EDPB data breach notification template: one EU form and the UK position

EDPB data breach notification template consultation, June 2026

In short: The EDPB data breach notification template, adopted in draft on 8 June 2026 and in public consultation until 5 August 2026, gives data controllers one structured form for notifying personal data breaches to EU supervisory authorities under Article 33 GDPR. UK reporting to the ICO is unchanged; the template matters where a breach touches EU establishments or EU data subjects.

By Rob Bratby, Managing Partner, Bratby Law. Lexology Global Elite Thought Leader for Data Protection. Chambers UK Band 2 (Telecommunications). Legal 500 Leading UK Telecoms Partner. 30+ years in telecoms and data protection regulation, including Oftel and senior operator roles.

A personal data breach that touches both the United Kingdom and the European Union means one set of facts and many different forms. The UK data controller reports to the ICO through its online service, then reports the same incident to each relevant EU supervisory authority on whatever national form that authority prescribes. The European Data Protection Board wants to collapse the EU side of that exercise into a single structured form.

The EDPB adopted its common template for personal data breach notification in draft on 8 June 2026 and announced it on 10 June 2026 at the plenary at which the Board met Commissioner Michael McGrath. The public consultation closes on 5 August 2026. The template prescribes the form in which data controllers discharge the notification duty in Article 33 of the GDPR. The UK GDPR carries the same duty in identical terms, owed to the Information Commissioner, so the document is also a free benchmark for every UK incident response plan.

What the EDPB data breach notification template contains

The EDPB data breach notification template is a structured form of around 120 numbered fields across seven sections, with predefined answer sets, tooltips and conditional logic, designed for implementation by every EU Data Protection Authority (DPA). The EDPB, the body of EU supervisory authorities established under the GDPR, frames it as part of its Helsinki Statement programme to make GDPR compliance easier and more consistent, with time and cost savings aimed particularly at smaller organisations without a dedicated data protection officer.

The structure follows Article 33(3): identity of the data controller and reporting person, the facts of the personal data breach, its likely consequences, and the measures taken or proposed. The detail goes well beyond the statutory minimum. The template prescribes more than twenty predefined incident types, from ransomware and phishing to misdirected post and e-waste; a confidentiality, integrity and availability classification; twenty categories of breached data; a severity self-assessment; and an attachments list that includes the ransomware note and the phishing message. A new or follow-up notification can be marked complete, incomplete or withdrawn, reflecting the phased notification permitted by Article 33(4). A dedicated cross-border section asks for the lead supervisory authority, the EEA countries affected and data subject numbers per country.

How the EDPB data breach notification template compares with the ICO process

UK data controllers already have what the EDPB data breach notification template is trying to build: one regulator, one online service, one form. The ICO’s report a breach service consolidates UK GDPR breach reporting with the parallel regimes for telecoms providers under PECR, trust service providers under eIDAS and relevant digital service providers under the NIS Regulations 2018. The substance is identical on both sides: notification to the authority without undue delay and where feasible within 72 hours of awareness, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons, with communication to affected individuals under Article 34 where the risk is high, and a documentation duty under Article 33(5).

The differences are machinery, and they matter most for UK data controllers caught by EU GDPR Article 3. A UK group with an EU establishment notifies its lead supervisory authority for cross-border processing. A UK data controller with no EU establishment that targets EU residents has no lead supervisory authority at all: it notifies the DPA in every member state where affected data subjects are located; its Article 27 representative is the local contact point, but the notification duty sits with the data controller. The template carries a dedicated section for exactly that case, asking non-EEA controllers to list each affected country, data subject numbers per country and every DPA notified. The renewed UK adequacy decision, covered in our analysis of inbound EU-to-UK transfers, keeps the data flowing; it does not remove that notification burden.

Issue | UK position | EU position
Legal duty | UK GDPR Article 33: notify the ICO without undue delay, where feasible within 72 hours, unless unlikely to result in a risk | EU GDPR Article 33: same test, owed to the competent supervisory authority
Where to report | One regulator, one online service covering UK GDPR, PECR, eIDAS and NIS reporting | One DPA per member state, each with its own national form until the template is implemented
Form content | ICO guided online form collecting the Article 33(3) particulars | Template prescribes structured taxonomies: incident types, data categories, severity, cross-border detail
Cross-border breaches | No one-stop-shop; the ICO is the sole UK authority | Lead supervisory authority for EEA-established controllers; every affected member state’s DPA for non-EEA controllers
Status | In force | EDPB data breach notification template in consultation until 5 August 2026; implementation timeline to follow

Sector security reporting: the TSA 2021, NIS and DORA

A single incident can engage both the UK and EU data protection reporting regimes and, separately, one or more sector-specific security regimes. The personal data breach notification accounts for the personal data; the security regimes ask what happened to the network, the service or the firm. Each regime carries its own clock, and none of those notifications substitutes for another.

[Diagram: UK and EU breach reporting duties. A cross-cutting UK GDPR and EU GDPR Article 33 band sits above sector pillars for telecoms, essential services and financial services.]

Download the diagram as a one-page PDF: Breach reporting duties: UK and EU (PDF).

Telecoms operators have three layers of reporting to consider. A provider of a public electronic communications network or service must inform Ofcom of a security compromise with a significant effect on the network or service as soon as reasonably practicable under section 105K of the Communications Act 2003, inserted by the Telecommunications (Security) Act 2021, which can mean well inside 72 hours. The same provider must notify the ICO of every personal data breach under regulation 5A of PECR, without undue delay and where feasible within 72 hours, and there is no risk threshold: every breach is notifiable and an inventory must be kept. The general UK GDPR duty then applies to the same facts. Operators of essential services must notify their competent authority within 72 hours of awareness of an incident with a significant impact under regulation 11 of the NIS Regulations 2018, and relevant digital service providers owe a parallel duty to the ICO under regulation 12.

Financial services firms have their own reporting layers. In the EU, DORA, Regulation (EU) 2022/2554, applicable since 17 January 2025, requires financial entities to classify ICT-related incidents and report major ones to their competent authority through staged initial, intermediate and final reports under Article 19. In the UK, the FCA’s Policy Statement PS26/2 of 18 March 2026 introduces operational incident reporting rules in SUP 15.18, in force from 18 March 2027, under which a firm reports as soon as practicable and in any event within 24 hours of determining that an incident meets a notification threshold. A payment firm that loses customer data in an outage faces the FCA clock and the ICO clock on the same morning.

The two systems used to match; since Brexit they have diverged in both directions. On PECR the UK moved while the EU stood still: section 111 of the Data (Use and Access) Act 2025, in force from 20 August 2025, replaced the 24-hour telecoms breach clock set by Commission Regulation (EU) 611/2013 with the 72-hour formulation, aligning PECR with UK GDPR Article 33; the EU’s unamended Regulation 611/2013 keeps EU providers on 24 hours. On network security the EU moved while the UK stood still: NIS2 replaced the original NIS Directive from 18 October 2024 with a staged 24-hour early warning, 72-hour notification and one-month final report, and absorbed telecoms security reporting; the UK was under no obligation to transpose it, retains the NIS Regulations 2018, and is updating them through the Cyber Security and Resilience (Network and Information Systems) Bill, now in its final Commons stages.
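The routing rule in the cross-border paragraph above (lead supervisory authority for an EU-established controller, every affected member state’s DPA for a controller caught only by Article 3(2)) and the sector clocks in this section are easier to hold in one place than in one’s head on the morning of an incident. The following is an added example, not the article’s or Bratby Law’s own tooling, that turns those rules into a deadline list for one set of facts. The clocks and routing are the ones the article describes; the Incident fields, regime labels, two-letter country codes, the constructed scenario and the decision to sort open-ended duties first are this example’s assumptions.

```python
"""Which reporting clocks does a single incident start, and who receives each notification?

Added example, not the article's or Bratby Law's own tooling. The clocks and routing
rules are the ones the article describes: UK GDPR and EU GDPR Article 33 (72 hours from
awareness; lead SA or every affected DPA), PECR regulation 5A (72 hours, no risk
threshold), Communications Act s105K (as soon as reasonably practicable), NIS Regulations
2018 regulation 11 (72 hours) and FCA SUP 15.18 (24 hours from determination, in force
from 18 March 2027). The Incident fields, regime labels, country codes and the ordering
of open-ended duties are this example's assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

HOURS_24 = timedelta(hours=24)
HOURS_72 = timedelta(hours=72)
FCA_SUP_15_18_IN_FORCE = datetime(2027, 3, 18, tzinfo=timezone.utc)  # PS26/2 commencement


@dataclass
class Incident:
    aware: datetime                           # when the controller became aware (Article 33 trigger)
    personal_data: bool                       # any personal data involved at all?
    risk_to_individuals: bool                 # False = "unlikely to result in a risk" (Article 33(1))
    uk_telecoms_provider: bool = False        # public ECN/ECS provider: s105K and PECR reg 5A
    significant_network_effect: bool = False  # s105K only bites on a significant effect
    uk_oes: bool = False                      # operator of essential services, NIS Regs 2018
    uk_fca_firm: bool = False
    fca_threshold_determined: Optional[datetime] = None  # SUP 15.18 clock runs from determination
    eu_establishment: bool = False            # EU establishment: one-stop-shop, lead SA
    targets_eu_residents: bool = False        # Article 3(2) only: every affected member state's DPA
    lead_sa: Optional[str] = None             # assumed two-letter code, e.g. "IE"
    eea_data_subjects: dict[str, int] = field(default_factory=dict)  # {"IE": 120, "FR": 40}


@dataclass
class Duty:
    regime: str
    authority: str
    deadline: Optional[datetime]              # None = no fixed clock; as soon as reasonably practicable
    note: str = ""


def reporting_duties(inc: Incident) -> list[Duty]:
    """Every notification the incident triggers: open-ended duties first, then by deadline."""
    duties: list[Duty] = []
    by_72h = inc.aware + HOURS_72
    notifiable_pd = inc.personal_data and inc.risk_to_individuals

    # UK GDPR Article 33: ICO within 72h of awareness unless unlikely to result in a risk;
    # a non-notifiable breach is still recorded under Article 33(5).
    if notifiable_pd:
        duties.append(Duty("UK GDPR Art 33", "ICO", by_72h))
    elif inc.personal_data:
        duties.append(Duty("UK GDPR Art 33(5)", "internal breach record", None,
                           "not notifiable; document the facts and the risk reasoning"))

    if inc.uk_telecoms_provider:
        if inc.personal_data:  # PECR reg 5A has no risk threshold: every breach, 72h
            duties.append(Duty("PECR reg 5A", "ICO", by_72h, "no risk threshold; keep inventory"))
        if inc.significant_network_effect:
            duties.append(Duty("Communications Act s105K", "Ofcom", None,
                               "as soon as reasonably practicable; can be well inside 72h"))

    if inc.uk_oes:
        duties.append(Duty("NIS Regs 2018 reg 11", "competent authority", by_72h,
                           "incident with a significant impact"))

    # FCA SUP 15.18: 24h from determining the threshold is met, but only once in force.
    if (inc.uk_fca_firm and inc.fca_threshold_determined is not None
            and inc.fca_threshold_determined >= FCA_SUP_15_18_IN_FORCE):
        duties.append(Duty("FCA SUP 15.18", "FCA", inc.fca_threshold_determined + HOURS_24,
                           "24h from determination, not from awareness"))

    # EU GDPR Article 33: lead SA for an EU-established controller; otherwise one
    # notification per affected member state, with the Art 27 representative as contact only.
    if notifiable_pd and inc.eu_establishment:
        if not inc.lead_sa:
            raise ValueError("EU-established controller must identify its lead supervisory authority")
        duties.append(Duty("EU GDPR Art 33", f"lead SA ({inc.lead_sa})", by_72h,
                           "one-stop-shop; list every affected EEA country in the template"))
    elif notifiable_pd and inc.targets_eu_residents:
        for country, n in sorted(inc.eea_data_subjects.items()):
            duties.append(Duty("EU GDPR Art 33", f"DPA {country}", by_72h,
                               f"{n} data subjects; the duty sits with the controller"))

    # No fixed deadline sorts first (that clock is already running); the stable sort
    # otherwise keeps insertion order among equal deadlines.
    return sorted(duties, key=lambda d: (d.deadline is not None, d.deadline or inc.aware))


def overdue(duties: list[Duty], now: datetime) -> list[Duty]:
    """Duties with a fixed deadline that `now` has passed."""
    return [d for d in duties if d.deadline is not None and now > d.deadline]


def example_incident() -> Incident:
    """Constructed scenario: UK telecoms provider, no EU establishment, EU customers in IE and FR."""
    return Incident(aware=datetime(2026, 6, 10, 9, 0, tzinfo=timezone.utc),
                    personal_data=True, risk_to_individuals=True,
                    uk_telecoms_provider=True, significant_network_effect=True,
                    targets_eu_residents=True, eea_data_subjects={"IE": 120, "FR": 40})


if __name__ == "__main__":
    for d in reporting_duties(example_incident()):
        print(f"{d.regime:<26} -> {d.authority:<14} by {str(d.deadline or 'ASAP'):<25} {d.note}")
```

Running the constructed scenario lists five notifications from one set of facts: Ofcom with no fixed clock, the ICO twice (UK GDPR and PECR regulation 5A, both 72 hours), and one EU GDPR notification each to the Irish and French DPAs because the controller has no EU establishment and therefore no lead supervisory authority. Swapping in eu_establishment=True with a lead_sa collapses the EU side to a single notification, and an FCA determination dated before 18 March 2027 produces no SUP 15.18 duty at all.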

Commercial and operational implications for UK data controllers

A UK data controller whose incident response plan cannot populate the EDPB data breach notification template from its own logs and records inside 72 hours has a gap that the form will expose, whether or not the form is ever filed. The fields define what a complete breach record looks like at hour 72: dates of occurrence, detection and awareness; discovery route; systems and infrastructure affected and where they are located; categories and numbers of data subjects and records; the measures in place when the breach occurred; and the risk assessment methodology. The same logic applies to processor arrangements: Article 33(2) requires the data processor to notify the data controller without undue delay, and the Article 28 contract is where the controller secures the data points the form demands. The accuracy questions raised by AI-driven incidents make this harder, as we set out in our analysis of the Cyber Security Breaches Survey and Article 32.

The consultation closes on 5 August 2026 and is open to UK respondents; the cross-border processing sections are the part that matters most for a UK group with EU establishments. Regulator notification under time pressure is a core part of breach work; the investigations and enforcement support page covers regulator engagement, and the data protection page sets out the wider practice.

Viewpoint

This is the second standardised compliance artefact the EDPB has produced in two months, after the DPIA template of April 2026, which I examined in a practitioners’ guide for UK controllers. The direction is deliberate: the Board’s announcement ties the template to its Helsinki Statement commitment to simplification, and standard forms are the cheapest simplification available.

In our experience advising on breach response, the form is rarely what consumes the 72-hour window. The time goes on establishing what happened, in which systems, to whose data, with enough confidence to sign the risk assessment, and the template’s incomplete-notification logic recognises that. The template’s predefined taxonomies will pull EU breach records towards a common evidential standard, which is the discipline a system of more than thirty supervisory authorities currently lacks.

For UK data controllers the substance of Article 33 is the same in London as in Dublin or Paris; the EDPB data breach notification template harmonises machinery that the ICO consolidated into a single service years ago. After 5 August 2026 the EDPB has said it will decide the timeline for implementation by all DPAs. That is the point at which the template stops being a benchmark and becomes the form on which EU regulators read your breach.

Frequently asked questions

Is the EDPB data breach notification template mandatory?

Not yet. The EDPB data breach notification template is in public consultation until 5 August 2026. Following the consultation, the EDPB will decide on the timeline for practical implementation of the template by all EU Data Protection Authorities. The notification duty itself, in Article 33 GDPR, already applies.

Does the template change UK breach reporting?

No. UK data controllers continue to notify the ICO under UK GDPR Article 33 through the ICO’s existing online service. The template applies to notifications to EU supervisory authorities, which is relevant to UK organisations with EU establishments or those caught by EU GDPR Article 3(2) because they target EU residents.

What does Article 33 GDPR require?

A data controller must notify a personal data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. The notification must describe the breach, the likely consequences and the measures taken, and may be provided in phases.

What other UK reporting duties can a single incident trigger?

A telecoms provider may owe Ofcom a security compromise report under section 105K of the Communications Act 2003 and the ICO a PECR regulation 5A notification. Operators of essential services and digital service providers report under the NIS Regulations 2018. FCA-regulated firms will report operational incidents under SUP 15.18 from 18 March 2027.

For advice on personal data breach notification across the UK and EU regimes, contact Rob Bratby at Bratby Law.
