by dane-pgp
1980 days ago
For what it's worth, the European Union Agency for Cybersecurity publishes recommendations[0] for measures that digital services should implement to fulfil their responsibilities under the GDPR. One of the recommendations, K.6, is:

> User passwords must be stored in a “hashed” form.

These guidelines aren't legal requirements for every service, but if a data breach occurred, and passwords were leaked, regulators would presumably point to this recommendation, and the ease of complying with it, and take that into consideration when issuing a fine.

[0] https://www.enisa.europa.eu/risk-level-tool/help