How to Avoid Making News in Europe for a Data Breach

Blog WilmerHale Privacy and Cybersecurity Law

Until recently, cybersecurity rules in the EU have by and large been governed by a patchwork of national laws containing cybersecurity requirements applied by different EU member countries. That is changing, with cybersecurity now being addressed more systematically at the EU level, as illustrated by the recent entry into force of the EU General Data Protection Regulation (“GDPR”). EU rules in some cases harmonize national rules and in other cases provide an overlay on top of them. It is up to EU member countries to designate which regulator (national competent authority) deals with cybersecurity rules. This may vary, depending on the specific rules at issue. The designated authority could be a communications regulator, a data protection authority, or a cybersecurity agency.

While most companies have focused their attention on the GDPR, the regulatory framework at the EU level is composed of several different regulations or directives with differing goals and varying scope:

  • The GDPR imposes cybersecurity obligations on all companies that process personal data.
  • The ePrivacy Directive currently complements the GDPR and provides more specific rules that apply to providers of electronic communications services.
  • The planned ePrivacy Regulation, which will replace the ePrivacy Directive once it is finalized and adopted, would no longer contain such rules, since they have been moved to a proposed directive intended to establish a European Electronic Communications Code (“EECC”). A separate directive on network and information systems security (“NIS Directive”) applies to critical infrastructure in specific sectors. The EECC and the NIS Directive cover processing activities generally, not just those involving personal data.
  • Finally, the Cybersecurity Act refines the institutional framework for safeguarding cybersecurity in the EU.

We discuss each of these legislative measures in our “8-in-8 Recent Trends in European Law and Policy Alert Series: Cybersecurity and the EU: How to avoid making news in Europe for a data breach?” client alert.

