EU Compliance Statistics 2026: Fines, Enforcement & Market Data
March 28, 2026
EU compliance statistics track the enforcement, costs, and market impact of European regulations including GDPR, NIS2, DORA, and the AI Act. As of 2026, EU data protection authorities have issued over EUR 5.9 billion in GDPR fines, NIS2 covers 160,000+ entities across 18 sectors, and the EU compliance consulting market exceeds EUR 10 billion annually.
Last updated: March 2026. This page is regularly updated with the latest enforcement data, survey findings, and market research.
Key Takeaways
EU data protection authorities have issued EUR 5.9 billion+ in GDPR fines since May 2018 (GDPR Enforcement Tracker, March 2026).
The top 10 GDPR fines alone account for over EUR 4.5 billion of total penalties.
NIS2 brings 160,000+ entities across 18 sectors into scope for mandatory cybersecurity requirements (European Commission).
The average cost of a data breach in the EU reached EUR 4.57 million in 2025 (IBM Cost of Data Breach Report 2025).
Only 34% of organisations report full GDPR compliance eight years after enforcement (Cisco Data Privacy Benchmark Study 2025).
DORA applies to approximately 22,000 financial entities and their critical ICT providers across the EU (European Commission).
The global regulatory compliance market is projected to reach USD 45.3 billion by 2027, growing at 10.1% CAGR (Grand View Research, 2024).
Since 25 May 2018, EU and EEA data protection authorities have steadily increased the volume and severity of GDPR enforcement. The following statistics capture the scale of that enforcement activity.
Total GDPR Fines by Year
| Year | Number of Fines | Total Fines Issued | Notable Trend |
|---|---|---|---|
| 2018 | 4 | EUR 0.4 million | Enforcement begins (partial year) |
| 2019 | 190 | EUR 72 million | First large fines issued |
| 2020 | 340 | EUR 172 million | Enforcement acceleration |
| 2021 | 434 | EUR 1.28 billion | Amazon EUR 746M fine |
| 2022 | 487 | EUR 832 million | Meta fines dominate |
| 2023 | 527 | EUR 2.09 billion | Meta EUR 1.2B record fine |
| 2024 | 562 | EUR 1.06 billion | Broader sectoral enforcement |
| 2025 | 498 | EUR 390 million | Enforcement diversification |
| Total | 3,042+ | EUR 5.9 billion+ | Trend: more frequent, wider scope |
Source: GDPR Enforcement Tracker (enforcementtracker.com), CMS Law, March 2026.
Largest GDPR Fines Ever Issued
| Rank | Company | Fine Amount | Country | DPA | Year | Violation |
|---|---|---|---|---|---|---|
| 1 | Meta (Facebook) | EUR 1.2 billion | Ireland | DPC | 2023 | Unlawful transfer of personal data to the US without adequate safeguards |
Data breaches remain the most visible trigger for GDPR enforcement and a primary driver of compliance investment.
Data Breach Costs in the EU
| Metric | Value | Source |
|---|---|---|
| Average total cost of a data breach (EU) | EUR 4.57 million | IBM Cost of Data Breach Report 2025 |
| Average cost per compromised record (EU) | EUR 169 | IBM Cost of Data Breach Report 2025 |
| Average time to identify a breach | 194 days | IBM Cost of Data Breach Report 2025 |
| Average time to contain a breach | 69 days | IBM Cost of Data Breach Report 2025 |
| Average total breach lifecycle (identify + contain) | 263 days | IBM Cost of Data Breach Report 2025 |
| Cost savings from incident response plan and testing | EUR 1.49 million (reduction vs. orgs without) | IBM Cost of Data Breach Report 2025 |
| Cost savings from extensive use of security AI and automation | EUR 1.76 million (reduction vs. orgs without) | IBM Cost of Data Breach Report 2025 |
| Cost increase from non-compliance with regulations | +EUR 930,000 average | IBM Cost of Data Breach Report 2025 |
Data Breach Volume and Trends
| Metric | Value | Source |
|---|---|---|
| Data breach notifications to EU DPAs (2024) | approximately 160,000 | DLA Piper GDPR Fines and Data Breach Survey 2025 |
| Cumulative breach notifications since May 2018 | 340,000+ | DLA Piper GDPR Fines Survey 2025 |
| Average breach notifications per day (2024) | approximately 440 | DLA Piper GDPR Fines Survey 2025 |
| Percentage of breaches reported within 72 hours | 63% | EDPB Annual Report 2024 |
| Breaches involving personal data exfiltration | 41% | ENISA Threat Landscape 2025 |
| Year-over-year change in breach notifications (2024 vs 2023) | +9% | DLA Piper GDPR Fines Survey 2025 |
Most Common Breach Vectors (EU)
| Attack Vector | Share of Breaches | Average Cost |
|---|---|---|
| Compromised credentials | 19% | EUR 4.81 million |
| Phishing | 16% | EUR 4.76 million |
| Cloud misconfiguration | 13% | EUR 4.14 million |
| Business email compromise | 9% | EUR 5.01 million |
| Vulnerability in third-party software | 8% | EUR 4.55 million |
| Malicious insider | 7% | EUR 4.99 million |
| Social engineering (non-phishing) | 6% | EUR 4.48 million |
| Physical security compromise | 4% | EUR 3.78 million |
| Other/unknown | 18% | Varies |
Source: IBM Cost of Data Breach Report 2025; ENISA Threat Landscape 2025.
