— Edition 1.247 52 verified trackers
ES EN
Politics · Technology · Digital regulation  ·  where data speaks before headlines
Snapshot data
AML/OFAC enforcement against banks and fintech — 418 penalties documented 418 AML/OFAC penalties documented across 177 countries and 379 regula… Corporate bankruptcy and insolvency (Chapter 11) — 4 major corporate bankrup… Corporate bankruptcies hit decade highs: over 717 in the year per S&P… High-impact litigation risk index — 4 high-impact litigations… The risk index (0-100) aggregates five objective factors —procedural … Merger control: multi-jurisdiction competition … — 9 decisions and jurisdict… Merger control diverges by jurisdiction in 2026: the Trump administra… PEPs and sanctions networks · Ibero-American graph — 40 PEP/company nodes with … Ibero-American PEP→company→sanction graph (core: Mapa del Poder, 424 … Sovereign debt distress and restructurings — 5 distress/restructuring … The IMF's 6th Global Sovereign Debt Roundtable report (April 15, 2026… Forced labor in supply chains: entity lists — 4 forced-labor exposure i… Upstream exposure intelligence densifies: the UFLPA Entity List reach… EU AI Act — designation of national authorities — 3/10/14 / 27 Member States Tracker's first event: 3 states with both authorities / 10 partial / … AI Act · Notified bodies for conformity assessment — 1 body with AI-specific a… Ecosystem 'not ready' as of Mar-2026 (standards unpublished, insuffic… Scandal → conviction gap — — milestones logged +1 mirror case: Uribe — 7 years to convict, 8 weeks to reverse, open-… Technology ↔ regulation gap — 26 regulatory milestones +1: Peru closes the generative-AI gap in ~3 years (DS 115-2025-PCM), … CNMC Spain · the Digital Services Coordinator g… — 6 documented milestones The gap becomes chronic: Congress struck down the CNMC's legal empowe… Corporate data breaches: from incident to response — 11 breaches documented +1: Canvas/Instructure, the largest known education breach (≈275M rec… Migration friction in corporate and event mobility — 3 incidents and policies … The 2026 World Cup works as a live stress test: 39 countries under fu… Power and corruption in the courts in Ibero-Ame… — 29 documented cases Jun-2026 review: Uribe updated — first-instance conviction overturned… Crypto · Licenses and authorizations by jurisdi… — 40+ CASPs with full MiCA au… July 1, 2026 cliff: the transitional regime expires (ESMA, Apr 17) wi… Data breaches · Class-action settlements — 5 settlements and mass ca… 271 million dollars across four settlements approved or with deadline… Digital regulatory risk index by country — 16 countries profiled Jun-2026 review: Brazil updated on two layers (EU adequacy Jan 26, 20… Digital services taxes (DST) by country — 3 tax-map milestones docu… About half of European OECD countries have a DST announced, proposed … Global election risk 2026: democracy and digita… — 32 elections profiled 32 electoral processes of 2026 profiled by political regime and digit… ESG · Greenwashing enforcement — 3 enforcement milestones … The legal floor arrives Sep 27, 2026 (ECGT across the 27; transpositi… EU · Digital & sustainability regulatory deadli… — 6 calendar milestones doc… Next critical deadlines: Jun 23, 2026 closes the high-risk classifica… Export controls · Entity List and advanced chips — 6 regime milestones docum… The 2026 shift: licensing for H200/MI325X and equivalents to China mo… GDPR · International transfers and adequacy dec… — 6 framework milestones do… The EU-US DPF remains in force after surviving its first judicial cha… LATAM · AI bills in legislative process — 150+ bills identified 150+ count re-verified; milestones: Peru only country with a regulate… LATAM · Judicial and regulatory sanctions on pl… — $5,2M USD · fine on X Corp. i… Paradigm shift: the STF declared Art. 19 of the Marco Civil partially… Digital political ad spending 2026 — 6 country-platform observ… AdImpact's revised projection (Jun 11): $11.6bn for the 2026 cycle — … Shadow fleet · Sanctioned vessels and enablers — 632 vessels designated by t… +46 vessels in the 20th package (Reg. 2026/506/509/511) to 632; Art. … Whistleblower awards · SEC, CFTC and equivalent… — 3 program milestones docu… The SEC awarded over $60M to 48 whistleblowers in fiscal year 2025 (2… AI Act · Sanctions regime and its actual enforc… — 0 documented AI Act fines… 0 AI Act penalties issued to date: enforcement of high-risk obligatio… Beneficial ownership transparency (UBO / CTA / … — 4 transparency milestones 4 beneficial-ownership transparency milestones documented; the EU req… Crypto industry: collapses, sanctions and convi… — 13 documented cases 13 cases of collapses, sanctions and convictions in the crypto sector… AI harms in court — litigation, rulings and set… — 103 documented cases 103 AI-related harm and rights lawsuits documented; 2026 