Sharp rise driven by large penalties in France and the UK, with focus on data security and lawful processing.
Fines issued under the General Data Protection Regulation rose sharply in the first quarter of 2026, signalling a more assertive approach by European regulators.
Research from Finbold shows that enforcement authorities imposed a total of €68.18mn in penalties over the period — nearly four times the €13.8mn recorded in the same quarter last year. On average, companies paid about €757,600 per day in fines.
France and the UK accounted for the vast majority of enforcement activity, together responsible for 94 per cent of the total. French authorities issued €47mn in penalties, while UK regulators imposed €16.89mn. Other countries lagged behind, with Poland levying €2.94mn and smaller sums recorded in Sweden and the Netherlands.
The increase reflects a shift in regulatory priorities, according to Marko Marjanović, a research analyst at Finbold. “Authorities are increasingly focusing on core issues like data security and lawful processing,” he said, “areas where violations are harder to justify.”
The largest single fine of the quarter — €27mn — was imposed on Free Mobile by France’s data protection authority over shortcomings in subscriber data security. Social media platform Reddit received the second-largest penalty, €16mn, for failures related to protecting underage users’ data.
Additional enforcement actions included a €15mn fine against Iliad, the parent company of Free Mobile, and a €5mn penalty issued to France Travail, a government agency, over lapses in safeguarding jobseeker information. In Poland, logistics group DPD Polska was fined €2.68mn for deficiencies in data processing practices.
Despite the quarterly surge, longer-term trends show persistent areas of non-compliance. Insufficient legal basis for data processing remains the most common violation since the regulation came into force in 2018, accounting for hundreds of penalties and billions of euros in cumulative fines. Spain leads in total number of cases.
The media, telecommunications and broadcasting sectors continue to bear the brunt of enforcement, reflecting the scale and sensitivity of the data they handle. The largest fine to date remains the €1.2bn penalty imposed on Meta Platforms by Irish regulators in 2023.
Analysts say the latest figures indicate regulators are moving beyond setting precedents and are now scaling enforcement activity — a trend likely to sustain pressure on companies’ data governance practices.