What is the difference between a GDPR breach and a NIS2 incident?

A GDPR breach concerns personal data where the confidentiality, integrity, or availability of personal data has been compromised. A NIS2 incident concerns network and information systems where the operation of critical services is disrupted or threatened. The same security breach can trigger requirements from both regulatory frameworks simultaneously.

When must a security breach be reported to the supervisory authority?

A personal data breach must be reported to the supervisory authority as soon as possible and no later than 72 hours after identifying the breach. If the breach is assessed as having no consequences for data subjects, notification is not required, but in practice you will often need to file a report. All breaches must be documented in a log regardless of notification.

What are the reporting deadlines under NIS2?

Under NIS2, an early warning must be submitted to the CSIRT within 24 hours. Within 72 hours of the incident, an updated notification with an assessment of severity and impact must be submitted. Within 1 month, a detailed report must be filed containing a thorough description of the incident, root cause, and mitigation measures.

Who must be notified following a personal data breach?

The supervisory authority must be notified within 72 hours. Additionally, the affected data subjects must be notified as soon as possible if the breach is assessed as likely to negatively affect them. The notification should enable those affected to protect themselves against the consequences of the breach.

What must be documented during a security breach?

You must document a description of the breach, the categories of affected personal data and the number of affected data subjects, the likely consequences for data subjects, and the measures your organisation has implemented or will implement to handle the breach. Under NIS2, you must also have documented procedures for risk management and incident handling.

Who in the organisation should be involved in a security breach?

The IT department should identify and contain the breach. Compliance officers must ensure proper documentation and authority notification. Management should be involved early, as the breach can affect operations, reputation, and finances. All employees with a role in handling the breach should know their responsibilities in advance.

How can organisations identify security breaches themselves?

According to IBM's Cost of a Data Breach 2024 report, organisations identified only 42% of security incidents themselves. To improve this, your organisation should implement technical and organisational monitoring measures, establish clear incident handling procedures, and train all employees to recognise and report potential security breaches.

Compliance › Compliance

Security Breach: GDPR, NIS2 and Incident Handling

Q: Can the same security breach trigger both GDPR and NIS2 requirements?

Yes. If a security breach involves both personal data and affects the operation of network or information systems, you must handle the requirements from both regulatory frameworks simultaneously. This means reporting to both the supervisory authority (GDPR) and the CSIRT (NIS2) as well as documenting the entire process.

A security breach can trigger requirements under both GDPR and NIS2. Understand the difference, learn the notification deadlines, and see how your organisation should handle security breaches in practice.

Illustration of a cracked security shield with warning symbols and a document, representing security breach management under GDPR and NIS2.

A security breach is an incident that compromises your organisation, whether it's an outsider slipping through the front door or an employee accidentally sending an email to the wrong recipient.

There are several perspectives on what constitutes a security breach.

In the context of IT security, a security breach is any incident that compromises your organisation's network and systems, whether it takes a server offline briefly or leaks all customer data.

When a security breach involves personal data, it's called a personal data breach and you must comply with the GDPR. If the breach instead compromises the company's network and disrupts operations or brings a critical service down, it's a cybersecurity incident covered by the NIS2 Directive.

The same security breach can be both a personal data breach under GDPR and an incident covered by NIS2, meaning you need to handle the requirements from both regulatory frameworks simultaneously and document the entire process.

Security breaches are therefore not just a technical problem but also a compliance challenge, because your organisation is subject to different regulations that must be followed when a breach occurs.

GDPR and Security Breaches

A personal data breach is a security incident under GDPR. It occurs when you lose control over the confidentiality, integrity, or availability of personal data, which can happen when personal data is lost, altered, destroyed, or shared with unauthorised parties.

Illustration of a GDPR document with checkboxes and a clock, symbolising the 72-hour notification deadline for personal data breaches.

In practice, a personal data breach can range from a hacking attack or ransomware (where data is locked and a ransom demanded) to an employee sending information to the wrong recipient or losing a laptop on a train. A personal data breach can also occur internally if an employee intentionally or inadvertently shares data that shouldn't have been shared.

