Skip to main content

Latest EU Proposal Will Force More Companies to Disclose Data Breaches

Written by Susan Foster

(LONDON)  The European Commission recently published a draft “Cybersecurity Directive” which aims to increase the level of preparedness across the EU to deal with threats to network and information security.  The Directive provides for information-sharing and cooperation between the governments of Member States of the EU to tackle cybersecurity threats.

As for companies, the Cybersecurity Directive will extend the regime that currently applies to telecommunications providers to other players who facilitate internet access and services.  The Directive will apply to all providers of internet-related infrastructure, from the providers of basic internet access to ancillary services such as payment processing.  The affected services providers are referred to in the Directive as “market operators.”

Private market operators will want to pay particular attention to the proposed security breach notice requirements in Article 14.  Market operators will have to notify national authorities of any security breaches, and the national authorities will have the power disclose the breach to the public – or to require the market operator to disclose the breach – if the national authority deems it to be in the public interest to do so.

The draft Directive is not yet in final form, and once in final form it will have an implementation period.  We’ll keep an eye on this and provide updates as the Directive progresses from draft to implementation.

The draft Directive is available here:


Subscribe To Viewpoints


Cynthia J. Larose

Member / Chair, Privacy & Cybersecurity Practice

Cynthia J. Larose is Chair of the firm's Privacy & Cybersecurity Practice, a Certified Information Privacy Professional-US (CIPP-US), and a Certified Information Privacy Professional-Europe (CIPP-E). She works with clients in various industries to develop comprehensive information security programs on the front end, and provides timely counsel when it becomes necessary to respond to a data breach.