Luxembourg GDPR fines: €740M total amid rising data breaches

luxtimes.lu

Luxembourg has levied the third-highest amount of total fines enforcing the EU’s General Data Protection Regulation (GDPR) since the data privacy rules took effect eight years ago.

The Grand Duchy’s data protection watchdog slapped penalties totalling more than €740 million between May 2018 and January 2026, according to a survey released by the law firm DLA Piper on Wednesday.

Irish and French data privacy regulators issued total fines, respectively, of €4 billion and €1.1 billion, while Dutch authorities dished out €350 million worth of fines.

The figures include penalties that have been paid or are expected to be paid. But, the law firm said, “this report does not include fines that have been successfully appealed.”

The number of data breaches reported to national authorities rose by 22% year-on-year to an average of 443 per day, the law firm stated.

“It is not clear what is driving this uptick in breach notifications, but the geopolitical landscape driving more cyber-attacks, as well as the focus on cyber incidents in the media and the raft of new laws including incident notification requirements […] may be focusing minds on breach notifications,” the report said.

“The sharp rise in personal data breaches confirms that organisations are operating in an unprecedented cyber risk landscape,” Olivier Reisch, partner and head of DLA Piper’s Luxembourg data protection and cybersecurity practice, stated in a press release. “Combined with sustained regulatory scrutiny, this reinforces the need for robust governance and cyber resilience.”

On a per capita basis, Luxembourg logged fewer data breach notifications per 100,000 inhabitants (70) than the Netherlands (224) and Ireland (113), but more than Germany (41) and France (14).