# Banks Market Research Report - Europe

**Generated on:** 2026-05-29 10:31:42.189102  
**Industry:** Banks  
**Geography:** Europe  
**Details:** Research report on the estimated annual spend per tiers of regulated banks on data protection such as tokenization, anonymization, masking and so on, for mid-sized banks (Tier 2) and smaller banks (tier 3). Annual spends estimated for 2026 and for 2031, with CAGR calculation

---

# European Bank Data Protection Spend Through 2031

## Executive Summary

- **Tier 2 Spend Doubles By 2031**: A mid-sized European regulated bank is estimated to spend **EUR 1.2M-EUR 2.0M** annually on data protection in **2026**, rising to **EUR 2.4M-EUR 3.8M** in **2031**; the base-case midpoint grows from **EUR 1.6M** to **EUR 3.1M**, a **14.2% CAGR** -> treat Tier 2 banks as the priority segment for enterprise data-security platforms, masking, tokenization, and integration services.
- **Tier 3 Volume Creates A Larger Long Tail**: A smaller regulated bank is estimated to spend **EUR 0.15M-EUR 0.55M** in **2026**, rising to **EUR 0.32M-EUR 1.0M** in **2031**; the base case grows from **EUR 0.32M** to **EUR 0.65M**, a **15.2% CAGR** -> win this segment with packaged, managed, cloud-delivered controls rather than large transformation programs.
- **Official Tiering Requires Proxies**: Europe does not publish a clean public table called Tier 2/Tier 3 banks, but ECB supervision distinguishes significant institutions from less significant institutions, and ECB methodology uses thresholds such as **EUR 30B** for significance, **EUR 15B** for high-impact LSIs, and **less than EUR 5B** for small/non-complex institutions [23], [22] -> define Tier 2 as **EUR 5B-EUR 30B assets** and Tier 3 as **under EUR 5B assets**.
- **Bank Population Is Large But Fragmented**: The European Banking Federation reported **4,834** EU credit institutions and **EUR 45.1T** of assets in **2024**, while the ECB's LSI report identified **1,928** less significant institutions in the Banking Union and a list of **100** high-impact LSIs in **2024** [4], [22] -> size the market with explicit perimeter assumptions, not a single false-precision bank count.
- **Budget Benchmark Anchors The Model**: ENISA's 2024 NIS Investments report found **median banking IT spend of EUR 53M**, **median information-security spend of EUR 4.0M**, and **average information-security spend of EUR 13.9M** in its EU survey; IANS separately reported security budgets at **13.2%** of IT spend in **2024**, up from **8.6%** in **2020** [36], [11] -> estimate data protection as a funded subset of cyber, not as the entire security budget.
- **Category Growth Supports A Mid-Teens CAGR**: The data-security market is forecast to grow from **USD 17.21B in 2026** to **USD 37.93B in 2031**, a **17.12% CAGR**, while Europe data masking is forecast at **11.4% CAGR** and Europe privacy-enhancing technologies at **24.6% CAGR** [127], [54], [17] -> use **14%-15%** bank-tier CAGR after discounting for bank budget discipline and legacy integration friction.
- **Regulation Converts Privacy Tools Into Resilience Controls**: DORA creates uniform ICT-risk rules for financial entities, GDPR Article 32 explicitly references pseudonymisation and encryption, and EBA ICT guidelines require data confidentiality, integrity, availability, encryption at rest and in transit, third-party security objectives, and testing [84], [81], [88] -> position data protection as audit evidence, not only breach prevention.
- **Failure Cases Make Spend Defensive**: Santander disclosed unauthorized access to a database hosted by a third-party provider on **14 May 2024**, Deutsche Bank confirmed customer-data exposure through a service-provider MOVEit incident in **2023**, and CaixaBank faced a **EUR 6M** Spanish DPA fine for unlawfully processing client data [117], [113], [124] -> prioritize data minimization, tokenization, masking, and third-party controls before expanding analytics sharing.

## Scope, Tier Definitions, And Sizing Method

This report sizes annual European regulated-bank spend on data protection technologies: tokenization, data masking, anonymization, pseudonymisation, encryption, key management, data discovery/classification, data security posture management, data loss prevention, synthetic data, privacy-enhancing technologies, and implementation/testing services. It excludes broad network security, endpoint security, generic SOC operations, legal-only GDPR work, and general cloud migration unless the spend directly protects regulated or personal data.

The geography is Europe, but the quantitative anchor is EU and ECB Banking Union data because public bank counts are most authoritative there. The EBF reported **4,834** EU credit institutions in **2024** and **EUR 45.1T** of assets [4]. The EBA reported that EU/EEA banks in its reporting perimeter held **almost EUR 28.2T** of assets in **December 2024** [3]. The ECB also reported high concentration: the five largest credit institutions held an EU average **68.61%** of national banking assets at end-2024, with country concentration ranging from **34.1%** to **96.01%** [1]. The implication is that spend cannot be inferred linearly from bank count; a few large banks dominate total assets, while many Tier 3 banks create a long-tail compliance market.

Because no official European source labels banks as Tier 2 and Tier 3 for this purpose, the report uses supervisory proxies. Tier 1, which is outside the requested sizing, means large significant institutions. The ECB generally treats institutions as significant if they exceed **EUR 30B** in assets or meet other systemic tests [23]. Tier 2 in this report means mid-sized regulated banks with roughly **EUR 5B-EUR 30B** in assets, including high-impact or complex LSIs. Tier 3 means smaller regulated banks below **EUR 5B**, aligned with the small and non-complex institution threshold used in proportionality rules [23].

The spend model triangulates three public anchors. First, ENISA's EU survey of **1,350** organizations across **27** Member States reported **EUR 53M** median banking IT spend, **EUR 4.0M** median banking information-security spend, and **EUR 13.9M** average banking information-security spend [36]. Second, financial-services and cross-industry security benchmarks put cyber at roughly **6%-14%** of IT spend, with IANS reporting **13.2%** in **2024** [45], [11]. Third, data-security category forecasts show faster growth than general bank IT, especially for data security, PETs, masking, and encryption [127], [17].

