Cyber Grant Blog

NIS2 and GDPR: building a unified risk governance system

Written by CyberGrant Team | Jun 12, 2026 6:55:49 AM

NIS2 and GDPR: management system and organizational model as a unified governance architecture


Topics covered: NIS2 compliance · GDPR accountability · digital risk governance · management systems · organizational model · ISO 19011 · data protection · cybersecurity governance


Treating data protection and cybersecurity as separate disciplines is an organizational fiction that weakens digital risk governance. In practice, data and systems share the same threat exposure and fall within the same sphere of leadership accountability.

Read together, GDPR and NIS2 do not describe distinct domains. They converge on the integration of strategic and operational layers inside a single management system, one in which leadership decisions translate into structured processes, effective controls, and clearly assigned responsibilities, with full traceability.

This third article concludes the trilogy on decision-making architecture for genuine digital protection. It shows why integrating strategic governance, operational execution, and organizational model design is both a legal requirement and an organizational necessity. Future compliance demands a unified structure capable of governing personal data, digital infrastructures, and risk in a coherent chain of accountability.

Read also: NIS2 and GDPR: strategic governance and compliance (part one) and GDPR and NIS2: turning strategy into operational execution (part two).


When two regulations converge in the same governance system

This third piece closes a trilogy on the decision-making architecture that GDPR and NIS2 require.

The first article established the role of the strategic level: the place where fundamental choices are made and accountability is consciously assumed. The second examined the operational level, where those decisions are translated into structured processes, effective controls, and verifiable actions.

The picture is now complete. On one side sits whoever sets the organization's direction and defines its acceptable risk threshold. On the other, whoever turns that direction into structures capable of functioning continuously.

That raises a decisive question: does it still make sense to treat GDPR and NIS2 compliance as separate tracks, governed by separate logics?

For years the division seemed almost natural. Data protection belonged to the legal function, associated with privacy notices, contractual clauses, registers, and formal obligations. Cybersecurity belonged to the technical domain, the province of infrastructure and systems specialists. Two languages, two professional silos, two separate decision chains.

That model has run out of road. A technical vulnerability can immediately become a personal data breach with significant legal consequences. The same digital processes affect network security and the protection of fundamental rights simultaneously. Both regulations address the same leadership bodies and occupy the same organizational accountability space.

The operational reality demands an integrated reading. GDPR and NIS2 converge in a single digital risk governance system, one in which data protection, systems security, and strategic threat management are components of the same architecture.

The goal is not to merge two models. It is to recognize that the organization is one, the risk is one, and the accountability is one. Only from that recognition can a coherent vision take shape, integrating law, technology, and governance inside a single command-and-control structure.


Data and digital infrastructure: a single risk surface

Every critical process today runs through a digital infrastructure. Most organizations operate within information systems that concentrate data, decisions, operations, and accountability in the same environment. Technology is not an external support layer. It is the environment in which organizational activity happens.

Every system processes data: personal data, but also strategically sensitive information such as proprietary know-how, industrial data, financial flows, commercial intelligence, and reputational assets. And every piece of data exists only inside a system that stores, processes, transmits, and protects it.

That interdependence makes any separation between protecting data and protecting systems structurally artificial. In operational practice, there is a single surface exposed to risk. When the system is vulnerable, data is immediately exposed. When data is inadequately protected, the system loses reliability and integrity.

Both regulations address digital risk governance from convergent angles. GDPR protects individuals and their fundamental rights by securing personal data, because data can translate into power, control, discrimination, and effects on freedom and dignity. NIS2 strengthens the security, continuity, and resilience of the systems on which essential services, critical infrastructures, and economic stability depend.

The two perspectives meet in organizational practice. Data and systems are mutually dependent and share the same risk exposure. The response must therefore be unified. If the risk is one, governance cannot fragment.


Those who govern must be able to prove it

The principle running through both GDPR and NIS2 is accountability.

Accountability that belongs to the leadership, manifests in the quality of its decisions, and is measured by the ability to demonstrate them.

In GDPR, it takes the form of the accountability principle under Articles 5(2) and 24: the controller is responsible for compliance with the data protection principles and must be able to demonstrate it. In NIS2, it becomes direct responsibility for administrative and management bodies: Article 20 of Directive (EU) 2022/2555 requires them to approve the cybersecurity risk management measures adopted by the entity, to oversee their implementation, and to accept liability for infringements. In neither case is a purely formal delegation acceptable.

Adopting technical or organizational measures is not enough. Organizations must demonstrate why those specific measures were chosen.

Accountability resides in the process that precedes adoption. What matters is which risks were analyzed, which alternatives were considered, which criteria guided the decision, and how responsibilities were assigned. A measure is only valid when it is the documented outcome of a deliberate decision.

