Introduction 

On 17 November 2025, the Council of the European Union formally adopted a new regulation aimed at strengthening and accelerating the enforcement of the General Data Protection Regulation (GDPR) in cross-border cases. This legislative development represents the final step in a reform process that began with a proposal from the European Commission in July 2023 and culminated in provisional political agreement between the Council and the European Parliament in June 2025, followed by the Parliament’s formal adoption in October 2025.  

The regulation introduces harmonised procedural rules governing cooperation between national data protection authorities (DPAs) in cross-border GDPR complaints. Its central objective is to address long-standing inefficiencies in the EU’s enforcement framework, particularly those arising under the GDPR’s “one-stop-shop” mechanism. By standardising admissibility criteria, strengthening procedural rights, introducing binding deadlines, and creating simplified cooperation procedures for straightforward cases, the regulation seeks to ensure that cross-border enforcement becomes faster, more transparent, and more predictable. 

This blog analyses the background, content, and implications of the new EU regulation, drawing exclusively on the information provided and situating the reform within the broader context of EU data protection enforcement. 

Cross-Border Enforcement under the GDPR 

The General Data Protection Regulation, which entered into force in 2018, fundamentally reshaped the regulation of personal data across the European Union. By establishing uniform substantive rules on data processing, transparency, and accountability, the GDPR aimed to ensure a high and consistent level of data protection for individuals across Member States. 

To implement this goal in cases involving cross-border processing, the GDPR introduced a system of cooperation between national DPAs., where data processing affects individuals in more than one Member State, a single national authority acts as the “lead supervisory authority” (LSA), while remaining obliged to cooperate with DPAs in other affected states. 

Despite its ambition, the cross-border enforcement framework has faced sustained criticism since 2018. In practice, cross-border cases have often been characterised by lengthy investigations, fragmented procedures, and inconsistent treatment of complaints. Divergent national procedural rules have led to uncertainty over the admissibility of complaints, uneven involvement of complainants, and delays in final decision-making. 

One of the most persistent concerns has been the lack of binding timelines. Investigations in high-profile cross-border cases have sometimes taken several years to conclude, undermining both effective enforcement and legal certainty for businesses and individuals alike. These shortcomings prompted calls for procedural harmonisation to complement the GDPR’s substantive uniformity. 

Legislative Evolution of the New Regulation 

In response to these systemic weaknesses, the European Commission published a proposal on 4 July 2023 to introduce common procedural rules for cross-border GDPR enforcement. The proposal sought to streamline administrative cooperation, clarify the rights of complainants and investigated parties, and reduce the number of disputes escalated to EU-level dispute resolution. 

Following negotiations between EU institutions, the Council and the European Parliament reached provisional agreement on the text on 16 June 2025. The Parliament formally adopted the regulation on 21 October 2025, signalling broad political consensus on the need for reform. 

The Council’s adoption on 17 November 2025 constituted the final legislative step. According to the agreed timeline, the regulation will enter into force 20 days after publication in the Official Journal of the European Union and will become applicable 15 months thereafter. 

Core Objectives of the New Procedural Rules 

The regulation is designed to enhance the effectiveness of cross-border GDPR enforcement through four interrelated objectives: 

1. Harmonisation of procedural standards across Member States 

   
   

2. Strengthening of procedural rights for complainants and investigated parties 

   
   

3. Acceleration of investigations through binding deadlines and simplified procedures 

   
   

4. Improved cooperation and consensus-building among DPAs 

Each of these objectives is reflected in specific legal mechanisms introduced by the regulation. 

Harmonised Admissibility Requirements 

A central reform introduced by the regulation concerns the admissibility of cross-border complaints. Prior to this reform, national DPAs applied varying standards when assessing whether a complaint met the conditions for investigation. This resulted in inconsistent outcomes depending on where a complaint was lodged. 

Under the new rules, admissibility requirements are harmonised across the EU. Regardless of the Member State in which a complaint is filed, DPAs must assess admissibility based on the same set of information and criteria. This ensures equal treatment of complainants throughout the Union. 

By clarifying the conditions under which complaints may be accepted or rejected, the regulation enhances legal certainty for individuals and reduces the risk of forum-dependent outcomes. It also fixes deadlines, linked to the complexity of investigations, within which admissibility must be determined, thereby preventing preliminary procedural stages from becoming a source of delay. 

A particularly significant development is the formal recognition of the “right to be heard.” Complainants must be given the opportunity to comment at defined stages of the procedure, reinforcing transparency and trust in the enforcement process. 

In parallel, the regulation strengthens the procedural guarantees available to companies or organisations subject to investigation. Investigated parties are entitled to receive preliminary findings and to submit comments before a final decision is adopted. This right to respond to preliminary conclusions reflects a fundamental principle of EU law and is especially important in proceedings that may result in significant administrative fines or corrective measures under the GDPR. 

Introduction of Deadlines for Investigations 

One of the most consequential reforms introduced by the regulation is the imposition of binding deadlines on investigations. As a general rule, cross-border investigations must be concluded within 15 months. For particularly complex cases, this period may be extended by an additional 12 months. 

For straightforward cases, the regulation introduces a “simple cooperation procedure.” Where appropriate, DPAs may resolve such cases without resorting to the full set of cooperation mechanisms. Investigations conducted under this simplified procedure must be completed within 12 months. This approach reduces administrative burden while ensuring that less complex matters are resolved efficiently. The regulation introduces an early resolution mechanism that allows authorities to close cases swiftly when the underlying issue has been addressed and the complainant agrees to the proposed outcome. This mechanism encourages pragmatic enforcement and avoids unnecessary procedural escalation. 

A further aim of the regulation is to reduce the number of cases referred to EU dispute resolution bodies by encouraging consensus at an earlier stage. By obliging DPAs to exchange all relevant information and engage in structured cooperation, the regulation seeks to address disagreements before they escalate. This approach is expected to improve predictability and consistency while preserving the integrity of the EU’s cooperative enforcement framework. The adoption of the new procedural regulation coincides with wider debates about the future of EU digital regulation. The European Commission has recently signalled its intention to simplify certain aspects of data protection law, citing concerns about regulatory complexity and compliance burdens. In this context, the procedural reform should be understood as an effort to strengthen enforcement effectiveness without altering the substantive rights and obligations established by the GDPR. 

Practical Implications for Organisations 

Organisations handling cross-border data within the EU must now adjust their internal compliance and complaint-handling processes to meet the updated procedural demands. This means bracing for tighter deadlines, more stringent transparency rules, and increased interaction with data protection authorities (DPAs). However, the regulation also provides businesses with a more predictable operational environment. Organisations can navigate regulatory risks with greater certainty, thanks to clear rules, well-defined procedural rights, and deadlines. 

The EU's Official Journal publishes this regulation, which takes effect twenty days later and becomes applicable 15 months later. So, even though the regulation gets the official nod in 2025, its actual rules won't take effect until 2027. The year 2026 will be a transition period, giving data protection authorities and the companies they oversee time to get their internal processes in order and get ready to comply with the new procedural setup. 

Conclusion 

The adoption of the Regulation on procedural aspects of cross-border GDPR enforcement marks a significant milestone in the evolution of EU data protection law. By harmonising admissibility criteria, strengthening procedural rights, introducing binding deadlines, and enhancing cooperation between national DPAs, the Council of the European Union has addressed some of the most persistent weaknesses in the GDPR’s enforcement architecture. 

While the regulation does not alter the substantive obligations imposed by the GDPR, it substantially improves the machinery through which those obligations are enforced. As a result, the EU data protection framework is poised to become more efficient, coherent, and trustworthy benefiting individuals, regulators, and organisations alike.