BDO: Data Protection and NIS2 Directive Are Inextricably Linked

BDO AG clarifies how the implementation of Germany's NIS2 directive intertwines cybersecurity and data protection obligations. Companies must integrate these requirements for efficient regulatory compliance.

22 June 2026

BDO AG, a firm specializing in auditing and advisory services, emphasized on December 18, 2025, that the implementation of Germany's NIS2 directive has closely aligned data protection and cybersecurity requirements. This legal development introduces significant new obligations for affected entities.

The directive mandates that companies classified as "particularly important" or "important entities" implement substantially enhanced cybersecurity measures. Concurrently, the obligations under the EU's General Data Protection Regulation (GDPR) for protecting personal data remain in effect. BDO suggests that integrating NIS2 and GDPR compliance efforts can help companies avoid redundant structures and build a robust, efficient compliance architecture.

Germany's NIS2 implementation broadens requirements for "particularly important" and "important entities." While technical cybersecurity often receives primary attention, the close legal and organizational interplay between NIS2 and GDPR is frequently underestimated. Many obligations under the German Act on Information Security (BSIG) directly overlap with GDPR stipulations.

According to BDO, achieving NIS2 compliance in isolation is challenging without structured information and IT security management. Conversely, merging these regulatory frameworks presents an opportunity to strategically develop existing GDPR, Information Security Management Systems (ISMS), and IT governance structures. Companies should identify how NIS2 requirements—such as risk management, technical and organizational measures, and supply chain security—connect with established GDPR practices.

Original source: bdo.de