At present only public telecommunications providers are required by European law to notify their customers of security breaches affecting their privacy, including breaches that the confidentiality, integrity or availability of personal data. In the UK the Information Commissioner has published recommendations on handling privacy breaches, including when to notify those affected.
ENISA have published an interesting report on cyber incident reporting. Their scope is wide – incidents range from the failure of a certificate agency to storms creating widespread power (and therefore connectivity) outages.
The European Commission have proposed a draft eIdentity Regulation, to replace the current eSignatures Directive (99/93/EC). While the proposal is mostly concerned with inter-operability of national electronic IDs and improving the legal significance of digital signatures, timestamps, documents, etc.
