44% of privacy professionals in Europe say their teams are underfunded, while more than half (54%) expect privacy budgets to be reduced further in 2026. All this comes against a backdrop of increasing risks for EU companies, according to the State of Privacy 2025 study carried out by ISACA.

In a region with one of the most mature privacy regulatory environments in the world, lack of investment is already having tangible consequences. Nearly four in ten (39%) privacy-related legal professionals and more than half (51%) of privacy technical positions in Europe report a lack of staff in companies. Meanwhile, more than a quarter (26%) of professionals believe their organization is likely to suffer a significant privacy breach in the next year.

However, this continues to go unnoticed by most managers. More than a quarter (26%) of European respondents say their board is not adequately prioritizing privacy, even as risks continue to intensify.

Chris Dimitriadis, Director of Global Strategy at ISACA, said: “Privacy teams are being asked to manage more risks with fewer resources and the pressure on workers is beginning to become apparent. As organizations adopt new technologies at a rapid pace, the volume and complexity of data protection obligations grow in parallel, but many teams continue to operate without the staff, funding or training necessary to keep up.”

Furthermore, he noted that “when boards of directors underestimate this discipline, they in turn underestimate a fundamental pillar of digital trust. A single information breach can erode years of brand value, damage customer relationships or trigger significant regulatory consequences. Prioritizing these principles is not simply a regulatory compliance requirement; it is a business imperative.”

More privacy risks than ever

These pressures are intensifying at a time when risks are accelerating. Nearly half (49%) of professionals say managing the risks associated with new technologies is a major obstacle to their privacy programs. The human impact is equally overwhelming: 67% indicate that their work is now more stressful than five years ago, with around 68% of respondents citing the dizzying speed of technological change and 64% citing regulatory compliance challenges as key factors.

Furthermore, regulatory complexity compounds these challenges. More than a fifth (22%) of professionals in Europe say their organization has difficulty identifying and understanding its legal obligations, while more than half (51%) point to the complexity of international laws and regulations as a key barrier. On the other hand, practically no professional has complete confidence that companies are prepared to face future challenges in this area: only 8% of respondents declare themselves completely confident in their organization’s ability to comply with new and emerging privacy laws.

While regulation helps elevate these discussions to board level, a focus solely on compliance leaves organizations exposed. True resilience requires boards to see it as a strategic and ethical priority.

Dimitriadis continues: “These gaps highlight a critical reality: the protection of personal data cannot be strengthened solely through controls or checklists, not even with the help of AI. It requires sustained investment in people, governance and culture, and that starts at the top layer of an organization.”

Greater data-oriented security

In this sense, he noted that “boards of directors must treat this matter as a strategic driver of trust, resilience and competitive advantage. When organizations provide their teams with the skills, resources and authority they need, they not only reduce risks, but also prepare their business for the next wave of regulatory and technological changes.”

Despite all of the above, many organizations are taking positive steps: 79% of European companies use a framework or regulation, the GDPR being the most common, to guide their internal programs. And the majority apply controls such as data security (71%) and encryption (73%).

However, only 64% of European organizations have a formal incident response plan, leaving more than a third unprepared to respond effectively to critical situations. Retention is also a growing concern: 34% report difficulties retaining qualified professionals and 45% point to lack of training as a key factor contributing to failures in this area.

As risks continue to rise, ISACA warns that failing to invest now could leave organizations increasingly vulnerable in the years to come.