**Decision insight**: Treat the figures below as planning estimates, not audited expenditures. The defensible conclusion is direction and order of magnitude: Tier 2 banks are million-euro annual buyers; Tier 3 banks are six-figure annual buyers whose aggregate market is large because of institution count.

## 2026 And 2031 Spend Estimates By Tier

The base-case estimate is nominal annual spend per bank, including directly attributable software, cloud subscriptions, professional services, managed services, and internal implementation labor for data-protection controls. The model assumes that data protection absorbs a rising share of the information-security budget because data discovery, masking, tokenization, encryption, and PETs are moving from compliance projects into operational-resilience programs.

The CAGR formula used is: **CAGR = (2031 spend / 2026 spend)^(1/5) - 1**.

| Segment | Practical Definition | Estimated Bank Count Used For Aggregate Sizing | 2026 Annual Spend Per Bank | 2031 Annual Spend Per Bank | Base-Case CAGR | 2026 Aggregate Spend | 2031 Aggregate Spend |
|---|---:|---:|---:|---:|---:|---:|---:|
| Tier 2 mid-sized regulated banks | EUR 5B-EUR 30B assets; high-impact or complex LSIs; below large SI threshold | 300-600, base 450 | EUR 1.2M-EUR 2.0M, base EUR 1.6M | EUR 2.4M-EUR 3.8M, base EUR 3.1M | 14.2% | EUR 0.36B-EUR 1.20B, base EUR 0.72B | EUR 0.72B-EUR 2.28B, base EUR 1.40B |
| Tier 3 smaller regulated banks | Under EUR 5B assets; small/non-complex, local, savings, cooperative, or specialist banks | 3,500-4,100, base 3,800 | EUR 0.15M-EUR 0.55M, base EUR 0.32M | EUR 0.32M-EUR 1.00M, base EUR 0.65M | 15.2% | EUR 0.53B-EUR 2.26B, base EUR 1.22B | EUR 1.12B-EUR 4.10B, base EUR 2.47B |
| Tier 2 + Tier 3 combined | Excludes the largest Tier 1 significant institutions | Base 4,250 | Base EUR 1.94B aggregate | Base EUR 3.87B aggregate | 14.8% | EUR 0.89B-EUR 3.46B | EUR 1.84B-EUR 6.38B |

The Tier 2 estimate is anchored to the ENISA banking-security median but uplifted because a EUR 5B-EUR 30B bank normally has more regulated data domains, vendors, cross-border flows, and supervisory scrutiny than a very small local institution. In 2026, the base Tier 2 bank spends around **EUR 1.6M** on data protection, equivalent to roughly a quarter to a third of an estimated EUR 5M-EUR 6M information-security budget. By 2031, the same bank spends around **EUR 3.1M** because DORA testing, third-party controls, AI/data-sharing governance, cloud encryption, and dynamic masking increase the funded scope.

The Tier 3 estimate is lower per institution but still material. A smaller bank can often avoid large bespoke deployments by buying cloud database security, managed key management, packaged DLP, outsourced compliance reporting, and pre-integrated masking for test data. The base Tier 3 bank spends **EUR 0.32M** in 2026 and **EUR 0.65M** in 2031; that implies a **15.2% CAGR**, slightly above Tier 2 because many smaller banks start from underinvestment and catch up through managed services.

| Category | Tier 2 2026 Base Mix | Tier 2 2031 Base Mix | Tier 3 2026 Base Mix | Tier 3 2031 Base Mix | Why It Grows |
|---|---:|---:|---:|---:|---|
| Discovery, classification, DSPM, and policy inventory | EUR 0.34M | EUR 0.65M | EUR 0.07M | EUR 0.14M | Banks need evidence of where personal and regulated data reside before they can mask, tokenize, or delete it. Gartner describes data security platforms as combining data discovery, policy definition, and enforcement [97]. |
| Tokenization, static masking, dynamic masking, and test-data protection | EUR 0.42M | EUR 0.80M | EUR 0.08M | EUR 0.16M | Europe data masking is forecast at **11.4% CAGR** through 2031, with BFSI listed as a key end-use vertical [54]. |
| Encryption, HSM, KMS, secrets, and key lifecycle | EUR 0.36M | EUR 0.60M | EUR 0.08M | EUR 0.13M | EBA guidelines require encryption of data at rest and in transit based on classification [88]. |
| PETs, anonymization, pseudonymisation, and synthetic data | EUR 0.18M | EUR 0.50M | EUR 0.02M | EUR 0.08M | Europe PETs are forecast at **24.6% CAGR**, with anonymization and pseudonymization as named technique segments [17]. |
| DLP, data activity monitoring, and identity-aware access controls | EUR 0.16M | EUR 0.30M | EUR 0.03M | EUR 0.06M | DLP and monitoring reduce leakage risk as data moves into SaaS, cloud analytics, and third-party workflows. |
| Integration, testing, assurance, and managed services | EUR 0.14M | EUR 0.25M | EUR 0.04M | EUR 0.08M | DORA and EBA rules create recurring testing and evidence costs, not one-time tooling costs [84]. |

**Decision insight**: Tier 2 budgets support platform sales, multi-year implementation, and managed services. Tier 3 budgets require standardized packages priced below enterprise transformation thresholds, with compliance reporting embedded.

## Regulation Turns Data Protection Into Operational Resilience

European bank data protection spending is no longer driven only by GDPR fines. DORA, applicable to financial entities and ICT third-party providers, lays down uniform rules for the security of network and information systems across the financial sector [84]. EIOPA states that DORA harmonizes operational-resilience rules for **20** types of financial entities and ICT third-party service providers [56]. For banks, that shifts the buying question from "Can we encrypt personal data?" to "Can we prove data remains confidential, intact, available, recoverable, and controlled across our own systems and vendors?"

