Brussels: Enforcement of Europe’s landmark privacy law, the General Data Protection Regulation (GDPR), intensified further in 2025, with regulators across the continent imposing more than ₹10,800 crore in fines even as reported personal data breaches surged to their highest level since the law came into force.
According to the latest GDPR Fines and Data Breach Survey published by international law firm DLA Piper, European data protection authorities received an average of over 440 personal data breach notifications every day during the past year. This marks the first time since GDPR’s implementation in May 2018 that daily breach reporting has crossed the 400 mark.
While the year-on-year increase in penalties remained moderate — fines stood at approximately ₹8,964 crore in 2024 — the cumulative impact of enforcement has become increasingly significant. Total GDPR fines imposed since 2018 have now climbed to nearly ₹63,900 crore, underlining the rising cost of non-compliance for organisations operating in Europe.
The sharp escalation in breach notifications comes at a time when companies are already under mounting pressure from a rapidly evolving cyber threat landscape. Analysts point to a combination of persistent cyberattacks, geopolitical tensions and the widespread availability of sophisticated hacking tools as key factors driving the surge in incidents.
Rather than attributing the trend to a single cause, the DLA Piper survey highlights a convergence of risks. Organisations are now required to manage GDPR obligations alongside newer cybersecurity reporting frameworks such as the NIS2 Directive and the Digital Operational Resilience Act (DORA). These regimes have tightened disclosure thresholds and shortened reporting timelines, significantly raising compliance demands.
Legal and cybersecurity experts warn that the growing regulatory burden is exposing gaps in corporate cyber preparedness. They argue that the rise in breach notifications should not be viewed as a statistical anomaly but as a clear warning sign that many organisations are struggling to keep pace with regulatory and security expectations.
On the enforcement front, familiar jurisdictions continue to dominate. Ireland once again emerged as the most aggressive GDPR enforcer. Fines issued by the Irish Data Protection Commission since the regulation took effect have now reached around ₹36,360 crore, accounting for well over half of all penalties imposed across Europe.
France and Luxembourg ranked second and third, respectively, reinforcing concerns that GDPR enforcement remains heavily concentrated among a small group of national regulators.
Ireland also handed down the largest single GDPR fine of 2025, imposing a penalty of approximately ₹4,770 crore on TikTok over unlawful international data transfers. However, the sanction fell short of the all-time record set in 2023, when Meta was fined ₹10,800 crore, which remains the biggest GDPR penalty to date.
The survey notes that big technology companies continue to be the primary targets of major enforcement actions. Nine of the ten largest GDPR fines ever issued have been imposed on global tech firms, reflecting regulators’ focus on large-scale data processing operations and cross-border data flows.
Industry observers say the figures indicate that GDPR has entered a phase of maturity. While early enforcement years were marked by caution and regulatory experimentation, authorities are now applying the rules with greater confidence and consistency, even as breach volumes continue to rise.
The sustained increase in reported breaches has also intensified scrutiny of corporate cybersecurity governance. With some newer laws introducing potential personal liability for senior executives, pressure is mounting on boards and top management to prioritise cyber resilience, incident response planning and regulatory compliance.
Seven years after its introduction, GDPR is firmly embedded in Europe’s regulatory framework. Enforcement actions are becoming routine, reporting obligations more demanding, and the consequences of delayed disclosure or weak security controls increasingly severe.
As cyber risks continue to evolve, organisations operating in Europe face a narrowing margin for error — one where lapses in data protection can result in heavy financial penalties and lasting reputational damage.
About the author — Suvedita Nath is a science student with a growing interest in cybercrime and digital safety. She writes on online activity, cyber threats, and technology-driven risks. Her work focuses on clarity, accuracy, and public awareness.
