On 26 November 2025, the European Parliament and the Council finally adopted a new Regulation laying down additional procedural rules on the enforcement of the General Data Protection Regulation (GDPR). The Regulation (Regulation 2026/2518) was published in the Official Journal L, 2025/2518 of 12.12.2025. It will improve cooperation between national data protection authorities in enforcing the GDPR. The law seeks to streamline how cross-border data protection complaints are handled across the EU, making procedures more efficient and predictable.

Under the new rules, the criteria for determining whether a cross-border complaint is admissible have been harmonised so that admissibility is assessed on the same basis – regardless of where a complaint is filed. Common procedural safeguards have also been introduced, including clear rights for complainants and organisations under investigation to be heard and to see preliminary findings. For straightforward cases, data protection authorities will have the option to use a simplified cooperation procedure without invoking the full set of cooperation mechanisms. The Regulation also imposes time limits: regular investigations are expected to conclude within 15 months, with possible extensions for complex cases, and simpler procedures within 12 months.

Regulation 2025/2518 entered into force on 1 January 2026 and it will apply from 2 April 2027.