1. Do the GDPR and the NIS2 Act apply to my organization?
To understand the obligation to report incidents under the GDPR and the NIS2 Act, it is necessary to consider the scope of both regulations.
The GDPR has a very broad scope which can be summarized as being aimed at the protection of personal data of EU citizens and the processing of personal data by EU organizations or organizations that focus on the EU market.
The scope of the NIS2 Act is also broad and has been greatly expanded compared to its predecessor.
The NIS2 Act focuses on the security of network and information systems and applies to a wide array of organizations. An extensive description of the scope of the NIS2 Act can be found in our earlier newsletter (in Dutch) via the following hyperlink: https://monardlaw.be/nl/stories/ingelicht/nis2-cybersecurity-met-tanden/.
The scope of the GDPR and the NIS2 Act is therefore different, but overlap is certainly possible. After all, any organization that falls within the scope of the NIS2 Act and processes personal data in the context of its activities is also subject to the provisions of the GDPR. It is therefore important for your organisation to take both regulatory frameworks into account.
2. What exactly is an “incident”?
Both regulations use different but similar definitions of incidents. An incident under the GDPR – better known as a “data breach” – obviously involves personal data. The NIS2 Act uses the concept of an “incident” as such, and it is the qualifier “significant” that determines whether the obligation to report incidents applies to organizations that fall within the scope of the NIS2 Act.
A personal data breach can occur frequently and in a variety of scenarios. The GDPR defines a data breach as “a breach of security that leads to the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.”
In summary, we distinguish three types of data breaches, namely personal data that:
- is disclosed in an unauthorised or unlawful manner to, or accessed by, a recipient who is not authorised to receive (or have access to) the data, or is otherwise processed in a manner that violates the GDPR (breach of confidentiality);
- is inaccessible or destroyed in an accidental or unauthorised manner, where the inaccessibility may be either permanent or temporary, to the extent that it has an impact on the rights and freedoms of natural persons (breach of availability);
- has been altered in an unintentional or unauthorised manner (breach of integrity).
A combination of two or more of the above elements is also considered to be a personal data breach.
As such, a personal data breach does not only occur where individuals intentionally or in bad faith (e.g. hackers) try to obtain personal data or prevent access to it. Less intrusive incidents may also constitute personal data breaches. Incidentally, data breaches may pertain to physical carriers of personal data or digital files.
Under the NIS2 Act, an “incident” is defined as an “event that compromises the availability, authenticity, integrity or confidentiality of data stored, transmitted, or processed or of the services offered by or accessible through network and information systems.”
In summary, we can conclude that the concepts of “incident” under the GDPR and the NIS2 Act both focus on security breaches and risks, with the GDPR focusing on incidents involving personal data and the NIS2 Act on incidents involving network and information systems.
3. Incident identified: what reporting obligations must my organisation comply with?
When we reflect on the actual obligation to report incidents under the GDPR and the NIS2 Act, once again we can identify both similarities and differences.
Obligation to report incidents under the GDPR
Under the GDPR, organisations acting as data controllers must report any data breach to the Belgian Data Protection Authority within 72 hours of becoming aware of it, insofar as the data breach poses a risk to the rights and freedoms of the data subjects. In addition, it is also possible that the data breach must be communicated to the data subjects, namely when the data breach poses a high risk to the rights and freedoms of data subjects.
When your organisation acts as a data processor and a data breach occurs, it must notify the data controller without undue delay after becoming aware of the data breach and communicate key information about the data breach.
Obligation to report incidents under the NIS2 Act
The NIS2 Act imposes an obligation on organizations that fall within its scope to report so-called “significant” incidents to the national computer security incident response team (CSIRT). The NIS2 Act defines a “significant” incident as any incident that has a significant impact on the provision of services in the highly critical sectors or other critical sectors of Annexes I and II of the NIS2 Act and that:
- has caused, or is likely to cause, a serious operational disruption to the provision of services in those sectors, or has caused, or is likely to cause, financial losses to the entity concerned; or
- has affected or is likely to affect other natural or legal persons by causing significant material or non-material damage.
In the event of a “significant” incident, the NIS2 Act provides for a cascade of reporting obligations. The first reporting deadline is set at 24 hours after becoming aware of the significant incident. A clear-cut and effective procedure for handling incidents is therefore indispensable in order to be able to comply with your organisation’s reporting obligations under the NIS2 Act.
4. Conclusion
While both the GDPR and the NIS2 Act contain reporting obligations aimed at protecting personal data and network and information systems, they differ in scope and specific requirements.
It is therefore essential for your organization to keep a clear overview of the requirements under both regulations and to make a concrete assessment for each incident. We recommend that your organization prepares itself in advance by, among other things, developing a clear compliance procedure. In doing so, your organization has the necessary tools to take timely action and avoid the far-reaching sanctions under both regulations. Our team of experts can assist you in that endeavour.
If your organization has questions about data breaches, cybersecurity incidents or other questions related to privacy and data protection and the NIS2 Act, please do not hesitate to contact the Monard Law team.