GDPR remains the legal core for personal data. Article 4(5) defines pseudonymisation as processing personal data so it can no longer be attributed to a specific data subject without additional information kept separately under technical and organizational controls [81]. Article 32 explicitly refers to pseudonymisation and encryption as security measures. The EDPB's 2025 pseudonymisation guidelines state that pseudonymisation is a technical and organizational measure that can reduce risks to data subjects [57]. This creates demand for tokenization vaults, key separation, reversible pseudonymisation controls, and governance over who can re-identify data.

EBA guidance turns those principles into bank operating requirements. The EBA ICT and security risk guidelines apply to credit institutions, investment firms, and payment service providers and became applicable on **30 June 2020**. They define ICT and security risk around breaches of data confidentiality, failures of data integrity, and unavailability of systems and data. They also require management-body budget oversight, encryption of data at rest and in transit based on classification, security objectives in third-party arrangements, and information-security testing [88].

The compliance mechanism is therefore cumulative. GDPR asks whether personal data is processed lawfully and safely. EBA asks whether bank ICT risk management protects confidentiality, integrity, and availability. DORA asks whether those controls survive incidents, outsourcing, and operational disruption. A Tier 2 bank with multiple core systems, cloud analytics, and payments vendors must fund cross-system controls; a Tier 3 bank needs fewer bespoke integrations but still needs auditable evidence.

**Case study: CaixaBank shows why consent and processing controls matter.** The Spanish Data Protection Authority imposed a **EUR 6M** fine on CaixaBank for unlawfully processing client personal data, according to the EDPB's national-news notice [124]. The lesson is not that masking alone prevents GDPR penalties. It is that banks need governance, consent lineage, processing restrictions, minimization, and technical enforcement to make privacy obligations operational.

**Decision insight**: Data protection vendors and bank buyers should sell and evaluate controls against three evidence sets: GDPR lawful processing and security, EBA ICT-risk controls, and DORA resilience/testing. Tools that cannot produce audit evidence will struggle even if they encrypt data.

## Technology Stack: Tokenization To PETs

The bank data-protection stack is becoming a platform architecture. Gartner Peer Insights describes data security platforms as combining data discovery, policy definition, and enforcement, with policy enforcement capabilities that include format-preserving encryption, tokenization, and dynamic data masking [97]. Oracle Data Safe shows the same pattern at database level: it provides sensitive-data discovery, risk assessment, user assessment, activity monitoring, and data masking for Oracle databases [110]. The implication is that point tools still matter, but Tier 2 banks increasingly buy integrated control planes.

The first layer is data discovery and classification. A bank cannot reliably tokenize card numbers, mask customer identifiers, or anonymize analytics extracts unless it knows where sensitive fields are stored and copied. This is why DSPM, data catalogs, and classification engines receive a growing share of the budget. Tier 3 banks often solve this with native cloud, database, or managed-service tools; Tier 2 banks need cross-platform coverage across mainframe, core banking, CRM, data lake, and SaaS environments.

The second layer is transformation: tokenization, static masking, dynamic masking, pseudonymisation, anonymization, and synthetic data. Data masking protects non-production and analytics environments by replacing sensitive data with realistic but non-sensitive values; tokenization replaces sensitive values with controlled tokens, often preserving application format. KBV forecasts Europe data masking at **11.4% CAGR** from **2024-2031**, and lists BFSI as an end-use vertical [54]. PETs are a higher-growth adjacent layer: KBV forecasts Europe privacy-enhancing technologies at **24.6% CAGR**, with cryptographic, anonymization, and pseudonymization techniques named as segments [17].

The third layer is cryptographic control: encryption, hardware security modules, key management, secrets management, and certificate governance. Thales states that its financial-services data-security solutions provide granular encryption, tokenization, and role-based access control for structured and unstructured data in databases, applications, file servers, cloud, and big data environments [102]. This is where Tier 2 banks often spend heavily because they have hybrid estates, outsourced processors, and strict segregation-of-duty requirements.

The fourth layer is monitoring and policy enforcement: DLP, data activity monitoring, insider-risk controls, identity-aware access, and audit evidence. This layer links data protection to incident response and operational resilience. It also determines whether masked or tokenized data remains safe once exported, shared with a vendor, or used in AI development.

**Case study: Santander illustrates the third-party data problem.** Santander disclosed on **14 May 2024** that it became aware of unauthorized access to a database hosted by a third-party provider; the bank stated it implemented measures to contain the incident and additional fraud-prevention controls [117]. The case shows why spend is moving from static perimeter controls to third-party data minimization, tokenization before transfer, database activity monitoring, and contract-level security evidence.

**Decision insight**: For Tier 2, sell a control-plane architecture across discovery, masking/tokenization, encryption, and audit. For Tier 3, sell a minimum viable stack: sensitive-data inventory, database masking, managed key management, DLP, and periodic assurance.

## Major Players: Platform Vendors And Specialist Challengers

The competitive landscape has three layers: large data/security platforms, database and cloud incumbents, and specialist privacy or cryptographic vendors. The Europe data masking market profiles vendors including IBM, Oracle, Informatica, Micro Focus, Broadcom, Solix, Delphix, ARCAD Software, IRI, and Ekobit [54]. The Europe PET market profiles IBM, Microsoft, Google, Intel, SAP, Inpher, Thales, OneTrust, TrustArc, and Oracle [17]. These lists show that the market is not a single product category; it spans data management, privacy workflow, cryptography, cloud, and security operations.

