Don't tell them now (or at all) - responsible disclosure of security incidents under NIS Directive and GDPR

摘要

In this article, we critically analyse the timeline for notifications of third parties under the NIS Directive and the GDPR in the case of security and privacy incidents from a legal and technical perspective. While a need to mitigate an immediate risk of damage for an individual would call for prompt notification of data subjects, there are scenarios which may justify a delay in communication, for instance where a service provider needs to analyse the current attack to prevent further attacks and assess the full impact. Further, we argue that notification duties in the GDPR and NISD have different protection goals which may conflict in the context of a given incident. Since they are triggered by the same incident, they may contain redundancies, which bears potential for synergies which should be capitalised by the competent authorities.