Non-Lawyers Summary
EU cyber law is not one rule. GDPR is about personal data, NIS2 is about security duties and incident reporting, and the Budapest Convention helps countries cooperate on cybercrime investigations. One ransomware event can trigger all three at once.
Three Laws. One Attack. No Way Out.
In the middle of the night, a hospital's network went dark.
The ransomware moved with surgical precision — encrypting patient records, locking out radiology systems, shutting down the scheduling database that controlled the operating theater. By morning, surgeries were cancelled. Nurses were writing on paper. And somewhere in the hospital's legal and compliance department, phones were ringing from three different directions at once.
The cybersecurity regulators wanted their incident report. The data protection authority wanted to know about the patient records. And the patients themselves — whose health data had been copied before the encryption began — had to be told.
Three separate legal regimes. Three separate notification clocks. All triggered simultaneously, in the same attack, on the same morning.
This is the architecture the European Union built for cybersecurity law — and it is the world's most comprehensive framework. The European Union has built it through two parallel tracks that many practitioners incorrectly treat as the same law. NIS2 governs operational security and incident reporting — it asks "is your organization adequately defended and did you report the attack?" GDPR governs personal data protection and breach notification — it asks "was personal data compromised and did you tell the right people?" A single ransomware attack on a European bank triggers both tracks simultaneously. On top of these, the Budapest Convention creates the global cooperation framework that makes international cybercrime investigation possible — and the Second Additional Protocol (signed by the U.S. in 2022) is the most significant upgrade to that framework in two decades.
Key Concepts
Why NIS2 and GDPR Are Not the Same Law — The Mistake That Will Cost You Everything
This is the most common mistake practitioners make when advising clients on EU cyber incidents. The two laws ask completely different questions and report to completely different regulators. Confuse them and you miss a deadline. Miss a deadline and you face a fine. The fines are, in some cases, measured in billions.
| Question | Governed by |
|---|---|
| Was your organization adequately secured against the attack? | NIS2 |
| Did you report the incident to the cybersecurity authority? | NIS2 |
| Was personal data of EU residents compromised? | GDPR |
| Did you notify the data protection authority? | GDPR |
| Do you need to notify affected individuals? | GDPR |
| What fines apply to your security failures? | Both — different regulators, different fine structures |
The practical consequence: A ransomware attack that encrypts a hospital's patient database potentially triggers:
- NIS2 24-hour early warning to the national competent authority (the hospital is an "essential entity")
- NIS2 72-hour full incident notification
- GDPR 72-hour notification to the supervisory authority (data protection authority) if patient data was likely accessed or exposed
- GDPR notification to affected patients if there is a high risk to their rights and freedoms
- Two different regulatory investigations
- Two different fine proceedings
The "Double 72-Hour Clock" — Racing on Two Tracks at Once
Both NIS2 and GDPR have 72-hour notification obligations — but they run from different triggering events, to different regulators, with different content requirements:
- NIS2: 72 hours from awareness of a significant incident — operational disruption or compromise
- GDPR: 72 hours from awareness that a personal data breach has occurred — accessing, acquiring, or exposing personal data
In many incidents, these trigger simultaneously. In some cases, they may trigger at different times — the operational incident may be confirmed before the forensics team determines whether personal data was accessed. Counsel must track both clocks independently, in parallel, from the moment anything is confirmed.
NIS2 — Directive (EU) 2022/2555
Before the details: one critical procedural fact. NIS2 is a directive, not a regulation. This matters. EU regulations apply directly. Directives require Member States to transpose them into national law. Member States had to adopt and publish transposition measures by October 17, 2024 and apply them from October 18, 2024. Practitioners must therefore check the relevant Member State's implementing law — not just the directive text. The directive sets the floor. National law may go higher.
Scope: Essential vs. Important — Which Category You're In Determines Everything
NIS2 applies to medium and large organizations in specific sectors. The classification determines the level of oversight, the intensity of regulatory scrutiny, and the ceiling on the fine that can be imposed when something goes wrong.
Essential entities — stricter oversight, higher fines, no margin for error:
- Energy (electricity, gas, oil, district heating/cooling, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health (hospitals, labs, pharmaceutical manufacturers)
- Drinking water and wastewater
- Digital infrastructure (internet exchange points, DNS service providers, TLD name registries, cloud computing services, data centers, content delivery networks, trust service providers, electronic communications networks and services)
- Space
- Public administration (central government)
Important entities — lighter oversight, lower fines (but the fines still scale with turnover):
- Postal and courier services
- Waste management
- Manufacture of chemicals
- Manufacture of food
- Medical device and pharmaceutical manufacturers (when not "essential")
- Digital providers (online marketplaces, search engines, social networking platforms)
- Research organizations
Obligations — What You Owe Before the Attack Comes
Risk management measures (Article 21): Covered entities must implement measures addressing:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity (backup, disaster recovery, crisis management)
- Supply chain security — because the attackers will find your weakest vendor
- Security in network and information systems acquisition, development, and maintenance
- Policies and procedures to assess the effectiveness of security measures
- Basic cyber hygiene practices and cybersecurity training
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies, and asset management
- Multi-factor authentication or continuous authentication solutions
The Three-Stage Countdown — NIS2's Incident Reporting Timeline
When something goes wrong, NIS2 runs a gauntlet of escalating reporting obligations. Every stage has a hard deadline.
Stage 1 — Early Warning: 24 Hours from Awareness
The moment the entity becomes aware of a significant incident, it must submit an early warning to the national competent authority or CSIRT. This is not a full report. The organization does not need all the answers. But it must send the alert. Twenty-four hours from awareness — not from confirmation, not from scope determination. From awareness.
Stage 2 — Full Incident Notification: 72 Hours
Within 72 hours of becoming aware, the entity must submit a full incident notification that:
- Provides an initial assessment of the incident (severity, estimated impact)
- Indicates whether the incident is suspected to be caused by unlawful or malicious acts
- Provides any information enabling cross-border impact assessment
Stage 3 — Final Report: One Month After Stage 2
A final report including:
- A detailed description of the incident
- The type of threat or root cause likely to have triggered the incident
- Applied and ongoing mitigation measures
- Where applicable, the cross-border impact
For incidents still ongoing at the one-month mark, progress reports are required monthly, with a final report within one month of the incident being handled. Some incidents become multi-month reporting obligations.
The Fines That Scale With Size
| Entity Type | Maximum Administrative Fine |
|---|---|
| Essential entities | ≥ €10,000,000 OR ≥ 2% of total worldwide annual turnover (whichever is higher) |
| Important entities | ≥ €7,000,000 OR ≥ 1.4% of total worldwide annual turnover (whichever is higher) |
"Minimum maxima": These figures are the minimum maxima that Member States must implement — national law may provide higher ceilings. The directive mirrors GDPR's fine structure deliberately. For a global company with €10 billion in annual revenue, 2% is €200 million. The fine is not abstract — it is a percentage of everything the company earns, everywhere in the world.
Enforcement actors: National competent authorities (which vary by Member State and may be a cybersecurity agency, a sector regulator, or both), CSIRTs (Computer Security Incident Response Teams), and EU-level coordination through ENISA.
GDPR — Regulation (EU) 2016/679
Breach Notification — The Rules That Changed How the World Handles Data
Article 33 — Notification to supervisory authority: In the event of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the competent supervisory authority — unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
The risk threshold: This creates a professional judgment obligation. Low-risk breaches — for example, accidental disclosure of non-sensitive data to one unintended recipient who confirms deletion — may not require notification. High-risk breaches — exfiltration of health, financial, or credential data — almost always do. The organization makes this judgment under the shadow of a regulator who will review it afterward.
Article 34 — Notification to affected individuals: Where a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall communicate the breach to the data subject without undue delay. This is a higher threshold than Article 33. Not every breach requiring supervisory authority notification also requires individual notification. The organization must make two separate risk assessments, potentially reaching different conclusions.
Content of notification: Name of DPO or contact point; description of breach; categories and approximate number of data subjects and records; description of likely consequences; measures taken or proposed.
The processor's role: Data processors must notify the controller without undue delay after becoming aware of a personal data breach. Processors don't notify supervisory authorities directly — that's the controller's obligation. But if the processor sits on a breach, the controller's 72-hour clock is still ticking.
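A deadline tracker for the "double 72-hour clock", the NIS2 three-stage countdown, and the Article 33/34 risk thresholds described above. This is an added example, not part of the original article: the timestamps are constructed, and "one month" is modelled as 30 days, which is an assumption.

```python
"""Dual-track (NIS2 + GDPR) notification deadline tracker (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Durations as stated on the page. "One month" is modelled as 30 days (assumption).
NIS2_EARLY_WARNING = timedelta(hours=24)      # Stage 1, from awareness
NIS2_FULL_NOTIFICATION = timedelta(hours=72)  # Stage 2, from awareness
NIS2_MONTH = timedelta(days=30)               # Stage 3 / monthly progress reports
GDPR_SUPERVISORY = timedelta(hours=72)        # Art. 33, from awareness of the data breach


@dataclass
class IncidentFacts:
    # Conservative reading: the clock starts when the security team detects
    # the incident, not when the investigation is complete.
    nis2_aware_at: datetime
    # Forensics may confirm personal-data exposure later than the operational
    # incident, or never. None means the GDPR track has not started.
    pd_breach_aware_at: Optional[datetime] = None
    # Art. 33/34 risk judgement: "unlikely", "risk", "high" or "unknown"
    risk_to_individuals: str = "unknown"
    stage2_submitted_at: Optional[datetime] = None
    still_ongoing: bool = False


def nis2_schedule(f: IncidentFacts) -> dict:
    """NIS2 track. Stage 3 is keyed off the Stage 2 submission, not awareness."""
    s = {
        "nis2_early_warning": f.nis2_aware_at + NIS2_EARLY_WARNING,
        "nis2_full_notification": f.nis2_aware_at + NIS2_FULL_NOTIFICATION,
    }
    if f.stage2_submitted_at is not None:
        # Still-ongoing incidents owe a monthly progress report instead of a final one.
        key = "nis2_progress_report" if f.still_ongoing else "nis2_final_report"
        s[key] = f.stage2_submitted_at + NIS2_MONTH
    return s


def gdpr_schedule(f: IncidentFacts) -> dict:
    """GDPR track. Art. 33 and Art. 34 are two separate risk assessments."""
    if f.pd_breach_aware_at is None:
        return {}
    s = {}
    if f.risk_to_individuals != "unlikely":   # Art. 33 exception only for "unlikely" risk
        s["gdpr_supervisory_authority"] = f.pd_breach_aware_at + GDPR_SUPERVISORY
    if f.risk_to_individuals == "high":       # Art. 34 needs the higher "high risk" threshold
        s["gdpr_data_subjects"] = "without undue delay"
    return s


def next_due(f: IncidentFacts, now: datetime) -> Optional[tuple]:
    """Earliest dated obligation still ahead of `now`, across both tracks."""
    pending = [(v, k) for k, v in {**nis2_schedule(f), **gdpr_schedule(f)}.items()
               if isinstance(v, datetime) and v > now]
    return min(pending) if pending else None


def sample_hospital_incident() -> IncidentFacts:
    """Constructed facts mirroring the hospital scenario: operational incident
    detected overnight, patient-data exfiltration confirmed a day later."""
    utc = timezone.utc
    return IncidentFacts(
        nis2_aware_at=datetime(2025, 3, 1, 2, 15, tzinfo=utc),
        pd_breach_aware_at=datetime(2025, 3, 2, 10, 0, tzinfo=utc),
        risk_to_individuals="high",
        stage2_submitted_at=datetime(2025, 3, 3, 18, 0, tzinfo=utc),
    )
```

With the sample facts the GDPR supervisory deadline lands more than a day after the NIS2 full notification, which is exactly why the two clocks have to be tracked separately.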
Fines — Article 83: The Two-Tier Structure of Consequences
GDPR creates a two-tier fine structure — and the tiers matter, because they lead to different regulators and different legal theories.
Tier 1 — up to €10M or 2% worldwide annual turnover: Violations of obligations relating to consent, data protection by design/default, processor requirements, and breach notification procedures. This is where most data breach cases land — failure to implement appropriate technical measures under Article 32.
Tier 2 — up to €20M or 4% worldwide annual turnover: Violations of the basic principles of processing (including purpose limitation, data minimization), conditions for consent, data subjects' rights, and transfers to third countries. If the breach exposes years of unlawfully retained data, or data processed without a legal basis, Tier 2 may apply. At 4% of Meta's worldwide annual turnover, this fine is measured in billions.
Irish Data Protection Commission — Where Platform Accountability Happens
For large cross-border platform matters, the Irish Data Protection Commission often acts as the lead supervisory authority. The DPC's public fines registry is required reading for any practitioner advising global platforms — because it shows not only the headline fine amounts, but also the current enforcement posture.
| Organisation | Decision date | Fine | Current status on DPC registry |
|---|---|---|---|
| TikTok Technology Limited | 2025-04-30 | €530,000,000 | Pending Appeal |
| Meta Platforms Ireland Limited | 2024-12-17 | €251,000,000 | Pending Appeal |
| | 2024-10-24 | €310,000,000 | Pending Appeal |
| TikTok Technology Limited | 2023-09-01 | €345,000,000 | Pending Appeal |
| Meta Platforms Ireland Limited | 2023-05-12 | €1,200,000,000 | Pending Appeal |
| WhatsApp Ireland Ltd. | 2023-04-19 | €5,500,000 | Pending Appeal |
| WhatsApp Ireland Ltd. | 2021-08-20 | €225,000,000 | Pending Appeal |
Here is what the table conceals — and what you must understand before citing it. The DPC's own registry reports more than €4 billion levied in total, but only about €20 million collected to date. Every major fine in the table above is labeled Pending Appeal. Under the DPC's published explanation, a fine does not become payable until confirmed in court. If an appeal is filed, the fine cannot be collected while that appeal is pending.
A DPC announcement is a major regulatory signal — a statement of liability, a declaration of what the regulator believes the company did wrong. But it is not a final cash outcome on the day of publication.
The TikTok distinction matters: TikTok appears twice in the DPC's enforcement history for different issues. The 2023 €345 million decision concerned child-user default-public settings, Family Pairing, age verification, and transparency. The 2025 €530 million decision concerned EEA-user transfers to China and Article 13/46 GDPR issues. One case is about child-safety and privacy-by-default design. The other is about cross-border transfer controls and transparency. They are legally distinct. Cite them correctly.
Budapest Convention on Cybercrime — The International Framework That Makes Cross-Border Cases Possible
The Problem It Was Built to Solve
In 2001, the internet had no legal borders. A hacker in Romania could attack a bank in New York, steal credentials for accounts in Tokyo, and launder proceeds through servers in Hong Kong — and by the time any country's law enforcement got involved, the evidence had been deleted, moved, or encrypted. International investigations moved at the speed of diplomacy. Diplomacy moved at the speed of months. Evidence survived for hours.
The Convention on Cybercrime (CETS No. 185), opened for signature in Budapest on November 23, 2001, was the first answer: a multilateral treaty to harmonize cybercrime law and create mechanisms for cross-border investigation. Sixty-five-plus countries have ratified it, including the United States in 2007. It remains open for accession by non-Council of Europe members.
Two core functions:
- Substantive harmonization: Requires Parties to adopt criminal laws covering illegal access, illegal interception, data interference, system interference, misuse of devices, computer-related fraud, computer-related forgery, and child sexual abuse material online
- Procedural cooperation: Creates mechanisms for cross-border evidence collection, preservation, and sharing in cybercrime investigations
Article 35 — The 24/7 Network: Emergency Lines That Cross Borders
Every Party must designate a point of contact available 24 hours a day, 7 days a week to ensure the provision of immediate assistance for:
- Technical advice
- Data preservation
- Evidence collection
- Real-time collection of traffic data
- Interception of content data
What the 24/7 network does in practice: When a U.S. prosecutor needs to preserve volatile electronic evidence in Germany before a suspect can delete it, the U.S. DOJ contacts the German 24/7 point and requests emergency preservation. This can happen in hours, compared to months through formal MLAT channels. The evidence is frozen in place while the formal process catches up.
What the 24/7 network does NOT do: It does not allow evidence to be used in proceedings without the formal legal process (MLAT or direct orders under national law). Preservation buys time. Formal request is still required to actually obtain the preserved evidence. The difference between preserving and obtaining is where investigations stall.
The MLAT Problem — Why Justice Still Moves at Diplomatic Speed
The Budapest Convention's 24/7 network addresses evidence preservation speed. But the actual transfer of evidence for use in prosecution still typically requires a Mutual Legal Assistance Treaty (MLAT) request — and MLAT processing times average months to years. During that wait, investigations stall, witnesses become unavailable, and suspects continue operating.
Why MLATs are slow:
- Formal diplomatic channels that move at bureaucratic speed
- Dual criminality requirements — the conduct must be criminal in both countries
- Translation requirements for all documents
- Judicial authorization requirements in the requested country
- Resource constraints at treaty processing offices in every government
Second Additional Protocol (2022) — The Most Significant Upgrade in Two Decades
The Second Additional Protocol to the Budapest Convention, signed by the U.S. in 2022, is the closest thing to a structural fix the international community has produced for the MLAT latency problem. It creates:
- Voluntary direct cooperation with service providers: Parties may authorize their competent authorities to request subscriber information and traffic data directly from service providers in other Parties — bypassing MLAT in certain limited circumstances
- Emergency disclosure provisions: Service providers may voluntarily disclose data to foreign authorities in emergencies involving immediate risk to life
- Video conferencing for witnesses and experts: Reduces the need for physical presence in foreign proceedings
- Joint investigation teams: Enhanced framework for multinational investigations
Practical significance: For basic investigative steps — subscriber information, traffic data — investigators may now be able to work directly with service providers in cooperating countries rather than waiting months for formal MLAT processing. It is a partial answer. Not a complete one.
The CLOUD Act — America's Parallel Architecture
The U.S. CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 2018) creates a parallel framework for cross-border data access that operates alongside Budapest:
- Requires U.S. service providers to produce data stored abroad when lawfully ordered to do so by U.S. courts — even if the data is stored in another country
- Allows the U.S. to enter "executive agreements" with foreign governments to allow direct access to data held by providers in each country's jurisdiction
- Designed to resolve the conflict between U.S. legal demands and foreign data protection laws
Relationship to Budapest Convention: The CLOUD Act and Budapest's Second Additional Protocol work in parallel — the CLOUD Act governs U.S. domestic law and executive agreements; the Second Additional Protocol creates the international framework. Both are designed to reduce the latency that has historically hampered cross-border cybercrime investigations. Together, they represent the best cooperative architecture currently in existence. It is still not fast enough.
Comparative Timeline Table — Every Deadline, Every Framework
| Framework | Triggering Event | Stage 1 | Stage 2 | Stage 3 |
|---|---|---|---|---|
| NIS2 | Awareness of significant incident | Early warning: 24 hours | Full notification: 72 hours | Final report: 1 month after Stage 2 |
| GDPR | Awareness of personal data breach | — | Supervisory authority: 72 hours (where applicable) | Individual notification: without undue delay (if high risk) |
| U.S. CIRCIA | Covered cyber incident (critical infrastructure) | Covered entity report: 72 hours | Ransom payment report: 24 hours | — |
| CA Civil Code § 1798.82 | Discovery of breach of CA resident PI | — | — | Notification: within 30 calendar days |
| NY GBL § 899-aa | Discovery of breach of NY resident PI | — | — | Notification: within 30 days |
Practitioner Takeaways
1. Treat NIS2 and GDPR as two separate compliance checklists triggered by the same incident. Your incident response plan for any EU-touching incident must have two tracks: one for NIS2 (operational/security regulators) and one for GDPR (data protection authorities). Different regulators, different timelines, different content requirements, potentially different penalties.
2. The 24-hour NIS2 early warning is a design constraint for your IR process. Your organization must be capable of making a preliminary determination that a "significant incident" occurred within 24 hours of detection. This is not a final assessment — it is a brief alert. Build your IR process to produce this alert automatically.
3. The Budapest Convention is why cross-border cases are possible at all — but evidence preservation ≠ evidence transfer. When advising on international cybercrime investigations, help clients understand that emergency preservation through the 24/7 network buys time, but the evidence still needs to come through formal channels (MLAT or direct production under national law). The Second Additional Protocol reduces but does not eliminate this gap.
4. GDPR's 72-hour clock is not satisfied by "we're still investigating." The 72-hour deadline runs from when the controller "becomes aware" of the breach. Regulators have found that companies "became aware" when their security team detected anomalous activity — not when they completed their investigation. Counsel must advise clients to make the notification (even if incomplete) and supplement it as the investigation continues.
5. Fine exposure scales with size. A 4% worldwide annual turnover fine applies to the global enterprise, not just EU operations. For large multinationals, GDPR fine exposure can exceed the total damages from the breach itself.
6. Treat announced DPC fines as both enforcement signals and procedural posture markers. When the Irish Data Protection Commission lists a marquee Meta, TikTok, or WhatsApp matter as Pending Appeal, the legal and business significance is immediate, but the payment posture is not final. Track both the size of the announced fine and whether the case is still moving through appeal channels.
Quiz
See: artifacts/quizzes/quiz-01c.md
Test your knowledge
Ready to check what stuck?
10 questions — cases, statutes, and the practical move for each. Takes 5 minutes.