| Vendor Group | Representative Players | Core Data-Protection Strength | Best Fit In Tier 2 Banks | Best Fit In Tier 3 Banks |
|---|---|---|---|---|
| Enterprise data-security platforms | IBM, Oracle, Informatica, Microsoft, Google Cloud | Discovery, classification, masking, policy, database/cloud integration | Cross-domain control plane for core banking, analytics, and cloud | Packaged database/cloud-native controls where the bank already uses the platform |
| Cryptography and key-management specialists | Thales, Fortanix, Intel ecosystem partners | Encryption, tokenization, HSM, confidential computing, key management | Hybrid encryption, tokenization, HSM, third-party and cloud controls | Managed KMS, tokenization-as-a-service, simplified cloud encryption |
| Privacy, governance, and PET vendors | OneTrust, TrustArc, Inpher, SAP, specialist synthetic-data vendors | Privacy workflow, pseudonymisation governance, PETs, anonymization | Consent/data-use governance and secure analytics sharing | Compliance workflow plus selective anonymization services |
| Data masking and test-data specialists | Delphix, Solix, Broadcom, OpenText/Micro Focus, ARCAD, IRI, Ekobit | Static/dynamic masking, test data, database-specific transformation | Dev/test modernization and large application portfolios | Lower-cost masking for non-production data and regulatory exams |

Oracle Data Safe is a useful example of the database-incumbent route. It combines sensitive-data discovery, risk assessment, user assessment, activity monitoring, and data masking in one control center for Oracle databases [110]. For Tier 3 banks, that kind of native control can be attractive because it reduces integration burden. For Tier 2 banks, it is often one component of a broader heterogeneous stack.

Thales demonstrates the cryptographic route. Its financial-services page emphasizes encryption, tokenization, and role-based access across structured and unstructured data [102]. Fortanix positions a SaaS-based data masking and tokenization solution powered by confidential computing [61]. These vendors matter where banks need separation of duties, sovereign key control, or cloud data protection beyond what an application vendor provides.

Informatica represents the data-management route. Its financial-services materials position the platform around trusted, fit-for-business-use data, compliance, customer experience, and secure data sharing [106]. That is especially relevant for Tier 2 banks trying to reuse customer data for analytics and AI while preserving privacy obligations.

**Decision insight**: Tier 2 banks should shortlist vendors by control-plane breadth and integration evidence. Tier 3 banks should prioritize deployment simplicity, managed-service options, bundled compliance evidence, and pricing that fits six-figure annual budgets.

## Risks, Failure Cases, And Control Gaps

The first risk is false anonymization. GDPR anonymization is not simply replacing names; if records can be re-identified through linkage, the data may remain personal data. The EDPB's pseudonymisation guidance emphasizes separation of additional information and technical/organizational measures [57]. Banks that oversell anonymization internally may create data-sharing risk, especially when analytics teams combine transaction, device, geolocation, and behavioral data.

The second risk is vendor and outsourcing exposure. DORA makes third-party ICT risk part of operational resilience rather than a procurement afterthought [84]. Deutsche Bank confirmed customer-data exposure connected to a service-provider MOVEit incident in **2023**, according to CSO Online [113]. Santander's 2024 statement involved a third-party-hosted database [117]. These cases show why banks increasingly need tokenization before transfer, least-privilege data sharing, and monitoring of outsourced datasets.

The third risk is integration debt. Tier 2 banks often run legacy core systems, national payment rails, data warehouses, cloud workloads, and SaaS applications. A masking tool that works only for one database solves test-data risk but not customer-data exposure across APIs and analytics. This is why the spend model gives Tier 2 a higher absolute budget and a stronger services component.

The fourth risk is budget compression. ENISA reported median banking information-security spend of **EUR 4.0M** but average spend of **EUR 13.9M**, showing that large institutions pull the average far above the median [36]. IANS reported that security budgets as a share of IT rose to **13.2%** in **2024**, but also noted budget pressure in the same cycle [11]. Smaller banks will therefore resist projects that require scarce security engineers or large upfront integration.

The fifth risk is data utility loss. Over-masking, irreversible anonymization, or poorly designed tokenization can reduce fraud-model accuracy, customer analytics, and operational troubleshooting. The right control choice depends on data use: static masking for dev/test, tokenization for regulated identifiers that must preserve format, pseudonymisation for controlled re-identification, and PETs for analytics where parties should not expose raw data.

**Decision insight**: The winning control strategy is risk-based segmentation. Protect high-risk identifiers with tokenization or encryption, use masking for non-production data, reserve anonymization/PETs for analytics and sharing, and require third-party datasets to be minimized before they leave the bank.

## Synthesis

Tier 2 and Tier 3 banks are exposed to the same regulatory direction, but the buying mechanisms differ. Tier 2 banks spend because complexity creates control gaps: multiple business lines, cloud data lakes, cross-border vendors, and legacy cores require an integrated data-security platform. Tier 3 banks spend because proportionality does not eliminate obligations: they still need evidence for GDPR, EBA ICT risk, DORA, outsourcing, and incident response, but they buy smaller, standardized packages.

| Dimension | Tier 2 Mid-Sized Banks | Tier 3 Smaller Banks | Strategic Implication |
|---|---|---|---|
| Spend mechanism | Complexity, integration, cross-border operations, and supervisory attention | Compliance minimums, outsourced IT, and catch-up modernization | Sell Tier 2 transformation; sell Tier 3 packaged compliance and managed controls. |
| 2026 base spend | EUR 1.6M per bank | EUR 0.32M per bank | Tier 2 has higher contract value. |
| 2031 base spend | EUR 3.1M per bank | EUR 0.65M per bank | Both roughly double, but Tier 3 catches up from a lower base. |
| Evidence base | ENISA median/average banking security spend, ECB high-impact LSI proxy, platform category growth | ENISA median adjusted downward, SNCI threshold, managed-service economics | Use ranges because public sources do not disclose tier-level spend directly. |
| Main trade-off | Broad platform control versus integration cost | Affordability versus audit completeness | Product packaging should differ by tier. |
| Time horizon | Multi-year architecture and vendor consolidation | Incremental cloud and managed-service adoption | Vendors should build separate enterprise and long-tail go-to-market motions. |

The non-obvious tension is that Tier 3 may be a larger aggregate opportunity than many enterprise sellers expect. A single Tier 3 bank cannot buy like a Tier 2 bank, but thousands of small banks can create a larger cumulative market if vendors remove deployment friction. Conversely, Tier 2 is not just a scaled-up Tier 3 opportunity. It requires policy orchestration, identity integration, cross-system discovery, and resilience evidence across third parties.

