for by the GDPR in the event of personal data breaches.

1. Coordination between NIS 2 and the GDPR

The coexistence of the NIS 2 Directive and the GDPR forces organizations to manage a complex regulatory framework. While both regulations share similar security objectives, they differ in terms of timelines, notification requirements, and the powers of the authorities involved.

For example, while the NIS 2 Directive requires cybersecurity incidents to be reported within 24 hours, the GDPR allows a maximum of 72 hours for reporting personal data breaches. This difference requires adequate planning to comply with both regulatory frameworks simultaneously.

2. Management of Security Incidents Affecting Personal Data

A cyberattack can have a significant impact on the protection of personal data. According to data from the ENISA report, 90% of organizations expect an increase in cyberattacks next year. This poses a high risk to the confidentiality and privacy of personal data.

Detecting, responding to, and reporting these incidents requires integrated systems that can quickly determine whether a cybersecurity incident has implications for personal data and respond accordingly.

3. Shortage of Human and Technical Resources

The ENISA report also highlights the shortage of cybersecurity talent, which represents an obstacle to the implementation of the measures required by the Directive. In the area of data protection, this shortage translates into a lack of experts capable of handling complex incidents affecting both system security and data privacy.
