← Back to Blog
Regulation Roundup 📅 March 31, 2026 ⏱️ 8 min read

Italy's €31.8M GDPR Fine, EU Commission Breached by ShinyHunters — DORA & NIS2 Compliance Fallout

Italy's data protection authority hit Intesa Sanpaolo with a massive €31.8 million GDPR fine for failing to detect unauthorized access to 3,573 customer accounts over two years. Meanwhile, the European Commission itself fell victim to the ShinyHunters hacking group, which claims to have stolen 350GB from Europa.eu cloud systems. Here's what both incidents mean for GDPR, DORA, and NIS2 compliance.

Is your organization GDPR & NIS2 compliant? Scan your infrastructure for compliance gaps before regulators find them.
Free Compliance Scan →

🏦 Italy Hits Intesa Sanpaolo With €31.8M GDPR Fine

The Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) has imposed a €31.8 million fine ($36 million) on Intesa Sanpaolo SpA — one of Italy's largest banks and a Eurozone financial giant — for what it described as "serious shortcomings in personal data security, due to the inadequacy of the technical and organizational measures adopted."

What Happened

The investigation, triggered by a data breach the bank disclosed in July 2024, revealed that a single employee accessed the banking information of 3,573 customers without authorization between February 2022 and April 2024 — a span of over two years.

⚠️ Critical Failure: No Internal Detection

The Garante noted that "these unauthorized accesses were not detected by internal control systems, highlighting significant weaknesses in the monitoring and prevention mechanisms." The bank's operating model allowed operators to query the entire customer base in a fully circular manner without adequate controls to prevent or identify unauthorized access.

Making matters worse, among the affected customers were high-profile public figures whom the regulator said the bank should have subjected to strengthened access controls. The bank's breach notification to affected customers was also found to be incomplete and late, violating GDPR's 72-hour notification requirement.

GDPR Articles Violated

DORA Implications for Financial Services

This case is a perfect storm for DORA (Digital Operational Resilience Act) compliance. DORA, which has been fully applicable since January 17, 2025, specifically requires financial entities to:

📊 Why This Fine Matters

The €31.8M fine is one of the largest GDPR penalties in Italy's history and sends a clear signal: insider threat detection is not optional. Under DORA, a bank failing to detect two years of unauthorized data access would face additional regulatory action from financial supervisors, potentially including restrictions on operations or management changes.

Key lesson: Having access controls is not enough. You must prove they actually work — and that anomalies are detected in real time, not two years later.

🇪🇺 European Commission Breached by ShinyHunters

In a deeply ironic twist, the European Commission — the institution that authored GDPR, NIS2, DORA, and the EU AI Act — disclosed that its Europa.eu web portal was breached by the ShinyHunters hacking group.

The Breach

ShinyHunters, a well-known cybercrime group, claims to have stolen over 350 gigabytes of data including databases, emails, and internal documents from European Commission cloud systems hosted on Amazon Web Services (AWS). The group has published data samples on its dark web leak site.

Commission spokesperson Thomas Regnier confirmed the incident but sought to minimize its significance, stating that:

The Commission declined to specify what data was accessed, how many users could be affected, or whether personal data was involved.

NIS2 Compliance Questions

The irony is not lost on the cybersecurity community. The European Commission is the institution responsible for enforcing NIS2 across all 27 member states. Under NIS2 Article 23, essential entities must:

🚨 The Credibility Problem

If the EU Commission cannot secure its own infrastructure, how can it credibly enforce NIS2 compliance on member states and private organizations? This breach — regardless of its actual severity — undermines regulatory credibility at a critical moment, just as NIS2 enforcement enters its first year of full implementation across Europe.

Cloud Security Under Shared Responsibility

The fact that Europa.eu runs on AWS highlights a persistent compliance gap: the shared responsibility model. AWS secures the infrastructure; the customer (in this case, the Commission) secures the configuration, access controls, and data.

Common cloud misconfigurations that lead to breaches like this:

📋 What This Means for Your Organization

If You're in Financial Services (DORA + GDPR)

The Intesa Sanpaolo fine establishes a clear enforcement precedent:

  1. Insider threat detection is mandatory. User behavior analytics (UBA) and privileged access monitoring must be in place — not just access controls.
  2. Least-privilege access is enforced, not assumed. Employees should only access customer records they need for their specific role. Query-the-entire-database access is a compliance violation.
  3. Breach notification timelines are strictly enforced. GDPR's 72-hour window and DORA's incident reporting requirements are not suggestions.
  4. High-profile customers require enhanced controls. PEP (Politically Exposed Persons) monitoring isn't just for AML — it's now a data protection requirement.

If You're an Essential or Important Entity (NIS2)

The Commission breach demonstrates that no organization is immune:

  1. Audit your cloud configuration. If the EU Commission can misconfigure AWS, so can you. Run infrastructure-as-code security scanning (Checkov, tfsec, KENSAI).
  2. Don't rely on "it's public data" defense. Under GDPR and NIS2, even publicly available data can contain personal information requiring protection.
  3. Third-party cloud risk is your risk. NIS2 Article 21 makes you liable for supply chain security, including cloud provider configurations.
  4. Incident response plans must include cloud scenarios. Can your team respond to an S3 breach at 3 AM? Is your CSIRT trained on cloud forensics?

CareCloud Healthcare Breach — GDPR/NIS2 for Health Data

Adding to this week's regulatory pressure, healthcare IT firm CareCloud disclosed a data breach to the SEC affecting patient data in one of its electronic health record (EHR) environments. Healthcare entities are classified as essential entities under NIS2, and patient health data receives the highest protection level under GDPR Article 9 (special categories of personal data).

Organizations handling health data face:

🔮 Regulation Outlook: What's Coming

Regulation Status Next Milestone
NIS2 Enforcement active in most member states First wave of BSI/ANSSI audits underway Q2 2026
DORA Fully applicable since Jan 17, 2025 ESA joint committee reviewing first incident reports
GDPR Enforcement intensifying (see: €31.8M fine) EDPB guidelines on AI data processing expected Q2 2026
EU AI Act Prohibited practices ban active since Feb 2, 2025 High-risk AI system requirements apply Aug 2, 2026
CRA Cyber Resilience Act entered into force Dec 2024 Vulnerability reporting obligations start Sep 2026

Stay Ahead of Regulatory Enforcement

KENSAI continuously monitors your infrastructure against NIS2, DORA, and GDPR requirements. Detect compliance gaps before auditors do — automated scanning, real-time alerts, and BSI-ready reports.

Start Free Compliance Scan →

📚 Further Reading


When the regulator becomes the regulated — and everyone pays attention.
KENSAI Security Research Team
March 31, 2026 — 06:00 CET

Stay Informed on Security Regulations

Daily analysis of NIS2, DORA, GDPR & EU AI Act enforcement — direct to your feed.