This article was co-authored by Josh Curzon and Ed Le Gassick, Trainee Solicitors.
The notification maze: navigating GDPR, NIS2, DORA, CRA and the EU AI Act reporting obligations
Navigating the complex landscape of EU data protection and cybersecurity laws is critical for organisations operating within the European Union (EU). Over the last decade, the evolution of EU horizontal and vertical legislation has introduced strict and diverse reporting obligations, posing challenges not only to EU-based organisations but also to non-EU entities operating within the EU.
Our annexed table also provides a side-by-side overview of key aspects of these regulations such as enforcement dates, key reporting bodies, notification timelines, reporting thresholds, and communication obligations with affected individuals.
The Evolution of reporting obligations
The EU has progressively developed its cybersecurity and data protection frameworks to address the challenges posed by rapid technological advancements and the increasing prevalence of cyber threats.
EU data protection and cybersecurity framework
In 2016, the EU introduced the NIS Directive, marking its first comprehensive legislative effort to enhance cybersecurity across member states. This directive aimed to improve the security of network and information systems by requiring Member States to develop national cybersecurity strategies and mandating that operators of essential services and digital service providers implement appropriate security measures and report significant incidents.
The EU’s landmark General Data Protection Regulation (GDPR), which became enforceable on 25 May 2018, introduced stringent requirements for the processing of personal data. Its emphasis on transparency, security, data breach reporting obligations and the rights of individuals reinforced the EU's commitment to protecting personal data in an increasingly digital world.
This novel approach to strict reporting requirements ensures that measures to protect network and information systems are aligned with efforts to safeguard personal data, reflecting the EU's commitment to a holistic digital security strategy.
More broadly, the EU's approach to cybersecurity and data protection has been characterised by a deliberate effort to harmonise these areas with the aim to:
- Enhance personal data protection.
- Strengthen cyber risk management, especially for critical sectors.
- Foster regulatory cooperation across Member States.
This approach ensures that the integrity and confidentiality of personal data are maintained, even as digital infrastructures become more complex and interconnected. This synergy is evident in the way subsequent regulations have been designed to complement and reinforce each other, creating a robust framework for digital security.
The EU digital strategy
From a tech policy perspective, the EU has strategically developed its data protection, cybersecurity and AI legislation as integral components of its broader digital agenda. This approach aims to foster a secure and resilient digital environment, promoting innovation while safeguarding fundamental rights.
In February 2020, the European Commission unveiled its digital strategy, "Shaping Europe's Digital Future," outlining plans to strengthen digital sovereignty and set global standards in data and technology.
In December 2020, the EU introduced a new Cybersecurity Strategy for the Digital Decade to bolster Europe's collective resilience against cyber threats. This initiative is a key component of the EU's efforts to shape its digital future and ensure the security of its digital infrastructure.
Building on these strategic frameworks, the EU has introduced several legislative measures which all include strict and comprehensive new reporting regimes:
| Legislation | Purpose |
| --- | --- |
| NIS2 Directive | Enhances the security requirements for network and information systems across the EU, expanding the scope of sectors and introducing stricter supervisory measures. |
| Digital Operational Resilience Act (DORA) (2025) | Establishes a comprehensive framework to ensure the digital operational resilience of the financial sector, mandating that firms can withstand, respond to, and recover from ICT-related disruptions. |
| Cyber Resilience Act (CRA) | Sets common cybersecurity standards for products with digital elements, aiming to reduce vulnerabilities and protect consumers from cyber threats. |
| EU AI Act | Proposes a legal framework for AI, categorising AI systems based on risk and imposing corresponding regulatory requirements to ensure safety and compliance with fundamental rights. |
These legislative measures are designed to operationalise the EU's digital and cybersecurity strategies, translating high-level policy objectives into concrete obligations for organisations operating within the EU.
Expanding regulatory reporting obligations
The EU’s notification requirements have grown increasingly complex in the last 10 years.
Complexity of new reporting requirements
While many organisations are familiar with the GDPR’s obligation to notify supervisory authorities within 72 hours of a personal data breach, newer regulations impose additional and varied notification requirements. The result is a substantial administrative burden, particularly for organisations operating in multiple EU jurisdictions.
