The European Commission presented a new online tool for small and medium-sized enterprises on Wednesday ahead of the new General Data Protection Regulation that will come into force on May 25.

The new statutes must be applied by all companies offering such services within the bloc even if they are not located in the EU. The Commission reported in December that Denmark, Estonia, France, Hungary, Malta, Ireland, Lithuania, Luxembourg, Latvia, Poland, Sweden, Slovenia, and the UK have either submitted or plan to submit draft laws to their respective parliaments to come into line with the new regulations.

According to the Commission, citizens’ rights would be protected and even strengthened if the regulations are violated.

The new regulation states that any company within the EU that could be facing a data breach attack that could endanger individuals is obliged to report it to the competent data protection authorities within 72 hours.

The EU Commissioner for Justice, Consumers and Gender Equality, Vera Jourová, said Austria and Germany are the only member states that have already implemented the data protection rules, but by 25 May the other 26 countries should follow suit.

Brussels will then monitor how the member states apply the new rules over the first year of the implementation process, after which the Commission will convene a meeting with regulators to assess the overall progress of the programme.