Infringements entailing a personal data breach
Directive on the security of network and information systems · UE 2022/2555
Infringements entailing a personal data breach
1. Where the competent authorities become aware in the course of supervision or enforcement that the infringement by an essential or important entity of the obligations laid down in Articles 21 and 23 of this Directive can entail a personal data breach, as defined in Article 4, point (12), of Regulation (EU) 2016/679 which is to be notified pursuant to Article 33 of that Regulation, they shall, without undue delay, inform the supervisory authorities as referred to in Article 55 or 56 of that Regulation.
2. Where the supervisory authorities as referred to in Article 55 or 56 of Regulation (EU) 2016/679 impose an administrative fine pursuant to Article 58(2), point (i), of that Regulation, the competent authorities shall not impose an administrative fine pursuant to Article 34 of this Directive for an infringement referred to in paragraph 1 of this Article arising from the same conduct as that which was the subject of the administrative fine under Article 58(2), point (i), of Regulation (EU) 2016/679. The competent authorities may, however, impose the enforcement measures provided for in Article 32(4), points (a) to (h), Article 32(5) and Article 33(4), points (a) to (g), of this Directive.
3. Where the supervisory authority competent pursuant to Regulation (EU) 2016/679 is established in another Member State than the competent authority, the competent authority shall inform the supervisory authority established in its own Member State of the potential data breach referred to in paragraph 1.
In Luxembourg, the competent NIS 2 authority is the ILR and the GDPR supervisory authority is the CNPD. The law of 28 July 2023 on cybersecurity, amended by the law of 28 July 2025, transposes this bridging mechanism: the ILR informs the CNPD without undue delay as soon as a notified incident may amount to a personal data breach, and does not cumulate its administrative fine with the one imposed by the CNPD for the same conduct.
Luxgap practice: set up in advance a cross-notification procedure between the ILR and the CNPD with a single crisis contact point, so that both filings stem from the same timestamped file and avoid any contradiction between the two authorities.