Jocelyn Pitet
September 17, 2025
10 minutes

And what if we finally stopped filling out three notification forms for a single cyber incident?

French companies operate in a genuine regulatory maze, marked by the multiplication of incident notification obligations to the competent authorities.
For example, a personal data breach triggers an obligation to notify the CNIL under the GDPR. Operators of vital importance (OIV) must, for their part, alert ANSSI without delay as soon as an incident affects their critical information systems. At the European level, the NIS directive requires the entities within its scope to notify certain security incidents, with obligations reinforced and extended to many more sectors by the NIS 2 directive. Similarly, the eIDAS regulation strictly governs trust service providers, and the financial sector is now subject to the DORA regulation, which has applied since 17 January 2025. On top of all this come sector-specific regimes (health, payment services, etc.).
On 16 September 2025, the European Commission launched a call for contributions to simplify these obligations to report cyber incidents and breaches.
It finally acknowledges that companies bear too heavy a burden because of the multiplicity of these notifications, and sets itself the objective of minimizing costs by simplifying and harmonizing notification processes.
CISOs, DPOs and other practitioners know that, in the middle of managing a cyber crisis, having to chase after forms adds a Kafkaesque layer of bureaucracy to an already critical situation. The Commission's initiative therefore aims to ease this burden without undermining collective security.

Why do all these notification obligations exist?

Despite their weight, notifications pursue objectives of general interest.
By requiring companies to report the attacks they suffer and the vulnerabilities they discover, authorities can collect valuable data on the threat landscape: attack methods, most affected sectors, and so on. This improves coordination between authorities and helps other entities anticipate similar attacks.
For example, when an energy-sector operator notifies an intrusion attempt, the competent authority can warn the rest of the sector, which may prevent the same campaign from spreading to other operators.
In addition, certain notifications benefit citizens directly: informing the persons affected (as the GDPR and eIDAS provide) allows them to take protective measures (change their passwords, monitor their bank accounts, etc.) after an incident.
However, the accumulation of the regimes described above generates a heavy administrative burden: each framework has its own scope, its own format, its own criteria and its own deadlines.
For international groups, the situation is even more complex, with potentially different obligations depending on the country.
For SMEs and smaller players, this complexity can become discouraging: mastering all the texts, setting up the internal processes and tools needed to comply, and maintaining legal monitoring of every new development all come at a cost.
In short, too many notifications kill notification.
The initiative launched by the European Commission to simplify and harmonize the rules is therefore very positively received by our law firm.

What could be changed?

The current complexity of cybersecurity notification obligations is the result of a gradual build-up: standards have been piled on top of one another, each addressing a specific concern (personal data, service continuity, financial stability, digital trust, etc.).
While each obligation taken in isolation is justified, their accumulation has become a systemic problem.
The European Commission's call for contributions, open until 14 October 2025, is a unique opportunity for stakeholders to make their voices heard on this subject: which notifications could be merged? Which deadlines could be adjusted? How can redundancies between the GDPR, NIS and DORA be avoided?
One idea, for example, would be a single portal through which a company reports an incident by filling out just one form, which is then routed to the relevant authorities (CNIL, ANSSI, sectoral regulators, etc.) according to the nature of the incident, without the same information having to be entered twice. This kind of pooling would reduce the administrative burden while preserving the level of information each authority requires.
Of course, setting up such a common system raises legal and technical challenges (interoperability of reporting platforms, the legal basis for sharing information between authorities, etc.), but the Commission's current initiative opens the way for these discussions.
At Entropy, we are closely following this development and stand ready to assist you in drafting your submissions for this consultation.
After all, it would be a pity to suffer the complexity of the texts without seizing the opportunity to simplify them – and, who knows, finally stop filling out three forms for a single incident…

About the Author

Jocelyn Pitet is an attorney at the Paris Bar (France) and co-founder of Entropy, a law firm dedicated to advanced technologies. His practice focuses on areas such as cybersecurity, data protection, IT contracts, blockchain, artificial intelligence, and other disruptive technologies. For over ten years, Jocelyn has been advising innovative startups, leading tech companies, as well as major international groups in managing complex legal challenges related to digital and innovation.
Alongside his work at the law firm, Jocelyn Pitet also holds teaching positions at the University of Paris Panthéon-Assas and the Leonard de Vinci Institute, where he teaches courses on blockchain law, data protection law, and cybersecurity law.
