New EU Regulation on Cross-Border GDPR Enforcement Procedures

On 12 December 2025, a new EU Regulation was published, setting harmonised procedural rules for the handling of cross-border GDPR enforcement cases by data protection authorities.

The Regulation standardises the procedural framework for complaint-based investigations and investigations initiated by data protection authorities on their own motion, involving cross-border processing. It structures the full enforcement lifecycle, from complaint admissibility and identification of the lead supervisory authority (for example, the Swedish Data Protection Authority).

The Regulation primarily affects EU supervisory authorities acting as lead or concerned authorities in cross-border cases. It also directly impacts controllers and processors involved in cross-border processing and complainants, including NGOs acting under Article 80 GDPR.

Key points

  • Complaint admissibility is strictly limited to core information (identity, controller/processor, and alleged infringement); no additional requirements may be imposed for admissibility.
  • Clear procedural time markers apply, including short deadlines for inadmissibility decisions (for example, inadmissibility must be decided within two weeks) and mandatory timelines for transferring complaints to the presumed lead authority (generally within six weeks of receipt).
  • A formal early resolution mechanism allows rights-based complaints to be closed quickly where the infringement has ended, subject to a complainant objection period (the complainant has four weeks to object; if no objection is made, the case is closed shortly thereafter).
  • Two cooperation tracks exist: a streamlined simple cooperation procedure for straightforward cases and a fuller consensus-driven procedure for complex cases.
  • The Regulation strengthens procedural guarantees, including the right to be heard, structured preliminary findings, and defined rules on access to the administrative file and confidentiality.
  • Built-in escalation mechanisms allow unresolved disagreements to be referred to the European Data Protection Board (EDPB), including under urgency procedures.

The Regulation enters into force 20 days after its publication in the Official Journal of the European Union and applies from 2 April 2027.

Full text of the Regulation is available here.

See All News Here

Related News

Swedish Supreme Court Adds Nuance to Previous Ruling on Bulk Requests for Court Judgments and Decisions

NIS2 and the Swedish Regulation Jungle

EU Commission Proposes Tech Sovereignty Package with New Rules for Chips, Cloud Services and AI infrastructure