GDPR Enforcement Holds Firm as Data Breach Notifications Surge Across Europe, DLA Piper Survey Finds

The latest edition of DLA Piper’s GDPR Fines and Data Breach Survey paints a clear picture of Europe’s data protection landscape in 2025: enforcement remains intense, monetary penalties remain historically high, and the volume of reported personal data breaches has reached levels not seen since the early years of the GDPR.

According to the survey, European supervisory authorities issued approximately EUR 1.2 billion in GDPR fines during 2025. While this figure broadly matches the total fines imposed in 2024, it marks a reversal of the downward trend seen in the prior year and confirms that regulators continue to view enforcement as a central tool for driving compliance.

Even more striking than the fine totals is the sharp increase in reported personal data breaches. Between late January 2025 and late January 2026, breach notifications across Europe rose by 22 percent, reaching an average of 443 notifications per day. This is the first time since 2018 that daily notifications have exceeded 400, ending several years of relative stability in reporting volumes.

Taken together, the findings suggest that European regulators are confronting a more volatile threat environment, while organizations face growing operational and legal pressure to strengthen security, governance, and incident response capabilities.

Enforcement Levels Remain Historically High

The aggregate GDPR fine total of approximately EUR 1.2 billion in 2025 underscores the sustained willingness of supervisory authorities to impose significant financial penalties. Although the total does not exceed 2024’s figure, it dispels the impression that enforcement intensity might be easing.

Since the GDPR became applicable on 25 May 2018, total fines across surveyed jurisdictions have now reached approximately EUR 7.1 billion. This cumulative figure reflects not only individual high-profile penalties, but also a steady stream of enforcement actions across a wide range of sectors and compliance failures.

The data reinforces a key reality for organizations operating in Europe: GDPR enforcement is no longer episodic or experimental. It is mature, consistent, and deeply embedded in regulatory practice.

Ireland’s Continued Dominance in GDPR Enforcement

Ireland once again leads Europe in cumulative GDPR fines. Since 2018, the Irish Data Protection Commission has imposed approximately EUR 4.04 billion in penalties, accounting for a substantial share of all GDPR fines issued to date.

This dominance is not coincidental. Ireland serves as the lead supervisory authority for many of the world’s largest technology and digital services companies because their European headquarters are located there. As a result, cross-border investigations involving complex data processing operations frequently culminate in Irish enforcement decisions.

The largest fine imposed in 2025 further illustrates this role. In April 2025, the Irish Data Protection Commission issued a EUR 530 million penalty against a social media company for violations of GDPR restrictions on international data transfers. The decision reflects continued regulatory focus on cross-border data flows and the adequacy of safeguards following years of legal uncertainty around international transfer mechanisms.

Despite this, the largest GDPR fine on record remains the EUR 1.2 billion penalty imposed in 2023, also by the Irish authority, underscoring how enforcement against large multinationals continues to shape the GDPR landscape.

A Sharp Increase in Data Breach Notifications

While fines capture headlines, the most consequential finding in this year’s survey may be the dramatic increase in reported personal data breaches.

Between 28 January 2025 and 27 January 2026, the average number of daily breach notifications rose from 363 to 443, a 22 percent increase. This marks the first time since the GDPR’s introduction that breach notifications have exceeded an average of 400 per day.

For several years, breach reporting volumes had plateaued, suggesting that organizations had reached a steady state in incident detection and notification. The sudden break from that trend signals a material shift in the threat environment.

While the survey does not attribute the increase to a single cause, several converging factors appear to be driving the surge:

  • Escalating geopolitical tensions increasing the frequency and sophistication of cyber-attacks
  • Greater availability of advanced tools to threat actors, including automation and AI-driven techniques
  • Expanded legal and regulatory notification requirements under newer cybersecurity and digital resilience laws
  • Improved internal detection capabilities leading to more incidents meeting notification thresholds

The result is a reporting environment in which organizations are confronting both more incidents and greater scrutiny over how those incidents are handled.

Security of Processing Remains a Central Enforcement Focus

The sharp rise in breach notifications has been accompanied by continued enforcement around the GDPR’s integrity and confidentiality principle, commonly referred to as the security principle.

Across the jurisdictions surveyed, fines for inadequate security controls feature prominently. Regulators continue to emphasize that organizations must implement appropriate technical and organizational measures to protect personal data against unauthorized access, loss, or disclosure.

