Report a breach
Trust Service Providers and Qualified Trust Service providers must report notifiable breaches of the eIDAS regulation, pursuant to Article 19 (2) of the Regulation.
At a glance
- If a security breach has a ‘significant impact’ you must notify the ICO within 24 hours.
- You must also notify your users if they are likely to be affected.
- In some circumstances you or the ICO may also need to inform the wider public about a breach.
In brief
- What is a breach under eIDAS?
- What must we do if there is a breach?
- When and how do we notify the ICO?
- When and how do we notify those affected?
- Will the ICO notify anyone else?
What is a breach under eIDAS?
A breach under eIDAS is:
“any breach of security or loss of integrity that has a significant impact on a trust service provided or on the personal data maintained therein.”
A breach may occur if there is a deliberate attack compromising the integrity of your service. But a breach can also occur if there is an unauthorised access within your organisation or an accidental loss of integrity.
Not every incident relating to a lapse in security or integrity of a trust service is a breach. If there is no harm caused, or there is only a minimal effect, this will not qualify as a breach. However, you should still review your security measures.
What must we do if there is a breach?
Breach reporting rules are set out in UK eIDAS Regulation Article 19. You do not need to report every incident relating to a lapse in security or integrity of a trust service. However, where you have reason to believe that an incident has or is likely to have a significant (more than minimal) impact on the trust service or the personal data you hold, you need to:
- notify the ICO;
- consider whether to notify your users; and
- consider whether to inform anyone else who might be affected.
If you are not sure about whether the impact of an incident is significant or not, it is safer to report the breach.
When and how do we notify the ICO?
You must notify the ICO within 24 hours of becoming aware of the breach, or sooner if it’s reasonable to do so.
Please use our eIDAS breach notification form.
If there has also been a personal data breach, there is no need to fill out a separate data protection security breach form as well. You should however include relevant details on the eIDAS breach notification form, and we may call you back if we need more information.
Please read the ICO’s guide to UK GDPR for more information on personal data breaches.
When and how do we notify those affected?
If the breach is likely to adversely affect your users, you will also need to notify them of the breach without undue delay.
You don’t need to use a specific format for this. You can choose how you prefer to communicate with your customers, as long as it reaches them promptly. We advise you to include:
- your name and contact details;
- the date of the breach;
- a summary of the incident;
- the likely effect on them;
- any measures you have taken to address the breach; and
- any steps they can take to protect themselves from harm.
You should also consider whether you can take measures to inform other people of the effects of a security breach who may have been affected by a security incident but are not your direct customers. For example, any end users relying on the integrity of the trust service.
We may require you to disclose information to the public about a breach if we think it is in the public interest to do so.
Will the ICO notify anyone else?
If a breach has an impact outside the UK we may choose to inform relevant overseas authorities.
We may require the trust service provider to inform the public about the breach or we may inform the public of a breach ourselves if we think it is in the public interest to do so.