What Role Does the DPO Play in the Implementation of the NIS2 Directive within an Organisation?
ANSWER
The role of the Data Protection Officer (DPO) in the implementation of the NIS2 Directive within an organisation raises legitimate questions — particularly in the context of the risk of conflicts of interest.
In accordance with Article 38(6) GDPR, the DPO may perform other tasks and duties, but only on the condition that they do not give rise to a conflict of interest. In practice, this means that the DPO should not perform functions related to determining the purposes and means of processing personal data, as this would undermine their independence and objectivity.
The NIS2 Directive imposes numerous cybersecurity obligations on organisations, including conducting risk assessments, implementing technical and organisational measures, and reporting incidents. If the DPO is involved in these processes in a decision-making capacity, a problem arises: when later monitoring compliance, they would be evaluating actions that they themselves had previously planned or implemented. This is a classic example of a conflict of interest.
This is also confirmed by decisions of the President of the Personal Data Protection Office (UODO), which clearly indicate that assigning tasks to the DPO that may give rise to a conflict of interest constitutes a breach of the GDPR (see, for example, here). The DPO cannot simultaneously design solutions (e.g. in the area of cybersecurity) and subsequently monitor those same solutions for compliance. Such a dual role undermines their impartiality and exposes the organisation to the risk of being found in breach of the regulations.
Therefore, the involvement of the DPO in an NIS2 project should be limited to an advisory and supervisory role — without assigning decision-making or executive responsibilities in the area of cybersecurity. Only in this way can an organisation ensure the DPO's independence while avoiding potential conflicts of interest.