New research from ISACA shows that European privacy teams have to work with fewer and fewer resources, while the risks and regulations are increasing.
In early 2025, ISACA already indicated that privacy teams in Europe have to make do with fewer people and money, despite rising risks. That warning fell on deaf ears. A year later, ISACA has to conclude in a follow-up study that companies are cutting back on the privacy budget.
Privacy experts are increasingly concerned about the declining investments. 44 percent of the European experts surveyed consider their privacy team underfunded. More than half expect budgets to shrink even further in 2026.
Underinvestment
The impact of that underinvestment is clear. Technical and legal privacy roles are understaffed in 51 and 39 percent of cases, respectively. At the same time, 26 percent of professionals think that their organization will experience a material privacy breach within a year. Yet 26 percent say that their executive committee still does not give privacy sufficient priority.
read also
What’s more Important: AI Hype or Control and Compliance?
The complexity of regulation proves to be an important barrier. More than half of the respondents refer to international privacy legislation as a stumbling block. Only 8 percent are completely sure that their organization is ready for new and emerging legislation. In addition, 22 percent indicate that they have difficulty identifying and understanding their legal obligations.
Human pressure and lack of expertise are increasing
The pressure on privacy professionals is increasing: two out of three experience more stress than five years ago. They mainly point to the speed at which technology is evolving and the increasingly complex compliance requirements. In addition, a third of organizations fail to retain qualified profiles. Lack of or inadequate training plays a role here.
Although most organizations do take certain measures – such as data security and encryption – only 64 percent have a formal incident response plan. According to ISACA, control measures or AI tools are not sufficient to structurally improve privacy. Boards must recognize privacy as a strategic theme and structurally invest in people, governance and training. It remains to be seen whether business leaders will now understand the message.