| Dokumendiregister | Riigikogu |
| Viit | 1-2/26-447/1 |
| Registreeritud | 26.06.2026 |
| Sünkroonitud | 27.06.2026 |
| Liik | EL dokument |
| Funktsioon | |
| Sari | |
| Toimik | Ettepanek - SEC(2026) 580, SWD(2026) 580, SWD(2026) 581, SWD(2026) 582, COM(2026) 580 |
| Juurdepääsupiirang | Avalik |
| Adressaat | |
| Saabumis/saatmisviis | |
| Vastutaja | |
| Originaal | Ava uues aknas |
EN EN
EUROPEAN COMMISSION
Brussels, 24.6.2026
COM(2026) 580 final
ANNEXES 1 to 2
ANNEXES
to the
Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE
COUNCIL
on the European Union Agency for Law Enforcement Cooperation (Europol), amending
Regulation (EU) 2018/1726 and Regulation (EU) 2024/982, and repealing Regulation
(EU) 2016/794
{SEC(2026) 580 final} - {SWD(2026) 580 final} - {SWD(2026) 581 final} -
{SWD(2026) 582 final}
EN 1 EN
ANNEX 1
List of forms of crime referred to in Article 5(1):
– terrorism;
– organised crime;
– drug trafficking;
– money-laundering activities;
– crime connected with nuclear and radioactive substances;
– migrant smuggling;
– trafficking in human beings;
– motor vehicle crime;
– murder and grievous bodily injury;
– illicit trade in human organs and tissue;
– kidnapping, illegal restraint and hostage-taking;
– racism and xenophobia;
– robbery and aggravated theft;
– illicit trafficking in cultural goods, including antiquities and works of art;
– swindling and fraud;
– crime against the financial interests of the Union;
– insider dealing and financial market manipulation;
– racketeering and extortion;
– counterfeiting and product piracy;
– forgery of administrative documents and trafficking therein;
– forgery of money and means of payment;
– computer crime, including cyberattacks;
– corruption;
– illicit trafficking in arms, ammunition and explosives;
– illicit trafficking in endangered animal species;
– illicit trafficking in endangered plant species and varieties;
– environmental crime, including ship-source pollution;
– illicit trafficking in hormonal substances and other growth promoters;
– sexual abuse and sexual exploitation, including child abuse material and solicitation
of children for sexual purposes;
– gender-based violence;
– genocide, crimes against humanity and war crimes;
– violation of Union restrictive measures.
EN 2 EN
ANNEX 2
CATEGORIES OF DATA SUBJECTS REFERRED TO IN ARTICLE 32
(1) Categories of data subjects referred to in Article 32:
(a) persons who, pursuant to the national law of the Member State concerned, are
suspected of having committed or having taken part in a criminal offence in
respect of which Europol is competent, or who have been convicted of such an
offence;
(b) persons regarding whom there are factual indications or reasonable grounds
under the national law of the Member State concerned to believe that they will
commit criminal offences in respect of which Europol is competent;
(c) persons who might be called on to testify in investigations in connection with
the offences under consideration or in subsequent criminal proceedings;
(d) persons who have been the victims of one of the offences under consideration
or with regard to whom certain facts give reason to believe that they could be
the victims of such an offence;
(e) contacts and associates; and
(f) persons who can provide information on the criminal offences under
consideration.
(2) ‘Contacts and associates’, as referred to in point 1(e), are persons through whom
there is sufficient reason to believe that information, which relates to the persons
referred to in points 1(a) and (b) and which is relevant for the analysis, can be
gained, provided that they are not included in one of the categories of persons
referred to in points 1 (a) to (d) and (f). ‘Contacts’ are those persons who have a
sporadic contact with the persons referred to in points 1(a) and (b). ‘Associates’ are
those persons who have a regular contact with the persons referred to in points 1(a)
and (b).
(3) If, at any time during the course of an analysis, it becomes clear on the basis of
serious and corroborating indications that a person should be included in a category
of persons, as defined in this Annex, other than the category in which that person was
initially placed, Europol may process only the data on that person which is permitted
under that new category, and all other data shall be deleted.
(4) If, on the basis of such indications, it becomes clear that a person should be included
in two or more different categories as defined in this Annex, all data allowed under
such categories may be processed by Europol.
EN EN
EUROPEAN COMMISSION
Brussels, 24.6.2026
SWD(2026) 582 final
COMMISSION STAFF WORKING DOCUMENT
Sudsidiarity grid
Accompanying the document
Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE
COUNCIL
on the European Union Agency for Law Enforcement Cooperation (Europol), amending
Regulation (EU) 2018/1726 and Regulation (EU) 2024/982, and repealing Regulation
(EU) 2016/794
{COM(2026) 580 final} - {SEC(2026) 580 final} - {SWD(2026) 580 final} -
{SWD(2026) 581 final}
1
Subsidiarity Grid
1. Can the Union act? What is the legal basis and competence of the Unions’ intended
action?
1.1 Which article(s) of the Treaty are used to support the legislative proposal or policy
initiative?
The legal basis is Article 88 of the Treaty on the Functioning of the European Union (TFEU),
which provides for the establishment and functioning of Europol and for the determination
of its tasks, structure and operation.
1.2 Is the Union competence represented by this Treaty article exclusive, shared or
supporting in nature?
In the case of law enforcement cooperation, the Union’s competence is shared (Article 4(2)(j)
TFEU). Pursuant to Article 88(2) TFEU, Europol's role is limited to supporting, coordinating
and strengthening cooperation between national law enforcement authorities, while executive
law enforcement powers remain with the Member States. The new Europol proposal does not
alter this distribution of competences but further develops Europol's supporting role within
the framework of shared competence.
Subsidiarity does not apply for policy areas where the Union has exclusive competence as
defined in Article 3 TFEU1. It is the specific legal basis which determines whether the
proposal falls under the subsidiarity control mechanism. Article 4 TFEU2 sets out the areas
where competence is shared between the Union and the Member States. Article 6 TFEU3 sets
out the areas for which the Unions has competence only to support the actions of the Member
States.
2. Subsidiarity Principle: Why should the EU act?
2.1 Does the proposal fulfil the procedural requirements of Protocol No. 24:
- Has there been a wide consultation before proposing the act?
- Is there a detailed statement with qualitative and, where possible, quantitative
indicators allowing an appraisal of whether the action can best be achieved at Union
level?
The preparation of the proposal was supported by a thorough and comprehensive consultation
process to gather input from Member States, Europol, other EU bodies, law enforcement
networks, private sector actors and civil society, ensuring that the proposal was informed by
a broad range of perspectives.
1 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12008E003&from=EN 2 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12008E004&from=EN 3 https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:12008E006:EN:HTML 4 https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:12016E/PRO/02&from=EN
2
Initial scoping discussions between April and June 2025 involved high-level exchanges with
the Standing Committee on Operational Cooperation on Internal Security (COSI), the
Europol Management Board, and national police chiefs.
These exchanges were followed by in-depth evidence gathering between July 2025 and
February 2026 through a Call for Evidence, a public consultation and thematic workshops
with Member States’ experts.
The preparation of the impact assessment also relied on an external study, which provided a
comprehensive evidence base drawing on desk research, interviews, surveys, focus groups
and case studies involving Member States, Union bodies, law enforcement networks and
other relevant stakeholders.
The input received from the stakeholders directly informed the design of the proposal, in
particular by confirming the need to address information gaps, operational fragmentation and
technological capability constraints. It also guided the development of measures to strengthen
data exchange, simplify procedures and enhance cooperation, while ensuring appropriate
safeguards and respecting the limits of Europol’s mandate under the Treaty.
The explanatory memorandum of the proposals and the impact assessment (chapter 3) contain
a section on the principle of subsidiarity (see the reply to question 2.2 below).
2.2 Does the explanatory memorandum (and any impact assessment) accompanying the
Commission’s proposal contain an adequate justification regarding the conformity
with the principle of subsidiarity?
The conformity with the principle of subsidiarity is assessed in the explanatory memorandum
and in the Impact Assessment accompanying the legislative proposal.
The challenges addressed by this proposal are inherently cross-border and cannot be
effectively tackled by Member States acting in isolation. The most serious and organised
forms of crime are now predominantly transnational in nature, with criminal networks
operating seamlessly across jurisdictions and digital environments. They exploit the
fragmentation of national information, operational action and capabilities. As a result,
Member States have only partial visibility of criminal activities and face structural limitations
in connecting investigations and responding effectively to criminal activities that extend
beyond their national jurisdiction.
Action at Union level is therefore more effective and necessary. The scale, speed and cross-
border nature of criminal activity require a level of coordination, data aggregation and
analytical capacity that cannot be achieved by Member States acting individually. By
operating at Union level, Europol is able to combine information from multiple jurisdictions,
identify patterns and connections that would otherwise remain undetected, and support the
prioritisation and coordination of operational action across borders. In doing so, it enhances
the impact of national investigations and ensures that responses to cross-border crime are not
fragmented but aligned and mutually reinforcing. It also enables the development and
deployment of advanced capabilities that are beyond the reach of individual Member States
acting alone, which also enables economies of scale in areas where the development of
capabilities is resource-intensive and requires critical mass. By centralising such capacities
3
at Union level and making them available across Member States, the proposal avoids
duplication, reduces costs and ensures a consistent and high level of effectiveness.
In a Schengen area without internal frontiers, this collective capacity is essential to ensure
that the level of law enforcement cooperation is commensurate with the level of integration
achieved.
2.3 Based on the answers to the questions below, can the objectives of the proposed
action be achieved sufficiently by the Member States acting alone (necessity for EU
action)?
The objectives of the proposal cannot be achieved sufficiently by Member States acting
alone. Serious and organised crime, terrorism, cyber-enabled crime and hybrid threats
increasingly operate across borders and exploit differences between national systems.
Individual Member States have only a partial view of criminal activities and cannot
independently generate a comprehensive EU-wide criminal intelligence picture. While
national authorities remain responsible for investigations and enforcement, only action at
Union level can effectively connect information, support coordinated operational responses,
and provide advanced analytical and technological capabilities that require economies of
scale. Europol therefore addresses challenges that are inherently transnational and exceed the
capacities of individual Member States.
(a) Are there significant/appreciable transnational/cross-border aspects to the problems
being tackled? Have these been quantified?
Yes. The problems addressed are inherently transnational. Serious and organised crime
networks and terrorist groups operate across multiple jurisdictions, use digital infrastructures
that transcend national borders and exploit differences between national legal and operational
systems. The explanatory memorandum highlights that crime is increasingly "international
by default", requiring cross-border intelligence gathering, operational coordination and
information sharing. Europol's evaluation covering 2017-2024 also confirmed that a
significant share of the Agency's operational support concerns cross-border investigations.
(b) Would national action or the absence of the EU level action conflict with core
objectives of the Treaty5 or significantly damage the interests of other Member
States?
The absence of EU-level action would undermine the Treaty objective of providing citizens
with a high level of security within an area of freedom, security and justice. It would also risk
creating further operational blind spots and reducing the effectiveness of cross-border
investigations, thereby negatively affecting other Member States whose security increasingly
depends on effective cooperation and information sharing across the Union.
(c) To what extent do Member States have the ability or possibility to enact appropriate
measures?
Member States can adopt national measures and remain responsible for law enforcement
activities and investigations. However, they cannot by themselves establish a complete
criminal intelligence picture across the Union, systematically connect information
originating from different jurisdictions, or provide the same level of cross-border
5 https://europa.eu/european-union/about-eu/eu-in-brief_en
4
coordination and shared technological capabilities. National action alone would therefore be
insufficient to address information fragmentation and operational gaps affecting
investigations with a cross-border dimension.
(d) How does the problem and its causes (e.g. negative externalities, spill-over effects)
vary across the national, regional and local levels of the EU?
While operational impacts may vary between Member States, regions and local authorities
depending on crime patterns and exposure to specific threats, information fragmentation,
difficulties in linking investigations and limited access to advanced technological capabilities
are common challenges across the Union that national measures alone cannot address.
(e) Is the problem widespread across the EU or limited to a few Member States?
The problem is widespread across the EU. Serious and organised crime, terrorism,
cybercrime and hybrid threats affect all Member States, albeit to varying degrees. The
functioning of the Schengen area without internal border controls further reinforces the need
for coordinated responses across the Union.
(f) Are Member States overstretched in achieving the objectives of the planned measure?
Not necessarily in terms of legal competence or resources, but Member States acting
individually face structural limitations in achieving the objectives of the proposal. They
cannot independently overcome the fragmentation of information and operational action
across the Union, nor can they efficiently develop and maintain certain advanced
technological capabilities that require significant investment and critical mass. This
assessment is supported by stakeholder consultations, which showed broad consensus on the
need to strengthen Europol’s information-processing, analytical and operational support
functions, as well as EU-level technological capabilities.
(g) How do the views/preferred courses of action of national, regional and local
authorities differ across the EU?
Overall, stakeholders expressed strong support for Europol’s added value, particularly in
facilitating cross-border information exchange, criminal intelligence analysis and operational
coordination. At the same time, they identified important operational shortcomings limiting
the Agency’s effectiveness, in particular legal and procedural constraints related to data
processing. Stakeholders also emphasised the need to strengthen Europol’s operational
support, develop more automated and interoperable systems, and enhance technological and
analytical capabilities, including through EU-level digital tools and stronger cooperation with
Union bodies. Private-sector stakeholders further underlined the importance of legal certainty
in data sharing, particularly in the area of cybercrime.
Consultations also highlighted the importance of ensuring that any strengthening of
Europol’s role remains fully consistent with fundamental rights, in particular data protection
requirements, and respects Member States’ responsibilities for national security and law
enforcement. Diverging views emerged regarding a possible further expansion of Europol’s
in relation to hybrid threats, which several stakeholders considered politically sensitive but
in principle well covered in Europol’s legal framework. Nevertheless, there was broad
consensus across Member States and operational authorities regarding the need to strengthen
Europol's information-processing, analytical and operational support functions.
5
2.4 Based on the answer to the questions below, can the objectives of the proposed action
be better achieved at Union level by reason of scale or effects of that action (EU
added value)?
The objectives can be better achieved at Union level because Europol provides clear added
value as a central information, operational and technology hub. Union action allows
information from different jurisdictions to be connected and analysed, facilitates coordinated
cross-border investigations, and enables the development of advanced capabilities that would
be difficult or costly for individual Member States to develop separately. The proposal
therefore generates economies of scale, reduces duplication, strengthens legal certainty and
ensures a more coherent response to security threats affecting the Union as a whole.
(a) Are there clear benefits from EU level action?
Yes. The evaluation of Regulation (EU) 2016/794, as amended by Regulation (EU)
2022/991, conducted in parallel with the impact assessment accompanying this proposal,
confirms that Europol plays a central and unique role in supporting Member States in
preventing and combating serious and organised crime and terrorism, particularly in cross-
border investigations. Covering the period 2017-2024, the evaluation found that Europol has
significantly strengthened information exchange and operational coordination at Union level.
EU-level action provides clear added value because Europol is uniquely positioned to
aggregate and analyse information originating from multiple jurisdictions and to generate a
Union-wide criminal intelligence picture that no individual Member State could establish on
its own. By connecting information, identifying cross-border links and supporting
coordinated operational responses, Europol enables Member States to address threats that
extend beyond national borders more effectively and efficiently than would be possible
through purely national action.
(b) Are there economies of scale? Can the objectives be met more efficiently at EU level
(larger benefits per unit cost)? Will the functioning of the internal market be
improved?
Yes. Significant economies of scale can be achieved through the centralised development of
analytical tools, secure data infrastructures, technological capabilities and specialised
expertise. Instead of each Member State developing equivalent capacities independently,
Europol can provide shared services and capabilities at Union level, reducing duplication and
increasing efficiency.
(c) What are the benefits in replacing different national policies and rules with a more
homogenous policy approach?
A more homogeneous approach improves interoperability, information exchange and
operational cooperation between national authorities. It reduces legal and procedural
fragmentation, facilitates cooperation with other EU bodies and agencies, and ensures more
consistent support for cross-border investigations throughout the Union.
(d) Do the benefits of EU-level action outweigh the loss of competence of the Member
States and the local and regional authorities (beyond the costs and benefits of acting
at national, regional and local levels)?
6
Yes. The proposal does not transfer core law enforcement powers to the Union. Member
States remain fully responsible for investigations, operational decisions and the exercise of
coercive powers. The benefits generated through improved information exchange,
coordination and shared capabilities therefore outweigh the limited constraints associated
with stronger Union-level cooperation.
(e) Will there be improved legal clarity for those having to implement the legislation?
Yes. By repealing and replacing the current Regulation with a comprehensive and
modernised framework, the proposal clarifies Europol's responsibilities, operational role,
data-processing framework and cooperation mechanisms. This increases predictability and
legal certainty for Member States, EU agencies and private stakeholders.
3. Proportionality: How the EU should act
3.1 Does the explanatory memorandum (and any impact assessment) accompanying
the Commission’s proposal contain an adequate justification regarding the
proportionality of the proposal and a statement allowing appraisal of the
compliance of the proposal with the principle of proportionality?
The explanatory memorandum and the Impact Assessment accompanying the legislative
proposal contain adequate justification regarding the proportionality of the proposal.
In accordance with the principle of proportionality, as set out in Article 5 of the Treaty on
the European Union, this Regulation does not go beyond what is necessary in order to achieve
its objectives.
The proposal introduces a more integrated framework for Union-level support to law
enforcement, reflecting the scale and complexity of cross-border crime. It focuses on
enabling more effective use of information, strengthening support to cross-border
investigations and improving access to shared capabilities, which cannot be achieved
satisfactorily by Member States alone, without altering the fundamental balance of
competences between the Union and the Member States. In particular, it does not confer any
coercive powers on Europol, which remain the exclusive competence of Member States.
Where relevant, the proportionality of the measures is further supported by the analysis
carried out in the accompanying impact assessment.
3.2 Based on the answers to the questions below and information available from any
impact assessment, the explanatory memorandum or other sources, is the proposed
action an appropriate way to achieve the intended objectives?
The proposal constitutes an appropriate and proportionate response to the identified
problems. It focuses on those aspects that cannot be addressed effectively by Member States
alone, namely the creation of an EU-wide criminal intelligence picture, enhanced cross-
border operational support and the development of shared technological capabilities. The
choice of a Regulation ensures legal certainty and uniform application across the Union,
while preserving Member States' responsibility for law enforcement activities and
maintaining the principle that Europol has no coercive powers.
7
(a) Is the initiative limited to those aspects that Member States cannot achieve
satisfactorily on their own, and where the Union can do better?
Yes.
(b) Is the form of Union action (choice of instrument) justified, as simple as possible, and
coherent with the satisfactory achievement of, and ensuring compliance with the
objectives pursued (e.g. choice between regulation, (framework) directive,
recommendation, or alternative regulatory methods such as co-legislation, etc.)?
Yes. The choice of a Regulation is justified because Europol itself is established by a
Regulation and operates directly across all Member States. Repealing and replacing
Regulation (EU) 2016/794 ensures a coherent, comprehensive and directly applicable legal
framework. The explanatory memorandum also explains that incremental amendments
would not be sufficient to accommodate the substantial operational, analytical and
technological changes envisaged by the proposal.
(c) Does the Union action leave as much scope for national decision as possible while
achieving satisfactorily the objectives set? (e.g. is it possible to limit the European
action to minimum standards or use a less stringent policy instrument or approach?)
Yes. The proposal leaves responsibility for criminal investigations, operational decisions,
national security and coercive measures entirely with Member States. Europol's role remains
supportive, analytical and coordinative. The proposal therefore limits Union action to what
is necessary to achieve its objectives while preserving national discretion wherever possible.
(d) Does the initiative create financial or administrative cost for the Union, national
governments, regional or local authorities, economic operators or citizens? Are these
costs commensurate with the objective to be achieved?
Yes. As assessed in the impact assessment and the legislative financial and digital statement,
the proposal has budgetary implications at both Union and Member State level. These
investments relate in particular to enhanced data-processing and analytical capacities,
operational support, technological capabilities and secure digital infrastructures. However,
these adjustments are expected to be proportionate and are outweighed by the benefits arising
from improved information exchange, stronger operational coordination, more efficient
cross-border investigations and access to shared Union-level capabilities. By reducing
fragmentation, avoiding duplication of effort and enabling economies of scale in the
development and deployment of advanced technological and analytical capabilities, the
proposal is expected to generate significant operational benefits for national authorities while
enhancing the security of citizens across the Union.
(e) While respecting the Union law, have special circumstances applying in individual
Member States been taken into account?
No, as there are no such special circumstances in the aspects addressed by the proposal.
EUROPEAN COMMISSION
17.4.2026
SEC(2026) 580
REGULATORY SCRUTINY BOARD OPINION
{COM(2026) 580}
{SWD(2026) 580-582}
Impact assessment (with back-to-back evaluation) / Review of Regulation on the European Union Agency for Law Enforcement Cooperation (Europol)
________________________________
This opinion concerns a draft impact assessment which may differ from the final version.
Commission européenne/Europese Commissie, 1049 Bruxelles/Brussel, BELGIQUE/BELGIË - Tel. +32 22991111
EUROPEAN COMMISSION REGULATORY SCRUTINY BOARD
Brussels, RSB
Opinion
Title: Impact assessment (with back-to-back evaluation) / Review of
Regulation on the European Union Agency for Law Enforcement
Cooperation (Europol)
Overall opinion: POSITIVE WITH RESERVATIONS
(A) Policy context
Europol is the European Union Law Agency for Law Enforcement Cooperation. Building
on the reform of the agency’s mandate in 2022, the impact assessment (with back-to-back
evaluation) aims at further strengthening Europol’s coordination role in responding
actively, effectively and efficiently to the changing security landscape and to the most
serious forms of online and offline crime and terrorism.
(B) Key issues
The Board notes the additional information provided and commitments to make
changes to the report.
However, the report still contains significant shortcomings. The Board gives a
positive opinion with reservations because it expects the lead Service(s) to rectify the
following aspects:
(1) The report does not sufficiently analyse the impacts of the intervention, in
particular on fundamental rights, data protection and cybersecurity.
(2) Given the 2022 reform, the magnitude of the problems is not sufficiently
demonstrated with evidence, including based on observational data.
(3) The specific objectives are not formulated in a SMART manner, and some policy
measures are not sufficiently described.
(4) The assessment of costs is insufficient.
(5) The monitoring and evaluation framework does not allow a clear understanding
of how performance will be measured in terms of outputs, results and impacts.
(C) What to improve
(1) The report should substantially improve the assessment of the impact on fundamental
rights related to a number of measures impacting data protection, such as changes in
data protection safeguards. It should clearly demonstrate how safeguards will work
in practice to address the data protection risks. It should also analyse potential
cybersecurity risks which would arise from the proposed measures such as EU police
cloud, including how these risks could be mitigated.
(2) The report should provide for a clear overview of the legal and operational
environment under which Europol operates, including its interactions with EU bodies
in the field of security and anti-fraud. It should explain, based on the analysis of the
2022 reform, why another revision of the mandate with similar objectives is already
required.
(3) The report should clearly distinguish between regulatory, operational and resources-
related problem drivers, for example when mentioning that Europol’s support of
national authorities is not always deployed to its full potential. The magnitude of the
problems should be substantiated with evidence, including evidence based on
observational data.
(4) The specific objectives should be formulated in SMART terms. The link with sub-
policy options should be clear and the way in which the latter address the problems
better illustrated.
(5) Some of the policy measures should be better defined, including how the interaction
with other agencies (including with Eurojust) would work in practice or how the EU
Police Cloud would function.
(6) The report should clarify the key elements (such as overall period) on which the
assessment of costs is based, present the annual costs over a given period, and ensure
coherence between its different sections. The same basis for calculation should be
used for the main body of the impact assessment and relevant annexes.
(7) Based on SMART specific objectives, the monitoring and evaluation framework
should be revised to link objectives with indicators, outputs, outcomes and impacts,
with measurable targets allowing for measuring the intervention’s success.
Some more technical comments have been sent directly to the author Service.
(D) Conclusion
The DG must revise the report and its executive summary in accordance with the
Board’s findings before launching the interservice consultation.
