The Regulation (EU) 2025/2518 laying down additional procedural rules on the enforcement of Regulation (EU) 2016/679 (hereby referred to as the “Regulation”) entered into force on the 1st of January 2026, and will become effectively applicable starting from 2 April 2027. The Regulation introduces a new set of procedural rules governing the enforcement of the Regulation (EU) 2016/679 (the “GDPR“) in cases involving cross-border data processing activities.
The GDPR establishes a system in which a single lead supervisory authority oversees cross-border processing through the “one-stop-shop” mechanism. In practice, however, this model has frequently been undermined by diverging national procedural rules, leading to delays and legal uncertainty. Against this backdrop, the new Regulation seeks to overcome these structural shortcomings by streamlining procedures and strengthening the effectiveness of cross-border enforcement.
Briefly, this Regulation is purely procedural, given that it seeks to reinforce the procedural framework for GDPR enforcement in cross-border cases, while enhancing clarity and cooperation among EU authorities when handling such matters. It is also important to note that the obligations under the GDPR, including the criteria for fines (as set out in Article 83 GDPR), remain unchanged; the Regulation solely introduces stricter deadlines, harmonised complaint requirements, and strengthened defence rights for data subjects and relevant organisations.
The key developments brought by the Regulation can be divided into three major areas, respectively:
I. Harmonisation & Unification of the rules for the admissibility of complaints
While, under the GDPR, the requirements for filing a complaint have so far varied significantly from one Member State to another, the new Regulation introduces certain significant novelties. In this respect, the Regulation puts an end to this fragmented approach, and establishes strict and uniform requirements for the admissibility of cross-border complaints.
For example, from now on, a complaint will only be admissible if it contains specific information, such as: (i) the complainant’s contact details; (ii) information facilitating the identification of the data controller or the data processor subject of the complaint; as well as (iii) a specific description of the alleged infringement of the GDPR’s provisions.
Why is this important in practice? The legal wording appears to set out an exhaustive list of admissibility requirements. As a result, no additional information may be requested beyond what is expressly required by the Regulation for a complaint to be considered admissible by the supervisory authority.
II. Introduction of stricter deadlines for authorities & Speeding up the processes
Under the GDPR, there were no binding deadlines for concluding cross-border investigations, allowing cases to remain unresolved for several years. The Regulation introduces stricter deadlines for supervisory authorities and efficiency mechanisms, such as:
▸ The Early Resolution stage: Article 5 of the Regulation establishes a procedure for early resolution of complaints related to cross-border data processing under the GDPR, specifically when the complaint concerns data subject rights, in accordance with Chapter III of the GDPR. In essence, Article 5 allows supervisory authorities to close cross-border complaints quickly when the issue has already been remedied, while preserving the complainant’s right to object and the authorities’ enforcement powers.
▸ New deadline for issuing decisions: the lead supervisory authority (”LSA”) must, in principle, submit a draft decision within 15 months of confirmation of its competence, under the provisions of Article 60 (3) GDPR. This period may be extended only once, for a maximum period of 12 months, and in exceptional cases.
▸ The “Anti-Bureaucracy” Clause: in cases where the LSA can form a preliminary view on the main issues in an investigation, which does not raise reasonable doubts, the LSA may resort to the Simple Cooperation Procedure, as set out in Article 6 of the Regulation, to streamline the process.
Failure to comply with the deadlines set out by the Regulation does not, in itself, invalidate procedural steps or final decisions. However, observance of these time limits could be relevant in assessing whether a supervisory authority has failed to act in handling a complaint, which may entitle the entitled parties to seek an effective judicial remedy under Article 78 GDPR.
III. Strengthening the rights of defence
The Regulation significantly strengthens procedural guarantees for controllers and processors under investigation, by establishing the so-called “right to be heard”. Thus, the focus is on the right to be heard before a final decision is made; thus, a decision issued by an LSA seems to be now more precisely “scratched“, as follows:
▸ Outlining Preliminary findings: in case the LSA intends to establish an infringement, it must first draw up “preliminary findings” concerning the respective infringement. This document must contain all the facts, evidence, and legal assessment, as well as the corrective measures (such as fines) that are being considered (Article 19 of the Regulation).
▸ Exercising the right to be heard: after notification of the preliminary findings, the party under investigation is given a minimum of three and a maximum of six weeks to respond in writing (Article 20 of the Regulation).
▸ Adoption of the final decision: if, after the draft decision is shared under Article 60(3) GDPR, no supervisory authority raises an objection within the applicable time limits provided by the Regulation, the LSA must, within one month: (i) adopt the final decision under Article 60(7) or Article 60(9) GDPR; and (ii) notify that decision to the controller’s or processor’s main or single establishment, as applicable. (Article 21 of the Regulation)
▸ Right to access the administrative file: parties under investigation are now expressly granted the right to access the administrative file, subject to the protection of trade secrets and confidential information and the right to receive preliminary findings setting out the alleged infringements and the corrective measure the LSA considers using (Article 24 of the Regulation). The administrative file includes all documents and evidence gathered by the lead and concerned supervisory authorities, whether inculpatory or exculpatory. It excludes internal communications within a supervisory authority.
Conclusion
The Regulation marks a new step in the evolution and strengthening of GDPR enforcement, further refining how the GDPR is applied in practice, from a procedural point of view. While it enhances legal certainty for organisations, it also requires increased legal agility due to stricter and shorter deadlines for responding to allegations.
Having said that, the Regulation replaces fragmented national rules with a unified, time-bound framework, ensuring more efficient, predictable, and transparent GDPR enforcement across the entire European Union.
