Italy's €31.8M GDPR Fine, EU Commission Breached by ShinyHunters — DORA & NIS2 Compliance Fallout
Italy's data protection authority hit Intesa Sanpaolo with a massive €31.8 million GDPR fine for failing to detect unauthorized access to 3,573 customer accounts over two years. Meanwhile, the European Commission itself fell victim to the ShinyHunters hacking group, which claims to have stolen 350GB from Europa.eu cloud systems. Here's what both incidents mean for GDPR, DORA, and NIS2 compliance.
🏦 Italy Hits Intesa Sanpaolo With €31.8M GDPR Fine
The Italian Data Protection Authority (Garante per la Protezione dei Dati Personali) has imposed a €31.8 million fine ($36 million) on Intesa Sanpaolo SpA — one of Italy's largest banks and a Eurozone financial giant — for what it described as "serious shortcomings in personal data security, due to the inadequacy of the technical and organizational measures adopted."
What Happened
The investigation, triggered by a data breach the bank disclosed in July 2024, revealed that a single employee accessed the banking information of 3,573 customers without authorization between February 2022 and April 2024 — a span of over two years.
⚠️ Critical Failure: No Internal Detection
The Garante noted that "these unauthorized accesses were not detected by internal control systems, highlighting significant weaknesses in the monitoring and prevention mechanisms." The bank's operating model allowed operators to query the entire customer base in a fully circular manner without adequate controls to prevent or identify unauthorized access.
Making matters worse, among the affected customers were high-profile public figures whom the regulator said the bank should have subjected to strengthened access controls. The bank's breach notification to affected customers was also found to be incomplete and late, violating GDPR's 72-hour notification requirement.
GDPR Articles Violated
- Article 5(1)(f): Integrity and confidentiality — data must be processed securely with appropriate technical measures
- Article 32: Security of processing — organizations must implement appropriate technical and organizational measures including access controls and monitoring
- Article 33: Notification of personal data breach to supervisory authority — breaches must be reported within 72 hours
- Article 34: Communication of breach to data subjects — affected individuals must be notified without undue delay when the breach poses a high risk
DORA Implications for Financial Services
This case is a perfect storm for DORA (Digital Operational Resilience Act) compliance. DORA, which has been fully applicable since January 17, 2025, specifically requires financial entities to:
- Article 9 (ICT Risk Management): Implement access control policies based on least privilege and need-to-know principles
- Article 10 (Detection): Deploy mechanisms to promptly detect anomalous activities, including unauthorized access to customer data
- Article 17 (Incident Reporting): Report major ICT-related incidents to competent authorities within strict timelines
- Article 25 (ICT Third-Party Risk): Conduct regular testing of ICT systems including insider threat scenarios
📊 Why This Fine Matters
The €31.8M fine is one of the largest GDPR penalties in Italy's history and sends a clear signal: insider threat detection is not optional. Under DORA, a bank failing to detect two years of unauthorized data access would face additional regulatory action from financial supervisors, potentially including restrictions on operations or management changes.
Key lesson: Having access controls is not enough. You must prove they actually work — and that anomalies are detected in real time, not two years later.
🇪🇺 European Commission Breached by ShinyHunters
In a deeply ironic twist, the European Commission — the institution that authored GDPR, NIS2, DORA, and the EU AI Act — disclosed that its Europa.eu web portal was breached by the ShinyHunters hacking group.
The Breach
ShinyHunters, a well-known cybercrime group, claims to have stolen over 350 gigabytes of data including databases, emails, and internal documents from European Commission cloud systems hosted on Amazon Web Services (AWS). The group has published data samples on its dark web leak site.
Commission spokesperson Thomas Regnier confirmed the incident but sought to minimize its significance, stating that:
- Defense systems "immediately detected the malicious activities" and contained the incident
- Only Europa.eu public websites were affected — not internal Commission infrastructure
- The data involved was "potentially already in the public domain"
The Commission declined to specify what data was accessed, how many users could be affected, or whether personal data was involved.
