
NIS2: what it is and who it applies to

What the NIS2 directive is, which sectors and companies are covered, what it requires in cybersecurity and data management, and how to prepare.

Data Layer Team, Sep 2, 2025, 4 min read

Key takeaways

  • NIS2 raises and harmonises cybersecurity requirements for essential and important sectors across the EU.
  • It brings far more companies into scope than the original NIS directive.
  • It requires risk-management measures, incident reporting (with fixed deadlines) and supply-chain security.
  • It affects directly how data is protected and governed: access control, encryption and traceability.
  • Management bodies are accountable for compliance and can be held liable.

Cybersecurity has stopped being a purely technical matter and become a legal obligation with direct management accountability. The NIS2 directive is one of the rules driving that change across the EU.

What it is

NIS2 (Directive (EU) 2022/2555) replaces the original NIS directive (Directive (EU) 2016/1148) on the security of network and information systems. It aims to raise and harmonise the level of cybersecurity of entities providing essential and important services in the EU, since the original directive had been transposed very unevenly across member states.

Who it applies to

NIS2 considerably widens scope compared with the original directive. Sectors covered include energy, transport, banking, health, drinking water, digital infrastructure, public administration, waste management, food and manufacturing of certain critical products, among others. Entities are classed as "essential" or "important" according to sector and size: by default medium-sized and large enterprises in those sectors are in scope, with some critical providers covered regardless of size.

What it requires

Figure: NIS2 widens scope (more sectors; essential and important entities), raises requirements (risk management, incident reporting) and places accountability on management.

Its relation to data

Although NIS2 is a cybersecurity rule rather than a data-protection rule, its impact on data is direct: it requires protecting the systems that store and process data, controlling who can access them, applying policies on cryptography and encryption for sensitive information, and being able to detect, trace and report incidents. A data architecture that already provides encryption, access control and an audit trail makes demonstrating compliance much easier.

NIS2 makes cybersecurity a board-level responsibility, not just a technical task.

In summary

NIS2 raises and harmonises cybersecurity across essential and important EU sectors, requiring risk management, incident reporting and management accountability. Its data impact is direct: encryption, access control and traceability — a well-governed data architecture eases compliance.

Frequently asked questions

Does NIS2 apply to my company?

It depends on sector and size. NIS2 widens scope to many essential and important sectors, and in most of them medium-sized and large enterprises are in scope by default; a formal assessment of whether you are covered, and as which kind of entity, is advisable.

How does NIS2 relate to the GDPR?

They are complementary. The GDPR protects personal data and governs how it is processed; NIS2 requires the security of the networks and information systems that handle it. An incident may trigger obligations under both (a personal-data breach under the GDPR and a significant incident under NIS2), so good data management with security by design helps meet both.

Who is accountable for compliance?

NIS2 places accountability on management bodies, which must approve the cybersecurity risk-management measures, oversee their implementation and follow training on the subject; they can be held liable for infringements.

What does NIS2 require in practice?

Proportionate risk-management measures (risk analysis, incident handling, business continuity, supply-chain security, access control, cryptography and encryption, among others), incident reporting on fixed deadlines (early warning within 24 hours of becoming aware of a significant incident, a notification within 72 hours and a final report within one month), and management oversight.

How does it affect data?

Directly: it requires protecting the systems that handle data, with access control, encryption and enough logging and traceability to detect an incident, assess its impact and report it on time.

How do I prepare?

Assess whether you are in scope and as which kind of entity, identify critical assets and data, implement the risk-management measures, set up an incident-reporting process that can meet the deadlines, and involve management from the start, ideally on infrastructure with security by design.
