For seven years, the GDPR’s one-stop-shop has been the regime’s most criticised mechanism. A complaint lodged in Berlin against a controller headquartered in Dublin could sit for years while supervisory authorities argued over admissibility, scope, and procedure — with each Member State applying its own national rules to a regulation meant to be uniform. Regulation (EU) 2025/2518, the GDPR Procedural Regulation, is the EU’s answer. It was published in the Official Journal on December 12, 2025, and will become applicable from April 2, 2027, leaving organisations and supervisory authorities (SAs) roughly twelve months from now to adapt.
The regulation does not change a single substantive obligation under the GDPR. What it changes is the procedural plumbing: who decides admissibility, on what timeline, with what cooperation duties, and with what rights for the parties involved. For data protection officers, in-house counsel, and security teams who track regulatory exposure, the practical effect is significant — investigations will move faster, defence rights will harden, and the room for procedural delay will narrow on both sides.
What Regulation 2025/2518 Actually Does
The Procedural Regulation is narrower in scope than its name suggests. It lays down procedural rules for the handling of complaints and the conduct of investigations in complaint-based and ex officio cases by supervisory authorities in the enforcement of Regulation (EU) 2016/679 where those cases concern cross-border processing. Purely domestic complaints — a German resident complaining about a German controller processing only in Germany — remain governed by national procedural law.
The regulation runs to 68 recitals and 37 Articles. It addresses three persistent failure modes in the existing system: fragmented admissibility standards across the 27 national authorities, indefinite timelines that allowed flagship cases to stretch past five years, and procedural rights that varied so widely that controllers and complainants experienced fundamentally different processes depending on which Member State took the lead.
A critical timing nuance matters for any active matter. The new procedural rules apply to ex officio investigations opened after April 2, 2027, and to complaints filed after that date. Ongoing investigations are therefore not suddenly subject to this new regime. Cases already in flight on application day stay under the existing patchwork. The regulation also entered into force on 1 January 2026, applies from 2 April 2027 — the gap is deliberate, giving SAs time to build the operational machinery.
Harmonised Admissibility: The End of National Idiosyncrasy
The most immediate change for complainants is a single EU-wide standard for what makes a cross-border complaint admissible. Under the current regime, a complaint that satisfied Irish requirements might be rejected in France for lacking a notarised signature, or returned by the German DPA for failure to attempt direct contact with the controller first. That ends.
Article 3 sets a closed list. A complaint on the basis of Regulation (EU) 2016/679 concerning cross-border processing shall be admissible provided that it includes the following information: (a) the name and contact details of the person lodging the complaint; (b) where the complaint is lodged by a not-for-profit body, organisation or association referred to in Article 80 of Regulation (EU) 2016/679, proof that that body, organisation or association has been properly constituted, contact details and mandate evidence where Article 80 representation applies, information which facilitates the identification of the controller or processor that is the subject of the complaint; (e) a description of the alleged infringement of Regulation (EU) 2016/679.
Two design choices matter here. First, the list is exhaustive — no information additional to that referred to in the first subparagraph shall be required in order for a complaint concerning cross-border processing to be admissible. National authorities cannot bolt on extra hurdles. Second, the complainant shall not be required to have contacted the party under investigation before lodging a complaint in order for that complaint to be admissible. Pre-complaint contact requirements that several Member States imposed are gone for cross-border cases.
The triage timeline is tight. Where the supervisory authority with which a complaint has been lodged determines that the complaint does not contain the information referred to in paragraph 1, first subparagraph, it shall, within two weeks of receiving that complaint, declare that complaint inadmissible and inform the complainant of the reasons thereof. An admissibility determination by the receiving authority binds the lead authority — there is no second look.
The Binding Timelines
The regulation’s headline feature for most readers is hard deadlines on investigations. The system is sequenced: triage, transfer, investigation, draft decision, dispute resolution where needed.
Where a complaint that concerns cross-border processing is admissible and in the absence of an early resolution pursuant to Article 5, the supervisory authority with which the complaint has been lodged shall transmit that complaint to the supervisory authority it presumes is competent to act as lead supervisory authority no later than six weeks from the receipt of that complaint and inform the complainant of that transmission. The presumed lead has its own six-week clock to confirm competence or escalate. Within six weeks of the receipt of a complaint, the supervisory authority presumed to be competent to act as lead supervisory authority shall either confirm its competence or, where there are conflicting views on which of the other supervisory authorities concerned is competent for the main establishment, refer the subject matter to the European Data Protection Board (the ‘Board’) for dispute resolution under Article 65(1), point (b).
Once the lead is fixed, the investigation clock dominates. The lead supervisor must, in principle, submit a draft decision within 15 months of confirmation of its competence. This period may be extended only once and in exceptional cases. Other commentators describe the extension as up to 12 additional months for genuinely complex investigations. Simpler coordination procedures will have a 12-month deadline.
The teeth on these deadlines are unusual — they bite asymmetrically. Where the SA takes procedural steps after the expiry of their corresponding time limits, the Procedural Regulation provides that this cannot be considered grounds for the illegality or invalidity of the procedural step in question or of the final decision. A failure to submit a draft decision or adopt a final decision within the time limit provided for in the Procedural Regulation or in Article 65(6) GDPR will, however, be considered in assessing whether a SA has not handled a complaint in accordance with the data subject’s right to an effective judicial remedy against a competent supervisory authority.
In plain English: a controller cannot get a decision annulled because the SA missed a deadline, but a complainant can use that delay as evidence that the SA failed in its duty. That asymmetry will pressure SAs to staff up rather than slow-walk.
Early Resolution and the Simple Cooperation Track
Not every cross-border complaint deserves the full machinery. The regulation introduces two faster lanes: early resolution under Article 5 and a simple cooperation procedure for clear-cut cases.
