Article 35

Infringements entailing a personal data breach

1.   Where the competent authorities become aware in the course of supervision or enforcement that the infringement by an essential or important entity of the obligations laid down in Articles 21 and 23 of this Directive can entail a personal data breach, as defined in Article 4, point (12), of Regulation (EU) 2016/679 which is to be notified pursuant to Article 33 of that Regulation, they shall, without undue delay, inform the supervisory authorities as referred to in Article 55 or 56 of that Regulation.

2.   Where the supervisory authorities as referred to in Article 55 or 56 of Regulation (EU) 2016/679 impose an administrative fine pursuant to Article 58(2), point (i), of that Regulation, the competent authorities shall not impose an administrative fine pursuant to Article 34 of this Directive for an infringement referred to in paragraph 1 of this Article arising from the same conduct as that which was the subject of the administrative fine under Article 58(2), point (i), of Regulation (EU) 2016/679. The competent authorities may, however, impose the enforcement measures provided for in Article 32(4), points (a) to (h), Article 32(5) and Article 33(4), points (a) to (g), of this Directive.

3.   Where the supervisory authority competent pursuant to Regulation (EU) 2016/679 is established in another Member State than the competent authority, the competent authority shall inform the supervisory authority established in its own Member State of the potential data breach referred to in paragraph 1.

Frequently Asked Questions

If the competent authorities discover, in the course of supervision or enforcement, that an essential or important entity's failure to comply with its NIS2 obligations can entail a personal data breach, they must without undue delay inform the responsible data protection supervisory authorities under the GDPR (Regulation (EU) 2016/679), ensuring coordinated oversight and proper handling of the incident.
No, organizations will not face double penalties from both NIS2 and the data privacy rules for the same issue; if an administrative fine is already given under the data protection law, NIS2 authorities cannot issue another monetary fine for the exact same violation, though they may still apply other non-financial enforcement actions.
If the responsible supervisory authority on data protection is located in a different EU country, then the authority managing NIS2 compliance must inform their own country’s data protection body about the potential data breach, ensuring coordination and awareness between authorities in different Member States to effectively handle the incident.
Under NIS2, authorities can apply various enforcement actions other than fines, such as warnings, instructions to correct the violation, mandatory actions to improve cybersecurity measures, audits, or ongoing monitoring processes, making sure entities follow the rules to prevent future cybersecurity incidents and protect personal data.
