

4.5 [DETAILS] Data Breach Reporting Obligations

This section provides background information on obligations to report data breaches. It is ancillary to the section above, which discusses accounts for data breach reporting.

This section provides a brief overview of current and forthcoming EU data breach notification requirements, focusing on the Framework Directive, the ePrivacy Directive, the General Data Protection Regulation (GDPR) and the upcoming Network and Information Security (NIS) Directive. At present, before the GDPR comes into force and with the exception of the telecommunications sector, data breach notifications are in general not mandatory in most countries in the European Union. Nonetheless, it is important to note that some countries (e.g. Spain and Germany) have introduced data breach notification requirements into local legislation and into regulatory codes of practice (e.g. Ireland). Different data breach notification requirements (for personal data breaches and for breaches involving operators in critical sectors and public operators) are foreseen in both the upcoming GDPR and the NIS Directive. Bear in mind that national legislation or sector-specific regulations might also apply in some specific cases, even though they are not considered in this overview.