
Reporting a breach: DPA, NCSC and data subjects

Reporting clocks run in parallel: GDPR, sector rules and contracts. This page separates them so you do not miss a deadline.


Part 2: reporting obligations (Netherlands-focused).

Dutch DPA — 72 hours

Notify the Dutch DPA within 72 hours of becoming aware of the breach, unless the breach is unlikely to pose a risk. The initial notification may be incomplete; update it later.

NCSC — NIS2 / Cbw

Essential and important entities may need early NCSC reporting (often cited as ~24 hours for significant incidents). See NIS2 and Cyber Security Act NL.

Data subjects & contracts

Inform individuals when the breach is likely to result in a high risk. Notify processors, customers and suppliers as your contracts require.


Key takeaways

  • DPA: within 72 hours of awareness when required under GDPR.
  • NCSC: early reporting may apply under NIS2 / Dutch Cyber Security Act.
  • Inform data subjects when the risk is high, using plain language.
  • Notify counterparties as required by contracts and data processing agreements.