Full title Strengthening Europol – Review of Regulation on the European
Union Agency for Law Enforcement Cooperation (Europol)
Reference number PLAN/2025/524
Submitted to RSB on 18 March 2026
Date of RSB meeting 15 April 2026
Electronically signed on 17/04/2026 14:02 (UTC+02) in accordance with Article 11 of Commission Decision (EU) 2021/2121
EN EN
EUROPEAN COMMISSION
Brussels, 24.6.2026
SWD(2026) 580 final
COMMISSION STAFF WORKING DOCUMENT
IMPACT ASSESSMENT REPORT
Accompanying the document
Proposal for a
REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on the European Union Agency for Law Enforcement Cooperation (Europol), amending
Regulation (EU) 2018/1726 and Regulation (EU) 2024/982, and repealing Regulation
(EU) 2016/794
{COM(2026) 580 final} - {SEC(2026) 580 final} - {SWD(2026) 581 final} -
{SWD(2026) 582 final}
Table of contents
1. INTRODUCTION: POLITICAL AND LEGAL CONTEXT ................................................. 6
2. PROBLEM DEFINITION ...................................................................................................... 9
3. WHY SHOULD THE EU ACT? .......................................................................................... 20
4. OBJECTIVES: WHAT IS TO BE ACHIEVED? ................................................................. 22
5. WHAT ARE THE AVAILABLE POLICY OPTIONS? ...................................................... 24
6. WHAT ARE THE IMPACTS OF THE POLICY OPTIONS? ............................................. 37
7 HOW DO THE OPTIONS COMPARE? .............................................................................. 44
8 PREFERRED OPTION ........................................................................................................ 47
9. HOW WILL ACTUAL IMPACTS BE MONITORED AND EVALUATED? ......................... 52
ANNEX 1: PROCEDURAL INFORMATION .............................................................................. 53
LEAD DG, DECIDE PLANNING/CWP REFERENCES ............................................................. 53
ORGANISATION AND TIMING ................................................................................................. 53
CONSULTATION OF THE RSB .................................................................................................. 54
EVIDENCE, SOURCES AND QUALITY .................................................................................... 54
ANNEX 2: STAKEHOLDER CONSULTATION (SYNOPSIS REPORT) .................................. 55
ANNEX 3: WHO IS AFFECTED AND HOW? ............................................................................ 71
1. PRACTICAL IMPLICATIONS OF THE INITIATIVE....................................................... 71
2. SUMMARY OF COSTS AND BENEFITS ......................................................................... 72
3. RELEVANT SUSTAINABLE DEVELOPMENT GOALS ................................................. 92
ANNEX 4: ANALYTICAL METHODS ....................................................................................... 93
1. METHODOLOGICAL APPROACH ................................................................................... 93
2. COSTING METHODOLOGIES .......................................................................................... 94
3. CAVEATS AND LIMITATIONS ........................................................................................ 96
ANNEX 5: THE PREFERRED POLICY MEASURES ................................................................ 98
ANNEX 6: MONITORING AND EVALUATION FRAMEWORK FOR THE PREFERRED
POLICY MEASURES ........................................................................................................ 106
ANNEX 7: EVALUATION OF THE EXISTING POLICY AND LEGISLATIVE FRAMEWORK
............................................................................................................................................ 111
ANNEX 8: INVENTORY OF EXISTING INFORMATION SYSTEMS AND TOOLS AT
EUROPOL .......................................................................................................................... 148
ANNEX 9: DNA MATCHING SERVICE ................................................................................... 151
ANNEX 10: IMPACTS OF POLICY OPTIONS ......................................................................... 153
2
Glossary
Term or acronym Meaning or definition
AIRPOL Law enforcement network in the European aviation sector
AMLA Authority for Anti-Money Laundering and Countering the
Financing of Terrorism
AP Analysis Project
ATLAS European Cybersecurity Atlas
CAAR Consolidated Annual Activity Report
CEPOL European Union Agency for Law Enforcement Training
CODIS Combined DNA Index System
COSI Standing Committee on Operational Cooperation on Internal
Security
DSC Data Subject Categorisation
EAS Europol Analysis System
EBCG Regulation Regulation (EU) 2019/1896 on the European Border and Coast
Guard Agency
ECB European Central Bank
ECCC European Cybersecurity Competence Centre
EDPS European Data Protection Supervisor
EEAS European External Action Service
3
EFECC European Financial and Economic Crime Centre
EIFS European In-Flight Security Officer Network
EIGE European Institute for Gender Equality
EIS Europol Information System
ELA European Labour Authority
EMPACT European Multidisciplinary Platform Against Criminal Threats
ENISA European Union Agency for Cybersecurity
ENU Europol National Unit
EPPO European Public Prosecutor’s Office
EPRIS European Police Records Index System
ER Regulation (EU) 2016/794 (“Europol Regulation”)
EUAA European Union Agency for Asylum
EUCARIS European Car and Driving Licence Information System
EUDA European Union Drugs Agency
EU-SOCTA European Union Serious and Organised Crime Threat
Assessment
Eurojust European Union Agency for Criminal Justice Cooperation
Eurojust Regulation Regulation (EU) 2018/1727
Europol European Union Agency for Law Enforcement Cooperation
4
Europol Regulation Regulation (EU) 2016/794
eu-LISA
European Union Agency for the Operational Management of
Large-Scale IT Systems in the Area of Freedom, Security and
Justice
FEPORT Federation of European Private Port Companies and Terminals
FRA European Union Agency for Fundamental Rights
Frontex European Border and Coast Guard Agency
HRSN High Risk Security Network
Interpol International Criminal Police Organization
IOCTA Internet Organised Crime Threat Assessment
JAD Joint Action Days
JHA Justice and Home Affairs
JIT Joint Investigation Team
JOAC Joint Operational Analysis Case Platform
LED Law Enforcement Directive
LEWP Law Enforcement Working Party
MAOC (N) Maritime Analysis and Operations Centre (Narcotics)
OLAF European Anti-Fraud Office
OSINT Open-Source Intelligence
5
OTF Operational Task Forces
PD Programming Document
QUEST Querying Europol Systems
RAILPOL European Association of Railway Police Forces
REFIT Commission’s Regulatory Fitness and Performance Programme
SDG Sustainable Development Goal
SIENA Secure Information Exchange Network Application
SPoC Single Points of Contact
TEU Treaty on European Union
TFEU Treaty on the Functioning of the European Union
UMF Unform Messaging Format
6
1. INTRODUCTION: POLITICAL AND LEGAL CONTEXT
The EU is entering a new security era marked by rapid and lasting change. The
assumptions that shaped Europe’s internal security framework even a decade ago are
increasingly being overtaken by a reality in which threats evolve faster, operate across
borders by default, and unfold across highly interconnected digital, economic, and societal
systems. At the same time, serious and organised crime, terrorism, cybercrime, and hybrid
threats increasingly converge, combining criminal activity, cybercrime operations, and
economic interference. Their effects ripple across the EU, threatening economic stability,
straining institutional resilience, and eroding public trust. Geopolitical instability,
including Russia’s war of aggression against Ukraine, has further amplified these risks.
As emphasised by the European Council in June 2025, “serious and organised crime, and
terrorism, radicalisation and violent extremism, both online and offline, represent a major
threat to European citizens and the security of Member States”1, requiring the
mobilisation of all relevant instruments at both national and Union level. Their impact
reaches beyond security alone, affecting citizens’ sense of safety and confidence in the
EU’s ability to protect them. This concern is tangible, with 64% of EU citizens saying they
are worried about the EU’s security in the coming years2.
This evolving threat landscape unfolds within an area without internal frontiers, where free
movement is a defining strength of the EU and where preparedness must match the scale
and fluidity of cross-border threats. In such a space, security cannot be ensured by Member
States acting alone. Europe’s security architecture therefore combines action within
national jurisdictions with coordination at Union level, where information can be brought
together, cross-border connections identified, and common responses enabled3. This
allows threats to be addressed more effectively and at the right scale. This architecture
relies on a broader ecosystem of EU bodies and agencies operating across different stages
of the security and criminal justice chain. Within this framework, Europol supports
criminal intelligence analysis, operational coordination and information exchange between
law enforcement authorities. Eurojust facilitates judicial cooperation and coordination
between prosecutors and judicial authorities. The EPPO investigates and prosecutes
criminal offences affecting the financial interests of the Union, while OLAF conducts
administrative investigations into fraud, corruption and other irregularities affecting the
EU budget. Frontex supports border management and contributes to situational awareness
at the external borders, including in relation to cross-border crime. Europol increasingly
operates in close interaction with these actors, notably through information exchange,
analytical support, operational coordination and cross-system cooperation.
These dynamics are reflected in Europol’s 2025 EU Serious and Organised Crime Threat
Assessment4, which identifies a fundamental transformation in the nature of crime.
Criminal networks5 are more resilient, technologically enabled, and transnational than ever
1 European Council, Conclusions, 26-27 June 2025, EUCO 12/25, para. 41. 2 Flash Eurobarometer FL550: EU Challenges and Priorities. 3 Articles 67(3), 87(1), and 88(1) TFEU establish the Union’s competence to support and strengthen
cooperation between Member States’ law enforcement authorities, including through Europol. 4 Europol (2025) European Union Serious and Organised Crime Threat Assessment (EU-SOCTA). 5 Europol (2024), Decoding the EU’s most threatening criminal networks.
7
before. They operate simultaneously across multiple jurisdictions and rely extensively on
digital infrastructures, encryption, financial systems, and emerging technologies (for
example cryptocurrencies or anonymisation tools) to organise, expand, and conceal their
activities. Digitalisation has accelerated the scale, reach, and operational sophistication of
criminal and terrorist actors. For example, organised crime groups increasingly use
encrypted communication platforms, online marketplaces and digital payments to
coordinate activities across borders. At the same time, the growing convergence between
cybercrime6, financial crime7, and terrorism8 further increases the complexity of the threat
environment.
This transformation is driving a change in how security is organised across the EU.
Member States are modernising their frameworks and deepening cooperation9. More
fundamentally, these developments are reshaping expectations placed on law
enforcement authorities and on the Union’s collective capacity to act. No single authority
can fully capture or address threats that develop simultaneously across multiple
jurisdictions and operational domains.
In response and recognising that internal security is a shared European responsibility, the
EU has articulated an ambitious political vision to strengthen its collective security,
notably through ProtectEU – a European Internal Security Strategy10. At the centre of
this vision stands Europol, a key instrument of European cooperation in internal security.
Established two decades ago to support cooperation between national law enforcement
authorities, the agency has progressively evolved into a key operational and analytical hub.
By enabling information exchange, criminal intelligence analysis and coordinated action
against cross-border crime, Europol helps Member States detect criminal networks,
connect intelligence and act collectively against threats that no single national authority
could address alone. Over the past 26 years, Europol has evolved from a coordination
platform into a central operational and analytical hub at the heart of Europe’s law
enforcement architecture. By supporting thousands of operations each year and enabling
millions of information exchanges, Europol has helped transform fragmented national
efforts into a more connected European response.11
Europol is today a force multiplier for European security, reflecting a shift from
cooperation as an option to cooperation as a necessity. This level of integration, once
unimaginable, has been enabled through successive legal reinforcements,12 building on
Member States’ willingness to pool expertise and capabilities to step up the fight against
serious crime and terrorism. In doing so, it gives practical effect to the Treaties’ objective
of ensuring a high level of security for the EU and its citizens in an area without internal
6 Europol (2024), Internet Organised Crime Threat Assessment (IOCTA) 2024.
ENISA (2025), ENISA Threat Landscape October 2025. 7 Europol (2023), European Financial and Economic Crime Threat Assessment 2023. 8 Europol (2025), European Union Terrorism Situation & Trend Report. 9 For instance, the Netherlands, Belgium, Germany, France, Italy, Spain, Sweden have formed the European
coalition to fight Organised crime. 10 COM (2025) 148 final. 11 In 2024 alone, Europol supported more than 3 300 operations, enabled over 2 million secure information
exchanges, and provided access to its databases nearly 15 million times. 12 Regulation (EU) 2016/794 was amended in 2022 by Regulation (EU) 2022/991 to address new security
threats and in 2025 by Regulation (EU) 2025/2611 to effectively counter migrant smuggling.
8
frontiers13. As its mandate and tools have evolved, Europol has become a central pillar of
a more integrated and operational European security architecture.
Yet Europol’s success has also raised expectations about what European cooperation can
deliver. It has shown that collective action and EU support can extend the reach and
effectiveness of national authorities. In particular, the 2022 reform14 marked a decisive
strengthening of Europol’s mandate, addressing urgent operational and legal constraints
identified at that time, notably concerning large datasets and cooperation with private
parties. However, the operational and technological environment has evolved at a
significantly faster pace than anticipated at the time of the 2022 reform, with an
exponential increase in multi-source data, growing expectations regarding proactive
operational support, and the emergence of more integrated EU security frameworks and
cooperation models. Threats that once appeared at the periphery have moved to the
forefront, redefining the scale and intensity of the challenges facing the Union15. These
developments have revealed structural limitations in the current mandate which go beyond
the targeted adjustments introduced in 2022.
This acceleration calls for safeguarding Europol’s ability to operate effectively in the face
of new threats. This ambition lies at the heart of the Union’s political priorities. In her
Political Guidelines, President von der Leyen called for making Europol “a truly
operational police agency”, signalling a clear commitment to equip the Union with the
capabilities required to respond to a rapidly evolving threat environment.
This impact assessment therefore examines how Europol’s legal framework, capabilities
and resources need to evolve to ensure the Union remains able to address emerging security
challenges effectively, with a stronger focus on speed, integration, and operational
effectiveness. As technology redefines the nature of security itself, it is essential to put in
place a robust and future-proof framework that enables Europol to respond to evolving
threats, in close coordination with all relevant Union bodies and agencies, while remaining
firmly grounded in the Union’s values and trusted by its citizens, including by maintaining
a high level of data protection at Europol.
This assessment takes place within a broader effort to strengthen the Union’s overall
security architecture as outlined in ProtectEU. In this context, several legislative and
policy initiatives are being advanced to reinforce the EU’s response to serious and
organised crime and terrorism. These include the recently adopted proposal establishing
EU-wide rules against the trafficking of illicit firearms16 and the forthcoming proposal
establishing new EU rules to fight organised crime17. At the same time, a number of
operational and strategic initiatives have been put forward to support Member States in
13 Article 88 TFEU defines Europol’s mission to support and strengthen cooperation between Member States’
law enforcement authorities in preventing and combating serious cross-border crime and terrorism. 14 Regulation (EU) 2022/991 amending Regulation (EU) 2016/794. 15 The prominence of technology-related drivers has increased significantly in Europol threat assessments.
While references to AI and digital technologies in Europol’s EU-SOCTA 2021 were largely forward-looking,
Europol’s EU-SOCTA 2025 places these technologies at the core of its analysis across multiple threat areas. 16 2026/0059 (COD). 17 Commission work programme 2026 – COM (2025) 870 final.
9
addressing evolving threats, including the new EU Drug Strategy18 and Action Plan against
drug trafficking19, and the Agenda to prevent and counter terrorism20.
It also contributes to improving the effectiveness of the EU’s unique ecosystem of
specialised bodies and agencies, whose mandates are being revised21 to reflect evolving
operational demands. Frontex22, Europol, Eurojust23, and the EPPO24 each fulfil distinct
but complementary roles across the security and criminal justice continuum. Ensuring
seamless cooperation and information exchange between them is essential for a more
integrated and effective European response. In practice, these interactions increasingly
require continuous operational coordination and interoperable information flows across the
different stages of detection, intelligence development, investigation, prosecution and
operational follow-up. This includes, for example, Europol’s analytical support to cross-
border investigations coordinated by Eurojust, cooperation with the EPPO in complex
financial and organised crime investigations, exchanges with OLAF in relation to fraud
patterns affecting the EU budget and support to Frontex regarding criminal intelligence
linked to migrant smuggling, trafficking in human beings and other cross-border criminal
activities. Closer cooperation and information exchange between relevant EU bodies and
agencies is also an integral part of the comprehensive review of the EU's anti-fraud
architecture (AFA) to strengthen oversight and accountability25.
The revision of Europol’s framework also takes place in parallel with the revision of
Chapter IX of the EU legal framework on data protection for EU institutions, bodies,
offices and agencies (EUDPR)26. This provides an opportunity to ensure full coherence
and alignment between Europol’s evolving operational mandate and the EU data protection
framework27.
In this evolving landscape, ensuring that Europol remains capable of supporting a strong
and integrated European response to security threats remains strategically important for
the Union. It also provides an opportunity to ensure greater legal coherence across the
broader EU internal security framework, including ongoing reforms affecting information
18 COM(2025) 743 final. 19 COM (2025) 744 final. 20 COM(2026) 101 final. 21 In accordance with the Commission work programme 2026. 22 The European Border and Coast Guard Agency (EBCGA), established by Regulation (EU) 2019/1896, is
responsible for the implementation of European Integrated Border Management at the EU’s external borders. 23 The EU Agency for Criminal Justice Cooperation (Eurojust), established by Regulation (EU) 2018/1727,
provides support to prosecutors and judges, notably by supporting Joint Investigation Teams and facilitating
cases involving a European Investigation Order. 24 The European Public Prosecutor’s Office (the EPPO), established by Council Regulation (EU) 2017/1939,
is the independent office responsible for investigating and prosecuting crimes against the financial interests
of the EU. 25 The Commission work programme 2026 announced a comprehensive review of the EU's anti-fraud
architecture, building on the July 2025 Commission White Paper (COM(2025) 546 final). 26 In particular, Chapter IX of Regulation 2018/1725. 27 The objective is to streamline procedures and clarify roles, while fully maintaining a high level of data
protection in line with EU standards. In doing so, the overall reform does not merely preserve existing
standards but also simplifies the data protection framework by removing fragmentation, which should ensure
a unified regime across EU law enforcement and criminal justice authorities and facilitate information
sharing between them.
10
exchange, interoperability, anti-fraud cooperation and operational coordination between
Union bodies and agencies.
2. PROBLEM DEFINITION
In today’s security environment, effective cooperation between law enforcement
authorities and strong EU-level coordination have become essential to complement and
reinforce Member States’ efforts.
The importance of strong European cooperation is reflected in the European Police Chiefs
Convention of 202328 and the joint call by European Police Chiefs29 in 2025 to further
strengthen Europol’s role.
Despite its strengthened mandate, Europol is not fully equipped to fulfil its mission in
this evolving environment. As highlighted in the Commission report pursuant to Article
68(3) of the Europol Regulation30 and in the evaluation of Europol31, the Agency faces
legal, operational, and structural constraints that limit its ability to provide timely,
comprehensive, and actionable support to Member States. Persistent information gaps
hinder the development of a complete criminal intelligence picture of cross-border threats.
Uneven and fragmented operational cooperation and coordination with Member States
limit the added value of Europol’s support for the action of national authorities on the
ground. Limitations in technical capabilities, specialised expertise, and preparedness
reduce the ability to respond effectively to increasingly sophisticated and technologically
enabled criminal activity. Together, these constraints reduce Europol’s operational
effectiveness and its capacity to deliver its full added value.
As a result, a structural gap is widening between the Union’s security ambitions and
Europol’s ability to fully deliver on its mission in practice. The scale, speed, and
sophistication of emerging threats are placing demands on Europol that its current
framework struggles to meet. When criminal intelligence cannot be fully connected and
operational responses cannot be coordinated in time, critical opportunities to detect and
disrupt cross-border criminal activity are lost, weakening the EU’s ability to respond.
2.1. What are the problems?
2.1.1 Problem 1: Europol and national authorities face persistent information gaps
when investigating cross-border crimes and identifying threats.
28 Future of policing main focus as police chiefs meet at Europol | Europol. 29 European Police Chiefs (20 April 2025) Joint Statement by the European Police Chiefs on the Future
Development of Europol, Kraków. 30 COM(2025) 752 final. 31 See Annex 7.
11
Serious and organised crime, terrorism and hybrid threats increasingly operate across
jurisdictions and digital environments. Effective investigations therefore depend on the
ability of national authorities and Europol to access and connect relevant information.
However, Member States’ law enforcement agencies do not share sufficient relevant data
with Europol. Therefore, information available at EU level remains uneven and
incomplete32, affecting Europol’s analytical capabilities and leaving investigators without
a complete picture of criminal networks operating across borders. As a result, parallel
investigations may take place without awareness of related cases in other Member States,
and links between suspects, criminal activities or financial flows may remain undetected.
This reduces the effectiveness of cross-border investigations and limits Europol’s ability
to identify connections between cases, delaying the detection of organised crime
structures and weakening the capacity to anticipate evolving criminal threats.
Data contributions via the Secure Information Exchange Network Application33 (SIENA)
and the Europol Information System34 (EIS) vary significantly, with a limited number of
Member States providing a disproportionate share of operational data, while contributions
from other Member States are limited. This uneven distribution creates structural blind
spots that can be exploited by cross-border criminal networks. In addition, even where data
are shared, they are often incomplete or lack key identifiers, that is, are not provided in
the structured format that would allow automatic comparison of records for reliable cross-
matching35. Investigators are often confronted with inconsistent data quality, or with data
that is collected or stored in different formats from their own and hence cannot be used in
the investigators’ own case management systems without manual processing. These
differences cost time and reduce usability, directly affecting national investigations.
Moreover, Europol faces operational constraints in processing large datasets relevant
for cross-border investigations. In particular, the application of Data Subject
Categorisation (DSC) under the Europol Regulation36 delays the intake and analysis of
large volumes of data, as the categorisation of large or unstructured datasets often requires
manual intervention and additional proportionality assessments. In time-sensitive
32 Key data relating to suspects, financial flows, communication identifiers, travel movements or digital
accounts may be held by different Member States without being connected at EU level. 33 In 2025, the share of SIENA messages exchanged by Member States where Europol was involved varied
from 24% to 56% across Member States. For more information on SIENA, see Annex 8. 34 As of 31 December 2025, around 90% of the objects stored in the EIS had been introduced by Member
States representing around 25% of the EU population, while Member States representing more than 50% of
the EU population contributed to less than 5% of the objects shared by EU Member States. For more
information on the EIS, see Annex 8. 35 In 2025, overall, 18% of messages received by Europol contained structured information, varying across
Member States from 0.1% to 21%. For more information on cross-checking, see Annex 8. 36 Under Union law, both Europol and Member States must perform DSC for their own processing of personal
data in criminal investigations, regardless of whether the data are subsequently transferred to Europol.
However, the legal requirements applicable to Europol differ from those applied by Member States, Eurojust
or the EPPO. Under the Europol Regulation, Europol must classify individuals whose personal data appear
in a dataset into categories defined in Annex II of that Regulation (e.g. suspects, associates, victims or
witnesses) before the data can be fully processed.
12
investigations, this limits Europol’s ability to rapidly identify links between suspects,
detect emerging criminal networks and provide timely operational support37.
2.1.2 Problem 2: Europol’s operational support remains limited and fragmented
Crime is borderless and the most threatening criminal networks in the EU affect all
Member States38. Despite its central role in enabling a necessary cross-border response
through EU-level law enforcement cooperation, Europol’s operational support to Member
States – including through cooperation with partners, in particular EU bodies and agencies
– remains limited, fragmented and uneven.
In particular, cooperation between Europol and other EU bodies and agencies is marked
by weak information exchange and insufficient institutionalisation, which limits the
potential for timely and comprehensive EU-level responses to cross-border crime.
Across Member States, engagement with Europol39 varies significantly in terms of the
frequency of operational requests, participation in analytical projects and operational task
forces, and use of Europol’s information systems40. The efficient and comprehensive use
of Europol’s support often depends on national law enforcement agencies’ knowledge
about the available services and their possible added value for a given investigation. As a
result, Europol’s operational support, including analytical products, criminal intelligence
development and operational coordination, is not always utilised in a consistent and timely
manner in ongoing investigations41. The Agency’s capabilities are therefore not always
deployed to their full potential in support of national authorities dealing with serious and
organised crime with a cross-border dimension. This significantly affects the overall
effectiveness of EU-level support for complex cross-border investigations.
At the same time, national law enforcement authorities across the Union remain unevenly
equipped with the advanced specialised and technical expertise required to address
increasingly technology-enabled forms of crime. While Member States continue to
37 Section (3) on criminal investigations of the Commission report evaluating the operational impact of
Regulation (EU) 2022/991, adopted pursuant to Article 68(3) of Regulation (EU) 2016/794 highlights that
Europol “cannot process, nor even store, the personal data of individuals who do not fall under [the relevant]
categories”. This requirement creates a significant administrative and analytical burden in practice,
particularly when handling large or unstructured datasets originating from multiple sources. Such data often
do not easily correspond to predefined categories, complicating the identification of relevant data subjects
and potentially slowing the progress of investigations. As a result, the intake and analysis of large datasets
may be delayed at critical early stages of investigations, limiting Europol’s ability to identify relevant
individuals, detect connections between cases and conduct analytical work on bulk data, including at the
request of Member States. 38 Europol (2024) Decoding the EU’s most threatening criminal networks, p. 44. 39 For instance, only one of 23 Europol Member States which responded to the targeted survey for national
law enforcement authorities reported having received more than five requests by Europol to initiate, conduct
or coordinate a criminal investigation under Article 6 ER. See Annex [No], Study supporting the evaluation
and the impact assessment of the Europol Regulation. 40 In 2025, more than 90% of the searches carried by EU Member States in Europol data had been carried
out by Member States representing less than 20% of the EU population. 41 ICF (March 2026), Draft Final Report of the Study supporting the evaluation and the impact assessment
of the Europol Regulation, Figure 35 and Questions 60-69 dedicated to Europol’s operational centres.
