Ransomware encrypts a hospital’s systems. In the following hours, the legal team faces two clocks running in parallel: the NIS2 deadline to notify the national CSIRT and the GDPR deadline to notify the supervisory authority if patient data has been compromised. These are two distinct obligations, with different content, addressed to different authorities, and with different consequences if missed. Confusing the two is one of the most costly mistakes healthcare organizations make when managing an incident under pressure.
NIS2 and GDPR coexist in the healthcare sector as simultaneously applicable frameworks. The NIS2 Directive entered into force at European level on 16 January 2023, with a transposition deadline of 17 October 2024. The transposing law is still under parliamentary procedure in Spain, but the directive’s obligations are the operational reference that any hospital should be working towards now. For most hospitals, diagnostic centres and medical device manufacturers, this means having two active regulatory frameworks simultaneously, with distinct logic, but with overlap zones that must be managed with precision.
What each framework regulates: objectives and underlying logic
GDPR protects the fundamental rights of natural persons in relation to the processing of their personal data. Its logic is one of data subject protection: ensuring that health data is processed with a legitimate legal basis, that the patient can exercise their rights, that the controller implements technical and organizational measures proportionate to the risk, and that any breach likely to affect the rights of data subjects is notified.
NIS2 protects the resilience and security of networks and information systems in sectors critical to the economy and society. Its logic is one of operational continuity: ensuring that essential and important entities have the capacity to prevent incidents, detect them, respond and recover. It is not directly concerned with who owns the compromised data; it is concerned with healthcare services continuing to function and with significant incidents being reported to the national CSIRT or competent authority so that the threat picture can be shared.
These are complementary frameworks, not redundant ones. GDPR applies when personal data is involved. NIS2 applies when there is a significant incident affecting the entity’s systems, regardless of whether personal data is affected or not.
Who is obligated in the healthcare sector
GDPR applies to any organization processing patient, employee or supplier personal data, from a two-person dental practice to a major university hospital. Scale does not exempt from the obligation to have a legal basis, records of processing activities and proportionate security measures.
NIS2 applies to a more specific subset of the sector. Healthcare providers are listed in Annex I of the directive (sectors of high criticality): those exceeding the ceiling for medium-sized enterprises (large organizations) are classified as essential entities, while medium-sized providers are classified as important entities. Diagnostic service providers and clinical laboratories fall under the same healthcare provider category and follow the same size logic. Manufacturers of medical devices and in vitro diagnostic devices are listed in Annex II and are important entities when they reach medium size; devices considered critical during a public health emergency are covered by Annex I. Both categories have obligations, though essential entities are subject to proactive (ex ante) supervision and important entities to reactive (ex post) supervision.
The practical reality is that most relevant-sized public and private hospitals in Europe are simultaneously obligated by both frameworks.
5 Key differences between NIS2 and GDPR
- Object of protection. GDPR protects personal data. NIS2 protects information systems and service continuity. An incident affecting only system availability without compromising personal data triggers NIS2 but not GDPR. Unlawful processing of personal data without any security incident triggers GDPR but not NIS2.
- Supervisory authority. GDPR is supervised by national data protection authorities (the CNIL in France, the AEPD in Spain; the ICO plays the same role for the UK GDPR). NIS2 is supervised by national cybersecurity authorities and CSIRTs. These are distinct institutions with distinct investigative powers.
- Focus of obligations. GDPR requires security measures proportionate to the risk for personal data processed, with particular attention to special category data such as health data. NIS2 requires a cybersecurity risk management framework with specific components: security policies, incident management, business continuity, supply chain security, staff training and specific technical controls.
- Management accountability. GDPR establishes accountability of the controller, which can be a legal entity. NIS2 adds direct personal accountability of the management body, which must approve and oversee the cybersecurity risk management measures and can be held liable for non-compliance; for essential entities, supervisors can also temporarily prohibit the CEO or legal representative from exercising management functions.
- Maximum penalties. GDPR sets fines of up to 20 million euros or 4% of global annual turnover for the most serious infringements. NIS2 requires Member States to set a maximum of at least 10 million euros or 2% of global annual turnover for essential entities, and at least 7 million euros or 1.4% for important entities; national transpositions may set higher ceilings. In practice, an incident triggering both frameworks can accumulate penalties from both authorities independently.
Where they overlap: the scenario that activates both frameworks simultaneously
The most critical and most frequent overlap is a cybersecurity incident with compromised health data. A ransomware attack encrypting hospital systems and exfiltrating patient records simultaneously triggers:
Under NIS2: obligation to notify the CSIRT (or the competent authority) within 24 hours of becoming aware of the significant incident (early warning, stating whether the incident is suspected to be malicious and whether it may have cross-border impact), within 72 hours (incident notification with an initial assessment of severity, impact and indicators of compromise) and a final report no later than one month after the incident notification was submitted. The notification content is technical: which systems were affected, what impact on service, what containment measures were taken.
Under GDPR: obligation to notify the supervisory authority within 72 hours of the controller becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of data subjects. Health data is special category data, so that exemption will rarely apply and the notification threshold is effectively low. The notification content is different: what data was affected, how many data subjects, what likely consequences for patients, what corrective measures.
If the breach is likely to result in a high risk to the rights and freedoms of data subjects, which is the normal case when health records are exfiltrated, the data subjects themselves must also be informed without undue delay, with clear information about what data was compromised and what they can do to protect themselves.
The two notifications run in parallel, have different content and go to different recipients. Managing them as one is an error that supervisory authorities have documented in their incident response guidelines.
Notification deadlines: the double-clock trap
In practice, the incident occurs at 3am, the IT team detects it at 6am and management becomes aware at 9am. From that moment:
The NIS2 24-hour deadline for the early warning starts running from the moment the entity becomes aware of the significant incident. The GDPR 72-hour deadline starts running from the moment the controller becomes aware of the breach. Neither clock waits for the 9am management briefing: in both cases, awareness is normally the point at which the organization has a reasonable degree of certainty that the incident occurred, which in the example above is closer to the 6am detection. If the organization has no clear definition of the “awareness” moment, the deadline may have started earlier than the legal team assumes, and a late notification, which under GDPR must be accompanied by the reasons for the delay, becomes an additional infringement to defend.
The key to managing this situation is having an incident response protocol that defines: who has the authority to declare the “moment of awareness”, who notifies which authority with what content, and how the cybersecurity team, DPO and management coordinate in the first hours. Without that documented and rehearsed protocol, the pressure of an incident leads to procedural errors that complicate the situation before supervisors.
For organizations building this protocol from scratch, staying compliant with NIS2 provides practical guidance on the ongoing operational requirements that the framework imposes beyond the initial implementation.
Penalties: which applies in each case and how they accumulate
NIS2 and GDPR penalties are independent of each other. A breach generating penalties from both authorities means the sum of two separate sanctioning procedures, with different limitation periods and different grading criteria.
What determines which penalty applies is not the incident itself, but the framework under which the non-compliance is assessed. If the non-compliance is failing to implement adequate cybersecurity risk management measures, the NIS2 supervisor sanctions. If the non-compliance is failing to notify the data breach to the supervisory authority within 72 hours, the data protection authority sanctions. If both non-compliances exist simultaneously, both supervisors can act independently.
Sanctioning doctrine from European data protection authorities in recent years shows progressive tightening in the healthcare sector, with decisions applying aggravating criteria for the special sensitivity of health data. The entry into force of NIS2 adds a second sanctioning front with supervisors who have active inspection powers for essential entities.
How to build a program that covers both frameworks
The temptation is to manage NIS2 and GDPR as two separate projects with two distinct teams. This is the most expensive approach and the one generating the most duplication. The efficient approach is to identify common controls and build them once.
Risk assessment as the central axis. Both GDPR and NIS2 require a risk assessment. They are assessments with different methodologies (GDPR uses the concept of Data Protection Impact Assessment, NIS2 uses cybersecurity risk management) but they can share the information asset inventory and threat identification. A well-structured risk assessment approach reduces duplicated work between the two frameworks.
DPO and security officer coordinated. GDPR may require a DPO (mandatory for hospitals under Article 37 of the GDPR). NIS2 does not name a specific security officer role, but it makes the management body responsible for the cybersecurity program, and several national transpositions require designating an information security officer with the competences to run it. In small or medium hospitals, these functions can overlap in the same person or the same external team. An external DPO can cover the privacy dimension while a cybersecurity team covers the NIS2 dimension, with formal coordination between both.
A single incident register. The security incident register required by NIS2 and the breach register required by GDPR (Article 33.5) can be maintained in a single system with specific fields for each framework, reducing administrative work and facilitating audit by both authorities.
Unified notification policy with different recipients. The incident response protocol must explicitly identify which events trigger only NIS2, which trigger only GDPR and which trigger both simultaneously, with notification recipients, deadlines and responsible parties for each communication. This policy needs annual review and testing.
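The two clocks described in the double-clock section and the trigger rules of the unified notification policy are easy to state and easy to get wrong under pressure, so it helps to encode them. The following calculator is an added example, not code from the original page or from PrivaLex. It assumes a single awareness timestamp declared by the protocol owner for both frameworks (taken as the technical detection time, not the management briefing), the NIS2 Article 23 deadlines (24 h, 72 h, final report one month after the incident notification is submitted), the GDPR Article 33 deadline (72 h) and the Article 34 duty to inform data subjects without a fixed hour limit. The scenario timestamps and the notification keys are constructed for illustration.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Mapping, Optional, Set, Union


def ts(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp; naive values are treated as UTC."""
    t = datetime.fromisoformat(iso)
    return t if t.tzinfo else t.replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class Incident:
    occurred_at: datetime
    detected_at: datetime             # technical team established the incident
    management_informed_at: datetime  # board / legal briefed (NOT the clock start)
    significant_service_impact: bool  # NIS2 "significant incident", as judged by the protocol owner
    personal_data_affected: bool      # personal data breach in the GDPR sense
    high_risk_to_data_subjects: bool = False  # e.g. health records exfiltrated (Art. 34)


def awareness_moment(inc: Incident) -> datetime:
    """Clock start used by the protocol: the moment the organisation had reasonable
    certainty that the incident occurred. Assumption: detection by the technical team,
    not the later management briefing. Starting at the briefing is the double-clock trap."""
    return inc.detected_at


def applicable_frameworks(inc: Incident) -> Set[str]:
    """NIS2 on significant service impact, GDPR on a personal data breach, both if both."""
    frameworks = set()
    if inc.significant_service_impact:
        frameworks.add("NIS2")
    if inc.personal_data_affected:
        frameworks.add("GDPR")
    return frameworks


def add_one_month(d: datetime) -> datetime:
    """Same day next month, clamped to the last day of that month (31 Jan -> 28 Feb)."""
    year, month = d.year + d.month // 12, d.month % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])
    return d.replace(year=year, month=month, day=day)


Deadline = Union[datetime, str]


def notification_deadlines(inc: Incident,
                           nis2_notification_submitted_at: Optional[datetime] = None) -> Dict[str, Deadline]:
    """Deadline per notification, keyed by 'framework step -> recipient' (keys are illustrative)."""
    t0 = awareness_moment(inc)
    fw = applicable_frameworks(inc)
    out: Dict[str, Deadline] = {}
    if "NIS2" in fw:
        out["NIS2 early warning -> CSIRT"] = t0 + timedelta(hours=24)
        out["NIS2 incident notification -> CSIRT"] = t0 + timedelta(hours=72)
        # The final report is due one month after the incident notification was actually
        # submitted; until it has been, assume submission at the 72 h limit (worst case).
        submitted = nis2_notification_submitted_at or out["NIS2 incident notification -> CSIRT"]
        out["NIS2 final report -> CSIRT"] = add_one_month(submitted)
    if "GDPR" in fw:
        out["GDPR Art. 33 notification -> supervisory authority"] = t0 + timedelta(hours=72)
        if inc.high_risk_to_data_subjects:
            out["GDPR Art. 34 communication -> data subjects"] = "without undue delay"
    return out


def overdue_notifications(inc: Incident, sent_at: Mapping[str, datetime]) -> List[str]:
    """Keys of timed notifications that were sent after their deadline or not sent at all."""
    late = []
    for key, deadline in notification_deadlines(inc).items():
        if not isinstance(deadline, datetime):
            continue  # 'without undue delay' has no fixed hour limit to compare against
        sent = sent_at.get(key)
        if sent is None or sent > deadline:
            late.append(key)
    return late


def clock_slippage_hours(inc: Incident) -> float:
    """Hours the legal team wrongly believes it still has if it counts from the briefing."""
    return (inc.management_informed_at - inc.detected_at).total_seconds() / 3600


# Constructed scenario from the text: incident at 03:00, detected 06:00, management aware 09:00.
SAMPLE_RANSOMWARE = Incident(
    occurred_at=ts("2025-03-10T03:00:00"),
    detected_at=ts("2025-03-10T06:00:00"),
    management_informed_at=ts("2025-03-10T09:00:00"),
    significant_service_impact=True,
    personal_data_affected=True,
    high_risk_to_data_subjects=True,
)

if __name__ == "__main__":
    for key, deadline in notification_deadlines(SAMPLE_RANSOMWARE).items():
        print(f"{key}: {deadline}")
    print(f"clock slippage if counted from the briefing: {clock_slippage_hours(SAMPLE_RANSOMWARE):.0f} h")
```

Run stand-alone, the script prints the four timed deadlines plus the untimed Article 34 duty for the ransomware scenario, all anchored at 06:00 on the detection day. The `overdue_notifications` check is what the annual test of the notification policy should exercise: feed it the timestamps from a tabletop exercise and it names the communications that would have been late. The design choice to return the Article 34 communication as a string rather than a timestamp is deliberate; giving it a fake hour limit would invite the team to treat it as less urgent than it is.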
Staff training as a shared control. Both GDPR (Article 39) and NIS2 require staff training in security and privacy. A well-designed training program can cover the obligations of both frameworks with a single annual training plan, reducing cost and ensuring consistent messaging. A GDPR audit of the existing privacy program is often a useful starting point to identify where NIS2 obligations can be layered on top without rebuilding from scratch.
How PrivaLex helps
PrivaLex works with hospitals, diagnostic centres and medical device manufacturers on the integrated implementation of NIS2 and GDPR. The starting point is always a gap analysis identifying which controls required by each framework already exist, which are missing and which can be built once to cover both.
The result is a compliance program that does not duplicate work, that generates evidence reviewable by the supervisory authority, national CSIRT and external auditors, and that includes the incident response protocol with both notification clocks already calibrated. For organizations without an internal DPO, PrivaLex can take on that function externally while coordinating the NIS2 cybersecurity program with the client’s technical team.
For organizations already managing NIS2 implementation in Spain or at the European level, understanding how it intersects with GDPR obligations specific to healthcare is where the most compliance risk tends to concentrate.
Conclusion
NIS2 and GDPR are not competitors or substitutes: they are complementary frameworks that are triggered by different events but in the healthcare sector frequently converge on the same incident. The key is not choosing which to comply with first, but building a program that manages them in a coordinated way, with a single asset inventory, a single incident register, a notification protocol that differentiates the two clocks and a clear assignment of responsibilities between the DPO, the security officer and management.
If you want to understand where your healthcare organization’s gaps are with respect to NIS2 and GDPR, request your free risk assessment. If you already have a defined scope, book a session with our team.
Frequently Asked Questions
It depends on size and service criticality. NIS2 directly applies to hospitals exceeding the size thresholds defined by the directive (generally medium and large organizations). Small hospitals and small private clinics may fall outside the direct scope of NIS2, though they remain fully obligated by GDPR for processing health data. Each Member State’s transposition may specify additional thresholds or sector-specific criteria, so verifying the exact scope with up-to-date legal advice is advisable.
No. NIS2 and GDPR have distinct objectives and their obligations are not interchangeable. Complying with NIS2 (cybersecurity measures, incident management, CSIRT notification) does not substitute GDPR obligations: legal basis for each processing activity, records of processing activities, processor contracts, data subject rights, impact assessments and notification to the supervisory authority in the event of a breach. They are two distinct programs, though they can share common controls and baseline documentation.
The CSIRT is notified when there is a significant incident in information systems under NIS2: maximum 24 hours from awareness for the early warning and 72 hours for the incident notification, followed by a final report one month after that notification. The supervisory authority is notified when there is a personal data breach that is not unlikely to result in a risk to the rights of data subjects: maximum 72 hours from awareness of the breach. If the incident affects both systems and patient data (the most common scenario in a hospital ransomware attack), both notifications are mandatory independently, with different content and different recipients.
Yes. Article 37 of the GDPR establishes the mandatory nature of the DPO for organizations whose core activity consists of large-scale processing of special categories of data, which includes health data. Hospitals, clinics with relevant patient volumes and diagnostic centres fall under this provision. The DPO may be internal or external but must have the necessary specialist knowledge and the organizational position to act independently.
Yes. They are independent sanctioning procedures from different authorities. A cybersecurity incident with compromised patient data can result in a penalty from the NIS2 supervisory authority for failing to implement adequate risk management measures, and simultaneously in a penalty from the data protection authority for failing to notify the data breach within the 72-hour deadline or for having insufficient security measures for special category data. The accumulation is not limited by either framework.
Medical device manufacturers of a certain size may be classified as important entities under NIS2, with cybersecurity obligations that extend to the security of their software and hardware supply chain. This means the hospital purchasing and operating a medical device can contractually require the manufacturer to provide NIS2 compliance evidence as part of the procurement relationship. Simultaneously, if the manufacturer processes patient health data (for example, through telemetry or cloud diagnostics platforms), GDPR applies in full to that processing.
