Press coverage of GDPR fines is skewed toward the megafines (Meta, Amazon, Google) that grab headlines. The GDPR.eu fine reference is useful for the legal mechanics; this article complements it with the 2026 reality of what fines look like for SaaS at different sizes, so you can plan rather than panic.
The legal ceiling vs the operational floor
The ceiling is well known: Article 83 GDPR allows fines of up to 20M EUR or 4% of worldwide annual turnover (whichever is higher) for the most serious violations (breaches of the basic processing principles, data subject rights or transfer rules), with a lower tier of up to 10M EUR or 2% for controller and processor duties such as records of processing, breach notification and DPIAs. The operational floor (what actually happens to small and medium SaaS) is much lower:
| Company size | Typical fine range | Common violation |
|---|---|---|
| Pre-revenue / under 100k EUR ARR | 500 - 5,000 EUR | Missing DPO designation (where Art. 37 requires one), no privacy notice |
| 100k - 1M EUR ARR | 2,000 - 30,000 EUR | Late breach notification, cookie banner issues |
| 1M - 10M EUR ARR | 10,000 - 250,000 EUR | Sub-processor failures, retention violations |
| 10M - 100M EUR ARR | 100,000 - 2M EUR | Systemic process failures |
| 100M+ EUR ARR | 500,000 - 50M EUR | Cross-border violations, repeated breaches |
These ranges describe the middle of the distribution of fines published by EU authorities in 2024-2025, not the extremes. Outliers exist; the shape of the distribution is what matters for planning.
The 4 levers regulators use (condensed from the Article 83(2) factors)
1. Nature and gravity
Number of affected subjects, sensitivity of data, intentional vs negligent. Health/financial data multiplies the base.
2. Mitigation
Speed of response, breach notification, cooperation. Notifying the authority within the 72-hour Article 33 window is a legal duty, not a courtesy, but doing it early, completely and before the regulator hears of the breach elsewhere counts as mitigation. Self-disclosure routinely cuts fines 30-50%.
3. Compliance posture
Article 30 records of processing, documented DPIAs, sub-processor agreements, internal training. A company that can show "we tried" pays less.
4. Repeat offender status
First-time violations get warnings or low fines. Second-time in the same area can be 5-10x.
The single highest-leverage action a small SaaS can take is keeping a documented privacy posture (policies versioned, sub-processors mapped, DPIA on file). Regulators routinely cite "the entity demonstrated good faith" as a reason to reduce the base fine substantially.
What insurance can and cannot do
Cyber insurance often covers third-party costs (legal defense, notification, forensics) but rarely covers the regulatory fine itself; in many EU member states administrative fines are treated as uninsurable on public-policy grounds, so check the policy wording rather than assuming. Plan accordingly: insurance buys you the response, not the fine.
The realistic budget for 2026
For a SaaS between 1M and 10M ARR operating in EU:
- Privacy compliance program: 30,000-80,000 EUR/year
- Risk reserve for potential fine: 100,000-250,000 EUR
- Incident response retainer: 10,000-30,000 EUR/year
Investing in the compliance program lowers both the fine reserve and the incident response cost. The math compounds.
Article 83(1) GDPR, as the GDPR.eu reference notes, requires fines to be "effective, proportionate, and dissuasive". For SaaS, the practical translation: bad faith multiplies fines, documented good faith divides them. Your compliance trail is the single biggest variable.
Conclusion
Plan for the median, prepare for the outlier. A 30,000 EUR fine is survivable; a 2M EUR fine restructures the company. The variance is mostly explained by documentation and posture. Both are within your control.
To maintain versioned policies, sub-processor maps and DPIA records that regulators recognize as good faith, try Termerly free.