Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

Last review date: 30 December 2024

Yes.

☒ general obligation to take appropriate / reasonable technical, physical and/or organizational security measures
☒ obligation to take specific security measures e.g., encryption

Not a strict legal requirement, but encryption is considered by the Data Protection Act an appropriate technical and organizational measure.

☒ requirement to undertake third party due diligence (security assessment of third party providers)
☒ other

Pseudonymization; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident; and a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

Do other laws or regulations impose obligations to protect systems from cyberattack?

Last review date: 30 December 2024

☒ health regulatory requirements

☒ financial services requirements

☒ telecommunication requirements

☒ providers of critical infrastructure

☒ other

Services in the fields of transport, energy and heat supply, water supply, and digital infrastructure are also defined as essential social and economic activities that are obligated to ensure the security of network and information systems from cyberattacks, according to Regulation No. 866/2020 on the Security of Network and Information Systems for Operators of Essential Services, which is based on the Network Security Act.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

Last review date: 30 December 2024

network information security

telecommunications

On 20 March 2024, decision No. 2/2024 was published by the ECOI regarding a security incident at a telecommunications company. The security incident occurred in the mobile and internet services, as well as parts of the company's fixed-line networks, in October 2021, during the implementation of an upgrade to the company's telecommunications networks, resulting in service outages and disruptions affecting 150,000 users for a period of more than 30 minutes. An investigation revealed a direct link between the service outage and the network upgrade process, which the ECOI said could have been prevented with more robust risk management and adequate contingency planning. The telecommunications company appealed the ECOI's decision to the Board of Appeal, which partially confirmed and partially annulled the decision.

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

Last review date: 30 December 2024

Yes.

"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Controllers/Owners have to notify:

Last review date: 30 December 2024

☒ data protection authorities

  • in case of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
  • without undue delay and, where feasible, not later than 72 hours after having become aware of it

☒ cybersecurity authorities

  • in the event of a security breach in network and information systems containing personal data, essential service operators must promptly notify the Computer Emergency Response Team ("CERT-IS") at the ECOI through the government's notification portal, email, or by phone, within 6 hours of identifying incidents or risks that are considered serious.
  • an electronic communication undertaking that operates a public telecommunications network or provides public telecommunications services must immediately notify the ECOI's network security team CERT-IS of all serious security incidents that threaten the safety or functionality of public telecommunications networks or public telecommunications services. The ECOI must be notified without delay if there is a risk that the security or confidentiality of information on electronic communications networks will be breached or if a breach has occurred.


☒ affected individuals

  • without undue delay
  • if a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, unless any of the following conditions are met:
      • the controller has implemented technical and organizational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption, or
      • the controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize

☒ other

There shall be a public communication or similar measure whereby the data subjects are informed in an equally effective manner (instead of informing the data subjects individually) if the communication to the data subjects would involve disproportionate effort.

Processors/Agents have to notify:

Last review date: 30 December 2024

☒ controller / owner

  • in case of a personal data breach irrespective of a risk to the rights and freedoms of the data subjects
  • without undue delay after becoming aware of it

☒ cybersecurity authorities

  • in the event of a security breach in network and information systems containing personal data, essential service operators, where the operator of the essential service is the processor/agent, must promptly notify the CERT-IS at the ECOI through the government's notification portal, email, or by phone, within 6 hours of identifying incidents or risks that are considered serious.
  • an electronic communication undertaking that operates a public telecommunications network or provides public telecommunications services must immediately notify the ECOI's network security team CERT-IS of all serious security incidents that threaten the safety or functionality of public telecommunications networks or public telecommunications services. The ECOI must be notified without delay if there is a risk that the security or confidentiality of information on electronic communications networks will be breached or if a breach has occurred.

Are there any additional sector-specific or non-personal data security breach notification requirements?

Last review date: 30 December 2024

Yes.

☒ cybersecurity authorities
☒ health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)
☒ financial services requirements
☒ telecommunication requirements
☒ providers of critical infrastructure

Details regarding the identified data security breach notification requirements

Telecommunication requirements

Article 80 of Act No. 70/2022 on Electronic Communication provides for a general notification requirement, which states that an electronic communication undertaking that operates a public electronic communication network or provides public electronic communication services shall without delay notify the CERT-IS at the Electronic Communication Office of Iceland of all serious security incidents that threaten the security or operation of public electronic communications networks or public electronic communications services.

