Sweden’s privacy regulator has fined Sportadmin roughly $560,000 (SEK 6 million) after concluding that the company failed to implement adequate IT security measures ahead of a major cyberattack that exposed personal data on more than 2.1 million people.
France’s data protection authority, the CNIL, has imposed a €3.5 million fine on a company for unlawfully using the personal data of its loyalty program members to fuel targeted advertising on a social network. The sanction, adopted on 30 December 2025 and announced publicly on 22 January 2026, stems from long-running practices that the regulator says breached core principles of EU data protection law and affected more than 10.5 million people.
The European Commission has unveiled a new package of measures aimed at strengthening the European Union’s cybersecurity resilience, as cyber and hybrid threats increasingly target essential services, businesses, and democratic institutions across the bloc.
The Cyprus Securities and Exchange Commission has issued guidance to regulated entities so that Europe’s new digital resilience regime is no longer an abstract compliance exercise. In a circular published on 19 January 2026, the regulator signaled growing concern that some firms are still struggling with the basics of the Digital Operational Resilience Act (DORA), particularly when it comes to incident reporting, ICT governance, and regulatory submissions.
The Dutch data protection watchdog is urging lawmakers to slow down and look closely at the real-world impact of sweeping new anti-money laundering rules, warning that a major expansion of financial surveillance can only be justified if it is proven to work and if people’s privacy is meaningfully protected.
UK organizations grappling with cross-border data transfers have new help at hand. The country’s data protection regulator has published updated guidance on international transfers of personal information, with the stated aim of making the rules under the UK GDPR quicker to understand and easier to apply in practice.
For years, cybersecurity has been treated like a home alarm system. You install it, arm it, and hope it only goes off when something truly bad happens. The problem is that modern cyber threats no longer behave like burglars rattling windows at night. They act more like termites, quietly weakening structures over time, or like flash floods that overwhelm defenses faster than alarms can react. In this environment, reacting after the fact is no longer enough. Organizations must move from reactive cybersecurity to proactive cyber resilience.