The European Union’s principal data privacy regulators have taken a formal position on the ongoing debate over cybersecurity compliance in the 27-nation bloc, and their answer carries important implications for how the EU’s complex regulatory architecture may evolve. The regulators, responsible for enforcing GDPR across member states, have indicated support for streamlining the compliance and reporting requirements under NIS2, the directive that sets cybersecurity obligations for essential and important entities across the EU.
At the same time, they have issued a clear warning: coordination between data protection authorities and the EU’s cybersecurity agency, ENISA, needs to improve substantially. The absence of strong structural cooperation between these two regulatory pillars leaves organizations subject to both frameworks navigating requirements that are not fully aligned and enforcement postures that are not well coordinated.
The Problem That Prompted the Statement
Organizations operating in Europe have long faced the challenge of satisfying overlapping regulatory requirements from multiple directions simultaneously. GDPR imposes data protection obligations on virtually any entity that processes personal data belonging to individuals in the EU. NIS2 imposes cybersecurity obligations on entities in critical sectors (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, and space) as well as on digital providers and other important entities.
The two frameworks share common ground. Both require risk assessment, incident management, supply chain security, and governance accountability. Both impose reporting obligations when incidents occur. Both carry significant penalties for noncompliance. But they were developed separately, implemented separately, and enforced by different authorities — national data protection authorities under GDPR, and national cybersecurity authorities under NIS2.
For organizations that are subject to both, the practical consequence has been maintaining parallel compliance programs that serve overlapping purposes but cannot be fully merged because the specific requirements, timelines, and documentation standards differ. A significant cybersecurity incident, for example, may trigger separate reporting obligations under NIS2 (to the national CSIRT or competent authority, within 24 hours for an early warning and 72 hours for an incident notification) and GDPR (to the supervisory data protection authority, within 72 hours of becoming aware of a personal data breach), with different reporting formats, different contact points, and different downstream obligations. The two triggers are also different tests: NIS2 reporting turns on whether the incident is significant for the entity’s services, GDPR reporting on whether personal data was compromised, so a single event can fall under either framework, both, or neither.
What the Regulators Are Supporting
The data protection regulators’ support for streamlining compliance requirements reflects a recognition that the current dual-track system imposes costs on organizations — particularly smaller operators — that do not always produce commensurate security benefits.
The regulators have indicated that they favor efforts to reduce duplicative reporting requirements, align timelines and definitions where the frameworks overlap, and create clearer guidance for organizations on how to satisfy both sets of obligations through coordinated rather than parallel compliance programs.
This support does not signal that data protection authorities are willing to cede oversight of cybersecurity practices to cybersecurity authorities. Personal data protection remains their core mandate, and the intersection of cybersecurity failures with personal data breaches means that data protection authorities have a direct and ongoing interest in cybersecurity governance. What the regulators appear to be supporting is better coordination — shared frameworks, joint guidance, coordinated enforcement — rather than consolidation.
The ENISA Coordination Gap
The regulators’ call for stronger cooperation with ENISA addresses what has been an acknowledged structural weakness in the EU’s cybersecurity governance architecture.
ENISA — the European Union Agency for Cybersecurity — is the bloc’s primary technical authority on cybersecurity matters. It develops guidance, conducts threat assessments, supports member states in implementing NIS2, and plays a central role in the EU’s response to major cyber incidents. But ENISA’s relationship with the data protection supervisor ecosystem has historically been limited. The two communities operate largely in parallel, producing guidance and standards that may overlap without explicit coordination.
The data protection regulators’ call for stronger ENISA cooperation is significant because it comes from the GDPR enforcement community. When data protection authorities say they need better structural ties to ENISA, they are identifying a gap that creates real compliance uncertainty for organizations subject to both frameworks.
Without that coordination, guidance from ENISA on NIS2 cybersecurity controls may not fully account for how those controls interact with GDPR requirements. Conversely, guidance from data protection authorities on managing cybersecurity incidents may not align with the technical standards and implementation guidance that ENISA produces for the same events. Organizations in the middle absorb the cost of that misalignment.
The Broader EU Regulatory Landscape for Cybersecurity
The data protection regulators’ statement comes at a moment when the EU’s cybersecurity regulatory framework is unusually active. Several major initiatives are either in recent implementation or approaching key milestones.
NIS2 reached its national transposition deadline on 17 October 2024, though member states varied significantly in how and when they completed transposition. The directive expanded the scope of covered entities compared to its predecessor NIS1, introduced stricter governance requirements including management-body accountability for cybersecurity, and imposed more prescriptive incident reporting obligations.
DORA — the Digital Operational Resilience Act — entered full application in January 2025, imposing detailed cybersecurity and operational resilience requirements specifically on financial entities and their critical technology service providers. DORA introduced its own incident reporting framework, with requirements distinct from both NIS2 and GDPR.
The Cyber Resilience Act, in force since December 2024, established cybersecurity requirements for products with digital elements, imposing security-by-design obligations on manufacturers and introducing conformity assessment requirements. Its vulnerability and incident reporting obligations apply from September 2026, and the bulk of its obligations from December 2027.
The AI Act introduced risk-based requirements for AI systems, including cybersecurity requirements for high-risk AI applications that interact with other compliance frameworks.
For organizations operating in Europe — particularly in financial services, healthcare, critical infrastructure, and technology — this regulatory stack means that compliance programs must address multiple overlapping frameworks simultaneously. The prospect of any simplification or coordination that reduces the overhead of managing that complexity is significant.
Practical Implications for Organizations Subject to Both Frameworks
For organizations that currently navigate both GDPR and NIS2, the data protection regulators’ statement creates cautious optimism about eventual regulatory simplification but changes nothing about current obligations. The frameworks remain as they are. The compliance burden remains as it is.
In the near term, organizations should focus on building integration into their existing compliance programs rather than waiting for regulatory reform that may be years away.
Unified incident response is the most immediate opportunity. Organizations can build incident response procedures that address the notification requirements of both GDPR and NIS2 simultaneously, using a single incident classification and escalation process that routes appropriate notifications to both data protection authorities and national cybersecurity authorities on the required timelines.
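As an added illustration of the single classification step described above (example code written for this page, not from any regulator or the article’s author), the following Python routine takes one incident record and fans it out into every notification it triggers, with deadlines computed from the moment of awareness. The timelines are the ones stated above (NIS2 24 h early warning and 72 h incident notification, GDPR 72 h breach notification); the incident fields, recipient labels and sample incidents are assumptions constructed for the example, and real contact points are configured per member state.

```python
"""Incident-notification router: one classification, two regulatory tracks.

Added example, not from the article. Clocks are the ones the article cites:
NIS2 early warning 24 h and incident notification 72 h, GDPR personal data
breach notification 72 h, all counted from when the organisation became aware.
Field names, recipient labels and sample data are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

NIS2_EARLY_WARNING = timedelta(hours=24)
NIS2_INCIDENT_NOTIFICATION = timedelta(hours=72)
GDPR_BREACH_NOTIFICATION = timedelta(hours=72)


@dataclass(frozen=True)
class Incident:
    ref: str
    aware_at: datetime            # moment of awareness; must be timezone-aware
    nis2_entity: bool             # organisation is an essential/important entity
    significant: bool             # incident meets the NIS2 significance test
    personal_data_breach: bool    # personal data compromised in the GDPR sense


@dataclass(frozen=True)
class Notification:
    framework: str
    step: str
    recipient: str                # assumed label; the real contact point is national
    due: datetime


def make_incident(ref: str, aware_iso: str, nis2_entity: bool,
                  significant: bool, personal_data_breach: bool) -> Incident:
    """Build an incident from an ISO-8601 timestamp such as '2025-03-01T10:00:00+00:00'."""
    return Incident(ref, datetime.fromisoformat(aware_iso),
                    nis2_entity, significant, personal_data_breach)


def plan_notifications(inc: Incident) -> list[Notification]:
    """Apply both regulatory tests once and return every required notification, earliest first."""
    if inc.aware_at.tzinfo is None:
        # Deadlines are absolute; a naive timestamp silently shifts them by the local offset.
        raise ValueError(f"{inc.ref}: aware_at must be timezone-aware")
    plan: list[Notification] = []
    # NIS2 track: only for covered entities, and only for significant incidents.
    if inc.nis2_entity and inc.significant:
        plan.append(Notification("NIS2", "early warning", "national CSIRT/competent authority",
                                 inc.aware_at + NIS2_EARLY_WARNING))
        plan.append(Notification("NIS2", "incident notification", "national CSIRT/competent authority",
                                 inc.aware_at + NIS2_INCIDENT_NOTIFICATION))
    # GDPR track: independent of NIS2 scope; turns solely on personal data being affected.
    if inc.personal_data_breach:
        plan.append(Notification("GDPR", "personal data breach notification", "supervisory authority (DPA)",
                                 inc.aware_at + GDPR_BREACH_NOTIFICATION))
    return sorted(plan, key=lambda n: n.due)


def overdue(plan: list[Notification], now: datetime) -> list[Notification]:
    """Notifications whose deadline has already passed at `now`."""
    return [n for n in plan if n.due < now]


if __name__ == "__main__":
    # Constructed sample: a NIS2 entity with a significant incident that also exposed personal data.
    sample = make_incident("INC-0001", "2025-03-01T10:00:00+00:00", True, True, True)
    for n in plan_notifications(sample):
        print(f"{n.due.isoformat()}  {n.framework:5} {n.step:34} -> {n.recipient}")
```

The point the code makes is that the classification questions (covered entity? significant? personal data?) are asked once, while the notification fan-out is framework-specific; the routing table is the only part that has to change when a member state sets its own contact points or a future joint guidance aligns the clocks.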
Shared risk assessment infrastructure can serve both frameworks. NIS2 requires cybersecurity risk assessments that evaluate threats to the availability, integrity, and confidentiality of network and information systems. GDPR requires data protection impact assessments for processing activities that present high risks to individuals. The inputs overlap significantly (asset inventories, threat scenarios, control maturity), but the two assessments measure risk against different objects: NIS2 asks what a threat does to the entity’s services, a DPIA asks what the processing does to the rights and freedoms of individuals. A single risk register can serve both as long as it records both impact dimensions rather than collapsing them into one score; organizations that maintain fully separate processes are doing duplicative work that can be rationalized into a single risk management program.
Consolidated supply chain security governance addresses a requirement that appears explicitly in both frameworks. NIS2 requires covered entities to assess and manage cybersecurity risks in their supply chains. GDPR requires appropriate technical and organizational measures to protect personal data processed by processors on behalf of controllers. Building a vendor risk management program that satisfies both requirements is more efficient than maintaining separate supplier assessment processes.
Coordinated staff training can address the compliance education requirements of both frameworks. Security awareness training that covers both cybersecurity and data protection obligations reduces administrative overhead while ensuring that staff understand the regulatory context they operate in.
The Member State Implementation Gap
NIS2’s transposition into national law has been uneven across EU member states, and that variability creates an additional compliance complexity for organizations operating in multiple jurisdictions. The core requirements of NIS2 are set at the EU level, but implementation details — which entities are classified as essential versus important, the specific penalties applicable to violations, the procedural requirements for national competent authorities — vary by member state.
Organizations with operations in multiple EU jurisdictions must track not only the EU-level frameworks but also the national implementing measures in each jurisdiction where they operate. In some cases, member states have gone beyond the directive’s minimum requirements, creating more stringent local obligations.
The call for better coordination between data protection authorities and ENISA, if acted upon, could also help address some of this member state variability by producing joint guidance that national authorities can apply more uniformly.
What the EU’s Regulatory Trajectory Signals
The data protection regulators’ support for streamlining and coordination signals something broader about where EU regulatory thinking on cybersecurity is heading. The era of building new cybersecurity frameworks independently without careful attention to how they interact with existing requirements appears to be giving way to a more deliberate approach to regulatory coherence.
The EU’s regulatory production in cybersecurity and data protection over the past decade has been prodigious. GDPR, NIS1, NIS2, DORA, CRA, AI Act — the list represents a substantial investment in legal infrastructure designed to improve security and protect individuals. The challenge now is ensuring that this infrastructure works together efficiently enough that organizations can actually implement it without being overwhelmed by compliance overhead that diverts resources from genuine security investment.
The direction of the data protection regulators’ statement is consistent with that trajectory: support for simplification where it doesn’t compromise protection, and a call for the structural cooperation between regulatory bodies that is necessary for coherent oversight to actually work.
For organizations operating in European markets, that trajectory suggests that compliance programs built around integrated risk management and unified governance — rather than siloed compliance tracks for each individual framework — will be better positioned as the regulatory landscape continues to mature.
This article is provided for informational purposes only and does not constitute legal or regulatory advice. Organizations subject to EU cybersecurity and data protection requirements should consult qualified legal counsel regarding their specific obligations under NIS2, GDPR, and related frameworks.