Summary: Many organisations handle GDPR and the Swedish Cybersecurity Act/NIS2 in parallel. Splitting the work into two separate tracks often makes it more complex than necessary. Here we show where the regulations overlap and how to coordinate the work to avoid duplicate effort.
Many organisations working with the Swedish Cybersecurity Act/NIS2 are already handling GDPR requirements in parallel. If the work is split into two entirely separate tracks, it often becomes more complex than necessary.
There are differences between the regulations, but there are also clear overlaps. Both require a risk-based approach, clear procedures, incident handling, supplier governance and management engagement.
Where do GDPR and NIS2 overlap?
The most common overlaps are found in:
- risk analysis
- incident handling
- supplier management
- governance and accountability
- documentation
- follow-up and improvement
A data breach, for example, can both affect personal data and impact business-critical systems. The organisation then needs to quickly determine which processes to activate, who makes the decisions and which reporting paths apply.
Where do the regulations differ?
GDPR focuses on the protection of personal data and the rights of data subjects.
The Swedish Cybersecurity Act/NIS2 has a broader focus on the security of network and information systems and on the resilience of essential or specifically regulated operations.
This means the same incident may need to be assessed from several perspectives. Is personal data affected? Is an essential service impacted? Does the incident need to be reported under one or more processes? Which deadlines apply?
How we coordinate the work
Instead of building two parallel governance models, we often recommend that the organisation coordinates the work where possible.
For example, this can involve:
- a shared risk map for personal data, critical systems and essential services
- a single incident process with clear decision points
- shared supplier assessments
- coordinated reporting to management and the board
- clear roles between data protection, information security, IT and the business
That way compliance becomes easier to follow up and less dependent on individual people.
Do you handle GDPR and the Swedish Cybersecurity Act/NIS2 as two separate tracks today? Read more about our work with data protection and privacy and NIS2 and the Swedish Cybersecurity Act, or contact us and we will gladly help you see where the work can be coordinated.
This is an overview and not legal advice. Every organisation needs to be assessed based on its own operations, systems and requirements.