The second tension is between data protection and data utility. Banks want AI, open banking, fraud analytics, and customer personalization, but the same datasets create GDPR, DORA, and third-party leakage risks. PETs, pseudonymisation, and synthetic data grow quickly because they promise controlled data use, not merely data lockdown. That explains why PET forecasts are faster than data masking forecasts, even though masking remains a practical near-term control [17], [54].

The third tension is between regulatory proportionality and operational reality. Smaller banks may qualify for simpler treatment, but attackers and third-party incidents do not scale down neatly with asset size. A Tier 3 bank with outsourced core banking and cloud CRM can still expose sensitive data if contracts, keys, and masking are weak. Proportionality therefore changes the form of spend more than the need for spend.

**Overall recommendation**: For 2026 planning, budget data protection at **EUR 1.2M-EUR 2.0M** for a Tier 2 bank and **EUR 0.15M-EUR 0.55M** for a Tier 3 bank. For 2031 strategy, plan for **EUR 2.4M-EUR 3.8M** per Tier 2 bank and **EUR 0.32M-EUR 1.0M** per Tier 3 bank, with mid-teen CAGR. The most resilient investment sequence is: inventory sensitive data, encrypt and manage keys, mask/tokenize high-risk fields, enforce identity-aware access, and then add PETs or synthetic data for analytics sharing.

