The General Data Protection Regulation has been in force across the EU since May 2018. It governs how personal data is collected, used, stored, transferred, and erased, and gives data subjects rights (access, rectification, erasure, portability, objection) that organisations must operationalise.
GDPR is not a security framework, but security is one of its requirements. Article 32 obliges controllers and processors to apply appropriate technical and organisational measures, and the regulation explicitly cites pseudonymisation, encryption, confidentiality, integrity, availability, and resilience. ISO 27001 is one of the most common ways European organisations evidence Article 32 compliance, and the certificate is often referenced in customer contracts and DPA addenda as the operative control regime.
The crossover with NIS2 is sharper than people expect. NIS2 incident reporting deadlines (24 hours initial, 72 hours follow-up) sit alongside GDPR's 72-hour personal-data-breach notification. An incident that triggers both regimes hits both clocks, often through different supervisory authorities. Building the response runbook once, with the right notifications to the right regulators, is faster than discovering the overlap during the incident itself.