13
strengthen their capabilities, tackling these threats increasingly requires highly specialised
tools, expertise and analytical capacities that are costly to develop and maintain at national
level. This has led to growing reliance on Europol’s specialised technical42 and
innovation43 support, including training and operational assistance in areas such as digital
forensics, artificial intelligence, and cryptocurrency investigations44. Demand for such
support continues to grow faster than Europol’s current ability to provide it, limiting
Europol’s ability to respond effectively to the operational needs across the Union45.As a
result, Europol cannot always scale its support in line with the increasing operational
demands from Member States, leaving capability gaps at EU level in areas where collective
support would be most efficient.
Operational support limitations also stem from and extend to cooperation with relevant
EU bodies and agencies responsible for preventing and combating cross-border crime
within their respective mandates.
Since the European Public Prosecutor’s Office (EPPO)46 became operational in 2021,
Europol and the EPPO have significantly strengthened their operational cooperation on
complex cross-border investigations affecting the Union’s financial interests.47 Over recent
years, the growing scale and complexity of EPPO investigations have increased demand
for Europol’s analytical support, including cross-checking operational data against
Europol databases, identifying links across cases, and enriching them48. However, the
current legal framework governing the exchange and use of operational information
between Europol and the EPPO limits the extent of the support Europol can provide,
including by analysing relevant datasets49 and identifying connections between cases. At
42 ICF (March 2026) Draft Final Report of the Study supporting the evaluation and the impact assessment of
the Europol Regulation, interviews with national authorities and Europol . 43 For example, the number of operations supported by the Europol Innovation Lab more than doubled
between 2024 and 2025. 44 Cybersecurity skills shortages further lead to enhanced cyber inequity, creating systemic exposure for law
enforcement authorities and the digital infrastructures they rely on. See, for instance,
WEF_Global_Cybersecurity_Outlook_2026.pdf. 45 87% of respondents mentioned specialised technical skills as an area where Europol should play a stronger
role in training and capacity building. See Figure 70, Study supporting the evaluation and the impact
assessment of the Europol Regulation. Furthermore, 86% of respondents indicated there are areas where
Europol’s training offer dedicated to specialised skills should be expanded, see Figure 71, ibid. 46 In accordance with the Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced
cooperation on the establishment of the [EPPO], the EPPO is responsible for investigating, prosecuting and
bringing to judgment the perpetrators of, and accomplices to, criminal offences affecting the financial
interests of the Union which are provided for in Directive (EU) 2017/1371. 47 Article 20a(2) of the Europol Regulation provides that “Europol shall support the investigations of the
EPPO and cooperate with it, by providing information and analytical support”. Europol supported six EPPO
cases in 2021, 28 cases in 2022, 47 cases in 2023 and 83 cases in 2024. 48 Europol’s European Financial and Economic Crime Centre (EFECC) provides specialised analytical
support. EPPO estimates for the period 2028-2034 foresee substantial support needs from Europol, including
data cross-checks against Europol databases (600-1200 cases), operational analytical support (500-1200
investigations), digital forensics support (80-150 cases), and operational deployments (100-250
investigations). 49 In this context, it may be noted that the Commission proposal to amend Regulation (EU) No 904/2010 on
administrative cooperation in the field of VAT envisages facilitating access for the EPPO and the European
14
the same time, large volumes of operational data held by the EPPO50 cannot always be
effectively used by Europol for its activities due to mandate limitations. This reduces
Europol’s ability to support the investigations conducted by national law enforcement
authorities and provide them with comprehensive analytical support.
Cooperation between Europol and Eurojust also remains limited in practice, particularly
due to the very limited exchange of operational information between the two agencies51.
As a result, Europol receives only a very limited amount of information from Eurojust,
constraining its ability to detect links between cases handled by judicial authorities and
those analysed within Europol’s operational and analytical activities. In addition, gaps
persist in the EU-level support available to national authorities seeking to obtain electronic
evidence in investigations today,52 as there is currently no stable and structured EU-level
framework for operational cooperation between Europol and Eurojust to support Member
States in this regard53.
More broadly, structured EU-level cooperation in support of investigations into cross-
border crime remains uneven across the EU’s internal security architecture. Exchanges of
information between Europol and other relevant EU actors, including Frontex in the areas
of migrant smuggling and trafficking in human beings,54 the Anti-Money Laundering
Authority (AMLA) in financial crime55, and EU cybersecurity actors, such as the EU
Agency for Cybersecurity (ENISA),56 CERT-EU and the European Cybersecurity
Anti-Fraud Office (OLAF) to certain VAT information for the purposes of investigating offences affecting
the Union’s financial interests (Proposal for a Council Regulation, COM(2025) 685 final). In light of
Europol’s strengthened role in supporting EPPO investigations, the possible extension of access to similar
information for Europol could also be considered. 50 The EPPO’s Case Management System contains rapidly increasing volumes of operational data. For
example, approximately 1 406 terabytes of data are stored in relation to three investigations alone, illustrating
the scale of data potentially relevant for operational analysis and cross-case link detection. 51 Both the Europol Regulation (Article 21) and the Eurojust Regulation (Article 49) provide for indirect
information exchange between the two agencies on the basis of a hit/no-hit system. In practice, exchanges
have remained minimal. Between May 2023 and August 2025, Europol sent 108 SIENA messages to
Eurojust containing 2 081 entities for link detection, resulting in eight hits at Eurojust, none of operational
relevance to Europol. 52 According to the European Commission, “more than half of all investigations today involve a cross-border
request to access electronic evidence”, i.e., “data in electronic form that are relevant in investigating and
prosecuting criminal offences”. Notably, “electronic evidence is needed in around 85% of criminal
investigations, and in two-thirds of these investigations there is a need to request evidence from online service
providers based in another jurisdiction. The number of requests to the main online service providers grew by
70% in the period between 2013 and 2016”, Frequently Asked Questions: New EU rules to obtain electronic
evidence Brussels, 17 April 2018. 53 Since 2017, Europol and Eurojust have jointly supported EU law enforcement and judicial authorities in
obtaining electronic evidence from service providers located in other jurisdictions through the SIRIUS
Project. The initiative provided operational guidance, specialised training, investigative tools and a platform
facilitating exchanges between authorities and service providers. The SIRIUS Project has been funded by
the European Commission’s Service for Foreign Policy Instruments (FPI). 54 Improvements in the exchange of operational information between Europol and Frontex are addressed in
the impact assessment for the upcoming revision of the EBCG Regulation. 55 Reciprocal exchange of operational information between AMLA and Europol is currently not foreseen. 56 ENISA is established under Regulation (EU) 2019/881 (Cybersecurity Act) and plays a central role in EU
cybersecurity cooperation. Its mandate was further expanded by Directive (EU) 2022/2555 (NIS2 Directive),
which assigns the Agency key tasks in supporting operational cooperation and situational awareness across
the Union’s cybersecurity architecture.
15
Competence Centre (ECCC)57, remain limited, reducing the potential for coordinated
responses to cross-border and cyber-enabled crime.
2.2. What are the problem drivers?
2.2.1 Problem 1: Europol and national authorities face persistent information gaps
when investigating cross-border crimes and identifying threats.
Driver 1.1: Regulatory, legal and procedural constraints affecting information
sharing
Divergent national criminal procedure laws and differing interpretations of necessity and
proportionality drive selective and inconsistent information sharing between Member
States and Europol. Political sensitivities, historical cooperation patterns and varying
levels of trust in Europol’s handling of sensitive data (e.g. terrorism, minors, financial
crime or migration cases) further reinforce conservative practices among Member States.
As a result, information exchange remains uneven and incomplete, with Member States
sometimes limiting or delaying transmission of operational data, even where cooperation
would be legally possible and operationally justified. This is reflected in significant
variations in Member States’ contributions to Europol systems and in the uneven use of
information exchange channels.
Driver 1.2: Operational and technical limitations in data automation, integration and
standardisation hampering information exchange
Member States’ law enforcement IT systems differ significantly in terms of automation,
connectivity, and their ability to produce structured, interoperable data. Only a few operate
automated data loaders to transmit data to Europol58, while others rely on manual processes
or, in some cases, bypass EU channels altogether. Europol’s core systems remain
underutilised59, reducing cross-border visibility and EU-level situational awareness.
Therefore, the available statistics point to significant disparities in connectivity and data
transmission practices across Member States.
Even where connectivity exists, most operational information is transmitted in
unstructured formats requiring manual processing. The lack of common data models,
standardised templates and automated workflows slows ingestion, cross-checking and
analysis. These technical limitations reduce scalability and prevent near-real-time criminal
intelligence production, including for biometric and multimedia data, thereby limiting
Europol’s analytical capacity and operational added value.
Driver 1.3: Regulatory, legal and procedural constraints affecting data processing
57 SWD(2026) 11 final. 58 In 2025, only 14 Member States operated data loaders. 59 For example, in 2025, only 15 Member States allowed their users to perform direct searches in Europol
data via a technical application called QUEST. For more information on QUEST, see Annex 8.
16
Compliance requirements related to data protection rules, in particular regarding DSC60,
operate in practice as structural constraints on information processing.
The requirement to apply DSC ex ante, combined with intensive procedural safeguards,
slows down or in some cases prevents the timely processing and further handling of data,
particularly in fast-moving or data-intensive investigations. Europol experience indicates
that the application of DSC to large datasets can require significant time and specialised
resources before operational analysis can begin.
While legally robust, these procedural requirements reduce operational agility and delay
access to cross-border intelligence. As a consequence, Europol and Member States may
face constraints in fully exploiting lawfully available data, even where processing would
be operationally necessary and proportionate.
Driver 1.4: Structural and operational shift in the criminal data and information
environment
The digital transformation of crime has fundamentally changed the nature and volume of
information relevant to criminal investigations. Criminal networks increasingly operate
across digital platforms, financial systems and communication infrastructures spanning
several jurisdictions, generating large volumes of fragmented operational data held by
different authorities. The growing use of technologies such as artificial intelligence further
increases the speed, scale and complexity of criminal activity61.
As a result, effective responses to serious and organised crime increasingly depend on the
rapid exchange, correlation and analysis of information across national and EU-level
systems. In practice, key elements of an investigation are often dispersed across several
Member States and authorities, making it necessary to connect different pieces of
information – such as suspects, communication data or financial transactions – in order to
detect cross-border criminal networks.However, existing information-sharing
mechanisms were largely designed for more limited data volumes and slower operational
cycles. They rely mainly on message-based exchanges between authorities, where
information is shared case by case rather than analysed collectively across systems. This
can make it harder to identify links between investigations and to build a timely and
comprehensive EU-level criminal intelligence picture.
2.2.2 Problem 2: Europol’s operational support remains limited and fragmented
60 Data Subject Categorisation (DSC) refers to the requirement under the Europol Regulation to assign each
personal data record processed by Europol to a specific category of data subject (such as suspects, convicted
persons, potential future offenders, victims, witnesses or other contacts and associates), together with
corresponding conditions governing the processing and retention of such data. This categorisation aims to
ensure compliance with EU data protection rules but can limit the ability to process certain datasets where
the status of individuals cannot be clearly determined at the time the data are received. 61 The 2025 European Union serious and organised crime threat assessment, (EU-SOCTA 2025).
17
Driver 2.1: Operational limited awareness of Europol’s operational support
Awareness among Member States of the full range of Europol’s operational tools, services
and capabilities remains uneven62. As the use of Europol’s operational support is voluntary
and initiated at national level63, national authorities may not always consider Europol’s
involvement at an early stage of investigations.64 This results in delayed engagement with
the Agency and limits the timely exchange of information, the early identification of cross-
border links, and the effective use of Europol’s capabilities to support coordinated EU-
level responses to serious and organised crime.65 Available operational data show
important differences between Member States in the frequency and timing of requests for
Europol operational support.
Driver 2.2: Operational and capability-related constraints limiting the tailoring of
Europol’s support to national investigative needs
While Europol provides operational support to Member States, the support provided is not
always sufficiently tailored to the specific needs66, legal frameworks and evidentiary
requirements of national investigations. As a result, the analytical outputs or information
provided by Europol may not always be directly usable in national proceedings. In some
cases, national authorities must repeat investigative or analytical steps to produce evidence
that complies with national procedural requirements. This creates inefficiencies, increases
the workload for national investigators and reduces the overall effectiveness of the
operational support provided by Europol.
At the same time, the rapid digitalisation of crime requires investigators to use increasingly
specialised tools, technologies and skills, including in areas such as digital forensics,
artificial intelligence and cryptocurrency investigations. Europol’s current framework
limits its ability to develop and provide such tools and specialised training at scale across
the Union, constraining its capacity to support technology-enabled investigations. Demand
for specialised operational support and advanced analytical capabilities has increased
significantly in recent years
62 ICF (March 2026), Draft Final Report of the Study supporting the evaluation and the impact assessment
of the Europol Regulation, Annex 10.3.1. 63 Under the Europol Regulation, Europol may support investigations, coordinate operational actions and
participate in Joint Investigation Teams, but it cannot initiate investigations or conduct operational activities
without the agreement of the Member States concerned. 64 Evaluation evidence, from the study supporting the evaluation and impact assessment of the Europol
Regulation, indicates that Europol’s operational support is often mobilised only at a relatively advanced stage
of national investigations. 65 “Case study evidence on Europol’s operational centres confirms that the agency’s support often focuses
on strengthening ongoing investigations rather than shaping investigative strategies from the outset”, ibid. 66 ICF (March 2026) Study supporting the evaluation and the impact assessment of the Europol Regulation
- “Limited timeliness of replies via SIENA” is mentioned as a barrier by 40% of respondents, Figure A7.27,
Annex 7. Interviews with national authorities highlighted the time required to obtain analytical outputs from
Europol can be significant in cases involving large or technically complex datasets.
18
Driver 2.3: Limited capacity for systemic modernisation of law enforcement
capabilities
In many Member States, organisational, legal, and procurement constraints limit the
systematic uptake and scaling of innovation, resulting in fragmented development and
uneven deployment of modern investigative tools. Barriers include overlapping
responsibilities across national, regional and local authorities, slow procurement processes,
and rigid administrative procedures. As a result, innovative solutions are often developed
within short-term projects or pilot initiatives but struggle to transition into sustainable
operational capabilities deployed at EU level67. This creates disparities in operational
capabilities across the Union and even stronger reliance on Europol to provide specialised
expertise and technical support in cross-border investigations. . Despite the growing
demand68, Europol’s role in supporting innovation and specialised capabilities remains
limited in scale, constraining its ability to systematically strengthen operational capabilities
across Member States69. This includes limitations linked to available specialised expertise,
technical capacity and scalable operational support resources.
Driver 2.4: Regulatory, legal and operational constraints on information sharing
between Europol and the EPPO
The current legal framework does not provide a sufficiently robust basis for systematic
operational cooperation between Europol and the EPPO70. As a result, cooperation largely
relies on ad hoc requests and case-by-case arrangements, limiting the systematic
mobilisation of Europol’s analytical support for EPPO investigations and preventing the
full exploitation of complementarities between Europol and the EPPO71. In addition,
Europol cannot share relevant operational information directly with the EPPO without the
67 Comparative analysis shows that scaling occurs only where an EU actor combines a clear legal mandate
with an operational or coordinating role and sufficient convening power. Where such a mandate is absent,
innovation remains locked at pilot level by design, regardless of technical maturity or demonstrated
usefulness. Study on strengthening EU-funded security research and innovation – 20 years of EU-Funded
Civil Security R&I (DG HOME, 2025) 68 See Joint Statement by the European Police Chiefs on the Future Development of Europol. Moreover, the
results of the public consultation show strong support for enhancing Europol’s technological and innovation
capabilities, see the factual summary report registered under Ares(2026)2806442 and published at
https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/14638-Law-enforcement-
cooperation-new-Europol-regulation-proposal-/public-consultation_en. 69 For instance, Europol’s Innovation Lab and EU-funded projects run “sandboxes” to experiment with AI
algorithms; however, due to data protection constraints, these activities cannot rely on real operational crime
data. 70 The EPPO (November 2025), Note [to DG HOME of the European Commission] on improving the
cooperation between the EPPO and Europol. See also ICF (March 2026), Draft Final Report of the Study
supporting the evaluation and impact assessment of the Europol Regulation, sub-driver 2.5.3 ‘Legal and
mandate limitations hinder cooperation with EPPO’. 71 ibid.
19
consent of the Member State that provided the data72, which significantly delays access to
information relevant for EPPO investigations73.
Driver 2.5: Weak information exchange and insufficiently institutionalised
cooperation between Europol and other EU bodies and agencies
Despite the growing need for seamless cooperation across the EU’s internal security
architecture74, crucial information exchange between Europol and other relevant EU
bodies and agencies, including Frontex75, AMLA76, Eurojust,77 and OLAF,78 remains
weak. Existing exchanges remain uneven and are often dependent on ad hoc arrangements.
This affects the completeness of the EU-level criminal intelligence picture that Europol
can provide in support of Member State national authorities. Moreover, broader
cooperation between Europol and other relevant EU bodies and agencies, such as
Eurojust79 and ENISA80, is obstructed by insufficient institutionalisation. This hinders the
scope, foreseeability and sustainability of coordinated support benefiting the national
authorities of EU Member States.81
72 In accordance with the data ownership principle established in Article 19 ER. 73 Although the EPPO may obtain the same information directly from the Member State concerned under
Regulation (EU) 2017/1939, this indirect route duplicates exchanges and may delay access to relevant
information, in some cases by up to two months, as indicated by the EPPO at the third thematic expert
workshop on the future of Europol, see Annex II. 74 Communication from the Commission to the European Parliament, the Council, The European economic
and social committee and the Committee of the regions on ProtectEU: a European Internal Security Strategy
COM(2025) 148 final. 75 The data on the debriefing interview reports sent by Frontex to Europol, which amounted only to 40 in
2025, exemplifies the overly limited exchange of operational information between the two agencies. The
Commission has analysed the problem driver in the impact assessment for the revision of Frontex and may
accordingly propose to address the identified shortcomings in Article 90 of the ECBGA Regulation and its
implementation through the upcoming legislative initiative on Frontex. 76 The recent reform of the EU anti-money laundering framework created a new institutional architecture
centred on AMLA, but Europol currently lacks a formal interface to exchange operational information with
AMLA, which in turn contributes to the fragmentation of the EU financial intelligence landscape. See sub-
driver 2.5.4 ‘Unclear division of roles and weak operational integration between Europol and AMLA’, Study
supporting the evaluation and impact assessment of the Europol Regulation, interim report, January 2026. 77 See footnote 51 on the implementation of indirect information exchange on the basis of a hit/no-hit system;
‘Implementation challenges’ and the box summarising the results of the targeted survey for EU bodies and
agencies in Annex 2 of the Impact Assessment for the revision of Eurojust. 78 See, for instance, European Court of Auditors, Special Report 26/2025 ‘EU bodies fighting fraud’,
concluding that, “while the mandates of OLAF, the EPPO, Eurojust and Europol are clearly defined,
weaknesses remain in terms of exchange of information”. The Commission may propose to strengthen
information exchange between OLAF, the EPPO, Eurojust and Europol as part of the upcoming AFA review. 79 See also the impact assessment for the revision of Eurojust. 80 The Commission has proposed closer cooperation between Europol and ENISA to improve cybersecurity
preparedness and response to ransomware incidents as part of the Cybersecurity Act 2 (COM(2026) 11 final). 81 For instance, SIRIUS remains a project in nature and thus its mission and sustainability are varying and
uncertain as they depend on the types and timings of available EU funding. Notably, further to a change of
the funding source (Contribution agreement NDICI THREATS FPI/2024/OPSYS CT NR 700002618 as of
1 January 2025), the beneficiaries of the Project are now the national law enforcement and judicial authorities
of third countries, while the dire need expressed by the national authorities of the EU Member States to
20
2.3. How likely is the problem to persist?
The overall problem is structural and likely to persist, as it is driven by long-term trends
in the scale, complexity, and digitalisation of serious and organised crime. This will require
more timely criminal intelligence, closer operational coordination across Member States
and Europol, and access to advanced analytical and technical capabilities. At the same
time, Europol’s ability to respond effectively will continue to be shaped by its legal
framework, technical infrastructure, and available expertise, which cannot evolve
automatically in line with operational needs. As cooperation increasingly involves a wider
range of actors, including EU bodies and agencies, the need for effective coordination and
specialised support at European level will further grow. Without adaptation, these trends
are likely to widen the gap between operational needs and Europol’s capacity to support
Member States effectively.
First, data-related challenges are expected to intensify sharply as the volume, speed,
and complexity of operational data continue to accelerate. Criminal investigations are
increasingly driven by digital evidence, encrypted communications, and data dispersed
across multiple jurisdictions and platforms, generating vast and fragmented datasets. At
the same time, persistent differences in information sharing practices, limited
interoperability, and constraints in processing large and complex datasets will continue to
hinder Europol’s ability to fully integrate and exploit this information. Without addressing
these structural data gaps, Europol risks falling behind the scale and pace at which criminal
networks operate, limiting its capacity to generate a complete and timely European
criminal intelligence picture and to detect critical cross-border links.
At the same time, Europol’s role as an information hub is expected to expand significantly,
with increasing volumes of operational data being transmitted from Member States and
partners. If existing legal, technical and resource constraints regarding data processing by
Europol are not addressed, these growing data flows will place mounting pressure on
Europol’s systems and resources, creating structural bottlenecks. In such a scenario,
efforts to improve information sharing and close existing data gaps may yield only limited
operational benefit, as the Agency’s ability to translate greater data availability into
actionable criminal intelligence would remain constrained by existing legal and resource
limitations. Rather than strengthening Europol’s operational impact, the growing data
flows could deepen existing bottlenecks, increasing the burden on the Agency and limiting
its ability to deliver timely and effective support in an increasingly demanding security
environment.
continue relying on the project’s knowledge and expertise to successfully obtain critical electronic evidence
for criminal investigations and prosecutions (n 53) has remained unmet.
21
Second, operational demands on Europol are expected to increase significantly82 as
the criminal landscape becomes more complex, connected and transnational,83 requiring
faster, more coordinated responses across jurisdictions and actors. Effective action
increasingly depends on the ability to rapidly connect information, provide timely
analytical and operational support, and facilitate coordinated action across jurisdictions.
However, Europol’s ability to expand and adapt its operational support is shaped by the
scope and modalities defined in its legal framework, which cannot automatically evolve in
line with operational needs.
Furthermore, the need for closer cooperation and complementarity between EU bodies
and agencies will become more critical.84 Fragmentation and duplication of EU efforts
would reduce effectiveness and efficiency, limiting the Union’s ability to deliver a
coherent and effective operational response to increasingly complex cross-border crime.
Third, capability gaps are also expected to persist and widen due to the rapid pace of
technological change, including developments in artificial intelligence, digital forensics,
and advanced analytics.85 Criminal networks are early adopters of new technologies, and
law enforcement authorities require specialised expertise, advanced analytical tools, and
scalable technical infrastructure to respond effectively. However, national innovation
capacities and training systems are expected to evolve unevenly due to differing priorities,
resources, and organisational constraints. In addition, parallel innovation and development
ties up scarce resources. Without stronger coordination at EU level, inefficiencies,
disparities in skills86, technical capabilities, and preparedness across Member States are
likely to persist or deepen, limiting the effectiveness of the collective European response.
Taken together, these dynamics suggest that, without intervention, the gap between the
complexity of criminal threats and the capacity of Europol and law enforcement authorities
to address them effectively will widen, with continued implications for the quality of
national investigations, the effectiveness of cross-border cooperation and the overall
capacity of the Union to respond coherently to serious and organised crime.
82 Even today, there would be thousands more cases where Member States ask for Europol’s support if
Europol had the capacity to provide that according to the Deputy Director of Europol for Governance, Jürgen
Ebner, at “The future of Europol”, The Europol Podcast, 18 December 2025. Demand for Europol’s services
exceeds Europol’s current capacity also according to the Study supporting the evaluation and the impact
assessment of the Europol Regulation, draft final report, March 2026. 83 Retooling the police is a priority for a strategic response against the future evolution of organised crime
according to the Global Initiative against Transnational Organized Crime (GI-TOC), Intersections: Building
blocks of a global strategy against organized crime, p 88. Increasing crime threats and a limited budget
decisively contribute to make Europol unable to optimally fulfil its supporting role for the Member States
according to the European Police Chiefs. 84 For instance, in the area of financial crime, while this impact assessment report considers the relationship
between Europol and AMLA, GI-TOC has suggested the creation of a global financial crime intelligence
centre as a priority action to counter the future evolution of organised crime, ibid, pp. 80-81. 85 See the problem definition by the Study supporting the evaluation and the impact assessment of the Europol
Regulation, draft final report, March 2026, namely driver 2.2. 86 Feasibility study on law enforcement training in the EU to strengthen a common EU law enforcement
culture, interim report, January 2026.
