On 25 August 2013, EU Regulation 611/2013 (the Notification Regulation) came into force. The Notification Regulation sets out new rules governing when and how electronic communication providers and internet service providers (i.e. telcos and ISPs) must notify the regulatory authorities in their host member state if they have suffered a data security breach. Of key importance, telcos and ISPs must now notify the authorities within 24 hours of a breach occurring.
Following the implementation of the Notification Regulation, the UK Information Commissioner's Office (the UK regulatory authority) has now published its guidance to businesses on the new rules (the Guidance).
As an EU regulation, the Notification Regulation is directly effective in every EU member state and, unlike an EU directive, does not need to be implemented through further national law. As such, the Guidance does not supersede the Notification Regulation; rather, it is a way of helping organisations understand the new requirements and adopt best practice.
The Notification Regulation and the Guidance should be of interest not only to telcos and ISPs, but potentially to all data controllers, given that similar notification requirements for all data controllers may yet be introduced throughout the EU under the draft EU Data Protection Regulation.
The full Guidance can be found here.