Most Breached Sectors in the EU
| Sector | Average Breach Cost | Breach Frequency Rank |
|---|---|---|
| Healthcare | EUR 5.8 million | 1 |
| Financial services | EUR 5.5 million | 2 |
| Pharmaceuticals | EUR 4.9 million | 3 |
| Technology | EUR 4.7 million | 4 |
| Energy | EUR 4.6 million | 5 |
Source: IBM Cost of Data Breach Report 2025.
NIS2 Statistics
The NIS2 Directive (Directive (EU) 2022/2555), applicable since 18 October 2024, represents the most significant expansion of EU cybersecurity regulation.
NIS2 Scope and Coverage
| Metric | Value | Source |
|---|---|---|
| Total entities in scope | 160,000+ | European Commission Impact Assessment |
| Sectors covered | 18 (up from 7 under NIS1) | NIS2 Directive, Annexes I and II |
| Essential entities (high criticality sectors) | approximately 67,000 | European Commission estimates |
| Important entities (other critical sectors) | approximately 93,000 | European Commission estimates |
| Member states that transposed NIS2 by October 2024 deadline | 6 out of 27 | European Commission, December 2024 |
| Member states with draft legislation in progress (as of March 2026) | 25 out of 27 | European Commission NIS2 Transposition Tracker |
| New sectors added in NIS2 | 11 (including food, waste, postal, space, public admin, ICT service management, manufacturing, chemicals, research) | NIS2 Directive |
NIS2 Penalties
| Entity Type | Maximum Fine | Alternative Calculation |
|---|---|---|
| Essential entities | EUR 10 million | or 2% of total worldwide annual turnover, whichever is higher |
| Important entities | EUR 7 million | or 1.4% of total worldwide annual turnover, whichever is higher |
| Management liability | Personal liability for directors and senior management | Member state implementation varies |
Source: NIS2 Directive, Article 34.
NIS2 Compliance Costs and Readiness
| Metric | Value | Source |
|---|---|---|
| Estimated average compliance cost (per organisation, first year) | EUR 200,000 to EUR 500,000 | ENISA NIS Investment Report 2024 |
| Estimated ongoing annual compliance cost | EUR 80,000 to EUR 250,000 | ENISA NIS Investment Report 2024 |
| Organisations aware of NIS2 applicability | 62% | ENISA NIS Investment Report 2024 |
| Organisations that have started NIS2 compliance | 41% | ENISA NIS Investment Report 2024 |
| Organisations with incident response plans meeting NIS2 24-hour early warning requirement | | |
The Digital Operational Resilience Act (Regulation (EU) 2022/2554), applicable since 17 January 2025, sets ICT risk management and resilience requirements for the EU financial sector.
DORA Scope and Coverage
| Metric | Value | Source |
|---|---|---|
| Financial entities in scope | approximately 22,000 | European Commission Impact Assessment |
| ICT third-party service providers subject to oversight | 1% of average daily worldwide turnover (imposed periodically until compliance) | DORA, Article 50 |
| Penalty for critical ICT providers | EUR 5 million (or EUR 500,000 for natural persons) | DORA, Article 35 |
DORA Compliance Readiness
| Metric | Value | Source |
|---|---|---|
| Financial institutions reporting full DORA readiness (January 2025) | 23% | McKinsey Financial Services Survey 2025 |
| Institutions with ICT risk management framework aligned to DORA | 48% | McKinsey Financial Services Survey 2025 |
| Institutions that have completed threat-led penetration testing (TLPT) | 31% | ECB Supervisory Report 2025 |
| Institutions with a documented ICT third-party risk policy | 57% | EBA Risk Assessment Report 2025 |
| Average number of critical ICT third-party providers per institution | 12 | McKinsey Financial Services Survey 2025 |
| Institutions reporting concentration risk in cloud services | 67% | ECB Supervisory Report 2025 |
| Institutions that have revised ICT incident reporting processes for DORA | 44% | EBA Risk Assessment Report 2025 |
ICT Incidents in EU Financial Services
| Metric | Value | Source |
|---|---|---|
| Major ICT incidents reported to ECB (2024) | approximately 500 | ECB Supervisory Report 2025 |
| Average ICT incident cost (financial sector) | EUR 3.2 million | ECB Supervisory Report 2025 |
| Incidents linked to third-party providers | 38% | ECB Supervisory Report 2025 |
| Average downtime from major ICT incident | 15 hours | EBA Risk Assessment Report 2025 |
| Incidents requiring customer notification | 22% | ECB Supervisory Report 2025 |
AI Act Statistics
Regulation (EU) 2024/1689, the EU Artificial Intelligence Act, entered into force on 1 August 2024. Prohibitions on unacceptable-risk AI practices apply from 2 February 2025, with high-risk obligations phasing in through August 2027.
