The Data Protection Commission has found that Yahoo EMEA's oversight of how Yahoo in the United States dealt with data belonging to EU citizens did not meet the standard required by EU law.
Its final report into one of the largest breaches to impact EU citizens, which affected some 39 million European users in 2014, was issued today.
The breach was reported to the Commission in 2016.
It involved the unauthorised copying and taking, by one or more third parties, of material contained in approximately 500 million user accounts from Yahoo Inc infrastructure in 2014.
The Commission also found that Yahoo's reliance on global policies, which defined the appropriate technical security and organisational measures it implemented, did not adequately take into account Yahoo's obligations under data protection law.
It also said Yahoo did not take sufficient, reasonable steps to ensure that the data processor it engaged complied with appropriate technical security and organisational measures as required by data protection law.
No fines or sanctions were issued in this case as it predated the introduction of the GDPR, which now gives such powers to the Data Protection Commission.
The data breach was the largest ever notified to and investigated by the DPC.
On foot of this investigation, the DPC has notified Yahoo, now known as Oath EMEA Ltd, that it requires it to take specified and mandatory actions within defined time periods.
The DPC said it will be closely supervising Yahoo's timely compliance with the required actions.