Under NIS2, organisations deemed essential or important must:
- Provide a 24-hour early warning notification to the competent authority or Computer Security Incident Response Teams (CSIRT), outlining whether the incident was caused by unlawful activity or has cross-border implications.
- Submit a 72-hour incident notification with an initial assessment of severity, impact, and indicators of compromise.
- Deliver a final report, typically within one month, detailing the root cause, mitigation measures, and broader impacts.
Under DORA, financial entities must provide a sequence of initial notifications, intermediate updates, and final reports, while the AI Act introduces unique obligations for high-risk AI system providers to notify market surveillance authorities of serious incidents, including property or environmental damage.
Under the CRA, manufacturers must report vulnerabilities or security incidents within strict timelines, including a 14-day final report for exploited vulnerabilities.
Streamlining reporting obligations
Efforts to harmonise obligations and implement internal frameworks include:
Regulatory mechanisms
Lawmakers have implemented measures to streamline processes and reduce administrative burdens for organisations:
- NIS2 Exemptions for Financial Entities: Financial entities subject to DORA are exempt from overlapping obligations under the NIS2 Directive. This ensures that sector-specific rules take precedence, preventing duplication and allowing financial institutions to adhere primarily to DORA's tailored requirements.
- Cross-Border Coordination: Under NIS2, competent authorities and CSIRTs are empowered to share information across member states. This collaboration facilitates a more unified response to incidents, potentially alleviating the need for organisations to submit multiple reports for the same event in different jurisdictions.
As NIS2 does not establish a centralised supervisory mechanism akin to the GDPR's one-stop shop, entities may still be required to report incidents to multiple national authorities, depending on their operations and the jurisdictions involved.
In general, alignment is not universal across all regulations. For instance, the AI Act mandates that providers of high-risk AI systems report serious incidents to the market surveillance authorities in each member state where the incident occurred. This requirement can lead to multiple reports for a single event, increasing the reporting burden for organisations operating across multiple jurisdictions.
In summary, while efforts have been made to harmonise reporting obligations and reduce redundancies, particularly through exemptions and enhanced cross-border coordination, certain sector-specific regulations continue to necessitate multiple notifications. Organisations must remain vigilant in understanding and complying with the distinct requirements pertinent to their operations to ensure full regulatory compliance.
Establishing internal notification frameworks
To meet their obligations, organisations need robust protocols to determine whether an incident meets relevant notification thresholds. Criteria vary across frameworks:
- GDPR: Focuses on risks to individuals’ rights and freedoms.
- NIS2: Evaluates operational impacts on networks, information systems, or critical infrastructure.
- AI Act: Takes a broader approach, including harm to individuals, property, the environment, or critical infrastructure.
Under the AI Act, for instance, providers must notify authorities if there is a reasonable likelihood of a causal link between an AI system and a serious incident. This encompasses harm to individuals, as well as property damage or environmental impact, representing a significant departure from other legislative approaches.
To assist with building policies and protocols, please see our guidance in the annexed table setting out the main reporting requirements under the different cybersecurity, data protection, digital and AI legislation.
Practical steps to mitigate reporting risks
To demonstrate compliance and effectively manage reporting obligations, organisations should:
- Enhance cybersecurity measures: Regularly assess risks and implement technical and organisational safeguards for networks and systems and specific security measures for sensitive data and special category data.
- Implement data breach and security incident framework policies: These policies should incorporate all applicable legal reporting requirements and be tailored to your organisation.
- Develop incident response plans and management protocols: Establish clear internal procedures to manage incidents and determine reporting thresholds. Ensure protocols cover:
  - Identification of the appropriate regulatory body to notify.
  - Whether a single notification suffices or multiple reports are required.
- Engage leadership: Ensure senior management understands their responsibilities and is trained and equipped to oversee compliance with incident management and reporting requirements.
Organisations must proactively address the challenges arising from these complex reporting obligations by developing robust internal frameworks and staying informed about evolving regulations.
For further information and how we can help your company with reporting obligations and minimise regulatory risks to your business, please contact: Nathalie Moreno, Ben Pumphrey, Tom Pelham, Ollie Dent.