NIS2, GDPR, nDSG: What European Businesses Need to Know in 2026
The regulatory landscape is accelerating
If you run a business in Europe, you're operating under one of the most complex cybersecurity regulatory environments in the world. GDPR has been the baseline since May 2018. Switzerland's revised Data Protection Act (nDSG) came into force on 1 September 2023. And the NIS2 directive, which entered into force in January 2023 with a transposition deadline of 17 October 2024, is still being turned into national law across member states, several of which missed that deadline.
For many businesses, especially those operating across borders, the question is not whether these regulations apply but how to comply with all of them simultaneously.
GDPR: still the foundation
The General Data Protection Regulation remains the cornerstone of data protection in Europe. If you process personal data of people in the EU, GDPR applies regardless of where your company is headquartered. Key requirements include a lawful basis for processing, data minimization, notification of personal data breaches to the supervisory authority within 72 hours of becoming aware of them (unless the breach is unlikely to result in a risk to individuals), and the right to erasure.
What's changed in 2026: enforcement has tightened. The European Data Protection Board has stepped up cross-border cooperation between supervisory authorities, and fines are no longer reserved for big tech; mid-sized businesses are now regularly subject to audits and penalties.
nDSG: Switzerland's own framework
Switzerland's revised Federal Act on Data Protection (nDSG) aligns closely with GDPR but has its own nuances. It applies to all data processing that has an effect in Switzerland, even if it is initiated abroad. Key differences include a broader definition of sensitive personal data (it also covers data on administrative or criminal proceedings and sanctions and on social assistance measures), a data protection impact assessment that is mandatory wherever processing may pose a high risk, specific rules for data transfers outside Switzerland, and a different sanctions model: instead of administrative fines against the company, the nDSG provides criminal fines of up to CHF 250,000 against the responsible individuals. Breach notification is also worded differently: breaches likely to result in a high risk must be reported to the FDPIC "as quickly as possible" rather than within a fixed 72-hour window.
For Swiss businesses with EU customers (or EU businesses with Swiss operations), dual compliance is not optional; it's a legal requirement.
NIS2: the cybersecurity directive
While GDPR and nDSG focus on data protection, the NIS2 directive targets cybersecurity directly. It expands the scope of the original NIS directive to cover more sectors and more organisations within them, and imposes stricter requirements: a baseline of risk management measures, management-level accountability for those measures, supply chain security, and staged incident reporting (an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within one month).
The practical takeaway: even if your business isn't directly in scope, your clients or partners likely are, and because NIS2 obliges them to address the security of their suppliers, those obligations arrive as contractual requirements and supplier questionnaires. Supply chain compliance is becoming a competitive requirement.
The WAARD assessment considers all three frameworks. Your maturity report identifies compliance gaps across GDPR, nDSG, and NIS2, so you know exactly where to focus.
Know where you stand.
Start your free cybersecurity assessment today. 15 minutes, actionable results.