Reference
EU AI & Data Leak Statistics
A sourced reference of EU AI regulation, enforcement, and adoption data: fine tiers, real enforcement actions, and how fast generative AI use has spread through the workplace.
AIovert Security & Compliance Team
GDPR, EU AI Act & DORA practitioners writing on AI data protection for EU businesses.
Last updated 6 July 2026
Every figure below cites a public regulatory text, an official enforcement decision, or a named third-party research report, linked at each entry. These are not AIovert's own product telemetry. Reviewed and refreshed periodically as the underlying sources change.
Regulatory exposure
GDPR fines reach up to €20 million or 4% of global annual turnover, whichever is higher, for serious violations involving personal data.
Source: GDPR Article 83 — see AIovert's EU AI Act enterprise guide →EU AI Act Article 99 sets three fine tiers: up to €35M or 7% of turnover for Article 5 prohibited-practice violations, up to €15M or 3% for most other obligations, and up to €7.5M or 1% for misleading regulators.
Source: EU AI Act Article 99 — AIovert's 2026 deadlines guide →DORA Article 9 requires financial entities to maintain ICT risk protection and prevention measures, a framework that extends to unsanctioned AI tools carrying financial data.
Source: DORA Article 9 — AIovert's DORA & AI tools guide →Enforcement history
The Italian Garante fined OpenAI €15 million in December 2024, with breach-notification and transparency failures among the grounds.
Source: Garante per la Protezione dei Dati Personali — AIovert's GDPR breach analysis →The Court of Rome annulled that €15M fine in March 2026, but only on jurisdiction (the Irish DPC, not the Garante, is OpenAI's GDPR lead supervisory authority) — the underlying conduct findings were never overturned on the merits.
Source: Court of Rome ruling, 18 March 2026 — AIovert's GDPR breach analysis →In early 2023, Samsung engineers pasted proprietary source code and internal materials into ChatGPT in at least three separate incidents within weeks of the tool being permitted, after which Samsung restricted generative AI company-wide.
Source: Widely reported 2023 incident — AIovert's developer data-leak guide →Workplace AI adoption
75% of knowledge workers already use generative AI at work.
Source: Microsoft 2024 Work Trend Index →40% of European organisations used sovereign cloud in 2025, up from around 30% a year earlier.
Source: AIovert's EU data residency guide →EU AI Act timeline
The AI literacy duty (Article 4) has been mandatory since February 2025.
Source: EU AI Act Article 4 — AIovert's literacy duty guide →Article 50 transparency obligations and regulator enforcement powers apply from 2 August 2026.
Source: EU AI Act Article 50 — AIovert's 2026 deadlines guide →The May 2026 Digital Omnibus agreement deferred the high-risk AI system obligations: stand-alone Annex III systems to 2 December 2027, and AI embedded in regulated products under Annex I to 2 August 2028.
Source: Digital Omnibus for AI, political agreement 7 May 2026 — AIovert's 2026 deadlines guide →See what this looks like in your own data
The free paste test shows exactly what AIovert's detection engine sees, no account needed.