The recent regulatory focus on cyber-security and data protection can be seen in a number of new requirements on firms to notify regulators – and in some cases affected individuals – of data and security breaches and other operational incidents. This briefing looks across these requirements and highlights areas of overlap as well as differences between the regimes.