
GDPR monitoring and compliance 2026: a guide for CIO & CISO

GDPR, NIS2, DORA and the AI Act converge in 2026. A practical guide for CIOs and CISOs.

  • Momentum EMEA
  • March 17, 2026
  • 8 min read

GDPR monitoring and compliance in 2026: how your organisation stays demonstrably in control.

In 2026, large organisations face a compliance challenge that did not exist in 2018. When the GDPR took effect, organisations could focus on a single regulatory framework. In 2026, four are in play at the same time. The GDPR, NIS2, DORA and the EU AI Act overlap, reinforce one another and impose partly conflicting requirements. For CIOs and CISOs who must answer to a board or a regulator, this is not a legal question. It is a governance question.

Enforcement has also tightened. Cumulative GDPR fines in Europe reached almost 5.9 billion euro by the end of 2025, with 2025 alone accounting for 2.3 billion euro, a 38% increase on the previous year. And the new GDPR enforcement regulation, adopted in May 2025, enables faster and more effective cross-border enforcement. For the directors of multinational organisations, forum shopping is gone for good.

In this article you will read what GDPR monitoring concretely means for large organisations, what the regulatory collision of four EU frameworks looks like, and what you must do now to be demonstrably in control. With the EU AI Act fully in force from 2 August 2026, postponement is no longer an option.

Key insights

  • Four frameworks, one organisation: GDPR, NIS2, DORA and the AI Act impose partly overlapping and partly complementary requirements. Treating them separately creates duplicate work and blind spots.
  • Directors are personally liable: under NIS2 and DORA, directors can be held personally accountable for gross negligence in cybersecurity oversight.
  • Enforcement is accelerating: the new GDPR enforcement regulation (May 2025) makes cross-border enforcement faster and more effective. Cumulative EU fines now total almost 5.9 billion euro.
  • Paper is not enough: regulators expect demonstrably working processes, not static policy documents. GRC dashboards with real-time insight are becoming the norm.
  • HR plays a key role: human behaviour remains the weakest link. A compliance culture and AI literacy are not optional, they are legally required.
  • Multinational complexity is increasing: cross-border data transfers require up-to-date Standard Contractual Clauses and a data sovereignty strategy for each country of establishment.


What does GDPR compliance mean for large organisations?

The GDPR is not a law you implement once and can then forget. It is a continuous process of monitoring, documentation and demonstrability. For large organisations with multiple locations, diverse business processes and hundreds of systems that process personal data, this places particular demands on the governance architecture.

The core obligations are well known but are often only partially complied with in practice. Every organisation that processes personal data is required to maintain a record of processing activities that documents, per processing activity, which data is processed, on what legal basis, for what purpose and for how long. For large organisations with decentralised IT structures, this record is often outdated or incomplete, precisely because new systems, applications and AI tools are deployed without updating the record.

In addition, organisations that process special categories of personal data on a large scale are required to appoint a Data Protection Officer (DPO). The DPO reviews policy, guides Data Protection Impact Assessments and acts as the point of contact for the data protection authority. In practice, in many organisations the DPO is involved too late in new IT projects and AI implementations, resulting in compliance risks.

A Data Protection Impact Assessment (DPIA) is mandatory when a processing activity is likely to result in a high risk to data subjects. Think of large-scale monitoring of employees, profiling based on personal data, or the use of new technologies such as AI models that influence decisions. The DPIA is not a paper exercise. It is the basis for responsible implementation decisions.

Finally, there is the 72-hour notification obligation for data breaches. Within 72 hours of discovering a breach that poses a risk to the rights of data subjects, it must be reported to the data protection authority. Where data subjects face a high risk, they must also be informed directly. In practice, detecting and classifying a data breach itself proves time-consuming, which puts pressure on the 72-hour standard.

The regulatory collision: GDPR, NIS2, DORA and the AI Act at once

2026 marks a turning point in European regulation. For the first time, four major frameworks are in force simultaneously, each addressing different aspects of digital risk, but whose requirements strongly overlap when it comes to AI systems, incident response and supply chain governance.

NIS2 requires large organisations in essential and important sectors to maintain robust risk management, logging, monitoring and rapid incident reporting. Under NIS2, directors are personally accountable for ensuring that risk management is adequate. DORA, in force since 17 January 2025, harmonises digital operational resilience specifically for financial entities and their critical ICT service providers. The AI Act adds a third layer from 2 August 2026 for organisations that develop or deploy high-risk AI systems.

This convergence creates practical problems. A security incident involving an AI system at a financial institution may simultaneously require reporting under the AI Act (if a high-risk system fails), under DORA (as a major ICT incident) and under NIS2 (as a significant security incident). Each framework has its own timeline, thresholds and reporting procedures. Organisations without an integrated GRC platform risk missing deadlines or reporting inconsistent information to regulators.