22
3. WHY SHOULD THE EU ACT?
3.1. Legal basis
The legal basis of this initiative is Article 88 of the Treaty on the Functioning of the
European Union (TFEU), which establishes Europol’s mission. In particular, it stipulates
that the Agency shall ‘support and strengthen action by the Member States' police
authorities and other law enforcement services and their mutual cooperation in preventing
and combating serious crime affecting two or more Member States, terrorism and forms
of crime which affect a common interest covered by a Union policy’.
Article 88(2) TFEU empowers the European Parliament and the Council, acting in
accordance with the ordinary legislative procedure by means of regulations, to determine
Europol’s structure, operation, field of action, and tasks.
3.2. Subsidiarity: Necessity of EU action
According to the subsidiarity principle laid down in Article 5(3) TFEU, action at EU level
should be taken only when the aims envisaged cannot be achieved sufficiently by Member
States alone and can therefore, by reason of the scale or effects of the proposed action, be
better achieved by the EU.
Europol’s mandate is to support and strengthen cooperation between Member States’ law
enforcement authorities in addressing serious and organised crime and terrorism. These
threats increasingly operate across borders, jurisdictions, and digital environments,
requiring coordinated action and the timely exchange and analysis of information at Union
level. Member States acting alone cannot ensure the necessary level of coordination, nor
can they establish a comprehensive criminal intelligence picture across the Union.
Union action is therefore necessary to provide a common legal framework enabling
Europol to effectively support Member States, facilitate cooperation, and strengthen the
exchange and analysis of operational information. Moreover, as Europol is a Union agency
established by Regulation (EU) 2016/794, any modification of its mandate or functioning
can only be achieved through Union legislation. The objectives of this initiative can
therefore be better achieved at Union level, in accordance with the principle of subsidiarity.
3.3. Subsidiarity: Added value of EU action
The evaluation of the Europol Regulation (Annex 7) has confirmed that Europol plays a
unique and indispensable role in supporting Member States in preventing and combating
serious and organised crime and terrorism, in particular where these threats have a cross-
border dimension. Through its criminal intelligence analysis, operational and technical
support to investigations, coordination of cross-border law enforcement actions, and
support to joint investigation teams, Europol expands the reach, speed, and
effectiveness of national investigations. It enables authorities to detect connections
between criminal activities across multiple Member States, identify priority targets, and
coordinate operational responses, thereby significantly strengthening the Union’s
collective ability to disrupt criminal networks.
23
Europol also provides specialised capabilities, expertise, and technological infrastructure
that individual Member States could not develop or maintain efficiently on their own.87
This includes advanced analytical and forensic capacities, the ability to process and analyse
very large and complex datasets, and innovation and technical support to address evolving
threats. By centralising high-value expertise, tools, and infrastructure at Union level,
Europol generates substantial economies of scale, reduces duplication of investment, and
ensures that all Member States benefit from cutting-edge capabilities, regardless of their
size or national resources.
A common Union legal framework ensures that Europol can perform its tasks consistently,
effectively, and with full respect for Member States’ competences and responsibilities for
law enforcement. It also guarantees coherent governance, accountability, and safeguards,
including a high level of protection of personal data, thereby strengthening mutual trust
and enabling effective operational cooperation. This contributes to ensuring a high level
of security across the Union and to protecting the integrity of its internal market88,
democratic institutions, and digital and economic infrastructure.
4. OBJECTIVES: WHAT IS TO BE ACHIEVED?
4.1. General objectives
The general objective of this initiative is to improve the effectiveness of EU-level law
enforcement cooperation in preventing and combating serious and organised crime and
terrorism, in order to contribute to a high level of internal security in the EU.
In particular, the aim is to enhance Europol’s capacity to enable a more complete and
timely understanding of criminal threats across the Union and to support their effective
detection, disruption and prevention, thereby contributing to the protection of citizens and
victims.
4.2. Specific objective
4.2.1 Reinforce Europol’s role as an information hub for law enforcement
This objective aims to strengthen Europol’s capacity to collect, process, analyse and share
high-quality criminal information across borders. It focuses on:
• improving the timeliness and completeness of information exchange, including
reducing delays and gaps in cross-border data sharing;
• ensuring that relevant information is available and accessible across Member
States and relevant EU bodies and agencies in a consistent and interoperable
manner;
87 See Annex 7: Evaluation of the existing policy and legislative framework pages 120, 124. 88 https://www.europol.europa.eu/sites/default/files/documents/Europol_report_-_Leveraging_legitimacy_-
_How_the_EU_most_threatening_crim_networks_abuse_legal_business_structures.pdf
24
• improving the usability of information for operational purposes, including its
structuring, analysis and sharing in an actionable format.
By addressing fragmentation and the under-utilisation of existing tools, this objective will
enable the systematic identification of cross-border links between cases, individuals
and criminal networks, including emerging threats, and support more effective
operational action, while maintaining robust data protection and fundamental rights
safeguards.
4.2.2. Strengthening Europol’s capacity to support law enforcement operational action
This objective aims to ensure that Europol can provide timely, coordinated and
operationally relevant support to cross-border investigations into serious and
organised crime and terrorism. It focuses on:
• enabling earlier and more consistent involvement of Europol in cross-border
investigations;
• improving the translation of criminal intelligence into concrete operational
results, including support to coordinated measures;
• strengthening operational coordination and cooperation with Member States
and Union bodies and agencies, in particular the EPPO, including through a
more continuous use of EU-level capabilities.
This will support faster, more coherent and effective investigations, and ensure a more
continuous EU-level support across the operational lifecycle, from intelligence to
investigation and prosecution.
Figure 1: Intervention Logic
25
5. WHAT ARE THE AVAILABLE POLICY OPTIONS?
5.1. What is the baseline from which options are assessed?
The baseline scenario reflects the continuation of the current legal, governance, and
operational framework established by Regulation (EU) 2016/794, as amended.
Under this scenario, Europol would continue to support cross-border cooperation, provide
criminal intelligence analysis, and contribute to coordinated operational responses, playing
a key role in enabling collective action against serious and organised crime and terrorism89.
Over the period 2027-2037, the operational environment is expected to transform
fundamentally, with criminal networks leveraging advanced technologies, scaling their
activities across borders with unprecedented speed, and producing volumes of data that
challenge the ability of authorities to detect, analyse, and respond effectively90.
Operational cooperation at Union level will become indispensable, requiring faster, deeper,
and more continuous coordination to match the speed, complexity, and reach of evolving
threats.
In this evolving environment, Europol would remain a central pillar of the Union’s internal
security architecture, but the fact that its operational model was conceived for a
fundamentally different era would become increasingly evident. As threats grow faster,
more data-driven, and more interconnected, Europol’s ability to keep pace would be
progressively constrained by the limits of its current legal, technical, and organisational
framework. While Europol would continue to adapt incrementally, its capacity to operate
at the scale and tempo required by the evolving threat environment would remain shaped
by the limits of its existing legal, technical, and organisational framework.
In terms of information and criminal intelligence, Europol would remain the Union’s
central hub for receiving and analysing criminal data, but the scale and complexity of
incoming information would grow far faster than Europol’s capacity to fully exploit it.
Despite ongoing initiatives to improve connectivity91 and expand data exchange92,
information flows would remain uneven and incomplete, reflecting persistent disparities
in national capabilities and system integration. At the same time, the exponential growth
of digital evidence and data-intensive investigations would place mounting pressure on
Europol’s infrastructure and analytical environment. Increasingly, resources would be
absorbed by maintaining and stabilising existing systems, limiting the Agency’s ability to
scale processing capacity and deploy advanced analytical tools. Without structural change,
Europol would face growing difficulty in transforming expanding data volumes into timely
89 See Annex 7, which presents the evaluation of the Europol Regulation and shows a consistent upward
trend. 90 EU-SOCTA and IOCTA highlight that criminal networks are increasingly digitalised, technologically
enabled and transnational, generating growing volumes of data and requiring stronger cross-border
operational cooperation. 91 Examples of Europol’s ongoing modernisation efforts include the Information Management and Analysis
Capability (IMAC), aimed at strengthening the processing and analysis of criminal information, and the Joint
Operational Analysis Capability (JOAC), which enables real-time analytical support to operational activities,
including joint investigation teams, operational task forces, and coordinated cross-border investigations. 92 Considering the EU JHA interoperability roadmap and other developments related to travel information.
26
and operational criminal intelligence, weakening the Union’s ability to detect and disrupt
cross-border threats.
Europol’s operational support would also continue to expand within its existing mandate.
Europol would continue to support investigations and coordinated operational activities
through analytical contributions, technical expertise, and coordination functions, including
support to joint investigation teams, operational task forces, and cooperation with Union
bodies and agencies. Europol would also continue to play an important role in facilitating
cooperation with international partners, including through closer partnerships with specific
countries. However, as operational demands increase in scale and complexity, Europol’s
ability to provide timely and comprehensive support across all relevant investigations
would remain limited by structural factors, including legal and procedural constraints,
uneven Member State participation, and limits in the scalability of its analytical and
coordination functions. As a result, Europol’s operational engagement would remain
selective, contributing to uneven levels of operational support across the Union. At the
same time, as the mandates and operational activities of other Union actors, notably the
EPPO, expand, Europol would be increasingly expected to provide analytical and
coordination support, with cooperation continuing to deepen, while remaining hampered
by fragmented mandates.
Europol would also continue to provide specialised expertise and advanced capabilities,
including in digital forensics, decryption, and large-scale data analysis93, without
duplicating those provided by other EU bodies and agencies. Europol’s technological role
in supporting the Union’s response to online threats is also expected to continue expanding
in line with existing policy frameworks, including the Digital Services Act94 and
developments under the Cybersecurity Act95. This work increasingly involves structured
cooperation with private sector actors, including online platforms, financial service
providers and technology companies, which play an important role in detecting and
reporting criminal activity in the digital environment. These initiatives increasingly rely
on Europol’s technical and analytical expertise to support the identification and assessment
of online risks, including those linked to serious and organised crime, terrorism and illegal
content online96. Furthermore, the work of Europol’s Innovation Lab97 and the European
93 For instance, the recommendations of the High-Level Group on access to data and the Commission’s
roadmap for lawful and effective access to data for law enforcement identify Europol as a key actor in the
areas of digital forensics. At the same time, Europol Programming Document 2024-2026 establishes that
‘Europol seeks to be at the forefront of law enforcement innovation and research and through its Innovation
Lab, it facilitates innovation in the law enforcement community and addresses the risks and opportunities of
emerging technologies’, which is strategic objective 5 in that document. 94 Regulation (EU) 2022/2065. 95 Regulation (EU) 2019/881. 96 In particular, Europol’s role under Article 18 of Regulation (EU) 2022/2065. 97 Europol’s Innovation Lab, established in 2019, is a collaborative platform within Europol that brings
together law enforcement authorities, researchers, technology experts, and industry partners to explore,
develop, and test innovative tools, technologies, and methods that help law enforcement agencies across
Europe anticipate, prevent, and combat emerging criminal and security threats in an increasingly digital and
complex environment. The number of supported operations by the Europol Innovation Lab more than
doubled between 2024 and 2025.
27
Clearing Board98, and technological developments would contribute to incremental
improvements, and Europol would remain a key provider of specialised capabilities that
many Member States would not be able to sustain independently. However, the pace of
technological change and the increasing sophistication of criminal methodologies would
continue to raise operational requirements. Europol’s ability to scale advanced capabilities
and operationalise emerging technologies would remain shaped by structural constraints,
including ICT infrastructure limitations, governance and legal requirements, procurement
timelines, and compliance obligations. Legal and procedural safeguards, including
narrowly defined mandates governing the use of publicly available information, biometric
data, and artificial intelligence tools, would continue to shape the pace and scope of
deploying new analytical techniques99. In particular, the growing importance of publicly
available information and open-source intelligence (OSINT) in criminal investigations
would further increase analytical demands on Europol to exploit such data.
In financial terms, the baseline scenario assumes the continuation of Europol’s current
budgetary trajectory under the existing Multiannual Financial Framework, reflecting a no-
policy-change scenario. Europol’s budget has grown steadily in recent years, increasing
from approximately EUR 169 million in 2021 to around EUR 235 million in 2025,
reflecting the Agency’s gradual expansion of its operational responsibilities and analytical
capabilities. Based on this trend, the cumulative Europol budget over the current MFF
(2021-2027) is estimated at around EUR 1.5 billion. For the purposes of this impact
assessment, baseline projections assume that Europol’s budget would continue to evolve
broadly in line with historical trends, resulting in a projected envelope of approximately
EUR 2.3-2.9 billion over the following MFF period (2028-2034), depending on whether
linear growth or a constant growth rate is assumed100. These projections exclude the costs
associated with the policy options assessed in this impact assessment and reflect
expenditure that would likely be incurred irrespective of the initiative. The budgetary
impact of the preferred option should therefore be assessed in addition to the projected
baseline envelope.
5.2. Description of the policy options
This Impact Assessment examines two policy options, focusing on the main strategic
directions for strengthening Europol’s role within the Union’s security architecture and
presenting those measures contained in the two options that would have the most
significant implications. These options are structured around two distinct policy
directions both reflecting an ambitious strengthening of Europol’s role.
Policy Option 1 strengthens Europol’s existing mandate and operational model through
targeted structural improvements and expanded capabilities, enabling more effective and
scalable operations while preserving the current framework.
98 The European Clearing Board is a Europol-coordinated forum where EU Member States and agencies
align operational needs and guide the development of innovative law-enforcement technologies. 99 ICF (March 2026), Draft Final Report of the Study supporting the evaluation and the impact assessment
of the Europol Regulation, p.31. 100 See Annex 3 cost of the preferred option, for more details on the calculation.
28
Policy Option 2, by contrast, explores a more fundamental evolution of Europol’s role,
positioning the Agency as an essential Union-level capability for coordinating operations
and generating criminal intelligence in response to increasingly complex cross-border
threats.
Each policy option comprises a coherent, but not exhaustive, set of measures addressing
the specific objectives of strengthening Europol. Some measures represent progressive
improvements that could be implemented cumulatively, with Policy Option 2 building on
and going beyond elements of Policy Option 1. However, other measures reflect alternative
approaches that are specific to each option and are not cumulative.
The policy measures have been designed to address the two identified problem areas in a
complementary manner. Measures under Sub-policy Options 1.1, 2.1, 2.2 and 2.4 primarily
address the persistent information gaps that hinder the development of a complete EU-
wide criminal intelligence picture. Measures under Sub-policy Options 1.3, 1.4, 2.3 and
2.4 primarily address the fragmented and uneven use of Europol's operational support and
specialised capabilities. Together, the measures seek to improve both the availability of
operational information and Europol's ability to provide timely, effective and operationally
embedded support to Member States and other relevant EU actors.
Policy Options (table):
Policy Option 1: Reinforcing Europol’s
existing model
Policy Option 2: Designing a new model for
Europol
Specific Objective 1: Reinforce Europol’s role as
an information hub for law enforcement
a) closing information gaps Sub policy option 1.1: strengthened data
availability, processing and service
Sub policy option 2.1: Europol as an
operational service provider and information
hub for law enforcement
b) addressing data subject categorisation Sub policy option 1.2: enhanced
mitigating measures to address the
obstacles of Data Subject Categorisation
Sub policy option 2.2: simplified rules to
reduce the administrative burden of data
subject categorisation
Specific Objective 2: Strengthening Europol’s
capacity to support law enforcement operational
action
a) inter-agency cooperation Sub policy option 1.3: reinforced
cooperation with the EU bodies and
agencies for internal security
Sub policy option 2.3: Europol to provide
analytical support to the EPPO
b) bringing Europol’s support to the ground Sub policy option 1.4: Europol digital
platforms embedded in national
investigations
Sub policy option 2.4: EU Digital Police
Cloud and Europol support offices
4.1.1. Specific Objective 1: Reinforce Europol’s role as the EU operational information
hub for law enforcement
Policy Option 1: Reinforcing Europol’s existing model
Sub-policy option 1.1: Strengthened data availability, processing and service
Improving data availability through targeted and incremental data-sharing
obligations
Upgrading Europol systems and services to deliver stronger operational returns
This sub-policy option aims to strengthen Europol’s ability to support Member State
investigations by improving the availability, timeliness and operational use of data,
while ensuring that enhanced cooperation delivers clear operational returns to Member
States. It addresses the main technical, organisational and practical barriers to effective
information exchange without introducing automatic or bulk data transfers, and
without altering the fundamental data-ownership model or Europol’s mandate.
The option focuses on priority crime areas identified in the Europol Regulation (e.g.,
terrorism and child sexual exploitation) where EU added value is clear. Member States
would have limited, progressive duties to make relevant data available to Europol,
building on existing cooperation practices.
A key measure is the mandatory deployment of technical data-loader solutions, enabling
automated and timely data uploads while preserving full Member State control over
shared data. Experience shows such tools reduce administrative burden, increase
timeliness, and support more systematic information sharing. If all Member States were to
contribute at levels comparable (per capita) to Member States equipped with data loaders
(such as Germany and the Netherlands), the overall EIS content could potentially
increase by 50% in the short term, providing a more comprehensive threat intelligence
picture and a greater chance of identifying interconnected cases.
This approach does not alter the possibility left to Member States to decide not to supply
information to Europol under Article 7(7) of the Europol Regulation, nor does it confer
autonomous data collection powers on Europol. The focus is on technical readiness,
predictability and consistency, supported by transparency measures such as monitoring
of response times, feedback loops to national units and aggregated reporting on
responsiveness.
A central component is a major upgrade of Europol’s ICT infrastructure and core
systems (including SIENA, EIS, EAS and QUEST/QUEST+)101, improving scalability,
automation, usability and performance. This ensures that increased data availability
translates into tangible benefits for Member States. Where appropriate, proven EU
technologies from EU large-scale systems provided by eu-LISA could be reused to
101 See Annex 8 for more details.
31
enhance interoperability and resilience systems102. This increase in capacity would enable
systematic and automated cross-check against relevant EU information systems103.
Europol’s role in maintaining common technical and data standards, notably the
Universal Messaging Format (UMF), would be reinforced to reduce fragmentation,
mapping costs and duplication, while supporting automation and data quality. The option
also consolidates Europol’s OSINT capacity104, including the application and
deployment of AI-assisted tools.
To reduce implementation costs, Europol could support joint procurement of technical
components (e.g., data-loaders and interfaces), promoting economies of scale and
interoperability. Crucially, the option strengthens Europol’s service and assistance role
through a dedicated pool of ICT and data-management experts supporting Member States
with deployment, troubleshooting, standards compliance and training. This ensures
consistent uptake and practical operational benefits.
Overall, this sub-policy option enhances the availability, quality, and operational use of
data while fully respecting national autonomy and data ownership, functioning as both
a standalone upgrade and a key enabler for broader reform measures.
Sub policy option 1.2: Mitigating measures to address the obstacles of Data Subject
Categorisation
Smarter and faster implementation of Data Subject Categorisation
This sub-policy option aims to improve the efficiency of DSC at Europol without
changing the existing legal framework. It focuses on mitigating the resource-intensive
nature of current requirements by strengthening Europol’s operational procedures and
technological capabilities.
In particular, Europol would deploy advanced analytical tools and update internal
guidelines to support faster and more consistent DSC. This could include operational
manuals and standardised procedures for handling specific datasets, such as
telecommunications data, open-source intelligence or financial information. The objective
would be to streamline the process, enhance legal certainty and reduce the operational
burden. The option would also strengthen cooperation with Member States to facilitate the
efficient processing of complex datasets and support timely investigations.
102 For instance, technology used by the shared biometric matching service (sBMS) for upgrading Europol’s
biometric capabilities. 103 In 2024, Europol carried out 13 704 manual and 194 792 batch searches directly in EIS and generated
13 409 Cross Match Reports and SIENA hit notifications. If each case-triggered intake (manual or batch)
were systematically accompanied by proportionate consultations of relevant EU information systems (SIS,
VIS, EURODAC, EES, ETIAS, ECRIS-TCN), this could imply in the order of 200 000 additional structured,
logged queries annually at EU level. 104 This would entail scaling up Europol’s ability to collect and analyse publicly available online information
relevant to criminal investigations. It would involve specialised tools, analytical methods and dedicated staff
to systematically integrate OSINT into Europol’s intelligence workflows.
32
Policy Option 2: Designing a new model for Europol
Sub policy option 2.1: Europol as an operational service provider and information
hub for law enforcement
Authorised Europol access to national data
Europol as a provider of operational services
This sub policy option strengthens Europol’s role as an operational service provider
acting on behalf of Member States, by improving its ability to access, process and
operationally exploit relevant information, while fully preserving Member State data
ownership, investigative autonomy and existing decentralised architectures. It builds
on existing EU frameworks, notably Prüm II105, and focuses on targeted extensions where
clear EU added value and operational necessity are demonstrated.
Under this option, Europol would be allowed, with the explicit authorisation of the data-
owning Member State(s), to query national databases already connected under EU
information exchange mechanisms, in particular the Prüm II framework. This would
include national biometric databases (DNA profiles, fingerprints and facial images), police
record indexes (EPRIS) and vehicle registration data (EUCARIS).
The key change would be to remove the current restriction linked to the origin of the
data to be used by Europol when launching queries, allowing Europol to use authorised
national data in addition to third country-sourced data106. Europol would act strictly on
behalf of and within the scope defined by the authorising Member State(s)107.
For non-biometric data, this represents a proportionate extension of Europol’s existing
analytical role, removing an artificial constraint that limits operational effectiveness. For
biometric data, Europol would function as a technical and forensic service provider,
supporting Member States by launching authorised queries, handling complex matches and
providing expert analysis, particularly in time-critical or large-scale cases (e.g., terrorist
attacks or mass casualty events). Authorisations could be granted on a standing or ad-hoc
basis.
Beyond data access, this option would also position Europol as a provider of shared EU-
level operational and technical services, reducing fragmentation, dependencies, and
costs. These services would be optional, demand-driven and subject to strong Member
105 The Prüm II framework, established by Regulation (EU) 2024/982, is currently in the implementation
phase, with the start of operations expected by 2027. 106 Europol currently hosts roughly 17 600 fingerprints sets and 5 300 latent prints, around 450 DNA profiles,
and about 3 500 facial images in the EIS. Extending the mandate to allow Europol to run Prüm II cross-
checks not only on third-country biometrics but also on biometric data submitted by Member States would
significantly enhance effectiveness. Instead of limiting queries to externally sourced datasets, Europol could
systematically deconflict and crossmatch Member State-contributed biometric traces (e.g. latent prints from
serious crime scenes) across the full Prüm network. 107 This would not modify the Prüm II hit/no-hit architecture, nor grant Europol autonomous access rights.
33
State oversight. A key example is an EU DNA matching service108, as Member States
currently rely on different technologies, including third-country tools. An EU-level service
facilitated by Europol would support Prüm II implementation, reduce external
dependencies and ensure interoperability, while reducing dependency on third-country
tools.
Sub policy option 2.2: Simplified rules to reduce the administrative burden of Data
Subject Categorisation
Aligning the rules with already existing legal frameworks
This sub-policy option would entail a legislative overhaul, aligning the Europol Regulation
with the EU Data Protection Regulation (EUDPR) and the Law Enforcement Directive
(LED), to establish an appropriate legal framework for Europol, simplifying the rules for
data processing and improving Europol’s operational flexibility, while maintaining a high
level of data protection.
Under this approach, DSC would be required “where applicable and as far as possible”,
rather than as a strict ex ante condition for accepting and processing all data. Categorisation
would instead take place when data is operationally used, allowing Europol to process
larger and more complex datasets while ensuring proportionate and meaningful
classification.
This framework would provide greater legal clarity, support the use of advanced
analytical tools and machine learning by enabling more consistent processing and analysis
of large and complex datasets, and reduce operational bottlenecks. Oversight by the
European Data Protection Supervisor (EDPS) would remain. The alignment would also
enhance consistency across EU data protection instruments, providing simplification and
reducing fragmentation.
4.5.2. Specific objective 2: Reinforce Europol’s role in providing operational
support to investigations
Policy Option 1: Reinforcing Europol’s existing model
Sub policy option 1.3: enhanced EU inter-agency information
Reinforced operational support to the EPPO
Strengthened Europol-Eurojust operational continuum
Enhanced information sharing between Europol and AMLA
108 DNA matching services are necessary tools to allow existing systems using DNA technology to work.
Implementation would be progressive and evidence-based, starting with pilots and clear governance
arrangements, preserving flexibility and trust. For more details on the EU DNA matching service, see Annex
9.
34
This option strengthens operational information exchange and cooperation between
Europol and key EU bodies and agencies, notably the EPPO, Eurojust and AMLA, to
ensure more coherent and effective EU-level support for national authorities in tackling
cross-border crime.
Reinforced Europol support to the EPPO
This component would strengthen Europol’s support to the EPPO while maintaining the
current institutional framework. Europol would enhance its analytical support to EPPO
investigations, ensuring more systematic and timely cooperation to be able to match the
growing needs of the EPPO. This could involve allocating additional specialised staff
within Europol, including the creation of a dedicated team focusing on EPPO-related
cases. Such a team would deepen expertise, improve operational coordination and enable
more structured planning of resources. The option would also strengthen operational
interaction through enhanced coordination between liaison officers stationed at Europol
and the EPPO.
