GDPR cumulative fines since the regulation came into force in May 2018 have now surpassed €7.1 billion, according to the 2025/2026 CMS GDPR Enforcement Tracker report. Of that total, €1.2 billion was issued in 2025 alone, and over 60 percent of the all-time figure has been imposed since January 2023. The trajectory is clear: enforcement is not softening. It is accelerating.
The most illustrative recent enforcement action comes from the UK, where the Information Commissioner’s Office issued a fine of £963,900 against South Staffordshire Plc and its subsidiary South Staffs Water. The case is not about a sophisticated intrusion into a hardened target. It is about a phishing email that arrived in September 2020, was not detected for 20 months, and ultimately resulted in attackers publishing 4.1 terabytes of personal data on the dark web.
How 20 months of undetected access led to a £963,900 fine
The breach began when an employee at South Staffs Water clicked a phishing link. The resulting malware installation gave attackers a foothold inside the company’s network. That foothold remained undetected from September 2020 until May 2022 – nearly two years. During that interval, the attackers moved through the network at their own pace, eventually acquiring full domain administrator privileges.
With administrator access, the attackers could read, copy, and exfiltrate whatever they chose. By the time the breach was detected, they had assembled and published 4.1TB of data on a dark web forum. The published data covered 633,887 individuals: customers whose records included names, addresses, contact details, bank account numbers, sort codes, dates of birth, and gender; and employees whose HR files, National Insurance numbers, and payroll data were also included.
The ICO’s analysis of the incident found that South Staffordshire lacked adequate monitoring and detection capabilities for the duration of the attackers’ presence. A breach of this duration – 20 months of undetected lateral movement – indicates an absence of meaningful network monitoring, anomalous authentication alerting, or privileged access controls that could have flagged the compromise significantly earlier.
The £963,900 fine is not the maximum the ICO could have imposed for a breach affecting this many individuals. It reflects the company’s cooperation with the investigation, remediation steps taken after discovery, and mitigating factors in the organisation’s regulatory context as a utility. Even so, it represents a substantial financial consequence for a breach that began with a single phishing email.
The numbers behind European breach notification volumes
The South Staffordshire case is one data point in a much larger picture. European data protection authorities are now receiving 443 breach notifications per day, a 22 percent increase year on year. The CMS Enforcement Tracker records 2,245 documented fines through early 2026.
Not all of those fines are large. Many European DPAs issue relatively small penalties against smaller organisations for common compliance failures, including insufficient consent mechanisms, inadequate privacy notices, and failure to respond to subject access requests within the statutory 30-day window. The breadth of enforcement is as notable as the headline numbers: GDPR enforcement has moved well beyond actions against large technology companies and is now a routine part of the regulatory environment for organisations of all sizes.
Ireland’s Data Protection Commission accounts for €4.04 billion of the cumulative total, which reflects the headquarters effect – most major US technology companies with European operations have their EU bases in Dublin, making the DPC the lead supervisory authority for decisions that carry billion-euro penalties. But the distribution of enforcement activity across member states has widened considerably since 2022. Germany, Italy, France, the Netherlands, and Sweden all have active enforcement programmes. The Italian Garante, for example, recently imposed an €85,000 fine on a consulting firm for a breach that resulted in unauthorised access to personal data belonging to over 61,000 users, including names, email addresses, and passwords.
GDPR Article 32 and the duty to detect
The South Staffordshire case is a direct application of GDPR Article 32, which requires controllers and processors to implement “appropriate technical and organisational measures” to ensure security appropriate to the risk. The article specifically references pseudonymisation, encryption, ongoing confidentiality and integrity assurance, and – critically for this case – the ability to “restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.”
The implicit counterpart to that requirement is detection. You cannot restore availability in a timely manner if you do not know there is an incident. The 20-month dwell time in the South Staffordshire case represents a fundamental failure of the detection capability that Article 32 security measures are meant to support.
European organisations under GDPR have a 72-hour notification window once they “become aware” of a personal data breach. The practical question that enforcement authorities examine is not just when an organisation became formally aware, but what the organisation’s security posture should have enabled it to detect, and by when. A breach that remains undetected for 20 months raises the question of whether the organisation was doing enough to become aware.
This framing is increasingly common in DPA enforcement decisions, and it has direct implications for how organisations should think about their security monitoring and detection investments: not as operational tools alone, but as compliance requirements under GDPR.
NIS2 adds a second compliance layer for critical infrastructure
South Staffordshire Water operates critical infrastructure, which puts it within scope of both GDPR and the NIS2 Directive; the latter came into force across EU member states in late 2024. The UK’s equivalent Network and Information Security regulations apply to operators of essential services, including utilities.
NIS2 carries its own set of obligations around incident response, security monitoring, and supply chain risk management. Its penalty regime can reach €10 million or 2 percent of global annual turnover for essential entities, and €7 million or 1.4 percent of turnover for important entities. These thresholds can apply alongside GDPR penalties, creating a dual enforcement exposure for organisations in regulated sectors.
The EU AI Act adds a third layer from 2 August 2026, when full enforcement for high-risk AI systems begins. Organisations in healthcare, critical infrastructure, employment, and financial services that use AI in ways classified as high-risk will face penalties of up to €35 million or 7 percent of global turnover for violations of the Act’s requirements. The intersection of GDPR, NIS2, and the AI Act creates a compliance landscape where the cost of inadequate security and data governance has never been higher.
What this means for European organisations of any size
The trajectory of GDPR enforcement makes a few things clear.
Phishing remains the leading initial access vector. The South Staffordshire breach began with a phishing email. The 2026 CrowdStrike Global Threat Report documented an 89 percent increase in advanced adversary techniques, but the most common entry point remains one of the oldest: a user clicking a malicious link or attachment. Investment in phishing-resistant authentication, employee awareness training, and email security controls continues to offer the highest return on security investment for most organisations.
Dwell time is the multiplier. The difference between a contained breach and a €1 million fine is often how long an attacker had access before detection. Organisations with active network monitoring, privileged access management, and anomalous login alerting will detect lateral movement significantly earlier than those relying on perimeter controls alone. Earlier detection shortens the dwell time, limits the data exfiltrated, and changes the Article 32 compliance narrative in any subsequent regulatory inquiry.
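As an added illustration of the anomalous-authentication alerting and dwell-time measurement described above (example code added here, not from the original article or from any organisation it names): a small Python check over constructed Windows-style security events. The event IDs 4728 and 4672 are real Windows Security log IDs; the accounts, hosts, timestamps and baseline list are constructed sample data.

```python
"""Added example: minimal privileged-authentication alerting and dwell-time
measurement over constructed Windows-style security events.
4728 = member added to a security-enabled global group,
4672 = special privileges assigned to a new logon (both real event IDs).
Accounts, hosts and timestamps below are constructed sample data."""
from datetime import datetime

# Constructed sample events: (timestamp, event_id, account, host, detail).
EVENTS = [
    ("2020-09-14T09:02:00", "4624", "jsmith", "WS-017", "logon"),
    ("2020-11-03T22:41:00", "4728", "jsmith", "DC-01", "group=Domain Admins"),
    ("2020-11-03T22:45:00", "4672", "jsmith", "DC-01", "privileged logon"),
    ("2021-02-19T03:10:00", "4672", "jsmith", "FILE-02", "privileged logon"),
]
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins"}
BASELINE_ADMINS = {"itadmin1"}  # constructed: accounts expected to hold privilege


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_alerts(events, baseline_admins=BASELINE_ADMINS):
    """Return (timestamp, account, reason) for events that should have alerted:
    additions to a privileged group, and privileged logons by an account that is
    not in the admin baseline or has never used privilege on that host before."""
    seen_priv = set()  # (account, host) pairs with a prior privileged logon
    alerts = []
    for ts, eid, account, host, detail in events:
        if eid == "4728" and detail.startswith("group="):
            if detail[len("group="):] in PRIVILEGED_GROUPS:
                alerts.append((ts, account, "added to privileged group"))
        elif eid == "4672":
            if account not in baseline_admins or (account, host) not in seen_priv:
                alerts.append((ts, account, f"privileged logon on {host}"))
            seen_priv.add((account, host))
    return alerts


def dwell_days(events, detected_at):
    """Whole days between the earliest alert-worthy event and the time the
    organisation actually detected the intrusion; 0 if nothing alerts."""
    alerts = find_alerts(events)
    if not alerts:
        return 0
    first = parse_ts(alerts[0][0])
    return (parse_ts(detected_at) - first).days
```

With these constructed events, the first alert-worthy action is the privileged-group addition in November 2020, so a detection in May 2022 yields a dwell time of roughly 18 months; the same function applied to real logs gives the number a regulator will ask about.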
Small organisations are not exempt. The Italian Garante’s €85,000 fine against a consulting firm for a breach affecting 61,000 users illustrates that enforcement is not reserved for major corporations. DPAs across Europe have developed structured processes for identifying non-compliant smaller organisations, often through mandatory breach notifications that trigger regulatory review.
Documentation and cooperation matter. The South Staffordshire fine, while substantial, was moderated by the company’s cooperation with the ICO’s investigation and its subsequent remediation work. Organisations that have documented their security controls, can demonstrate the reasonableness of the measures they had in place, and cooperate transparently with regulators consistently receive lower penalties than those that cannot.
If your organisation wants to assess its GDPR compliance posture, review its Article 32 security measures against current enforcement standards, or build a structured incident detection and response capability that meets both GDPR and NIS2 requirements, contact Excello Digital. We help European organisations understand what regulators expect and implement security controls that provide both protection and demonstrable compliance.
