If these attacks are not disclosed, it is mainly due to the lack of legal framework. But this is changing. In recent years, countries, aware of the magnitude and certain increase in risk, have begun to legislate in this direction. For example, the European Union adopted in April 2016 its General Data Protection Regulation (GDPR), which has been in force since 25 May 2018. Its scope, which is not limited to member countries, is also extraterritorial. This means that any business whose activities affect one of its citizens or one of its businesses must comply with it. In law, the failure to do so constitutes negligent negligence, and the delay in correcting a situation as quickly as possible is one of failure to act with due diligence. It is not long ago when companies will have an obligation of means in terms of data protection, with a disclosure obligation in case of successful attacks.