Active Network is used by a number of events including Velothon Wales, the Cardiff Half Marathon and Ironman Wales to process registrations and payments.
The US firm has admitted payment details had been accessed over a nine-month period.
New EU rules - along with hefty fines - come into force in May.
The General Data Protection Regulation (GDPR) increases responsibilities on companies and protects EU citizens regardless of where the data is being used.
Read Declan's full comment below.
Declan Goodwin, of Cardiff-based firm Capital Law, said the Active Network breach highlighted why the GDPR was essential. He said: "Companies like Active Network will need to improve data protection compliance as breaches like this will have much more significant implications under GDPR." "The GDPR has a wider territorial scope than the current system, meaning companies outside of Europe that process the data of people in Europe can't ignore it."