Long “lagging” behind the US in the specific area of breach notification (in contrast to privacy rules), Europe is getting a new network security/breach notification regime called the Network Information Security (NIS) directive. This comes on top of the notification already required in the General Data Protection Regulation (GDPR, which contains the Data Protection Directive, or DPD), which covers compromised PII. More at IAPP, with the following excerpt explaining the “triggering” of the new NIS breach notification (emphasis ours):
Unlike the GDPR, which mandates notification only when there is a risk to personal data, the Directive requires operators to notify competent authorities whenever there is a substantial impact on the provision of the operator’s service.
The NIS is actually pretty narrowly tailored (more so than US breach notification rules), to (1) essential service providers (think: infrastructure) and (2) “digital service providers” with more than 50 employees or an annual balance sheet over 10 mln EUR. “Digital service providers” may sound fairly broad, but it is actually specific in the NIS to (a) online marketplaces, (b) online search engines, and (c) cloud computing services — so apparently something like a web publisher or the web site of a company or organization in general wouldn’t be covered.
The final rule is expected to be formally passed sometime in the Spring, and the member states will then have 21 months to pass implementing legislation. More details in the IAPP post.
Kudos to the EU for passing a balanced and non-duplicative network information security and breach notification rule.