Notification to the Supervisory Authority

When a personal data breach occurs, you must notify the supervisory authority as soon as possible and no later than 72 hours after identifying the breach. If the breach is assessed as having no consequences for the data subject, notification isn't required, but in practice you'll often need to file one.

All identified personal data breaches must be documented in a log, regardless of whether they are reported to the supervisory authority. Your documentation should include:

A description of the personal data breach.
The categories of personal data and the approximate number of affected data subjects.
A description of the likely consequences of the breach for the data subjects.
A description of the measures your organisation has implemented or will implement to handle the breach and limit the potential adverse effects for the data subjects.

You can record this in a spreadsheet, GDPR compliance system, or similar tool.

Notification of Data Subjects

You must also notify the affected individuals of a personal data breach if it's assessed that they will be negatively affected. This notification must be made as soon as possible so those affected can protect themselves against the consequences of the breach.

NIS2 and Security Breaches

Under the NIS2 Directive, security breaches are viewed as incidents affecting network or information systems that disrupt or threaten to disrupt the operation of those systems.

Significant Incident

An incident is considered significant if it has caused or is capable of causing severe operational disruptions to services or financial losses for the affected entity. It's also a significant incident if it has affected or is capable of affecting other persons or organisations by causing considerable damage.

Illustration of a security shield with a network pattern and warning symbols, representing NIS2 requirements for cybersecurity incidents.

Reporting Significant Incidents

Significant incidents must be reported to the national CSIRT (Computer Security Incident Response Team). In Denmark, this is the Centre for Cyber Security.

An early warning must be submitted within 24 hours of becoming aware of the significant incident. The warning should indicate whether the incident is suspected to be a deliberate act and whether it could have cross-border impact.

Within 72 hours of the significant incident, an updated notification must be submitted to the CSIRT, providing an initial assessment of the severity and impact and describing the indicators of the incident.

Within 1 month of the previous notification, a detailed report of the incident must be submitted, containing:

A detailed description of the incident, including its severity and impact.
The type of threat or root cause that likely triggered the incident.
The applied and ongoing mitigation measures.
The cross-border impact of the incident.

Deadline	GDPR	NIS2
Within 24 hours	No specific requirement	Early warning to CSIRT
Within 72 hours	Notification to supervisory authority	Updated notification to CSIRT
As soon as possible	Notification of data subjects	–
Within 1 month	–	Detailed incident report
Documentation	All breaches logged, regardless of notification	Documented procedures for risk management and incident handling

Near-miss Incident

A near-miss incident is an event that could have endangered the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data, or of the services offered by or accessible via network and information systems, but was successfully prevented from materialising or did not materialise.

Reporting Near-miss Incidents

Essential and important entities may voluntarily submit notifications about near-miss incidents to the national CSIRT. This isn't a requirement but can be beneficial, as it provides an opportunity to consult with the national CSIRT to prevent similar incidents in the future.

This option also applies to organisations that are otherwise not covered by NIS2.

NIS2 Requirements for Handling Security Breaches

NIS2 also places a specific requirement on covered organisations to have documented procedures for both risk management and incident handling, so that incidents can be identified and managed.

This also means that measures must be implemented to prevent security breaches in network and information systems or to reduce their harmful effects.

Handling Security Breaches

According to the IBM "Cost of a Data Breach 2024" report, organisations identified just 42% of security incidents on their own, while external partners (e.g. authorities, ethical hackers) identified 34% on their behalf. The remaining 24% of security incidents were brought to organisations' attention by the attackers themselves.

When a company learns of a security breach from an external source, and particularly from the attackers themselves, the breach is typically more costly. Attackers only publicise their attacks after they've achieved their objective, which makes the breach more expensive to handle.

Illustration of an incident response dashboard with a checklist and notifications, symbolising internal handling and documentation of security breaches.

This is just one of several reasons why it's important to be able to identify security breaches internally.

