GDPR fines 2026: direct actions opened against EDPB decisions
On 10/02/2026, the CJEU allowed companies to bring direct actions against the EDPB’s “binding” decisions. The fine calculation method (Art. 83 GDPR) and compliance orders can now be challenged before the EU courts.
Summary — On 10 February 2026, the CJEU held that companies may bring direct actions against the EDPB’s “binding” decisions. Practically, the fine calculation methodology (Art. 83 GDPR) and compliance orders under the consistency mechanism become justiciable before the EU courts, in addition to national remedies.
The case
On 10 February 2026, in case C‑97/23 P, WhatsApp Ireland Ltd v. European Data Protection Board (EDPB), the Court of Justice of the European Union (CJEU) ruled that a binding decision adopted by the EDPB under Article 65 GDPR produces legal effects vis‑à‑vis third parties and may therefore be challenged by the directly and individually concerned company before the EU courts. The Court overturned the first‑instance inadmissibility ruling and declared WhatsApp’s action against EDPB Decision 1/2021 admissible. Sources: CJEU — Press release 11/26, CJEU — C‑97/23 P (Curia).
Two days later, on 13 February 2026, the French Conseil d’État reiterated that a CNIL sanction decision may refer to Article 83 GDPR criteria without reproducing each step of the EDPB method in full, provided that the decisive elements (seriousness, duration, intentional or negligent character, remedial measures, cooperation, categories of data, etc.) are expressly addressed. Source: CE 13/02/2026, No. 498628.
Legal reasoning
- Textual basis. Article 83 GDPR sets the general conditions for imposing fines and the criteria to be considered “in each individual case”; it requires fines to be “effective, proportionate and dissuasive” and lists adjustment factors (83(2)(a) to (k)). Official text: EUR‑Lex — Art. 83 GDPR (FR).
- Pan‑European method. EDPB Guidelines 04/2022 provide a five‑step method (qualification, starting point, aggravating/mitigating adjustments, 83(4)-(6) caps, proportionality check). Final 2023 version: EDPB — Guidelines 04/2022.
- Effect of EDPB decisions. Article 65 GDPR empowers the EDPB to adopt “binding decisions” to resolve disputes between authorities. In C‑97/23 P, the CJEU held these decisions produce legal effects for the targeted company and can therefore be challenged directly before the EU courts. This complements the remedies under Chapter VIII (Arts. 78‑84 GDPR). See CJEU — Press release 11/26 and the CNPD summary Chapter VIII — remedies and sanctions.
- National review of reasoning. The Conseil d’État (13/02/2026, No. 498628) confirms that, in national litigation, it suffices for the authority to show it assessed the Article 83 criteria; the EDPB guidelines clarify the method but do not impose a “spreadsheet‑level” reproduction, provided proportionality is reasoned. CE 13/02/2026, No. 498628.
What this changes in practice
- Two‑tier litigation to plan for. When a national decision is preceded by an EDPB decision (Art. 65), appeal strategy is no longer confined to the local courts. A directly affected company may bring an annulment action before the EU courts within the applicable deadlines. See the CJEU press release of 10/02/2026. For local support, visit our page on GDPR compliance in Luxembourg.
- Fine methodology. Expect increased demands to evidence the “Article 83 reasoning”. The CNPD must show, case by case, how the 83(2) criteria were weighed. EDPB 04/2022 remains the common grammar; the key argument is in concreto proportionality. References: EDPB 04/2022; Article 83 GDPR. From an organisational angle, maintaining a certified DPO mandate helps document decisions.
- GDPR/NIS 2/DORA coordination. For financial entities, a GDPR sanction may stack with technical expectations under NIS 2 or DORA; security (Art. 32 GDPR) and incident history will be scrutinised. The EDPB method factors in remediation and cooperation. For operational resilience, see our DORA framework overview.
- Case governance. Document risk assessments, measures, notifications, and cooperation with the CNPD and concerned authorities. These directly influence fine quantum (Art. 83(2)(c), (f), (h)). To strengthen security execution, an outsourced CISO can steer security workstreams.
Common pitfalls
- Confusing “EDPB guidelines” with binding law. Guidelines 04/2022 guide practice; they do not add new legal criteria. National judges review faithful consideration of Article 83 factors, not a rigid arithmetic checklist. CE 13/02/2026, No. 498628.
- Overlooking the legal effect of an EDPB decision. If your case went through Art. 65 GDPR, failing to consider a direct action before the CJEU has been a strategic mistake since 10/02/2026. CJEU — Press release 11/26.
- Under‑documenting proportionality. Authorities require proof: duration, scope of data, negligent or intentional character, remediation, cooperation (Art. 83(2)). Paper policies without operational evidence carry little weight. EUR‑Lex — Art. 83.
- Ignoring the “undertaking” concept for the cap. EDPB guidelines recall the competition‑law notion for the worldwide turnover base (2%/4%). EDPB 04/2022.
- Pursuing a purely formal defence. Challenging reasoning without addressing substance (security, minimisation, legal basis) rarely succeeds: what matters is relevant consideration of Article 83 criteria, not reproducing a spreadsheet. CE 13/02/2026, No. 498628.
Official sources
- CJEU — Press release No. 11/26 (10/02/2026)
- CJEU — Judgments and opinions page (C‑97/23 P)
- EDPB — Guidelines 04/2022 (final 2023)
- EUR‑Lex — GDPR, Article 83
- Conseil d’État (France) — 13/02/2026, No. 498628
- CNPD — Chapter VIII (remedies and sanctions)
Luxgap regulatory expertise article.