Data Breach Notification Timelines by Country: What Every Business Needs to Know in 2026
The Clock Starts the Moment You Find Out
A data breach is discovered at 11pm on a Thursday. By the time your IT team has confirmed it's real, your legal team has been briefed, and your CEO has been woken up, it's Friday morning. In some jurisdictions you have less than 72 hours from that Thursday night moment to file a formal notification with a regulator. In others you have 30 days. In a few, the timeline depends on which sector you operate in, which state your customers live in, or how many people were affected.
For any business with customers, employees, or operations across more than one country, data breach notification has become one of the most operationally demanding compliance obligations there is. The rules are genuinely different across jurisdictions, the deadlines are hard, and the penalties for missing them are no longer theoretical.
Here is where the major jurisdictions stand as of 2026.
European Union: The 72-Hour Benchmark
The EU's General Data Protection Regulation set the standard that most of the world has since benchmarked against. Under Article 33, controllers must notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach, where the breach is likely to result in a risk to individuals' rights and freedoms. If notification happens after 72 hours, it must be accompanied by a reasoned explanation for the delay.
The 72-hour clock starts at the point of awareness, not at the point of confirmed investigation. That distinction has caught organisations out repeatedly: beginning a full forensic investigation before filing anything, on the assumption that the clock hasn't started yet, is not how supervisory authorities interpret the rule.
By January 2026, the average number of breach notifications filed across Europe had grown to 443 per day, a 22% increase year on year, according to DLA Piper's annual survey. The volume reflects both the scale of incidents and the fact that enforcement has become real enough to discourage sitting on notifications.
Where the breach is serious enough to risk high harm to individuals, organisations must also notify affected individuals directly, promptly and in plain language, under Article 34.
United Kingdom: Broadly Aligned, Separately Enforced
Post-Brexit, the UK retained a version of the GDPR framework through the UK GDPR and the Data Protection Act 2018. The notification standard is the same in principle: 72 hours to the Information Commissioner's Office for a breach likely to result in a risk to individuals.
The practical difference is that a company operating in both the EU and UK now has two separate regulators to notify, on the same timeline, under two separate legal frameworks. That operational reality is worth building into any incident response plan explicitly rather than discovering it during an actual breach.
India: No Fixed Hours, but Real Penalties
India runs a two-track system right now, which creates some confusion for businesses trying to build a single compliance framework.
Under the Digital Personal Data Protection Act 2023, organisations must notify both the Data Protection Board of India and affected individuals without undue delay following a breach. There is no fixed hour or day specified in the statute, and the DPDP Rules are expected to add more specificity on format and method once they are finalised. The penalties for non-compliance are significant: fines can reach up to Rs 250 crore (approximately USD 30 million) for the most serious breaches, assessed on a case-by-case basis by the Board.
Running in parallel, CERT-In directions issued in April 2022 require organisations to report certain categories of cyber incidents to India's Computer Emergency Response Team within six hours of becoming aware. That six-hour window applies to a specific list of incident types including data breaches involving personally identifiable information, and it is entirely separate from the DPDP Act obligations. For a company that suffers a qualifying breach, both obligations can apply simultaneously, to different bodies, on different timelines.
United States: A Patchwork With No Single Answer
The US has no single federal data breach notification law covering all industries. Instead, businesses face a combination of sector-specific federal rules and a patchwork of 50 state laws, all of which apply simultaneously based on where affected individuals reside.
At the federal level, the main sector-specific rules are as follows. HIPAA gives healthcare organisations and their business associates 60 days from discovery to notify the Department of Health and Human Services and affected individuals, with a shorter window for larger breaches. The SEC's cybersecurity disclosure rule, which came into force in late 2023, requires publicly listed companies to disclose material cybersecurity incidents in an 8-K filing within four business days of determining that an incident is material. Banking regulators including the FDIC require notification within 36 hours for certain computer security incidents that materially disrupt operations.
At the state level, all 50 states now have breach notification laws. Timelines differ substantially: California, New York, Colorado, Florida, and Washington require notification within 30 days. Alabama, Arizona, Indiana, and Ohio allow 45 days. Connecticut, Delaware, and Texas allow 60 days. Many states use qualitative language such as "without unreasonable delay" rather than a fixed number. When a breach affects residents across multiple states, the most stringent applicable state law typically drives the response timeline in practice.
Australia: Enforcement-Driven and Getting Stricter
Australia's Notifiable Data Breaches scheme under the Privacy Act 1988 requires organisations to notify the Office of the Australian Information Commissioner and affected individuals as soon as practicable, and no later than 30 days after becoming aware of a suspected eligible data breach. An eligible data breach is one that is likely to result in serious harm.
A separate obligation under the Security of Critical Infrastructure Act requires operators of critical infrastructure assets, including energy, water, and healthcare, to notify the Australian Signals Directorate of significant cyber incidents within 12 hours, and other incidents within 72 hours.
Since the Fair Work Commission began accepting right-to-disconnect applications in August 2024, Australia has been moving consistently toward stricter enforcement of worker and consumer protections more broadly, and data breach compliance sits in that same direction of travel.
Singapore: 3 Days to Assess, 30 Days to Notify
Singapore's Personal Data Protection Act requires organisations to notify the Personal Data Protection Commission within three calendar days of assessing that a breach is notifiable, which itself must be assessed as soon as reasonably practicable after discovery. Affected individuals must be notified as soon as practicable. A notifiable breach is one that results in, or is likely to result in, significant harm to affected individuals, or that affects 500 or more individuals.
The three-day assessment window is narrower than it sounds: organisations cannot use ongoing investigation as a reason to delay beginning the notification process indefinitely.
What This Means in Practice
For any business with a cross-border footprint, a few conclusions are hard to avoid.
The fastest legal clock in any jurisdiction you operate in is effectively your global incident response deadline. If CERT-In's six-hour window applies to your Indian operations, that timeline shapes how quickly your entire response machine needs to activate, even if other applicable rules give you longer.
The definition of when the clock starts varies: most regimes run from awareness of the breach, not from confirmation of its full scope. Building an incident response plan that assumes the clock starts at initial discovery, rather than at the end of the investigation, is the only safe approach.
A breach affecting customers in multiple jurisdictions simultaneously triggers multiple parallel notification obligations, to different regulators, on different timelines, in different formats. Mapping those obligations in advance rather than during an active incident is the difference between a manageable response and a regulatory disaster.
This Blog is for general informational purposes and does not constitute legal advice. For guidance specific to your organisation's data breach response obligations, please contact our team.