Skip to content

Reference

EU AI & Data Leak Statistics

A sourced reference of EU AI regulation, enforcement, and adoption data: fine tiers, real enforcement actions, and how fast generative AI use has spread through the workplace.

A

AIovert Security & Compliance Team

GDPR, EU AI Act & DORA practitioners writing on AI data protection for EU businesses.

Last updated 6 July 2026

Every figure below cites a public regulatory text, an official enforcement decision, or a named third-party research report, linked at each entry. These are not AIovert's own product telemetry. Reviewed and refreshed periodically as the underlying sources change.

Regulatory exposure

GDPR fines reach up to €20 million or 4% of global annual turnover, whichever is higher, for serious violations involving personal data.

Source: GDPR Article 83 — see AIovert's EU AI Act enterprise guide

EU AI Act Article 99 sets three fine tiers: up to €35M or 7% of turnover for Article 5 prohibited-practice violations, up to €15M or 3% for most other obligations, and up to €7.5M or 1% for misleading regulators.

Source: EU AI Act Article 99 — AIovert's 2026 deadlines guide

DORA Article 9 requires financial entities to maintain ICT risk protection and prevention measures, a framework that extends to unsanctioned AI tools carrying financial data.

Source: DORA Article 9 — AIovert's DORA & AI tools guide

Enforcement history

The Italian Garante fined OpenAI €15 million in December 2024, with breach-notification and transparency failures among the grounds.

Source: Garante per la Protezione dei Dati Personali — AIovert's GDPR breach analysis

The Court of Rome annulled that €15M fine in March 2026, but only on jurisdiction (the Irish DPC, not the Garante, is OpenAI's GDPR lead supervisory authority) — the underlying conduct findings were never overturned on the merits.

Source: Court of Rome ruling, 18 March 2026 — AIovert's GDPR breach analysis

In early 2023, Samsung engineers pasted proprietary source code and internal materials into ChatGPT in at least three separate incidents within weeks of the tool being permitted, after which Samsung restricted generative AI company-wide.

Source: Widely reported 2023 incident — AIovert's developer data-leak guide

Workplace AI adoption

75% of knowledge workers already use generative AI at work.

Source: Microsoft 2024 Work Trend Index

40% of European organisations used sovereign cloud in 2025, up from around 30% a year earlier.

Source: AIovert's EU data residency guide

EU AI Act timeline

The AI literacy duty (Article 4) has been mandatory since February 2025.

Source: EU AI Act Article 4 — AIovert's literacy duty guide

Article 50 transparency obligations and regulator enforcement powers apply from 2 August 2026.

Source: EU AI Act Article 50 — AIovert's 2026 deadlines guide

The May 2026 Digital Omnibus agreement deferred the high-risk AI system obligations: stand-alone Annex III systems to 2 December 2027, and AI embedded in regulated products under Annex I to 2 August 2028.

Source: Digital Omnibus for AI, political agreement 7 May 2026 — AIovert's 2026 deadlines guide

See what this looks like in your own data

The free paste test shows exactly what AIovert's detection engine sees, no account needed.