New procedural rules for cross-border GDPR enforcement: what will change with Regulation (EU) 2025/2518?

The European legislator has taken an important step towards harmonizing GDPR enforcement. With the publication of Regulation (EU) 2025/2518 in the Official Journal on December 12, 2025, the rules for cross-border investigations and complaints will be thoroughly revised. Although the substantive obligations of the General Data Protection Regulation (GDPR) remain unchanged, this new regulation provides for stricter deadlines, harmonized complaint requirements, and strengthened defense rights for organizations.

The GDPR provided for a system whereby a single lead supervisory authority is responsible for cross-border processing operations through the “one-stop shop” mechanism. In practice, however, this system often proved to be hampered by differences in national procedural rules. With the new Regulation (EU) 2025/2518, the EU aims to address this procedural fragmentation in order to ensure legal certainty and efficiency.

1. Uniform rules for the admissibility of complaints

Until now, the requirements for filing a complaint varied greatly from one Member State to another. The new regulation puts an end to this by establishing strict, uniform criteria for the admissibility of cross-border complaints.

From now on, a complaint will only be admissible if it contains specific information, including:

• The complainant's contact details;
• Information that facilitates the identification of the controller or processor;
• A specific description of the alleged infringement.

Important for practice: No additional information may be requested beyond what is required by the regulation. This means that organizations operating as data controllers would be well advised to review their internal complaint handling procedures now.

2. Strengthening the rights of the defense

For organizations that are the subject of an investigation, the regulation provides essential procedural safeguards. The focus is on the right to be heard before a final decision is made.

Preliminary findings

When a lead supervisory authority intends to establish an infringement, it must first draw up “preliminary findings.” This document must contain all the facts, evidence, and legal assessment, as well as the corrective measures (such as fines) that are being considered.

Tight response times

This presents a challenge for your compliance team. After notification of the preliminary findings, the party under investigation is given a minimum of three and a maximum of six weeks to respond in writing or request a hearing. This requires your organization to be able to gather evidence and build a legal defense at very short notice.

Access to the file

The right to access the administrative file is explicitly codified. Organizations are given access to all incriminating and exonerating documents collected during the investigation, with the exception of internal deliberations and confidential information.

3. Speed and efficiency in the procedure

A common criticism of current GDPR enforcement is the slowness of decision-making. The new regulation introduces hard deadlines and efficiency mechanisms.

• Deadline for decisions: The lead supervisor must, in principle, submit a draft decision within 15 months of confirmation of its competence. This period may be extended only once and in exceptional cases.
• Early settlement: A mechanism will be introduced to deal with complaints quickly. If the infringement has been rectified and the complaint has become “without merit,” the supervisory authority may close the case, provided that the complainant does not object.
• Easy collaboration: For ‘clear-cut’ cases where there is no reasonable doubt, supervisors may opt for a simplified cooperation procedure to avoid bureaucratic delays.

4. Timeline and transitional provisions

The regulation will enter into force on January 1, 2026, but its actual application will start later.

• Date of application: The rules will apply from April 2, 2027.
• Current cases: The new procedural rules apply to ex officio investigations opened after April 2, 2027, and to complaints filed after that date. Ongoing investigations are therefore not suddenly subject to this new regime.

Frequently Asked Questions (FAQ)

Does this regulation change the fines that can be imposed?
No, the regulation is purely procedural. The substantive rules of the GDPR, including the criteria for fines (as set out in Article 83 GDPR), remain unchanged. However, the regulation does require the supervisory authority to indicate in its preliminary findings whether it is considering imposing a fine and on what grounds.

Does this apply to all GDPR complaints in Belgium?
No. This regulation specifically addresses matters relating to cross-border processing. For purely local infringements limited to a single Member State, national procedural rules remain in force.

Do I need to update my data protection policy?
Not directly as a result of this regulation. However, you should evaluate your internal processes for handling requests from data subjects and responding to complaints, so that you are ready for the stricter deadlines and formal requirements from 2027 onwards.

Conclusion

Regulation (EU) 2025/2518 marks a phase of maturity in GDPR enforcement. For organizations, this means greater legal certainty, but also a greater need for legal agility. The deadlines for responding to allegations are becoming shorter and more stringent. It is advisable to use the period until April 2027 to fine-tune your internal file-building and crisis management procedures.