The Regulation 1725/2018 introduces a duty on all EU Institutions and bodies to report certain types of personal data breach to the EDPS. They must do this within 72 hours of becoming aware of the breach, where feasible.
If the breach is likely to result in a high risk of adversely affecting individuals’ rights and freedoms, they must also inform those individuals without undue delay. All EU institutions and bodies should ensure that they have the procedures that enable them to detect a breach, investigate, take the necessary corrective measures and report. They must keep a record of any personal data breaches, regardless of whether they are required to notify the EDPS.
ARETE is the first edition of the Assessment of Risk to individuals of pErsonal daTabrEaches (ARETE) training exercise. It follows the successful implementation of the PATRICIA I, II and III exercises, and the Data Breach Awareness campaign, continuing a series of EDPS initiatives aimed at strengthening data protection capabilities across EU institutions and bodies.
PATRICIA III is the third edition of a table-top cyberexercise, named “Personal dATa bReach awareness In Cybersecurity Incident hAndling” (PATRICIA). The exercise takes place on 25 March 2026, aimed to raise awareness about personal data breach management.
On 5 June 2025, the EDPS organised the second edition of PATRICIA - Personal dATa bReach awareness in Cybersecurity Incident Handling, a table-top exercise focusing on personal data breach management. It aimed to raise awareness among European Union Institutions, Bodies and Agencies' (EUIBAs) staff about personal data breach management in a cyber-attack context. This is an Executive Summary of the report.
The EDPS organises the second edition of PATRICIA - Personal dATa bReach awareness in Cybersecurity Incident Handling, a table-top exercise focusing on personal data breach management. The cyber exercise takes place on 5 June 2025 from 09:00 to 17:00 at the Info Hub and will bring together key stakeholders from selected EUIs to enhance incident response and collaboration.
On 3 October 2024, the European Union Agency for Cybersecurity (ENISA) and the European Data Protection Supervisor (EDPS) jointly organised a table-top exercise titled “Personal Data Breach Awareness In Cybersecurity Incident Handling” (PATRICIA). The event, hosted at the EDPS premises in Brussels, aimed to raise awareness among staff from European Union Institutions, Bodies, and Agencies (EUIs) on managing personal data breaches.