BLOG

NIS2 and the EU AI Act: where they overlap, where they don't

By PowerQuant | Updated June 2026 | Reading time: ~8 minutes

Two EU regimes now ask broadly similar questions of HR-tech vendors and the enterprises that deploy them: the NIS2 Directive on cybersecurity (Directive (EU) 2022/2555) and the EU AI Act (Regulation (EU) 2024/1689). They are not the same regulation, they have different scopes, and their penalty regimes are different — but they collide in the same control room. This article explains where they overlap, where one stops and the other starts, and how to build a single evidence base that satisfies both rather than duplicating work.

Quick reorientation: what each regulation actually does

NIS2 — cybersecurity baseline + incident reporting

NIS2 raised the EU's baseline for cybersecurity risk management and incident reporting. Its core mechanic is Articles 21 and 23: risk-management measures (governance, supply-chain security, incident handling, business continuity, vulnerability handling, basic cyber hygiene, MFA, encryption, asset management, training, etc.) and a staged incident-reporting timeline.

Scope: NIS2 applies to essential and important entities across eighteen sectors — energy, transport, banking, financial-market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, space, postal, waste, chemicals, food, manufacturing (incl. medical devices), digital providers (incl. online marketplaces, search engines, social networks), and research. The Member State transposition deadline was 17 October 2024; national implementations vary in scope of who is captured.

The incident-reporting cadence under Art. 23: 24 hours for an early warning, 72 hours for an incident notification, and a one-month final report.

EU AI Act — product-safety regime for AI

The AI Act is a product-safety regulation. It classifies AI systems by risk (prohibited, high-risk, limited-risk, minimal/no-risk) and attaches obligations accordingly. For high-risk systems, providers carry the design-time stack (risk management, technical documentation, data governance, transparency, human oversight, accuracy, robustness, cybersecurity — Arts. 9–15 — plus conformity assessment and CE marking). Deployers carry Art. 26 (use according to instructions, oversight, monitoring, log retention, worker information, etc.). Most application from 2 August 2026; AI literacy and prohibitions in force since 2 February 2025.

Where the two regimes overlap

1. Cybersecurity as a design property of AI systems

AI Act Article 15 requires that high-risk AI systems be designed and developed in such a way that they achieve an appropriate level of accuracy, robustness, and cybersecurityand that they perform consistently in those respects throughout their lifecycle. It explicitly addresses resilience against attempts by unauthorised third parties to alter their use, outputs or performance — including adversarial manipulation (data poisoning, model poisoning, evasion, model flaws and confidentiality attacks).

NIS2 Article 21 requires essential and important entities to take appropriate and proportionate measures to manage the risks to the security of the network and information systems they use — which in practice covers the same control surface for the deployer of an AI system. If your HR AI runs inside a NIS2-regulated entity, the system's cybersecurity is in scope of both regimes simultaneously.

2. Supply-chain due diligence on AI vendors

NIS2 Art. 21(2)(d) makes supply-chain security an explicit risk-management area — relationships with direct suppliers and service providers, including security practices of those suppliers. AI Act Art. 25 and Art. 26 push deployers to gather evidence from providers (instructions for use, DoC, EU-database entry, human-oversight design). The procurement evidence overlaps almost completely: a single vendor-evidence pack can serve both NIS2 supply-chain due diligence and the AI Act provider-artefact collection.

3. Incident reporting

Both regimes require deployers and providers to report. They do not, however, report the same incidents to the same authorities on the same clock:

  • NIS2 (Art. 23): "significant incidents" affecting the provision of services — 24h early warning, 72h notification, 1-month final report — to the national CSIRT or competent authority.
  • AI Act (Art. 73): providers of high-risk AI systems must report "serious incidents" — those that lead or could lead to death, serious harm to health, serious harm to fundamental rights, serious damage to property or the environment, or a serious and irreversible disruption of critical infrastructure — to the market-surveillance authority of the Member State of occurrence. Reporting windows are tied to awareness of the incident, with shorter clocks for certain categories.
  • If a single event qualifies as both — say, a model-confidentiality attack that exposes candidate data inside a NIS2 entity — you owe both notifications, on both clocks, to potentially different authorities. Your incident-management runbook needs to pre-classify on intake.

    4. Governance and accountability

    NIS2 puts ultimate accountability on management bodies (Art. 20): they must approve the cybersecurity risk-management measures, oversee implementation, and undertake training. The AI Act assigns accountability through the provider/deployer roles and, for deployers, through Art. 26 (named human oversight, worker information). Mature programmes route both into a single AI & Cyber Risk Committee with management-body sign-off, rather than two parallel governance stacks.

