New EU Regulation harmonises cross-border enforcement of data protection across the Union

On 26 November 2025, the European Parliament and the Council adopted Regulation (EU) 2025/2518, a new EU law that lays down additional procedural rules for enforcing the General Data Protection Regulation (GDPR) in cross-border cases. The regulation was published in the Official Journal on 12 December 2025 and will enter into force 20 days after publication. It will apply from 2 April 2027, following a transitional period that gives authorities and stakeholders time to prepare for its implementation.

The GDPR (in force since 2018) created a single set of data protection rules across the EU and a cooperative enforcement system for cases involving personal data processed in more than one Member State. Under the existing framework, if a complaint concerns cross-border processing (for example, when a resident of one Member State alleges unlawful data handling by a company established in another), a lead supervisory authority is appointed to coordinate the investigation with other national data protection authorities. However, differences in national administrative procedures have often led to delays, legal uncertainty and uneven outcomes in cross-border enforcement.

The Regulation addresses these challenges by introducing harmonised procedural rules that apply whenever a case falls under the GDPR’s cross-border cooperation mechanism. One of the main improvements for cross-border cases is the introduction of uniform criteria for the admissibility of complaints, which ensure that individuals face the same basic requirements across the EU. The regulation also strengthens procedural fairness by guaranteeing that complainants and organisations under investigation are informed of key steps and have the opportunity to be heard before final decisions are taken.

To improve efficiency in cross-border enforcement, the regulation sets clear timeframes for investigations and introduces mechanisms for resolving cases more quickly when issues have been remedied and no objections remain. These measures aim to reduce delays and inconsistencies that have affected complex cross-border GDPR cases in recent years.

Overall, Regulation (EU) 2025/2518 reinforces a more coherent and transparent enforcement framework for cross-border cases to the benefit of individuals, businesses and public authorities across the EU, while not changing the GDPR's substantive data protection rights.

 

The full text of Regulation (EU) 2025/2518 can be found here.
