Will EU Privacy Authorities Start Enforcing the GDPR More Often?
If your business operates across multiple EU countries, you have probably noticed that GDPR enforcement has not always been consistent. Cases drag on for years. Different national authorities apply different procedures. The outcome can feel unpredictable.
That is exactly the problem the EU set out to fix.
What happened
Back in 2023, the European Commission proposed new rules to strengthen cooperation between EU Data Protection Authorities (DPAs) when handling cross-border GDPR cases. The idea was straightforward: if a company processes data across multiple EU member states, the DPAs involved need clear, shared procedures to work together effectively.
The proposal went through the full EU legislative process, and in December 2025 it became law as Regulation (EU) 2025/2518. The regulation will become applicable 15 months after its publication, meaning enforcement under the new rules is approaching fast.
What this means for you
A few things are changing in practice.
First, investigations now come with binding deadlines. Complex cross-border cases must be wrapped up within 15 months, with a possible extension of up to 12 additional months for the most complex matters. Simpler cases go through a streamlined procedure with a 12-month limit. For businesses, this means more predictability: you will know where you stand and within what timeframe.
Second, complaint handling becomes more consistent across all 27 EU member states. Until now, the rules varied significantly depending on which national DPA was leading a case. The new regulation harmonises those procedures, so the process becomes more uniform regardless of where a complaint is filed.
Third, your rights as a party under investigation are more clearly defined. You now have the right to access the relevant case file and the right to be heard at key stages of the process.
Does this mean DPAs will suddenly start investigating far more cases? Not necessarily. What it does mean is that the administrative barriers that previously slowed things down are being removed. Cases that used to stall can now move forward more efficiently.
For businesses that are already compliant, this is broadly good news: faster resolution, more legal certainty, and a clearer process. For businesses that have been hoping slow enforcement would shield them, the landscape is shifting.
What to do now
Now is a good time to take stock of your cross-border data flows and confirm which DPA acts as your lead supervisory authority. That depends on where your main establishment is located, and it determines who leads any investigation involving your business.
If you are not sure whether your current compliance setup holds up under increased enforcement scrutiny, we can help you review it. Get in touch to book a call.