Comparative overview of reporting requirements under EU data protection and cybersecurity laws

Date in force

GDPR
Entered into force on 25 May 2016. The Regulation’s provisions applied in full from 25 May 2018.

NIS2
Member state deadline of 17 October 2024. As of November 2024, 23 member states had failed to meet this deadline.

DORA
Entered into force on 17 January 2025. The relevant technical standards relating to the reporting and notification of incidents are subject to delegated legislation to be published in the Official Journal of the EU.

CRA
Entered into force on 10 December 2024. Full application shall be 36 months after that date; however, Article 11 (relating to Reporting Obligations) shall apply 21 months from the date of entry into force of the Regulation.

AI Act
Entered into force on 1 August 2024. Full application of the majority of the AI Act’s provisions (including the provisions relating to the reporting of serious incidents) will commence on 2 August 2026.

Key Reporting Body

GDPR
Data controller.

NIS2
Operators of highly critical and critical services (as listed in Annex 1 and Annex 2 of the Directive).

DORA
Financial entities within the scope of Article 2.

CRA
Manufacturers.

AI Act
  1. Providers of high-risk AI systems.
  2. Deployers of AI systems (users), where an incident affects health, safety or fundamental rights.
  3. Providers of General Purpose AI (GPAI) models with systemic risk.

Notification timeline to regulatory body

GDPR (Article 33(1))
Report to the data protection supervisory authority to be made within 72 hours of the controller first becoming aware of the incident; if not made within 72 hours, the report is to be accompanied by reasons for the delay.

NIS2 (Article 23)
Entities must report significant incidents as follows:

  1. an early warning shall be submitted within 24 hours of becoming aware of the incident;
  2. an incident notification within 72 hours, including an initial assessment of the incident’s severity and impact and any indicators of compromise;
  3. an intermediate report, upon the request of a CSIRT or a competent authority, on relevant status updates;
  4. a final report to be issued one month after submission of the 72 hour incident notification (or, where incident handling is still ongoing at that point, within one month of its completion).

DORA (Article 19)
Financial entities to report major ICT-related incidents to the relevant competent authority as follows:

  1. an initial notification;
  2. an intermediate report as soon as the status of the original incident has changed significantly or the handling of the incident has changed based on new information;
  3. followed by updated notifications every time a relevant status update is available (as well as upon a specific request of a competent authority);
  4. a final report when the root cause analysis has been completed, regardless of whether mitigation measures have already been implemented, and when the actual impact figures are available to replace estimates.

CRA (Article 14)
Manufacturer to notify the designated CSIRT and ENISA of:

  1. any actively exploited vulnerability; or
  2. any severe incident impacting the security of the product.

Requirements:

  • an initial early warning notification without undue delay and within 24 hours;
  • (unless already provided) a vulnerability or incident notification within 72 hours;
  • if the notification concerns an exploited vulnerability, a final report to be provided no later than 14 days after a mitigating measure is available;
  • if the notification concerns a security incident, the final report is due within one month of the 72 hour incident notification.

AI Act (Article 73)

  1. General reporting timeline: the report is to be provided immediately after the provider has established a causal link between the AI system and the serious incident (or the reasonable likelihood of such a link), and no later than 15 days after the provider or deployer becomes aware of the serious incident.
  2. Exceptions for specific incidents:
    • critical infrastructure impact: the report shall be provided immediately and no later than 2 days after the provider / deployer becomes aware of the incident;
    • the death of a person: the report shall be provided immediately after the provider or the deployer has established, or suspects, a causal relationship between the high risk AI system and the serious incident, and no later than 10 days after becoming aware of the serious incident.
  3. Interim reporting: a provider or deployer may submit an initial report that is incomplete to ensure timely reporting, followed by a complete report.

Providers of GPAI models to report serious incidents to the AI Office without undue delay.

Reporting threshold for notification to regulatory body

GDPR
Required to report unless the incident is unlikely to result in a high risk to the rights and freedoms of individuals.

NIS2
An incident shall be considered significant if:

  • it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;
  • it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

DORA
Financial entities shall report:

  1. major ICT-related incidents to the relevant competent authority. A major ICT-related incident is defined as “an ICT related incident that has a high adverse impact on the network and information systems that support critical or important functions of the financial entity”;
  2. major operational or security payment-related incidents, defined as “an operational or security-related incident that has a high adverse impact on the payment-related services provided”.

CRA
Notification to be made in respect of:

  • any actively exploited vulnerability contained in the product with digital elements;
  • any severe incident having an impact on the security of the product with digital elements. A security incident is defined as “severe” where it:
    (a) negatively affects (or is capable of negatively affecting) the ability of a digital product to protect the availability, authenticity, integrity or confidentiality of sensitive or important data or functions; or
    (b) has led to (or is capable of leading to) the introduction or execution of malicious code in a product or in the network and information systems of a user of the digital product.

