Author:

Dr. Lukas Fleischer
Associate

Notification obligations under the GDPR, German NIS2 Transposition Law (draft), DORA, CRA and AI Act

1. Overview of selected digital laws

The most recent EU digital legislation is rather diverse. While the (not so new) European General Data Protection Regulation (GDPR) focuses on the protection and free movement of personal data, the German NIS2 Transposition Law (currently only in draft form) primarily aims to create greater resilience of critical infrastructure against cyber risks. Similarly, the Digital Operational Resilience Act (DORA) aims to improve digital resilience in the financial sector in particular, whereas the Cyber Resilience Act (CRA) sets forth special regulations and cybersecurity requirements for the manufacture and marketing of products with digital elements. Finally, the EU Artificial Intelligence Act (AI Act) creates a general legal framework for the use of artificial intelligence that is both compatible with fundamental rights and trustworthy.

2. Notification and information obligations

Although these new laws of the EU digital rulebook pursue the common goal of raising security standards, they differ significantly in terms of their scope of application and their addressees. However, all these legal acts have one thing in common: They all include specific notification and/or information obligations for security breaches which are either imminent or have already occurred. Whether a notification and/or information must be provided is determined by the legal benchmark of the respective legal act. Under the GDPR, for example, the "trigger" for the notification obligation is a personal data breach, whereas under the CRA, an actively exploited vulnerability in a product with digital elements leads to a notification obligation. It is important for companies to realize that they can be subject to several notification and/or information obligations for the same incident. It is therefore crucial in practice to keep an eye on all relevant reporting obligations. In the PDF attachment to this newsletter, we outline which reporting and notification obligations exist under the different digital laws and when they apply.