When assessing whether a security incident counts as serious, the undertaking shall consider the following:
  a. number of users affected;
  b. how long the security incident lasts;
  c. geographical distribution and extent of the impact of the security incident;
  d. the extent to which the activity of the network or the provision of the service is affected; and
  e. the extent of the impact of the security incident on economic and social activities.

The Electronic Communication Office shall be notified without delay if there is a risk that the security or confidentiality of information on electronic communications networks will be interrupted or if there has been an interruption. The scope of notifications is determined by the content and circumstances of the notified incident.

Notifications of security incidents shall be made via the following link: https://oryggisbrestur.island.is/. (Icelandic only)

No time frame is provided for the notification, but we recommend that the incident is notified within 72 hours of becoming aware of it, if possible.

If there is a special or large-scale threat to a telecommunications network or telecommunications service, telecommunications companies must, on the basis of Article 81 of the Electronic Communication Act, inform the users who may be affected by that threat. They must also inform them about possible security measures and measures that can be taken. If applicable, they shall provide information about the alleged threat. If there is a risk that the security or confidentiality of electronic communications on a particular network will be breached, the service provider must inform users of the risk. The provision of information shall be free of charge.

Violations can result in fines or imprisonment of up to two years, or three years if conducted for commercial purposes. Administrative fines can amount to up to 4% of the total turnover of the last operating year for each telecommunications undertaking, or other company involved in the violation. As for individuals, fines can range from ISK 10,000 to ISK 10 million (approx. EUR 65 to EUR 65,000).

Providers of critical infrastructure

The Network Security Act No. 78 of 25 June 2019, which incorporates Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union into Icelandic national legislation, entered into force on 1 September 2020.

In accordance with Article 8 of the Network Security Act, the operators of essential services are required to notify serious cybersecurity incidents to a computer security incident response team, also known as CERT-ÍS.

When assessing the seriousness of an incident or risk, particular attention shall be paid to the number of users of the service affected by the incident; how long the incident lasts; the geographical distribution and extent of the impact of the incident; and the potential impact of the incident on other important infrastructure or on economic and social activities or digital services. The notification shall include information on possible outsourcing arrangements, such as where important infrastructure relies on the services of a digital service provider in its operations, and on possible contagion effects, even across borders. The scope of the notification is otherwise determined by the content and circumstances in each case.

Administrative fines may be imposed on an individual or legal entity that fails to notify serious cybersecurity incidents. The fines may range from ISK 10,000 to ISK 10 million (approx. EUR 65 to EUR 65,000) but shall not exceed 3% of the turnover of the last calendar year in the case of legal entities (Article 23 of the Network Security Act). Intentional failure to notify may result in a two-year prison sentence (Article 26 of the Network Security Act). Providing incorrect information to the response team intentionally or by culpable negligence may lead to fines and/or a prison sentence of up to three years as per Article 120a of the General Penal Code.

Notifications to the security incident response team, CERT-ÍS, shall be submitted as soon as possible and no later than 6 hours after the incident or risk has been identified in the systems of the operator of the essential service. The operator of essential services shall furthermore, without undue delay, notify customers of disruptions or service interruptions. If the operator of essential services is a customer of another important infrastructure, that infrastructure shall be notified separately.

Cybersecurity authorities, health regulatory requirements and financial services requirements

Regulation No. 866/2020 on the Security of Network and Information Systems of Operators of Essential Services outlines specific security breach notification requirements. In accordance with Articles 4 and 5 of Regulation No. 866/2020, banking and financial market infrastructure services are deemed essential social and economic activities, imposing an obligation on service providers to ensure network security in alignment with the Network Security Act and the aforementioned regulation. Additionally, as per Article 7 of the regulation, health services share similar obligations, requiring the reporting of serious risks and incidents to cybersecurity authorities.

The same rules and requirements apply to notifications by the activities mentioned above as apply to the notifications described earlier for providers of critical infrastructure, cf. Article 25 of Regulation No. 866/2020.