Enhancing GDPR Enforcement: The EU’s New Procedural Regulation for Cross‑Border Cases

Written By: Jameson Pasek and Crystel Saraie

As GDPR enters its seventh year, the Regulation’s core principles, such as consent, data transfers, and compensation, remain prominent. But one crucial dimension has been overlooked in much of the discussion so far: the evolution of enforcement mechanics themselves, particularly in cross-border cases. In mid-2025, the European Parliament and the Council provisionally adopted a new GDPR Procedural Regulation for cross-border enforcement, introducing harmonized complaint standards, binding timelines, and enhanced procedural rights. This landmark procedural update marks the first significant overhaul of GDPR enforcement processes since 2018.

Why Reform Was Urgent

Historically, the GDPR’s one‑stop‑shop mechanism, where one lead supervisory authority handles cross-border complaints, has been hampered by procedural complexity, inconsistent investigative standards across Member States, and significant delays in case resolution. [1] [2] [3]

What the New Regulation Changes

Adopted provisionally on 16 June 2025, this new Regulation introduces harmonized procedural rules aimed to streamline cross-border enforcement, bringing clarity, speed, and transparency to the process. Key changes include:

Unified Complaint Admissibility Standards
Regardless of where a complaint is filed within the EU, the admissibility assessment will follow a single harmonized standard, eliminating currently fragmented criteria across jurisdictions. [1] [2]

Enhanced Procedural Rights
Complainants will now consistently have a right to be heard, including if their complaint is initially rejected. [3] Organizations under investigation gain rights too, such as access to preliminary findings and opportunities to comment, boosting procedural fairness. [1]

Firm Binding Timelines
Complex cases must be concluded within 15 months, with a single possible extension of up to 12 additional months. [4] Simplified cross-border procedures, when suitable, have a 12-month max timeline. [4]

Simplified and Early Resolution Pathways
In straightforward cases, authorities may use a light-touch cooperation model, expediting outcomes while ensuring rights remain protected. [4]

Early Liaison Mechanisms
Lead authorities must share summaries of key issues early, enabling other national DPAs to align and respond more effectively, reducing internal conflicts and delays. [3]

What’s Next?

While the agreement is politically secured, it awaits formal adoption by both the Parliament and the Council, expected in late 2025, after which it will become the first major update to GDPR enforcement procedures since the Regulation came into force in 2018. [3]

Broader Implications

This procedural overhaul is shaped to deliver:

Faster, more predictable enforcement across Member States.
Greater procedural fairness for both complainants and organizations.
Enhanced clarity and consistency in cross-border investigations.
A boost to the one‑stop‑shop mechanism, reinforcing GDPR’s unified supervision model with operational rigour. [1] [3]

This publication is distributed with the understanding that the author, publisher, and distributor of this publication and/or any linked publication are not rendering legal, accounting, or other professional advice or opinions on specific facts or matters and, accordingly, assume no liability whatsoever in connection with its use. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising. The choice of a lawyer is an important decision and should not be based solely upon advertisements.

Council of the European Union, Press Release, Data Protection: Council and European Parliament Reach Deal to Make Cross-Border GDPR Enforcement Work Better for Citizens (June 16, 2025), https://www.consilium.europa.eu/en/press/press-releases/2025/06/16/data-protection-council-and-european-parliament-reach-deal-to-make-cross-border-gdpr-enforcement-work-better-for-citizens/
European Commission, Data Protection in the EU, EUR. COMM’N,from https://commission.europa.eu/law/law-topic/data-protection/legal-framework-eu-data-protection_en (last visited Sept. 10, 2025).
European Parliament, Further specifying procedural rules relating to the enforcement of the General Data Protection Regulation, Legislative Train Schedule, https://www.europarl.europa.eu/legislative-train/theme-protecting-our-democracy-upholding-our-values/file-specifying-procedural-rules-relating-to-the-enforcement-of-the-gdpr (2025).
Federation of Business Information Services (FEBIS), EU finalizes GDPR procedural regulation to improve cross-border (June 19, 2025), enforcement. https://www.febis.org/2025/06/19/eu-finalizes-gdpr-procedural-regulation-to-improve-cross-border-enforcement/

Related News & Insights

Caldwell Recognized on the Inc. 5000 List for Sixth Consecutive Year

Caldwell Advises Forterra on the Acquisition of goTenna

New IRS Guidance Provides Clarity on Treaty Relief for Common Cross-Border Investment Structures

Caldwell Ranks Among the Inc. 5000 America’s Fastest-Growing Private Companies List for the Fifth Year in a Row

Litigating Technology Companies’ Business Torts: Where the Pursuit of Tortious Interference Fails for Lack of an Existing Business Relationship

Stay up-to-date with our newsletter