PATRICIA II - Personal dATa bReach awareness in Cybersecurity Incident Handling

5 Jun 2025

The EDPS organises the second edition of PATRICIA - Personal dATa bReach awareness in Cybersecurity Incident Handling, a table-top exercise focusing on personal data breach management. The cyber exercise takes place on 5 June 2025 from 08:45 to 16:00 at the EDPS premises and will bring together key stakeholders from selected EUIs to enhance incident response and collaboration.

When: 5 June 2025 from 08:45 to 16:00.
Where: EDPS premises, rue Montoyer 30, Brussels

PATRICIA aims to raise awareness about personal data breaches and foster collaborations among EU Institutions (EUIs) staff, including IT personnel, Data Protection Officers (DPOs) and Security Officers, to ensure proper mitigation of risks to individuals. By simulating cybersecurity incidents and exchanging knowledge and best practices, participants will be able to improve their incident response capabilities and risk mitigation strategies.

This year’s edition will expand to up to seven teams from EUIs, which will engage in an evolving cyberattack scenario. Participants will exchange best practices, test response mechanisms, and refine coordination strategies in handling personal data breaches. PATRICIA participation is limited to invited EUIs.

Background:
The first edition of this exercise, piloted and co-organised with ENISA in 2024, involved six teams of EUIs and highlighted critical areas for improvement of personal data breach management within the EU Institutions, such as:

  • Clarifying roles and responsibilities in breach management
  • Enhancing collaboration between key stakeholders
  • Strengthening training and awareness efforts

As a result, key recommendations were made, including greater involvement of senior management, improvement of inter-team communication, and reinforcement of shared responsibility.

The exercise was highly appreciated, leading to a call for broader participation and continued capacity-building efforts.

In accordance with Articles 34 and 35 of the EUDPR, the legal framework applicable to the processing of personal data by EU Institutions, all EUIs are legally obliged to notify the EDPS whenever a security incident involving personal data poses a risk to data subjects’ rights and freedoms. In case of high risk, they must also inform the affected data subjects.

In an environment where cybersecurity incidents are on the rise, greatly affecting the processing of personal data, PATRICIA plays a crucial role in the EDPS’ efforts to enhance preparedness and safeguard personal data within the EU Institutions.
 
