France’s data protection Supervisory Authority, CNIL, has just announced what appears to be the first combined fine for a controller and one of its processors – and the decision is very important in terms both of effective cyber security measures and in relation to the controller-processor relationship.
This article gives more detailed information: CNIL Fines a Data Controller and Its Processor 225,000 Euros for Security Violation in Connection with Credential Stuffing – Lexology