SaaSFort
NIS2 GDPR compliance SaaS comparison cybersecurity EU

NIS2 vs GDPR: What SaaS Vendors Need to Know in 2026

GDPR compliance does not cover NIS2. Here's what differs — scope, security requirements, incident timelines, and where evidence overlaps for SaaS vendors.

· 10 min read · 1,879 words

“We’re GDPR compliant — isn’t that enough for NIS2?”

It’s the most common question SaaS vendors ask when NIS2 comes up in a procurement conversation. The answer is no, and the gap is larger than most compliance teams expect.

GDPR and NIS2 share some vocabulary — risk management, incident notification, technical measures — but they are separate laws with different regulators, different scope criteria, and different specific requirements. Treating NIS2 as a GDPR extension is the fastest way to fail an audit.

This guide covers exactly what differs, where evidence overlaps, and what a GDPR-compliant SaaS vendor typically still needs to add for NIS2.

Who Each Law Applies To

The scope difference is the first place teams go wrong. GDPR applies to any organization that processes EU personal data, regardless of size or sector. A 5-person startup with EU customers is in GDPR scope.

NIS2 applies to organizations in the 18 sectors listed in its Annexes I and II (energy, transport, healthcare, digital infrastructure, managed services, financial markets, and others) that meet the medium-enterprise threshold: 50+ employees OR €10M+ annual turnover. A 30-person SaaS company typically falls outside NIS2 scope. A 50-person company providing managed IT services to German hospitals is in scope.

Criterion | GDPR | NIS2
--- | --- | ---
Who it covers | Any organization processing EU personal data | Entities in the 18 sectors of Annex I and II
Size threshold | None | 50+ employees or €10M+ annual turnover (medium-sized and above)
Regulator | Data Protection Authority (in Germany usually a state DPA; BfDI for federal bodies and telecoms) | CSIRT plus competent authority (BSI in Germany)
Enforcement started | May 2018 | December 2025 in Germany (NIS2UmsuCG)
Max fine | 4% of global turnover or €20M, whichever is higher | 2% of global turnover or €10M for essential entities (1.4% or €7M for important entities)
Personal liability | Fines go to the organization; no direct management liability | Article 20(1) NIS2 and §38 BSIG: management bodies must approve and oversee the measures and can be held liable

The personal liability row matters. GDPR fines go to the organization. NIS2 — specifically Germany’s §38 BSIG implementation — creates direct personal liability for managing directors. They must approve, supervise, and monitor cybersecurity measures. That liability cannot be delegated. For a full breakdown, see our guide on §38 BSIG and personal liability for SaaS CEOs.

Security Requirements: Where GDPR Is Vague, NIS2 Is Specific

GDPR Article 32 requires “appropriate technical and organizational measures” — deliberately vague and risk-based. There is no GDPR-mandated list of controls. A company can satisfy Article 32 in many ways as long as the measures are proportionate to the risk.

NIS2 Article 21 takes the opposite approach: it specifies 10 mandatory control categories that all in-scope organizations must implement. The measures are not optional, and proportionality applies only to the depth of implementation, not to whether controls exist.

Control category | GDPR Article 32 | NIS2 Article 21
--- | --- | ---
Encryption in transit | Named as an example in Art. 32(1)(a), not mandated | Explicit: Art. 21(2)(h) cryptography and encryption, Art. 21(2)(j) secured communications
Access control | Implied ("appropriate measures") | Explicit: Art. 21(2)(i) access control policies, Art. 21(2)(j) multi-factor authentication
Incident response | Implied; Arts. 33/34 cover notification only | Explicit: Art. 21(2)(b), documented incident handling procedures
Business continuity | Partial: Art. 32(1)(c) requires the ability to restore availability, no testing requirement | Explicit: Art. 21(2)(c), backup management, disaster recovery, crisis management
Network security monitoring (external attack surface) | Not required | Art. 21(2)(e) maintenance and vulnerability handling, together with Art. 21(2)(a) risk analysis
Supply chain security | Data processors only (Art. 28) | Explicit: Art. 21(2)(d) and Art. 21(3), any supplier or service provider that could disrupt services
Vulnerability management | Not specified | Explicit: Art. 21(2)(e), vulnerability handling and disclosure with a documented remediation process
DNSSEC, security headers, DMARC | Not mentioned | Not named in the directive; fall under the technical controls of Art. 21(2)(e) and (j)
Cybersecurity training for management | Not required | Art. 20(2) NIS2 and §38 BSIG: mandatory, records required

The last four rows are where GDPR-compliant companies most commonly have gaps when NIS2 arrives. Network security monitoring, supply chain breadth, vulnerability management programs, and management training are NIS2-specific requirements with no GDPR analog.

Incident Reporting: Two Different Clocks

Both laws require incident notification. The timelines, thresholds, and recipients are entirely different.

GDPR Article 33:

  • Trigger: personal data breach only (destruction, loss, alteration, unauthorized disclosure of, or access to, personal data; Article 4(12))
  • Timeline: without undue delay and, where feasible, within 72 hours of becoming aware; no notification is needed if the breach is unlikely to result in a risk to data subjects
  • Recipient: DPA (e.g., the competent state DPA or BfDI in Germany, CNIL in France)
  • Final report: no fixed deadline; information may be provided in phases (Article 33(4))

NIS2 Article 23:

  • Trigger: any “significant incident”, meaning one that has caused or can cause severe operational disruption or financial loss, or considerable damage to other persons (Article 23(3)); not just data breaches
  • Timeline: 24-hour early warning → 72-hour incident notification → final report within one month (plus progress reports on request)
  • Recipient: CSIRT + competent authority (BSI in Germany)
  • What counts: ransomware that disrupts operations, DDoS causing unavailability, supply chain compromise, credential theft affecting service delivery

The critical difference: a ransomware attack that takes down systems holding no personal data (a build cluster, a CDN configuration) requires a NIS2 Article 23 early warning within 24 hours and nothing under GDPR. Do not over-read this: encrypting personal data is itself a personal data breach under GDPR Article 4(12) (loss of availability), so ransomware that hits customer data starts both clocks even when nothing is exfiltrated.

This also means double reporting for incidents that combine service disruption and personal data exposure — you report to BfDI under GDPR and to BSI under NIS2. On different timelines.
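The two clocks above, worked through in code. This is an added example, not part of the original article and not SaaSFort's tooling: it takes the awareness time of an incident plus the two triggers the article describes (service disruption for NIS2 Article 23, personal data exposure for GDPR Article 33) and returns every deadline that applies. The reading of "within one month" as the same calendar day of the next month, clamped to month end, is an assumption made for illustration, not a rule taken from the directive.

```python
"""Added example: compute the NIS2 and GDPR notification clocks for an
incident detected at a given UTC time. Triggers follow the article
(service disruption -> NIS2 Art. 23, personal data breach -> GDPR Art. 33).
ASSUMPTION: "within one month" is read as the same calendar day of the
next month, clamped to month end; the directive does not define it."""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Incident:
    detected_at: datetime        # the moment the organisation became aware (UTC)
    service_disrupted: bool      # NIS2 "significant incident" per the article's triggers
    personal_data_exposed: bool  # GDPR personal data breach


def add_one_month(ts):
    """Same day next month; 31 Jan -> 28 Feb rather than an invalid date."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def notification_plan(incident):
    """Return {regulator: [(step, due_at), ...]} for every clock that applies.
    Both clocks start from the same awareness time and run in parallel."""
    t = incident.detected_at
    plan = {}
    if incident.service_disrupted:
        plan["NIS2 CSIRT/competent authority"] = [
            ("early warning", t + timedelta(hours=24)),
            ("incident notification", t + timedelta(hours=72)),
            ("final report", add_one_month(t)),
        ]
    if incident.personal_data_exposed:
        plan["GDPR data protection authority"] = [
            ("breach notification", t + timedelta(hours=72)),
        ]
    return plan


def next_due(incident, now):
    """Earliest outstanding step as (due_at, regulator, step), or None when
    every deadline has passed."""
    pending = [
        (due, regulator, step)
        for regulator, steps in notification_plan(incident).items()
        for step, due in steps
        if due > now
    ]
    return min(pending) if pending else None


# Constructed scenarios, not real incidents.
# Ransomware on a build cluster that holds no personal data, noticed on
# 31 January 2026 at 14:00 UTC: NIS2 only, and the month-end clamp matters.
RANSOMWARE = Incident(datetime(2026, 1, 31, 14, tzinfo=timezone.utc), True, False)
# The same outage plus exfiltration of customer records: both regulators.
DUAL = Incident(datetime(2026, 1, 31, 14, tzinfo=timezone.utc), True, True)

if __name__ == "__main__":
    for name, inc in (("ransomware", RANSOMWARE), ("dual", DUAL)):
        for regulator, steps in notification_plan(inc).items():
            for step, due in steps:
                print(f"{name}: {regulator}: {step} by {due:%Y-%m-%d %H:%M} UTC")
```

Run it and the ransomware scenario prints only the three NIS2 deadlines, with the final report due on 28 February rather than a non-existent 31 February; the dual scenario adds the GDPR 72-hour notification, which lands at the same moment as the NIS2 incident notification but goes to a different recipient.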

For a step-by-step guide to building an Article 23-compliant workflow, see the NIS2 incident reporting setup guide for SaaS vendors.

Supply Chain: Broader Than Data Processors

GDPR Article 28 covers data processors — vendors who process personal data on your behalf. Your cloud database provider, your email service, your analytics platform. These require data processing agreements.

NIS2 Article 21(2)(d) (supply chain security) and Article 21(3) (taking into account the vulnerabilities specific to each direct supplier and service provider and the quality of their cybersecurity practices) extend supply chain security to any third party whose compromise could disrupt your services. This includes:

  • Your CDN provider (can affect availability even if they hold no personal data)
  • Your DNS provider (compromise could redirect traffic before any personal data is involved)
  • Your CI/CD toolchain (supply chain attack could introduce malicious code)
  • Your domain registrar (hijacking your domain disrupts services entirely)

A GDPR-compliant vendor assessment covers data processors. A NIS2-compliant supply chain assessment covers the full set of vendors who touch your availability, integrity, or confidentiality — regardless of data flows.

What GDPR Misses: External Security Posture

NIS2 Article 21(2)(e) requires “security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure”. Read together with the risk analysis duty in Article 21(2)(a) and the effectiveness assessment in Article 21(2)(f), this is the basis for actively monitoring your external attack surface: what attackers and auditors see from outside your perimeter.

GDPR has no equivalent requirement. A company with strong internal controls and compliant data processing can still fail NIS2 because their external domain shows missing HSTS headers, a DMARC policy set to p=none, or DNSSEC not enabled.

These are the checks that show up in our German SMB Security Posture Benchmark: 87% of German SMBs fail DMARC enforcement, 79% are missing Content-Security-Policy, 71% have not enabled DNSSEC. None of these would trigger a GDPR finding. All of them appear in a NIS2 Article 21 technical audit.

Check your external security posture against NIS2 requirements — 60 seconds, free, no account needed: saasfort.com/scan. New accounts get a 14-day Growth trial (50 scans/month, multi-domain, NIS2 export) — no credit card required.

Where Evidence Overlaps (Efficiency Wins)

Not everything needs to be rebuilt. Several GDPR investments directly support NIS2 compliance with minor additions.

Evidence | GDPR coverage | NIS2 coverage | Status
--- | --- | --- | ---
Encryption in transit documentation | Article 32(1)(a) | Article 21(2)(h) and (j) | Reuse
Access control policy + audit logs | Article 32 | Article 21(2)(i); MFA under 21(2)(j) | Reuse
Incident response procedure | Articles 33/34 | Article 21(2)(b) and Article 23; extend for service incidents with no personal data | Extend
Vendor/processor security reviews | Article 28 | Article 21(2)(d) and 21(3); add vendors that hold no personal data | Extend
Risk assessment documentation | Article 32 | Article 21(1) and 21(2)(a); widen from data protection to service availability and integrity | Adapt
External security scan (e.g., SaaSFort) | Not required | Article 21(2)(e); evidence for 21(2)(f) | New
Management cybersecurity training records | Not required | Article 20(2) NIS2, §38 BSIG | New
Business continuity testing records | Not specified (Art. 32(1)(c) requires the ability to restore availability) | Article 21(2)(c) | New
DNSSEC + DMARC + security headers | Not required | Article 21(2)(e) and (j) | New

The reuse/extend items are work you have mostly done. The “New” items are the actual gap for GDPR-compliant companies moving to NIS2.

The NIS2 Gap Checklist for GDPR-Compliant Companies

If your organization already passes GDPR audits, these are the items most commonly missing for NIS2:

  • External security posture scan documented (Article 21(2)(e), evidence for 21(2)(f)): run free scan (14-day Growth trial on signup, no credit card)
  • DNSSEC enabled on primary domain
  • DMARC policy set to quarantine or reject (not p=none)
  • HTTP security headers deployed (CSP, HSTS, X-Frame-Options, Referrer-Policy)
  • Supply chain assessment expanded beyond data processors to availability-critical vendors
  • NIS2 Article 23 incident reporting workflow established (24h/72h/1-month timeline)
  • BSI registration completed (Germany — MELDUNG portal)
  • Management cybersecurity training documented (§38 BSIG — participants, content, duration)
  • Business continuity plan with recovery time objectives tested
  • Vulnerability management program with documented remediation timelines

The NIS2 compliance checklist for German SMBs maps each item to the specific Article 21 control, with implementation steps. The NIS2 technical security requirements guide covers the implementation detail for CTOs.

For the complete compliance evidence package — external scan + NIS2 PDF export + audit trail — start at saasfort.com/scan. New accounts get a 14-day Growth trial (50 scans/month, multi-domain, full NIS2 export) — no credit card required. The NIS2 compliance report maps every finding to Article 21 controls and generates a downloadable PDF for auditors.

Frequently Asked Questions

Q: Do I need to report the same breach to both BSI (NIS2) and BfDI (GDPR)?

Yes, if the incident involves both service disruption and personal data exposure. Report to BSI/CSIRT under NIS2 within 24 hours (early warning) and to BfDI under GDPR within 72 hours. These are parallel obligations with different timelines and different recipients.

Q: Does my GDPR Data Processing Agreement cover NIS2 supply chain requirements?

Partially. GDPR Article 28 DPAs cover data-handling obligations. NIS2 Article 21(2)(d) requires broader security assessments for vendors who can affect service availability or integrity — including CDN providers, DNS providers, and CI/CD tools that hold no personal data. You need to extend your vendor assessment process beyond the DPA scope.

Q: If I’m not in NIS2 scope (under 50 employees), do I still need to worry?

Indirectly, yes. Your enterprise customers who are in NIS2 scope will cascade security evidence requirements to their vendors. Even out-of-scope SaaS companies regularly receive security questionnaires from NIS2-affected buyers. A strong external security posture protects deals regardless of direct regulatory scope.

Q: Can I use my GDPR risk assessment for NIS2 compliance?

You can use it as a starting point. GDPR risk assessments focus on data protection risks. NIS2 risk assessments cover a broader set of threats to service availability, integrity, and confidentiality — including operational disruption scenarios that have no data protection dimension. Adapt and expand your existing documentation rather than starting from scratch.

Q: What happens under NIS2 if I have a GDPR-compliant data breach but didn’t report to BSI?

You face separate enforcement under NIS2. GDPR compliance does not provide a defense to NIS2 obligations. If the incident was “significant” under NIS2 Article 23(3) (severe operational disruption or financial loss, or considerable damage to other persons), failure to send the 24-hour early warning to BSI is an independent violation, fined for essential entities at up to €10M or 2% of global turnover, whichever is higher.

Ready to put this into practice?

Run a free OWASP scan on your domain. First results in under 10 seconds — no signup required.

