EDPB-EDPS Joint Opinion 4/2026 on the Proposal for a Cybersecurity Act 2 and the Proposal on amendments to the NIS 2 Directive

AI Analysis

The European Data Protection Board and European Data Protection Supervisor have issued a joint opinion on the proposed Cybersecurity Act 2 and amendments to the NIS 2 Directive. This opinion provides a critical assessment from a data protection perspective, focusing on the interplay between new cybersecurity obligations and existing EU data protection law, particularly the GDPR.

The opinion is primarily relevant to entities already within the scope of the NIS 2 Directive, including essential and important entities across sectors like energy, transport, banking, and digital infrastructure. It also concerns EU institutions and bodies that would be subject to the new Cybersecurity Act 2 framework.

Compliance teams should review this joint opinion to understand the supervisory authorities' key concerns regarding jurisdictional overlap, incident reporting, and potential conflicts of law. The next step is to monitor the legislative process for these proposals, as the opinion will inform upcoming negotiations and final texts. Teams should prepare to integrate these future cybersecurity requirements with existing data protection compliance programs.