GDPR Enforcement in 2026 Just Stopped Caring About Your Policies
Key Takeaways
- Regulators are targeting systems, not paperwork. GDPR enforcement is accelerating, with regulators issuing more fines in 2023–2026 than in the preceding five years combined. The pattern increasingly punishes the gap between documented compliance and operational reality.
- Two parallel cases set the pattern. The Dutch DPA’s €100M fine against MLU and the Irish DPC’s investigation into Shein send the same signal from two regulators: transfer mechanisms must be provable in practice, not just documented on paper.
- Evidence beats assurance. European regulators want exportable audit trails, immutable logs, and documented response readiness. “We believe we’re compliant” no longer passes the bar.
- Cross-DPA coordination is accelerating. The era of forum-shopping is closing. The same legal theories now appear simultaneously in Dublin, The Hague, Hamburg, and Paris.
- Compliance fragmentation is the real cost. Organizations running separate tools for email, file sharing, MFT, forms, and AI cannot produce a unified audit trail. The architectural debt becomes the compliance liability.
The Era of Policy-Document Compliance Is Over
In a single month, two European data protection authorities issued enforcement signals that should reset how every CISO, DPO, and general counsel thinks about compliance posture. On May 8, 2026, the Dutch DPA publicly announced a €100 million fine on MLU B.V. — the Dutch operator of the Yango taxi app and a Yandex subsidiary — for unlawful transfers of Finnish and Norwegian user data to Russia, finding that Standard Contractual Clauses alone were insufficient. Three days earlier, Ireland’s DPC announced an investigation into Infinite Styles Services (Shein Ireland) over EU and EEA data transfers to China.
Two regulators. Two high-risk destinations. One legal theory: contractual safeguards are not a substitute for architectural control.
Layered over both cases is a broader enforcement trend analysis showing that GDPR fines now exceed €7.1 billion across more than 1,400 decisions since 2018, with regulators issuing more fines between January 2023 and March 2026 than in the preceding five years combined. The acceleration reflects three factors: regulators developing institutional expertise, DPAs staffing up after initial hiring, and organizations that ignored GDPR compliance finally reaching enforcement action. Article 6 legal basis violations now account for roughly one-third of enforcement actions, and the EDPB’s 2026 coordinated enforcement initiative will focus on transparency compliance across multiple sectors and jurisdictions.
What ties these enforcement signals together is a regulatory thesis that has been building since Schrems II: that compliance is something an organization demonstrates, not something it claims. The Dutch and Irish actions are the operational version of that thesis. The fines are the price of treating it as theoretical.
For controllers, the message is uncomfortable but clear. The policy document era of GDPR compliance is over. The evidence-and-architecture era has arrived. The organizations that recognize the shift early will spend less, audit faster, and survive enforcement scrutiny better than the organizations still building binders.
Where Compliance Documentation Drifts From Operational Reality
The 2026 cases share a common thread that goes beyond any single enforcement theory: they punish the gap between what organizations document and what their systems actually do. Three patterns recur across recent DPA decisions and analyst reviews.
- Documentation that doesn’t reflect reality. A controller’s Record of Processing Activities lists data flows that no longer match the deployed architecture. A DPIA was completed for the pilot but never updated when the system scaled. A vendor inventory is six months old. When the DPA asks for evidence, the documentation says one thing and the systems say another. The regulator concludes that the documentation is theater.
- Corrective orders ignored. A prior DPA action required specific remediations — updated authentication, scoped access, breach notification timelines. The remediations were promised. The follow-through was partial. When a new incident occurs, the regulator escalates not because of the new incident alone, but because the prior corrective order was treated as advisory.
- Risk recognized but not controlled. The internal documents — board decks, audit reports, DSPM findings — showed the organization knew the risk existed. The controls did not catch up. The “knew and didn’t act” framing is now the regulator’s favorite narrative because it is also the one that supports the highest penalty multiple.
Each pattern points to the same root cause: compliance treated as a documentation exercise rather than an operational one. The fix is not better policies. The fix is systems that produce the evidence the policies promise.
The 2026 enforcement trend analysis underscores how this plays out in penalty calculations. Regulators are increasingly using the “knew and didn’t act” framing because it justifies higher penalty multiples than a clean technical failure. A misconfiguration is a mistake. A documented risk that was not remediated is a choice. The fine multiplier reflects that distinction, and the documentation trail an organization produced for its own internal governance becomes the evidence the regulator uses to assess the choice.
Why Cross-Border Transfers Are the Test Case
Cross-border transfers concentrate every governance failure into one decision point. The legal basis. The technical safeguards. The vendor due diligence. The Transfer Impact Assessment. The response readiness for a government access request. All of it converges at the moment a personal data record crosses a border.
That is why the Dutch AP picked Yango operator MLU and the Irish DPC picked Shein. The transfer is the visible artifact of the underlying governance system. If the transfer mechanism cannot be defended, the rest of the governance posture is presumed weak.
Kiteworks Data Security and Compliance Risk: 2026 Forecast Report data shows the scale of the gap. Only 36% of organizations have visibility into how partners handle data in AI systems. 29% cite cross-border transfers via AI vendors as a top privacy exposure. The recognition is high. The control is not.
The 2026 Forecast Report describes the shift as moving from “where is the data stored?” to “where is it processed, who can access it, and can you prove it?” Storage sovereignty answers the first question and most large organizations have solved it. Processing sovereignty answers the second two. The MLU and Shein cases turn entirely on the second two.
AI workloads complicate every part of this. A prompt may be processed in a different jurisdiction than the storage location. The model may be hosted in a third country. Fine-tuning may occur in a fourth. The output may traverse multiple borders before returning. Traditional sovereignty controls cannot capture this distribution because they assume data has a fixed location. AI assumes it doesn’t.
Cross-DPA Coordination Is Closing the Forum-Shopping Era
For years, organizations could exploit the inconsistency between European DPAs. Ireland’s DPC was slow. Germany’s authorities were aggressive but fragmented. The Italian Garante issued bold orders that frequently faced court reversal. Different jurisdictions, different appetites, different timelines.
The 2026 enforcement trend analysis shows that gap closing. DPAs are coordinating through the European Data Protection Board, sharing case theories, and aligning on enforcement priorities. The Dutch AP’s reasoning in MLU is consistent with positions articulated by the EDPB on Schrems II. The Irish DPC’s Shein inquiry follows the same legal architecture. The CNIL, the BfDI, and the AP are increasingly arriving at the same conclusions on overlapping fact patterns.
This matters because it eliminates the strategic advantage of forum-shopping for the EU headquarters. A multinational that picks Dublin because the DPC is perceived as lenient now faces a DPC investigating Shein under the same theory the AP used against MLU. The friendly forum has become the coordinated one.
It also matters because the coordination accelerates the legal half-life of enforcement decisions. The MLU theory will appear in other DPA actions within months, not years. Controllers who decide to wait and see whether the precedent holds are deciding to be the next defendant.
The practical implication for compliance teams: monitoring enforcement requires monitoring all DPAs simultaneously, not just the local one. The risk register has to assume that any theory adopted by one DPA will be applied by others within a compressed window.
Fragmentation Is the Architectural Debt
Most organizations cannot produce the unified evidence European regulators now expect because their data exchange infrastructure is fragmented. Email lives in one system. File sharing in another. Managed file transfer in a third. SFTP servers run on legacy boxes. Data forms collect personal data through point solutions. AI workloads consume data through yet another integration layer.
Each system has its own audit trail. Each integration has its own gap. When a DPA asks for the complete record of how a personal data set moved — which user accessed it, which vendor processed it, which jurisdiction it traversed — the answer requires correlating five or six different log sources. The correlation takes weeks. The DPA wants the answer in days.
This is what Kiteworks 2026 Forecast Report data describes as architectural debt becoming compliance liability. 33% of organizations lack evidence-quality audit trails. The reason is not lack of logging. It is fragmented logging. The systems each produce data; no single system produces evidence.
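As an added example of the correlation described above (not Kiteworks code, and not tied to any real product schema), the script below takes constructed log lines from three separate systems, normalises them into one schema, builds one time-ordered trail per file id, and reports the hops that left an assumed allowlist of regions. The log formats, file ids, vendor names and the region allowlist are all assumptions chosen for the example.

```python
import json
import re
from collections import defaultdict

# Constructed sample lines (not real logs) from three separate systems:
# an email gateway and an MFT server (key=value) and an AI gateway (JSON).
EMAIL_LOG = [
    "2026-04-02T09:14:03Z email user=anna@example.eu action=send file_id=F-1021 region=NL",
    "2026-04-03T10:00:00Z email user=bob@example.eu action=send file_id=F-1033 region=DE",
]
MFT_LOG = [
    "2026-04-02T11:40:55Z mft user=svc-transfer action=push file_id=F-1021 vendor=vendor-a region=RU",
    "2026-04-03T08:02:10Z mft user=svc-transfer action=push file_id=F-1033 vendor=vendor-b region=DE",
]
AI_LOG = [
    '{"ts": "2026-04-02T12:05:00Z", "system": "ai", "user": "anna@example.eu", '
    '"action": "prompt", "file_id": "F-1021", "region": "US"}',
]
# Assumed allowlist for this example only: a few EU/EEA codes. A real list would
# hold every region the organisation has approved under its own transfer rules.
ALLOWED_REGIONS = {"NL", "DE", "FR", "IE", "NO", "FI"}

KV_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<system>\S+)\s+(?P<rest>.*)$")

def parse_events(lines):
    """Normalise key=value and JSON lines into dicts sharing one schema."""
    events = []
    for line in lines:
        if line.lstrip().startswith("{"):
            events.append(json.loads(line))
            continue
        m = KV_RE.match(line)
        if not m:
            continue  # unknown format: skip rather than guess at fields
        ev = {"ts": m["ts"], "system": m["system"]}
        ev.update(kv.split("=", 1) for kv in m["rest"].split() if "=" in kv)
        events.append(ev)
    return events

def build_trails(events):
    """Group events by file_id and order them in time: one trail per data set."""
    trails = defaultdict(list)
    for ev in events:
        if "file_id" in ev:
            trails[ev["file_id"]].append(ev)
    return {fid: sorted(evs, key=lambda e: e["ts"]) for fid, evs in trails.items()}

def flag_transfers(trails, allowed=ALLOWED_REGIONS):
    """Per file, return the hops whose region is outside the allowlist (TIA review input)."""
    return {fid: [e for e in evs if e.get("region") not in allowed]
            for fid, evs in trails.items()
            if any(e.get("region") not in allowed for e in evs)}

def regions_for(trails, fid):
    """The ordered list of regions a file id passed through, across all systems."""
    return [e.get("region") for e in trails[fid]]
```

Run on the constructed input, file F-1021 yields the trail NL, RU, US and is flagged at its MFT and AI hops; F-1033 stays inside the allowlist and is not reported.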
The European Sovereignty Report from Kiteworks describes the consolidated alternative: a single zero-trust platform where email, file sharing, managed file transfer, SFTP, data forms, and AI workloads share unified policy enforcement and a consolidated audit log. That is the architectural answer to the systemic governance problem the DPAs are now punishing. It is not the only answer, but it is the one most aligned with where regulators are headed.
The Kiteworks Approach: One Audit Trail, Many Frameworks
Kiteworks replaces fragmented point solutions with a unified governance framework that produces the audit-ready documentation regulators, auditors, and enterprise customers increasingly demand. The Private Data Network consolidates email, file sharing, managed file transfer, SFTP, and data forms into a single platform where every file is controlled, tracked, and protected across its life cycle.
The architecture matters for compliance because it produces single-source evidence. Centralized, immutable audit logs capture who accessed what, when, on whose behalf, and under which policy. Automated compliance reporting — with preconfigured templates for GDPR, DORA, NIS 2, PIPEDA, PDPL, and more — delivers the exportable artifacts a DPA expects to see on demand, not on quarterly cadence.
The sovereignty dimension is enforced at the architectural level. Encryption key custody is retained in-jurisdiction. Geofencing is enforced through configurable IP controls. Flexible deployment options — on-premises, private cloud, hybrid, FedRAMP — allow organizations to keep sensitive content within the home jurisdiction, whether that is the EU, Canada, the Middle East, or the US. The controls do not depend on the goodwill of a third-country processor. They depend on the architecture of the data path itself.
For organizations preparing for the next wave of GDPR enforcement, the implication is straightforward. The same investments that satisfy GDPR also satisfy DORA, NIS 2, PIPEDA, PDPL, and the data governance components of the EU AI Act. The “one platform, multiple frameworks” posture is not a marketing line. It is the operational answer to a regulatory environment that is converging on common evidence requirements across overlapping frameworks.
What Organizations Need to Do Before the Next DPA Inquiry Lands
- First, run a documentation-to-reality audit. Compare the ROPA, DPIAs, and vendor inventories against what is actually deployed. Per Kiteworks 2026 Forecast Report findings, 33% of organizations lack evidence-quality audit trails — which usually means the documentation and the systems have drifted apart. Identify every gap before a regulator does.
- Second, consolidate the audit trail. Fragmented logging is the structural cause of most compliance failures. Kiteworks 2026 Forecast Report data shows the consolidation pays back fastest in cross-border investigations, where unified evidence reduces response time from weeks to days. A single immutable log across data exchange channels is the single most defensible compliance investment available right now.
- Third, treat Transfer Impact Assessments as architectural exercises, not legal exercises. TIAs that document risks without describing the technical controls that mitigate them will not survive post-MLU scrutiny. Kiteworks 2026 Forecast Report findings show only 36% of organizations have visibility into partner AI data handling. Add encryption with controller-held keys, residency enforcement, and access logging to every TIA.
- Fourth, monitor cross-DPA enforcement actively. The coordination among European DPAs means a theory adopted in one jurisdiction will appear in others within months. Per Kiteworks 2026 Forecast Report data, organizations with mature compliance automation programs absorb enforcement signals faster. Build the monitoring into the GRC workflow, not just the legal one.
- Fifth, test the response playbook. Tabletop a government access request. Tabletop a vendor failure in a high-risk jurisdiction. Tabletop a DPA inquiry that requires evidence of processing sovereignty within 72 hours. The Dutch AP decision shows that documented preparation distinguishes the organizations that contain enforcement risk from the ones that pay it.
- Sixth, align the board to the new math. GDPR maximum penalties at 4% of global turnover, combined with the EU AI Act maximum at 7%, push compliance into the enterprise risk register. The MLU fine, the Shein investigation, and the broader enforcement trend are budget conversations now, not just compliance conversations.
The next inquiry will not announce itself. The architecture has to be in place before it arrives.
Frequently Asked Questions
Cross-DPA coordination eliminates forum-shopping. A theory adopted by one DPA will be applied by others within months. Kiteworks Data Security and Compliance Risk: 2026 Forecast Report data shows 33% of organizations lack evidence-quality audit trails. Build the monitoring into GRC workflows, not just legal review, and consolidate logging so evidence can be produced on demand for any DPA inquiry.
Individual logs are telemetry; unified logs are evidence. Kiteworks Data Security and Compliance Risk: 2026 Forecast Report shows 33% of organizations lack evidence-quality audit trails, usually because logs are fragmented across email, file sharing, MFT, and AI tools. Regulators want correlated evidence within days. Unified logging cuts response time from weeks to days and supports GDPR, DORA, NIS 2, and PIPEDA simultaneously.
DPIAs must reflect the deployed architecture, not the planned one. Kiteworks Data Security and Compliance Risk: 2026 Forecast Report found that only 36% of organizations have visibility into partner AI data handling. DPAs increasingly check whether the DPIA describes the system actually running. Run a documentation-to-reality audit, update DPIAs to reflect AI workflows, and document the technical controls that mitigate identified risks.
The Dutch AP decision targets processing sovereignty, not just storage sovereignty. Kiteworks Data Security and Compliance Risk: 2026 Forecast Report found 29% of organizations cite cross-border transfers via AI vendors as a top privacy exposure. Document where each vendor processes data, who can access it under which jurisdiction’s law, and whether encryption keys are held outside the destination country. SCCs alone do not pass the new standard.
Healthcare faces overlapping regulatory exposure where evidence requirements compound. Kiteworks Data Security and Compliance Risk: 2026 Forecast Report found 33% of organizations lack evidence-quality audit trails. A unified governance framework that satisfies GDPR Article 30, HIPAA Security Rule, and emerging AI requirements simultaneously closes the documentation-versus-reality gap that DPAs and HHS OCR increasingly target.