Podcast Episode
Distributed denial of service attacks reached 3.2 million across Europe, the Middle East, and Africa in the first half of 2025 alone, representing a dominant incident type that accounted for 77 percent of reported incidents. Hacktivism represented almost 80 percent of the total number of incidents, primarily through low-impact DDoS campaigns targeting EU member state organisations' websites.
State-aligned threat actors steadily intensified their operations towards EU organisations, carrying out cyber espionage against the public administration sector. State-sponsored adversaries from Russia, China, North Korea, and Iran expanded regional targeting across industries. Adversary groups increased ransomware deployment speed by 48 percent, with the average attack now taking just 24 hours from initial breach to encryption.
The fine consisted of 45 million euros for violating transparency requirements and 485 million euros for violating data transfer requirements under GDPR. The inquiry found that TikTok's transfers to China failed to verify, guarantee and demonstrate that supplementary measures and Standard Contractual Clauses were effective to ensure personal data of EEA users transferred via remote access were afforded a level of protection essentially equivalent to that guaranteed within the EU.
TikTok is appealing the ruling, and in November 2025, the High Court of Ireland put the decision on hold until the appeal outcome. The company was ordered to bring its data processing into compliance within 6 months or face suspension of data transfers to China.
European GDPR fines totalled approximately 1.2 billion euros in 2025, consistent with 2024 levels, with Ireland and France accounting for more than 1 billion euros of that total. France overtook Luxembourg to become the second-largest enforcer overall and is now the only other country after Ireland to have issued more than 1 billion euros in GDPR fines since 2018.
Cumulative GDPR fines across Europe now stand at 7.1 billion euros since the regulation came into force in May 2018. However, collection remains a significant challenge. Of the 4.04 billion euros in fines imposed by Ireland's DPC, just 20 million euros has been paid due to ongoing legal appeals. The 1.2 billion euro fine issued against Meta by the DPC in 2023 remains the largest GDPR fine ever imposed.
The Netherlands, Germany, and Poland remain the top 3 countries for highest number of data breaches notified, with 33,471, 27,829 and 14,286 breaches notified respectively in the latest reporting period.
The convergence of increasing breach notifications, rising geopolitical cyber threats, and expanding regulatory enforcement signals a new phase in Europe's data protection landscape. Organizations across all sectors face mounting pressure to strengthen their cybersecurity defenses and compliance measures as both threat actors and regulators intensify their activities.
EU Data Breach Reports Surge to Record Highs Amid Rising Cyber Threats
January 21, 2026
Audio archived. Episodes older than 60 days are removed to save server storage. Story details remain below.
European companies reported a sharp increase in cybersecurity incidents to regulators in 2025, breaking a years-long plateau and pushing daily breach notifications past 400 for the first time since data protection rules took effect nearly 8 years ago. The average number of data breaches reported daily to EU data protection authorities jumped 22 percent in 2025, reaching 443 notifications per day, according to DLA Piper's annual GDPR Fines and Data Breach Survey released in January 2026.
Geopolitical Tensions Drive Cyber Attack Surge
The spike in reported incidents comes amid what industry experts describe as an increasingly risky cybersecurity threat landscape fuelled by heightened geopolitical tensions and high-profile cyberattacks. Europe accounted for 22 percent of all global ransomware incidents in 2025, with France, Germany, Italy, and Spain facing a combined 300 billion euros in costs over the last 5 years.Distributed denial of service attacks reached 3.2 million across Europe, the Middle East, and Africa in the first half of 2025 alone, representing a dominant incident type that accounted for 77 percent of reported incidents. Hacktivism represented almost 80 percent of the total number of incidents, primarily through low-impact DDoS campaigns targeting EU member state organisations' websites.
State-aligned threat actors steadily intensified their operations towards EU organisations, carrying out cyber espionage against the public administration sector. State-sponsored adversaries from Russia, China, North Korea, and Iran expanded regional targeting across industries. Adversary groups increased ransomware deployment speed by 48 percent, with the average attack now taking just 24 hours from initial breach to encryption.
Ireland Leads GDPR Enforcement Despite Collection Challenges
Ireland's Data Protection Commission remains Europe's dominant enforcer by a wide margin, having issued 4.04 billion euros in fines since May 2018, nearly 4 times more than second-placed France. The DPC issued the largest fine of 2025, a 530 million euro penalty against TikTok over the transfer of European user data to China.The fine consisted of 45 million euros for violating transparency requirements and 485 million euros for violating data transfer requirements under GDPR. The inquiry found that TikTok's transfers to China failed to verify, guarantee and demonstrate that supplementary measures and Standard Contractual Clauses were effective to ensure personal data of EEA users transferred via remote access were afforded a level of protection essentially equivalent to that guaranteed within the EU.
TikTok is appealing the ruling, and in November 2025, the High Court of Ireland put the decision on hold until the appeal outcome. The company was ordered to bring its data processing into compliance within 6 months or face suspension of data transfers to China.
European GDPR fines totalled approximately 1.2 billion euros in 2025, consistent with 2024 levels, with Ireland and France accounting for more than 1 billion euros of that total. France overtook Luxembourg to become the second-largest enforcer overall and is now the only other country after Ireland to have issued more than 1 billion euros in GDPR fines since 2018.
Cumulative GDPR fines across Europe now stand at 7.1 billion euros since the regulation came into force in May 2018. However, collection remains a significant challenge. Of the 4.04 billion euros in fines imposed by Ireland's DPC, just 20 million euros has been paid due to ongoing legal appeals. The 1.2 billion euro fine issued against Meta by the DPC in 2023 remains the largest GDPR fine ever imposed.
Expanding Regulatory Scrutiny Beyond Big Tech
While large technology and social media companies continue to attract the highest penalties, regulators are increasingly scrutinising a wider range of sectors, including financial services, telecommunications, and utilities. GDPR is being used as a guardrail for AI enforcement, reflecting the evolving nature of data protection concerns.The Netherlands, Germany, and Poland remain the top 3 countries for highest number of data breaches notified, with 33,471, 27,829 and 14,286 breaches notified respectively in the latest reporting period.
Looking Ahead to 2026
In 2025, Europe faced a wave of cyber attacks from airport disruptions and allegations of election sabotage to GPS spoofing on European Commission President Ursula von der Leyen's flight and assaults on satellites in space. Looking ahead, the need to address cybersecurity is more pressing than ever, and experts expect it to be a major priority for governments in 2026.The convergence of increasing breach notifications, rising geopolitical cyber threats, and expanding regulatory enforcement signals a new phase in Europe's data protection landscape. Organizations across all sectors face mounting pressure to strengthen their cybersecurity defenses and compliance measures as both threat actors and regulators intensify their activities.
Published January 21, 2026 at 4:10am