Source: OJ L 333, 27.12.2022, p. 80–152
Article 35 Infringements entailing a personal data breach
Summary: What does Article 35 of the NIS 2 directive say?
This article acts as an important coordination and anti-duplication bridge between this Directive and the GDPR (Regulation (EU) 2016/679).
It addresses the specific scenario where a cybersecurity infringement by an essential or important entity also triggers a personal data breach.
It establishes a notification duty between competent authorities under this Directive and data protection supervisory authorities, and critically, it prevents an entity from being hit with an administrative fine under both regimes for the same underlying conduct.
Important points:
- Competent authorities are required to notify the relevant data protection supervisory authority without undue delay when a cybersecurity infringement could also constitute a notifiable personal data breach.
- Where a data protection supervisory authority has already imposed an administrative fine for the same conduct, competent authorities under this Directive cannot additionally impose an administrative fine under Article 34 — though other enforcement measures remain available.
- Where the relevant data protection supervisory authority sits in a different Member State, the competent authority must also inform the data protection supervisory authority within its own Member State of the potential breach.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
1. Where the competent authorities become aware in the course of supervision or enforcement that the infringement by an essential or important entity of the obligations laid down in Articles 21 and 23 of this Directive can entail a personal data breach, as defined in Article 4, point (12), of Regulation (EU) 2016/679 which is to be notified pursuant to Article 33 of that Regulation, they shall, without undue delay, inform the supervisory authorities as referred to in Article 55 or 56 of that Regulation.
2. Where the supervisory authorities as referred to in Article 55 or 56 of Regulation (EU) 2016/679 impose an administrative fine pursuant to Article 58(2), point (i), of that Regulation, the competent authorities shall not impose an administrative fine pursuant to Article 34 of this Directive for an infringement referred to in paragraph 1 of this Article arising from the same conduct as that which was the subject of the administrative fine under Article 58(2), point (i), of Regulation (EU) 2016/679. The competent authorities may, however, impose the enforcement measures provided for in Article 32(4), points (a) to (h), Article 32(5) and Article 33(4), points (a) to (g), of this Directive.
3. Where the supervisory authority competent pursuant to Regulation (EU) 2016/679 is established in another Member State than the competent authority, the competent authority shall inform the supervisory authority established in its own Member State of the potential data breach referred to in paragraph 1.
Relevant recitals
Recital 136 Cooperation rules for GDPR infringements
This Directive should establish cooperation rules between the competent authorities and the supervisory authorities under Regulation (EU) 2016/679 to deal with infringements of this Directive related to personal data.
This Springlex text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.