## References

1. *EU structural financial indicators: end of 2024*. https://www.ecb.europa.eu/press/pr/date/2025/html/ecb.pr250612_1~6afb2dc0f9.en.html
2. *EBF Facts & Figures 2024 - European Banking Federation*. https://www.ebf.eu/ebf-media-centre/ebf-facts-and-figures-2024/
3. *Asset side | European Banking Authority*. https://www.eba.europa.eu/publications-and-media/publications/asset-side-1
4. *Facts & Figures 2025 - EBF - European Banking Federation*. https://www.ebf.eu/ebf-media-centre/ebf-facts-and-figures-2025/
5. *Lists of financial institutions - European Central Bank*. https://www.ecb.europa.eu/stats/financial_corporations/list_of_financial_institutions/html/index.en.html
6. *The NIS 2 Directive | Updates, Compliance, Training*. https://www.nis-2-directive.com/
7. *Anonymisation and pseudonymisation - Data Protection Commission*. http://www.dataprotection.ie/en/dpc-guidance/anonymisation-pseudonymisation
8. *Digital Operational Resilience Act (DORA) | Updates ...*. https://www.digital-operational-resilience-act.com/
9. *The Ultimate Guide to DORA Compliance for the Financial ...*. https://www.fortra.com/resources/guides/ultimate-guide-dora-compliance-financial-sector
10. *PseudonymisationandEncryption PolicyVersion8*. http://cdn.prod.website-files.com/63e3bd1943813b219ca26303/692012b6190294a5616f958d_Pseudonymisation%20and%20Encryption%20Policy%20v8.pdf
11. *New Research Reveals Security Budgets Only Increased 2 Points in ...*. https://www.iansresearch.com/resources/press-releases/detail/new-research-reveals-security-budgets-only-increased-2-points-in-2024--while-12--of-cisos-faced-reductions
12. *IANS Security Budget Benchmark Report - IANS Research*. https://www.iansresearch.com/resources/ians-security-budget-benchmark-report
13. *The Cost of Good Security: Analyzing 2024's Cyber Budget Trends*. https://nationalcioreview.com/articles-insights/information-security/the-cost-of-good-security-analyzing-2024s-cyber-budget-trends/
14. *2026 CISO Budget Benchmark Report - Wiz*. https://www.wiz.io/reports/ciso-security-budget-benchmark-2026
15. *Financial Services Cybersecurity: 2024 Performance in Banking ...*. https://www.picussecurity.com/resource/blog/financial-services-cybersecurity-performance-2024
16. *Europe Data Masking Market Projected to Reach $137.8 ...*. https://finance.yahoo.com/news/europe-data-masking-market-projected-080400709.html
17. *Europe Privacy Enhancing Technologies Market Size | 2031*. https://www.kbvresearch.com/europe-privacy-enhancing-technologies-market/
18. *Data Masking Market Size & Share | Top Key Players - 2031*. https://www.kbvresearch.com/data-masking-market/
19. *Tokenization Market Size and Outlook 2031 - TechSci Research*. https://www.techsciresearch.com/report/tokenization-market/25399.html
20. *Europe Tokenization Market Size, Share & Growth, 2034*. https://www.marketdataforecast.com/market-reports/europe-tokenization-market
21. *Outline CRR III / CRD VI - Final Basel III Standards | Insights*. https://www.mayerbrown.com/en/insights/publications/2024/06/outline-crriii-crd-vi-final-basel-iii-standards
22. *LSI supervision report 2024*. https://www.bankingsupervision.europa.eu/ecb/pub/html/LSIreport/ssm.LSIreport2024~b8dd7cda4f.en.html
23. *Supervisory approach and methodologies - Banking supervision*. https://www.bankingsupervision.europa.eu/framework/lsi/methodologies/html/index.en.html
24. *Pillar 3 framework*. https://www.cssf.lu/en/pillar-3-framework/
25. *Proportionality in banking regulation*. https://www.oenb.at/dam/jcr:d9e8bdcc-fb74-4de0-9c28-af2bf4c00391/05_mop_2_18_proportionality_in_banking_regulation.pdf
26. *ECB Annual Report on supervisory activities 2025*. https://www.bankingsupervision.europa.eu/press/other-publications/annual-report/html/ssm.ar2025~6ee989dc7e.en.html
27. *Supervisory data - Banking supervision*. https://www.bankingsupervision.europa.eu/framework/statistics/html/index.en.html
28. *Significance Assessment: 2024 at a glance - moving to 2025*. https://www.bankingsupervision.europa.eu/press/other-publications/publications/significance-assessment/pdf/ssm.sar2024.bg.pdf
29. *List of supervised banks*. http://bankingsupervision.europa.eu/framework/supervised-banks/html/index.en.html
30. *Europe Cybersecurity Market Report 2025-2030, ...*. https://www.marketsandmarkets.com/Market-Reports/europe-cybersecurity-market-156644743.html
31. *Europe Cybersecurity Market Size, Share, Analysis, Trends*. https://www.mordorintelligence.com/industry-reports/europe-cybersecurity-market
32. *Europe Cybersecurity Market to 2031 - By Size, Share, ...*. https://www.theinsightpartners.com/reports/europe-cybersecurity-market
33. *Cybersecurity Market Report 2025-2030, by Application, Geo, Tech*. https://www.marketsandmarkets.com/Market-Reports/cyber-security-market-505.html
34. *Europe Cyber Security Market Size & Outlook, 2026-2033*. https://www.grandviewresearch.com/horizon/outlook/cyber-security-market/europe
35. *Profitability | European Banking Authority*. https://www.eba.europa.eu/publications-and-media/publications/profitability-0
36. [[PDF] NIS INVESTMENTS 2024 - ENISA](https://www.enisa.europa.eu/sites/default/files/2024-11/CSPA%20-%20NIS%20Investments%20-%202024_0.pdf)
37. *Cybersecurity Budget 2026: Benchmarks & Spending Trends - Elisity*. https://www.elisity.com/blog/2026-cybersecurity-budget-complete-enterprise-planning-guide
38. [[PDF] NIS Investments 2025 - Main report.pdf - ENISA](https://www.enisa.europa.eu/sites/default/files/2025-12/NIS%20Investments%202025%20-%20Main%20report.pdf)
39. *Annual Accounts 2024 - European Central Bank*. https://www.ecb.europa.eu/press/annual-reports-financial-statements/annual/annual-accounts/html/ecb.annualaccounts2024~718377b1c1.en.html
40. *Marketing Spend Benchmarks: How Much are Banks ...*. https://thefinancialbrand.com/news/banking-trends-strategies/marketing-spend-benchmarks-2026-cpg-financial-brand-196920
41. *Managing bank IT spending: Five questions for tech leaders*. https://www.mckinsey.com/capabilities/tech-and-ai/our-insights/tech-forward/managing-bank-it-spending-five-questions-for-tech-leaders
42. *2021 Technology Survey*. https://www.bankdirector.com/wp-content/uploads/2021-Tech-Report.pdf
43. *Bank IT Spending – Use These Metrics to Improve ...*. http://southstatecorrespondent.com/banker-to-banker/technology/bank-it-spending-use-these-metrics-to-improve-performance
