Maria Grazia Porcedda, The GDPR as a cyber risk management system: the ECJ cautiously tackles data breaches in the NAP case

Abstract

When the Bulgarian National Revenue Agency (Natsionalna agentsia za prihodite or the ‘NAP’) suffered a malicious data leak in 2019, it joined the growing ranks of organizations affected by cyberattacks. With security often being an afterthought in cyberspace, data breaches have become a drawback/reality of networking. Beneath the glitter of digitalization and the data economy lie illicit markets, “the central commodity of which is stolen data”. The NAP data breach, which affected 6 million Bulgarians and foreign citizens, sparked several actions to recover damages such as the proceedings that led to the Natsionalna agentsia za prihodite (NAP) case. While Breyer was technically the first ECJ judgment linked to a cybersecurity incident, the NAP case is the first to deal with data breaches and ‘cyberoffending’ in the context of the GDPR. Its importance cannot be overstated: proceedings brought by individuals against the Irish Health Service Executive in the aftermath of a 2021 HSE ransomware attack have been stayed pending the outcome of this and similar cases.