European policymakers are currently changing a tyre on a moving car. They are navigating the implementation of the AI Act while simultaneously engaging in critical reflections on how the Act can be simplified and on the future of the GDPR. The central question: How do we find the right balance between empowering businesses to leverage the full potential of AI and ensuring privacy protection remains uncompromised?
The findings from the Cisco 2026 Data and Privacy Benchmark Study, released today, provide a clear answer. To stay competitive, regulatory approaches must meet the new realities of AI and enable businesses to keep pace with rapid technological change. There is an urgent need, highlighted both by industry feedback and ongoing policy debate, to move towards modernised agile data governance frameworks.
Privacy as a Growth Enabler
For years, privacy was often framed in policy circles as a defensive necessity, a brake on innovation. Our latest study suggests that narrative fails to paint the whole picture. Today, 90% of organisations globally (86% in Europe) report that their privacy programmes have expanded specifically because of AI, and 93% plan to increase investments in data governance over the next two years.
An overwhelming 99% of organisations report at least one tangible benefit from privacy investments. But the nature of that benefit has changed. It is no longer just about compliance or avoiding fines. For example, 94% of European organisations report that robust privacy frameworks unlock AI agility and innovation, and 93% recognise privacy is essential for building customer trust in AI-powered services.
Bridging the Governance Gap
While AI ambition is high, governance is still evolving. Even though 82% of EU organisations report having a dedicated AI governance body in place, only 9% describe these structures as mature.
One of the key bottlenecks is data governance. Data is the lifeblood for AI training, fine-tuning, and inference. But 60% of organisations struggle to access the high-quality, relevant data needed to train and deploy AI effectively, with many pointing to the associated cost of data preparation and governance as a key barrier to AI success.
While companies need to invest in data governance, policymakers are beginning to recognise they also need to streamline overly complex data requirements that act as an inhibitor to AI success in their jurisdictions. As a result, the EU is proposing to simplify some of the data governance requirements for AI training through reforms to the GDPR in the so-called ‘Digital Omnibus’ regulation.
Data Localisation vs. Global Realities
One of the most pressing tensions in Europe involves data localisation and digital sovereignty. While the impulse to keep data within borders is understandable, the operational reality for businesses is far more nuanced than “black-or-white” political messaging suggests.
According to the 1,700 security and privacy professionals we surveyed in the EU, 72% say they face heightened demand for data localisation and global data complexity due to AI. For the EU’s digital goals, it is a significant warning sign that 84% of organisations find that data localisation adds cost, complexity, and risk to cross-border service delivery.
We are also seeing a shift in security perceptions in Europe. The assumption that locally stored data is inherently more secure is eroding, falling from 91% in 2025 to 83% in 2026. Meanwhile, 79% of organisations operating globally believe that global-scale providers are better equipped to manage complex, multi-jurisdictional data flows than local entities.
To foster a competitive AI ecosystem, Europe must address these “global pressure points.” The study shows that 83% of respondents support more harmonised international data transfer rules to streamline compliance.
A Call for Modernisation
As the debate over a GDPR review continues, we must ensure that our data protection framework evolves to handle AI. The EU must champion a regulatory environment that favours interoperability-at-scale over isolation. By modernising Europe’s approach to cross-border data flows and focusing on streamlined data governance, policy can support responsible, secure innovation at speed.
More on this in this Q&A with Dev Stahlkopf, EVP and Cisco’s Chief Legal Officer and on Cisco’s Trust Center.