From 25 May 2011, providers of publicly available communication services will need to notify regulatory authorities and users if the provider suffers a security breach affecting personal data.

These new rules implement the amended E-Privacy Directive, adopted by the European Parliament in 2009.

The Commission had intended to issue guidelines before May 2011, setting common requirements across Member States as to when breaches should be notified and setting out common formats and procedures, as provided for in Article 4(5) of the amended Directive. These guidelines are important, to avoid providers being faced with multiple, possibly inconsistent, notification requirements, which would greatly add to the time and cost of dealing with security breach notifications.

The Commission has not yet started this process (which will likely take at least one year from when it is started), so it is clear that guidelines will not be ready in time. Ahead of Commission work in this area, ENISA has started to collate views of relevant stakeholders with a view to developing guidelines and will be chairing a meeting on 24 January in Brussels.

Providers who are interested in attending can find further details here: