European Commission In Favor Of Security Breach Requirements
Client Alert | 1 min read | 09.15.06
The European Commission recently announced in a public consultation concerning the review of the EU telecom regulations that it favors adopting security breach notification requirements for network operators and electronic service providers, similar to the requirements contained in laws passed by more than 30 states in the U.S. in the last two years. If the Commission proposal finds acceptance within the broader political community, it could have important consequences for the communications sector, create important compliance issues and expose the sector to adverse publicity and associated liabilities. Analogous obligations may spill over to other business sectors, particularly to businesses that process sensitive personal information, such as the banking and insurance industry and the health-care sector.
The current EU Directive 2002/58 on privacy in the electronic communication sector (the E-Privacy Directive) imposes a notification requirement upon electronic communication service providers "in case of a particular risk of a breach of the security of the network […]" (Article 4 (2) of the E-Privacy Directive, emphasis added). The existing Directive does not directly require such service providers to give notice of actual security breaches. The general EU Data Protection Directive 1995/46 does not contain a security breach notification obligation either, as it sets forth only general technical and organizational security and confidentiality requirements.
The Commission believes that "a requirement to notify [individuals of] security breaches would create an incentive for providers to invest in security but without micro-managing their security policies." If the proposal becomes effective, network operators and electronic service providers will be required to: (i) notify the National Regulatory Agency (NRA) of any security breach resulting in the loss of personal data and/or that may cause the interruption of the services, and (ii) notify customers of any security breach leading to the loss, modification or destruction of, or unauthorized access to, personal customer data.
Corporations and stakeholders can participate in the public consultation until October 27, 2006 by sending their opinions or position papers to the European Commission.
