At a glance

  • If a security breach has a ‘significant impact’ you must notify the ICO within 24 hours.
  • You must also notify your users if they are likely to be affected.
  • In some circumstances you or the ICO may also need to inform the wider public about a breach.

In brief

What is a breach under eIDAS?

A breach under eIDAS is:

“any breach of security or loss of integrity that has a significant impact on a trust service provided or on the personal data maintained therein.”

A breach may occur if there is a deliberate attack compromising the integrity of your service. But a breach can also occur if there is an unauthorised access within your organisation or an accidental loss of integrity.

Not every incident relating to a lapse in security or integrity of a trust service is a breach. If there is no harm caused, or there is only a minimal effect, this will not qualify as a breach. However, you should still review your security measures.

What must we do if there is a breach?

If there is a breach, the reporting rules are set out in article 19. You do not need to report every incident relating to a lapse in security or integrity of a trust service. However, where you have reason to believe that an incident has had, or is likely to have, a significant (more than minimal) impact on the trust service or the personal data you hold, you need to:

  • notify the ICO;
  • consider whether to notify your users; and
  • consider whether to inform anyone else who might be affected.

If you are not sure about whether the impact of an incident is significant or not, it is safer to report the breach.

When and how do we notify the ICO?

You must notify the ICO within 24 hours of becoming aware of the breach, or sooner if it’s reasonable to do so.

Please use our eIDAS breach notification form.

If there has also been a personal data breach, there is no need to fill out a separate data protection security breach form as well. You should, however, include the relevant details on the eIDAS breach notification form, and we may call you back if we need more information.

Please read the section Information security (Principle 7) in the ICO’s guide to Data Protection for more information on personal data breaches.

When and how do we notify those affected?

If the breach is likely to adversely affect your users, you will also need to notify them of the breach without undue delay.

You don’t need to use a specific format for this. You can choose how you prefer to communicate with your customers, as long as it reaches them promptly. We advise you to include:

  • your name and contact details;
  • the date of the breach;
  • a summary of the incident;
  • the likely effect on them;
  • any measures you have taken to address the breach; and
  • any steps they can take to protect themselves from harm.

You should also consider whether you can take measures to inform other people who may have been affected by a security incident but are not your direct customers, for example any end users relying on the integrity of the trust service.

We may require you to disclose information to the public about a breach if we think it is in the public interest to do so.

Will the ICO notify anyone else?

If a breach has an impact outside the UK we may need to inform the relevant overseas authorities, as well as ENISA if the breach concerns another EU country.

Once a year we will also send ENISA a summary of breach notifications we received in that year.

We may inform the public about the breach ourselves if we think it is in the public interest to do so.