How Does Article 35 Rewrite the Rules for Personal Data Breaches-and Who Actually Pays the Price?
It’s no longer good enough to keep compliance in the background. NIS 2 (Directive (EU) 2022/2555) has applied through national transposition since 18 October 2024, with Commission Implementing Regulation (EU) 2024/2690 adding the technical requirements and incident-significance thresholds for DNS, cloud, data-centre, managed-service and similar digital providers. Article 35 of NIS 2 does not replace national rules; it ties NIS 2 supervision directly to GDPR enforcement: where a competent authority finds that an infringement of the risk-management or reporting obligations (Articles 21 and 23) can entail a personal data breach notifiable under GDPR Article 33, it must inform the data protection supervisory authority without undue delay. In practice that means a personal data breach is judged by two authorities reading the same record; you must show your response is evidence-driven, synchronised across legal, IT, and executive layers, and capable of standing up under an auditor’s direct scrutiny. If you believe “it’s just IT’s issue” or think a face-saving email thread will cover your board’s accountability, the new regime proves otherwise.
Today, a missing record in incident logging risks the same scrutiny-and fine-as a technical security failure.
What’s shifted is not just the pace, but the expectation: evidence before expertise, and board demonstration before back-office workaround. In the past, many organisations waited for a local regulator’s nudge, then scrambled to produce meeting minutes or audit logs after the fact. Now, if you can’t show provable, system-recorded joint action from detection to board-level closure, your evidence gap has become the breach, and enforcement follows. This isn’t just theory: recent GDPR enforcement decisions have cited failures to notify and to document breaches (GDPR Articles 33(1) and 33(5)) alongside the underlying technical failure, and NIS 2 Article 20 makes management bodies responsible for approving and overseeing the risk-management measures.
The new reality? “Reasonable” isn’t determined by intent but by audit-ready proof-timelines, hand-offs, outcomes. If there’s a gap in your incident process, if roles are vague, or if logged evidence is stuck in email instead of a system, the fine lands at the top. For boards, DPOs, and IT leadership alike, Article 35 has converted breach readiness into a team sport where nobody gets to watch from the stands.
Why Is “Process Failure” Now Legally a Data Breach-And What Does That Mean for You?
Under Article 35, a missed notification deadline, incomplete log, or undocumented incident is no longer a side issue. Such failures are infringements of the NIS 2 Article 21 and 23 obligations in their own right, and where the infringement can entail a personal data breach the competent authority must refer it to the data protection authority. This elevates the stakes: it’s not simply technical security that matters, but your operational discipline-the granular, live trail of decisions, reviews, and sign-offs.
Fail to log, fail to retain, or fail to assign-the chain of trust is broken, no matter how small the technical fix.
Why? Because the real risk with personal data is not just in the hack or accidental disclosure, but in the organisational blind spot. A “completed” incident, rushed through without complete attribution or time-stamped evidence, now stands as the regulator’s first indicator of neglect. If it can’t be mapped from detection to closeout, and if the board cannot show in real time where its oversight began and ended, non-compliance is baked into the corporate record.
For practitioners-legal, compliance, and IT-the message is blunt. Legacy notes, informal chats, or jurisdiction-specific “exceptions” are less than worthless: they create evidence of inattention. Instead, joint logs, auditable workflows, and system-driven reminders have become the baseline. Executives are now directly accountable for demonstrating that every breach, regardless of outcome, was handled through a trail that withstood review-no exceptions.
The cost of getting this wrong? Fines no longer calibrated merely by lost records, but often driven by gaps in hand-off, unacknowledged escalations, or failure to update that final lessons-learned log. Systemise your incident process now, or the next notification lapse might be the one that accelerates a full-scope compliance investigation.
How Is Fragmentation Putting Your Organisation at Direct Risk of Penalties?
Personal data breaches don’t stop at your city’s limits-and neither do regulatory actions. Under Article 35, regulators searching for cause dig rapidly into any fragmentation of response, role, or log. Gone are the days where a “good story” in Ireland could patch a paperwork hole in Germany. If your breach process leaves logs or actions scattered across departments or jurisdictions, you have essentially multiplied your exposure.
Every delay rooted in ownership confusion or manual hand-off is a compliance risk as real as the initial attack.
What do auditors expect now? A timeline: who knew, who acted, who signed, and when. This record must tie every territory, business unit, and legal stakeholder into a single stream-no splits, no missing branches. The moment an incident crosses borders-of business line or country-the burden is on you to maintain a comprehensive, single account of detection, notification, and closure. Anything less invites both missed deadlines and conflicting disclosures, doubling regulatory jeopardy.
Most delays in breach response come from unclear roles, offline records, and redundant tracking. Platforms like ISMS.online reveal, through real incident data, that over half of incident lifecycle slowdowns result from manual, multi-owner processes (https://www.isms.online/incident-management-platform). The cost? Days lost, investigations triggered, fines compounded-not by technical failure, but by operational drag.
To break this chain:
- Assign clear, cross-functional incident managers from first notice.
- Use a log that force-tracks each business hand-off.
- Automate reminders and require receipt/acknowledgement at every step.
- Archive post-mortems as mandatory, not optional, with access for both IT and legal.
Master these mechanics, and instead of firefighting at the regulator’s pace, you can match Article 35’s single-source rule for every action, every time.
What Does “Operationalising” Article 35 Look Like? Discipline, Evidence, and Deadline Management
It’s not enough to own a policy; you must animate it. Article 35 asks for cross-team incident response routines that leave auditable footprints-real actors, strict deadlines, and live evidence links. Assigning a department is insufficient; now, specific people must be tied to each stage, with evidence mapped in real time.
Deadlines are enforced not by hope, but by technology (https://www.isms.online/policy-documentation). NIS 2 Article 23 sets three clocks for a significant incident, all counted from awareness: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. GDPR Article 33 separately requires notification of a personal data breach to the DPA within 72 hours of awareness unless the breach is unlikely to result in a risk to individuals. At every event-first detection, escalation, board hand-off, closure-you need a role-based, timestamped log, or regulators will treat every gap as proof of neglect. “Almost on time” documentation, or after-the-fact reconciliation, leaves you fully open to enforcement.
Organisations that document in real time, with system-driven alerts for every stakeholder, pass audits and avoid fines-even when the breach itself is technically complex.
For those operating under one framework, simulate the other’s routine-GDPR teams should run 24-hour drills, NIS 2 operators should rehearse GDPR’s 72-hour model. The best-prepared teams normalise incident rehearsals across departments, so every weak link is spotted and sealed before a breach occurs.
Today’s best practice leverages incident management platforms that keep workflow evidence auditable, assign every actor, and automate review reminders before compliance deadlines hit (https://www.isms.online/incident-management-platform). With a system like ISMS.online, tasks lock at the source, and your audit pack becomes a direct mirror of Article 35’s legal requirement.
ISO 27001 Bridge Table: Mapping Article 35 Obligations to Operational and Audit Controls
Below, core regulatory requirements transform into clear operational actions and ISO 27001:2022 Annex A control references (note that A.8.13 is information backup and A.5.35 is independent review of information security; evidence, logging and post-incident learning sit under A.5.28, A.8.15 and A.5.27):
| Expectation | Operationalisation | ISO 27001:2022 Annex A ref |
|---|---|---|
| Dedicated personal data breach owner | Workflow that assigns a named individual, not a department | A.5.24, A.5.26 |
| Timestamped audit trail of every step | System-logged role and action chain | A.8.15, A.5.28 |
| Dual-framework notification (NIS 2 and GDPR) | Rules-based checklist with tracked deadlines | A.5.31, A.5.34 |
| Evidence of closure plus sign-off | Evidence repository linked to the SoA | A.5.27, A.5.28 |
A mature ISMS puts these operational checks at the centre, letting you generate a Statement of Applicability (SoA) or auditor pack with just a click-proof for every conceivable review.
Why Does Modern Compliance Demand “Living Crosswalks”-and How Do They Work?
A checkbox policy adds zero value if it isn’t mapped to live actions. In today’s breach environment, “best practice” is what’s mapped, not merely what’s written. Regulators, and now most external auditors, seek to test: for every notification, is the trigger tied to a control? Is the sign-off captured with attribution? Without a mapping table and live evidence links, your process is invisible-and thus non-compliant.
If the evidence can’t be surfaced in a live trace, it’s as if it doesn’t exist to auditors and regulators alike.
Consider the typical incident: detection, initial owner assignment, 24-hour early-warning timer, escalation to DPO, 72-hour notifications, closure, and review. At every point, you must log actions into your ISMS with mapped controls-A.5.24 for incident planning, A.5.25 and A.5.26 for assessment and response, A.5.28 and A.8.15 for evidence and logging, A.5.31 for statutory notification duties, A.5.27 for post-incident review.
Here’s what a “live crosswalk” looks like:
| Trigger | Risk update | Control / SoA link | Evidence logged |
|---|---|---|---|
| Breach detected | Risk register note | A.5.25 / A.8.15 | Detection + owner assigned |
| 24-hr early-warning deadline approached | Timer event | A.5.31 / A.5.26 | Notification plan and reasoning |
| Escalation to DPO | Hand-off record | A.5.34 / A.5.28 | DPO acknowledgement |
| Incident resolved | Board review log | A.5.27 / A.5.35 | Lessons learnt + closure |
Running these as part of a continuous cycle-automated by your incident management system-transforms each breach event into an opportunity for proactive resilience. Forward-thinking organisations update every action, every time, so that preparing for audit or regulatory review is a by-product of daily work, not a scramble days before a deadline.
Is Your Audit Trail Real-Time, Seamless, and Evidence-Driven-or at Risk for “Inactive Compliance”?
No longer is “compliance” solely about the breach itself. It’s about readiness, logging, review, and improvement in every response. Gaps, scattered records, manual logs-these are the fast lane to fine country. It’s safer, and smarter, to err on the side of diligence: nearly all major fines cite documentation gaps (https://www.isms.online/incident-management-platform). One caveat a practitioner should keep in view: the incident record itself contains personal data (names of affected individuals, reporters, investigators), so it is subject to GDPR minimisation and retention rules. Log every decision and hand-off; do not hoard raw data dumps in the ticket.
Every closed loop in your audit trail-detection, role, evidence, review-multiplies your chance of avoiding not just fines, but reputational fallout.
Today, compliance officers and IT managers can leverage ISMS platforms that auto-log every step and offer an electronic, immutable timeline-across technical and non-technical roles. The model is simple: the more feedback loops you demonstrate, the more credit and trust you win, both with auditors and inside your boardroom. Post-mortem reviews, evidence uploads, and management sign-offs each become routine entries-multiplying assurance and drastically reducing the cost of audit preparation.
Instead of fearing regulatory investigation, savvy organisations treat every incident response as fuel for long-term improvement. And, with automation, your compliance doesn’t stand still-it evolves to meet the standard before regulators force you to catch up.
Evidence-Driven Compliance: Building a Trust Loop, Not a Checklist
Market leaders are defined not by process manuals, but by live, adaptive logs integrating evidence, team learning, and board oversight. ISMS.online customers who shift compliance from “pass audit” to “prove daily improvement” see their cost, recovery time, and incident rates all shrink (https://www.isms.online/case-studies/). Audit logs aren’t just defensive-shared dashboards give every director or manager the real-time view regulators expect.
Compliance is less a destination than a launchpad-one you reset and strengthen after every breach, every drill.
A client handling sensitive EU healthcare data managed cross-jurisdictional breach drills on ISMS.online. Each assignment, evidence post, notification, and review step was centrally logged; every lesson immediately available for the next cycle. When auditors came, the board presented a simple report: no exceptions, no missing links, no panic. The outcome? Zero findings, enhanced customer trust, and a board cited as “market-ready” for the next wave of regulatory expectations.
To reach this level: centralise your audit trail, automate hand-offs, drive management reviews, and update your incident playbook after every real or simulated breach. So, when the next challenge or regime arrives, resilience is already business as usual.
What’s Next: From Article 35 to the Full Resilience Spectrum-Is Your System Ready?
Article 35 is a preview, not the finale. With DORA, sectoral frameworks, and the emerging EU AI Act, evidence-driven, platformised compliance is already the expectation. New mandates will multiply timelines, hand-offs, and overlapping accountabilities. In the end, it’s not ambition but repeatability and proof that defines “best in class.”
Your ability to show live improvement-quarterly drills, updating playbooks, board reviews-is already the differentiator.
Build rhythms of review, improvement logging, and next-threat simulation into your ISMS today (https://www.isms.online/policy-documentation). Boards are now tracked by the actions they endorse, not the slide decks they view. Be ready to anchor every strategic risk discussion in real evidence-demonstrate your drill logs and your improvement cycles as a living system.
Resilient, audit-ready businesses tie bonus and board strategy to evidence-not ambition. They visualise compliance cycles as performance dashboards, not annual headaches. And the market is watching: regulated buyers and investors value organisations that map tomorrow’s threats before they’re forced to react.
The ISMS.online Model: Always-On Compliance, Auditable Resilience, Trusted Improvement
No organisation achieves resilience through paperwork or muscle memory. In this era, compliance means always-on, systemised, evidence-rich readiness. From incident workflows to board sign-offs, ISMS.online provides a platform audited and trusted across the full lifecycle-incident response, personal data breach management, and continuous improvement (https://www.isms.online/incident-management-platform).
Incidents are not one-and-done; your management system lives and breathes with every event. Whether updating control status, coaching a new manager, or assimilating the feedback from an audit, the ISMS.online evidence record is live, unified, and reviewable by any authority, anytime.
Organisations that hardwire real-time compliance show their mettle not in ambition, but in practice. Proof is not the burden-it’s the shield. When Article 35 or the next legislative wave lands, your team can point not to good intentions, but living results.
Operational excellence is not born in the aftermath; it’s written, day by day, in logs, reviews, and live dashboards. When your evidence can move as fast as threats, resilience is automatic.
Frequently Asked Questions
What triggers an “infringement entailing a personal data breach” under Article 35 of NIS 2?
Article 35(1) is triggered when a competent authority, in the course of supervision or enforcement, finds that an essential or important entity has infringed its NIS 2 risk-management (Article 21) or reporting (Article 23) obligations, and that infringement can entail a personal data breach as defined in GDPR Article 4(12) that must be notified under GDPR Article 33. Crucially, the infringement need not be a cyber-attack: breakdowns in security routines, late notifications, unclear role assignments, missing logs, or incomplete documentation all count where they lead to personal data being lost, accessed without authorisation, or unlawfully disclosed. When that happens, the NIS 2 competent authority must inform the data protection authority (DPA) without undue delay. This dual exposure means compliance gaps in process, record-keeping, or incident response pull your organisation under both NIS 2 and GDPR regulatory scrutiny.
Missed deadlines, vague roles, or poor records can turn a routine error into a legal breach-placing your team under the spotlight of two regulators, not just one.
Key triggers for a regulatory breach
- Untested, outdated, or incomplete NIS 2-mandated controls (e.g., unpatched vulnerabilities or skipped risk assessments).
- Late or missing incident notifications-the 24-hour early warning, the 72-hour incident notification, or the one-month final report under NIS 2 Article 23.
- Failing to assign named individuals for reporting, escalation, or documentation.
- Reliance on unstructured evidence-spreadsheets, scattered logs, email chains.
- Neglecting documentation of both “near misses” and repeated low-level incidents.
Competent authorities treat the process gap as an infringement in its own right, not a footnote to the technical cause; ENISA, as the EU cybersecurity agency rather than a regulator, supplies the guidance those authorities draw on. Either way, the demand is for systematic, role-attributed compliance.
How do Article 35 (NIS 2) and the GDPR interact for notification and penalty?
Article 35 links the two regimes rather than merging them. A significant incident must be reported under NIS 2 Article 23 to the CSIRT or competent authority: an early warning within 24 hours of awareness, an incident notification within 72 hours, and a final report within one month. If the same incident is a personal data breach, GDPR Article 33 separately requires notification to the DPA within 72 hours of awareness, with the content prescribed in Article 33(3). The two authorities inform each other, but penalties are not harmonised so much as de-duplicated: under Article 35(2), if the DPA imposes an administrative fine under GDPR Article 58(2)(i), the NIS 2 competent authority may not also impose an administrative fine under Article 34 for the same conduct, though it keeps its other enforcement powers (warnings, binding instructions, orders to remedy, audits, and for essential entities the suspension of certifications or authorisations).
The joint notification process, step by step
- 24 hours: Early warning to the NIS 2 CSIRT or competent authority (even if facts are incomplete).
- 72 hours: Incident notification to the NIS 2 authority with an initial assessment of severity and impact, and, where personal data is involved, the GDPR Article 33 notification to the DPA.
- One month: Final report to the NIS 2 authority (root cause, mitigation, cross-border impact).
- Cross-border?: Every affected jurisdiction’s authorities are involved, compelling harmonisation of your notifications and records.
- No double fines, but enhanced oversight: NIS 2 authorities may order process changes, suspend certifications, or require new audits, even when the fine comes only from the DPA (NIS 2, Art. 35(2)).
Authorities expect not just proof of action, but evidence of real-time, role-based organisation. Automation and process discipline aren’t ‘nice to have’-they’re now mandatory.
What is the step-by-step ISMS process for breach detection and reporting under Article 35 and GDPR?
To remain compliant and audit-ready, the incident-management process inside your information security management system (ISMS) must tightly orchestrate response the moment a breach is suspected-especially when process exposures are involved:
Stepwise incident workflow
- Event Logging: Securely log the breach in your ISMS. Record the time, reporter, systems affected, impact, and initial risk rating (ISO 27001: A.5.24, A.5.25, A.8.15).
- Workflow Activation: Trigger pre-approved incident playbooks with precise timestamping and individual assignment for each step.
- Notify NIS 2 authority: Use the country’s dedicated portal or prescribed channel for the 24-hour early warning, regardless of investigation status, then the 72-hour incident notification and the one-month final report.
- Notify DPA: Provide the GDPR Article 33(3) details within 72 hours-nature of the breach, categories and approximate number of data subjects and records, DPO contact, likely consequences, and measures taken or proposed.
- Assign named roles: Clearly document who is responsible for investigation, communication (internal and external), and mitigation activities.
- Communicate with affected individuals: If the breach poses risks to data subject rights, notify them promptly and record all communication.
- Centralise records: Track every update, conversation, system change, and mitigation action in a secure, tamper-evident system (A.5.28, A.8.15).
- Post-incident review and improvement: Conduct a lessons-learned session, link findings to risk and control updates, and update your Statement of Applicability (SoA).
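The workflow above, as an added example that is not code from ISMS.online or any regulator: a tamper-evident, hash-chained incident timeline in which every entry carries a named actor and a UTC timestamp, and the NIS 2 and GDPR clocks are computed from the first logged detection event. Assumptions, not facts from the page: that “awareness” coincides with the detection entry, that the NIS 2 “one month” final-report window is approximated as 30 days, that a notification is recorded by appending an entry whose action name equals the clock name, and that the hypothetical user IDs (`a.smith`, `b.jones`) and channel names are constructed sample data.

```python
"""Hash-chained incident timeline with NIS 2 / GDPR notification clocks (added example)."""
from __future__ import annotations

import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Statutory windows, counted from awareness of the incident (assumed == detection entry).
CLOCKS: dict[str, timedelta] = {
    "nis2_early_warning": timedelta(hours=24),          # NIS 2 Art. 23(4)(a)
    "nis2_incident_notification": timedelta(hours=72),  # NIS 2 Art. 23(4)(b)
    "gdpr_dpa_notification": timedelta(hours=72),       # GDPR Art. 33(1)
    "nis2_final_report": timedelta(days=30),            # NIS 2 Art. 23(4)(d), "one month" assumed 30 days
}
GENESIS = "0" * 64
DEPARTMENT_NAMES = {"it", "legal", "soc", "security", "compliance", "team"}  # crude check, assumption


@dataclass
class Entry:
    seq: int
    ts: str          # ISO-8601, UTC
    actor: str       # a named individual, never a department
    action: str      # free text, or a CLOCKS key when a notification is sent
    details: dict
    prev_hash: str
    hash: str


def _digest(seq: int, ts: str, actor: str, action: str, details: dict, prev_hash: str) -> str:
    """Hash of this entry bound to its predecessor; any edit to an earlier entry breaks the chain."""
    body = json.dumps({"seq": seq, "ts": ts, "actor": actor, "action": action, "details": details},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class IncidentTimeline:
    def __init__(self, incident_id: str, detected_at: datetime, detected_by: str) -> None:
        self.incident_id = incident_id
        self.entries: list[Entry] = []
        self.append(detected_at, detected_by, "detected", {"incident": incident_id})

    @property
    def detected_at(self) -> datetime:
        return datetime.fromisoformat(self.entries[0].ts)

    def append(self, ts: datetime, actor: str, action: str, details: dict) -> Entry:
        if ts.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        if not actor or actor.lower() in DEPARTMENT_NAMES:
            raise ValueError("actor must be a named individual, not a department")
        if self.entries and ts < datetime.fromisoformat(self.entries[-1].ts):
            raise ValueError("entries must be appended in time order")
        seq = len(self.entries)
        prev = self.entries[-1].hash if self.entries else GENESIS
        iso = ts.astimezone(timezone.utc).isoformat()
        entry = Entry(seq, iso, actor, action, dict(details), prev, _digest(seq, iso, actor, action, details, prev))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        """Recompute the chain; False if any entry was altered, reordered or removed."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev:
                return False
            if _digest(e.seq, e.ts, e.actor, e.action, e.details, prev) != e.hash:
                return False
            prev = e.hash
        return True

    def deadlines(self) -> dict[str, datetime]:
        return {name: self.detected_at + delta for name, delta in CLOCKS.items()}

    def status(self, now: datetime) -> dict[str, str]:
        """Per clock: 'met', 'late' (sent after the deadline), 'overdue' (not sent, deadline passed), 'open'."""
        result: dict[str, str] = {}
        for name, deadline in self.deadlines().items():
            sent = [datetime.fromisoformat(e.ts) for e in self.entries if e.action == name]
            if sent:
                result[name] = "met" if min(sent) <= deadline else "late"
            else:
                result[name] = "overdue" if now > deadline else "open"
        return result


def build_sample_timeline() -> IncidentTimeline:
    """Constructed sample: detection, owner assignment, early warning at +20h; no DPA notice yet."""
    t0 = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    tl = IncidentTimeline("INC-2025-0001", t0, "a.smith")
    tl.append(t0 + timedelta(hours=1), "a.smith", "assigned_owner", {"owner": "b.jones"})
    tl.append(t0 + timedelta(hours=20), "b.jones", "nis2_early_warning", {"channel": "national CSIRT portal"})
    return tl


if __name__ == "__main__":
    tl = build_sample_timeline()
    print(tl.status(tl.detected_at + timedelta(hours=80)), "chain intact:", tl.verify())
```

The point of `verify()` is that the timeline can be handed to an auditor as a single object whose integrity is checkable without trusting the system that produced it; a real deployment would anchor the head hash in a write-once store or sign it, which this example omits.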
Traceability snapshot
| Trigger event | Risk update | Control/SoA ref | Evidence logged |
|---|---|---|---|
| SOC flags unauthorised access | Risk escalated | A.5.25, A.8.15 | ISMS incident record |
| Missed 24h early-warning deadline | Nonconformity filed | A.5.31, A.5.27 | Audit log, alert record |
| Notifications sent to authorities | Notification recorded, incident moves to closure | A.5.31, A.5.26 | Workflow and review logs |
A fully logged, role-attributed, and immutable incident record is your strongest defence against regulatory risk and audit exposure.
Can you be fined under both NIS 2 and GDPR for the same breach-and how are penalties calibrated?
Not for the same conduct. Article 35(2) of NIS 2 provides that where the DPA imposes an administrative fine under GDPR Article 58(2)(i), the NIS 2 competent authority shall not impose an administrative fine under Article 34 for the infringement resulting from the same conduct. The NIS 2 authority can still impose non-monetary measures: warnings, binding instructions, mandatory remediation, audits, and for essential entities suspension of certifications or authorisations. Where the NIS 2 fine does apply, the maximum depends on your entity’s classification:
| Entity | Max administrative fine | Legal reference |
|---|---|---|
| Essential | €10M or 2% of total worldwide annual turnover, whichever is higher | NIS 2 Art. 34(4) |
| Important | €7M or 1.4% of total worldwide annual turnover, whichever is higher | NIS 2 Art. 34(5) |
- Fines are more severe when incidents go unreported, deadlines are missed, or records are incomplete, late, or manual.
- A systematised record and fast, thorough response routinely reduce or preempt maximum sanctions (Skillcast, 2025).
- Non-monetary actions-for instance, requiring new audits or suspending certifications-are common supplements if process failings are found.
What counts most isn’t just fixing the breach, but how quickly, transparently, and systematically you prove your process in the eyes of both authorities.
What does a typical “parallel investigation” include after an Article 35 breach?
Modern enforcement almost always leads to both a technical and a procedural investigation: regulators demand to see not only how the breach occurred, but how your response system functioned in real time. The decisions below were all GDPR enforcement actions by data protection authorities, not Article 35 referrals, but they show what a DPA examines once a matter reaches it.
- Meta Platforms: fined €91 million by the Irish DPC in 2024 after user passwords were found stored in plaintext; the findings included failing to notify the breach to the DPC and failing to document it (GDPR Art. 33(1) and 33(5)).
- TikTok: fined €530 million by the Irish DPC in 2025 over transfers of EEA user data to China and transparency failings.
- Vodafone Germany: fined €45 million by the BfDI in 2025 for inadequate oversight of partner agencies and authentication weaknesses in its customer portal and hotline processes.
Live audit examiner focuses
- Review of every handoff-who was assigned what, and when.
- Demand for immutable, role-attributed workflow records.
- Scrutiny of tools: spreadsheets and email fragments consistently invite deeper probes.
- Examination of both technical data flow and the procedure chain-with “soft” gaps elevated to serious findings.
In today’s regulatory world, the first thing questioned is the clarity and completeness of your audit trail-missing context or late logs are immediate red flags for double scrutiny.
What frameworks and tools keep you compliant and resilient after Article 35?
- Incident automation: Use a dedicated incident and records management system which embeds role assignments, automated notifications, workflow escalation, and real-time logs directly mapped to ISO 27001/Annex A controls (https://www.isms.online/incident-management-platform).
- Centralization: Store all event, workflow, and review logs in an immutable, central location-no scattered files or email trails.
- Live mapping: Tie every regulatory obligation to your operational playbooks and Statement of Applicability (SoA) for traceability.
- Routine drills: Quarterly run-throughs of “breach + notification” cycles, updating controls and practices using real outcomes (ENISA, 2024).
- Individual assignment: For each incident phase (detection, reporting, communication, closure), name the responsible person, not just the department.
- Continuous improvement: Post-incident reviews must flow directly into your SoA updates and risk reviews, proving you learn and adapt.
ISO 27001 bridge: expectation → operationalisation → audit reference
| Expectation | Operationalisation | ISO 27001:2022 Annex A reference |
|---|---|---|
| 24h/72h/one-month NIS 2 and 72h GDPR notifications | Workflow automation, tracked deadlines | A.5.31, A.5.24, A.5.26 |
| Role-specific audit trail | Tamper-evident logs, assigned personnel | A.8.15, A.5.28 |
| Dual authority engagement | Evidence trail connects to SoA | A.5.31, A.5.34 |
| Lessons learned, controls improved | Documented review, SoA/risk logging | A.5.27, A.5.35 |
Move forward by making your ISMS the frontline of both technical defence and procedural resilience-so every notification, review, and handoff is already mapped before auditors ever ask.
For leadership, risk managers, and ISMS owners, true Article 35 compliance isn’t about pass or fail. It’s the mark of a system where process, evidence, and accountability work in lock-step-making your reputation defensible before anything goes wrong.