milestones: … DMA · designated gatekeepers and real compliance — 9 documented DMA acts 9 DMA compliance actions documented against gatekeepers; 2026 develop… Documented electoral disinformation 2026 — 7 documented campaigns 7 electoral disinformation campaigns or patterns documented with open… GDPR · which national authority really sanctions — 11 authorities profiled 11 GDPR enforcement country profiles and milestones documented; 2026 … LATAM · Internet shutdowns and platform blocks — 8 documented events · 202… 8 internet shutdown and blocking episodes documented in Latin America… Operational resilience & cyber (DORA / NIS2 / SEC) — 4 regulatory milestones 4 operational-resilience milestones documented; 2026 is the first rea… Digital fines actually imposed — 61 sanctions recorded 61 high-value penalties across 18 jurisdictions and 6 continents; cov… Commercial spyware: documented cases worldwide — 23 documented cases 23 spyware and surveillance cases documented across the Ibero-America… Trade compliance & forced labor (UFLPA) — 4 actions documented 4 trade-compliance actions on forced labor documented; under UFLPA ar… US · the state AI regulation patchwork — 10 laws and milestones 10 state AI laws or milestones documented in the U.S.; 2026 developme… Electoral digital integrity 2026 — 13 elections profiled 13 elections profiled by digital integrity; 5 with transparent politi… Climate: the gap between pledge and action — 12 countries assessed 12 countries assessed by the Climate Action Tracker: 10 with insuffic… Content moderation: appeals and reversals — 19 documented decisions 19 appealed and reviewed moderation decisions, with their policy, ori… Public AI spending — global government contracts — 50 documented contracts 50 public AI contracts across 15 jurisdictions on 5 continents (45 wi… Campaign promises → fulfillment — 29 term evaluations 29 terms evaluated across 25 countries on five continents EU · Consolidated DSA enforcement decisions — €120M first DSA fine · X · 5 … 5 Member States referred to CJEU for insufficient DSC implementation LATAM · Digital spending in 2026 electoral camp… — $14.794M COP · highest declared … Only 8 of 13 campaigns had reported in Cuentas Claras by mid-May Ibero-America · documented public contracts wit… — 3 contracts verified with… DC registry kickoff · ongoing monthly manual sweep RSF · Press freedom in Latin America — 144 Peru's rank (the region… AR -11 · PE -14 · SV -8 · EC -31 · USA -7 AML/OFAC enforcement against banks and fintech — 418 penalties documented 418 AML/OFAC penalties documented across 177 countries and 379 regula… Corporate bankruptcy and insolvency (Chapter 11) — 4 major corporate bankrup… Corporate bankruptcies hit decade highs: over 717 in the year per S&P… High-impact litigation risk index — 4 high-impact litigations… The risk index (0-100) aggregates five objective factors —procedural … Merger control: multi-jurisdiction competition … — 9 decisions and jurisdict… Merger control diverges by jurisdiction in 2026: the Trump administra… PEPs and sanctions networks · Ibero-American graph — 40 PEP/company nodes with … Ibero-American PEP→company→sanction graph (core: Mapa del Poder, 424 … Sovereign debt distress and restructurings — 5 distress/restructuring … The IMF's 6th Global Sovereign Debt Roundtable report (April 15, 2026… Forced labor in supply chains: entity lists — 4 forced-labor exposure i… Upstream exposure intelligence densifies: the UFLPA Entity List reach… EU AI Act — designation of national authorities — 3/10/14 / 27 Member States Tracker's first event: 3 states with both authorities / 10 partial / … AI Act · Notified bodies for conformity assessment — 1 body with AI-specific a… Ecosystem 'not ready' as of Mar-2026 (standards unpublished, insuffic… Scandal → conviction gap — — milestones logged +1 mirror case: Uribe — 7 years to convict, 8 weeks to reverse, open-… Technology ↔ regulation gap — 26 regulatory milestones +1: Peru closes the generative-AI gap in ~3 years (DS 115-2025-PCM), … CNMC Spain · the Digital Services Coordinator g… — 6 documented milestones The gap becomes chronic: Congress struck down the CNMC's legal empowe… Corporate data breaches: from incident to response — 11 breaches documented +1: Canvas/Instructure, the largest known education breach (≈275M rec… Migration friction in corporate and event mobility — 3 incidents and policies … The 2026 World Cup works as a live stress test: 39 countries under fu… Power and corruption in the courts in Ibero-Ame… — 29 documented cases Jun-2026 review: Uribe updated — first-instance conviction overturned… Crypto · Licenses and authorizations by jurisdi… — 40+ CASPs with full MiCA au… July 1, 2026 cliff: the transitional regime expires (ESMA, Apr 17) wi… Data breaches · Class-action settlements — 5 settlements and mass ca… 271 million dollars across