The EU has brought in new regulations that force ISPs and telcos serving European customers to confess any security or data breach within 24 hours of the event happening.
According to an EU statement, any telecom operators or ISPs operating in Europe who suffer from a data breach that leads to loss of personal data or theft of such data is compromised in any way will have to notify national data protection authorities within 24 hours.
Telcos or ISPs will have to reveal the nature and size of the breach within the first 24 hours. If they can't provide that information straight away they must give "initial information" and provide all the details within three days.
They will have to tell the world+dog what information has been compromised and the steps they plan to take to fix it.
It seems that the companies will not have to make a public statement unless the breach "is likely to adversely affect" personal information or privacy. Then it has to take steps to warn affected businesses and consumers.
This appears pretty much like the status quo in the EU. Rules like this have existed since 2011.
However, these new regulations are more specific about the timeframes within which such incidents have to be reported. The new regulations require companies to pay specific attention to the type of data compromised.
There are still get out of jail free cards. ISPs and telcos will not be required to pass on the data in cases where there are "justified national security reasons". If data is encrypted the companies will not have to tell anyone.