Global law firm DLA Piper has published the eighth edition of its annual GDPR Fines and Data Breach Survey, revealing a sustained high level of data enforcement activity across Europe throughout 2025, with European supervisory authorities issuing fines totalling approximately EUR1.2 billion, closely matching the 2024 total fines issued.

Significantly, the analysis of data from Europe's data protection supervisory bodies reveals a 22% annual increase in notified personal data breaches, amounting to an average of 443 per day. This significant increase follows several years of plateauing breach notification figures, and the first time since 2018 the average daily breach notifications have exceeded 400.

Ireland once again leads the enforcement tables, with aggregate fines issued by the Irish Data Protection Commission now reaching EUR4.04 billion since the GDPR came into force in May 2018.

A new era of cyber threat realised

Between 28 January 2025 and 27 January 2026, the average number of personal data breach notifications per day increased to 443, a 22% rise from 363 the previous year. While not strictly causal, set against the past year's backdrop of geopolitical unrest, evolving AI-enabled threat actors, and a string of headline cyber events causing significant operational downtime for global organisations, this stark rise in notified personal data breaches goes some way to confirm an unprecedented new level of cyber threat and in turn the need for prioritising security and operational resilience. 

EUR1.2 billion in GDPR fines consistent with those of 2024

For the year beginning 28 January 2025, GDPR fines across Europe matched the previous year’s total of approximately EUR 1.2 billion. While this represents no year-on-year increase, it is indicative of a sustained high level of enforcement rather than a slowdown. The level of enforcement underlines the continued willingness of data protection authorities to impose substantial monetary penalties despite criticisms from outside the EU.

As in previous years, enforcement action remained heavily concentrated on large technology and social media companies, with nine of the ten largest GDPR fines to date imposed on organisations in this sector.

Commenting on the survey results, Irina Macovei, Head of the Intellectual Property and Technology practice in Romania stated: "Security has always been at the heart of GDPR, but with NIS2, DORA and the CRA, the regulatory spotlight on cybersecurity has become far sharper. These frameworks raise the bar on operational resilience and supply‑chain security at a time when data breach notifications have already jumped by 22% to an average of 443 per day. The message is unmistakable: organisations must strengthen their entire digital infrastructure - not just to comply, but to keep pace with an environment where cyber‑attacks are more frequent, more disruptive, and more costly than ever."

Andrei Stoica added: "With the Digital Omnibus, the Commission is reopening some of the most sensitive questions about how far GDPR should reach, with a particular focus in the AI space. The new AI related exceptions and the push to ‘simplify’ rules are meant to give businesses more breathing room, but some critics already warn of a ‘death by a thousand cuts’ and a fast-track assault on GDPR. The real test will be whether lawmakers can dial back perceived overreach and legal uncertainty without dialling down the protection individuals have come to expect in Europe."

Corina Bădiceanu concluded: "In line with the European trends, we expect that data breaches will continue to receive increased attention in Romania as well, and that the number of data breaches notifications will continue to rise in 2026."

About DLA Piper

DLA Piper is a global law firm helping our clients achieve their goals wherever they do business. Our pursuit of innovation has transformed our delivery of legal and tax services.  With offices in the Americas, Europe, the Middle East, Africa and Asia Pacific, we deliver exceptional outcomes on cross-border projects, critical transactions and high-stakes disputes.

DLA Piper's office in Bucharest supports clients with a team of more than 50 internationally trained lawyers and tax consultants combining industry knowledge built on local projects with international experience gained while advising major global clients.

Our legal and tax services cover Corporate, Employment, Competition, Finance, Intellectual Property and Technology, Real Estate, Tax, Litigation and Regulatory. Every day we help trailblazing organizations seize business opportunities and successfully manage growth and change at speed. Visit dlapiper.com to discover more.