four settlements approved or with deadline… Digital regulatory risk index by country — 16 countries profiled Jun-2026 review: Brazil updated on two layers (EU adequacy Jan 26, 20… Digital services taxes (DST) by country — 3 tax-map milestones docu… About half of European OECD countries have a DST announced, proposed … Global election risk 2026: democracy and digita… — 32 elections profiled 32 electoral processes of 2026 profiled by political regime and digit… ESG · Greenwashing enforcement — 3 enforcement milestones … The legal floor arrives Sep 27, 2026 (ECGT across the 27; transpositi… EU · Digital & sustainability regulatory deadli… — 6 calendar milestones doc… Next critical deadlines: Jun 23, 2026 closes the high-risk classifica… Export controls · Entity List and advanced chips — 6 regime milestones docum… The 2026 shift: licensing for H200/MI325X and equivalents to China mo… GDPR · International transfers and adequacy dec… — 6 framework milestones do… The EU-US DPF remains in force after surviving its first judicial cha… LATAM · AI bills in legislative process — 150+ bills identified 150+ count re-verified; milestones: Peru only country with a regulate… LATAM · Judicial and regulatory sanctions on pl… — $5,2M USD · fine on X Corp. i… Paradigm shift: the STF declared Art. 19 of the Marco Civil partially… Digital political ad spending 2026 — 6 country-platform observ… AdImpact's revised projection (Jun 11): $11.6bn for the 2026 cycle — … Shadow fleet · Sanctioned vessels and enablers — 632 vessels designated by t… +46 vessels in the 20th package (Reg. 2026/506/509/511) to 632; Art. … Whistleblower awards · SEC, CFTC and equivalent… — 3 program milestones docu… The SEC awarded over $60M to 48 whistleblowers in fiscal year 2025 (2… AI Act · Sanctions regime and its actual enforc… — 0 documented AI Act fines… 0 AI Act penalties issued to date: enforcement of high-risk obligatio… Beneficial ownership transparency (UBO / CTA / … — 4 transparency milestones 4 beneficial-ownership transparency milestones documented; the EU req… Crypto industry: collapses, sanctions and convi… — 13 documented cases 13 cases of collapses, sanctions and convictions in the crypto sector… AI harms in court — litigation, rulings and set… — 103 documented cases 103 AI-related harm and rights lawsuits documented; 2026 milestones: … DMA · designated gatekeepers and real compliance — 9 documented DMA acts 9 DMA compliance actions documented against gatekeepers; 2026 develop… Documented electoral disinformation 2026 — 7 documented campaigns 7 electoral disinformation campaigns or patterns documented with open… GDPR · which national authority really sanctions — 11 authorities profiled 11 GDPR enforcement country profiles and milestones documented; 2026 … LATAM · Internet shutdowns and platform blocks — 8 documented events · 202… 8 internet shutdown and blocking episodes documented in Latin America… Operational resilience & cyber (DORA / NIS2 / SEC) — 4 regulatory milestones 4 operational-resilience milestones documented; 2026 is the first rea… Digital fines actually imposed — 61 sanctions recorded 61 high-value penalties across 18 jurisdictions and 6 continents; cov… Commercial spyware: documented cases worldwide — 23 documented cases 23 spyware and surveillance cases documented across the Ibero-America… Trade compliance & forced labor (UFLPA) — 4 actions documented 4 trade-compliance actions on forced labor documented; under UFLPA ar… US · the state AI regulation patchwork — 10 laws and milestones 10 state AI laws or milestones documented in the U.S.; 2026 developme… Electoral digital integrity 2026 — 13 elections profiled 13 elections profiled by digital integrity; 5 with transparent politi… Climate: the gap between pledge and action — 12 countries assessed 12 countries assessed by the Climate Action Tracker: 10 with insuffic… Content moderation: appeals and reversals — 19 documented decisions 19 appealed and reviewed moderation decisions, with their policy, ori… Public AI spending — global government contracts — 50 documented contracts 50 public AI contracts across 15 jurisdictions on 5 continents (45 wi… Campaign promises → fulfillment — 29 term evaluations 29 terms evaluated across 25 countries on five continents EU · Consolidated DSA enforcement decisions — €120M first DSA fine · X · 5 … 5 Member States referred to CJEU for insufficient DSC implementation LATAM · Digital spending in 2026 electoral camp… — $14.794M COP · highest declared … Only 8 of 13 campaigns had reported in Cuentas Claras by mid-May Ibero-America · documented public contracts wit… — 3 contracts verified with… DC registry kickoff · ongoing monthly manual sweep RSF · Press freedom in Latin America — 144 Peru's rank (the region… AR -11 · PE -14 · SV -8 · EC -31 · USA -7
/ trackers / gdpr-enforcement-by-country
EU · Data protection

