In the framework of the GDPR, companies that provide services in the region must notify authorities before leaks of clients’ personal data in no more than 72 hours; if the seriousness of the attack deserves it, they will even have to inform the affected users; and sanctions for non-compliance can reach 4% of annual global revenues, or € 20 million.