
Data Breach Notification Under NIS2 and GDPR

What data breach notification means under NIS2 and GDPR, who you must tell, and how fast the clock runs.

Data breach notification is one of the most time-pressured duties in EU regulation. When a significant incident hits, the clock starts immediately — and for many organisations two regimes apply at once.

Two overlapping clocks

Under NIS2, in-scope entities must submit an early warning within 24 hours and a fuller notification within 72 hours of becoming aware of a significant incident. Under GDPR, a personal-data breach must be reported to the supervisory authority within 72 hours where feasible. A single incident can trigger both.

What to prepare in advance

  • A defined incident classification so you can decide quickly whether a report is required.
  • Named roles and contact points for the relevant authorities.
  • A detection capability that actually surfaces incidents in time to report them.

Where this fits

Data breach notification is a core obligation for essential and important entities. For the full picture, read our critical infrastructure protection guide, and see how a SIEM provides the detection that reporting depends on.