GDPR · which national authority really sanctions

Comparative tracking of GDPR enforcement by national data-protection authority. Since 2018, European authorities have imposed around €7.1 billion across more than 2,600 fines, but that total is very unevenly distributed: Ireland concentrates more than half the amount (due to big tech's European headquarters), while Spain leads by number of fines with much smaller average amounts. The tracker measures two gaps: cumulative amount versus number of sanctions (sanctioning a lot is not sanctioning expensively), and the distance between the announced fine and the final one (Amazon's €746 million sanction was annulled on appeal). Each record profiles a national authority with its approach, its volume and its flagship case.

Snapshot · June 8, 2026
11
authorities profiled
↑ 11 GDPR enforcement country profiles and milestones documented; 2026 developments: Italy (Garante) issues the first European AI-related GDPR fines, and a Luxembourg court annuls a large fine on procedural grounds while upholding the violations. Spain leads by volume with over 900 fines

Evolution

Data analysis

Statistical readings derived from the attributes of each recorded case. All figures come from the documented events; amounts are computed only over cases with a sum expressed in the indicated currency, without converting between currencies.

Regulatory approach

How each authority sanctions: direct fine, prior warning, or scepticism toward fines. The field that reveals opposing philosophies.

Region

Regional distribution of the data-protection authorities profiled.

Cumulative amount bracket

The bracket of total GDPR fine amount imposed by each authority since 2018.

Global incidence map

Choropleth by number of forensically or judicially documented cases. Countries with no verifiable public cases remain in the base colour — the absence of events does not equal the absence of surveillance. Hover or click a coloured country to see the cases.

Natural Earth 50m · Diálogo Ciudadano

Reading the data

Saying Europe has fined €7.1 billion under the GDPR hides the essential: that money is not shared equally by the Twenty-Seven. Ireland concentrates over half the amount with just a handful of giant fines; Spain imposes nearly a thousand sanctions, but far cheaper. Sanctioning a lot and sanctioning expensively are two different things, and this tracker separates them.

YV
Yaneth Vickari S. · Digital regulation expert · Madrid
May 26, 2026 · 6 min read

The GDPR is a single law, but it is applied by twenty-seven national authorities plus those of the European Economic Area, and each does it its own way. The aggregate headline —around €7.1 billion in fines since 2018, per the CMS GDPR Enforcement Tracker— is true but misleading, because it hides an enormous inequality in how that enforcement is distributed. This tracker profiles the main authorities to answer the question the aggregate does not: who really sanctions, and how?