44. *WaFd (WAFD) Q2 2026 Earnings Call Transcript*. http://fool.com/earnings/call-transcripts/2026/04/17/wafd-wafd-q2-2026-earnings-call-transcript
45. *Cybersecurity Budgets, Benchmarks for Financial Services*. https://deloitte.wsj.com/cio/cybersecurity-budgets-benchmarks-for-financial-services-72924cb6
46. *Security Budget of a Company : r/cybersecurity*. https://www.reddit.com/r/cybersecurity/comments/1ireqrq/security_budget_of_a_company/
47. [Cybersecurity Spending Statistics [2026]: Budgets & ROI](https://app.stationx.net/articles/cybersecurity-spending-statistics)
48. *Top Ten Insights from Forrester's 2024 Cybersecurity Budget ...*. https://softwarestrategiesblog.com/2024/08/25/top-ten-insights-from-forresters-2024-cybersecurity-budget-benchmarks/
49. *Cybersecurity Market Size, Share, Analysis | Global Report 2034*. https://www.fortunebusinessinsights.com/industry-reports/cyber-security-market-101165
50. *How Much Should Your Business Spend on Cybersecurity?*. https://goleadingit.com/blog/how-much-should-your-business-spend-on-cybersecurity/
51. *Benchmark - Powering Tomorrow's Infrastructure*. http://itsbenchmark.com/
52. *IT Solutions for Banking and Financial Services - Benchmark*. http://itsbenchmark.com/industries/finance
53. *Europe Data Masking Market Projected to Reach $137.8 ...*. https://uk.finance.yahoo.com/news/europe-data-masking-market-projected-080400965.html
54. *Europe Data Masking Market Size | Industry Trends to 2031*. https://www.kbvresearch.com/europe-data-masking-market/
55. *Privacy Enhancing Technologies Market Size Report, 2030*. https://www.grandviewresearch.com/industry-analysis/privacy-enhancing-technologies-market-report
56. *Digital Operational Resilience Act (DORA) - EIOPA*. https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en
57. *Guidelines 01/2025 on Pseudonymisation | EDPB*. https://www.edpb.europa.eu/system/files/2025-01/edpb_guidelines_202501_pseudonymisation_en.pdf
58. *Digital Operational Resilience Act - KPMG Netherlands*. http://kpmg.com/nl/en/home/services/advisory/technology/cybersecurity-services/cyber-strategy-and-risk-management-services/digital-operational-resilience-act.html
59. [[PDF] Group Annual Report 2024 - Addiko Bank AG](http://addiko.com/static/uploads/Addiko-Group-Consolidated-Financial-Report-2024-EN-1.pdf)
60. *Data masking vs tokenization: Where and when to use which*. https://www.k2view.com/blog/data-masking-vs-tokenization/
61. *SaaS-Based Data Masking & Data Tokenization Solution - Fortanix*. https://www.fortanix.com/company/pr/2023/07/industry-first-saas-based-data-masking-and-tokenization-solution
62. *Unlocking the Power of Privacy-Enhancing Technologies in ...*. https://internationalbanker.com/technology/unlocking-the-power-of-privacy-enhancing-technologies-in-financial-services/
63. *Identity-Driven Data Security*. http://ubiqsecurity.com/
64. [Cybersecurity Budget 2026: Benchmarks & Spending Trends](/goto?url=CAESkQEB7keqTeNhteb1b192sYsnlOG2CBVIkt6cFFEWSZKDSPDFJfpRYjUcdSNffMvNFiUVE6pm4NHsZUqanRpMn6rMGwJ2tX6WGNoc9HuNGkkWLu-qGtFW9X-CxzeLghWL6u82Hbuk45d9eyXv5Y_WWHRIn3FCwOAHg57Ckw5D9VbvN7VhbzjJ6B9u43yfZs8hrXHz)
65. *What is data loss prevention (DLP)?*. https://www.microsoft.com/en-us/security/business/security-101/what-is-data-loss-prevention-dlp
66. [AI Security Budget Percentage for 2026 | CISO Hub - Reco AI](/goto?url=CAESgAEB7keqTZJ9Yo2u4cW9ERyjmYXY2ZBLcQq14B186foInHzCcfLFSAQYqyBk5NW3diMA1kHNU8BOUQQZyKQzOdrRSc64C0Cars7CTXVsSLebjJY9ZoVd-UPA8NowYruNsyLNQjR8VgFNkcp9Tul_AfIhnUAE32Un0bvSJlsZ01DQNA==)
67. [How to Optimize Cybersecurity Budget in 2026?](/goto?url=CAESgQEB7keqTQI4BKEg_PXZk-L3zJdjBHW3YSSb2tu1o65k-2UIM4wwtlaXh_uMYl1srhAWy0n4fh62r1eVs2rMXZnwSOPR7W3WEZrarnmyQWo1gTQlCy-9jBgZJWknl4az3L-4lTECzll1lpKJYxUFOQZ6RzXxEOzkv35Qf1YRwD9zkyM=)
68. [Data Protection Strategies for 2026](/goto?url=CAESewHuR6pNv1OVvEvWmWIOSMAP-gni9K4CMbzB0-tPfYSq50UNcvbghSdoT7OMCcHX3tSC5_-IUlQdWnxiq7n76dOeit1FD1Ev0OJ2xKsgkauNDBNFkhnBfv5nSnie787pIwoyD3Ur2hJ4Lp_P6t-VrhRr_GfaLRmVnGRZpg==)
69. *Supervision & oversight of less significant institutions*. https://www.bankingsupervision.europa.eu/framework/lsi/html/index.en.html
70. *2022_6335 Definition of small and non-complex institutions ...*. https://www.eba.europa.eu/single-rule-book-qa/qna/view/publicId/2022_6335
71. [[PDF] Banking package factsheet](https://www.dnb.nl/media/xn0plvah/factsheet-banking-package.pdf)
72. *About us - SNCI | Société Nationale de Crédit et d'Investissement*. http://snci.lu/en/what-abous-us/about-us
73. *ECB Annual Report on supervisory activities 2024*. https://www.bankingsupervision.europa.eu/press/other-publications/annual-report/html/ssm.ar2024~700cba1314.en.html
74. [[PDF] ECB Annual Report on supervisory activities - Banque de France](https://www.banque-france.fr/system/files/2024-03/ECB-Annual-Report-on-supervisory-activities_2023.pdf)
75. *List of supervised banks*. https://www.bankingsupervision.europa.eu/framework/supervised-banks/html/index.en.html
76. *Europe's 50 largest banks by assets, 2026*. https://www.spglobal.com/market-intelligence/en/news-insights/research/2026/04/europes-50-largest-banks-by-assets-2026
77. *ECB publishes consolidated banking data for end-March 2025*. https://www.ecb.europa.eu/press/pr/date/2025/html/ecb.pr250924~26701c4e87.en.html
78. *Number of banks decreasing*. https://ec.europa.eu/eurostat/cache/digpub/european_economy/bloc-3d.html?lang=en
79. *The European banking sector: situation and outlook*. https://www.bde.es/f/webbe/GAP/Secciones/SalaPrensa/IntervencionesPublicas/Subgobernador/Arc/Fic/IIPP-2023-11-22-delgado-en-tr.pdf
80. *Guidelines 01/2025 on Pseudonymisation*. https://www.edpb.europa.eu/our-work-tools/documents/public-consultations/2025/guidelines-012025-pseudonymisation_en
81. *Regulation - 2016/679 - EN - gdpr - EUR-Lex - European Union*. https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng
82. [[PDF] Opinion 28/2024 on certain data protection aspects related to the ...](http://edpb.europa.eu/system/files/2024-12/edpb_opinion_202428_ai-models_en.pdf)
83. *EDPB adopts pseudonymisation guidelines and paves the way to ...*. https://www.edpb.europa.eu/news/news/2025/edpb-adopts-pseudonymisation-guidelines-and-paves-way-improve-cooperation_en
84. *Regulation - 2022/2554 - EN - DORA - EUR-Lex*. https://eur-lex.europa.eu/eli/reg/2022/2554/oj/eng
85. *Digital Operational Resilience Act | European Banking Authority*. https://www.eba.europa.eu/activities/direct-supervision-and-oversight/digital-operational-resilience-act