A notable trend in 2025 is increased attention on supply chain security. Supervisory authorities are scrutinizing not only controllers, but also processors and service providers whose failures contribute to data breaches.

Importantly, regulators are demonstrating a willingness to impose fines directly on processors. This reflects the GDPR’s clear allocation of responsibility and reinforces that processors cannot rely on contractual relationships alone to shield themselves from enforcement.

In practical terms, organizations are expected to:

  • Conduct rigorous vendor and processor risk assessments
  • Implement and document robust access controls and security monitoring
  • Ensure contractual obligations align with actual technical practices
  • Regularly test incident response and breach containment procedures

Security failures are increasingly treated not as isolated technical issues, but as systemic governance shortcomings.

International Data Transfers Continue to Attract Regulatory Scrutiny

International data transfers remain one of the most complex and enforcement-prone areas of GDPR compliance. The significant fine imposed in 2025 for unlawful transfers highlights that regulators continue to view this issue as a priority.

Organizations are expected to assess transfer mechanisms on an ongoing basis, taking into account evolving legal interpretations, supplementary measures, and country-specific risks. Transparency and accountability around transfer decisions are critical, particularly where large-scale or sensitive data processing is involved.

For multinational organizations, this reinforces the importance of maintaining detailed transfer inventories, impact assessments, and documented safeguards that can withstand regulatory review.

The Growing Importance of GDPR Compensation Claims

Regulatory fines are only part of the compliance risk equation. The survey highlights increasing attention on GDPR-related compensation claims, particularly claims seeking damages for non-material harm.

Recent rulings from European courts, including the Court of Justice of the European Union, have clarified aspects of the threshold for compensation claims. While claimants must demonstrate harm, courts have made clear that non-material damage, such as distress or loss of control over personal data, can be compensable under certain circumstances.

This evolving jurisprudence raises the stakes for organizations responding to data breaches. Even where regulatory fines are limited or avoided, follow-on civil claims can expose organizations to additional financial and reputational risk.

As a result, breach response strategies must account for both regulatory engagement and potential litigation exposure.

Leadership Perspectives on the 2025 Enforcement Landscape

Commenting on the survey findings, DLA Piper leadership emphasized the severity of the current cybersecurity and data protection environment.

The sharp increase in breach notifications was described as a clear signal that organizations are operating in unprecedented conditions. Heightened geopolitical instability, combined with rapid technological change and expanding regulatory obligations, has created an environment where data incidents are more frequent and more consequential.

Of particular concern is the growing body of cybersecurity legislation that introduces personal accountability for members of management bodies. This development raises the stakes for boards and senior executives, who are increasingly expected to oversee cybersecurity and data protection as core enterprise risks.

At the same time, the persistence of high aggregate fines confirms that regulators remain active across multiple areas, including information security, international data transfers, transparency obligations, and the intersection of AI innovation with data protection law.

Implications for Privacy, Security, and Compliance Teams

The survey’s findings carry several practical implications for organizations operating under the GDPR:

  • Incident readiness is critical: Rising breach volumes mean organizations must invest in detection, containment, and notification processes that function under pressure.
  • Security governance must be demonstrable: Regulators expect evidence of decision-making, risk assessments, and continuous improvement, not just technical controls.
  • Third-party risk is front and center: Supply chain failures can trigger enforcement even where the controller was not directly compromised.
  • Litigation risk is increasing: Breach response must consider downstream compensation claims, not only regulatory penalties.
  • AI and emerging technologies add complexity: As organizations deploy advanced analytics and AI systems, transparency and lawful processing become more challenging and more scrutinized.

2026 edition of DLA Piper’s GDPR Fines and Data Breach Survey

The 2026 edition of DLA Piper’s GDPR Fines and Data Breach Survey confirms that Europe’s data protection regime remains firmly in an enforcement phase. Monetary penalties remain substantial, breach notifications are rising sharply, and regulators are increasingly focused on security, supply chain resilience, and international data transfers.

For organizations, the message is clear. GDPR compliance is no longer about avoiding rare enforcement events. It is about building resilient systems, mature governance structures, and credible operational controls capable of withstanding both regulatory scrutiny and an increasingly hostile cyber threat landscape.

As breach volumes rise and enforcement expectations continue to evolve, the cost of underinvestment in privacy and security has never been higher.