NIS2 Compliance Questions
The irony is not lost on the cybersecurity community. The European Commission is the institution responsible for enforcing NIS2 across all 27 member states. Under NIS2 Article 23, essential entities must:
- Submit an early warning within 24 hours of becoming aware of a significant incident
- Provide an incident notification within 72 hours with an initial assessment
- Deliver a final report within one month including root cause analysis
🚨 The Credibility Problem
If the EU Commission cannot secure its own infrastructure, how can it credibly enforce NIS2 compliance on member states and private organizations? This breach — regardless of its actual severity — undermines regulatory credibility at a critical moment, just as NIS2 enforcement enters its first year of full implementation across Europe.
Cloud Security Under Shared Responsibility
The fact that Europa.eu runs on AWS highlights a persistent compliance gap: the shared responsibility model. AWS secures the infrastructure; the customer (in this case, the Commission) secures the configuration, access controls, and data.
Common cloud misconfigurations that lead to breaches like this:
- S3 buckets with overly permissive access policies — the most common cloud data leak vector
- IAM roles with excessive privileges — violating least-privilege principles
- Unencrypted databases exposed to the internet via misconfigured security groups
- Missing logging/monitoring — CloudTrail or GuardDuty not enabled on all accounts
- Legacy API keys with broad access that were never rotated
📋 What This Means for Your Organization
If You're in Financial Services (DORA + GDPR)
The Intesa Sanpaolo fine establishes a clear enforcement precedent:
- Insider threat detection is mandatory. User behavior analytics (UBA) and privileged access monitoring must be in place — not just access controls.
- Least-privilege access is enforced, not assumed. Employees should only access customer records they need for their specific role. Query-the-entire-database access is a compliance violation.
- Breach notification timelines are strictly enforced. GDPR's 72-hour window and DORA's incident reporting requirements are not suggestions.
- High-profile customers require enhanced controls. PEP (Politically Exposed Persons) monitoring isn't just for AML — it's now a data protection requirement.
If You're an Essential or Important Entity (NIS2)
The Commission breach demonstrates that no organization is immune:
- Audit your cloud configuration. If the EU Commission can misconfigure AWS, so can you. Run infrastructure-as-code security scanning (Checkov, tfsec, KENSAI).
- Don't rely on "it's public data" defense. Under GDPR and NIS2, even publicly available data can contain personal information requiring protection.
- Third-party cloud risk is your risk. NIS2 Article 21 makes you liable for supply chain security, including cloud provider configurations.
- Incident response plans must include cloud scenarios. Can your team respond to an S3 breach at 3 AM? Is your CSIRT trained on cloud forensics?
CareCloud Healthcare Breach — GDPR/NIS2 for Health Data
Adding to this week's regulatory pressure, healthcare IT firm CareCloud disclosed a data breach to the SEC affecting patient data in one of its electronic health record (EHR) environments. Healthcare entities are classified as essential entities under NIS2, and patient health data receives the highest protection level under GDPR Article 9 (special categories of personal data).
Organizations handling health data face:
- GDPR fines up to €20 million or 4% of global turnover for health data breaches
- NIS2 penalties up to €10 million or 2% of global turnover for essential entities
- Potential management liability — NIS2 Article 20 allows personal sanctions against directors
🔮 Regulation Outlook: What's Coming
| Regulation | Status | Next Milestone |
|---|---|---|
| NIS2 | Enforcement active in most member states | First wave of BSI/ANSSI audits underway Q2 2026 |
| DORA | Fully applicable since Jan 17, 2025 | ESA joint committee reviewing first incident reports |
| GDPR | Enforcement intensifying (see: €31.8M fine) | EDPB guidelines on AI data processing expected Q2 2026 |
| EU AI Act | Prohibited practices ban active since Feb 2, 2025 | High-risk AI system requirements apply Aug 2, 2026 |
| CRA | Cyber Resilience Act entered into force Dec 2024 | Vulnerability reporting obligations start Sep 2026 |