These measures would require targeted legislative amendments but would not alter the
respective mandates of Europol and the EPPO or the fundamental nature of their
relationship.
Strengthened Europol-Eurojust operational continuum
This component would strengthen complementarity between Europol and Eurojust,
ensuring a seamless continuum between law enforcement and judicial cooperation and
enabling more integrated EU support throughout cross-border investigations.
Operationally, this would support a more continuous transition between the intelligence,
investigation and prosecution phases of cross-border cases, while avoiding duplication of
efforts between authorities.
A first element of this measure would be to enhance information sharing by improving
indirect access to information between Europol and Eurojust through the practical
implementation of the hit/no-hit system provided for in the mandate of both agencies109.
Under this system, each agency would be able to query limited reference data held by the
other agency in order to identify whether potentially relevant operational or judicial
information exists, without obtaining direct access to the underlying files. Operationally,
this would involve upgrading the current mechanism through the implementation of more
automated processes, thereby enabling faster and more efficient exchanges of relevant
information between the two agencies.
A second element would establish specialised EU-level support within Europol for
national authorities seeking to obtain electronic evidence from online service providers.
This support would complement the judicial coordination role of Eurojust by focusing on
the operational and technical dimensions of cross-border access to electronic evidence.
This would include operational guidance on legal procedures, practical tools and technical
expertise for requesting and handling electronic evidence, as well as structured channels
for interaction with service providers. Europol’s role would focus on facilitating
operational coordination, technical assistance and information exchange, while judicial
109 This solution would also be expanded to other EU bodies and agencies, ensuring a semi-automated and
asymmetrical hit/no-hit system.
35
authorisations and prosecutorial decisions would remain the responsibility of competent
national authorities and judicial actors. Europol could also maintain dedicated resources
facilitating exchanges between competent authorities and providers, supporting the
preservation, production and handling of electronic evidence in cross-border
investigations. This would enable more consistent and predictable EU-level support in
cases involving digital evidence and strengthen operational coordination between Europol
and Eurojust.
Enhanced information sharing between Europol and the AMLA
This component would strengthen cooperation between Europol and the AMLA by
enabling structured information exchanges between the two bodies. In particular, it
would provide AMLA with indirect access to information stored by Europol through the
hit/no-hit system. This would allow AMLA to identify potential links between financial
intelligence and Europol’s operational information on serious and organised crime.
Sub policy option 1.4: Embedding Europol tools and systems in national
investigations
Connect national case management systems
Targeted obligation to consult Europol systems
This option would bring Europol’s analytical capabilities closer to the daily work of
investigators by integrating Europol tools directly into national case management systems.
Instead of relying mainly on reactive exchanges of information, investigators would be
able to access Europol’s analytical support as part of their normal investigative workflow,
allowing earlier identification of cross-border links and stronger analytical support
throughout investigations.
Member States would progressively connect their national case management systems -
to be established under Directive (EU) 2024/977 - with Europol systems through secure
interfaces and common data standards. Investigators would be able to consult Europol
systems automatically at predefined stages of an investigation, receive cross-checks and
analytical feedback directly within their case files, and transmit relevant case information
to Europol.
This approach would enable largely automated exchanges, allowing Europol to function
as a shared analytical backbone by providing automated cross-checks and identification of
cross-border connections in support of national investigations.
The option would also introduce a targeted obligation to consult Europol systems in
serious and organised crime investigations with a cross-border dimension. Where relevant
links are identified, this could trigger conditional sharing of case data with Europol, while
fully respecting the principles of necessity and proportionality. Embedded consultation
would support earlier detection of cross-border connections and help avoid investigative
overlaps, complementing existing information exchange channels.
Implementation would depend on the development of fast, scalable and reliable digital
infrastructure as envisaged under Sub policy option 1.1.
36
Policy Option 2: A new model for Europol
Sub policy option 2.3: Europol as structural provider of information, analytical
support and capabilities to the EPPO110
Integrated and systematic framework of operational and analytical support
This option would introduce a structural shift in Europol’s support to the EPPO, moving
from the current request-based model to a systematic framework for analytical support.
Europol would act as a structural provider of analytical capabilities to the EPPO, ensuring
that the Union’s central law enforcement expertise is mobilised consistently in
investigations affecting the Union’s financial interests.
A key element would be the establishment of a structured framework through which
Europol’s analytical and technical capabilities are systematically deployed in support of
EPPO investigations. This would include a dedicated capability within Europol
composed of specialised staff focusing on EPPO-related cases, enabling deeper
expertise and more predictable operational support.
Under this model, the EPPO would be able to guide and prioritise the analytical support
provided by Europol, ensuring alignment with investigative needs and timelines and that
analytical tasks and operational activities of a non-coercive nature are carried out by
Europol on behalf of the EPPO. Europol would provide analytical support during
operational phases of investigations, technical assistance in processing seized data, and
intelligence products supporting investigative strategies. This would allow the EPPO to
benefit more systematically from Europol’s expertise in large-scale data analysis and
criminal intelligence development in complex cross-border financial crime cases.
The option would also strengthen information exchange between Europol and the EPPO
within the EPPO’s mandate. The Europol Regulation could mirror the logic of the EPPO
Regulation by allowing the EPPO to access relevant information held by Europol when
this falls within its competence. Faster and more systematic data exchange would enable
both bodies to identify cross-border criminal links more effectively and strengthen
investigations affecting the Union’s financial interests. Clear arrangements would govern
the control and use of exchanged data, without fundamentally altering the existing data-
ownership model or Europol’s mandate.
Sub policy option 2.4: Operational integration of Europol into national
investigations
• EU Police Cloud
• Europol Support Offices
110 Policy Option 2 does not include a comparable operational support model for Eurojust, as the agency does
not exercise investigative powers or conduct operational law enforcement activities.
37
This sub-option would transform the way Europol supports investigations by embedding
its analytical, technical and coordination capabilities directly within national operational
environments. Through a shared EU law enforcement platform (“EU Police Cloud”) and
reinforced operational presence in Member States, Europol would evolve from a central
hub into an operational capability integrated into the day-to-day work of investigators
across the Union.
EU Police Cloud
The EU Police Cloud would provide investigators in Member States with direct access to
Europol’s analytical tools, collaborative environments and data-processing capabilities
through a secure digital platform. Rather than relying primarily on request-based support,
investigators would be able to use Europol tools directly during investigations. Access
would be granted only to authorised users designated by competent national authorities
and Europol, based on role-based permissions and investigation-specific access rights.
Authentication could rely on the EU Police Digital Identity, allowing national authorities
to issue, manage and revoke credentials while ensuring a harmonised and trusted access
framework across the Union.
The platform would remove technical barriers that currently limit the use of Europol’s
digital tools and progressively become accessible to a broad community of law
enforcement users across the Union (up to 380 000 by 2035111). Designed as a modular
online platform, it would allow investigators to access specialised tools and shared data in
real time, enabling more timely and operationally embedded collaboration with Europol.
In practice, investigators participating in the same join operational case could securely
collaborate within dedicated digital workspaces, exchange operational information,
perform analytical queries and coordinate investigative actions in near real time. The EU
Police Cloud would bring together, through a single digital environment, the analytical
and operational tools currently available at Europol’s headquarters and make them
accessible to national investigators across the Union.
A core function would be the ability to upload, store and analyse large volumes of
investigative data, including structured data (police records, administrative data) and
unstructured data (digital extractions, seized devices, operational material). Data uploaded
to the platform would remain logically separated according to the relevant investigation,
operational task or access authorisation. Data would remain subject to strict access control,
compartmentalisation by investigation, and robust security safeguards, ensuring that only
authorised personnel can access relevant datasets. All data-processing activities would be
logged and auditable, enabling ex post verification of compliance with access rights,
investigation mandates and data-protection requirements. Advanced forensic and
analytical modules, including AI-based tools and biometric capabilities, would enable
targeted cross-checks within joint investigations.
Other modules would automate searches and requests across information available for
law enforcement purposes under Union or national law, including police records (EIS and
national records via the Prüm II framework), investigative records, interoperability
111 Estimation based on the assumption that (i) 20% of law enforcement officers have criminal investigation
skills, and (ii) the size of the European police workforce reported by Eurostat (2023): 1,537,588 police
officers. Police, court and prison personnel statistics - Statistics Explained - Eurostat.
38
databases, national administrative records (see policy option 1.1), OSINT, referrals,
information provided by third countries or private parties to Europol. Queries would be
taking place in accordance with applicable access rights and legal bases, ensuring that users
only obtain access to information they are authorised to consult. To improve reactivity,
regular repeated searches and alerts would be implemented.
As collaboration builds upon a continuum of exchanges from the more technical to the
more communicational, this platform would provide online integrated collaboration tools
building on existing Europol tools112 such as messaging, mail and video conference. These
functionalities would support operational coordination between investigators and analysts.
To handle increasing data, processing and users, the platform would use multi-cloud
infrastructure (private and sovereign), allowing differentiated treatment of sensitive areas
like terrorism. Sensitive operational environments could be hosted within dedicated
secured infrastructures with reinforced access restrictions and cybersecurity measures. It
would be accessible as a standalone web/mobile application and via Application
Programming Interfaces (APIs)113 for integration with national case management systems,
supporting Europol’s standardisation role. Security would rely on a harmonised EU
Police Digital Identity based on the EU Digital Identity Framework at high assurance
level granting secure and trusted access across the Union. The platform would be
developed according to security-by-design and security-by-default principles.
Cybersecurity safeguards would include multi-factor authentication, encryption,
continuous security monitoring, incident detection and response capabilities, audit trails
and resilience measures against unauthorised access, data breaches or cyberattacks.
Sensitive operational environments could be subject to enhanced security requirements
depending on the nature of the data processed. Successful implementation would depend
on the simplification of the DSC under Sub policy option 2.2 to allow for Europol to
process data even if the DSC has not yet been carried out.
Europol support offices
Europol support offices would strengthen Europol’s operational presence in Member
States and serve as interfaces with national authorities, helping investigators integrate
Europol’s tools, analysis and expertise into ongoing investigations. They could build on
the existing Europol National Units in each Member State.
The model would rely on staffing arrangements that combine expertise on Europol and its
tools with strong familiarity with national investigative environments. This would allow
Europol’s support to be better aligned with national legal frameworks, procedural
requirements and investigative workflows.
Through this approach, Europol support offices would act as operational multipliers within
national investigative ecosystems. They would provide investigators with immediate
operational access to Europol’s analytical tools, specialist expertise and technical
capabilities, enhancing awareness of Europol’s support and effectively embedding that
support within investigations. By enabling the early mobilisation of Europol capabilities,
112 Including SIENA, Videoconference for Operational Purposes (VCOP) and Virtual Command Post (VCP). 113 APIs are sets of rules and protocols that allows different software applications or systems to communicate
and exchange data with each other.
39
they would ensure that analytical outputs and technical support are produced in forms that
can be directly integrated into national investigative processes and, where relevant,
relied upon in judicial proceedings.
The support offices would also provide a stable operational interface for the deployment
of specialised Europol capabilities, including digital forensic expertise, data analysis and
other technical support. This model would complement the Agency’s strong central model
while bringing Europol’s capabilities closer to investigators on the ground. It would also
support a more circular exchange of expertise between Europol and national authorities,
strengthening operational cooperation and the practical use of Europol capabilities across
the Union.
5.3. Options discarded at an early stage
5.3.1.
Non-legislative action and targeted changes to Europol’s legal framework
Non-legislative measures, including operational arrangements, guidance, and technical
improvements within the existing legal framework, were considered but found insufficient
to address the structural limitations identified. While such measures could deliver
incremental improvements, they would not enable Europol to access, process, and
operationally exploit information at the scale required, nor to strengthen its operational
support, capabilities, and governance in a systematic and sustainable manner.
Similarly, more limited and isolated amendments to the Europol Regulation were
considered but discarded, as they would not provide the comprehensive and future-proof
framework needed to enable Europol to operate effectively in a rapidly evolving and
increasingly complex security environment114. Targeted legislative adjustments may
address specific issues, but, on their own, would not fully address the broader structural
challenges identified.
5.3.2.
Turning Europol into an autonomous agency with executive powers
The option of transforming Europol into an autonomous agency with executive law
enforcement powers, including the ability to conduct investigations or take coercive
measures independently of Member State authorities, was considered115 but discarded at
an early stage. Such an approach would represent a fundamental departure from the current
role of Europol as a support and coordination agency operating in close cooperation with
national authorities in line with Article 88 TFEU.
114 The Commission’s report pursuant to Article 68(3) of the Europol Regulation (COM(2025) 752 final)
illustrates that limited changes risk to perpetuate existing shortcomings. 115 Some stakeholders, including the European People’s Party and Renew Europe, have called for
strengthening Europol’s operational role, including proposals to grant enforcement powers.
https://www.epp.eu/files/uploads/2025/01/EPP-Retreat-Priorities-2025-statement.pdf
40
This option would raise significant legal, operational and governance complexities.
Consequently, this option will not be available in short- to mid-term to address the pressing
security needs identified in Section 2.
6. WHAT ARE THE IMPACTS OF THE POLICY OPTIONS?
This section assesses the expected impacts of the policy options described in Section 5.
The analysis evaluates the extent to which the options would contribute to achieving the
objectives identified in Section 4, compared with the baseline scenario described in Section
5.3. The impacts are assessed on a scale ranging from ‘very positive impact’ (++) to ‘very
negative impact’ (--), with intermediate scores: ‘positive impact’ (+), ‘neutral’ (0) and
‘negative impact’ (-).
The assessment draws on the evidence collected through the study supporting this Impact
Assessment, including, where possible, the quantification and monetisation of impacts.
Where sufficient data was available, impacts were quantified based on existing
assessments or modelling; where this was not possible, a qualitative assessment was
carried out. Further details on the methodology and underlying estimates are provided in
Annex 10.
6.1 Financial impacts116
Impact on EU institutions and agencies
Policy Option 1 (+/-) entails additional financial and human resource requirements for
Europol. Over the 2028–2034 Multiannual Financial Framework (MFF) period, one-off
adjustment costs are estimated at approximately EUR 61 million117, mainly associated
with upgrades of ICT infrastructure including the EIS, the EAS, SIENA, QUEST and
analytical tools supporting operational information exchange and analysis. Europol would
also incur recurring annual adjustment costs of around EUR 12.2 million118
(corresponding to approximately EUR 85.4 million cumulatively over the 2028–2034
period) related to staff, system maintenance, infrastructure operation and technical support
to Member States119.
Additional costs related to mitigating measures on DSC are expected to remain limited, as
they mainly concern the development of internal guidance, analytical tools and training
materials120.
Policy Option 1 also includes measures reinforcing operational cooperation between
Europol and other EU bodies and agencies. In particular, strengthening Europol’s support
to the EPPO would require the establishment of a dedicated analytical and operational
support capacity within Europol. The recurring annual operational cost of this reinforced
116 Detailed information is provided in Annex 3. 117 See costs section of Annex 3. 118 See costs section of Annex 3. 119 These costs relate mainly to the upgrade and scaling of Europol’s core systems and the provision of
technical support to Member States. These costs include the staff needed to provide the services. 120 Costs mainly concern the development of internal operational guidance, analytical tools and training
activities aimed at improving the efficiency of data subject categorisation processes.
41
support is estimated at approximately EUR 10 million121 (corresponding to approximately
EUR 70 million cumulatively over the 2028–2034 period). Furthermore, measures
strengthening the operational continuum between Europol and Eurojust would generate
limited additional EU-level financial costs, estimated at approximately EUR 2 million
in one-off costs and EUR 1 million in recurring annual adjustment cost (corresponding
to approximately EUR 7 million cumulatively over the 2028–2034 period), mainly related
to system adaptations and operational coordination122.
Finally, the integration of Europol analytical tools and systems into national investigative
environments would require additional investment at Europol level, with one-off
adjustment costs estimated at approximately EUR 50 million and recurring annual
adjustment cost of around EUR 8 million123(corresponding to approximately EUR 56
million cumulatively over the 2028–2034 period).
Under Policy Option 2, the financial impact on EU institutions and agencies would be
more significant (+).
For Europol, one-off adjustment costs are estimated at approximately EUR 11 million,
mainly linked to system adaptations, reinforced data-management capacity and the
development of an EU DNA matching service. Europol would also incur recurring
annual adjustment cost of around EUR 5.3 million (corresponding to approximately
EUR 37.1 million cumulatively over the 2028–2034 period), primarily related to
specialised staff, system maintenance and operational support associated with these
services124. However, these investments could generate efficiency gains at EU level by
reducing fragmentation, avoiding duplication of technical solutions across Member States
and providing shared operational services at scale.
Furthermore, additional financial effects would arise from the simplification of the rules
on DSC. While this policy option would significantly improve Europol’s operational
flexibility and capacity to process information, it would not require substantial financial
investment, as it mainly involves legislative alignment and simplification of existing rules.
On the contrary, the simplification of the current framework is expected to generate
administrative savings and efficiency gains, as resources currently devoted to the labour-
intensive process of DSC could be redeployed to operational analysis and investigative
support. Overall, the measure is therefore expected to have a very positive financial
impact, primarily through efficiency gains rather than additional expenditure, although
these gains remain difficult to quantify precisely at this stage due to limited comparable
operational data.
121 Costs relate primarily to specialised staff within a dedicated Europol support capacity responsible for
operational analysis, cross-checks of operational data and digital forensic support for EPPO investigations. 52 additional officers would be required in 2026, gradually increasing to 66 officers by 2033, to meet the growing
demand for support. The total annual cost of employing these additional officers is estimated to rise from €8.2
million in 2026 to €10.4 million by 2033. 122 These costs relate to further development of the Europol-Eurojust hit/no-hit information exchange
mechanism and the consolidation of EU-level support for accessing electronic evidence. 123 See costs section of Annex 3. 124 Costs relate mainly to system adaptations enabling authorised access to national databases connected
under EU frameworks, reinforced data management capacity and the development and operation of an EU
DNA matching capability.
42
The development of the EU Police Cloud would entail one-off adjustment costs for
Europol estimated at approximately EUR 143.3 million and recurring annual
adjustment cost of around EUR 39.8 million125(corresponding to approximately EUR
278.6 million cumulatively over the 2028–2034 period). While the initial investment in
digital infrastructure is significant, the use of a common EU-level platform is expected to
generate efficiency gains over time by reducing fragmentation between national systems
and enabling more efficient processing and analysis of operational data126.
Additional costs would arise from the deployment of Europol support offices in
Member States, with recurring annual adjustment cost of up to EUR 6.5 million127
(corresponding to approximately EUR 45.5 million cumulatively over the 2028–2034
period).
Establishing Europol as a structural provider of analytical and operational support to the
EPPO would generate additional adjustment recurring cost at EU level estimated at
approximately EUR 11 million per year128 (corresponding to approximately EUR 77
million cumulatively over the 2028–2034 period). These costs relate mainly to the creation
and operation of a dedicated Europol support capacity composed of specialised analysts
and operational staff supporting EPPO investigations129. No separate one-off adjustment
costs are expected130.
Impact on Member States
Under Policy Option 1 (+), Member States would incur moderate implementation costs,
mainly related to improving data exchange with Europol and integrating Europol analytical
capabilities into national investigative environments.
One-off costs are estimated at approximately EUR 81 million in total (around EUR 3
million per Member State on average), primarily linked to the deployment of automated
data-loader solutions and the technical adjustments required to connect national systems
with upgraded Europol platforms. Recurring annual costs are estimated at approximately
EUR 16.2 million (corresponding to approximately EUR 113.4 million cumulatively over
the 2028–2034 period), mainly related to maintenance of data loader infrastructure, system
interfaces and operational support.
Further costs would arise from the integration of EIS and EAS into national
investigative environments, including updates to national case management systems, the
adoption of common data standards and training of personnel. These investments are
estimated at approximately EUR 105 million in one-off costs and EUR 20 million in
125 Costs relate mainly to infrastructure development, system integration, data migration and the operation of
the EU Police Cloud platform, as well as the establishment of a secure EU Police Digital Identity framework
for law enforcement users. 126 See benefits section of Annex 3. 127See costs section of Annex 3. 128 See costs section of Annex 3. 129 Costs primarily reflect the establishment of a dedicated EPPO support team within Europol responsible
for operational analysis, cross-checks of operational data, digital forensic support and coordination of
analytical activities supporting EPPO investigations. 130 The necessary infrastructure and onboarding requirements are already covered.
43
annual recurring costs (corresponding to approximately EUR 140 million cumulatively
over the 2028–2034 period).
At the same time, Policy Option 1 is expected to generate significant operational
efficiencies for national authorities131. Automated data loaders would reduce manual
processing and delays in information sharing, while improved Europol systems and
embedded analytical services would allow investigators to benefit more systematically
from EU-level analytical capabilities. Measures addressing obstacles linked to DSC would
not generate additional costs for Member States, as they mainly concern internal
procedures within Europol.
Under Policy Option 2 (+/-), the economic impact on Member States would vary
depending on the operational capabilities developed at EU level.
For measures enabling Europol to act as an operational service provider and
information hub, Member State costs are expected to remain very limited, as the
approach relies primarily on existing EU information exchange mechanisms, such as the
Prüm II framework. One-off costs are estimated at approximately EUR 0.05 million per
Member State132, reflecting minor technical adjustments required to enable authorised
queries through existing infrastructure. Recurring costs are expected to remain negligible.
More substantial costs would arise from the deployment of the EU Police Cloud and
related digital infrastructure, which would require adjustments to national systems,
integration with the EU Police Digital ID framework, training and data migration. These
investments are estimated at approximately EUR 67.5 million in one-off costs and EUR
11.4 million in annual recurring costs133 (corresponding to approximately EUR 79.8
million cumulatively over the 2028–2034 period).
Overall, although Policy Option 2 involves high implementation costs for Member States
in relation to digital infrastructure, these investments are expected to generate long-term
efficiency gains by enabling access to shared analytical tools and operational services at
EU level, reducing fragmentation of national solutions and supporting more effective
cross-border investigations.
6.2 Social impacts
6.2.1 Impacts on security and EU citizens
Policy Option 1 (+) is expected to have a positive impact on internal security by
strengthening the ability of national authorities and EU bodies to detect and investigate
cross-border criminal activity. Improved data availability and upgraded Europol systems
would enable more systematic cross-checks and faster analytical support, helping
investigators identify cross-border links earlier and coordinate more effectively.
Reinforced cooperation with the EPPO would reinforce investigations affecting the
Union’s financial interests, while stronger coordination with Eurojust would facilitate the
131 See benefits section of Annex 3. 132 See costs section of Annex 3 133 See costs section of Annex 3
44
judicial handling of complex cross-border cases, including those involving electronic
evidence. Embedding Europol analytical tools within national investigative workflows
would further reduce the risk of undetected cross-border criminal connections, ultimately
contributing to a higher level of security for EU citizens.
Policy Option 2 (++) is expected to have a very strong positive impact on security by
significantly strengthening the Union’s ability to detect, investigate and disrupt serious and
organised crime. Faster and more systematic cross-checks across national databases under
the Prüm II framework would enable investigators to identify cross-border criminal
networks earlier and act more quickly. Shared EU-level operational capabilities and
simplified data processing rules would substantially increase Europol’s analytical capacity,
allowing authorities to exploit large datasets and detect criminal patterns that would
otherwise remain unnoticed.
By making Europol’s capabilities directly accessible to investigators through shared digital
infrastructure and strengthened operational presence in Member States, the option would
enable faster, more coordinated and intelligence-driven investigations across the Union.
Overall, this option would markedly improve the EU’s ability to prevent and disrupt cross-
border crime and terrorism, delivering tangible security benefits for EU citizens.
6.2.2 Administrative impacts on national authorities
Policy Option 1 (+) is expected to have a positive impact on the administrative efficiency
of national law enforcement authorities by streamlining cross-border information exchange
and improving the operational returns of cooperation with Europol. Improved data
availability and automated data-sharing tools would reduce manual administrative tasks
and delays, while upgraded Europol systems would provide faster cross-checks and
analytical support. Additional efficiency gains would arise from clearer guidance on DSC
and strengthened cooperation with EU bodies and agencies. Embedding Europol tools
more directly into national investigative workflows would further reduce administrative
friction and improve the systematic use of EU-level information in investigations.
Policy Option 2 (++) would result in strong administrative efficiency gains by simplifying
procedures and expanding EU-level operational support. Allowing Europol, when
authorised by Member States, to query national databases under the Prüm II framework
would reduce administrative workload in cross-border investigations and enable Europol
to carry out complex analytical and forensic tasks on behalf of Member States. Further
gains would arise from establishing Europol as a structural provider of analytical support
to the EPPO to avoid multiple requests for information. The EU Police Cloud and Europol
support offices would also facilitate easier access to Europol tools and expertise, improving
operational interaction and reducing coordination burdens for national authorities.
