Article 35: Infringements entailing a personal data breach
Article 35 requires you to be ready for regulator-to-regulator escalation when NIS 2 noncompliance could trigger a GDPR-reportable personal data breach. Operationally, treat it as a coordination requirement: align your NIS 2 security controls (Articles 21 and 23) with GDPR breach assessment and notification workflows so your evidence, roles, and records withstand parallel scrutiny. (Directive (EU) 2022/2555, Article 35)
Key takeaways:
- Build a single incident decision path that covers both NIS 2 incident handling and GDPR personal data breach assessment. (Directive (EU) 2022/2555, Article 35)
- Maintain exam-ready evidence that your Articles 21 and 23 obligations are implemented, owned, and tested. (Directive (EU) 2022/2555, Article 35)
- Assume your cybersecurity supervisor and your data protection authority may coordinate; your narratives and timestamps must reconcile. (Directive (EU) 2022/2555, Article 35)
Article 35 (infringements entailing a personal data breach) matters because it connects two supervisory lanes that many organizations run separately: NIS 2 cybersecurity supervision and GDPR personal data breach oversight. If a competent authority discovers, during supervision or enforcement, that your infringement of NIS 2 obligations (specifically Articles 21 and 23) can entail a personal data breach that is notifiable under GDPR Article 33, that authority must inform the relevant GDPR supervisory authority without undue delay. (Directive (EU) 2022/2555, Article 35)
You do not control whether authorities notify each other. You control whether your program is coherent when they do. That means your control mapping, incident triage, legal analysis, and communications trail must be consistent across security and privacy. You also need evidence that you are operating the security measures and reporting processes required under NIS 2, because Article 35 is triggered by an infringement of those obligations, not by a breach alone. (Directive (EU) 2022/2555, Article 35)
This page gives requirement-level, operator guidance: who should own what, what to implement, and what proof to retain so you can move quickly when an inquiry arrives.
Regulatory text
What the law says (excerpt): Where competent authorities learn, during supervision or enforcement, that an essential or important entity’s infringement of obligations in Articles 21 and 23 “can entail a personal data breach” (as defined in GDPR) that must be notified under GDPR Article 33, they must, without undue delay, inform the GDPR supervisory authorities referenced in GDPR Articles 55 or 56. (Directive (EU) 2022/2555, Article 35)
Operator interpretation (what you must be ready to do):
- Expect cross-authority coordination. A NIS 2 authority can alert the GDPR authority if your NIS 2 failures could lead to a GDPR-notifiable personal data breach. Your incident record and your compliance evidence may be reviewed by both. (Directive (EU) 2022/2555, Article 35)
- Treat Articles 21 and 23 as breach-relevant controls. Article 35 explicitly points to infringements of Articles 21 and 23. If your security measures and incident handling/reporting duties are weak or poorly evidenced, that weakness can become a privacy enforcement vector. (Directive (EU) 2022/2555, Article 35)
- Prepare “two lenses” documentation. One set of facts will be examined through NIS 2 (cyber risk management and incident obligations) and GDPR (personal data breach notification). You need a reconciled timeline, decision log, and control narrative. (Directive (EU) 2022/2555, Article 35)
Source: NIS 2 Directive, Article 35 on EUR-Lex. (Directive (EU) 2022/2555, Article 35; Directive (EU) 2022/2555)
Plain-English requirement (practical)
If your organization is regulated under NIS 2 and you fail to meet key security or incident obligations, regulators may treat that failure as relevant to GDPR personal data breach risk. Your job is to (1) prevent infringements of Articles 21 and 23, and (2) run incident triage so any personal data breach assessment and notification decisions are timely, consistent, and provable. (Directive (EU) 2022/2555, Article 35)
Who it applies to (entity and operational context)
In scope entities
- Essential and important entities under NIS 2, because Article 35 is written for supervision/enforcement involving those entity types. (Directive (EU) 2022/2555, Article 35)
In scope operational contexts
- Security program governance and control operation tied to NIS 2 obligations, especially measures and oversight expected under Articles 21 and 23. (Directive (EU) 2022/2555, Article 35)
- Incident response and reporting where cybersecurity incidents may involve personal data and trigger GDPR Article 33 notification duties. (Directive (EU) 2022/2555, Article 35)
- Third-party incidents where a third-party compromise affects your systems or data. Article 35 is about authority coordination, but the operational trigger often starts with supply chain and shared-responsibility gaps. (Directive (EU) 2022/2555, Article 35)
What you actually need to do (step-by-step)
1) Assign joint ownership and escalation paths
- Name a single accountable owner for “security incident to personal data breach” decisions (often Security + Privacy joint ownership with a documented decision authority). Record who can declare an incident, who can declare a personal data breach, and who approves external notifications. (Directive (EU) 2022/2555, Article 35)
- Document regulator communications routing. If your NIS 2 supervisor contacts you, define how you notify your DPO/privacy counsel and incident commander the same day, with a required handoff package. (Directive (EU) 2022/2555, Article 35)
- Create a conflict-resolution rule. If Security believes “no breach” and Privacy believes “likely breach,” define who breaks the tie and what minimum evidence is required either way. (Directive (EU) 2022/2555, Article 35)
2) Build a unified incident triage workflow (NIS 2 + GDPR)
- Add “personal data involvement” gates to your incident intake: systems affected, data types, data subjects, exposure likelihood, and whether confidentiality/integrity/availability impacts could imply unauthorized disclosure. (Directive (EU) 2022/2555, Article 35)
- Create a structured breach assessment memo template that links facts to the GDPR personal data breach definition and the notification decision. Keep it short, but complete enough for a regulator file review. (Directive (EU) 2022/2555, Article 35)
- Require a single source of truth timeline (ticketing system + incident log) with immutable timestamps for: detection, triage start, containment actions, decision points, notifications sent, and closure. Article 35 increases the chance those timestamps get compared across authorities. (Directive (EU) 2022/2555, Article 35)
3) Make Articles 21 and 23 “exam-ready” with an obligation register
- Maintain a NIS 2 obligation register that lists each applicable obligation, the control owner, the implemented control(s), and the evidence location. This addresses a common supervisory failure mode: controls exist but are not provable on demand. (Directive (EU) 2022/2555, Article 35)
- Add jurisdictional applicability notes for where you operate and where supervision occurs, because NIS 2 is transposed nationally and supervisory posture may vary. Track which sites, subsidiaries, and business lines are covered. (Directive (EU) 2022/2555, Article 35)
- Link obligations to incident playbooks. For obligations related to incident handling/reporting, point directly to the runbook section, the on-call rota, and the evidence logs you will produce during an inquiry. (Directive (EU) 2022/2555, Article 35)
4) Integrate third-party dependencies into the control and incident story
- Maintain an inventory of critical third parties supporting essential services, core IT, security tooling, and data processing. Map them to systems in your incident response scope. (Directive (EU) 2022/2555, Article 35)
- Contract for incident cooperation: notification timelines, log sharing, forensics support, and the breach facts you need for GDPR assessment. If a third-party delay blocks your analysis, you need to show you required prompt cooperation and escalated appropriately. (Directive (EU) 2022/2555, Article 35)
- Run a joint tabletop with at least one high-impact third party scenario and produce a corrective action plan that closes handoff gaps between Security and Privacy. Keep the tabletop outputs as audit artifacts. (Directive (EU) 2022/2555, Article 35)
5) Prepare for parallel supervisory questions
- Pre-draft a regulator response pack: org chart, RACI, incident policy, breach assessment template, evidence index, and last incident postmortem. (Directive (EU) 2022/2555, Article 35)
- Define consistency checks: communications to customers, to the NIS 2 authority, and to the GDPR authority must share the same core facts and timelines. In practice, inconsistencies drive follow-up requests and widen scope. (Directive (EU) 2022/2555, Article 35)
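The triage gates of step 2 and the consistency checks of step 5 can be enforced mechanically over the incident file. The script below is an added example, not part of the original page or any product; it uses a constructed incident record with a placeholder id, assumes the security log and the privacy breach file share the same field names, and assumes the "awareness" moment for the GDPR Article 33 72-hour window is the detection timestamp.

```python
from datetime import datetime, timedelta

# Constructed sample records (not from any real incident). The security
# team's incident log and the privacy team's breach file describe the same
# event; Article 35 readiness means they must agree on core facts and times.
GATES = ("systems_affected", "data_types", "data_subjects",
         "exposure_likelihood", "cia_impact_implies_disclosure")
EVENTS = ("detection", "triage_start", "containment",
          "breach_decision", "notification_sent")
# GDPR Art. 33(1): notify the supervisory authority within 72h of awareness.
# Assumption for this example: awareness == detection timestamp.
GDPR_WINDOW = timedelta(hours=72)

SECURITY_LOG = {
    "incident_id": "INC-EXAMPLE-1",            # placeholder identifier
    "systems_affected": ["crm-db"], "data_types": ["contact details"],
    "data_subjects": "customers", "exposure_likelihood": "likely",
    "cia_impact_implies_disclosure": True,
    "detection": "2024-03-01T08:00:00+00:00",
    "triage_start": "2024-03-01T08:30:00+00:00",
    "containment": "2024-03-01T11:00:00+00:00",
    "breach_decision": "2024-03-02T09:00:00+00:00",
    "notification_sent": "2024-03-03T15:00:00+00:00",
}
PRIVACY_FILE = dict(SECURITY_LOG)   # consistent copy for the reconciled case


def ts(record, key):
    return datetime.fromisoformat(record[key])


def check_gates(record):
    """Flag unanswered personal-data gates; an unanswered gate blocks triage."""
    return [f"gate '{g}' not answered" for g in GATES
            if record.get(g) in (None, "", [])]


def check_order(record):
    """Timeline events must be stamped in causal order (detection first)."""
    present = [e for e in EVENTS if e in record]
    return [f"{a} after {b}" for a, b in zip(present, present[1:])
            if ts(record, a) > ts(record, b)]


def check_gdpr_window(record):
    """If a notification was sent, it must fall within 72h of awareness."""
    if "notification_sent" not in record:
        return []
    lag = ts(record, "notification_sent") - ts(record, "detection")
    return [f"notification {lag - GDPR_WINDOW} past 72h window"] if lag > GDPR_WINDOW else []


def reconcile(security, privacy):
    """Core facts and timestamps must match across the two lenses."""
    keys = [k for k in GATES + EVENTS if k in security or k in privacy]
    return [f"'{k}' differs: security={security.get(k)!r} privacy={privacy.get(k)!r}"
            for k in keys if security.get(k) != privacy.get(k)]


def review(security, privacy):
    """Full dual-review check; an empty list means the file is reconciled."""
    return (check_gates(security) + check_order(security)
            + check_gdpr_window(security) + reconcile(security, privacy))
```

Run `review()` at incident closure and again before any regulator response pack is assembled; every finding it returns is a discrepancy an authority could observe across both files.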
Required evidence and artifacts to retain
Keep these artifacts in a controlled repository with retention aligned to your legal and regulatory needs:
- NIS 2 obligation register with owners, applicability notes, and milestones. (Directive (EU) 2022/2555, Article 35)
- Incident triage SOP and runbooks, including explicit “personal data involvement” decision gates. (Directive (EU) 2022/2555, Article 35)
- Breach assessment memos (including “not a breach” decisions) with approvers and supporting facts. (Directive (EU) 2022/2555, Article 35)
- Incident timelines and case logs: detection source, escalation timestamps, containment actions, and closure rationale. (Directive (EU) 2022/2555, Article 35)
- Regulatory communications log: who contacted whom, what was shared, and when. (Directive (EU) 2022/2555, Article 35)
- Third-party dependency inventory and third-party incident clauses / cooperation procedures. (Directive (EU) 2022/2555, Article 35)
- Post-incident reviews and remediation tracking tied back to infringed obligations (especially where an infringement could “entail a personal data breach”). (Directive (EU) 2022/2555, Article 35)
Common exam/audit questions and hangups
Expect questions like:
- “Show how Articles 21 and 23 obligations are implemented, owned, and tested, and where the evidence is stored.” (Directive (EU) 2022/2555, Article 35)
- “Walk us through your incident decision path from detection to personal data breach assessment to notifications.” (Directive (EU) 2022/2555, Article 35)
- “Provide a recent incident file with the timeline, approvals, and decision rationale, including why you did or did not notify under GDPR.” (Directive (EU) 2022/2555, Article 35)
- “How do you ensure the security team’s incident narrative matches the privacy team’s breach narrative?” (Directive (EU) 2022/2555, Article 35)
- “What happens when a third party is the source of the incident and you lack details?” (Directive (EU) 2022/2555, Article 35)
Common hangup: teams can describe the process, but cannot produce a clean, timestamped record that reconciles across systems (SIEM, ticketing, email approvals, counsel memos). Article 35 increases the chance that mismatch is observed by authorities. (Directive (EU) 2022/2555, Article 35)
Frequent implementation mistakes (and how to avoid them)
- Mistake: Treating Article 35 as “nothing to do because regulators talk to each other.” Fix: Build readiness for cross-authority review. Your deliverable is coherence: one timeline, one fact set, mapped to both NIS 2 obligations and GDPR breach assessment. (Directive (EU) 2022/2555, Article 35)
- Mistake: No obligation register; everything lives in scattered policies. Fix: Maintain a single obligation register with owners and evidence pointers so you can answer supervision requests quickly. (Directive (EU) 2022/2555, Article 35)
- Mistake: Privacy is brought in late. Fix: Add a mandatory “privacy on-call” trigger at intake when personal data might be involved, even before full scoping is complete. (Directive (EU) 2022/2555, Article 35)
- Mistake: Third-party incidents are handled as procurement problems, not incident problems. Fix: Include third parties in technical triage, fact gathering, and breach analysis. Contractual cooperation is part of operational readiness. (Directive (EU) 2022/2555, Article 35)
Enforcement context and risk implications
No public enforcement cases were provided in the available source catalog for this requirement, so this page does not list specific Article 35 enforcement outcomes.
Operational risk remains clear from the text: if a NIS 2 authority detects infringements of your cybersecurity obligations that can entail a GDPR-notifiable personal data breach, you should expect cross-notification and parallel scrutiny. That creates real exposure from inconsistencies, weak evidence, or delayed decisioning, even when the underlying incident is technically complex or third-party driven. (Directive (EU) 2022/2555, Article 35)
Practical execution plan (30/60/90)
Use this as an execution sequence, not a calendar promise.
First 30 days (stabilize and align)
- Stand up the NIS 2 obligation register with owners and evidence locations for Articles 21 and 23 obligations in scope. (Directive (EU) 2022/2555, Article 35)
- Publish an incident-to-breach RACI covering Security, Privacy/DPO, Legal, and Communications, including tie-break rules. (Directive (EU) 2022/2555, Article 35)
- Implement a minimum incident evidence bundle (timeline, containment actions, personal data gate answers, approvals). (Directive (EU) 2022/2555, Article 35)
Next 60 days (prove it works)
- Update runbooks to include structured personal data involvement gates and the breach assessment memo template. (Directive (EU) 2022/2555, Article 35)
- Run a tabletop that forces Security + Privacy coordination and produces a tracked remediation plan. (Directive (EU) 2022/2555, Article 35)
- Build a regulator response pack and test retrieval speed of evidence from your systems of record. (Directive (EU) 2022/2555, Article 35)
By 90 days (make it repeatable)
- Integrate critical third-party dependencies into incident response and breach assessment, including contractual cooperation checks. (Directive (EU) 2022/2555, Article 35)
- Add management reporting: open remediation items tied to Articles 21/23 controls, and incident readiness metrics that are evidence-backed (avoid vanity metrics). (Directive (EU) 2022/2555, Article 35)
- Operationalize continuous improvement: each incident/postmortem updates the obligation register evidence pointers and runbooks. (Directive (EU) 2022/2555, Article 35)
Where Daydream fits (practitioner value)
If you manage NIS 2 obligations across jurisdictions and want exam-ready traceability, Daydream can serve as the system to maintain your obligation register, map owners to controls, and link each obligation to the exact evidence artifacts and incident workflows you will need during supervision. Keep the implementation grounded: treat it as your evidence index and execution tracker for Articles 21/23 readiness and incident workflow proof. (Directive (EU) 2022/2555, Article 35)
Frequently Asked Questions
Does Article 35 create a new breach notification duty for companies?
Article 35 describes an authority-to-authority notification when NIS 2 infringements can entail a GDPR-notifiable personal data breach. Your company’s breach notification duty remains under GDPR Article 33; Article 35 raises the likelihood of coordinated scrutiny. (Directive (EU) 2022/2555, Article 35)
What triggers Article 35 in practice?
The trigger is an authority becoming aware, during supervision or enforcement, of an infringement of Articles 21 and 23 that can entail a GDPR personal data breach that should be notified. Treat any finding on incident handling or security measures as potentially relevant to GDPR breach risk analysis. (Directive (EU) 2022/2555, Article 35)
What should my incident record include to survive dual review?
Keep a reconciled timeline, decision log, containment evidence, and a breach assessment memo that ties facts to the personal data breach definition and notification decision. Make sure Security and Privacy records match on core facts and timestamps. (Directive (EU) 2022/2555, Article 35)
We have strong security controls, but weak evidence. Is that a problem for Article 35?
Yes. Article 35 is engaged through supervision or enforcement, and supervision runs on what you can demonstrate. Build an obligation register that points to concrete artifacts, not policy statements. (Directive (EU) 2022/2555, Article 35)
How do third parties change the Article 35 readiness picture?
Third-party incidents often delay the facts needed for GDPR breach assessment. Contract for cooperation, maintain a dependency inventory, and embed third-party notification and log-sharing steps in your incident runbooks. (Directive (EU) 2022/2555, Article 35)
What should the CCO or GRC lead ask for from Security and Privacy this quarter?
Ask for the obligation register with named owners and evidence links, the unified incident triage workflow with personal data gates, and one completed tabletop with tracked remediation. Those deliverables reduce the chance of inconsistent regulator-facing narratives. (Directive (EU) 2022/2555, Article 35)