by Streamlex 26 March 2025

The comparison table summarises the incident and data breach reporting requirements under the key EU digital laws: GDPR, NIS2, the Cyber Resilience Act (CRA) and the AI Act. It gives a general overview and simplifies complex details. Use this table as a supplementary reference, not as a primary source of legal guidance, and always consult the actual legal texts.
| REQUIREMENTS | GDPR | NIS2 | CRA (actively exploited vulnerability) | CRA (severe incident) | AI Act (high-risk AI systems) | AI Act (GPAI with systemic risk) |
|---|---|---|---|---|---|---|
| Relevant articles | | | | | | |
| Covered entities | Data controllers | Essential and important entities | Manufacturers of products with digital elements | Manufacturers of products with digital elements | Providers and, in some cases, deployers of high-risk AI systems | Providers of GPAI with systemic risk |
| Reporting threshold | A personal data breach likely to result in a risk to the rights and freedoms of natural persons | Significant incident | An actively exploited vulnerability | A severe incident having an impact on the security of the product with digital elements | Serious incident | Serious incident |
| Trigger | When a covered entity becomes aware of a data breach | When a covered entity becomes aware of a significant incident | When a covered entity becomes aware of an actively exploited vulnerability | When a covered entity becomes aware of a severe incident | When a covered entity establishes a link between the AI system and the serious incident, or the reasonable likelihood of such a link | Not specified |
| General reporting/notification timeline | Without undue delay and not later than 72 hours | Early warning without undue delay and in any event within 24 hours of becoming aware, followed by a notification within 72 hours and a final report within 1 month | Early warning without undue delay and in any event within 24 hours of becoming aware, followed by a notification within 72 hours and a final report within 14 days | Early warning without undue delay and in any event within 24 hours of becoming aware, followed by a notification within 72 hours and a final report within 1 month | Immediately, and no later than 15 days after becoming aware | Without undue delay |
| Shortened reporting/notification obligations | N/A | Incident notification within 24 hours for significant incidents impacting trust services | N/A | N/A | Incident reporting within 10 days in the event of a person's death. Incident reporting within 2 days for a widespread infringement or a serious incident leading to irreversible | N/A |
| Authorities receiving reports/notifications | Supervisory authorities | CSIRT or competent authorities | CSIRT designated as coordinator and ENISA | CSIRT designated as coordinator and ENISA | Market surveillance authorities | AI Office and national competent authorities |