PATRICIA III - Personal dATa bReach awareness In Cybersecurity Incident hAndling

12 Mar 2026

PATRICIA III is the third edition of a table-top cyberexercise, named “Personal dATa bReach awareness In Cybersecurity Incident hAndling” (PATRICIA). The exercise takes place on 12 March 2026 from 08:30 to 16:45 at the European Commission and aims to raise awareness among European Union Institutions, Bodies and Agencies (EUIBAs) staff about personal data breach management.

When: 12 March 2026 from 08:30 to 16:45

Where: European Commission, Rue Philippe Le Bon 3, 1000 Brussels

PATRICIA aims to raise awareness about personal data breaches and foster collaborations among EU Institutions (EUIs) staff, including IT personnel, Data Protection Officers (DPOs) and Security Officers, to ensure proper mitigation of risks to individuals. By simulating cybersecurity incidents and exchanging knowledge and best practices, participants will be able to improve their incident response capabilities and risk mitigation strategies.

This is the third iteration of the exercise, in which 13 teams from the European Commission play the scenario (training/awareness raising action) and discuss cybersecurity incidents and personal data breach management. Participants will exchange best practices, test response mechanisms, and refine coordination strategies in handling personal data breaches. PATRICIA participation is limited to invited EUIs.

Background:

The first edition of this exercise, piloted and co-organised with ENISA in 2024, involved six teams of EUIs and highlighted critical areas for improvement of personal data breach management within the EU Institutions, such as:

  • Clarifying roles and responsibilities in breach management
  • Enhancing collaboration between key stakeholders
  • Strengthening training and awareness efforts

As a result, key recommendations were made, including greater involvement of senior management, improvement of inter-team communication, and reinforcing shared responsibility. 

The exercise was highly appreciated, leading to a call for broader participation and continued capacity-building efforts.

In accordance with Articles 34 and 35 of the EUDPR, the legal framework applicable to the processing of personal data by EU Institutions, all EUIs are legally obliged to notify the EDPS whenever a security incident involving personal data poses a risk to data subjects’ rights and freedoms. In case of high risk, they must also inform the affected data subjects.

The second edition brought together the IT managers, Data Protection Officers (DPOs) and Security Officers (LISO, LCO) from eight EUIBAs who would be responsible for collaborating and managing a cyber-incident resulting in a personal data breach. A total of thirty-six staff members from eight EUIBAs took part in the event, while CERT-EU joined as an observer.

Recommendations to improve existing processes and procedures aim to improve coordination and shared understanding, enhance information exchange, streamline internal processes and promote interdisciplinary training and awareness.

Participant feedback was highly positive. The scenarios were considered realistic, and the discussions directly relevant to daily work.