86. *Digital Operational Resilience Act (DORA) - Article*. https://www.sailpoint.com/identity-library/digital-operational-resilience-act
87. *Digital operational resilience for the financial sector | EUR-Lex*. https://eur-lex.europa.eu/EN/legal-content/summary/digital-operational-resilience-for-the-financial-sector.html
88. *EBA Guidelines on ICT and security risk management*. https://www.eba.europa.eu/sites/default/files/document_library/Publications/Guidelines/2020/GLs%20on%20ICT%20and%20security%20risk%20management/872936/Final%20draft%20Guidelines%20on%20ICT%20and%20security%20risk%20management.pdf
89. *Guidelines on ICT and security risk management*. https://www.eba.europa.eu/activities/single-rulebook/regulatory-activities/internal-governance/guidelines-ict-and-security-risk-management
90. *What are the EBA guidelines on ICT and Security Risk ...*. https://thecompliancedigest.com/what-are-the-eba-guidelines-on-ict-and-security-risk-management/
91. *Guidelines amending Guidelines EBA/GL/2019/04 on ICT ...*. https://www.bde.es/f/webbe/INF/MenuHorizontal/Normativa/guias/EBA_GL_2025_02_sobre_gestion_de_riesgos_TIC_y_seguridad_EN.pdf
92. *Cloud Encryption Software Market Size, Report & Share Analysis 2031*. https://www.mordorintelligence.com/industry-reports/gobal-cloud-encryption-software-market-industry
93. *Artificial Intelligence in Cybersecurity Market Report 2026*. https://www.marketsandmarkets.com/Market-Reports/artificial-intelligence-ai-cyber-security-market-220634996.html
94. *Banking Encryption Software Market*. https://www.vantagemarketresearch.com/banking-encryption-software-market?srsltid=AfmBOoo2NqkaC1jO6UvzlC3_LOyVlNubmlOAV1N8F4mR19WjWGbKvW4b
95. *Data Security Market Size Report & Forecast Analysis, 2031*. http://mordorintelligence.com/industry-reports/data-security-market
96. *Cybersecurity Market Size & Growth Trends Report 2031*. https://www.mordorintelligence.com/industry-reports/cyber-security-market
97. *Best Data Security Platforms Reviews 2026 | Gartner Peer Insights*. https://www.gartner.com/reviews/market/data-security-platforms
98. *Forrester Buyer's Guide: Data Security Platforms 2025 - Thales CPL*. https://cpl.thalesgroup.com/resources/data-security/forrester-buyers-guide-data-security-platforms-2025
99. *Best DSPM Solutions for Enterprise Data Security - Thales CPL*. https://cpl.thalesgroup.com/insights/data-security/best-dspm-solutions-enterprise-data-security
100. *SecuPi Platform Reviews & Ratings 2026 | Gartner Peer Insights*. https://www.gartner.com/reviews/product/secupi-platform
101. *Identity-Driven Data Security - Ubiq Security*. http://ubiqsecurity.com/product
102. *Cybersecurity Solutions for Financial Services*. https://cpl.thalesgroup.com/industry/financial-data-security
103. *Thales Data Protection on Demand - Solution Brief*. https://cpl.thalesgroup.com/resources/encryption/thales-data-protection-on-demand-solution-brief
104. *Ready as a Strategic Asset in Financial Services*. https://www.informatica.com/content/dam/informatica-com/en/collateral/solution-brief/informatica-financial-services_solution-brief_3668en.pdf
105. *Data Security Compliance with DORA Resilience Act*. https://cpl.thalesgroup.com/compliance/emea/data-security-compliance-dora-resilience-act
106. *Financial Services Data Solutions*. https://www.informatica.com/solutions/industry-solutions/financial-services.html
107. *Central Bank Assets for Euro Area (11-19 Countries) - FRED*. https://fred.stlouisfed.org/series/ECBASSETSW
108. *Largest Banks in Europe*. http://thebanks.eu/top-banks-by-assets
109. *Prevent Financial Services Data Breaches - Video*. https://cpl.thalesgroup.com/resources/encryption/prevent-financial-services-data-breaches-video
110. *Oracle Data Safe Overview*. https://docs.oracle.com/en/cloud/paas/data-safe/udscs/oracle-data-safe-overview.html
111. *Data protection solutions for financial services enterprises*. https://cpl.thalesgroup.com/sites/default/files/content/solution_briefs/field_document/2020-05/Financial-Services-sb.pdf
112. *Thales and ServiceNow - Solution Brief*. http://cpl.thalesgroup.com/resources/encryption/servicenow-solution-brief
113. *Deutsche Bank customer data exposed in latest MOVEit exploit*. https://www.csoonline.com/article/645974/deutsche-bank-customer-data-exposed-in-latest-moveit-exploit.html
114. *Navigating a third-party Data Breach: Santander's Effective ...*. https://red-goat.com/navigating-a-data-breach-santanders-effective-communication-strategy/
115. *SecurityScorecard Threat Intel Report: 97% of Leading U.S. Banks ...*. https://securityscorecard.com/resources/press/securityscorecard-threat-intel-report-97-of-leading-u-s-banks-impacted-by-third-party-data-breaches-in-2024/
116. *Citizens Bank customers' personal information ...*. http://wpri.com/money/citizens-bank-customers-personal-information-compromised-in-data-breach
117. *Statement - Banco Santander*. http://santander.com/en/stories/statement
118. *Privacy-First Financial Data Sharing: The Role of PETs ...*. https://www.linkedin.com/pulse/privacy-first-financial-data-sharing-role-pets-cisa-cism-crisc-cipm-85jef
119. *15 synthetic data use cases in banking - MOSTLY AI*. https://mostly.ai/blog/15-synthetic-data-use-cases-in-banking
120. *Ondato Case Studies: KYC, AML & Compliance Success*. http://ondato.com/case-studies
121. *Fetched web page*. http://ai-ryvl.com/
122. *Spanish Bank Fined After Deleting Former Employee's Data*. https://www.vitallaw.com/news/spanish-bank-fined-after-deleting-former-employee-s-data/cspd01647516520dd2499291f56a81b9c44e15
123. *GDPR Compliance In Banking - Meegle*. https://www.meegle.com/en_us/topics/banking/gdpr-compliance-in-banking
124. *Spanish Data Protection Authority (AEPD) imposes fine of 6.000.000 ...*. https://www.edpb.europa.eu/news/national-news/2021/spanish-data-protection-authority-aepd-imposes-fine-6000000-eur-caixabank_en
125. *AEPD fines BBVA €5M for GDPR information and consent ...*. https://www.dataguidance.com/news/spain-aepd-fines-bbva-5m-gdpr-information-and-consent
126. *Spain: AEPD fines CaixaBank €5M for inadequate security measures*. https://www.dataguidance.com/news/spain-aepd-fines-caixabank-5m-inadequate-security
127. *Data Security Market Size Report & Forecast Analysis, 2031*. https://www.mordorintelligence.com/industry-reports/data-security-market