Who do I need to notify, what are my legal obligations?


When a cybersecurity incident occurs, a company's notification obligations are usually multiple and onerous. A company will often have to comply with several legal and contractual incident reporting obligations at the same time and will have to notify the same incident to several authorities and/or third parties, each with its own threshold, deadline and required content.

On this page, you will find an overview of the most prominent incident reporting obligations for companies as well as some focal points to keep in mind in the event of a cyberincident.

A. Legal obligations

1. The NIS Directive

A breach of security may trigger the application of the incident notification obligations introduced by the NIS Directive. 

The NIS Directive is aimed at boosting the overall level of cybersecurity in the EU. As such, it imposes incident notification obligations on companies in vital sectors in the EU economy and society. These sectors include energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure. 

Because these rules are laid down in a directive, they are not directly applicable in the Member States: you will need to check the national implementation of the NIS Directive in each jurisdiction relevant to your company's business. Note also that the NIS Directive has since been repealed and replaced by the NIS2 Directive (Directive (EU) 2022/2555), which covers more sectors and introduces a staged reporting timeline (an early warning within 24 hours and an incident notification within 72 hours of becoming aware of a significant incident), so check which regime applies in your jurisdiction.

1.1 Obligations

Under the NIS Directive, 

  • Operators of essential services (such as electricity suppliers, airlines, railway infrastructure operators, financial institutions…) must notify, without undue delay, the competent authority or the Computer Security Incident Response Team (CSIRT) of incidents having a significant impact on the continuity of the essential services they provide. Significance is assessed in particular by the number of users affected, the duration of the incident and the geographical area affected.
  • Digital service providers (being online marketplaces, online search engines and cloud computing service providers) must notify the competent authority or the CSIRT without undue delay of any incident having a substantial impact on the provision of the services they offer within the EU. The thresholds for whether an incident has a substantial impact have been determined by the European Commission in an implementing regulation (Commission Implementing Regulation (EU) 2018/151).

Please note that the concepts of operators of essential services and digital service providers are defined precisely; careful assessment is required, for example, to determine whether a company qualifies as a digital service provider.

1.2 Which information?

According to the NIS Directive, the notification provided should include information enabling the competent authority or CSIRT to determine any cross-border impact of the incident.  

However, this is only the minimum set by the Directive: the national law applicable to your company may require specific additional information.

2. The General Data Protection Regulation

Whenever a breach of security has led to a personal data breach (i.e. the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed), the notification obligations of the GDPR may apply.

2.1. Obligations

Under the GDPR: 

  • A personal data breach must be notified to the competent supervisory authority without undue delay and, where feasible, not later than 72 hours after the controller has become aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. If the notification is made after 72 hours, it must be accompanied by the reasons for the delay.

Whenever a breach affects the personal data of individuals in more than one Member State (e.g. cross-border processing) and notification is due, the controller must notify the lead supervisory authority rather than each national authority separately.

  • A personal data breach that is likely to result in a high risk to the rights and freedoms of individuals must also be communicated by the controller to the data subjects without undue delay, unless one of the exceptions listed in art. 34.3 applies. 

Please note that not only controllers, but also data processors have a role in breach notification. As soon as a data processor becomes aware of a breach affecting personal data it processes on behalf of a controller, it must notify the controller without undue delay. Once the processor has informed the controller, the controller is considered to be aware of the breach and the 72-hour countdown starts; a slow processor therefore eats into the controller's deadline, which is why processing agreements usually set a much shorter internal notification period.

2.2. Which information? 

When a controller notifies a breach to the supervisory authority, it must describe at a minimum:

  • The nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and of personal data records concerned
  • The name and contact details of the data protection officer (DPO) or another contact point where more information can be obtained
  • The likely consequences of the personal data breach
  • The measures taken or proposed to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects

Where this information cannot all be provided at once, it may be provided in phases without undue further delay. The controller must also document every personal data breach, including its facts, effects and the remedial action taken, whether or not it was notified, so that the supervisory authority can verify compliance.

When communicating a breach to individuals, the controller must describe the nature of the breach in clear and plain language and provide at least the last three items above (contact point, likely consequences and measures taken); the approximate numbers of data subjects and records need not be given.

3. Sectoral regulations

Besides the GDPR and the NIS Directive, sectoral regulations often include specific notification obligations in case of security incidents as well. In particular, several EU (and Member State) sectoral regulations impose notification obligations on companies in the telecommunications sector, the financial sector, the health sector…

Below are listed a handful of sectoral security breach notification duties that may apply to your sector: 

  • For the telecommunications sector, please refer to art. 13a of the Framework Directive (2002/21/EC), art. 2.4.c of Directive 2009/136/EC (which inserted the personal data breach notification duty into art. 4 of the ePrivacy Directive) and art. 2.2 of Commission Regulation (EU) No 611/2013 (notification to the competent national authority within 24 hours of detection, where feasible).
  • For the trust services sector, please refer to art. 19.2 of the eIDAS Regulation (EU) No 910/2014 (notification within 24 hours of becoming aware of a breach of security or loss of integrity with a significant impact).
  • For the medical devices sector, please refer to art. 87 and 88 of the Medical Devices Regulation (EU) 2017/745 (reporting of serious incidents and trend reporting).
  • For the financial sector, please refer to art. 96 of the PSD2 Directive (EU) 2015/2366 (major operational or security incidents, together with the corresponding EBA guidelines) as well as the TARGET2 requirements and the ECB cyber incident reporting framework.

B. Contractual obligations

Besides notification obligations arising from EU (or national) law, companies often also have taken on security incident reporting duties in their contracts with customers, suppliers and/or insurers. 

For example, it is quite likely that your company's cyber liability insurance policy requires you to report any security incident to the insurer immediately, failing which the damage may not be recoverable. Moreover, your contracts with suppliers and customers may require you to notify, within a set time limit, any security incident that may affect their systems, their data or other assets, or degrade the services you provide to them. In the event of a security incident, these contractual notification obligations must be known and complied with as well, since missing them may trigger penalties or other liabilities.

In order to prevent, detect, react to and address a security incident appropriately, it is advisable for companies to map their legal and contractual notification obligations in advance (who must be notified, within which deadline, with which information) and to put in place internal processes and suitable measures (e.g. data flow and log analysis tooling), including incident response plans that assign these notifications to named roles.

If you need assistance in implementing these measures, please contact us.


Related

This article is part 3 of our cybersecurity series:

  1. Help! I’ve been hacked.
  2. Your service provider goes down. What now?
  3. Who do I need to notify, what are my legal obligations?
  4. How can we help improve your cybersecurity?