The EDPB’s 2025 Annual Report highlights major enforcement trends, new guidance, and plans to simplify GDPR compliance, while emphasising growing alignment between data protection, AI, and wider EU digital regulation.
The European Data Protection Board (“EDPB”) published its 2025 Annual Report (the “Report”) which is available here. The Report provides an overview of the EDPB’s work in 2025 and reflects on its important milestones and objectives for 2026.
Helsinki Statement
On 3 July 2025, the EDPB adopted the Helsinki Statement on Enhanced Clarity, Support and Engagement (which is available here), which outlines new initiatives to make GDPR compliance easier, strengthen consistency, improve transparency with stakeholders, and boost cross-regulatory cooperation. The EDPB has committed to providing clearer, more practical and accessible guidance. It will develop standard templates such as a data breach notification template (it has already published a data protection impact assessment template which is currently subject to public consultation), and provide resources, guidelines, information and checklists to help organisations, particularly small and medium organisations, to comply with the GDPR.
The EDPB has also committed to strengthening relationships with stakeholders and focusing on early engagement and feedback. It also recognises the growing complexity of the digital regulatory landscape and has renewed its commitment to fostering cooperation with non-data protection regulators to address legal and practical challenges in cross-sectoral cases.
The EDPB’s commitment to simplifying the digital landscape highlights that data protection obligations can no longer be seen in isolation and organisations should instead focus on broader digital compliance, considering their obligations under data protection, artificial intelligence and cyber regulation.
EU Digital Omnibus Proposal
In November 2025, the European Commission published the draft Digital Omnibus Regulations (“DOR”), which aim to simplify the EU’s data protection and cyber laws (GDPR, EUDPR, ePrivacy Directive and NIS2) and also the EU AI Act. On 11 February 2026, the EDPB and EDPS issued a joint opinion (the “Joint Opinion”) on DOR, supporting the simplification of the EU digital framework while also recommending further clarifications and raising significant concerns that DOR would narrow the scope of data protection and may create legal uncertainty. You can read our commentary on the DOR which is available here and on the Joint Opinion which is available here.
Enforcement
The Report notes that European Supervisory Authorities issued €1.1 billion in fines in 2025 (some of these fines are subject to appeal so this figure may vary). The Irish Data Protection Commission (“DPC”) issued four fines, totalling nearly €531 million, the majority of which comes from the €530 million fine imposed on TikTok in 2025 for unlawful transfers of personal data to China. The French DPA (which issued 84 fines totalling €486 million) and the DPC represent nearly 90% of the data protection fines issued by European Supervisory Authorities, highlighting the concentration of technology companies headquartered in Ireland and France. The Report also showed that other jurisdictions issued a much higher number of fines but of lower value; for example, Slovakia issued 542 fines totalling €468,953 and Romania issued 102 fines totalling €437,000.
EDPB Guidelines
The EDPB issued several guidelines clarifying the interplay between data protection and other digital legislation, including the:
- Interplay between the EU Digital Services Act and the GDPR (Guidelines 03/2025)
- Interplay between the EU Digital Markets Act (“DMA”) and the GDPR
- Data transfers to third country authorities under Article 48 GDPR (Guidelines 02/2024)
The EDPB also issued two sets of recommendations and a range of consistency opinions.
Plans for 2026
The Report notes that the EDPB aims to “protect children effectively while avoiding generalised identification or surveillance”. The Report acknowledges that there is increasing public awareness around the need to protect children online and highlights the EDPB’s Statement on Age Assurance which adopts a risk-based approach and outlines 10 principles to verify user age, emphasising that protection of minors must be balanced with safety and privacy. We are not yet sure what approach EU legislatures will take in protecting minors online, including whether more jurisdictions will follow Australia’s approach to banning social media for those under 16 and Greece’s plan to ban social media for children under 15 from 2027.
The EDPB has also confirmed that it will issue new guidelines, jointly with the EU Commission, on the interplay between the AI Act and the GDPR as the digital landscape evolves. These guidelines should provide legal certainty, address technical challenges and reconcile conflicting principles in an ever-evolving landscape.
As already noted, we expect to see more guidance, resources and checklists to assist organisations with their GDPR and digital regulatory compliance.