Data Breach

Also known as:
  • personal data breach
  • security breach
  • data breach notification

An incident in which personal or confidential data is accessed, disclosed, or destroyed without authorisation, triggering GDPR Article 33 and NIS2 notification obligations.

Written by Askara Solutions editorial team · Updated

A data breach is the event that converts a security incident into a regulatory and legal obligation. Under GDPR Article 33, a personal data breach must be notified to the relevant supervisory authority within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in risk to the rights and freedoms of individuals. Under NIS2, operators of essential and important entities have similar notification windows for significant incidents. Missing those windows is itself a regulatory violation, separate from the underlying breach.

The definition matters for scoping. Not every unauthorised access is a personal data breach in the GDPR sense: the data must relate to identified or identifiable natural persons. A system compromise that exposes only anonymised analytics data may not trigger Article 33. One that exposes employee records, customer contact details, or payment information almost certainly does. The same incident may simultaneously trigger GDPR obligations to the supervisory authority, NIS2 obligations to the national competent authority, and contractual obligations to affected customers. Incident response plans that treat these as a single notification process frequently miss a deadline on at least one.

The 72-hour clock runs from "becoming aware," not from the moment of breach, which creates a different kind of operational pressure. An organisation that detects an anomaly on Friday evening and determines by Monday morning that personal data was accessed has used most of its window before anyone has had a full night's sleep. Maintaining a documented, tested incident response process that explicitly covers the notification decision tree is the difference between a managed regulatory interaction and a fine with an enforcement notice attached. The Askara Solutions agent pre-populates the notification obligation map for your regulatory footprint, so when a potential breach is detected the decision of whether and to whom to notify runs from your documented policy rather than from a crisis discussion at midnight.
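To make the notification decision tree described above concrete, here is an added example (not code from Askara Solutions) that evaluates one incident against a documented obligation map and shows how much of the Article 33 window the Friday-evening-to-Monday-morning scenario actually consumes. The 24-hour early-warning figure for NIS2 is taken from NIS2 Article 23, not from this page; the incident facts and the "Customer A" contract are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

GDPR_WINDOW = timedelta(hours=72)         # GDPR Art. 33(1): notify the supervisory authority within 72 hours
NIS2_EARLY_WARNING = timedelta(hours=24)  # NIS2 Art. 23(4)(a): early warning within 24 hours (assumed from the regulation, not this page)

@dataclass(frozen=True)
class Incident:
    aware_at: datetime          # when the organisation became aware; this, not the breach itself, starts the clocks
    personal_data: bool         # True only if the data relates to identified or identifiable natural persons
    risk_to_individuals: bool   # False only when risk to rights and freedoms is unlikely (the Art. 33(1) exception)
    nis2_significant: bool      # significant incident at an essential or important entity
    contractual_parties: tuple[str, ...] = ()  # customers whose contracts carry a breach-notice clause

@dataclass(frozen=True)
class Obligation:
    recipient: str
    basis: str
    deadline: datetime | None   # None where no fixed statutory clock applies

def obligations_for(inc: Incident) -> list[Obligation]:
    """Return every notification obligation the incident triggers, from the documented policy."""
    out: list[Obligation] = []
    if inc.personal_data:  # anonymised-only exposure has personal_data=False and skips Art. 33 entirely
        if inc.risk_to_individuals:
            out.append(Obligation("supervisory authority", "GDPR Art. 33(1)", inc.aware_at + GDPR_WINDOW))
        else:
            # Exception applies, but the breach is still recorded in the internal register (Art. 33(5))
            out.append(Obligation("internal breach register", "GDPR Art. 33(5)", None))
    if inc.nis2_significant:
        out.append(Obligation("national competent authority", "NIS2 Art. 23 early warning",
                              inc.aware_at + NIS2_EARLY_WARNING))
    for party in inc.contractual_parties:
        out.append(Obligation(party, "contractual notice clause", None))
    return out

def gdpr_hours_remaining(inc: Incident, now: datetime) -> float:
    """Hours left on the Art. 33 clock at `now`; negative means the 72-hour window has already closed."""
    return (inc.aware_at + GDPR_WINDOW - now) / timedelta(hours=1)

# Constructed scenario from the text: anomaly noticed Friday 18:00, personal data confirmed Monday 09:00
SAMPLE = Incident(datetime(2024, 6, 7, 18, 0), True, True, True, ("Customer A",))
SAMPLE_CONFIRMED_AT = datetime(2024, 6, 10, 9, 0)

if __name__ == "__main__":
    for o in obligations_for(SAMPLE):
        print(f"{o.basis:27} -> {o.recipient:28} by {o.deadline}")
    print("hours left on the GDPR clock once personal data is confirmed:",
          gdpr_hours_remaining(SAMPLE, SAMPLE_CONFIRMED_AT))  # 9.0 of 72
```

Run as-is it prints three obligations for the sample incident and 9.0 remaining hours, which is the point of the Friday-to-Monday illustration: 63 of the 72 hours were gone before the notification decision could even be taken.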