


All over EU and UK law, we see a requirement to report certain stuff "without undue delay", often coupled with a hard deadline period (e.g., within 72 hours). A CJEU case from last month explored what these dual obligations mean in practice.
IL v Veracash (Case C‑665/23, 1 August 2025) concerned the old Payment Services Directive (PSD).
The PSD requires cardholders (consumers) to notify the payment services provider about suspected fraudulent transactions "without undue delay" upon becoming aware of the transaction and within no more than 13 months.
The complainant notified the provider within two months, easily beating the "hard" 13-month deadline. But he was refused a refund for allegedly failing to meet the "without undue delay" requirement.
The case explores how these deadlines work and has broader implications.
For example, we see "without undue delay" provisions in the following laws:
GDPR Article 33 (1)
“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority…”
AI Act Article 26 (5)
“Where deployers have reason to consider that the use of the high-risk AI system in accordance with the instructions may result in that AI system presenting a risk within the meaning of Article 79(1), they shall, without undue delay, inform the provider or distributor and the relevant market surveillance authority, and shall suspend the use of that system.”
Cyber Resilience Act Article 14 (2) (a)
“(The manufacturer shall submit) an early warning notification of an actively exploited vulnerability, without undue delay and in any event within 24 hours of the manufacturer becoming aware of it…”
Can you think of any others?
By treborjnametab1