The Legal/Compliance layer of the system. Every incident that carries active legal flags (AI Act, GDPR, NIS2) starts reporting clocks toward the competent authorities. This board shows the cases, their flags, the applicable deadlines, the owner (Legal/DPO/AI Safety Officer) and the status of the legal decision, from open to reported/closed.
Setting the NIS2_RELEVANT, GDPR_BREACH or AI_SERIOUS_INCIDENT flag is not an informational label: it starts a counted reporting obligation. The system tracks the running deadline and requires an artefact confirming that notification was filed.
| case | flags | authority deadline | owner | decision status | prio |
|---|---|---|---|---|---|
| LGL-3011 customer data leak | GDPR_BREACH, PERSONAL_DATA, NIS2_RELEVANT | GDPR 72h: 18h left; NIS2 24h: sent | Legal/DPO | GDPR art.33 IN PROGRESS | P0 |
| LGL-3009 serious AI system incident (scoring) | AI_HIGH_RISK, AI_SERIOUS_INCIDENT, LAW_ENFORCEMENT? | AI Act art.73: without undue delay | AI Safety Officer | QUALIFICATION ANALYSIS | P0 |
| LGL-3006 ransomware – essential service | NIS2_RELEVANT, CRITICAL_INFRA, KSC_RELEVANT | NIS2 early 24h: sent; 72h report: 44h left | Operator + Legal | 24h FILED | P0 |
| LGL-3002 phishing – mailbox takeover | PERSONAL_DATA, AI_ACT? | GDPR risk assessment: in progress | Legal/DPO | ASSESSING IF BREACH | P1 |
| LGL-2998 voice deepfake – fraud attempt | FALSE_IDENTITY, LAW_ENFORCEMENT | notification to law enforcement | Legal + CISO | REPORTED | P1 |
| LGL-2990 misconfig – log exposure | PERSONAL_DATA? | art.34 assessment (notifying individuals) | Legal/DPO | NO PROOF OF SCOPE | P2 |
The "decision status" column inherits its evidential basis from the Evidence Board: a case cannot be marked "REPORTED as breach" while the data scope is still in GAP status.
Below: obligation frameworks derived from the publicly known text of the regulations. These are normative frameworks, not descriptions of any incident. Always verify against the current text of the act and its national implementation.
Providers of high-risk AI systems report a serious incident to the market surveillance authority of the state in which the incident occurred, without undue delay after establishing a causal link (or the reasonable likelihood of one) between the AI system and the incident.
Triggering flags: AI_HIGH_RISK + AI_SERIOUS_INCIDENT. Note the specific deadlines that depend on the type of effect (e.g. shorter for fatal events). Subject to the AI Act's entry into force and transitional provisions.
Addressee: the competent CSIRT / national authority. In PL this is linked to KSC_RELEVANT (the National Cybersecurity System Act). Flag: NIS2_RELEVANT; for essential services also CRITICAL_INFRA.
Flags: GDPR_PERSONAL_DATA, GDPR_BREACH. Maintain a breach register (art.33(5)) regardless of whether notification was required.
| flag | obligation (framework) | deadline | addressee | owner |
|---|---|---|---|---|
| AI_SERIOUS_INCIDENT | report a serious AI incident | without undue delay | market surveillance authority | AI Safety Officer |
| NIS2_RELEVANT | 3-stage notification | 24h / 72h / 1 month | CSIRT / national authority | Operator + Legal |
| KSC_RELEVANT | KSC obligations (PL) | per the KSC Act | national-level CSIRT | Operator + Legal |
| GDPR_BREACH | art.33 notification | ≤ 72h | Data Protection Authority | Legal/DPO |
| PERSONAL_DATA + high risk | art.34 communication | without undue delay | the data subjects | Legal/DPO |
| LAW_ENFORCEMENT | notification of a crime | promptly | law enforcement | Legal + CISO |
The legal decision status inherits from the evidence: a GAP blocks breach qualification.
Notifying an authority is an action with a due_at deadline and proof of filing.
Templates and a register of letters to authorities (DPA, CSIRT, market surveillance).
The path for qualifying a serious AI incident and filing the art.73 report.
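As an added illustration (not code from this board or its vendor), a compact Python model of the mechanism described above: a flag starts dated clocks, a notification is closed only by a filing artefact, and the Evidence Board's GAP status blocks the REPORTED decision. The class and function names, the 72h internal SLA used for the AI Act's "without undue delay", and the sample case are assumptions constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Clocks per flag, from the framework table; the AI Act's "without undue delay" has no hour count, so 72h is a constructed SLA.
CLOCKS = {
    "GDPR_BREACH": [("DPA art.33 notification", timedelta(hours=72))],
    "NIS2_RELEVANT": [("CSIRT early warning", timedelta(hours=24)),
                      ("CSIRT notification", timedelta(hours=72)),
                      ("CSIRT final report", timedelta(days=30))],
    "AI_SERIOUS_INCIDENT": [("market surveillance art.73 report", timedelta(hours=72))],
}

@dataclass
class Obligation:
    name: str
    due_at: datetime
    filed_proof: str = ""               # letter-register artefact id proving the filing; "" = not filed
@dataclass
class LegalCase:
    case_id: str
    flags: set
    established_at: datetime            # when the breach/incident was established: clock start
    evidence_status: str                # inherited from the Evidence Board: "OK" or "GAP"
    obligations: list = field(default_factory=list)

def start_clocks(case: LegalCase) -> list:
    # A flag is not a label: every matching clock becomes a dated obligation on the case.
    case.obligations = [Obligation(name, case.established_at + delta)
                        for flag in sorted(case.flags) for name, delta in CLOCKS.get(flag, [])]
    return case.obligations
def file_notification(ob: Obligation, proof: str) -> None:
    if not proof:
        raise ValueError("a filing artefact is required to close a notification")
    ob.filed_proof = proof
def board_view(case: LegalCase, now: datetime) -> dict:
    # Per obligation: "sent" once proof is on record, otherwise hours left (negative = overdue).
    return {ob.name: "sent" if ob.filed_proof else round((ob.due_at - now) / timedelta(hours=1), 1)
            for ob in case.obligations}
def decision_status(case: LegalCase) -> str:
    # Evidence gate: a data-scope GAP blocks REPORTED no matter what has already been filed.
    if case.evidence_status == "GAP":
        return "NO PROOF OF SCOPE"
    all_filed = bool(case.obligations) and all(ob.filed_proof for ob in case.obligations)
    return "REPORTED" if all_filed else "IN PROGRESS"

# Constructed sample mirroring LGL-3011 on the board, viewed 54h after establishment.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
NOW = T0 + timedelta(hours=54)
def sample_case() -> LegalCase:
    return LegalCase("LGL-3011", {"GDPR_BREACH", "PERSONAL_DATA", "NIS2_RELEVANT"}, T0, "OK")
```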
The art.33 clock starts from establishing the breach, but whether to notify depends on the risk assessment. DPO decision checklist:
| Question | Consequence |
|---|---|
| Is this a personal data breach? | No → outside GDPR art.33/34 |
| Is there a risk to the rights and freedoms of individuals? | Yes → notify the DPA ≤ 72h (art.33) |
| Is the risk high? | Yes → communicate to individuals (art.34) |
| When did "establishing the breach" occur? | Start of the 72h clock |
| Was the data encrypted / unreadable? | May lower the duty to notify individuals |
| Who made the decision (DPO)? | Register entry + justification |
| Is the data retention justified? | Verify the legal basis and period |
| Field | Values |
|---|---|
| Covered sector | yes / no / undetermined |
| Entity size | medium / large / other |
| Essential entity | yes / no / undetermined |
| Important entity | yes / no / undetermined |
| Competent CSIRT | NASK / GOV / MON / sectoral |
| Registration obligation | yes / no / undetermined |
| Notification status | early warning (24h) / notification (72h) / final (1 month) |
| Responsible | board / manager / security owner |
Normative framework, not legal advice. Classifying the entity is up to the organisation and its advisors. See Law Change Watch.