    5. Logging and traceability

    AI Act Arts. 12 + 26(6) require automatic logging for high-risk systems and ≥6-month retention by deployers. NIS2 Art. 21(2) implicitly relies on logging and monitoring as part of an effective incident-handling capability. A single logging design — capturing AI-system operational logs alongside security telemetry, with consistent retention — satisfies both. Two parallel logging programmes will drift apart and you will be the one debugging the gap during a regulator's audit.

    Where they don't overlap

  • Fundamental rights — purely an AI Act concern (Arts. 26(7), 27, 86). NIS2 does not address bias, transparency to affected persons, or the right to explanation.
  • Annex III classification — AI-Act-only. Whether your HR system is high-risk under Annex III has nothing to do with whether you are an essential or important NIS2 entity.
  • Sector scope — most HR-tech vendors are not NIS2 entities themselves (unless they sit in digital infrastructure / ICT service management). The deployer often is. The AI Act applies to both regardless of sector.
  • Penalty structure — NIS2 sets maximum fines of €10 million for essential entities and €7 million for important entities (the higher of the flat amount or, respectively, 2% and 1.4% of total worldwide annual turnover applies). AI Act max fines: €35M/7% (prohibitions), €15M/3% (other obligations including Art. 26), €7.5M/1% (incorrect info). Both can apply to the same organisation.
  • Conformity assessment / CE marking — AI-Act-only product-safety mechanic (Arts. 43, 47, 48). NIS2 has no equivalent.
  • A single evidence base for both regimes

    The simplest way to keep the overlap manageable is to design your evidence base to serve both regimes from one source. For an HR-tech deployer that is also a NIS2 important or essential entity, that means maintaining:

  • One AI inventory — covers AI Act classification and contributes to NIS2 asset management.
  • One vendor evidence pack per AI system — provider DoC + Art. 13 instructions + Art. 14 oversight description + security questionnaire + sub-processor list + log-retention configuration. Serves both AI Act Art. 26 and NIS2 supply-chain due diligence.
  • One incident runbook — single intake, parallel notification paths (NIS2 CSIRT, AI-Act market-surveillance authority, GDPR DPA where personal data is involved), with pre-defined classification rules.
  • One logging policy — covers Art. 12/26(6) AI-system logs and NIS2 security telemetry, with consistent ≥6-month retention as a floor.
  • One governance forum — AI & Cyber Risk Committee that reports into the management body and signs off both AI Act readiness and NIS2 measures.
  • One training register — Art. 4 AI literacy + NIS2 Art. 20 management-body cyber training, with role-based coverage.
  • The goal is not regulatory minimalism — it is to avoid two parallel programmes that, when audited independently, contradict each other. Single source of truth, two reporting views.

    A note on national variation

    NIS2 transposition has not been uniform. Some Member States transposed on time, some late, some with broader sectoral scope. The Danish implementation has its own designated competent authorities for essential and important entities. The AI Act is a Regulation and applies directly, but Member States designate their own market-surveillance authorities under Art. 70. Before you finalise the incident runbook, confirm the competent authorities for every Member State where you operate — they may not be the same body.

    What to do this month

  • Identify whether your organisation is an essential or important NIS2 entity (or both, for groups with mixed sectors), and whether any AI Act high-risk obligations apply to your HR systems.
  • Map your existing cybersecurity controls and AI controls into a single matrix and look for duplicate work — that is your consolidation backlog.
  • Combine vendor questionnaires. Two separate procurement questionnaires (security + AI) confuse vendors and waste your reviewers' time.
  • Stand up an incident runbook that classifies on intake and routes to all applicable authorities, with the strictest applicable clock as the default.
  • Sources

  • Directive (EU) 2022/2555 (NIS2), Articles 20, 21, 23, 34.
  • EU AI Act (Regulation (EU) 2024/1689), Articles 12, 15, 25, 26, 27, 70, 73, 86, 99.
  • ENISA — NIS2 guidance and the EU CSIRT network reporting framework.
  • European Commission — AI Act Service Desk guidance on Art. 73 serious-incident reporting.
  • One evidence base, two regulations covered.

    PowerQuant builds AI inventory + Article 4 register + NIS2-compatible vendor evidence in 5–21 days — fixed fee, source-cited, no double work.

    Start with M1 — 10.999 kr