Cumulative GDPR fines have now exceeded €7.1 billion, with more than 2,800 penalties issued through mid-2025. Critically, over 60% of that total has arrived since January 2023 — a trajectory that signals not a regulatory peak, but a sustained enforcement regime operating at full intensity. For CFOs, General Counsel, and board members, the message is unambiguous: data privacy and regulatory compliance are no longer periodic audit concerns. They are permanent features of enterprise risk management.
From Big Tech to the Broader Market: Who Is Now in the Crosshairs
Early GDPR enforcement was disproportionately concentrated on large digital platforms — Meta, Google, and Amazon absorbed headline fines that, while significant, felt distant to mid-market operators. That dynamic has fundamentally shifted. European data protection authorities are now systematically targeting organizations across sectors: financial services, healthcare, retail, and professional services firms with far smaller compliance infrastructures.
This broadening of scope reflects a deliberate regulatory strategy. Authorities have invested in enforcement capacity, cross-border coordination mechanisms under the GDPR’s One-Stop-Shop framework, and increasingly sophisticated breach-detection capabilities. Breach notifications are rising in volume, and regulators are treating notification quality — not just the fact of disclosure — as a compliance indicator in its own right.
For corporate governance purposes, this means that executive accountability is no longer a theoretical risk. Several recent enforcement actions have explicitly examined whether board-level oversight of data protection programs was adequate. The standard being applied is not perfection — it is demonstrable, documented diligence.
A Converging Regulatory Stack: GDPR, the EU AI Act, and the Digital Omnibus
The compliance landscape is not static. Two developments will materially reshape the obligations facing European and globally operating businesses through 2026 and beyond.
First, the EU AI Act reaches full enforcement for high-risk AI systems in August 2026. Organizations deploying AI in regulated workflows — credit decisioning, HR screening, fraud detection, medical diagnostics — face a second major penalty layer that operates independently of, but intersects with, GDPR. Mid-market firms that have adopted AI tools without mature AI governance programs are particularly exposed. The Act imposes requirements around transparency, human oversight, and technical documentation that demand structured internal processes, not ad hoc responses.
Second, the European Commission’s Digital Omnibus proposal, published in November 2025, introduces the possibility of targeted simplification within the GDPR and AI governance frameworks — particularly around record-keeping obligations and cross-regulatory compliance workflows. While this may reduce administrative burden in certain areas, organizations should not interpret it as a relaxation of substantive standards. The core accountability principles remain intact, and any structural changes will require careful legal analysis before compliance programs are adjusted.
Simultaneously, the global compliance perimeter is expanding. 19 U.S. states now operate under comprehensive privacy statutes, with California introducing additional requirements around automated decision-making technology and cybersecurity audits. For multinationals, the result is a fragmented but increasingly demanding global data privacy architecture that cannot be managed through a single-jurisdiction compliance lens.
Implications for Business: Governance, Auditability, and Transaction Risk
For decision-makers, the practical implications cluster around three priorities:
- Data visibility and auditability: Regulators are examining whether organizations can demonstrate, in real time, where personal data resides, how it flows, and who has access. This requires investment in data mapping, classification infrastructure, and audit-ready documentation — not as a one-time exercise, but as an ongoing operational capability.
- AI governance integration: As the EU AI Act approaches full enforcement, compliance teams must work alongside CTOs and product owners to assess which AI systems qualify as high-risk, establish conformity assessment processes, and embed human oversight into operational workflows. Waiting until August 2026 to begin this work is not a viable posture.
- M&A and transaction due diligence: Acquirers must now treat data protection compliance, AI governance maturity, and AML controls as material diligence workstreams. Undisclosed regulatory exposure — including open investigations, inadequate breach notification histories, or non-compliant AI deployments — can represent significant post-closing liability.
Key Takeaway
The era of reactive compliance is over. With GDPR enforcement at record intensity, the EU AI Act entering full force in 2026, and privacy obligations expanding globally, organizations that treat regulatory compliance as a cost center rather than a strategic function are accumulating risk on multiple fronts simultaneously. The firms best positioned to navigate this environment are those that have embedded enterprise risk management into governance structures, invested in data infrastructure, and ensured that executive leadership — not only legal and compliance teams — owns accountability for outcomes.