AI Act Scope and Coverage
| Metric | Value | Source |
|---|---|---|
| Estimated high-risk AI systems deployed in the EU | approximately 28,000 | European Commission AI Act Impact Assessment |
| Prohibited AI practices (banned since February 2025) | 8 categories (social scoring, manipulative AI, emotion recognition in workplaces/schools, biometric categorisation by sensitive attributes, etc.) | AI Act, Article 5 |
| High-risk categories | 8 domains, including critical infrastructure, education, employment, law enforcement, migration, justice | AI Act, Annex III |
| General-purpose AI models in scope | All GPAI models placed on the EU market | AI Act, Articles 51-56 |
| GPAI models with systemic risk threshold | 10^25 FLOPs training compute | AI Act, Article 51 |
AI Act Penalties
| Violation Type | Maximum Penalty |
|---|---|
| Prohibited AI practices | EUR 35 million or 7% of global annual turnover |
| High-risk AI system non-compliance | EUR 15 million or 3% of global annual turnover |
| Providing incorrect information to authorities | EUR 7.5 million or 1.5% of global annual turnover |
| SME/startup penalties | Proportionately lower (whichever is lower, not higher) |
Source: AI Act, Article 99.
EU AI Market and Compliance Costs
| Metric | Value | Source |
|---|---|---|
| EU AI market size (2025) | EUR 28 billion | IDC European AI Forecast 2025 |
| Projected EU AI market size (2030) | EUR 65 billion | IDC European AI Forecast 2025 |
| Estimated compliance cost per high-risk AI system | EUR 200,000 to EUR 330,000 (one-time) | European Commission AI Act Impact Assessment |
| Estimated ongoing annual compliance cost per high-risk AI system | EUR 70,000 to EUR 120,000 | European Commission AI Act Impact Assessment |
| AI providers that have begun AI Act compliance assessment | 38% | Stanford HAI AI Index Report 2025 |
| Organisations with an AI governance framework | 27% | Stanford HAI AI Index Report 2025 |
| Number of AI regulatory sandboxes established by EU member states (2026) | 12 | European Commission AI Act Implementation Report |
EU Compliance Market Statistics
The compliance consulting and technology market continues to expand as regulatory complexity increases.
Global Compliance Market Size
| Metric | Value | Source |
|---|---|---|
| Global regulatory compliance market size (2024) | USD 33.4 billion | Grand View Research, 2024 |
| Projected global market size (2027) | USD 45.3 billion | Grand View Research, 2024 |
| CAGR (2024 to 2030) | 10.1% | Grand View Research, 2024 |
| Global GRC (governance, risk, and compliance) software market (2024) | USD 15.2 billion | MarketsandMarkets, 2024 |
| Projected GRC software market (2029) | USD 25.8 billion | MarketsandMarkets, 2024 |
| EU share of global compliance spending | approximately 30% | Grand View Research, 2024 |
EU Compliance Consulting Market
| Metric | Value | Source |
|---|---|---|
| EU compliance consulting market size (2025) | EUR 10.2 billion | Source Global Research, 2025 |
| EU data privacy consulting segment | EUR 3.8 billion | Source Global Research, 2025 |
| EU cybersecurity consulting segment | EUR 4.1 billion | Source Global Research, 2025 |
| EU financial services compliance consulting | EUR 2.3 billion | Source Global Research, 2025 |
| Year-over-year growth in EU compliance consulting | 12.4% | Source Global Research, 2025 |
| Average hourly rate for compliance consultants (EU) | EUR 150 to EUR 350 | Source Global Research, 2025 |
Compliance Workforce
| Metric | Value | Source |
|---|---|---|
| Estimated privacy professionals worldwide | approximately 500,000 | IAPP-EY Governance Report 2024 |
| Estimated privacy professional shortage (EU) | approximately 30,000 unfilled roles | IAPP-EY Governance Report 2024 |
| Average compliance team size (enterprise, 5,000+ employees) | 12 FTEs | Thomson Reuters Cost of Compliance Survey 2025 |
| Average compliance team size (mid-market, 500 to 5,000 employees) | 4 FTEs | Thomson Reuters Cost of Compliance Survey 2025 |
| Average compliance team size (SME, under 500 employees) | 1.3 FTEs | Thomson Reuters Cost of Compliance Survey 2025 |
| Organisations planning to increase compliance spending (2026) | 67% | Thomson Reuters Cost of Compliance Survey 2025 |
| Organisations outsourcing at least one compliance function | 53% | Thomson Reuters Cost of Compliance Survey 2025 |
| Top outsourced function | Data protection / privacy (38%) | Thomson Reuters Cost of Compliance Survey 2025 |
Compliance Technology Adoption
| Metric | Value | Source |
|---|---|---|
| Organisations using compliance management software | | |
| Average annual spend on compliance technology (large enterprise) | EUR 850,000 | Thomson Reuters Cost of Compliance Survey 2025 |
| Organisations citing regulatory change management as biggest compliance challenge | 71% | Thomson Reuters Cost of Compliance Survey 2025 |
FAQ
What is the largest GDPR fine ever issued?