Early resolution is narrower than the marketing suggests. An early resolution mechanism will allow DPAs to resolve complaints that concern the exercise of Chapter III rights under the GDPR (e.g. access requests) swiftly without involving other DPAs. This will apply where a DPA can establish that the alleged infringement has been brought to an end and provided the complainant does not object to this approach. The mechanism targets the largest single category of GDPR complaints — data subject rights requests — and lets a single DPA close the file when the controller has remedied the issue.
There is a wrinkle that defence-side commentators have flagged. Although the early resolution of a case will be without prejudice to the lead supervisory authority’s exercise of its powers under Article 58 of the GDPR, including its power to impose fines, it appears that the lead supervisory authority will be enabled to exercise those powers ex officio. After the resolution of the complainant’s case, the complainant will no longer need to remain a party to the proceedings. This could significantly reduce the lead supervisory authority’s inclination to impose fines. Practical translation: organisations that cure quickly may avoid escalation altogether, which is precisely the incentive the regulation appears to create.
The simple cooperation procedure handles the next tier. Once the LSA has formed a preliminary view on the main issues in the investigation, and considers that (i) there is no reasonable doubt as to the scope of the investigation; and (ii) the legal and factual issues do not require the additional co-operation involved in a complex investigation, it may engage with other supervisory authorities under the simple co-operation procedure. For example, Articles 16 (procedure for rejection or dismissal of a complaint) and 19 (obligation to draft preliminary findings) do not apply under the simple co-operation procedure.
Procedural Rights for Both Sides
The regulation is unusually balanced. It gives complainants stronger participation rights and gives parties under investigation harder defence rights, in roughly equal measure.
For complainants, the right to be heard before rejection is now uniform. Where the LSA’s preliminary view is to partially reject or dismiss a complaint, it must provide reasons for this view and give the complainant a period of between three and six weeks to give written views on these reasons. If the LSA maintains its preliminary view after receiving the complainant’s views, it will prepare a draft decision. If the revised draft decision raises new elements, the LSA must give the complainant a further three- to six-week period to provide written views on these new elements.
For parties under investigation, the regime introduces something closer to formal preliminary findings. The lead authority must produce a document setting out the alleged facts, evidence, and legal assessment, and the party must be given an opportunity to respond before the draft decision is finalised. New procedural rights will be introduced for parties involved in investigations. These include the right to receive preliminary findings and the right to be heard during the complaint-handling and investigation stages.
Confidential information protection is hardened in parallel. With the new rules for the treatment of confidential information, the Regulation aims to protect trade secrets – as defined in Directive (EU) 2016/943 on the protection of undisclosed know-how and business information (trade secrets) – and other confidential information. The party under investigation must contribute to the protection of confidential information by clearly identifying such information at the time of its submission (Article 25(3) of the Regulation).
What Organisations Should Be Doing Between Now and April 2027
The lead time is generous on paper and short in practice. Three internal workstreams matter.
The first is complaint-handling readiness. The Article 3 admissibility list is also a roadmap of what a complainant will hand a controller’s regulator on day one — name and contact details, controller identification, description of the alleged infringement. Internal incident response and complaint-intake procedures should be tested against the assumption that a transmitted complaint will arrive at the lead authority within six weeks of being lodged anywhere in the EU.
The second is documentation. Preliminary findings and the right to be heard depend on the controller’s ability to produce coherent, contemporaneous records under tight response windows. The regulation’s procedural fairness gains are real, but they only help an organisation that can populate them with evidence.
The third is governance of cross-border processing itself. The regulation operates only on cases involving cross-border processing — the determination of which is itself a procedural question the regulation addresses. Organisations that have been ambiguous about which establishment is their main establishment for GDPR purposes should resolve that ambiguity before a complaint forces the question.
Frequently Asked Questions
Does the Procedural Regulation change GDPR fines?
No. The substantive grounds, the categories of infringement, and the fining tiers under Article 83 GDPR are untouched. What changes is the procedure that produces a fining decision and the timeline within which it must be produced.
Will it apply to investigations already underway on April 2, 2027?
No. The new procedural rules apply to ex officio investigations opened after April 2, 2027, and to complaints filed after that date. Ongoing investigations are therefore not suddenly subject to this new regime. Active matters continue under the rules in force when they were opened.
Does it apply to purely national complaints?
No. The regulation governs cross-border processing only. Purely domestic complaints continue under national procedural law.
Can supervisory authorities still miss the deadlines?
In practical effect, yes — a missed deadline does not invalidate the procedural step or the final decision. But missing the draft-decision deadline is treated as relevant evidence in any judicial-remedy proceedings a complainant brings against the SA, which gives missed deadlines a litigation cost rather than a cure cost.
Whether It Will Actually Work
The honest answer is that we will know in 2028 at the earliest. The regulation’s premises are sound: harmonised admissibility removes a real source of delay, binding deadlines create accountability that the Article 60 cooperation mechanism never had, and the early resolution lane should drain the pipeline of routine access-request disputes.
The risk is that the SAs cannot scale to meet the new tempo. Being able to operationalise the regulation’s requirements and facilitate the timeframes and cooperation requirements of the Procedural Regulation will involve significant work for SAs over the course of 2026. A 15-month draft-decision window is tight even for a fully resourced authority working a single matter. Several national DPAs have spent years complaining about budget and headcount; the regulation does not solve that problem, it transfers it from a complaint about delay to a litigation risk over delay.
For organisations, the safer assumption is that cross-border enforcement is about to become both faster and more legally formalised, with shorter response windows and harder procedural posture on both sides. Treat April 2, 2027 as a deadline for internal readiness, not the regulator’s deadline.
