Quiz 1C — EU Frameworks: GDPR, NIS2, and the Budapest Convention | LawZeee

Question 1

A European hospital that is classified as an "essential entity" under NIS2 experiences a ransomware attack on Monday at 9am. By what time must the hospital submit the NIS2 early warning to its national competent authority?

ABy Tuesday 9am (24 hours later)BBy Thursday 9am (72 hours later)CBy the following Monday (1 week later)DWithin 30 calendar days

Question 2

The same hospital confirms that patient records were likely accessed during the attack. When must it notify the data protection authority under GDPR Article 33?

AWithin 24 hours of the ransomware attackBWithin 72 hours of becoming aware that a personal data breach occurredCWithin 30 days of confirming the scope of the breachDOnly if the patient data was actually exfiltrated (not just accessed)

Question 3

A cloud services company with €500 million annual worldwide turnover is classified as an "essential entity" under NIS2. What is the minimum maximum administrative fine the company could face for a serious NIS2 violation?

A€7 millionB€10 millionC€20 millionD€10 million or 2% of turnover — whichever is higher (= €10 million in this case, since 2% of €500M = €10M)

Question 4

Under GDPR Article 83 (upper tier), what is the maximum fine for a violation involving unlawful processing of personal data on a fundamental rights basis?

A€10 million or 2% worldwide annual turnover (whichever is higher)B€20 million or 4% worldwide annual turnover (whichever is higher)C€50 million flat fineD€7 million or 1.4% worldwide annual turnover (whichever is higher)

Question 5

Which of the following best describes the relationship between NIS2 and GDPR in the context of a ransomware attack on an EU bank that processes customer financial data?

ANIS2 supersedes GDPR for cybersecurity incidents — only NIS2 appliesBGDPR supersedes NIS2 for incidents involving personal data — only GDPR appliesCBoth NIS2 and GDPR may apply simultaneously — NIS2 for the operational/security incident, GDPR for the personal data breachDNeither applies if the bank is regulated under NIS2 because financial entities are exempt from GDPR

Question 6

Article 35 of the Budapest Convention establishes what mechanism?

AA mandatory 24-hour incident reporting obligation for signatory statesBA 24/7 point-of-contact network for immediate assistance in cybercrime investigations, particularly evidence preservationCA unified fine structure for cybercrime offenses across signatory statesDA framework for extraditing cybercrime suspects between signatory states

Question 7

What does the Budapest Convention's 24/7 contact network allow investigators to do that the formal MLAT process does NOT provide quickly?

ATransfer evidence for immediate use in court proceedingsBArrest suspects in foreign countries without an extradition treatyCPreserve volatile electronic evidence (such as server logs) on an emergency basis before it is deletedDAccess encrypted communications in real time

Question 8

Under NIS2, what is the reporting sequence for a significant ongoing cyber incident?

AFinal report only — one consolidated report within 1 monthBEarly warning (24h) → Incident notification (72h) → Final report (1 month after incident notification) + monthly progress reports if ongoingCIncident notification (72h) → Final report (30 days) — no early warning requiredDEarly warning (72h) → Final report (1 month) — no intermediate notification

Question 9

The Second Additional Protocol to the Budapest Convention, signed by the U.S. in 2022, primarily addresses which limitation of the original Convention?

AIt adds new criminal offenses not covered in the original ConventionBIt creates direct cooperation pathways with service providers and reduces MLAT latency for certain evidence typesCIt expands fine maxima for cybercrime offenses in signatory statesDIt creates a centralized EU database for cross-border cybercrime evidence

Question 10

A GDPR data controller notified the supervisory authority of a breach within 72 hours, but the initial notification was incomplete because the full scope wasn't known. Under GDPR, what should the controller do?

AThe 72-hour deadline cannot be met with an incomplete notification — the controller must wait until the full picture is clearBSubmit the incomplete notification within 72 hours and supplement it with additional information as it becomes availableCRequest a formal extension from the supervisory authority before the 72-hour deadline expiresDWait for the supervisory authority to request additional information