Your IT department is primarily responsible for identifying security breaches by implementing appropriate technical and organisational measures, but what should everyone else in the organisation do?

First and foremost, your company should establish a procedure for how security breaches are handled, so you're not acting blindly when a breach occurs. Instead, you can take decisive action to contain the negative consequences.

The procedure should set guidelines for all employees who have a role in handling the breach. These employees should also be familiar with their role in advance.

Compliance During a Security Breach

It's important that employees responsible for compliance are involved in handling the breach from the start, so that all regulatory requirements are met immediately rather than as an afterthought. As outlined earlier, there are specific requirements in both GDPR and NIS2 that your organisation must comply with in the event of a security breach.

The compliance officer must ensure that the necessary documentation of the security breach and the company's response is prepared. This documentation is also used for reporting to the authorities and informing those affected by the breach (e.g. customers, users).

It's also important to involve management early, as the breach can have a significant impact on the company's operations, stakeholders, reputation, and finances. Quick decisions are critical in a crisis, so management should be kept informed and closely involved in the response.

Summary

A security breach can trigger both GDPR and NIS2 requirements, depending on whether personal data and/or business-critical systems are affected. It's crucial to be able to identify the breach and then document all actions before, during, and after the breach to comply with the applicable regulatory requirements.

To ensure your organisation is prepared to handle security breaches correctly, you should review your GDPR compliance checklist and make sure procedures are in place for both personal data breaches and cybersecurity incidents.

Want to see how .legal can help you document and manage security breaches across GDPR and NIS2? Book a demo and see the platform in action.

Frequently asked questions about Security Breaches

What is a security breach under GDPR?

Under GDPR, a security breach (personal data breach) is a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data. This covers a wide range of incidents from cyberattacks to accidental data exposure.

What are you required to do when a security breach occurs?

Organizations must assess the breach's severity, document all details, notify the relevant supervisory authority within 72 hours if the breach poses a risk to individuals' rights, and notify affected individuals without undue delay if the breach poses a high risk to their rights and freedoms.

How do you assess the severity of a security breach?

Assess severity by evaluating the type and sensitivity of data affected, number of individuals impacted, potential consequences for those individuals, whether data was encrypted, the likelihood of identification, and any special circumstances that could amplify the impact.

What information must a breach notification to authorities contain?

The notification must describe the nature of the breach, categories and approximate number of individuals affected, categories and approximate number of records concerned, name and contact details of the DPO, likely consequences of the breach, and measures taken or proposed to address it.

What are the most common causes of security breaches?

Common causes include phishing attacks, malware and ransomware, weak or compromised credentials, unpatched software vulnerabilities, human error such as misdirected emails, insider threats, improper data disposal, misconfigured systems, and third-party vendor compromises.

How can organizations prevent security breaches?

Prevention strategies include implementing strong access controls, regular security training, encryption of data at rest and in transit, regular vulnerability assessments, incident response planning, network monitoring, multi-factor authentication, patch management, and vendor security assessments.

What fines can result from a security breach under GDPR?

GDPR fines for security breaches can reach up to 10 million euros or 2% of global annual turnover for inadequate security measures, and up to 20 million euros or 4% of global turnover for violations of data processing principles. Actual fines depend on the breach circumstances and organizational response.

How should you document a security breach?

Document the breach timeline, how it was discovered, data types and volume affected, individuals impacted, root cause analysis, immediate containment actions, long-term remediation measures, communication with authorities and affected individuals, and lessons learned. This documentation is required even for breaches not reported to authorities.

What is the role of a breach response team?

A breach response team coordinates the organization's response to security incidents. It typically includes IT security, legal, communications, management, and the DPO. The team manages containment, investigation, notification, remediation, and post-incident review to minimize damage and ensure regulatory compliance.

How can compliance software help manage security breaches?

Compliance software provides incident management workflows, breach assessment tools, notification templates, deadline tracking, documentation management, communication logs, and reporting capabilities. It helps organizations respond quickly, meet regulatory deadlines, and maintain comprehensive records of breach handling.