The key to efficient compliance is cross-mapping: identify common controls that satisfy multiple frameworks at the same time. Risk registration, access management, audit logging and incident response are areas where policy set up correctly once covers the requirements of all four frameworks. Organisations that leverage this overlap significantly reduce their compliance workload.

Expert insight

Compliance is not a cost item. It is proof that your organisation can be trusted.

The heart of the regulatory collision in 2026 is not the complexity of the rules themselves. It is the shift from "are we compliant?" to "can we demonstrate it every day?" Organisations that keep treating compliance as annual audit preparation build legally vulnerable positions. Organisations that embed compliance in daily processes, automate audit trails and link board reporting to real-time GRC dashboards build a competitive advantage. Trust among customers, partners and regulators is no longer only an ethical choice. It is a market position.

Momentum supports CIOs and CISOs in setting up integrated compliance architectures for the GDPR, NIS2, DORA and AI Act. Meet us on 4 June at the BMW Driving Experience in Zandvoort.

What is at stake? Fines and director liability

The financial risks of non-compliance are substantial and increasing. Fines for serious GDPR breaches can reach up to 20 million euro or 4% of global annual turnover, whichever is higher. For large multinational companies, 4% of annual turnover can be an astronomical amount: analyses show that for the largest listed European companies this can run to several billion euro.

The enforcement trend is unmistakable. In 2025, TikTok was fined 530 million euro by the Irish regulator for systematically transferring personal data of EU users to China without adequate safeguards. LinkedIn received a 310 million euro fine in October 2024 for using personal data for advertising purposes without a valid legal basis. The message is clear: even the largest technology companies are being corrected.

Alongside financial fines, NIS2 introduces a dimension that has not yet fully registered with many directors: personal liability. Directors can be held personally accountable for gross negligence in the oversight of cybersecurity risk management. This makes compliance a direct board responsibility, not solely a task for IT or Legal. The same logic applies to DORA in the financial sector. Combined with the new GDPR enforcement regulation, which streamlines cross-border procedures and sets concrete deadlines for decision-making, the back door of endless procedural delay is closing.

Reputational damage is a third risk factor that is harder to quantify but at least as impactful. A published fine or a data breach that becomes public affects customer trust, shareholder value and the ability to attract talent. For organisations active in multiple countries, the international media impact of a significant enforcement action is correspondingly greater.

From paper policy to demonstrable compliance: a step-by-step plan

The distinction between paper compliance and demonstrable compliance is the difference between a policy manual and living evidence. In 2026, regulators expect not only a record of processing activities and a privacy policy. They expect log trails, attestations, dashboards and reports that show processes work daily as intended.

Step 1: Determine scope. Map out which regulations apply to your organisation. The GDPR applies to all organisations that process personal data of EU citizens. NIS2 applies to essential and important entities across eighteen sectors. DORA applies to financial entities and their critical ICT service providers. The AI Act applies to organisations that develop or deploy high-risk AI systems. For large multinational organisations, multiple frameworks almost always apply.

Step 2: GRC as the anchor. Implement a Governance, Risk & Compliance (GRC) platform as the central anchor for all compliance activities. Link controls to owners, set up a review calendar and ensure reports are available to the board in real time. ISO 27001 and ISO 42001 provide a recognised management system that aligns with the technical requirements of both NIS2 and the AI Act.

Step 3: Automate evidence. Generating compliance evidence manually via spreadsheets is untenable from the outset for large organisations. Automate the evidence base via IAM systems that generate access logs, SIEM platforms that capture incident trails, DLP tools that record data processing patterns, and records of processing activities that are maintained live as systems change. The goal is for compliance evidence to be a natural by-product of daily operations, not a quarterly project.

Step 4: Culture and periodic review. Policy only works if employees act on it. Embed periodic compliance training, role-specific awareness for HR, Legal, IT and Management, and tabletop exercises for incident response. Build compliance in structurally as a fixed agenda item in board and management meetings.

Particular challenges for multinational organisations

Large organisations with locations in multiple countries face a compliance challenge that is fundamentally more complex than that of national companies. The GDPR is, admittedly, a European regulation that applies uniformly, but its practical implementation varies by country through national supplementary legislation, sector-specific rules and the interpretation of national regulators.

Cross-border data transfers are a particular point of risk. When personal data of EU citizens is transferred to locations or service providers outside the EU, this requires a valid transfer mechanism. Standard Contractual Clauses (SCCs) are the most widely used instrument, but require an up-to-date Transfer Impact Assessment for each destination country. After the General Court ruling of September 2025 that upheld the EU-US Data Privacy Framework, the situation for transatlantic transfers has stabilised, but organisations are advised to maintain SCCs as a back-up.