The first gap that stands out is amount versus volume. Ireland's Data Protection Commission accumulates around €4.04 billion —over half the European total— with just a handful of fines, nine of the ten largest in history. Spain, by contrast, has imposed nearly a thousand sanctions, the continent's highest count, but with a far lower average amount. They are two opposing philosophies: Ireland sanctions little and huge; Spain, a lot and cheap. Neither is 'the right one'; they are different regulatory strategies that the aggregate figure merges and hides.

Ireland's dominance is structural, not accidental: Meta, Google, TikTok, LinkedIn, Apple and Microsoft have their European headquarters in Dublin, and under the GDPR's one-stop-shop mechanism, the authority of the country of establishment leads the investigation. That turns a regulator from a country of five million people into the de facto arbiter of the privacy of hundreds of millions of Europeans.

The second gap: announced is not final

The second gap the tracker captures is this outlet's usual one: the distance between the fine that makes headlines and the one that becomes final. Luxembourg is the textbook case. Its authority ranks second in Europe by cumulative amount —around €746 million— but almost all of it comes from a single sanction: the 2021 Amazon fine. And that fine was annulled on procedural grounds by the Luxembourg Administrative Court in March 2026, even though the underlying violations were upheld. On paper, Luxembourg is a major sanctioner; in practice, its largest fine evaporated on appeal.

And then there are the approaches that do not even prioritize the fine. Sweden consults and warns before sanctioning; the United Kingdom, after Brexit, applies an openly fine-sceptical philosophy —its commissioner said he does not believe they are the highest-impact tool—. A low cumulative amount does not mean a passive authority: it may mean one that regulates with other tools. That is why the tracker profiles each authority's approach, not just its figure.

Who this profile is for

For a data-protection officer, a law firm or a company operating in several European markets, knowing 'how much Europe fines' is useless; what matters is which authority supervises it depending on where its main establishment is, and how that specific authority sanctions. Falling under France's CNIL —aggressive on cookies and ad-tech— is not the same as falling under an authority that warns before fining. The tracker turns the European aggregate into a comparable map, authority by authority, of where the real risk lies.

That is the asset's value: going from '€7.1 billion in GDPR fines' to 'Ireland €4.04 billion by structural concentration, France over €1 billion aggressive on cookies, Spain nearly a thousand fines but cheap, Luxembourg second by amount but with its largest fine annulled'. That granularity is the difference between a headline and a due-diligence tool.

Methodology note

The amounts come from the CMS GDPR Enforcement Tracker (7th ed., cutoff 1 March 2026), the DLA Piper GDPR Fines Survey and Statista; they are approximate because the sources differ in methodology and cutoff date (the European total is cited between €5.88 and €7.1 billion depending on the source). A distinction is drawn between announced and final fine: the Amazon sanction in Luxembourg was noted as annulled on appeal. The number of fines and the average amount are treated as separate dimensions. The regulatory approach is attributed to each authority's documented statements and practices.

The charts and map are computed from each record's attributes. This tracker is informational infrastructure, not legal advice nor a valuation of any company's liability.

Documented events (11)

November 1, 2024 GB confirmed

United Kingdom (ICO): sceptical of fines as a tool

The UK Information Commissioner was an outlier in 2024, with very few fines. Its head, John Edwards, said in November 2024 that he does not believe fines have the greatest impact and that they would tie his office up in years of litigation. After Brexit, the UK applies its own version of the GDPR with a deliberately less punitive philosophy.

March 1, 2026 SE confirmed

Sweden (IMY): consults and warns before imposing fines

The Swedish authority follows a different approach from the big sanctioners: it prioritizes consultation and issues reprimands or warnings before imposing fines. Its cumulative amount is low, not from inaction, but from regulatory philosophy: the financial penalty is the last resort, not the first.

August 1, 2024 NL confirmed

Netherlands (AP): forceful, selective fines

The Dutch authority applies forceful though less numerous sanctions: in August 2024 it imposed a €290 million fine, one of the year's largest in Europe. It prioritizes systemic cases over volume.

