Italy's data protection authority hit Intesa Sanpaolo with a massive €31.8 million GDPR fine for failing to detect unauthorized access to 3,573 customer accounts over two years. Meanwhile, the European Commission itself fell victim to the ShinyHunters hacking group, which claims to have stolen 350GB from Europa.eu cloud systems. Here's what both incidents mean for GDPR, DORA, and NIS2 compliance.
The Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) has imposed a €31.8 million fine ($36 million) on Intesa Sanpaolo SpA — one of Italy's largest banks and a Eurozone financial giant — for what it described as "serious shortcomings in personal data security, due to the inadequacy of the technical and organizational measures adopted."
The investigation, triggered by a data breach the bank disclosed in July 2024, revealed that a single employee accessed the banking information of 3,573 customers without authorization between February 2022 and April 2024 — a span of over two years.
The Garante noted that "these unauthorized accesses were not detected by internal control systems, highlighting significant weaknesses in the monitoring and prevention mechanisms." The bank's operating model allowed operators to query the entire customer base in a fully circular manner without adequate controls to prevent or identify unauthorized access.
Making matters worse, among the affected customers were high-profile public figures whom the regulator said the bank should have subjected to strengthened access controls. The bank's breach notification to affected customers was also found to be incomplete and late, violating GDPR's 72-hour notification requirement.
This case is a perfect storm for DORA (Digital Operational Resilience Act) compliance. DORA, which has been fully applicable since January 17, 2025, specifically requires financial entities to:
The €31.8M fine is one of the largest GDPR penalties in Italy's history and sends a clear signal: insider threat detection is not optional. Under DORA, a bank failing to detect two years of unauthorized data access would face additional regulatory action from financial supervisors, potentially including restrictions on operations or management changes.
Key lesson: Having access controls is not enough. You must prove they actually work — and that anomalies are detected in real time, not two years later.
In a deeply ironic twist, the European Commission — the institution that authored GDPR, NIS2, DORA, and the EU AI Act — disclosed that its Europa.eu web portal was breached by the ShinyHunters hacking group.
ShinyHunters, a well-known cybercrime group, claims to have stolen over 350 gigabytes of data including databases, emails, and internal documents from European Commission cloud systems hosted on Amazon Web Services (AWS). The group has published data samples on its dark web leak site.
Commission spokesperson Thomas Regnier confirmed the incident but sought to minimize its significance, stating that:
The Commission declined to specify what data was accessed, how many users could be affected, or whether personal data was involved.
The irony is not lost on the cybersecurity community. The European Commission is the institution responsible for enforcing NIS2 across all 27 member states. Under NIS2 Article 23, essential entities must:
If the EU Commission cannot secure its own infrastructure, how can it credibly enforce NIS2 compliance on member states and private organizations? This breach — regardless of its actual severity — undermines regulatory credibility at a critical moment, just as NIS2 enforcement enters its first year of full implementation across Europe.
The fact that Europa.eu runs on AWS highlights a persistent compliance gap: the shared responsibility model. AWS secures the infrastructure; the customer (in this case, the Commission) secures the configuration, access controls, and data.
Common cloud misconfigurations that lead to breaches like this:
The Intesa Sanpaolo fine establishes a clear enforcement precedent:
The Commission breach demonstrates that no organization is immune:
Adding to this week's regulatory pressure, healthcare IT firm CareCloud disclosed a data breach to the SEC affecting patient data in one of its electronic health record (EHR) environments. Healthcare entities are classified as essential entities under NIS2, and patient health data receives the highest protection level under GDPR Article 9 (special categories of personal data).
Organizations handling health data face:
| Regulation | Status | Next Milestone |
|---|---|---|
| NIS2 | Enforcement active in most member states | First wave of BSI/ANSSI audits underway Q2 2026 |
| DORA | Fully applicable since Jan 17, 2025 | ESA joint committee reviewing first incident reports |
| GDPR | Enforcement intensifying (see: €31.8M fine) | EDPB guidelines on AI data processing expected Q2 2026 |
| EU AI Act | Prohibited practices ban active since Feb 2, 2025 | High-risk AI system requirements apply Aug 2, 2026 |
| CRA | Cyber Resilience Act entered into force Dec 2024 | Vulnerability reporting obligations start Sep 2026 |
KENSAI continuously monitors your infrastructure against NIS2, DORA, and GDPR requirements. Detect compliance gaps before auditors do — automated scanning, real-time alerts, and BSI-ready reports.
Start Free Compliance Scan →When the regulator becomes the regulated — and everyone pays attention.
KENSAI Security Research Team
March 31, 2026 — 06:00 CET