6.2.3 Youth impacts
Both policy options (0) are not expected to have direct impacts specifically targeting young
people. However, by strengthening the Union’s capacity to prevent and combat serious and
organised crime, including offences that particularly affect minors, such as child sexual
45
exploitation or cyber-enabled crime, the measures may have indirect positive effects on
young people.
6.2.4 SMEs
Both policy options concern the operational framework, governance and cooperation
mechanisms of Europol and competent public authorities. It does not introduce regulatory
obligations, compliance requirements or direct operational impacts for SMEs. Both policy
options are therefore not expected to have direct impacts for SMEs.
6.3 Fundamental rights impacts
The two policy options assessed in this Impact Assessment involve the processing of
personal data in the context of law enforcement cooperation. They therefore relate
primarily to the fundamental rights to respect for private and family life (Article 7) and
protection of personal data (Article 8) of the Charter of Fundamental Rights of the
European Union. The analysis below assesses whether any interference with these rights
is necessary and proportionate to the objective of general interest consisting in the
prevention, detection and investigation of serious and organised crime and terrorism.
6.3.1 Objective of general interest
Policy Option 1 (++)
Policy Option 1 contributes to the objective of general interest consisting in the prevention,
detection and investigation of serious and organised crime and terrorism. By improving
the availability, quality and timeliness of operational data exchanged between Member
States and Europol, the option would strengthen the analytical capacity of law enforcement
authorities and support earlier identification of cross-border criminal links. Upgrading
Europol’s systems and improving data exchange with other EU bodies and agencies would
allow authorities to exploit operational information more effectively.
Policy Option 2 (++)
Objective of general interest
Policy Option 2 would further strengthen the Union’s capacity to prevent, detect and
investigate serious and organised crime and terrorism by significantly improving the ability
of law enforcement authorities to access, process and analyse operational data across
borders. By enabling faster cross-checks across databases, expanding EU-level analytical
capabilities and simplifying data processing rules, the option would allow authorities to
exploit large and complex datasets more effectively in support of investigations. This
would enhance the detection of criminal networks, strengthen cross-border investigations
and improve the overall effectiveness of EU action against serious and organised crime.
6.3.2 Protection of personal data
Policy Option 1 (0)
Necessity
The measures included in Policy Option 1 aim to address operational inefficiencies in the
current framework for information exchange and analysis. In particular, fragmented and
46
largely manual data-sharing processes limit the ability of Europol and Member States to
analyse operational information effectively and identify cross-border criminal connections.
Improving data availability through automated tools and upgrading Europol systems would
ensure that lawfully shareable information can be processed more efficiently and used
more systematically in criminal investigations.
At the same time, the option does not introduce new categories of personal data, new
processing purposes, or additional access rights. The measures primarily concern
improvements to the functioning of existing systems and procedures and therefore operate
within the current legal framework governing the processing of personal data by Europol
and national authorities.
While the option does not substantially alter the existing data-protection framework,
increased automation and interoperability may nevertheless increase certain risks related
to erroneous data propagation, unauthorised access or wider dissemination of inaccurate
information if safeguards are not effectively implemented.
Proportionality
The option preserves the existing safeguards governing the processing of personal data.
Member States would retain control over the data they share with Europol and existing
rules on purpose limitation, access conditions and retention periods would remain
unchanged. Measures addressing operational challenges related to data subject
categorisation would focus on improving procedures and guidance rather than modifying
the underlying legal obligations.
Operational safeguards would continue to include role-based access controls, logging and
traceability of access to operational data, differentiated handling codes defined by the data
owner, data-quality verification mechanisms, and supervision by the Europol Data
Protection Officer and the European Data Protection Supervisor (EDPS). Europol’s
existing information-security framework, including encryption, network segmentation,
secure authentication mechanisms and continuous security monitoring, would continue to
apply to upgraded systems and automated exchange tools.
In practice, automated data-loading solutions would not bypass Member State control over
operational data. Member States would remain responsible for defining which categories
of information may be shared automatically, under which conditions, and with which
handling restrictions. Automated exchanges would therefore remain subject to predefined
operational parameters, auditability and ex post verification mechanisms.
Conclusion
Overall, Policy Option 1 respects the principles of necessity and proportionality while
maintaining the existing level of data protection safeguards. Its impact on the protection of
personal data is therefore assessed as neutral (0). Although certain operational risks linked
to increased automation remain, these are considered limited and manageable within the
existing EU data protection, cybersecurity and supervisory framework.
Policy Option 2 (-)
Necessity
47
The measures address operational limitations currently affecting cross-border
investigations, particularly delays and fragmentation in accessing and analysing
operational data. Allowing Europol, when authorised by Member States, to perform
queries in national databases connected under existing EU frameworks would enable faster
identification of cross-border links in complex or time-critical investigations. Shared
services, such as a potential EU DNA matching service, would strengthen forensic
cooperation and reduce reliance on fragmented technical solutions.
In addition, the EU Police Cloud would provide the scalable infrastructure required to
process large and complex datasets used in cross-border investigations, while the
simplification of DSC rules would allow lawfully collected data to be processed more
efficiently. These measures are therefore necessary to ensure that operational information
can be effectively used to combat increasingly digital and transnational forms of crime.
At the same time, these measures increase the scale, speed and interconnectedness of
operational data processing, thereby creating heightened risks relating to cybersecurity,
unlawful access, function creep, excessive data availability, potential re-use of data beyond
the original operational context, and the processing of inaccurate or insufficiently
categorised data. The EU Police Cloud in particular would create a more integrated
operational environment with a significantly larger user base and increased volumes of
sensitive law-enforcement information processed digitally across borders.
Proportionality
The interference with fundamental rights remains proportionate. Europol would act only
on the basis of Member State authorisation and within its mandate, without centralising
national databases or altering Member State ownership of data. The measures do not
introduce fundamentally new categories of personal data or new processing purposes but
improve the operational use of data already lawfully collected for law enforcement
purposes.
Processing would remain subject to the safeguards provided under the Europol Regulation,
the Law Enforcement Directive and the EUDPR, including purpose limitation, access
controls and independent supervision. Technical infrastructures such as the EU Police
Cloud would incorporate security-by-design features, strong authentication and traceable
access management to ensure accountability.
More specifically, the EU Police Cloud would rely on a multi-layered security architecture
combining organisational, technical and legal safeguards. These would include end-to-end
encryption of data in transit and at rest, strict compartmentalisation of operational datasets,
role-based and attribute-based access controls, multi-factor authentication through the EU
Police Digital Identity framework, continuous security monitoring, penetration testing and
detailed audit logs enabling full traceability of user actions.
Access to operational environments and datasets would remain limited to specifically
authorised users acting within defined operational mandates and on a need-to-know basis.
Different investigations and operational projects would remain logically separated through
compartmentalised access environments, preventing unrestricted cross-access to
operational information.
The processing of sensitive operational datasets would also remain subject to differentiated
handling codes, retention periods and supervisory controls. Europol’s Data Protection
48
Function and the EDPS would continue exercising oversight over compliance with data-
protection obligations, including in relation to large datasets, automated analytical tools
and the use of artificial intelligence-supported functionalities.
Regarding the simplification of DSC rules, safeguards would continue to require Europol
to assess the relevance, reliability and necessity of operational data within defined
timeframes. The simplification would therefore not eliminate data-protection obligations,
but rather adapt the sequencing and operational handling of categorisation requirements to
avoid unnecessary delays in time-sensitive investigations, therefore aligning it with the
EUDPR.
Cybersecurity risks associated with the EU Police Cloud would furthermore be mitigated
through compliance with the EU cybersecurity framework applicable to Union institutions
and bodies, including high common cybersecurity standards, incident reporting
obligations, business continuity measures, security accreditation procedures and
continuous vulnerability management. Given the sensitivity of the data processed,
implementation would likely require phased deployment, independent security testing and
reinforced operational-security governance arrangements.
Conclusion
Overall, Policy Option 2 would increase the operational processing of personal data within
EU law enforcement cooperation and therefore has a negative impact (-) on the
protection of personal data compared with the baseline. Nevertheless, the interference
with fundamental rights remains justified by the objective of combating serious and
organised crime and terrorism, and the measures are necessary and proportionate,
while maintaining the safeguards and oversight mechanisms provided by the EU data
protection framework.
Although residual risks related to cybersecurity, data concentration and broader
operational access cannot be fully eliminated, these risks are expected to be mitigated
through a combination of legal limitations, technical safeguards, operational controls and
independent supervision. The overall impact on fundamental rights is therefore considered
proportionate in light of the security objectives pursued and the safeguards accompanying
implementation.
6.4 Environmental impacts
Both policy options are not expected to have direct environmental impacts (0), as they
concern the organisation of law enforcement cooperation and the analytical and operational
support provided by Europol. However, the options could have indirect positive effects on
the environment. Environmental crime is included among the areas of criminal activity
listed in Annex I of the Europol Regulation. By strengthening Europol’s analytical
capabilities, operational support and cooperation with national authorities, Policy Options
1 and 2 could contribute to more effective detection and investigation of
environmental crime, such as illegal waste trafficking or wildlife trafficking.
49
7 HOW DO THE OPTIONS COMPARE?
This section compares the policy options presented in Section 5 against the baseline
scenario described in Section 5.3 and assesses their relative effectiveness in achieving the
objectives identified in Section 4.
Overall, both policy options would improve Europol’s capacity to support Member States
in preventing and combating serious and organised crime and terrorism. However, they
differ in the scale of change introduced, the level of investment required and the extent to
which Europol’s operational role within the EU internal security architecture would
evolve. Policy Option 1 focuses on reinforcing and modernising the existing
cooperation model, whereas Policy Option 2 introduces a more integrated operational
model with stronger EU-level capabilities.
7.1. Addressing information gaps
Both policy options address two closely linked aspects of the problem: the availability
of operational information shared with Europol and the conditions under which Europol
can process and that information.
Policy Option 1 (Sub policy options 1.1 and 1.2) focuses on improving the functioning
of the existing information exchange model, notably through automated data loaders,
targeted data-sharing obligations and upgrades to Europol’s core information systems.
In terms of effectiveness, these measures would significantly improve the availability,
quality and timeliness of operational information available to Europol, thereby
strengthening its analytical support to Member States. However, the option would not fully
address structural constraints affecting Europol’s capacity to process large and complex
datasets, as the current framework for data subject categorisation would remain unchanged.
At the same time, information sharing would continue to rely largely on voluntary
contributions by Member States.
In terms of efficiency, the option requires investment in digital infrastructure and system
upgrades but largely builds on existing systems and cooperation mechanisms. These
investments are expected to generate operational efficiencies through improved
automation and interoperability.
Regarding coherence, the option fully preserves the current decentralised model of
information exchange and maintains Member States’ control over operational data.
In terms of fundamental rights, the option improves data-sharing efficiency within
existing safeguards and does not introduce new data, purposes or access rights.
Policy Option 2 (Sub policy options 2.1 and 2.2) introduces an integrated model by
allowing Europol, where authorised by Member States, to query certain national databases
connected under EU frameworks and by simplifying the rules governing the processing of
operational data by reforming data subject categorisation.
In terms of effectiveness, these measures would significantly improve Europol’s ability
to identify cross-border links and process large operational datasets, thereby enabling more
systematic use of advanced analytical tools.
In terms of efficiency, the option involves higher implementation costs, particularly
related to the development of shared operational capabilities and digital infrastructure.
50
However, it may also generate long-term efficiency gains by reducing fragmentation of
analytical tools across the Union.
Regarding coherence, the option represents a more significant evolution of Europol’s
operational role, but remains compatible with the EU legal framework, as Europol would
continue to act in support of Member States.
In terms of fundamental rights, the option would increase the operational processing of
personal data compared with the baseline. Such processing would nevertheless remain
subject to the safeguards and oversight mechanisms provided under EU data protection
law.
Criterion Baseline Policy option 1 Policy option 2
Effectiveness 0 + ++
Efficiency 0 + +
Coherence 0 + +
Fundamental
rights
0 0 -
7.2. Addressing operational gaps
Both policy options addressing this problem concern Europol’s capacity to provide
operational support to investigations across the Union. These limitations relate both to the
level of operational support provided to Member States and to the coordination of EU-
level support between Europol and other EU actors involved in combatting cross-border
crime.
Policy Option 1 (Sub policy options 1.3 and 1.4) focuses on reinforcing the existing
operational cooperation model by strengthening coordination between Europol and other
EU actors and by bringing Europol’s capabilities closer to national investigators.
In terms of effectiveness, these measures would improve the overall EU support
architecture for cross-border investigations. Embedding Europol tools into national
investigative workflows would support earlier identification of cross-border links and
allow Europol’s analytical capabilities to be used more systematically by national
authorities. Strengthened cooperation between Europol, the EPPO and Eurojust would also
facilitate more efficient handling of complex cases. However, the option would primarily
reinforce the current cooperation model and would not fundamentally transform how
Europol’s capabilities are accessed and used by investigators.
In terms of efficiency, the option requires significant investment in system integration and
digital infrastructure, particularly to embed Europol analytical tools into national case
management systems. At the same time, these investments build on existing cooperation
structures and are expected to generate operational efficiencies by reducing administrative
51
burdens associated with manual information exchange and by improving the timeliness of
analytical support.
Regarding coherence, the option preserves the existing institutional balance within the
EU internal security architecture. Europol would continue to operate as a support agency
acting in close cooperation with national authorities and other EU actors.
Policy Option 2 (Sub policy options 2.3 and 2.4) introduces a more integrated operational
model aimed at bringing Europol’s capabilities closer to investigators and strengthening
its role as a provider of operational services at EU level.
In terms of effectiveness, these measures would significantly enhance Europol’s
operational support to investigations. The EU Police Cloud and Europol support offices
would enable investigators to access Europol’s analytical tools, collaborative
environments and technical capabilities more directly during investigations, facilitating
large-scale collaborative investigations and more effective use of advanced analytical
tools. At the same time, establishing Europol as a structural provider of analytical
capabilities to the EPPO would ensure a more systematic use of Europol’s expertise in
complex cross-border cases.
In terms of efficiency, the option involves substantial investment in digital infrastructure
and operational capacity, particularly for the development of the EU Police Cloud and the
deployment of support offices in Member States. However, the use of shared EU-level
analytical tools and collaborative environments could generate long-term efficiency gains
by reducing fragmentation of national solutions and enabling more efficient cross-border
investigations.
Regarding coherence, the option represents a more significant evolution of Europol’s
operational role within the EU internal security architecture. The measures would remain
compatible with the existing institutional framework for EU law enforcement cooperation.
In terms of fundamental rights, the option could lead to a moderate increase in the
operational processing of personal data compared with the baseline, notably due to the
more systematic and collaborative use of Europol’s analytical tools within the EU Police
Cloud. In addition, the simplification of the DSC framework would expand the categories
of personal data that Europol may process for operational analysis in certain cases, where
the DSC is not immediately possible and must be carried out as far as feasible and as early
as possible. This may increase the volume of personal data processed compared with the
baseline. At the same time, the use of a common EU-level infrastructure could also
strengthen safeguards by enabling more consistent security standards, access controls and
audit mechanisms across the Union. In any event, such processing would remain subject
to the safeguards and oversight mechanisms provided under EU data protection law.
Criterion Baseline Policy option 1 Policy option 2
Effectiveness 0 + ++
52
Efficiency 0 + +
Coherence 0 + +
Fundamental
rights
0 0 -
8 PREFERRED OPTION
Based on the comparison of policy options in Section 7 and the impacts assessed in Section
6, the preferred approach consists of a package of measures combining elements from
Policy Options 1 and 2. This approach addresses both the information gaps affecting
Europol’s role as an information hub and the operational limitations that constrain timely
and effective support to investigations, with advanced capabilities acting as a cross-cutting
enabler.
Specific objective Policy option Main measure
Information exchange Policy Option 1 (Sub
policy option 1.1)
Strengthened data
availability, processing and
service
Information exchange and
advanced capabilities
Policy Option 2 (Sub
policy option 2.1)
Extension of Europol
access to relevant data via
the Prüm II framework
Information exchange Policy Option 2 (Sub
policy option 2.2)
Reform of Data Subject
Categorisation
Operational support Policy Option 1 (Sub
policy option 1.3)
Enhanced EU inter-agency
cooperation with Eurojust,
AMLA
Operational support Policy Option 2 (Sub
policy option 2.3)
Structural Europol-EPPO
partnership
Operational support Policy Option 1 (Sub
policy option 1.4)
Embedding Europol tools
and systems in national
investigations
Operational support and
advanced capabilities
Policy Option 2 (Sub
policy option 2.4)
Operational integration of
Europol into national
investigations (EU Cloud,
Europol support offices)
Taken together, these measures form a coherent and mutually reinforcing reform of the
EU law enforcement information architecture.
53
Options not retained
Several elements considered during the assessment were not retained in the preferred
package. In particular, Sub policy option 1.2 was not retained, as the targeted
improvements in data availability and automation provided under Sub policy options 1.1,
1.4 and 2.4, combined with the structural reform of data subject categorisation
introduced under Sub policy option 2.2, provide a more effective and coherent
framework for operational data processing. At the same, Sub policy option 1.3 is also not
retained because exploiting the full potential between Europol and the EPPO requires
substantial reinforcements.
8.1. Impacts of the preferred option
Cumulative impact of the preferred package
The preferred package generates cumulative impacts by combining measures that address
different but interrelated drivers of the problem. Taken together, these measures
strengthen Europol’s ability to combat cross-border crime more effectively than any
individual measure alone.
First, improvements in data availability and usability (Sub policy options 1.1, 2.1, 2.2 and
1.4) enhance Europol’s capacity to receive, process and analyse operational information.
This strengthens the analytical basis for cross-border investigations and improves the
quality and timeliness of criminal intelligence products provided to Member States.
Second, reinforced cooperation with EU actors, notably Eurojust and the EPPO (Sub
policy options 1.3 and 2.3), improves the coordination between operational and
prosecutorial support at EU level. This facilitates more effective follow-up of
operational criminal intelligence and strengthens the overall EU response to serious and
organised crime.
Finally, the EU Police Cloud and related operational integration measures, including
Europol support offices (Sub policy option 2.4), provide the scalable digital and
operational infrastructure needed to support more advanced data analysis and closer
day-to-day operational cooperation between Europol and national authorities, including in
support of ongoing investigations.
By combining these elements, the preferred package improves the flow of information,
strengthens operational coordination and provides the technical capabilities needed to
support more integrated EU law enforcement cooperation.
8.1.1 Financial impacts (+)
The preferred package entails cumulative investments at both Member State and EU level
while generating important efficiencies through synergies between the selected measures.
In particular, overlaps between Sub policy options 1.1 and 1.4 generate economies of
scale. As some infrastructure and implementation costs are shared, the combined
implementation reduces costs by an estimated EUR 30 million in one-off expenditure and
EUR 6 million in recurring annual costs (corresponding to approximately EUR 42
54
million over the 2028–2034 MFF period) compared with a scenario where the options
would be implemented separately.
The total estimated costs134 are:
Costs Member States Europol
One-off costs EUR 254.85 million EUR 239.8 million
Annual recurring costs EUR 47.9 million EUR 78.4 million
Recurring costs
cumulative 2028-2034 EUR 335.3 million EUR 548.8 million
Total costs over 2028–
2034 (one-off +
recurring)
EUR 590.15 million EUR 788.6 million
8.1.2. Social impacts
Impact on security and EU citizens (++)
Each of the preferred Sub policy options contributes individually to strengthening EU
internal security. When implemented together, their effects are cumulative and mutually
reinforcing because they address successive steps of cross-border law enforcement
cooperation. Improved access to and usability of data (Sub policy options 1.1, 2.1, 2.2, 1.4)
strengthens the information base for investigations. Stronger cooperation between EU
actors (Sub policy options 1.3, 2.3) ensures that this information can be operationally used
and followed up at EU level. Modern digital tools and infrastructure (Sub policy option
2.4) enable this information sharing and cooperation to take place efficiently at scale.
Administrative impacts on national authorities (++)
While some adjustments and implementation efforts will be required, the preferred
package is expected to reduce administrative burden over time by simplifying information
exchange, improving legal clarity and enabling more efficient operational cooperation.
This contributes to greater operational effectiveness and strengthens the capacity of
national authorities to address increasingly complex and digitalised criminal threats.
Youth impacts (0)
The preferred option is not expected to have direct impacts specifically targeting young
people. However, by strengthening the Union’s capacity to prevent and combat serious
crime, including offences that particularly affect minors, such as child sexual exploitation
134 For more details see Annex 3.
55
and cyber-enabled crime, the measures may have indirect positive effects on the protection
and safety of young people across the Union.
8.1.3 Fundamental rights impacts
Objective of general interest (++)
The preferred package makes a significant contribution to the objective of general interest
of preventing, detecting and investigating serious and organised crime and terrorism in the
Union. By enabling earlier identification of cross-border criminal activities and facilitating
more effective operational responses, the measures strengthen the Union’s overall capacity
to protect citizens and address evolving security threats.
Protection of personal data (0)
Necessity
Some elements of the preferred package increase Europol’s ability to query and analyse
operational data in support of cross-border investigations (notably Sub policy options 2.1
and 2.4), which may lead to a greater operational use of personal data. At the same time,
the reform of data subject categorisation (Sub policy option 2.2) is necessary to address
operational inefficiencies that currently limit the effective use of lawfully collected
information. Together, these measures enable more timely and effective analysis of data
relevant to serious and organised crime and terrorism.
Proportionality
The impact on data protection remains limited and proportionate. The measures do not
introduce new categories of personal data. Processing would remain subject to the
safeguards provided under the EU data protection framework, including purpose
limitation, access controls and independent supervision.
Conclusion
Overall, the preferred package enhances Europol’s analytical capabilities while remaining
within existing data protection safeguards. Its impact on personal data is therefore limited
and proportionate.
8.1.4 Environmental impacts (0)
The preferred option is not expected to have direct environmental impacts. However, by
strengthening the operational capabilities of law enforcement authorities to investigate
environmental crime, the package may indirectly contribute to the protection of the
environment.
8.1.5 Feasibility (+)
56
All preferred measures are technically feasible as they build on existing legal frameworks,
operational practices and IT infrastructure at EU and national level135.
From a technical perspective, the reform primarily relies on upgrading and integrating
existing systems rather than creating entirely new architectures. Synergies with established
EU technological frameworks, including those developed by eu-LISA, further enhance
feasibility by leveraging proven interoperability standards and secure digital infrastructure.
From a political perspective, the preferred package remains proportionate and compatible
with the current distribution of competences between the Union and the Member States.
8.1.6 Impact on digitalisation (++)
The preferred option strongly supports the digital transformation of EU law enforcement
cooperation.
Improved data availability and harmonised rules enhance information exchange and
operational analysis, while the EU Police Cloud provides the scalable digital infrastructure
necessary for advanced analytical capabilities and secure collaboration across Member
States.
8.2.REFIT (simplification and improved efficiency)
In line with the Commission’s Regulatory Fitness and Performance Programme (REFIT),
revisions of existing EU legislation aim to simplify rules and reduce unnecessary
administrative burden. In this context, the revision of the Europol legal framework seeks
to streamline procedures and improve the efficiency of EU law enforcement cooperation.
While the preferred option may require additional engagement from Member States,
notably in authorising Europol to query certain national databases and ensuring
connectivity to shared services, these efforts are offset by improved operational support,
faster cross-border investigations and more efficient use of EU-level analytical
capabilities. In particular, the simplification of DSC (Sub policy option 2.2) will directly
contribute to reducing administrative burden by introducing clearer procedures and more
proportionate safeguards. Additional measures, such as technical guidance, training and
centralised support provided by Europol, will further facilitate implementation.
8.3.Application of the ‘one in, one out’ approach
This initiative does not impose administrative costs on businesses and therefore does
not trigger the ‘one in, one out’ adjustment mechanism. The measures primarily concern
public authorities involved in law enforcement cooperation and do not introduce new
regulatory obligations for the private sector. As a result, the initiative does not entail
administrative costs or savings for businesses and does not generate direct costs for
citizens. Any adjustment costs associated with the implementation of the preferred option
will mainly concern public authorities, notably in relation to the adaptation of information
systems and operational procedures.
135 For example, the Prüm II framework.
57
At the same time, the initiative is expected to generate significant public benefits by
strengthening the Union’s capacity to prevent and combat serious and organised crime.
9. HOW WILL ACTUAL IMPACTS BE MONITORED AND EVALUATED?
The Commission will monitor the impacts of the preferred option through the existing
evaluation and reporting framework under Article 68 of the Europol Regulation,
which provides for periodic assessments of Europol’s effectiveness, efficiency and EU
added value. To ensure coherence and avoid duplication, monitoring will rely primarily on
Europol’s established reporting tools136, complemented where necessary by indicators
aligned with the objectives of this initiative.
