The Enforcement Number That Should Focus Every SME’s Mind
National data protection authorities across Europe issued a combined €1.15 billion in GDPR fines during 2025 — and the EDPB’s 2025 Annual Report, published April 9, 2026, lays out exactly where that money came from and what the enforcement priorities are heading into the rest of the year.
For small and medium businesses already managing EU AI Act compliance, this report deserves more than a cursory glance. Because the GDPR and the AI Act are not parallel tracks — they are converging. The EDPB’s report shows that convergence accelerating, and the practical implications for SMEs are more immediate than the August 2026 deadline debate.
Where the Fines Came From — And Why It Matters
The €1.15 billion total is not spread evenly across Europe. Three countries account for the overwhelming majority of enforcement action:[1]
- Ireland: €530.8 million — driven almost entirely by a single €530 million fine against TikTok Technology Limited in April 2025 for unlawful transfers of European user data to China. Ireland’s DPA has been the dominant enforcer in Europe for years, partly because so many major tech companies are headquartered there.
- France: €486.9 million across 84 separate enforcement actions — the highest volume of large individual fines outside Ireland.
- Germany: €48.1 million from 499 enforcement actions — high volume, smaller individual fines, reflecting Germany’s fragmented DPA structure.
- Spain: €45.2 million from 324 fines. Slovakia had 542 fines totalling just €469,000 — indicating a regulatory culture of high-volume, low-value enforcement rather than landmark cases.
Since 2018, GDPR fines across Europe total roughly €4.2 billion across more than 6,680 enforcement actions.[1] That is not a rounding error. It is a structural feature of the European regulatory landscape.
The Helsinki Statement: A Compliance Roadmap Nobody Is Talking About
Buried in the EDPB’s report is one of the most practically useful things for SMEs — and one of the least covered in the press. In July 2025, the EDPB held a two-day high-level meeting in Helsinki and produced the Helsinki Statement on Enhanced Clarity, Support, and Engagement: a commitment to actually make GDPR compliance easier to navigate.
This is not just aspiration. The report documents specific deliverables produced by year-end 2025: streamlined internal EDPB guidance to make Board documents more timely and practical; a stakeholder event on anonymisation and pseudonymisation with over 100 participants; and — most significantly — the endorsement of joint DMA-GDPR guidelines with the European Commission in October 2025, the first co-authored guidance document in the EDPB’s history.[1]
These joint DMA-GDPR guidelines are the document that explains how GDPR principles apply when a “gatekeeper” — Alphabet, Amazon, Apple, ByteDance, Meta, Microsoft — is processing personal data under DMA obligations. For any SME that uses advertising platforms, cloud services, or digital marketplaces operated by those companies, the rules governing how your data flows through those systems just got clearer.
Looking ahead, the Helsinki Statement pipeline includes:[1]
- Data Protection Impact Assessment (DPIA) template — due early 2026. If you are unsure what a DPIA should contain for your AI systems, this template will be the authoritative reference. Get ready to use it.
- Data breach notification template — coming in 2026.
- Joint AI Act-GDPR guidelines — to be published throughout 2026. This is the document that will most directly affect SMEs using AI. It will clarify how the two regulations interact — where GDPR obligations end and AI Act obligations begin, and where they overlap.
- Cross-regulatory cooperation template — summer 2026, covering how DPAs and AI Act enforcement authorities coordinate.
Why the AI Act-GDPR Guidelines Coming in 2026 Matter for Your Business
If you run an AI system that processes personal data — which is almost any AI tool operating in a business context — you are already subject to both the GDPR and the AI Act simultaneously. The EDPB’s announcement that joint AI Act-GDPR guidelines will be published throughout 2026 is the clearest signal yet that regulators are aware the dual-compliance situation is creating genuine confusion for businesses.
EDPB Chair Anu Talus framed it directly in the report’s foreword: the rapid expansion of the EU’s digital regulatory framework has added complexity to the data protection ecosystem, and the Board is committed to reducing unnecessary administrative burden while ensuring that simplification does not erode the protection of individuals’ fundamental rights.[1]
That sentence is worth unpacking. Reducing “unnecessary administrative burden” is the Helsinki Statement’s stated goal, delivered through practical tools like the DPIA template, the breach notification form, and the forthcoming joint guidelines. The qualifier that simplification must not erode protection is the constraint that ensures those tools cannot be used to circumvent real compliance obligations.
For SMEs, the practical meaning is this: the guidelines will give you a clearer answer to the question you are probably already asking: if I am already doing X for GDPR, do I need to do it again for the AI Act? Where do the two sets of obligations reinforce each other, and where do they diverge? The joint guidelines are the document that will answer those questions authoritatively.
The CEF 2026 Connection Is Already Active
We covered the EDPB’s CEF 2026 coordinated enforcement action — 25 DPAs examining AI transparency under GDPR Articles 12, 13, and 14 — in our post on April 16. The annual report confirms that this is not an isolated exercise. The Helsinki Statement’s cross-regulatory cooperation template, due summer 2026, is designed specifically to make operations like CEF 2026 more systematic.
In other words: the enforcement infrastructure for AI transparency compliance is being built right now. The coordinated action across 25 DPAs in CEF 2026 is the pilot. The tools being developed under the Helsinki Statement are what make it a permanent capability rather than a one-off exercise.
What This Means for Your Compliance Planning
Three things to take away from the EDPB’s 2025 Annual Report if you are an SME in Europe:
- GDPR enforcement is not a background concern — it is an active, well-resourced operation. The €1.15 billion in 2025 fines reflects serious institutional capacity in Ireland, France, Germany, and Spain. If your AI systems process personal data and you have not audited your GDPR compliance recently, now is the time.
- Watch for the DPIA template in early 2026. If you are deploying a high-risk AI system, a DPIA is mandatory under both GDPR and the AI Act. Having a single authoritative template that covers both requirements will save significant time. When it drops, use it immediately — do not build your DPIA from scratch.
- The joint AI Act-GDPR guidelines coming in 2026 are the most important document you will read this year. Until that document exists, dual compliance is necessarily uncertain. If you have been waiting for clarity before investing in a compliance process, those guidelines will give you a foundation to build on. Monitor the EDPB’s publications page and act on the guidelines as soon as they are released.
The Bigger Picture
The GDPR has now accumulated €4.2 billion in fines since 2018. The AI Act adds a second layer of obligations on top of the same data processing activities. The Helsinki Statement’s practical tools — DPIA templates, breach forms, joint guidelines — are the EU’s answer to the legitimate concern that running two complex regulations simultaneously creates confusion and compliance cost.
That answer is still being built. But the enforcement is already here. The €1.15 billion figure is not a warning about the future — it is a record of what has already happened. For SMEs: the regulatory environment is not theoretical. It is being enforced today, and it will be enforced more systematically as the Helsinki Statement tools land throughout 2026.
This article is for informational purposes only and does not constitute legal advice.
Sources