The rise of data sovereignty as a policy principle adds an extra layer. Countries such as India (Digital Personal Data Protection Act, in force 2025) and Saudi Arabia impose requirements on local storage of certain data types. For organisations with locations in these regions, this means that cloud infrastructure choices have acquired a direct compliance dimension. A centralised data storage model is no longer tenable for such organisations without an explicit data residency strategy per jurisdiction.

The combination of the GDPR, NIS2 and AI Act also makes supply chain compliance a direct responsibility. NIS2 requires the assessment of supply chain security. This means that CISOs of large organisations must not only ensure internal compliance, but must also be able to demonstrate that critical suppliers and IT service providers meet equivalent security standards. Contractual anchoring and periodic supplier audits are the indispensable instruments for this.

How HR and change management make the difference

Compliance technology and policy documents are necessary, but not sufficient. The most frequently cited weak point in virtually every compliance framework remains human behaviour. Phishing, shared passwords, the inadvertent use of unapproved tools and insufficient knowledge of data processing rules are risks that cannot be solved with a firewall.

As of February 2025, AI literacy for all employees who work with AI systems is already legally required under the EU AI Act. That is an explicit invitation to HR and Learning & Development to play an active role in compliance. But it goes further than mandatory training. Organisations that want to build a culture of responsible data use invest in role-specific awareness programmes, simulations of phishing and data breach scenarios, and transparent communication about what is being monitored and why.

Change management plays a key role for large organisations that want to translate compliance policy into daily behaviour on the work floor, especially across locations in multiple countries with different organisational cultures. A compliance framework that lives only at head office does not protect the organisation. The behavioural change must demonstrably take place at all locations, in all roles and in all languages.

Want to know where your organisation stands on GDPR monitoring, regulatory convergence and demonstrable compliance? On 4 June 2026, Momentum is hosting an exclusive event at the BMW Driving Experience in Zandvoort for CIOs, CISOs and IT directors. Concrete governance models, insights from Cato Networks and Five9, and peer conversations with other IT leaders. Only 60 places available.

Ready for the compliance challenge of 2026?

GDPR, NIS2, DORA and the AI Act are converging. Director liability is real. And enforcement is accelerating. On 4 June 2026, Momentum brings IT leaders together for an exclusive inspiration session at the BMW Driving Experience in Zandvoort. Governance models, real-world cases and peer exchange in an environment that combines control and speed. Only 60 places available.

Register now and make sure your compliance strategy is ready for August 2026.

Frequently asked questions

What is GDPR compliance and what does it mean for large organisations?

GDPR compliance means that an organisation meets all the obligations of the General Data Protection Regulation when processing personal data. For large organisations this includes an up-to-date record of processing activities, the appointment of a DPO where required, carrying out DPIAs for high-risk processing, complying with the 72-hour breach notification obligation and demonstrably safeguarding the rights of data subjects.

What fines does an organisation risk for breaching the GDPR?

For serious GDPR breaches, fines can reach up to 20 million euro or 4% of global annual turnover, whichever is higher. Cumulative GDPR fines in Europe amounted to almost 5.9 billion euro by the end of 2025. Besides financial fines, organisations risk reputational damage and operational disruption from regulatory investigations.

What is the difference between the GDPR, NIS2 and DORA?

The GDPR governs the protection of personal data. NIS2 sets requirements for cybersecurity risk management and incident reporting for essential and important entities across eighteen sectors. DORA harmonises digital operational resilience specifically for financial entities and their critical ICT service providers. In 2026, all three are in force simultaneously, complemented by the EU AI Act for organisations that deploy high-risk AI systems.

When is a Data Protection Impact Assessment mandatory?

A DPIA is mandatory when a processing activity is likely to result in a high risk to the rights and freedoms of data subjects. This is the case at least for large-scale processing of special categories of personal data, systematic and extensive profiling, and the use of new technologies such as AI systems that influence decisions.

How does the data breach notification obligation work?

A data breach that poses a risk to the rights and freedoms of data subjects must be reported to the data protection authority within 72 hours of discovery. Where there is a high risk to data subjects, they must also be informed directly. The organisation is required to document all data breaches, even when notification is not mandatory.

Who is the BMW Driving Experience event on 4 June 2026 for?

The event is aimed at CIOs, CISOs, IT directors and IT managers of large enterprises who think strategically about compliance governance, privacy monitoring and the interplay of GDPR, NIS2, DORA and the AI Act. The programme combines strategic insights, real-world cases from Five9 and Cato Networks, and peer exchange at Circuit Zandvoort. Only 60 places available.