Monitoring will cover outputs, results and broader impacts, including improvements
in information exchange, operational support to cross-border investigations, including the
provision of modern capabilities, and inter-agency cooperation. Particular attention will be
given to data protection compliance, proportionality and fundamental rights safeguards,
including supervision by the EDPS. Indicators will be collected annually from the entry
into force of the revised Regulation.
In line with Article 68 of the Europol Regulation, the Commission will carry out an
evaluation four years after the entry into force of the revised Regulation to assess its
effectiveness, efficiency, coherence, relevance and EU added value, and to inform any
future revision. Detailed monitoring indicators are set out in Annex 6.
136 Including the Consolidated Annual Activity Report, SIENA and EIS reporting, reporting on Member State
contributions under Article 7(11) of Europol’s Regulation, and Management Board performance indicators.
ANNEX 1: PROCEDURAL INFORMATION
LEAD DG, DECIDE PLANNING/CWP REFERENCES
The lead DG is the Directorate-General for Migration and Home Affairs (DG HOME). The
agenda planning (Decide) reference for the Proposal for a Regulation on Europol is
PLAN/2025/524.
ORGANISATION AND TIMING
The initiative is planned for Q2 2026 by the Commission Work Programme 2026.
The Interservice Steering Group (ISSG) on the Revision of Europol co-chaired by SG and
HOME was composed of the following further services: SJ, BUDG, CNECT, EEAS,
ENEST, FISMA, FPI, HR, IAS, INTPA, JRC, JUST, MARE, MENA, OLAF,
RTD,TAXUD.
The ISSG on the Revision of Europol met four times to discuss the preparations for the
upcoming initiative, namely on 11 April 2025, 11 December 2025, 11 February 2026 and
10 March 2026.
At the meeting of 11 April 2025, the ISSG discussed about the upcoming initiative and the
terms of reference for an external study supporting the back-to-back evaluation of the
Europol Regulation and the impact assessment for its revision.
At the meeting of 11 December 2025, after the draft interim report of the external ’Study
supporting the evaluation and the impact assessment of the Europol Regulation’ was
presented by the contractor, focusing on the findings of the evaluation, the ISSG discussed
the Commission report delivered pursuant to Article 68(3) of the Europol Regulation and
the draft intervention logic for the upcoming legislative initiative prepared by DG HOME.
At the meeting of 11 February 2026, the ISSG discussed a very preliminary draft of
sections 1-5 of this Impact Assessment report (SWD) to allow the Commission services to
discuss and agree on the problem definition, objectives and policy options. DG HOME
later shared a consolidated version of the draft SWD to allow the ISSG to comment in
writing by 4 March 2026.
At the meeting of 10 March 2026, after the draft final report of the external ’Study
supporting the evaluation and the impact assessment of the Europol Regulation’ was
presented by the contractor, the draft SWD was discussed by the ISSG.
Throughout the process, the ISSG was involved in all key intermediate steps: e.g., Call for
Evidence, consultation strategy, public consultation questionnaire, targeted surveys,
inception report of the external study, etc.
CONSULTATION OF THE RSB
DG HOME has prepared this draft SWD for submission to the Regulatory Scrutiny Board
(RSB) on 18 March 2026 with a view to the meeting with the RSB scheduled for 15 April
2026.
59
An upstream meeting with the RSB took place on 9 January 2026 to discuss the preparation
of the impact assessment accompanying the revision of the Europol Regulation. The
discussion focused in particular on the problem definition and evidence base, the
distinction between problem drivers and consequences, the operationalisation of objectives
in SMART terms, and the design and comparison of policy options. Particular attention
was given to fundamental rights and data protection impacts, the coherence of Europol’s
role within the broader EU security and justice architecture, and the need for robust
observational data and cost-benefit analysis. The RSB also provided guidance on
strengthening the intervention logic, monitoring framework and overall reader-friendliness
of the report.
In line with the recommendations contained in the RSB's positive opinion with
reservations, the report has been revised to address all shortcomings identified by the
Board. The table below summarises the recommendations made by the RSB and the actions
taken to reflect them in the revised Impact Assessment report:
RSB recommendation Changes introduced in the revised IA report
1. Improve assessment of
impacts on fundamental rights,
data protection and
cybersecurity. Clarify
safeguards and mitigation
measures.
The section on fundamental rights was substantially
revised. The assessment now explains in practical
terms how safeguards would operate for each
relevant measure, including purpose limitation,
access controls, role-based access management,
logging, audit trails, retention periods, prior
Member State authorisation, EDPS supervision and
judicial remedies. A dedicated assessment of
cybersecurity risks linked to the EU Police Cloud
was added, covering risks such as unauthorised
access, data breaches, insider threats, supply-chain
vulnerabilities and cloud concentration risks,
together with mitigation measures including
security-by-design, encryption, zero-trust
architecture, multi-cloud deployment, continuous
monitoring, and incident response mechanisms.
2. Better explain Europol's legal
and operational environment
and justify the need for a new
reform following the 2022
reform.
The problem definition and baseline sections were
strengthened to provide a clearer overview of
Europol's position within the EU internal security
architecture and its interaction with Member States,
Eurojust, EPPO, OLAF and other EU actors.
Additional explanation was added to demonstrate
that many operational challenges stem from
developments that occurred after the adoption of the
2022 reform, including the rapid increase in data
volumes, digitalisation of crime, operational
experience with the amended mandate, emergence
of new technologies and implementation lessons
learned since entry into force.
60
3. Better distinguish regulatory,
operational and resource-
related drivers and strengthen
evidence base.
he problem tree and problem description were
revised to clearly distinguish between regulatory
constraints, operational limitations and
resource/capacity-related challenges. Additional
evidence and operational examples were
incorporated throughout the report, including
Europol operational statistics, SIENA and Europol
information system usage data, EPPO cooperation
figures, information exchange indicators and
findings from evaluations and stakeholder
consultations.
4. Reformulate specific
objectives in SMART terms and
strengthen links to policy
options.
The specific objectives were revised following
SMART principles. Objectives are now formulated
in a more measurable and operational manner. The
intervention logic was strengthened by clarifying
the link between identified problems, specific
objectives, operational objectives and the
corresponding sub-policy options. Explanations
were added throughout the policy options chapter to
demonstrate how each measure contributes to
achieving the objectives.
5. Better define policy
measures, including
cooperation with Eurojust and
the EU Police Cloud.
Additional operational detail was introduced for
several measures. For Europol-Eurojust
cooperation, the report now explains how the
enhanced hit/no-hit mechanism would function in
practice, including automation and information
flows. The EU Police Cloud description was
substantially expanded, including architecture,
access model, data processing environment,
analytical tools, interoperability features, cloud
infrastructure, digital identity framework, APIs and
operational safeguards.
6. Improve cost assessment and
ensure consistency across the
report.
The costing methodology was revised and
harmonised across the report and annexes. The
assessment now clearly identifies the reference
period as the 2028-2034 MFF. Cost tables
distinguish one-off and recurrent costs and present
cumulative costs over the MFF period. Explanatory
text was updated throughout the report to
consistently refer to annual and cumulative costs.
The nature of costs was clarified as
implementation/adjustment costs rather than
administrative burden. Cross-references and
calculations were aligned between the main report
and Annex 3.
61
7. Strengthen monitoring and
evaluation framework and link
objectives to indicators,
outputs, outcomes and impacts.
The monitoring framework was comprehensively
revised. Indicators are now explicitly linked to
specific objectives and operational objectives. The
framework distinguishes outputs, outcomes and
impacts and introduces measurable performance
indicators. Additional indicators were added
covering information exchange, operational
support, cooperation with EU agencies, deployment
of capabilities, uptake of systems and user
satisfaction. Targets and measurement approaches
were clarified to facilitate future evaluation of
effectiveness, efficiency and impact.
EVIDENCE, SOURCES AND QUALITY
The impact assessment is based on the results of an inclusive and comprehensive
consultation of all relevant stakeholders (Annex 2), which equally informed the evaluation
of the Europol Regulation (Annex 7). The consultation included scientific expertise, for
instance through four expert workshops137. Consultations138 and desk research were
conducted also in the context of the ‘Study supporting the evaluation and the impact
assessment of the Europol Regulation’, which contributed to the evidence base for this
back-to-back evaluation and impact assessment139. Observational data complement
stakeholder views, reinforcing the evidence base.
137 See Annex 2. 138 Ibid. 139 The draft final report of March 2026 was submitted to the RSB together with the draft of this SWD.
62
63
ANNEX 2: STAKEHOLDER CONSULTATION (SYNOPSIS REPORT)
1. Introduction
The preparation for the upcoming legislative proposal on Europol has been anchored in an
inclusive and comprehensive consultation of relevant stakeholders to ensure that the
proposal reflects both the political ambition to reinforce Europol140 and the operational
needs of the Member States.141
In line with the Better Regulation Guidelines and Toolbox, this annex provides an
overview of the stakeholder consultation activities undertaken in preparation for the
initiative. It summarises the consultation strategy, the stakeholders consulted, the
consultation methods used, the main views expressed, and how these views have been
taken into account in the preparation of the impact assessment.
2. Consultation strategy
The consultation strategy followed three main phases. The first phase served to discuss
extensively with the Member States at policy and senior official level to adequately scope
their operational needs (May – June 2025). The second phase served to gather in-depth
feedback and evidence from all relevant stakeholders, including on both the evaluation of
the Europol Regulation and all the elements of the impact assessment, ranging from the
definitions of the problems and objectives to the analysis of the impacts of the policy
options and the comparison of policy measures (July 2025 – February 2026). The third
phase served for discussions at political level (March 2026).
3. Consultation activities
3.1 Phase 1: extensive consultations with the Member States at policy and
senior official level
Scoping discussions with the Member States were held in multiple fora, notably:
- the EU Council Standing Committee on Internal Security (COSI);
- the High-Level Forum on the Future of EU Criminal Justice;
- the Management Board of Europol;
- the consultation kick-off meeting organised by DG HOME at senior official level;
- the EU Council Law Enforcement Working Party (LEWP).
140 See Political Guidelines for the Next European Commission 2024-2029 & ProtectEU. 141 Joint Statement by the European Police Chiefs on the Future Development of Europol.
64
Regarding the outcomes of these consultations, Council discussions in COSI and LEWP
showed Member States broadly support reinforcing Europol’s operational role within
the current treaty limits, while strongly rejecting the idea of a “European FBI” and being
concerned about including hybrid threats as a crime area for which Europol is competent.
At the High-Level Forum on EU Criminal Justice of 21 May 2025, judicial authorities
also expressed support for strengthening Europol’s core tasks, particularly data
exchange and support for the EPPO. At the consultation kick-off meeting organised by
DG HOME on 20 June 2025, Member States expressed consensus on increasing
Europol’s operational effectiveness without transforming it into an executive or
intelligence agency. They prioritised faster, more flexible support for national
investigations. They cautioned against centralising expertise at the EU level alone. The
dedicated discussion in the Management Board of Europol on 25 June 2025 revealed
Member States’ support for reinforcing Europol’s role as the EU criminal information
hub, improving processing of large data sets and addressing legal and technical obstacles
in the data protection framework.
3.2 Phase 2: In-depth evidence gathering
3.2.1 Call for evidence
The Commission published a call for evidence on the ‘Have your say’ web portal from 3
July 2025 to 31 July 2025. Seventeen valid responses were received. Six position papers
were submitted by business associations, non-governmental organisations (NGOs) and
academia.
Table – Responses to the call for evidence by stakeholder group and country of origin
Stakeholder group Country of origin Number of responses
Academic/research
organisation
Romania 1
Business association Belgium 3
Company/business Austria, Italy 2
EU citizen Belgium, Bulgaria, Finland,
Germany, Lithuania, Slovakia
6
Non-EU citizen Mexico 1
Non-governmental
organisation (NGO)
Belgium, United Kingdom 2
Trade Union Belgium, Luxembourg 2
65
Total 17
The main points raised by the respondents to the call for evidence:
- General support for strengthening Europol’s mandate, particularly to address
emerging threats, with many calling for enhanced operational capabilities,
specialised units, and a stronger coordinating role at EU level.
- Concerns regarding fundamental rights raised mainly by a digital rights NGO
and some EU citizens.
- Emphasis on the need to support frontline policing, with police trade unions
stressing that any mandate changes should be accompanied by investments.
- Diverging views on the extent of Europol’s operational autonomy, with business
associations and an environmental NGO favouring stronger operational powers
to serve sectoral priorities, while other stakeholders believe Europol should
remain primarily a coordination and support body.
3.2.2 Public consultation
The Commission conducted a public consultation on ‘Law enforcement cooperation – new
Europol regulation (proposed)’ via its ‘Have Your Say’ web portal for 12 weeks, between
27 October 2025 and 15 January 2026. The public consultation aimed to gather insights
on: (i) the implementation of the Europol Regulation, focusing specifically on its
effectiveness, efficiency, relevance, coherence, EU added value and impact; (ii) existing
needs and gaps; (iii) quantitative and qualitative inputs to support the Commission in
identifying possible policy measures to support Member States; and (iv) the effectiveness
and operational functioning of existing EU tools. The consultation received 33 valid
replies. No coordinated campaigns were identified. Eight position papers were submitted
by three NGOs, one EU citizen, one public authority, one business association, one
company/business, and one stakeholder that identified as “other”.
Table – Responses to the public consultation by stakeholder group and country of origin
Stakeholder group Country of origin Number of
responses
EU citizen France, Germany, Ireland, Italy,
United Kingdom
6
Business association Belgium 1
Company/business Belgium, Ireland, United States 3
Consumer organisation Italy 1
Non-governmental
organisation (NGO)
Belgium, United Kingdom 4
66
Public authority Croatia, Cyprus, Ireland, Italy,
Germany, Netherlands, Norway,
Spain, Switzerland
13
Other (not specified) Germany, Italy, Latvia 5
Total 33
The main points raised by stakeholders in the public consultation were as follows:142
▪ Overall effectiveness is assessed positively, with strong performance in core
analytical and coordination functions. Respondents generally viewed
Europol’s performance under the current Regulation as effective, particularly its
role as the EU criminal information hub, its analytical outputs (e.g. threat
assessments and situation reports), and its coordination of investigative and
operational actions. At the same time, uncertainty remained higher for
cooperation with the private sector and for the development of centres of
expertise, and legal factors were most often identified as obstacles to effective
implementation.
▪ The Regulation is considered relevant to and aligned with EU priorities,
with high satisfaction for operational and technological support. Most
respondents judged Europol’s objectives and activities to be highly relevant or
relevant to EU law enforcement and security priorities. Europol’s focus on key
crime areas was seen as broadly aligned with EU priorities, and satisfaction was
particularly high regarding operational investigative support and technological
expertise (including digital forensics, AI-based data analysis and biometrics).
There was limited appetite, or uncertainty, about expanding Europol’s focus to
additional crime areas.
▪ EU added value is widely recognised. An overwhelming majority of
respondents rated Europol’s EU added value positively, and more than half
observed positive changes attributable to the Regulation. In the absence of
Europol, respondents considered that Member States would only be able to
conduct comparable investigations and information exchanges to a limited
extent.
▪ Implementation challenges relate mainly to resources, governance and
legal–technical constraints. While respondents generally considered that the
current Regulation enables Europol to fulfil its mandate, governance, oversight,
and resources received the lowest positive ratings. More broadly, legal and
procedural uncertainties (notably regarding access to data and admissibility of
evidence), technological and legal disparities between Member States, and
rapidly evolving digital criminal methods were identified as significant
constraints on effective implementation.
▪ Preferred pathways for revision favour non‑legislative measures and targeted
142 For further information, see the factual summary report of the public consultation registered under
Ares(2026)2806442 and published at https://ec.europa.eu/info/law/better-regulation/have-your-
say/initiatives/14638-Law-enforcement-cooperation-new-Europol-regulation-proposal-/public-
consultation_en.
67
amendments rather than a full mandate overhaul.
3.2.3 Four thematic workshops on the future of Europol
DG HOME organised four thematic workshops on the future of Europol to gather feedback
at technical level notably from Member States’ experts. Europol participated in all
workshops and the EPPO participated in the agenda point on Europol-EPPO cooperation.
Each workshop was attended by around 100 experts. Overall, nineteen agenda topics were
addressed and around a dozen written contributions by Member States were received by
the Commission as a follow-up to the discussions.
The first two workshops were held on 6 and 7 November and were dedicated to
“Optimising Europol’s data ecosystem and strengthening Europol’s role as the EU’s
operational information hub” and “Developing EU-level specialised law enforcement
expertise and operational innovation within Europol, and reinforcing Europol’s role in
tackling persistent and emerging security threats, including within the EMPACT
framework”. The third and fourth thematic expert workshops were held on 18 and 19
December and were respectively dedicated to “inter-agency cooperation, notably
strengthening law enforcement and judicial cooperation with the EPPO” and “resources,
Europol’s human resources model, governance and data protection”.
On optimising Europol’s data ecosystem and strengthening Europol’s role as the EU’s
operational information hub, experts agreed on the need to upload, securely share and
jointly analyse large sets of data in real-time. They stressed the need to have joint and
simultaneous data analysis, paving the way towards a collaborative EU law enforcement
digital space, as a one-stop-shop working environment. They emphasised the need to
bolster Europol’s capacities to cooperate with private parties. Experts expressed varying
degrees of openness to a more active role for Europol in accessing existing information
at both national and EU levels.
On strengthening Europol’s operational role in coordinating support to counter
persistent threats, a majority of experts considered that the operational mechanisms
already in place (OTFs, EMPACT) work well and require only additional funding to
respond to their needs. Experts did not consider medium or long-term deployment of
Europol staff (e.g. the European Operational Team Costa del Sol) necessary, but
supported targeted and flexible deployments, if required, and upon request by Member
States.
On enhancing EU-level specialised expertise in fighting online crime, experts
emphasised the operational need to enhance Europol’s supportive role in the “digital
space”. They underlined the benefit of technical standardisation and discussed on an
enhanced role for Europol in case the national authority cannot be identified.
On reinforcing Europol’s support role in countering emerging criminal threats, experts
68
agreed that Europol’s capabilities should focus on the criminal law component. They
did not propose adding hybrid threats as part of the forms of crime for which Europol is
competent, noting that the current list of crimes already provides sufficient scope for
requesting Europol’s support in response to their operational needs.
On strengthening EPPO-Europol cooperation for greater operational impact, discussions
highlighted the growing demand for Europol support to EPPO investigations. EPPO
called on moving from constrained information sharing toward full bidirectional
information exchange, reinforced analytical capacities at Europol, possible dedicated
structures for EPPO-related crime areas, and operational support on the ground with
Member States’ consent. While Member States broadly supported stronger operational
cooperation, views diverged on creating dedicated Europol units and on legal changes.
Many experts favoured fully exploiting the existing legal framework, stressing data
ownership principles and better coordination.
On building a stronger EU law enforcement-judicial cooperation continuum, there was
a broad agreement on the added value of OTFs and JITs and on the need for enhanced
Europol support, including training, coordination, and deconfliction. Member States
called for simplified procedures and increased financial resources. Strong support was
expressed for the EU-funded SIRIUS project and for establishing a permanent joint
Eurojust-Europol platform, notably for asset recovery, including crypto assets.
On enhancing information sharing and aligned information management, Member States
reaffirmed SIENA as the core secure communication channel and underlined the need
to harmonise the inter-agency legal framework to avoid duplication, particularly
between Europol and Frontex. Some supported broader information exchange with other
EU actors, including AMLA, ENISA, the ECB (on terrorism) and MAOC-N (on
maritime drug trafficking).
On joining forces in digital services and cloud solutions, there was broad support for
developing a secure, future-proof EU cloud solution to enhance data management and
joint processing. Different options were discussed, ranging from a private Europol cloud
provided by a European supplier to a common eu-LISA-hosted infrastructure for the
JHA domain. Experts agreed on the strong operational need and on the necessity for
further reflection on the most appropriate model.
On Europol’s data protection framework, Member States widely considered data
protection rules, as currently interpreted, to be a major operational constraint. Many
supported a review of Europol’s data processing powers, notably for uncategorised data,
with a shift towards a case-based approach aligned with national practices, while
maintaining a high level of protection. Simplification of procedures and a review of data
retention periods were also advocated, particularly in light of the EDPS’ strict
interpretation.
69
On strengthening Member States’ role in Europol governance, experts agreed on
reviewing the functioning of the Europol National Units (ENUs) and strengthening their
role as the key interface between Europol and national authorities. ENUs should be
empowered act as a national “mirror” of Europol, enhancing awareness, trust and
effective use of the Agency’s tools.
3.2.3 Targeted consultations in the context of the external supporting study
An external study was commissioned to support the preparation of the initiative. It started
in July 2025. The contractor carried out extensive consultation activities until March 2026.
Notably, these included six targeted surveys, more than 135 stakeholder interviews (12
exploratory interviews followed by more than 123 targeted interviews), six field visits, and
three focus group meetings.
The targeted surveys were developed for the following stakeholder groups:
1. National law enforcement authorities of the EU Member States.
2. National law enforcement authorities of third countries.
3. Law enforcement networks.
4. EU agencies, bodies and offices (BOAs).
5. Private parties- companies.
6. Non-governmental, civil society and research organisations.
Interviews were conducted with:
- national authorities of the EU Member States, including Denmark (56);
- Europol staff members, including managers and senior managers (35);
- European Commission services (14);
- EU agencies143 (8);
- EU bodies and offices144 (4),
- law enforcement networks145(6);
- MAOC-N;
- third countries146 (4)
- international organisations147(1);
- the private sector148 (2)
143 CEPOL, EIGE, EUDA, eu-LISA, Eurojust, Frontex. 144 EEAS, EPPO, OLAF, EDPS. 145 AIRPOL, ATLAS, EIFS, ESG, HRSN, RAILPOL. 146 Australia, Brazil, Switzerland, Türkiye. 147 Interpol. 148 European Banking Federation; FEPORT.
70
- youth organisations149 (1).
The field visits took place in Europol and five Europol Member States.150
The three focus group meetings were dedicated to:
1. national authorities of the EU Member States, including Denmark;
2. EU agencies and bodies for internal security, in line with ProtectEU;
3. Europol.
The targeted survey for the national law enforcement authorities of the EU Member
States received 109 responses from 24 out of 25 Europol Member States and can thus be
considered as highly representative151. Most responses were received from Germany (50),
Finland (7), Belgium and Italy (6). Responses were received mostly from international
police cooperation units (61%) and home affairs ministries (48%).
The main points raised by survey respondents:152
▪ Key evaluation findings: Europol is widely assessed as effective, relevant, and
providing strong EU added value, particularly in supporting cross-border
information exchange, operational coordination, and investigations, though
relevance is more mixed in areas such as training, innovation, and certain
emerging domains.
▪ Implementation challenges: Key challenges include legal and procedural
constraints on information sharing, uneven data contributions and follow‑up
among Member States, limited automation and interoperability between Europol
systems and national databases, resource constraints, administrative and
financial burdens, and variable awareness or uptake of certain Europol tools and
innovation outputs.
▪ Pathways for revision: Forward‑looking preferences prioritise increased
resources, improved data sharing and interoperability, enhanced analytical and
technical capacity, stronger training and capacity building, and clearer
coordination with other EU agencies. Support for legislative changes is cautious
and focusing mainly on expanded analytical and data‑processing capabilities
rather than broad mandate expansion.
149 Missing Children Europe. 150 Austria, Italy, The Netherlands, Slovenia, Sweden. 151 Germany, Finland, Belgium, Italy, Hungary, Bulgaria, Czechia, Latvia, Austria, Romania, Estonia,
Portugal, Slovenia, Croatia, Cyprus, France, Ireland, Lithuania, Luxembourg, Malta, Netherlands, Poland,
Slovakia, Sweden, noting the 109th response from the 24th Europol Member State was received much later
than the deadline for replies and has therefore still to be included in the report produced by the contractor. 152 Due to the large number of responses from Germany (50) and as several other countries also provided
multiple replies, the data was cleaned and collated at a country level to provide a single aggregated response
per Member State. For each country, averages or sums were calculated across all the quantitative questions,
and if any options in a multiple-choice question were selected this counted as a response.
71
The targeted survey for EU BOAs received 13 responses, namely from all the EU justice
and home affairs agencies concerned153, “EU agencies and bodies for internal security” of
direct relevance to the implementation of ProtectEU154, and two more155.
The main points raised by survey respondents:
▪ Key evaluation findings: Cooperation with EU Agencies is generally seen as
strategically effective and aligned with EU security objectives. Europol’s
activities are broadly relevant to agency mandates, particularly for EU-level
coordination, but vary in operational impact depending on mandates and working
arrangements. Overall, Europol provides strong EU added value as a central hub
for information, analysis, and cross-border support, complementing the roles of
other EU Agencies.
▪ Implementation challenges: Key challenges include gaps in the timeliness and
completeness of information sharing (notably with Eurojust).
▪ Pathways for revision: Forward‑looking considerations prioritise strengthening
and updating existing cooperation frameworks rather than structural overhaul,
with emphasis on more systematic information sharing, enhanced analytical and
operational capacity, improved resourcing, streamlined contact points, and
expanded joint work, including through the EU Innovation Hub for Internal
Security.
