When a cybersecurity incident occurs, the notification obligations resting on a company are usually numerous and onerous. A company will often have to comply with several legal and contractual incident reporting obligations at the same time, each with its own trigger, deadline and content requirements, and will be obliged to notify the same incident to several authorities and/or third parties.
On this page, you will find an overview of the most prominent incident reporting obligations for companies, as well as some focal points to keep in mind in the event of a cyber incident.
A breach of security may trigger the application of the incident notification obligations introduced by the NIS Directive.
The NIS Directive is aimed at boosting the overall level of cybersecurity in the EU. To that end, it imposes incident notification obligations on companies in sectors that are vital to the EU economy and society. These sectors include energy, transport, water, banking, financial market infrastructures, healthcare and digital infrastructure.
Since these rules are laid down in a directive, they are not directly applicable in the Member States; it is therefore necessary to check the specific national implementation of the NIS Directive in each jurisdiction relevant to your company's business, as thresholds, deadlines and competent authorities differ from one Member State to another.
Under the NIS Directive,
Please note that the concepts of operators of essential services and digital service providers are defined precisely; careful assessment is required, for example, to determine whether or not a company qualifies as a digital service provider.
According to the NIS Directive, the notification should include information enabling the competent authority or the CSIRT to determine any cross-border impact of the incident.
However, here again, the national law applicable to your company may require specific additional information.
Whenever a breach of security has led to a personal data breach (i.e. the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed, Article 4(12) GDPR), the notification obligations of the GDPR (Articles 33 and 34) may apply.
Under the GDPR:
Where the breach concerns cross-border processing (i.e. it affects the personal data of individuals in more than one Member State) and notification is due, the controller notifies the lead supervisory authority, i.e. the supervisory authority of its main establishment, rather than each national authority separately.
Please note that not only controllers but also data processors are expected to act on personal data breaches. As soon as a data processor becomes aware of a breach of personal data processed on behalf of the controller, it must notify the controller without undue delay (Article 33(2) GDPR). In principle, the controller is considered to be aware of the breach once the processor has informed it, and from that moment the 72-hour period for notifying the supervisory authority starts to run. Processor contracts should therefore set a short, concrete internal reporting deadline so that the controller retains enough of the 72 hours to assess and file the notification.
When a controller notifies a breach to the supervisory authority, it must describe at a minimum:
When communicating the breach to affected individuals (Article 34 GDPR), the controller must describe the nature of the breach in clear and plain language and provide at least the same contact point, likely consequences and remedial measures as in the notification to the authority; the categories and approximate numbers of data subjects and records required in the authority notification need not be included.
Besides the GDPR and the NIS Directive, sectoral regulations often include specific notification obligations for security incidents as well. In particular, several EU (and Member State) sectoral regulations impose notification obligations on companies in the telecommunications sector, the financial sector, the health sector, etc.
Below are listed a handful of sectoral security breach notification duties that may apply to your sector:
Besides notification obligations arising from EU (or national) law, companies have often also taken on security incident reporting duties in their contracts with customers, suppliers and/or insurers.
For example, your company's cybersecurity liability insurance policy may well require you to report any security incident to the insurer immediately, failing which the damage may not be recoverable. Likewise, your contracts with suppliers and customers may require you to notify, within a set time limit, any security incident that may affect their systems, impact their data or other assets, or degrade the services you provide to them. In the event of a security incident, these contractual notification obligations must be known and complied with as well, since non-compliance may trigger contractual penalties or other liability.
In order to prevent, detect, react to and address a security incident appropriately, it is advisable that companies check their legal and contractual obligations in advance and put in place internal processes and suitable technical measures (e.g. logging, monitoring and data-flow analysis tools), including an incident response plan that records, for each reporting obligation, what triggers it, who must be notified, by when, and what information the notification must contain.
If you need assistance in implementing these measures, please contact us.
Do you need immediate assistance? Call our cybersecurity hotline.
This article is part 3 of our cybersecurity series: