Do I have to inform the data subjects about a breach?
Only if the breach is likely to result in a high risk to their rights and freedoms. With strong encryption or limited impact you can skip it, but you must justify why.
Try this first
- 1Assess the risk. What data, what consequences, how many people. Identity fraud, financial loss, reputational damage, discrimination are classic high-risk markers.
- 2Document why you do or do not inform. It is your call, but you must defend it to the AP.
- 3If informing: plain language, what leaked, what risk, what you are doing, what the subject can do, DPO or contact point.
- 4Use a channel you already use: email or letter. A site banner alone is not a direct notification under GDPR.
- 5Log the communication in the register: when, how, how many recipients.
When to bring us in
Doubt about high risk on medical or financial data? Default to informing. For large groups (>1000), get communications-specialist advice.
See also
- Does NIS2 apply to my company?Two questions decide it: are you in a listed sector, and do you meet the threshold from Recommendation 2003/361/EC (more than 50 FTE and more than EUR 10M turnover or balance sheet). Below that you are only indirectly in scope, via your customers. The threshold determines whether you are an important or essential entity depending on sector.
- What changes with the Dutch Cyber Security Act?The Cyberbeveiligingswet is the Dutch implementation of NIS2. Track NCSC for the exact effective date and the lower regulations.
- Am I personally liable as a director under NIS2?Yes. The board is accountable for approving and overseeing the cyber measures. Severe negligence can become personal.
None of the above fits?
Describe your situation below. We pass your input plus the steps you already saw to our AI and return tailored next-step advice. If it's too risky to DIY, we'll say so.
Or skip the DIY entirely
Our Managed IT clients do not look these things up. One point of contact, a fixed monthly price, resolved within working hours.