European privacy regulators levied €68 million in GDPR fines during the first quarter of 2026, with France and the United Kingdom accounting for the bulk of the total, according to research published by financial data firm Finbold.
The quarterly figure marks a sharp uptick on the same period a year earlier. Rather than chasing headline cases against global platforms, supervisory authorities are increasingly targeting core compliance failures: unlawful processing, weak security, and unclear legal bases for data use.
GDPR enforcement in 2026 clearly signals a renewed regulatory assertiveness. The sharp increase in fines, particularly concentrated in France and the U.K., shows that regulators are no longer just setting precedents, but actively scaling enforcement.
France's CNIL and the UK's ICO have both signalled a harder line on data governance failures over the last twelve months. The Finbold analysis notes regulators are now concentrating on areas where violations are “harder to justify”, data security and lawful processing chief among them, suggesting companies that rely on procedural defences will find less cover in 2026 than in earlier enforcement cycles.
