Not the most technical/legal explanation of the new EU regs, but this Daily Mail piece by Ben Ellery does convey some of what is concerning businesses:
Computer hacking victims will be able to claim thousands of pounds in compensation under new laws – even if they do not lose any money.
The ‘distress’ they suffer will be enough to qualify for a payout regardless of whether their accounts have actually been raided.
And with the potential damages as high as £6,000 per person, companies with millions of customers could be left crippled by a cyber-attack.
Read more on The Daily Mail.
Now, it would be great if businesses were so concerned that they (1) collected and stored less data and (2) provided better security for the data they do collect and store. But as Ellery notes, what happens if companies just decide to take a risk and not report breaches for fear of penalties? Hmmm…