Resource Center / Tools and Trackers / Incident Notification and Information Sharing Requirements: EU Digital Laws
Incident Notification and Information Sharing Requirements: EU Digital Laws
This chart is meant as a guide to provide an overview of digital incident notification and information sharing requirements across several EU digital laws.
Published: April 2025
Contributors:
A number of EU laws require some form of reporting in the event of a data breach or other cybersecurity incident. Such notification requirements differ depending on many variables, such as the entity in question and the type of incident at hand. Hence, many organizations are faced with the challenge of navigating a complex legal environment to identify whether a certain law applies in their case, what reporting obligations it entails, and whether, and how, they may overlap with obligations under other EU digital legislation.
This chart is meant as a guide to provide an overview of digital incident notification and information sharing requirements across several EU digital laws, namely the General Data Protection Regulation, the Law Enforcement Directive, the e-Privacy Directive, the Data Governance Act, the Data Act, the Network and Information Security Directive 2, the Digital Operational Resilience Act, the Payment Services Directive 2, the Cyber Resilience Act and the Artificial Intelligence Act. The first iteration of this chart does not capture all EU laws with similar requirements; rather, it focuses on laws that either have broad material scope or have sectoral significance.
