Cyber security and data protection: joining forces to comply with the NIS2 Directive

Alongside GDPR (General Data Protection Regulation), the ongoing adoption of the NIS2 (Network and Information Security) Directive into the national legislation of the various Member States requires affected operators to consider the organisational changes it entails. For companies to respond effectively, Chief Information Security Officers (CISOs) and Data Protection Officers (DPOs) must pool their expertise through closer collaboration.

NIS2 Directive: new cyber security requirements 

Adopted in late 2022, the European NIS2 Directive aims to significantly raise the level of cyber security within Member States.  

In France, it is estimated that the number of regulated organisations will increase to nearly 10,000, broadening the scope of the NIS1 Directive, which only concerned specific entities. Across the European Union, more than 160,000 organisations may be affected. In other words, most large groups, as well as many other essential or important organisations, will fall within the scope of this directive.

Under NIS2, new regulatory requirements now apply to corporate leadership. Some of these were already part of the ISO 27001 standard. From now on, executives and board members will have to be actively involved in digital risk management, by monitoring key cyber-risk indicators and taking part in dedicated training courses.

In the event of serious non-compliance, these leaders may be held personally liable. For example, the Italian transposition of the NIS2 Directive provides for the temporary suspension of senior executives of non-compliant entities until adequate corrective measures are put in place. 

When the CISO and DPO form a strategic duo 

Historically, the roles of Chief Information Security Officer (CISO) and Data Protection Officer (DPO) had distinct mandates. Now, with the NIS2 directive, the boundary between cyber security and data protection is blurred, and close collaboration is becoming an essential asset in mitigating a wide range of digital risks.  

In practice, these two players must coordinate and harmonise their procedures, such as management of security and privacy requirements, supplier audits, risk analysis of new projects or processing activities and handling cyberattacks involving personal data. Similarly, the NIS2 Directive strengthens the requirements for maintaining compliance documentation, which will be familiar to DPOs. Raising awareness among senior management also appears to be a desirable area for collaboration. 

The DPO must also be integrated into the cyber crisis management system alongside the CISO, in order to ensure effective collaboration and messaging consistency in the event of a significant personal data breach. 

How can effective collaboration be established? 

Perhaps the most effective way to establish collaboration is through a joint governance steering committee for Cyber security & Data Protection, which brings together the CIO, CISO, DPO, Risk Manager, Head of Legal and a sponsor from senior management. This committee can work to align decisions, clarify roles and responsibilities, and standardise reporting lines and deliverables.

In the same spirit, using a single dashboard – one that consolidates cyber security metrics and GDPR compliance indicators – effectively provides corporate management with a unified view of digital risks. Organisations can also improve readiness by running joint crisis simulations that include both cyber security and data protection components. These exercises train stakeholders to work together under pressure while revealing potential friction points between cyber security and privacy procedures.

It is also useful to identify scenarios in which technology risks and compliance risks overlap. In the event of a ransomware attack, for instance, the CISO and the DPO can set up a joint crisis unit to assess both the technical impacts (systems, availability, containment) and regulatory implications (personal data exposure, notification thresholds, communication obligations). With a shared operating picture, it becomes easier to notify the relevant authorities and inform stakeholders in a coordinated and timely manner. 

By effectively meeting the requirements of GDPR and the NIS2 Directive, companies that adopt this approach significantly reduce the risk of operational disruption and legal sanctions. 

Supplier and subcontractor management must reflect the same logic. Partners should be subject to a compliance review that evaluates both security and data protection criteria: security policies, certifications obtained, data residency, GDPR contractual clauses, etc. Finally, training and awareness initiatives aimed at all employees or members of the executive committee should cover best practices in cyber security as well as the protection of personal data. Including a focused module on managers’ GDPR responsibilities gives decision-makers a clearer and more complete understanding of their organisation’s digital risk landscape. 

To best prepare for the NIS2 Directive, the organisational aspect matters just as much as the technical or compliance ones. Clearer role alignment, dedicated joint governance and redesigned reporting channels will be what separates superficial compliance from truly effective and sustainable implementation. By combining their expertise, the CISO and the DPO provide organisations with broader protection across the digital domain and deliver tangible operational and legal value. 