Understanding GDPR & NIS-2 regulations, and making data protection part of your everyday worklife.
Why data protection matters more than ever
In an increasingly connected world with cyber threats and privacy risks, data protection is no longer optional. Protecting your business data is essential, and ensuring compliance with data protection laws is more important than ever.
Regulations such as GDPR and the updated NIS-2 Directive require businesses to safeguard sensitive and personal data responsibly, both physical and digital. Non-compliance can lead to heavy fines, reputational damage, and even personal liability for senior leaders.
This guide provides an overview of both regulations, helping you understand your obligations and take confident steps toward compliance.
WHAT IS NIS-2?
NIS-2: strengthening cybersecurity in Europe
The Network and Information Security Directive 2 (NIS-2) is the EU’s latest legislation to improve cybersecurity and resilience across critical sectors. It came into effect in 2023, with all EU member states required to implement it by October 2024.
NIS-2 recognises that modern economies depend on digital infrastructure, and that disruptions caused by cyber incidents can have devastating consequences. It therefore applies to both essential entities and important entities.
Is NIS-2 applicable to your business?
If your organisation plays a key role in the economy or society, even indirectly, there’s a good chance it falls under NIS-2. NIS-2 applies to organisations whose products and services fall within sectors categorised as “essential” or “important”.
Essential Entities
Important Entities
The two principles of NIS-2
For businesses falling within its scope, NIS-2 requires both preventive measures and response mechanisms.
Duty of care:
The first principle, known as the Duty of Care, obliges organisations to put in place proportionate technical, operational, and organisational measures to protect digital security and continuity. This might include securing IT systems, assessing vulnerabilities, managing supply chain risks, and ensuring accountability at senior management level.
Duty to report:
The second principle, the Duty to Report, requires organisations to notify the relevant national authority of significant incidents. Major service disruptions must be reported within 24 hours, while other incidents must be reported within 72 hours. A final, detailed report must be submitted within one month.
Penalties for non-compliance:
Failure to comply with NIS-2 can lead to severe financial and operational consequences.
FINES
Fines of up to €10 million or 2 % of annual global turnover for essential entities.
Fines of up to €7 million or 1.4 % of annual global turnover for important entities.
Company executives can be held individually liable for ensuring NIS-2 compliance. They also risk temporary or permanent bans from operating in specific sectors.
The hidden risk: Paper data breaches
While NIS-2 is focused on digital resilience, businesses must not ignore the physical side of data security: a data breach isn’t always a cyberattack. It’s any incident where personal data is lost, stolen, or disclosed improperly, including paper documents that are not securely destroyed. Think of contracts thrown in general waste, spreadsheets left on desks, HR records stored in unlocked cabinets, or invoices placed in open recycling bins. Each one of these scenarios could expose your business to fines and damage your reputation.
WHAT IS GDPR?
Protecting personal data
The General Data Protection Regulation (GDPR) has governed data protection across the EU and UK since 2018. It ensures personal data is handled lawfully, transparently, and securely.
The 6 principles of data protection
These six principles should be the core of any data protection strategy. Data shall be:
1. Processed lawfully, fairly and in a transparent way.
2. Collected for specified, explicit and legitimate purposes and not be subsequently processed in a way that goes against those initial purposes.
3. Adequate, relevant and limited to what is necessary.
4. Accurate and up-to-date; inaccurate data should be erased or rectified without delay.
5. Kept for no longer than is necessary.
6. Processed securely.
When do you have to report data breaches?
Breaches must be reported to regulators within 72 hours, and in some cases, affected individuals must also be notified.
Penalties for non-compliance:
Failure to comply with GDPR can lead to severe financial consequences.
Fines of up to €20 million or 4 % of global turnover, whichever is higher.
NIS-2 vs GDPR
Understanding the differences
In summary, here’s how the two distinct regulations compare at a glance:
Focus
NIS-2: Cybersecurity & digital resilience across essential and important sectors
GDPR: Protection of personal data (digital & paper) for all organisations handling EU/UK citizens’ data
Scope
NIS-2: Essential & important entities (energy, transport, banking, health, digital infrastructure, etc.)
