A €10,000 penalty is small, but the message is not: once systems are compromised, regulators look hard at whether basic security was in place before the incident.