On 2 February 2023, the Information Commissioner's Office (ICO) reviewed and updated its statement on the obligations of public electronic communications service providers (CSPs) under Regulation 5A of the Privacy and Electronic Communications Regulations 2003 (PECR). Regulation 5A PECR implements the UK GDPR obligations and requires CSPs to notify the ICO of any personal data breach within 24 hours; otherwise, they may be fined GBP 1,000. In practice, however, the ICO notes that this produces a very high number of reports concerning small incidents that affect a limited number of users and are resolved by the CSPs. To minimise the regulatory burden on CSPs, the ICO has therefore announced that it will use its discretion not to fine CSPs that fail to report breaches within 24 hours, extending that limit to 72 hours. The extension of the reporting requirement does not apply to incidents that are likely to affect a high number of users.