NIS2 Directive — What DPOs Need to Know

The NIS2 directive (EU 2022/2555) has been in force since December 2025, dramatically expanding the number of organizations required to implement cybersecurity measures. In Germany alone, roughly 25,000 companies are newly in scope — up from about 4,500 under the original NIS directive. For external DPOs, this creates both a challenge and an opportunity.

Who Falls Under NIS2?

NIS2 applies to two categories of entities: essential entities and important entities. Essential entities include sectors like energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, and public administration. Important entities cover sectors such as postal services, waste management, manufacturing, food production, chemicals, and digital providers.

The size thresholds are straightforward: organizations with 50+ employees or EUR 10+ million annual turnover in these sectors are automatically in scope. However, certain entities are in scope regardless of size, such as DNS service providers, TLD registries, and providers of public electronic communications networks.

For DPOs, this means many of your existing clients may now have NIS2 obligations on top of their GDPR requirements. Proactively identifying which clients fall under NIS2 positions you as a valuable strategic advisor, not just a compliance checkbox.

Key NIS2 Obligations

NIS2 requires affected organizations to implement a comprehensive set of cybersecurity risk management measures. These include: risk analysis and information system security policies, incident handling procedures, business continuity and crisis management, supply chain security, security in network and information system acquisition and development, policies for assessing the effectiveness of cybersecurity measures, basic cyber hygiene practices and training, policies regarding cryptography, human resources security, access control, and asset management.

Organizations must also report significant incidents to their national authority within 24 hours for an early warning, 72 hours for a full notification, and one month for a final report. This three-tiered reporting obligation is more stringent than GDPR's 72-hour breach notification and requires well-prepared incident response procedures.

The overlap between NIS2 security measures and GDPR's Article 32 (security of processing) is substantial. DPOs who already advise clients on technical and organizational measures under GDPR are well-positioned to extend this advice to NIS2 compliance.

Management Liability — The Game Changer

The most significant change NIS2 introduces is personal liability for management. Article 20 requires that management bodies approve and oversee the implementation of cybersecurity measures. They must also undergo cybersecurity training. Importantly, management bodies can be held personally liable for infringements.

Fines under NIS2 are substantial: up to EUR 10 million or 2% of global annual turnover for essential entities, and up to EUR 7 million or 1.4% of global turnover for important entities. These are in addition to, not instead of, GDPR fines.

This personal liability aspect is what drives urgency among management. As a DPO, you can use this to secure budget and attention for compliance projects that might otherwise be deprioritized. Board members who previously viewed GDPR as a cost center are suddenly very interested in compliance when their personal assets are at stake.

How DPOs Can Help Clients with NIS2

As an external DPO, you already have deep knowledge of your clients' data processing landscape, security measures, and organizational structure. This makes you the natural advisor for NIS2 compliance: you do not need to start from scratch.

Start by mapping the overlap between GDPR and NIS2 requirements. Many of the technical and organizational measures your clients already have for GDPR (encryption, access controls, incident response procedures) directly satisfy NIS2 requirements. Document this overlap to show clients they are not starting from zero.

Offer NIS2 readiness assessments as an add-on service. A structured checklist that covers all NIS2 obligations, mapped against what the client already has in place, provides immediate value and positions you for ongoing compliance monitoring.

Use a tool that supports both GDPR and NIS2 in a unified dashboard. Maintaining separate systems for GDPR compliance and NIS2 readiness doubles your workload and makes it harder to identify synergies. Trustee.eu combines both in one view, so you can advise holistically.

Pro Tip: Lead with Liability

When approaching clients about NIS2, lead with personal management liability rather than technical requirements. A CEO who shrugs at "you need better incident response procedures" pays immediate attention to "you are personally liable for cybersecurity failures, and fines go up to EUR 10 million." Frame NIS2 as a board-level governance issue, not an IT project.