EU DSA + GDPR + NIS2 Combined Platform Compliance Stack 2026: SaaS Developer Guide
Post #4 in the sota.io EU DSA SaaS Compliance Series
Most SaaS compliance guides treat DSA, GDPR, and NIS2 as separate workstreams. They aren't. For a European platform operator in 2026, all three are simultaneously active — and they share significant underlying infrastructure. A unified compliance stack is not a nice-to-have: it's the only cost-efficient way to meet all three without burning your engineering budget three times over.
This guide maps the intersections, identifies shared obligations, and gives you a concrete implementation checklist that satisfies DSA, GDPR, and NIS2 with a single, coherent architecture.
The Three-Regulation Landscape in 2026
Before diving into the combined stack, a quick orientation:
| Regulation | Primary Focus | Enforcement Deadline | Lead Authority |
|---|---|---|---|
| GDPR (2016/679) | Personal data processing | In force since 25 May 2018 | National DPAs (e.g. BfDI, CNIL, Garante) |
| NIS2 (2022/2555) | Network & information security | Transposition deadline 17 Oct 2024; national laws in force since then | National competent authorities (e.g. BSI, ANSSI) |
| DSA (2022/2065) | Platform content & transparency | VLOPs/VLOSEs since Aug 2023; all intermediaries since 17 Feb 2024 | Digital Services Coordinators (e.g. BNetzA, Arcom); European Commission for VLOPs/VLOSEs |
All three are binding today. All three carry significant penalties. And for most SaaS platforms, all three apply at the same time.
Where the Three Regulations Overlap
1. Data Records & Documentation
GDPR Art. 30 requires a Record of Processing Activities (RoPA).
NIS2 Art. 21 requires documented risk management measures.
DSA Art. 14 requires your terms and conditions to describe your content moderation policies and tools, and Art. 15 (all intermediaries) and Art. 24 (online platforms) require published transparency reports on moderation activity.
Overlap: All three need structured, maintained documentation of how your platform handles data, security, and user-generated content. Build one documentation framework; populate it to satisfy all three.
2. Incident Response
GDPR Art. 33–34 mandate notification of personal data breaches to the supervisory authority within 72 hours of becoming aware (unless the breach is unlikely to result in a risk), and to affected individuals without undue delay when the risk is high.
NIS2 Art. 23 mandates notification of significant incidents to the CSIRT or NCA: an early warning within 24 hours, an incident notification within 72 hours, and a final report no later than one month after that notification.
DSA Art. 36 (crisis response mechanism) lets the Commission require VLOPs/VLOSEs to assess and mitigate their role in a crisis, so those platforms need incident response capacity for content-related crises as well.
Overlap: A single incident management system — with configurable notification templates for different authorities and timelines — handles all three. The NIS2 24h early warning is your binding constraint; the GDPR 72h notification and any DSA crisis measures fit in the same workflow. Both clocks start at the moment of awareness, so record that timestamp explicitly in the incident ticket.
3. Vendor & Third-Party Risk
GDPR Art. 28 requires Data Processing Agreements with all processors.
NIS2 Art. 21(2)(d) requires supply chain security measures.
DSA Art. 34(2) requires VLOPs/VLOSEs to assess systemic risks arising from the design of their recommender and other algorithmic systems and from their content moderation systems, outsourced components included.
Overlap: A supplier register with DPA status, security questionnaire results, and content-risk classification covers all three. You're already maintaining vendor records; extend them to include NIS2 security posture and DSA content risk fields.
4. User Rights & Transparency
GDPR Art. 12–23 establishes data subject rights: access, erasure, portability, objection.
NIS2 has no direct user rights provisions, but Art. 21 security obligations protect the data that GDPR rights apply to.
DSA Art. 17, 20 and 21 establish content-specific user rights: statement of reasons, internal complaint handling, and out-of-court dispute settlement.
Overlap: Build a unified "user rights portal" that handles both GDPR data subject requests and DSA content-decision appeals. The workflows are different, but the authentication, ticketing, and audit trail are shared infrastructure.
5. Risk Assessment
GDPR Art. 35 requires Data Protection Impact Assessments (DPIAs) for high-risk processing.
NIS2 Art. 21 requires ongoing risk management for network and information systems.
DSA Art. 34 (Very Large Online Platforms and VLOSEs only) requires Systemic Risk Assessments.
Overlap: A structured risk register with DPIA, security risk, and (where applicable) DSA systemic risk dimensions in a single tool — rather than three separate point-in-time exercises — reduces duplication dramatically.
The Combined Compliance Stack: Architecture
Here is a reference architecture for a SaaS platform that satisfies all three regulations simultaneously.
Layer 0: Identity & Access Control (NIS2 + GDPR)
All three regulations require that access to personal data and critical systems is controlled, logged, and auditable.
Components:
- Identity Provider: Keycloak (EU-hosted), Authentik, or ZITADEL — OIDC/SAML, MFA enforcement
- RBAC: Role definitions that map to both NIS2 privileged access requirements and GDPR purpose-limitation
- Audit Logging: Immutable (append-only, tamper-evident) logs of who accessed what, when, and for which purpose — satisfies GDPR Art. 5(2) accountability and evidences the NIS2 Art. 21(2)(i) access control policies
- Privileged Access Management: CyberArk, HashiCorp Vault, or Teleport for just-in-time access to production systems
Shared value: One IAM layer. GDPR, NIS2, and DSA internal investigations all require the same audit trail.
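An added example (not sota.io code, and not part of the original post) of the tamper-evident audit logging this layer calls for: an HMAC-chained, append-only log in which every record commits to its predecessor, with a verifier that pinpoints the first altered, deleted or re-ordered record. The key, the field names and the sample accesses are constructed for the demo.

```python
"""Tamper-evident access audit log (added example; not sota.io code).

Each record's MAC covers the previous record's MAC, so editing, deleting or
re-ordering any entry breaks the chain on verification. Field names and the
demo key are this example's own assumptions.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed demo key. In production the MAC key lives in the PAM/secrets
# layer (e.g. a Vault transit key) so the service writing logs cannot re-sign them.
AUDIT_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64


def _canonical(record: Dict) -> bytes:
    """Deterministic serialisation so the MAC is reproducible on verification."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def _mac(body: Dict) -> str:
    return hmac.new(AUDIT_KEY, _canonical(body), hashlib.sha256).hexdigest()


class AuditLog:
    """Append-only, HMAC-chained log of who accessed what, when, and why."""

    def __init__(self) -> None:
        self.entries: List[Dict] = []

    def append(self, actor: str, action: str, resource: str, purpose: str,
               ts: Optional[str] = None) -> Dict:
        body = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "action": action,
            "resource": resource,
            "purpose": purpose,   # GDPR purpose limitation: every access names its purpose
            "prev": self.entries[-1]["mac"] if self.entries else GENESIS,
        }
        entry = {**body, "mac": _mac(body)}
        self.entries.append(entry)
        return entry

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Return (ok, first_bad_seq). Catches edits, deletions and re-ordering."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "mac"}
            if body.get("seq") != i or body.get("prev") != prev:
                return False, i
            if not hmac.compare_digest(_mac(body), entry["mac"]):
                return False, i
            prev = entry["mac"]
        return True, None


def demo() -> Dict[str, object]:
    """Three constructed accesses, then an after-the-fact edit and a deletion."""
    log = AuditLog()
    log.append("alice@example.eu", "READ", "customer/4711", "support-ticket-22")
    log.append("bob@example.eu", "EXPORT", "customer/4711", "dsar-2026-017")
    log.append("svc-moderation", "READ", "content/9981", "dsa-notice-551")
    intact, _ = log.verify()

    # An insider rewrites the purpose of Bob's export to hide a DSAR abuse.
    log.entries[1]["purpose"] = "routine-backup"
    tampered_ok, tampered_seq = log.verify()
    log.entries[1]["purpose"] = "dsar-2026-017"   # undo for the next check

    # Removing a middle record is also caught: seq and prev no longer line up.
    del log.entries[1]
    deleted_ok, deleted_seq = log.verify()
    return {"intact": intact, "tampered_ok": tampered_ok, "tampered_seq": tampered_seq,
            "deleted_ok": deleted_ok, "deleted_seq": deleted_seq}


if __name__ == "__main__":
    print(demo())
```

Keep the MAC key out of the service that writes the log (a Vault transit key or a KMS-backed HSM) and anchor the latest MAC periodically to a second system, otherwise an attacker who obtains the key can simply rewrite the whole chain.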
Layer 1: Data Protection (GDPR Core)
Components:
- RoPA System: Operational registry of all processing activities — purpose, legal basis, retention, transfers
- Consent Management Platform: Iubenda, Usercentrics, or Didomi — GDPR-compliant consent with DSA-compatible transparency notices
- Data Minimisation Controls: Automated PII detection (Presidio, AWS Macie equivalent) and retention enforcement
- Encryption: At-rest (AES-256) and in-transit (TLS 1.3 minimum) — baseline for both GDPR and NIS2
- DPIA Process: Templated DPIA workflow for new features; linked to the risk register
NIS2 connection: The data classified and protected by GDPR controls is the same data that NIS2 security measures protect. Shared classification schema reduces duplicate effort.
Layer 2: Security Operations (NIS2 Core)
Components:
- SIEM/SOAR: Wazuh (open source, EU-deployable), Microsoft Sentinel, or IBM QRadar — ingests logs from all layers
- Vulnerability Management: Regular scanning (OWASP ZAP, Trivy, Snyk) with remediation SLAs mapped to severity
- Patch Management: Defined patching cadence; critical patches within 24-72h of disclosure
- Business Continuity: Tested backup/recovery procedures with documented RTO/RPO
- Incident Response Plan: Step-by-step playbook with GDPR 72h, NIS2 24h, and (if VLOP/VLOSE) DSA notification paths all documented
GDPR connection: NIS2 security obligations directly protect personal data. Breaches in security systems (NIS2 scope) often trigger GDPR breach notifications. Design both workflows together.
Layer 3: Content & Platform Governance (DSA Core)
Components:
- Notice & Action System: (See Post #2 in this series) Implements DSA Art. 16 notice and action and Art. 17 statement of reasons, both of which apply to all hosting services
- Recommender System Transparency: (See Post #3 in this series) Art. 27 main-parameter disclosure for all online platforms and the Art. 38 non-profiling option for VLOP/VLOSE
- Terms of Service & Acceptable Use Policy: Updated for DSA Art. 14 compliance — clear, plain language, annual review cycle
- Content Moderation Workflow: Ticketing system for notices, with Statement of Reasons output linked to DSA Art. 17
- Trusted Flagger Integration: API or webhook for Trusted Flagger organisations (DSA Art. 22); elevated processing SLA
GDPR connection: Content moderation decisions involve personal data. Ensure your Notice & Action system has a lawful basis under GDPR Art. 6, and that Statement of Reasons logs are subject to appropriate retention limits and access controls.
Layer 4: Reporting & Governance (All Three)
Components:
- Compliance Dashboard: Single pane showing GDPR data subject request queue, NIS2 incident register, DSA notice queue, and risk register status
- DSA Transparency Report: Art. 15 annual report for intermediaries in scope (micro and small enterprises exempt), with the additional Art. 24 metrics for online platforms and six-monthly Art. 42 reports for VLOPs/VLOSEs; links to content moderation metrics
- GDPR Annual Review: DPA-facing reports where required; DPIA refresh trigger on material system changes
- NIS2 Registration: Registered with the relevant NCA(s) in each Member State where you provide essential or important services (plus the Art. 27 registry for digital infrastructure and digital providers); supervisory evidence (audits, self-assessments) maintained as national law requires
- Supplier Register: Combined DPA tracker + NIS2 security questionnaire + DSA content-risk classification; reviewed annually
Scope Determination: Does Each Regulation Apply to You?
Not every SaaS platform faces the same obligations under all three. Work through the scoping questions first.
GDPR Scope
Applies if: You process personal data of EU residents in the context of offering goods/services or monitoring behaviour (Art. 3).
Practically: Almost every B2C SaaS and most B2B SaaS (employee data, contact data) are in scope. Purely internal tools with no EU user data are the rare exception.
NIS2 Scope
Applies if: You are a medium or large entity (≥50 employees, or annual turnover or balance sheet above €10M) active in a sector listed in Annex I (essential) or Annex II (important). Regardless of size, it also applies to DNS service providers, TLD name registries, trust service providers and public electronic communications providers (Art. 2(2)), and to entities a Member State designates as critical.
Key SaaS-relevant categories:
- Cloud computing service providers (IaaS/PaaS/SaaS) — Annex I, Sector 8 (Digital infrastructure)
- Online marketplaces, online search engines, social networking platforms — Annex II, Sector 6 (Digital providers)
- Managed service providers and managed security service providers — Annex I, Sector 9 (ICT service management, B2B)
- Digital infrastructure (DNS, TLD registries, IXPs, data centres, CDNs) — Annex I, Sector 8
Small enterprises (<50 employees and ≤€10M turnover) are generally out of NIS2 scope unless they fall under the Art. 2(2) size-independent categories (DNS, TLD, trust services, public electronic communications) or are designated by their Member State.
DSA Scope
Applies if: You are an "intermediary service" offering services to EU recipients — which includes:
- Hosting services (cloud storage, web hosting, SaaS with user-generated content)
- Online platforms (hosting user content accessible to others)
- Very Large Online Platforms (VLOPs) or VLOSEs (designated by the Commission at 45M+ average monthly active recipients in the EU)
Most SaaS platforms are at minimum "hosting services" and face the Art. 16 Notice & Action obligation.
Practical scope matrix:
| Platform type | GDPR | NIS2 | DSA |
|---|---|---|---|
| B2B SaaS (no UGC, <50 staff) | ✅ Full | ❌ Likely out | Minimal (hosting-service duties if storing user data) |
| B2C SaaS with UGC (any size) | ✅ Full | ✅ Only if in an Annex I/II sector and medium/large | ✅ N&A, statement of reasons, Art. 14; Art. 20–21 if an online platform |
| Cloud/MSP/DNS provider | ✅ Full | ✅ DNS/TLD at any size; cloud/MSP if medium/large | ✅ Hosting scope |
| VLOP/VLOSE (≥45M MAU) | ✅ Full | ✅ Likely (Annex II digital provider, medium/large) | ✅ Full DSA scope |
Combined Incident Response: The Critical Path
Incident response is where the timing mismatches between regulations can cause compliance failures. Design your playbook around the tightest deadline.
Step-by-Step Combined Incident Playbook
Hour 0–4: Detection & Classification
- SIEM alert triggers; on-call engineer confirms incident
- Initial classification: Is personal data affected? (GDPR trigger) Are essential services impaired? (NIS2 trigger) Is platform content/availability affected? (DSA trigger)
- Incident Commander assigned; War Room opened in Slack/Teams with dedicated channel
Hour 4–24: NIS2 Early Warning
- If NIS2-scoped and the incident meets the significance test: send the early warning to the CSIRT/NCA before the 24h mark
- Content: incident detected, whether unlawful or malicious action is suspected, whether cross-border impact is possible
- Template pre-approved by legal, auto-populated from incident ticket
Hour 24–72: GDPR Assessment + NIS2 Incident Notification
- DPO and Incident Commander complete the breach assessment: data types involved, likely risk to individuals, mitigation measures taken
- Unless the breach is unlikely to result in a risk to individuals: notify the DPA within 72h of becoming aware (GDPR Art. 33); a late notification must state the reasons for the delay
- NIS2 incident notification to the CSIRT/NCA within 72h: update on severity and impact, indicators of compromise where available, preliminary cause, initial mitigation
Hour 72+: User Notification + NIS2 Final Report
- If GDPR "high risk" confirmed: communicate the breach to affected individuals without undue delay (Art. 34)
- NIS2 final report to the CSIRT/NCA no later than one month after the 72h notification: root cause, full impact assessment, cross-border effects, mitigation applied; if the incident is still ongoing at that point, file a progress report then and the final report within one month of closing it
- If VLOP/VLOSE and the Commission has activated the DSA Art. 36 crisis response mechanism: document the assessment and the measures taken
Key tool: A single incident management platform (e.g. PagerDuty, Jira Service Management, or OpsGenie) with pre-configured notification workflows for each regulation's authority and timeline.
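The deadline arithmetic in the playbook above is where teams slip, so here is an added example (not sota.io code, and not part of the original post) that turns an incident's classification into a sorted list of notification deadlines and picks the binding constraint. The Incident fields are assumptions made for the demo; the clocks follow GDPR Art. 33–34 and NIS2 Art. 23(4) as described above, and the DSA entry is a placeholder because Art. 36 is triggered by a Commission decision rather than a timer.

```python
"""Combined GDPR / NIS2 / DSA notification clock (added example; not sota.io code).

Computes every notification an incident currently requires from the moment of
awareness, which is where both the GDPR Art. 33 and NIS2 Art. 23 clocks start.
The Incident fields are this example's own classification model.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class Incident:
    aware_at: datetime                                    # starts every clock
    personal_data_affected: bool = False                  # GDPR trigger
    risk_to_individuals: Optional[bool] = None            # None = DPO assessment pending
    high_risk_to_individuals: bool = False                # GDPR Art. 34 trigger
    nis2_scoped: bool = False                             # essential/important entity
    nis2_significant: bool = False                        # meets the Art. 23(3) test
    nis2_notification_sent_at: Optional[datetime] = None  # when the 72h notification went out
    vlop_crisis_decision: bool = False                    # Commission activated DSA Art. 36


@dataclass(order=True)
class Deadline:
    due: datetime
    regulation: str = field(compare=False)
    step: str = field(compare=False)
    fixed_clock: bool = field(compare=False, default=True)  # False = "without undue delay"


def notification_deadlines(inc: Incident) -> List[Deadline]:
    """All notifications this incident currently requires, earliest first."""
    out: List[Deadline] = []
    t0 = inc.aware_at

    if inc.nis2_scoped and inc.nis2_significant:
        notify_due = t0 + timedelta(hours=72)
        out.append(Deadline(t0 + timedelta(hours=24), "NIS2 Art. 23(4)(a)", "early warning to CSIRT/NCA"))
        out.append(Deadline(notify_due, "NIS2 Art. 23(4)(b)", "incident notification to CSIRT/NCA"))
        # The final report is due one month after the (b) notification was actually
        # sent; until it is sent, project from its deadline. 30 days is a
        # conservative reading of "one month".
        anchor = inc.nis2_notification_sent_at or notify_due
        out.append(Deadline(anchor + timedelta(days=30), "NIS2 Art. 23(4)(d)", "final report to CSIRT/NCA"))

    if inc.personal_data_affected:
        # Art. 33: notify unless the breach is UNLIKELY to result in a risk. An
        # unassessed breach is treated as notifiable so the clock is never lost.
        if inc.risk_to_individuals is None or inc.risk_to_individuals:
            out.append(Deadline(t0 + timedelta(hours=72), "GDPR Art. 33", "breach notification to lead DPA"))
        if inc.high_risk_to_individuals:
            out.append(Deadline(t0, "GDPR Art. 34", "communicate breach to affected individuals",
                                fixed_clock=False))

    if inc.vlop_crisis_decision:
        out.append(Deadline(t0, "DSA Art. 36", "act on the Commission's crisis-response decision",
                            fixed_clock=False))
    return sorted(out)


def binding_constraint(inc: Incident) -> Optional[Deadline]:
    """Earliest fixed-clock deadline: the one the playbook is designed around."""
    fixed = [d for d in notification_deadlines(inc) if d.fixed_clock]
    return fixed[0] if fixed else None


def demo() -> Dict[str, object]:
    """Constructed incident: personal data hit, risk assessment pending, NIS2-significant."""
    t0 = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    inc = Incident(aware_at=t0, personal_data_affected=True,
                   nis2_scoped=True, nis2_significant=True)
    clocks = [(d.regulation, (d.due - t0).total_seconds() / 3600)
              for d in notification_deadlines(inc)]
    # A breach the DPO has assessed as unlikely to pose a risk, outside NIS2 scope.
    quiet = Incident(aware_at=t0, personal_data_affected=True, risk_to_individuals=False)
    return {"hours_from_awareness": clocks,
            "binding": binding_constraint(inc).regulation,
            "quiet_obligations": len(notification_deadlines(quiet))}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Wire `aware_at` to the moment a human confirms the incident, not to the first SIEM alert, and store it in the ticket: if the timestamp is disputed later, every deadline above moves with it.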
Data Retention: The Cross-Regulation Matrix
| Data type | GDPR retention | NIS2 retention | DSA retention |
|---|---|---|---|
| Access/audit logs | Shortest period necessary for the purpose (typically 6-24 months) | Not fixed by the Directive; set by national law or your Art. 21 risk assessment (12 months is a common baseline) | Not specified (apply GDPR default) |
| Incident records | Duration of risk + statute of limitations | At least until the Art. 23 final report and any supervisory follow-up are closed | Not specified; keep the evidence behind your Art. 15/24 transparency figures |
| User content moderation decisions | Duration of content availability + appeals period | N/A (not security data) | At least the 6-month complaint window after the decision (Art. 20(1)), plus any Art. 21 dispute in progress |
| Security event logs | Minimum needed for threat analysis (typically 12 months) | Not fixed by the Directive; 12 months is a common baseline | N/A |
| DPA/vendor agreements | Duration of agreement + limitation period (3 years is common practice) | Duration + evidence of security assessment | N/A |
Practical rule: Apply the longest retention requirement that applies to each data type, then ensure appropriate access controls and purge automation. Do not retain beyond the longest required period.
Transfer Impact Assessments: GDPR + DSA + NIS2 Alignment
If you transfer personal data outside the EEA, GDPR Chapter V together with the post-Schrems II EDPB guidance requires a Transfer Impact Assessment (TIA) alongside your transfer mechanism. NIS2 Art. 21(2)(d) requires that your supply chain security measures cover third-country providers. The DSA Art. 34 systemic risk assessment (VLOPs/VLOSEs) has to account for outsourced components of your content moderation and recommender systems.
Combined approach:
- Maintain a data flow map (GDPR Art. 30 scope) that includes all third-country transfers
- For each third-country vendor: document the legal transfer mechanism (SCC/BCR/adequacy), the NIS2 security questionnaire result, and (if VLOP/VLOSE) how the outsourced service is covered in the Art. 34 risk assessment
- Review annually or on material change
This triple-use data flow documentation replaces three separate exercises.
The sota.io Advantage: EU-Sovereign Infrastructure Removes the Stack Complexity
The combined compliance burden is substantially lower when your underlying infrastructure is EU-sovereign:
| Risk | US-hosted SaaS | EU-sovereign SaaS |
|---|---|---|
| GDPR transfer risk (CLOUD Act) | Transfer impact assessment + SCCs required for every US sub-processor | No third-country transfer; SCCs not required |
| NIS2 supply chain risk | Must assess US cloud provider's security posture against NIS2 Art. 21 for every service | EU-regulated providers; NIS2 posture assessable under EU law |
| DSA Art. 34 systemic risk (VLOPs/VLOSEs) | Risk from US law enforcement access to content moderation data | No CLOUD Act exposure on content moderation records |
sota.io runs on 100% EU infrastructure (Hetzner Frankfurt, OVHcloud Strasbourg) with no US sub-processors in the data path. For SaaS teams building the combined compliance stack described in this guide, that eliminates the most complex cross-regulation risk: US government access under CLOUD Act affecting GDPR-protected data.
Implementation Checklist: Combined DSA + GDPR + NIS2
Phase 1: Scoping (Week 1)
- Confirm GDPR scope (data subjects, processing activities, DPA appointment)
- Confirm NIS2 scope (sector, size thresholds, registration obligation in each Member State)
- Confirm DSA scope (intermediary service type, VLOP/VLOSE threshold check)
- Map regulation intersections for your specific platform type
Phase 2: Documentation Foundation (Weeks 2–4)
- Create/update RoPA (GDPR) — extend with NIS2 security measures fields and DSA transparency fields
- Create combined risk register with DPIA, NIS2 risk, and (if applicable) DSA systemic risk dimensions
- Draft combined incident response playbook with NIS2 24h, GDPR 72h, and DSA timelines
- Establish supplier register with DPA status, security questionnaire, and DSA content-risk classification
Phase 3: Technical Controls (Months 1–3)
- Deploy IAM with MFA and audit logging (shared NIS2/GDPR/DSA requirement)
- Configure SIEM with retention policies aligned to combined matrix above
- Implement Notice & Action system (DSA Art. 16/17)
- Configure consent management platform (GDPR Art. 7)
- Run first vulnerability scan and patch critical findings
Phase 4: Governance & Reporting (Month 3 onward)
- NIS2 registration with relevant NCA(s)
- DSA transparency report (Art. 15; micro and small enterprises are exempt)
- GDPR annual review cycle established
- Supplier audits scheduled
- Staff training on combined obligations complete
Key Takeaways
The EU regulatory stack in 2026 is not three separate compliance programmes — it is one unified risk management framework seen from three different angles: data (GDPR), security (NIS2), and platform governance (DSA). Build the infrastructure once, map it to all three, and your audit responses become straightforward.
The highest-ROI move is to centralise documentation, incident management, and vendor tracking into systems that satisfy all three simultaneously. The lowest-ROI move is to treat each regulation as an isolated workstream with separate tools and separate teams.
Running on EU-sovereign infrastructure removes the hardest cross-regulation risk: CLOUD Act exposure that triggers GDPR transfer assessments, NIS2 supply chain concerns, and DSA content-data confidentiality concerns all at once.
What's Next
Post #5 (Finale) covers the full DSA SaaS compliance stack: every tool, every checklist, and the implementation roadmap for platforms of all sizes — from solo-founder apps to VLOPs.
Related posts in this series:
- EU DSA 2026: Complete SaaS Developer Compliance Guide — #1 in this series
- EU DSA Notice & Action System 2026 — #2: Art. 16/17 implementation
- EU DSA Recommender System Transparency 2026 — #3: Art. 27/38 opt-out
For the underlying regulations:
- NIS2 SaaS Compliance 2026: Germany BSIG Developer Guide
- EU GDPR Data Sovereignty: Why EU Hosting Matters in 2026
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.