
France's data protection regulator has put a figure on the GDPR's cybersecurity benefits: between 585 million and 1.4 billion euros at the EU level over five years. That sum is comparable to the single 1.2 billion euro fine issued to Meta for GDPR violations.
The French Data Protection Authority (CNIL) estimates that the General Data Protection Regulation (GDPR) has prevented between 90 and 219 million euros in cyber-related losses in France alone and up to 1.4 billion euros ($1.6 billion) at the EU level since 2018.
CNIL specifies that these figures cover only the identity theft prevented through the GDPR, which is a small fraction of cybercrime. The avoided losses would be higher if prevented ransomware, malware, botnet and other attacks were included.
Previous economic studies only marginally addressed the GDPR's benefits, CNIL argues. When companies invest in cybersecurity, they weigh the cost against their own risk of being attacked but ignore the external benefit: an overall environment that becomes more resilient to cybercrime.
The regulator compares cybersecurity to herd immunity, with each company's investment benefiting the whole sector in a "virtuous circle". Without the GDPR, companies would underinvest, creating negative externalities.
“Underinvestment in cybersecurity increases the profitability of cybercrime, particularly through ransomware. When security measures are insufficient, attacks are more likely to succeed,” the report reads.
The GDPR addresses market failures such as inadequate protection at one company that affects other businesses, insufficient deterrence against cybercriminals, and poor protection of user data.
The researchers argue that without the GDPR, companies would keep data breaches quiet to escape liability and reputational damage. The study found that since the GDPR took effect in 2018, mandatory data breach notifications led to a 2.5% to 6.1% decrease in identity theft.
“The GDPR has made this opacity illegal. Data controllers are now required to inform the data protection authority of any breach, as well as the data subjects, in the event of a high risk of a personal data breach.”
The report also claims that 82% of avoided losses ultimately benefited businesses.
While the avoided losses might seem large, the sum is comparable to a single record 1.2 billion euro fine issued to Meta for mishandling user data in breach of the GDPR. Meta has appealed the decision, and the process is ongoing.
According to a recent report by the Federal Bureau of Investigation (FBI), the reported losses from cybercrime in the US soared to $16.6 billion in 2024.