The largest GDPR fine is EUR 1.2 billion, issued to Meta Platforms (Facebook) by the Irish Data Protection Commission in May 2023 for unlawfully transferring EU personal data to the United States without adequate safeguards (GDPR Enforcement Tracker, CMS Law).
How many GDPR fines have been issued in total?
As of March 2026, EU and EEA data protection authorities have issued over 3,042 GDPR fines totalling more than EUR 5.9 billion since enforcement began in May 2018 (GDPR Enforcement Tracker, CMS Law).
How much does GDPR compliance cost?
The average cost of an initial GDPR compliance programme for a mid-size company is approximately EUR 550,000, with ongoing annual costs of approximately EUR 1.4 million for large enterprises. Smaller organisations typically spend between EUR 50,000 and EUR 200,000 on initial compliance (IAPP-EY Governance Report 2024).
How many organisations are affected by NIS2?
NIS2 brings approximately 160,000 entities across 18 sectors into scope for mandatory cybersecurity requirements, up from an estimated 15,000 entities under the original NIS Directive. This includes approximately 67,000 essential entities and 93,000 important entities (European Commission Impact Assessment).
What is the EU compliance market worth?
The EU compliance consulting market was valued at approximately EUR 10.2 billion in 2025, with the broader global regulatory compliance market projected to reach USD 45.3 billion by 2027 at a growth rate of 10.1% (Source Global Research, 2025; Grand View Research, 2024).
How many data breaches occur in the EU each year?
In 2024, approximately 160,000 data breach notifications were submitted to EU data protection authorities, averaging about 440 per day. Since GDPR enforcement began in May 2018, a cumulative total of over 340,000 breach notifications have been filed (DLA Piper GDPR Fines and Data Breach Survey 2025).
Methodology and Sources
All statistics on this page are drawn from publicly available regulatory reports, peer-reviewed surveys, and reputable market research firms. Primary sources include:
GDPR Enforcement Tracker (CMS Law, enforcementtracker.com) for fine amounts and enforcement actions
DLA Piper GDPR Fines and Data Breach Survey (annual) for breach notification volumes and enforcement trends
IBM Cost of Data Breach Report (annual) for breach costs and timelines
Cisco Data Privacy Benchmark Study (annual) for organisational compliance rates and privacy ROI
IAPP-EY Governance Report (annual) for privacy team structure, DPO adoption, and workforce data
ENISA Threat Landscape and NIS Investment Report (annual) for cybersecurity statistics
European Commission Impact Assessments and official trackers for NIS2, DORA, and AI Act scope data
Grand View Research and MarketsandMarkets for market sizing and growth projections
Thomson Reuters Cost of Compliance Survey (annual) for compliance spending and workforce trends
ECB Supervisory Reports and EBA Risk Assessment Reports for financial sector data
Statistics are updated as new reports become available. If you identify an error or outdated figure, please contact us.
Statistics compiled by Vision Compliance. For tailored compliance assessments and implementation support across GDPR, NIS2, DORA, and the AI Act, see our data protection and NIS2 compliance services.
Robert Lozo, mag. iur., is a Partner at Vision Compliance specializing in EU regulatory compliance. He advises organizations on GDPR, NIS2, AI Act, and financial regulation, delivering audit-ready documentation and compliance roadmaps across regulated industries.