EDPB Binding Decisions Can Be Challenged Directly by Organizations Before EU Courts

The GDPR’s cross‑border enforcement framework relies on a lead supervisory authority that coordinates with other national bodies, while the European Data Protection Board steps in to resolve disputes through binding decisions. Historically, companies forced to contest those decisions had to navigate a two‑stage process: first appealing the national authority’s final ruling, then hoping a domestic court would refer the matter to the CJEU. This indirect route often led to procedural delays and strategic uncertainty, especially when national courts declined to refer questions for a preliminary ruling.

The CJEU’s February 10 2026 judgment in Case C‑97/23 P fundamentally changes that landscape. By classifying EDPB binding decisions as acts of an EU institution that are directly reviewable under Article 263 TFEU, the Court grants organizations standing to file annulment actions before the EU’s General Court without first exhausting national remedies. The ruling emphasizes that such decisions are not merely intermediate steps but definitive measures that determine a company’s legal position, thereby satisfying the direct‑concern test. This legal clarification empowers data‑processing firms to shape the arguments presented to the CJEU and to control the timing of their challenge.

Practically, the decision is set to accelerate GDPR litigation and increase pressure on supervisory authorities to produce well‑reasoned, proportionate EDPB decisions. Companies can now integrate EU‑level legal risk assessments into their compliance programs, potentially reducing reliance on fragmented national court strategies. For regulators, the precedent encourages greater diligence in drafting binding decisions, knowing they may be scrutinized directly by the EU courts. Overall, the ruling strengthens the enforcement architecture of the GDPR while offering businesses a clearer, more efficient avenue to defend their cross‑border data‑processing practices.