EU cyber security Directive would create a stronger breach notification regime

On 7 February the EU Commission issued a draft Directive for cyber security. The draft, entitled Directive on Network and Information Security, would oblige market operators and public administrations to report incidents that have a significant impact on the security of the core services they provide. The competent national authority could, in turn, order these controllers to notify the relevant individuals.

The notification requirement would apply to public administrations, key Internet companies (e.g. large cloud providers, social networks, e-commerce platforms, search engines), and the banking, health, energy and transport sectors. It is proposed that organisations could use a single notification template to notify cyber security incidents that also involve personal data breaches.

Read more about this topic in Privacy Laws & Business International Report, issue 121, February 2013.