GDPR Article 33: The 72-Hour Breach Notification Rule (2026 Guide)
Published May 31, 2026
By Anna Bley


GDPR Article 33: when the 72-hour breach-notification clock starts, what to report to the authority, fines, and the UK & Norway position.

Tags: GDPR, Data Protection, Breach Notification, Compliance

GDPR Article 33: The 72-Hour Breach Notification Rule

GDPR Article 33 requires a data controller to notify the competent supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it — unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons. The 72-hour clock starts at awareness, not at the end of your investigation. Missing the deadline is a separate, fineable infringement.

Average daily breach notifications across the EEA rose sharply in 2025 to 443 per day, a 22% increase according to the DLA Piper GDPR Fines and Data Breach Survey: January 2026. For most B2B companies, the hard part of Article 33 is not knowing the rule — it is starting the clock correctly and assembling a defensible notification while the incident is still unfolding.

Key Takeaways

  • The deadline is 72 hours from awareness, not from breach occurrence or from the completion of forensics.
  • "Awareness" is a defined trigger. Under EDPB Guidelines 9/2022, it begins when you have a reasonable degree of certainty that personal data was compromised.
  • Not every breach is notifiable. You notify only when the breach is likely to result in a risk to individuals — but you must always document it internally.
  • Notification can be phased (Article 33(4)) when you cannot establish all facts within 72 hours.
  • Processors must alert controllers without undue delay (Article 33(2)) so the controller can meet its deadline.
  • Failure to notify is independently fineable — up to EUR 10 million or 2% of global turnover under Article 83(4).

What Article 33 Requires

Article 33(1) of Regulation (EU) 2016/679 sets the core obligation in a single sentence:

"In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons."

Three elements control everything that follows. First, the trigger is becoming aware of a breach. Second, the deadline is 72 hours, qualified by "where feasible" and by the overriding standard of "without undue delay." Third, the threshold is a likely risk to individuals — below that threshold, no notification to the authority is due.

A "personal data breach" is defined broadly in Article 4(12): a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. That includes ransomware (a loss of availability), a misdirected email (an unauthorised disclosure), and a lost laptop (an unauthorised access risk) — not only deliberate external attacks.


When the 72-Hour Clock Starts

This is where most organisations get Article 33 wrong. The 72 hours do not begin when the incident happened, nor when your investigation concludes. They begin when you become aware.

The EDPB Guidelines 9/2022 define awareness as the point at which the controller has "a reasonable degree of certainty that a security incident has occurred that has led to personal data being compromised." Full forensic certainty is not required — a reasonable belief that personal data was affected is enough.

In practice:

  • An automated SIEM or intrusion-detection alert does not by itself start the clock. That does not make unreviewed alerts safe, though: organisations are expected to have procedures so alerts are triaged promptly, and you cannot delay awareness by ignoring your own monitoring.
  • The clock starts when a responsible person reviews a credible signal and concludes a breach has likely occurred.
  • A short period of investigation to confirm whether a breach actually happened is acceptable before awareness crystallises — but it must be proportionate, not a stalling tactic.

The practical consequence: your incident-response process needs a clear, logged moment of "we now believe personal data is affected," because that timestamp is what a supervisory authority will scrutinise. The same awareness discipline underpins the even tighter 24-hour early-warning deadline under NIS2, which many companies must satisfy in parallel.


What Goes in the Notification

Article 33(3) specifies the minimum content of the notification to the supervisory authority:

  • Nature of the breach: a description of the breach, including, where possible, the categories and approximate number of data subjects and of personal data records concerned.
  • Contact point: the name and contact details of the data protection officer or other contact from whom more information can be obtained.
  • Likely consequences: a description of the likely consequences of the personal data breach.
  • Measures taken: a description of the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

Most EU and EEA supervisory authorities provide an online form mirroring these four headings. The information you can realistically provide within 72 hours of awareness is rarely complete — which is exactly why Article 33 anticipates phased reporting.


Phased Notification (Article 33(4))

Article 33(4) is the safety valve that makes the 72-hour rule workable:

"Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay."

The EDPB confirms that notification "does not need to be postponed until the risk and impact surrounding the breach has been fully assessed." The full risk assessment can run in parallel to notification, with new information provided to the authority in phases. This is most relevant for complex cyber incidents where in-depth forensics are needed to establish the scope.

The practical playbook: file an initial notification within 72 hours containing what you know — even if that is "we are aware of unauthorised access affecting an estimated X records; investigation ongoing" — and supplement it as facts firm up. Article 33(1) requires you to give reasons for any delay beyond 72 hours; phased notification removes the need to choose between speed and accuracy.


The Processor's Duty (Article 33(2))

Article 33(2) places the obligation on processors to support the controller:

"The processor shall notify the controller without undue delay after becoming aware of a personal data breach."

The GDPR sets no fixed deadline for the processor-to-controller notification — but the EDPB Guidelines 9/2022 recommend processors aim to notify controllers within their own 72 hours of awareness, because the controller's clock can only start once it is informed. For B2B SaaS companies that act as processors for their customers, this is a contractual as well as a regulatory point: your Data Processing Agreements under Article 28 typically commit you to a tighter notification window (often 24–48 hours) so the controller has time to meet its own obligation.


Internal Breach Documentation (Article 33(5))

Even when a breach is not notifiable, Article 33(5) imposes a record-keeping duty:

"The controller shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken."

This internal breach register must be sufficient to let the supervisory authority verify compliance. The accountability principle in Article 5(2) makes this non-negotiable: if you decide a breach was below the notification threshold, you need a documented, defensible record of why. A risk assessment you cannot reconstruct after the fact is, for enforcement purposes, a risk assessment that never happened.


When You Don't Have to Notify

The threshold in Article 33(1) is "unlikely to result in a risk to the rights and freedoms of natural persons." Assessing this is the controller's call, made within the 72-hour window, and it determines two separate decisions:

  1. Notify the supervisory authority? Required when the breach is likely to result in a risk (Article 33).
  2. Notify the affected individuals? Required only when the breach is likely to result in a high risk — the higher threshold of Article 34.

The two thresholds are deliberately different. Many breaches clear the Article 33 bar (notify the authority) without clearing the Article 34 bar (notify individuals). The EDPB's example guidelines treat the risk of identity theft, financial loss, and exposure of special-category data as strong indicators that the high-risk threshold is met. Encryption that renders the data unintelligible to an attacker is a key mitigating factor that can pull a breach below the notification thresholds.


Fines and Enforcement

Violations of Article 33 sit in the lower fine tier under Article 83(4): up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. Crucially, failure to notify is treated as a standalone infringement — you can be fined for the late or missing notification independently of any fine for the underlying security failure under Article 32. Failure to notify can also feed into an Article 5(2) accountability finding, which sits in the upper tier.

Enforcement specifically for notification failures is real and growing:

  • Poland (2025): The Polish supervisory authority fined the County Hospital in Września EUR 6,800 for infringement of Articles 33 and 34, and the National Public Prosecutor's Office EUR 19,800 for infringement of Articles 6, 33 and 34 (EDPB national news).
  • Norway: Datatilsynet fined a US company NOK 2.5 million specifically for failing to notify within 72 hours, confirming that the clock starts at awareness — not when the business has a full overview (DLA Piper Norway).
  • Volume: Germany and Poland remain among the highest-reporting member states, and EEA-wide notifications now average 443 per day (DLA Piper, January 2026).

The signal from regulators is consistent: a clean, timely notification is treated as a mitigating factor under Article 83(2), while concealment or delay is an aggravating one.


The UK and Norway Position

Article 33 is a European obligation, not just an EU-27 one — and the breach-notification mechanics are remarkably consistent across the wider European compliance landscape.

United Kingdom. UK GDPR (as retained and amended via the Data Protection Act 2018) preserves the same 72-hour deadline, reporting to the Information Commissioner's Office (ICO) rather than an EU authority. The Data (Use and Access) Act 2025, which received Royal Assent on 19 June 2025, did not loosen the GDPR breach timeline — and, from 20 August 2025, it actually aligned the separate PECR breach-reporting window for telecoms providers from 24 hours up to the same 72-hour standard. The European Commission concluded its review and moved to renew the UK's adequacy decision, so EU–UK data flows continue uninterrupted. UK ICO enforcement history includes the British Airways (£20 million) and Marriott (£18.4 million) breach fines, both of which centred on inadequate security as well as breach handling.

Norway and the EEA. Norway is not an EU member but applies the GDPR through the EEA Agreement (the GDPR became applicable in Norway in July 2018). Controllers report personal data breaches to Datatilsynet, the Norwegian Data Protection Authority, within the same 72-hour window. As the Datatilsynet enforcement action above shows, Datatilsynet interprets the awareness trigger strictly. Companies operating across the EU, EEA, and UK should treat 72 hours as the single planning baseline — the deadline does not get longer by crossing a border.


Operationalising Article 33 in a Trust Center

Knowing the rule is the easy part. Meeting it under pressure — at 2 a.m., mid-incident, with incomplete facts — requires the workflow to exist before the breach. Three capabilities turn Article 33 from a scramble into a process:

  1. A pre-built notification template mapped to the four Article 33(3) headings, so the initial filing is a fill-in exercise, not a drafting exercise.
  2. A logged awareness timestamp and decision trail, so you can show when you became aware and why you assessed the risk the way you did — the heart of an Article 33(5) record.
  3. A processor alerting chain with contractual deadlines, so that when a sub-processor is the source of the breach, your clock starts as early as possible.
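A minimal breach-register model, added here as an illustration and not code from the article or from the Orbiq platform, that ties together the awareness trigger described under "When the 72-Hour Clock Starts" and the three capabilities listed above: a logged awareness timestamp from which the 72-hour deadline runs, the Article 33 versus Article 34 risk decision with its recorded reason, and initial plus phased (Article 33(4)) filings structured under the four Article 33(3) headings. The incident identifier, timestamps, record counts and contact address are constructed for the example; the three-level risk scale is a simplifying assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

ARTICLE_33_WINDOW = timedelta(hours=72)  # Article 33(1): 72 hours after becoming aware


@dataclass
class BreachRecord:
    """One Article 33(5) register entry: facts, decision trail and every filing made."""
    incident_id: str
    aware_at: datetime      # the logged "we now believe personal data is affected" moment
    risk_level: str         # controller's assessment (assumed scale): "unlikely", "risk", "high_risk"
    risk_reason: str        # why it was assessed that way (e.g. data was strongly encrypted)
    filings: list = field(default_factory=list)

    def deadline(self) -> datetime:
        # Runs from awareness, not from the breach itself or the end of forensics.
        return self.aware_at + ARTICLE_33_WINDOW

    def must_notify_authority(self) -> bool:
        # Article 33 threshold: notify unless the breach is unlikely to result in a risk.
        return self.risk_level in ("risk", "high_risk")

    def must_notify_individuals(self) -> bool:
        # Article 34 threshold: only when the breach is likely to result in a high risk.
        return self.risk_level == "high_risk"

    def file(self, filed_at: datetime, nature: str, contact: str,
             consequences: str, measures: str, delay_reason: str = "") -> dict:
        """Record an initial or phased (Article 33(4)) filing under the four Article 33(3)
        headings; a filing after the deadline needs reasons for the delay (Article 33(1))."""
        late = filed_at > self.deadline()
        if late and not delay_reason:
            raise ValueError(f"{self.incident_id}: filing after 72h without reasons for the delay")
        filing = {"phase": len(self.filings) + 1, "filed_at": filed_at, "late": late,
                  "delay_reason": delay_reason, "nature_of_breach": nature, "contact_point": contact,
                  "likely_consequences": consequences, "measures_taken": measures}
        self.filings.append(filing)
        return filing


def demo() -> BreachRecord:
    """Constructed scenario: SIEM alert at 02:00 UTC, triaged and acknowledged at 02:40."""
    aware = datetime(2026, 3, 2, 2, 40, tzinfo=timezone.utc)  # clock starts at triage, not alert
    rec = BreachRecord("INC-0001", aware, "risk",
                       "customer contact data exfiltrated; no special-category data; unencrypted")
    rec.file(aware + timedelta(hours=30), "unauthorised access to an estimated 1,200 records",
             "dpo@example.com", "phishing of affected customers", "systems isolated, forensics engaged")
    rec.file(aware + timedelta(hours=96), "confirmed scope: 1,184 records", "dpo@example.com",
             "unchanged", "affected customers emailed", delay_reason="supplement after forensics")
    return rec
```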

This is where breach readiness meets continuous monitoring: the same evidence that proves your Article 32 security measures were appropriate is the evidence a supervisory authority will ask for after a breach. Orbiq's Trust Center platform keeps that evidence — security measures, sub-processor lists, DPAs, and breach-response documentation — in one always-current place, so your "measures taken" narrative is ready before you need it. For legal and DPO teams that own the notification decision, our guide on the Trust Center for legal teams explains how to keep the breach register and notice workflow auditable.

Article 33 rewards organisations that have done the unglamorous work in advance. The 72-hour clock is unforgiving — but it is entirely beatable when awareness, assessment, and notification are a rehearsed sequence rather than an improvisation.


Sources & References

  1. Regulation (EU) 2016/679 (GDPR) — Full Text — Official Journal of the European Union.
  2. gdpr-info.eu — Article 33 (Notification to Supervisory Authority) — Article text and recitals.
  3. EDPB Guidelines 9/2022 on personal data breach notification under GDPR (Version 2.0) — Authoritative interpretation of "awareness," phased notification, and risk assessment.
  4. DLA Piper GDPR Fines and Data Breach Survey: January 2026 — 443 breach notifications per day across the EEA, up 22%.
  5. Polish SA: administrative fine for failure to notify a personal data breach (€19,800) — EDPB national news, 2025.
  6. Polish SA: administrative fine of €6,800 for failure to notify (County Hospital Września) — EDPB national news, 2025.
  7. Norway: NOK 2.5 million fine for failure to notify within 72 hours — DLA Piper Norway, Datatilsynet enforcement.
  8. ICO — Personal data breaches: a guide — UK GDPR 72-hour breach reporting.
  9. Data (Use and Access) Act 2025 — UK data protection reform overview — Norton Rose Fulbright analysis.
  10. Datatilsynet — Norwegian Data Protection Authority — Breach notification guidance (Norway / EEA).


Frequently Asked Questions

When does the 72-hour clock start under GDPR Article 33?

The clock starts when the controller becomes aware of the breach — defined by EDPB Guidelines 9/2022 as the moment there is a reasonable degree of certainty that a security incident has occurred that compromised personal data. It does not start when forensic analysis is complete. Awareness can begin the moment a responsible person reviews and acknowledges a credible alert.

Do you always have to notify a breach within 72 hours?

No. Article 33(1) only requires notification when the breach is likely to result in a risk to the rights and freedoms of natural persons. If you can demonstrate the breach is unlikely to result in such a risk, you do not notify the supervisory authority — but you must still document the breach internally under Article 33(5).

What happens if you miss the 72-hour deadline?

Late notification is permitted if you give reasons for the delay, but failure to notify at all is a standalone infringement under Article 83(4), carrying fines of up to EUR 10 million or 2% of global annual turnover. Supervisory authorities such as the Polish DPA and Norway's Datatilsynet have fined organisations specifically for missing the 72-hour deadline.

What is phased notification under Article 33(4)?

When you cannot provide all required information at once — common in complex cyber incidents — Article 33(4) lets you notify in phases without undue further delay. You file an initial notification within 72 hours with what you know, then supplement it as your investigation progresses, rather than waiting for a complete picture.

Does GDPR Article 33 apply in the UK and Norway?

Yes, in equivalent form. UK GDPR retains the same 72-hour deadline to the ICO. Norway applies the GDPR via the EEA Agreement and reports to Datatilsynet within 72 hours. Both regimes mirror the EU mechanics, though enforcement bodies and some procedural details differ.