GDPR: Any organisation that collects, stores, or processes personal data
Key Principles
NIS-2: Duty of Care & Duty to Report
GDPR: Six principles of data protection (lawfulness, purpose limitation, minimisation, accuracy, storage limitation, integrity & confidentiality)
Breach Reporting
NIS-2: Notify authorities within 24h for service disruption, 72h for other cases
GDPR: Notify regulator within 72h, sometimes individuals as well
Penalties
NIS-2: Up to €10M or 2% of global turnover (essential entities); up to €7M or 1.4% of global turnover (important entities)
GDPR: Up to €20M or 4% of global turnover
Management Liability
NIS-2: Executives can be held personally liable, including bans from sectors
GDPR: Organisation as a whole is fined, though accountability may extend to DPOs or managers
Practical actions
Strengthen your compliance
For most organisations, complying with NIS-2 and GDPR means combining strong policies, secure technology, and everyday employee awareness. Use this checklist to guide your approach:
1. Confirm your obligations
Check if your organisation is classified as an essential or important entity under NIS-2.
Review your GDPR responsibilities and ensure you understand what data you hold and why.
2. Strengthen security practices
Implement and regularly update firewalls, encryption, and incident response plans.
Don’t overlook physical risks - set controls for unattended printouts, filing, and secure disposal.
3. Define reporting procedures
Establish clear escalation paths for incidents.
Assign responsibility for reporting and documenting breaches.
Ensure your team can meet strict notification deadlines (24–72 hours).
4. Train employees regularly
Make data protection part of everyday culture, not just IT policy.
Cover both digital risks (on-screen phishing, password hygiene) and paper handling (storage, shredding).
5. Control the document lifecycle
Introduce a shredding policy for outdated paper records.
Store sensitive documents securely until disposal.
Keep only what is necessary - review archives regularly and destroy expired files safely.
Fellowes solutions
Practical tools to strengthen compliance
From secure shredding to organised archiving and screen privacy, Fellowes solutions help you protect information at every stage of its lifecycle—supporting your efforts to stay compliant with NIS-2 and GDPR.
The challenge
Prevent data breaches from printed documents.
Your solution:
Paper Shredders: Making shredders a part of the document retention policy helps to minimise the risk of a data breach. Shred hard copies that no longer need to be kept, making it impossible for sensitive data to be retrieved or misused. This is an essential step in meeting compliance requirements around secure disposal and information lifecycle management.
Explore the full range of Shredders.
The challenge
Store physical records securely and systematically.
Your solution:
Archiving Solutions: Keep your archives in order with a clearly labelled and well organised system of BANKERS BOX® products as part of your document policy. The archive boxes enable you to securely transport your documents between locations, until it is time to destroy them.
Explore the full range of Archive Solutions.
The challenge
Protect on-screen data from prying eyes or access to your device.
Your solution:
Privacy Filters: Help prevent the risk of data breaches by visual hacking on employees’ screens. Ideal for hybrid workers, shared office spaces, and environments where sensitive information is accessed on-screen, filters help prevent theft and unauthorised access to sensitive business information.
Explore the full range of Privacy Filters.
The challenge
Secure your devices on the go and in shared spaces.
Your solution:
Laptop Protection: The Breyta™ two-in-one lockable Laptop Carry Case is designed to provide security for your laptop, important documents and accessories when working in shared or open spaces. The case also doubles as a laptop riser, making it an ideal security and ergonomic solution for hybrid working.
Explore the full range of Breyta™.
Data protection is no longer just an IT responsibility; it is an organisation-wide commitment. By aligning with GDPR and NIS-2, and by embedding secure document and data practices into everyday processes, your business can avoid fines, build trust, and stay resilient.
Make data protection part of your everyday WorkLife