
Over 160,000 Firms Report GDPR Breaches to Regulators

Summary

– The average daily number of GDPR data breach notifications in 2025 surged by 22% to 443, marking the first time since 2018 the figure has exceeded 400.
– Germany, the Netherlands, and Poland reported the highest number of data breach notifications in 2025, retaining their leading positions.
– Experts suggest geopolitical unrest and AI-enabled threats may be behind the increase in breaches of regulated personal data.
– Despite the rise in breaches, total GDPR fines held steady at €1.2 billion, with Ireland’s regulator imposing the largest single fine of €530m on TikTok.
– The Irish Data Protection Commission’s role as a lead authority has drawn criticism for being a bottleneck and too lenient in its enforcement actions.

The volume of organizations reporting data breaches to European regulators under the General Data Protection Regulation (GDPR) saw a significant rise last year, reaching a new high. According to an annual analysis by global law firm DLA Piper, the daily average of breach notifications climbed by 22% in 2025, hitting 443 per day. This marks the first time the daily average has surpassed 400 since the landmark regulation took effect in 2018, breaking a previous trend of plateauing numbers. Germany, the Netherlands, and Poland continued to report the highest number of breaches across the continent.

Experts point to a challenging threat environment as a key driver behind this surge. Geopolitical tensions and the rise of AI-powered cyber threats are creating new pressures, leading to more incidents involving personally identifiable information (PII). Ross McKean, a partner and chair of DLA Piper’s UK data protection and cybersecurity practice, described cyber-threat volumes as having reached “unprecedented levels.” He emphasized that the report’s findings act as a stark warning for businesses, especially with new laws introducing potential personal liability for management. “Our report underscores the urgency and need for organizations to optimize cyber defenses and operational resilience,” McKean stated.

Interestingly, while breach reports increased, the total value of GDPR fines remained consistent with the previous year. Regulators across Europe issued approximately €1.2 billion in penalties, bringing the cumulative total since 2018 to €7.1 billion. A significant portion of this sum, roughly €4 billion, has been levied by Ireland’s Data Protection Commission. This is largely because many major technology firms base their European operations in Ireland. The Irish regulator also issued the largest single fine of 2025: a €530 million penalty against TikTok for breaches related to international data transfers to China.

McKean noted that the steady level of fines indicates regulators are maintaining a high level of activity, particularly focusing on areas like information security, data transfers, and the intersection of AI with data protection law. However, the Irish Data Protection Commission’s role has attracted controversy. As the lead authority for many multinational cases, critics argue it has become a bottleneck in enforcement. Some allege the regulator has been too lenient, setting fines perceived as too low and frequently seeking amicable resolutions with companies. These criticisms intensified in September 2025 following the appointment of a former Meta lobbyist to one of the commission’s senior roles.

(Source: InfoSecurity Magazine)
