Cyber Attacks – What Does the Law Require?

The420.in Staff

Organisations across the EU and UK must take basic steps to protect personal data—covering information about both customers and employees—by implementing strong technical and organisational safeguards. This includes any business that processes personal data, and even those without a physical presence in the region but with users there.

Specific sectors—like finance, healthcare, and digital infrastructure—face stricter legal obligations. They must guard against cyber-attacks and promptly report data breaches to regulators.

Incident Reporting and Consequences

Under both the EU and UK GDPR, organisations must notify the relevant authority within 72 hours of discovering a breach, sharing details on:

  • The nature and impact of the breach
  • The number and types of people affected
  • What caused it, and how they’re responding

Failing to comply can lead to hefty penalties: up to 20 million euros or 4% of global revenue, whichever is higher.

In the UK, entities deemed essential—like energy, health, or online services—must also report attacks that disrupt services to regulators within 72 hours.

New Rules under the NIS 2 Directive

The updated NIS 2 Directive enforces tougher standards for incident reporting and preparedness. Affected organisations must:

  • Notify authorities within 24 hours of major attacks
  • Provide a full report within 72 hours
  • Issue a final follow-up within one month

They must also communicate with users about risks and remedial steps. Noncompliance can result in penalties of up to 10 million euros or 2% of global annual turnover.

Why This Matters

With cyber-attacks increasing in frequency and severity, these legal requirements help organisations stay prepared and transparent. By enforcing minimum security standards and clear reporting timelines, regulators aim to minimise harm to individuals, maintain trust, and avoid unchecked data security failures.