Abstract
The article analyses the relationship between the provisions of the GDPR and the NIS2 Directive, with particular emphasis on their complementary nature in the fields of personal data protection and cybersecurity. Both regulations use a risk-based approach; however, the GDPR focuses on protecting the rights of individuals, while NIS2 addresses operational risks in the context of network and information system security. The author discusses similarities between the definitions of an incident and of a personal data breach, and highlights the opportunities for optimizing the management processes for such events within organizations required to comply with both regulations. The article also addresses the issue of avoiding double penalties for the same event.