March 1, 2026 LU reported

Luxembourg · A court annuls a large GDPR fine on procedural grounds, but upholds the violations

Luxembourg's Administrative Court annulled in March 2026, on procedural grounds, one of the largest GDPR fines imposed by the CNPD, though it upheld the underlying violations and sent the case back to the regulator. The episode illustrates a recurring tension in GDPR enforcement: the validity of large penalties depends as much on the merits as on procedural correctness, and courts do not hesitate to annul on form even when they confirm the material breach. Outside that case, Luxembourg's enforcement activity is modest.

March 1, 2026 LU confirmed

Luxembourg (CNPD): second by amount, but its largest fine was annulled

The Luxembourg authority accumulates around €746 million, almost all from a single sanction: the 2021 Amazon fine for advertising without valid consent. That fine was annulled on procedural grounds by the Luxembourg Administrative Court in March 2026, though the underlying violations were upheld. It is the perfect example of the gap between announced and final amount.

May 1, 2026 IT reported

Italy · The Garante issues the first European AI-related GDPR fines

Italy's Garante, one of Europe's most active data-protection regulators with hundreds of decisions, recorded recent activity including the first European AI-related GDPR fines, with a particular focus on telecoms, AI services and employment-related data processing. The data confirms that GDPR enforcement is extending into AI territory even before the AI Act's high-risk obligations take effect (August 2, 2026), creating a double layer of scrutiny over AI systems that process personal data.

March 1, 2026 IT confirmed

Italy (Garante): active by volume and attentive to AI

Italy's Garante is one of the most active authorities by number of sanctions (41 in 2024, third in the EU) and has been a pioneer in acting against AI services over data processing. It combines sanctions on large and mid-sized firms in sectors such as utilities and telecoms.

March 1, 2026 IE confirmed

Ireland (DPC): the authority concentrating more than half the total amount

Ireland's Data Protection Commission leads by far: around €4.04 billion cumulative, over 50% of the European total, and 9 of the 10 largest GDPR fines. Its dominance is structural: Meta, Google, TikTok, LinkedIn, Apple and Microsoft have their European headquarters in Dublin, making it the lead authority under the one-stop-shop. Largest fine ever: Meta, €1.2 billion (2023).

March 1, 2026 FR confirmed

France (CNIL): overtook Luxembourg and is the most aggressive on cookies and ad-tech

France's CNIL overtook Luxembourg in 2025 and is the second authority besides Ireland to exceed €1 billion cumulative. It has been the most aggressive on cookie consent and advertising: in September 2025 it imposed €325 million on Google and €150 million on Shein.

March 1, 2026 ES confirmed

Spain (AEPD): leader by number of fines, but with low average amounts

The Spanish Data Protection Agency is Europe's most active by volume: nearly 1,000 fines since 2018, the continent's highest count. But its average amount is far below other authorities. It is the opposite of Ireland: it sanctions a lot and cheaply, versus Ireland which sanctions little and huge. By number of fines in 2024 it led with 107, followed by Romania and Italy.

January 1, 2025 DE confirmed

Germany: decentralized enforcement among regional authorities

Germany is a particular case: its enforcement is split among the data-protection authorities of each Land (federal state), plus the federal one. This produces a relevant volume of sanctions (around €45.9 million in the analyzed 2024 period) but dispersed, without Ireland's concentration nor Spain's unit volume.

Methodology

Type
event-log
Construction
DC editorial construction
Cadence
quarterly

Each record profiles a national data-protection authority with its cumulative GDPR fine amount since 2018, its approximate number of sanctions, its regulatory approach (sanction directly, warn before fining, sceptical of fines) and its flagship case. The amounts come from specialised trackers (CMS, DLA Piper, Statista) and are approximate given differences in methodology and cutoff date between sources; ranges are cited where sources differ. A distinction is drawn between announced and final fine: where a sanction has been annulled or reduced on appeal, it is noted. No unpublished figures are imputed. The decisive field is the contrast between amount and volume, which reveals opposing regulatory approaches.

Sources consulted

  1. CMS GDPR Enforcement Tracker Report (7ª ed., corte 1-mar-2026) ↗ academic
  2. DLA Piper GDPR Fines and Data Breach Survey (ene 2026) ↗ academic
  3. Statista — Countries with highest GDPR fines ↗ press