AI Act
Providers of high risk AI systems placed on the EU market must report any serious incident to the market surveillance authorities of the Member States where the incident occurred (reporting to multiple authorities may therefore be needed).

A serious incident is defined as an incident or malfunctioning of an AI system that directly or indirectly leads to:

  • death or serious harm to health;
  • a serious and irreversible disruption of the management or operation of critical infrastructure;
  • infringement of obligations under EU law intended to protect fundamental rights;
  • serious harm to property or the environment.

Deployers identifying a serious incident must:

  • immediately inform the provider first;
  • then notify the importer/distributor and the relevant surveillance authority.

If they are not able to reach the provider, the incident reporting obligations under Article 73 apply directly to the deployer (sensitive operational data forming part of law enforcement AI systems is excluded).

Reporting requirements

GDPR
The incident notification must describe:

  • the nature of the breach, with details of the data and the number of affected data subjects;
  • the likely consequences of the breach;
  • the measures taken by the controller to address the breach and mitigate its possible adverse effects.

NIS2
The 72 hour incident notification should include an assessment of the severity and impact of the incident, as well as, where available, indicators of compromise.

The final report should include:

  • a detailed description of the incident, its severity and impact;
  • the type of threat or root cause likely to have triggered the incident;
  • applied and ongoing mitigation measures;
  • where applicable, any cross-border impacts.

DORA
The detailed reporting requirements for financial entities and the thresholds for determining major ICT-related incidents are set out in the technical standards delegated legislation.

Financial entities must include the following in their reports:

  1. Initial notification:
    • basic details about the incident and affected systems.
  2. Intermediate reports:
    • updates on incident status, response measures and any new relevant information.
  3. Final report:
    • root cause analysis;
    • actual impact figures (replacing initial estimates);
    • details of mitigation measures implemented.

CRA
  1. 72 hour notification to include:
    • general information about the relevant product;
    • the general nature of the exploit/vulnerability concerned;
    • any corrective measures taken; and
    • any measures that users can take.
  2. Final 14 day report to contain:
    • a detailed description of the vulnerability (including severity and impact);
    • information concerning the malicious actor exploiting the vulnerability;
    • details about the security update or other corrective measures that have been made available to remedy the vulnerability.

AI Act
Further guidance on incident reporting obligations is to be issued by the European Commission by 2 August 2025.

Communication with affected individuals / entities

GDPR (Article 34)
Duty to notify data subjects of the breach without undue delay.

NIS2
Entities are required to notify, without undue delay, any recipients of their services where a significant incident has occurred, and to inform them of any measures or remedies that those recipients are able to take in response.

DORA
Financial entities may also, on a voluntary basis, notify significant cyber threats to the relevant competent authority where the threat is deemed to be of relevance to the financial system, service users or clients.

CRA
Component-level reporting: manufacturers are required, upon identifying a vulnerability or a severe incident in a component which may be integrated into the digital product, to report the vulnerability to the person or entity maintaining the component, together with any mitigating measures.

AI Act
Awaiting further guidance as above.

Reporting threshold for informing affected individuals / entities

GDPR
The duty arises where the breach is likely to result in a high risk to the rights and freedoms of natural persons.

NIS2
Entities must notify recipients where the incident is likely to:

  • adversely affect the provision of those services;
  • impact the financial interests or security of clients.

DORA
Entities must notify their clients where a major ICT-related incident has occurred and has an impact on the financial interests of clients or their assets, and must inform them of any appropriate protection measures.

Notifications must include:

  • details of the incident;
  • risks posed to clients;
  • recommended protection measures or mitigation steps.

CRA
User notification: manufacturers to inform impacted users (and all users where appropriate) of:

  • any vulnerability or security incident impacting on the product; and
  • any risk mitigation measures.

AI Act
Awaiting further guidance as above.

Any voluntary reporting requirements

GDPR
None.

NIS2
The Directive provides for any entity (whether or not falling within the scope of the Directive) to submit notifications to CSIRTs / competent authorities and to exchange cyber security information on a voluntary basis through specific information sharing arrangements.

DORA
Financial entities may voluntarily notify:

  • significant cyber threats to the relevant competent authority where deemed to be of relevance to the financial system, service users or clients;
  • threats or vulnerabilities that could impact the broader financial ecosystem.

CRA
Voluntary reporting options: manufacturers (and any other persons) may voluntarily notify:

  • any vulnerability contained in a digital product;
  • any cyber threats which could affect the risk profile of a product;
  • any security incident impacting the security of the product;
  • any near misses that could have resulted in such an incident.

AI Act
Awaiting further guidance as above.