This is where the management system becomes essential. It is not a set of documents. It is the structure that makes visible the link between assessed risk and adopted measure, between strategic decision and operational execution.

That is where GDPR and NIS2 truly converge. The regulatory categories differ, but the underlying principle is identical: governing means deciding with method and being able to demonstrate what was decided and how it was carried out.


When accountability becomes a system

If governing means making deliberate decisions and being able to prove them, accountability cannot remain a stated principle or depend on individual initiative. It must be structured, made stable, and maintained over time.

A decision is genuinely accountable only when it sits inside a structure that keeps it coherent with other choices, traceable, verifiable, and improvable. That requires a structure: an organization of accountability.

In technical terms, that organization is what ISO standards define as a management system. ISO 19011:2018, "Guidelines for Auditing Management Systems," defines it as a set of interrelated or interacting elements of an organization to establish policies and objectives, and processes to achieve those objectives. Not a document, but a dynamic structure of elements operating in a coordinated way.

In the context of data protection and cybersecurity, a management system encompasses policies approved by leadership, defined objectives, assigned roles, activated processes, applied procedures, executed controls, conducted audits, and corrective actions taken. It is the organization's actual functioning when governing risk, alive in decisions and their execution.

In that interplay between strategy and operations, accountability gains substance and becomes method.

For that method to be effective, responsibilities must be assigned with precision. There must be no ambiguity about who decides, who receives delegated authority, who executes, who oversees, and to whom each level is accountable. Without that clarity, the structure breaks apart and loses governing capacity.

From that requirement emerges the organizational model. The term is often used interchangeably with management system, but the two are not the same thing.

The organizational model is the formalized expression of the management system: the structured set of documents that fix internal rules and make the governance framework visible. It encompasses policies, regulations, procedures, appointment instruments, registers, risk analyses, and operational guidelines.

If the management system is the organization's concrete functioning over time — the daily cycle of analyzing risks, making decisions, implementing measures, and verifying outcomes — the organizational model is the architecture that makes that functioning readable and auditable.

The system is dynamic because it lives in processes, operational choices, and daily controls. The model is predominantly static because it takes form in documents that describe roles, rules, and responsibilities.

Put another way: the management system is the exercise of accountability. The organizational model is its formal configuration, the structure that allows it to be understood, assessed, and audited.

Read through the lens of accountability, GDPR and NIS2 converge on this construction: leadership decides and is accountable; the management system ensures coherent execution; the organizational model guarantees traceability and demonstrability. In that integration, accountability becomes organized governance.


A system measured by the decisions it shapes

The value of a management system lies in the quality of the decisions it can orient.

A system is real when it reliably guides risk analysis, defines priorities, disciplines the adoption of measures, and maintains coherence between strategic direction and operational execution. Its solidity depends on persistent alignment between what leadership decides and what the organizational structure delivers.

The organizational model makes that functioning possible by defining the chain of responsibilities and the authority required to exercise them. Without a clear accountability architecture, the system is ungovernable. Without an effectively operating system, the model remains a formal construct.

In an integrated GDPR and NIS2 framework, the system must evolve as threats change; the documentary structure must be updated as the regulatory context, the organization, or the technology shifts. The system provides operational continuity. The model provides structural coherence.

Management systems weaken when responsibilities blur, decisions are not made explicit, and functions overlap. When that happens, even complete documentation cannot compensate for an absent governance function. When the alignment between decision, execution, and control breaks down, even a formally impeccable model loses effectiveness.


Governing, not just complying

GDPR and NIS2 do not ask merely for compliance. They require governance.

Producing well-drafted policies, signed delegations, or updated registers is not enough. Organizations must be able to demonstrate that a clear direction exists; that decisions stem from deliberate analysis; that accountability is legible across the entire organizational chain; and that operational action is coherent with what leadership approved. A supervisory authority or an auditor will ask for exactly that evidence: not only which measures are in place, but which assessed risk each one answers and who decided it.

Governing means proving that every choice has a foundation and that every control fits within a broader design. The integrated organizational model, aligning NIS2 and GDPR requirements, becomes the condition for credible compliance precisely because it makes the underlying management system visible and auditable.

That is where the entire argument converges. GDPR and NIS2 point toward a single objective: building an organization capable of integrating strategy and operations, data protection and systems security. Not an organization that follows the rules. A structure capable of governing risk deliberately and continuously.

The distinction is not between GDPR and NIS2. It is between organizations that govern risk and those that absorb it.

The regulations provide the architecture. Whether an organization truly inhabits it is a leadership decision.