The targeted survey for national law enforcement authorities of third countries
received 22 individual responses156.
The main points raised by survey respondents:
• Key evaluation findings: Cooperation with third-country authorities is
generally seen as effective, particularly in cybercrime, drug trafficking,
operational analysis, SIENA-enabled information exchange, joint operations,
and training, with strong recognition of Europol’s role in addressing evolving
criminal methods. Europol’s support is broadly aligned with third country needs,
although relevance is weaker in terrorism-related cooperation and some
innovation areas. Overall, Europol delivers clear EU added value by enabling
cooperation with Member States, strengthening cross-border data exchange and
analysis, and providing coordination and intelligence capabilities that would be
difficult to achieve independently.
• Implementation challenges: Key challenges include legal and data protection
constraints on information sharing, limited or absent direct access to Europol
data and systems (notably for Schengen Associated Countries), operational
needs falling outside the scope of existing agreements, resource constraints, and
occasional delays in feedback or request processing.
153 CEPOL, EIGE, eu-LISA, EUAA, EUDA, Eurojust, FRA, Frontex. 154 ENISA, EPPO, OLAF. 155 ELA, EMSA. 156 From Albania, Australia, Bosnia and Herzegovina, Brazil, Colombia, Ecuador, Georgia, Iceland, Japan,
Kosovo, Moldova, North Macedonia, Norway, Switzerland, Türkiye, UK, Ukraine, USA.
72
• Pathways for revision: Forward‑looking preferences prioritise more flexible
and inclusive cooperation arrangements, including improved access to Europol
systems and operational data, broader participation in analysis projects, JITs and
OTFs, strengthened analytical and training capacities, and targeted adjustments
to cooperation frameworks to address emerging threats and close operational
gaps for associated and partner countries.
The targeted survey for law enforcement networks received 20 individual responses.
The main points raised by survey respondents:
• Key evaluation findings: Cooperation with Europol is generally seen as
effective, particularly in coordination and support through information sharing,
analysis, and innovation tools, although some note greater operational
coordination is expected. Europol’s activities are broadly relevant to European
law enforcement networks, especially in analysis, coordination, and innovation,
but vary depending on mandate fit and operational needs. Overall, Europol
provides strong EU added value as a central hub for intelligence, secure
information exchange, analytical capacity, innovation, and cross-border
coordination.
• Implementation challenges: Key challenges include legal and procedural
barriers to information sharing, delays or gaps in operational data exchange,
limited analytical and technical capacity, resource and funding constraints,
administrative burdens.
• Pathways for revision: Forward‑looking preferences prioritise strengthening
practical support rather than wholesale redesign, including simplified
administrative and funding procedures, improved information‑sharing tools,
enhanced analytical and operational capacity, clearer mandate alignment with
network needs, and more structured, long‑term support, with mixed views on
mandate expansion balanced against preserving network autonomy.
The targeted survey for private parties- companies received 20 responses, almost
entirely from companies which are known to cooperate with Europol.
The main points raised by survey respondents:
▪ Key evaluation findings: From the private sector perspective, cooperation with
Europol is generally effective, particularly in information sharing, operational
collaboration, and established public–private partnerships, though effectiveness
is less clear in research and innovation activities. Europol’s engagement is
broadly relevant, especially in financial services and cybersecurity, but varies
across sectors due to uneven awareness and involvement. Overall, Europol
provides strong EU added value as a central hub for cross-border coordination,
intelligence, and public–private cooperation, delivering capabilities and scale
beyond national efforts.
73
▪ Implementation challenges: Key challenges include legal constraints on
information sharing, limited clarity on Europol’s specific intelligence needs and
feedback mechanisms, fragmentation and technical limitations of information
sharing platforms.
▪ Pathways for revision: Forward‑looking preferences focus on strengthening
and scaling existing cooperation models rather than structural overhaul, with
emphasis on clearer guidance and legal certainty, more specialised and secure
information‑sharing platforms, enhanced operational collaboration and feedback
loops, improved resourcing of successful partnerships, and governance
arrangements that ensure transparency and standardisation.
The targeted survey for non-governmental, civil society and research organisations
received responses from 14 organisations157.
The main points raised by survey respondents:
▪ Key evaluation findings: Europol’s engagement with civil society is effective
mainly in targeted, project-based and research-driven areas, while overall
effectiveness is harder to assess due to limited interaction. Its activities are
generally seen as relevant and coherent with civil society priorities on cross-
border crime and analysis, though gaps remain in prevention, victim support, and
integrating human and digital rights.
▪ Implementation challenges: Key challenges identified include limited
transparency and accessibility of engagement mechanisms, uneven awareness of
cooperation opportunities, administrative barriers, and concerns regarding
governance, accountability, and the fundamental rights implications of expanded
data processing and AI‑based analysis.
▪ Pathways for revision: Forward‑looking preferences emphasise establishing
structured and inclusive engagement with NGOs and civil society, clearer
contact points and advisory mechanisms, strengthened transparency and
oversight, and reinforced safeguards for fundamental rights.
Field visits to Member States aimed at gathering qualitative, context-specific evidence on
Europol’s cooperation with Member States.
The main points raised by the interviewees during the field visits to Member States:
▪ National authorities highly value Europol’s role in facilitating cross-border
information exchange, analytical support and operational coordination.
However, investigative responsibility and judicial accountability must remain at
national level, with Europol acting in a supportive and complementary capacity.
▪ Information exchange is functional but constrained by legal, technical and
organisational barriers. Limited interoperability between national systems and
157 The 14th response was received much later than the deadline for replies and has therefore still to be
included in the report produced by the contractor.
74
Europol tools, reliance on manual uploads and lack of automation create
administrative burdens.
▪ Strict interpretation of data protection provisions is viewed as increasingly
burdensome in fast-moving operational contexts, limiting actionable criminal
intelligence delivery.
▪ Europol’s strength lies in filtering, contextualising and prioritising information.
Proactive identification of cross-border links, emerging phenomena and
structured analytical coordination across crime areas were cited as areas where
Europol delivers clear EU added value.
▪ Duplication of analysis across Member States is a as source of inefficiency.
There is broad support for stronger interoperability and smarter automation. At
the same time, any expansion of access to sensitive data would require
mechanisms to maintain trust among Member States.
4. Main horizontal findings of the consultation
4.1 Problem definition
There was broad agreement among stakeholders that Europol and national authorities face
persistent information gaps when investigating cross-border crimes and identifying threats,
and that Europol’s operational support remains limited, including cooperation with EU
agencies and EPPO. Information gaps reduce effectiveness in the EU-level fight against
serious crime, while operational cooperation faces legal and practical constraints. The
current mandate limits Europol’s ability to provide optimal support in certain areas.
4.2 Views on strengthening Europol’s role
All stakeholder groups recognise Europol’s clear EU added value as a central hub for
cross‑border information exchange, analysis, and coordination that cannot be replicated at
national level. Across groups, there is also convergence around the nature of Europol’s
coordination role as the EU’s criminal intelligence hub and as a provider of specialised
expertise and analytical support, rather than as an entity replacing national authorities. This
includes support for stronger cooperation with partners. Member States are eager to
enhance Europol’s capacity to support complex cross-border investigations provided that
national competences remain respected, clear safeguards for trust-based cooperation are
maintained (starting with the data ownership principle) and proportionality is ensured.
Conversely, stakeholder views diverged on the extent and modalities of the structural
changes required.
5. How stakeholder views have been taken into account
Stakeholders’ views informed the initiative throughout the process in several ways. Most
importantly, the problem definition and the objectives were refined to reflect the
operational needs of the Member States. For instance, the focus group with Europol
confirmed information gaps as a primary constraint for the effectiveness of investigations,
with Europol’s support capacity being limited mainly by uneven and insufficient data
75
contributions from Member States, and voluntary information sharing approaches having
widely reached their limits.
The policy options “reinforcing Europol’s existing model” and “a new model for Europol”
were tested with the main stakeholders, especially through the focus group meetings,
proving effective to capture a wide range of desirable policy measures. Implementation
considerations were reflected in the sequencing and design of policy measures. Where
views diverged, the impact assessment presents a balanced analysis grounded in
proportionality, feasibility and EU added value.
How have stakeholder views been taken into account? A prominent example
Targeted survey for the EU Member States’ national law enforcement authorities
– Figure 10 – Question 10: Are there, in your view, any criminal or security threats
or offences that should be added or removed from Europol’s mandate to better address
current and emerging security challenges?
16 Europol Member States opposed making Europol competent for new forms of crime,
while 8 Europol Member States (7 + 1 late respondent) suggested broadening Europol’s
mandate by adding new forms of crime to Annex I, especially hybrid threats, but also
tax crime and others, or by removing the list altogether.
The Commission services took note of Member State experts’ position expressed at the
thematic workshops that Europol can already provide support to counter the criminal
law dimension of hybrid threats insofar as they materialise in any of the several forms
of crime for which Europol is competent. Notably, Europol can support crime detection
and analysis and coordinate law enforcement responses, which it must do without
interfering with the competences of national intelligence agencies.
76
The Commission services also took note of Member State law enforcement agencies’
position expressed over bilateral discussions that, while hybrid threats are transversal in
nature, Europol’s support against hybrid threats has in practice been provided mostly
through a counter-terrorism angle, without fully mobilising Europol’s capabilities across
all its various operational centres. Europol could instead mobilise the capabilities of all
its operational centres to respond to requests from national law enforcement authorities
and fully support national investigations, exploiting all its supportive potential under the
current mandate, by deploying its entire toolbox in the most relevant crime areas.
This does not require changes to Europol’s mandate and has thus been excluded by the
impact assessment report.
7. Conclusion
The extensive consultation process confirmed the centrality of the identified problems and
the need to adapt Europol’s support to evolving security challenges. While stakeholders
expressed different levels of ambition regarding structural changes, there was broad
recognition of the need to strengthen Europol’s support to Member States in tackling
serious and organised crime, cybercrime and terrorism. The impact assessment reflects the
evidence gathered and seeks to strike a balance between ambition, operational
effectiveness, legal certainty and political feasibility.
77
ANNEX 3: WHO IS AFFECTED AND HOW?
1. PRACTICAL IMPLICATIONS OF THE INITIATIVE
1.1 EU citizens
All preferred options aim to improve the prevention, detection, investigation, and
prosecution of serious and organised crime, directly benefiting citizens. By enhancing
the availability, structure, and usability of law enforcement data, the package supports:
• Earlier detection of cross-border criminal networks.
• Faster identification of suspects and links between cases in multiple Member
States.
• Improved asset tracking and coordinated operational responses.
• Stronger protection in both physical and digital environments.
Citizens benefit from a higher level of security while safeguards on data protection and
fundamental rights remain fully respected.
1.2 National authorities
a. Law enforcement officers
The initiative equips officers with enhanced operational tools, including:
• Better tools to query data stored in the Europol systems.
• Structured and semi-automated data exchange through integrated national case
management systems and the EU Police Cloud.
• Europol support in data processing, analytics and operational coordination,
including cross-border investigative leads.
• Clearer and standardised procedures for inter-agency cooperation with Eurojust
and the EPPO.
These improvements reduce delays, avoid duplication, and strengthen the quality and
timeliness of cross-border investigations.
b. IT organization in Member States
IT teams are affected primarily during initial implementation:
• Initial investment to connect national CMS to Europol platforms and the EU Police
Cloud.
• Simplified maintenance and upgrades due to centralised integration, reducing long-
term operational burden.
• Streamlined interoperability and harmonised data standards across national and EU
systems.
78
1.3 EU level
a. Europol
• Acts as the central analytical and operational hub for EU internal security,
integrating national and EU-level datasets.
• Provides structured operational support to Member States, including intelligence
analysis, cross-border link detection, advanced biometric matching and case
prioritisation.
• Supports real-time coordination and structured exchange between Member States,
EPPO and Eurojust.
• Ensures that national CMS integration and the EU Police Cloud facilitate faster,
automated and reliable access to actionable information.
• Delivers scalable technical, digital, and forensic capacity without centralising
national data or replacing national investigative powers.
Europol’s reinforced role allows for more proactive, timely and consistent support across
complex investigations, increasing operational efficiency and EU-wide situational
awareness.
b. Eurojust
• Gains access to more structured, reliable, and timely information from Europol to
support judicial cooperation and coordination of cross-border prosecutions which
facilitates the work of joint investigation teams (JITs) as well as mutual legal
assistance requests.
• Benefits from more efficient workflows with Europol information systems.
• Enhanced information quality and timeliness enables more efficient coordination
in serious and organised crime cases, strengthening legal certainty and
effectiveness of judicial processes.
c. EPPO
• Gains streamlined access to operational data and analytical outputs provided by
Europol, enabling quicker decision-making in cross-border prosecutions.
• Strengthened structural partnership with Europol ensures that EPPO investigative
needs are systematically integrated into EU-level operational workflows.
• Receives coordinated support in cross-border investigations, including
prioritisation of cases, operational insights, and access to enhanced analytical
products.
• The partnership improves the quality, consistency, and speed of EPPO-led
prosecutions, reinforcing EU-level enforcement capacity while maintaining
national procedural autonomy.
2. SUMMARY OF COSTS AND BENEFITS
Cost of the baseline scenario
Unless otherwise indicated, all cost estimates presented in this section are expressed in
current prices (2026 EUR) and cover the period 2028–2034, corresponding to the duration
of the next Multiannual Financial Framework (MFF). One-off costs refer to
implementation and deployment expenditure incurred during the roll-out phase of the
79
measures, while recurrent costs refer to average annual operational expenditure over the
same period. The same methodological assumptions and calculation basis are used
throughout the main report and the supporting annexes.
In financial terms, the baseline scenario assumes the continuation of Europol’s current
funding trajectory without the additional investments associated with the policy options
assessed in this impact assessment. Baseline projections are based on the historical
evolution of Europol’s annual adopted budget between 2017 and 2025 and extrapolated
over the 2028–2034 MFF period..
Two projection approaches were considered in order to reflect possible future expenditure
patterns.
First, a linear growth scenario assumes that Europol’s budget continues to increase by
approximately EUR 15 million per year, corresponding to the average annual increase
observed between 2017 and 2025. Under this assumption, Europol’s total budget over the
next Multiannual Financial Framework (MFF 2028–2034) would amount to approximately
EUR 2.28 billion.
Second, a constant growth rate scenario assumes that the historical growth rate observed
between 2017 and 2025 continues over the projection period. This corresponds to an annual
growth rate of approximately 9.41%, resulting in a projected budget of approximately
EUR 2.87 billion over the same MFF period.
For the purposes of the impact assessment, the linear growth scenario is used as the
conservative baseline, while the constant growth scenario illustrates a possible upper-
bound trajectory reflecting the increasing operational demand on Europol.
These projections provide a range for the expected evolution of Europol’s budget under
the baseline scenario. They reflect the continued expansion of Europol’s operational
responsibilities and analytical support functions, while assuming no structural changes to
its mandate, operational model, or technological infrastructure beyond incremental
adaptations within the current framework.
For the purpose of this impact assessment, the baseline therefore assumes a total Europol
budget envelope in the range of EUR 2.3–2.9 billion for the period 2028–2034 (as
compared to the current EUR 1.53 billion), reflecting the continuation of current trends
without the additional investments associated with the policy options assessed in the
following section.
80
Cost of the preferred option
The table below presents the costs associated with the preferred option (in million EUR).
One-off costs are presented as cumulative implementation costs over the deployment phase
of the preferred option, while recurrent costs cover the cumulated annual average costs
during the 2028–2034 period.
No costs are identified for citizens/ consumers and businesses given the costs associated
with the policy measures are directed at EU-level or national public administrations.
II. Overview of costs – Preferred option
Citizens/
Consumers
Businesses Administrations
One-off/
Recurrent
One-off/
Recurrent
One-off Recurrent
Sub policy option
1.1 -
Data loaders
Direct costs N/A N/A
54 (Member
States)
5 (Europol)
75.6 (Member
States)
7 (Europol)
Sub policy option
1.1 -
Upgrade of
systems and tools
Direct costs N/A N/A
27 (Member
States)
56 (Europol)
37.8 (Member
States)
78.4 (Europol)
81
Sub policy option
1.3 -
Automation of the
Europol-Eurojust
hit/ no hit
mechanism
Direct costs N/A N/A
0 (Member
States)
2 (Europol)
0 (Member
States)
7 (Europol)
Sub policy option
1.3 -
Institutionalisation
of SIRIUS
Direct costs N/A N/A
0 (Member
States)
0 (Europol)
0 (Member
States)
1 (Europol)
Sub policy option
1.4 -
Europol digital
platforms
embedded in
national
investigations
Direct costs N/A N/A
105 (Member
States)
50 (Europol)
140 (Member
States)
56 (Europol)
Sub policy option
2.1 -
Access to national
databases
Direct costs N/A N/A
0 (Member
States)
6 (Europol)
0 (Member
States)
30.1 (Europol)
Sub policy option
2.1 -
DNA matcher
Direct costs N/A N/A
1.35 (Member
States)
5 (Europol)
2.1 (Member
States)
14 (Europol)
Sub policy option
2.2 -
Simplified rules to
reduce the
administrative
burden of data
subject
categorisation
Direct costs N/A N/A 0 0
Sub policy option
2.3 -
Europol as
structural provider
of information,
Direct costs N/A N/A 0
0 (Member
States)
77.7 (Europol)
82
analytical support
and capabilities to
the EPPO
Sub policy option
2.4 -
EU Police Cloud
Direct costs N/A N/A
13.5 (Member
States)
143.7 (Europol)
4.2 (Member
States)
278.6 (Europol)
Sub policy option
2.4 -
EU Police Digital
ID
Direct costs
N/A
N/A
54 (Member
States)
2.5 (Europol)
75.6 (Member
States)
3.5 (Europol)
Sub policy option
2.4 -
Europol support
offices
Direct costs
N/A
N/A
0
0 (Member
States)
45.5
(Europol)
All one-off and recurrent costs are implementation costs. No regulatory charges, hassle
costs, administrative costs or indirect costs were identified and therefore are not quantified.
These are all provisional estimates that would need to be confirmed, including how the
costs are split between the different Member States. As a result, the confidence margin of
cost estimates cannot be better than 20-25% at this early stage in a project. What is stable
is how the costs of the various measures compare with each other. Where precise
operational expenditure data were not available, recurring costs were estimated using
standard lifecycle costing assumptions derived from comparable EU large-scale IT
systems and agency operational expenditure patterns. Unless otherwise specified, annual
maintenance and support costs are estimated at approximately 20% of initial deployment
costs.
Sub policy option 1.1: Strengthened data availability, processing and service
This option entails upfront investment at both Member State and Europol level, primarily
driven by data loaders as well as system and tools (including enhance use of
interoperability tools).
For Member States, one-off costs (EUR 81 million aggregated, approx. EUR 3 million
per Member State) relate mainly to:
a) Deployment of automated data-loader solutions;
b) Adaptation of national systems to interface with upgraded Europol tools;
c) Integration, testing and limited workflow adjustments;
d) Training of end-users.
The deployment of data-loaders is estimated to range between EUR 1 million and EUR 3
million per Member State depending on the size of the Member States’ databases and their
level of existing integration. An average of EUR 2 million was therefore taken as a basis.
83
The remaining EUR 1 million results from the point b) to d). The basis was similar projects
in the past where Member States had to integrate workflow adjustments.
Recurring costs (EUR 16.2 million annually, approx. EUR 600 000 per Member State),
corresponding to approximately EUR 113.4 million cumulatively over the 2028–2034
MFF period. These costs reflect maintenance, system support and continued operational
use. It is calculated as a standard 20% rate of the one-off costs based on similar simulations
and building on past experience. Costs remain moderate as the option does not require
entirely new national systems, but builds on existing infrastructure and voluntary uptake
of EU-level services.
For Europol, one-off costs (EUR 61 million) are driven by:
• Major upgrades of core ICT systems (SIENA, EIS, EAS, QUEST+);
• Development of centralised interoperability solutions and harmonised data
models (UMF);
• Design and deployment of standardised data loaders;
• Joint procurement structures and specialised ICT recruitment.
The costs are inspired by similar costs incurred by EU Agencies that built similar
technologies. For instance, the cost of building the shared Biometric Matching Service by
eu-LISA for the Interoperability Regulations15820. The cost figure has been updated from
the original 2018 estimate to account for inflation between 2018 and 2026, ensuring that
the values reflect current price levels and purchasing power.
Recurring costs are estimated at EUR 11.2 million annually, corresponding to
approximately EUR 78.4 million cumulatively over the 2028–2034 MFF period. These
costs cover maintenance, cybersecurity, governance, operational support, and reinforced
technical and analytical staff. It is calculated as a standard 20% rate of the one-off costs159.
Although the option requires significant initial investment, it is expected to generate long-
term efficiencies through:
• Economies of scale via joint procurement;
• Reduced duplication of national developments;
• Europol-supported optimisation and harmonisation of systems.
The financial effort therefore reflects a structural modernisation of the EU law
enforcement information architecture, with medium- to long-term savings and
operational gains.
Sub policy option 1.3: Measure 1 for a reinforced Europol’s support to the EPPO
One‑off costs for Member States are expected to be negligible or very limited, as the
measure concerns the creation of new Europol‑level capacities (including a dedicated
support unit and time‑bound Task Forces) and does not entail structural changes to national
158 Regulation (EU) 2019/817 & Regulation (EU) 2019/818. 159 As for instance in the impact assessment accompanying the JITs Collaboration platform – development
cost: €8.4 million; annual maintenance and operation: €1.7 million. Ratio: 1.7/8.4≈20%
84
systems, procedures or staffing. All direct operational, staffing, training and equipment
costs are expected to arise at EU level (Europol and, where relevant, EPPO). Any potential
impacts on Member States would be indirect and implementation‑specific, and no material
national cost drivers have been identified.
Recurring costs for Member States are expected to be negligible or very limited, as the
measure establishes new capacities at EU level (Europol and EPPO) and does not entail
new obligations for national authorities. In particular, the measure does not introduce new
duties, workflows, reporting requirements or compliance obligations for Member States,
nor does it require contributions of staff, procedural adaptations or the maintenance of
additional processes at national level. Any potential impacts on Member States would
therefore be indirect and implementation‑specific, and no material recurring cost drivers
have been identified at this stage.
No separate one‑off costs are calculated for Europol, because the costing approach already
captures them within the annual cost estimates. Indeed, the annual costs are based on the
average resources allocated to Europol officers – a benchmark that already includes
salaries, onboarding, training, equipment, and other personnel‑related expenses.
The recurrent costs to Europol stem from establishing a dedicated Support Team for EPPO
investigations, which requires the long‑term employment of additional specialised officers.
These staff carry out operational analysis, cross‑checks, and digital forensics, and their
salaries and related personnel expenses form the ongoing cost driver. Based on projected
staffing needs, recurrent costs are estimated to range from EUR 8.7 million in 2028 to EUR
11.8 million in 2034, with an annual average of EUR 10 million, corresponding to an
estimated cumulative cost of approximately EUR 70 million over the 2028–2034 MFF
period.
Sub policy option 1.3: Measures 2 and 3 for a strengthened continuum of EU-level
support to law enforcement cooperation through Europol and judicial cooperation
through Eurojust
Both the one‑off costs for Member States and the recurring costs for Member States are
expected to be negligible, as the measures regard cooperation between Europol and
Eurojust and the support they provide to Member States in return.
The measures would largely build on existing technical infrastructure and operational
arrangements between Europol and Eurojust. For the hit/no-hit mechanism, precise
estimation of direct one-off costs is challenging, as these would depend on the level of
technical ambition chosen for automation and the extent of system integration pursued. A
light-touch approach focused on enhancing existing interfaces would entail minimal
additional expenditure, while more advanced automation solutions could involve moderate
investment in system configuration and security. For the SIRIUS Project, the
institutionalisation within both the Europol and Eurojust Regulations would not require the
creation of new infrastructure – SIRIUS is currently operational and supported by existing
systems, workflows and personnel – but rather organisational adjustments, procedural
alignment and limited technical refinement.
85
The automation of the hit/no-hit mechanism is expected to reduce the staff-intensive
manual exchanges currently required under the baseline, generating administrative
efficiency gains. The recurring costs for SIRIUS are expected to broadly follow the
baseline level of resources already devoted to the project, with adjustments reflecting
demand and operational scope. This corresponds to estimated recurrent costs of
approximately EUR 1 million annually for Europol, or around EUR 7 million cumulatively
over the 2028–2034 MFF period.
The institutionalisation of SIRIUS and the upgrading of the Europol–Eurojust hit/no-hit
mechanism are expected to generate a minimal positive impact on efficiency compared to
the baseline. Under SIRIUS Phase II (2021–2025), the total project budget amounted to
approximately EUR 3.49 million over four years (EUR 2.16 million for Europol; EUR 1.33
million for Eurojust), with 7 contract agents supporting its activities at Europol and 4 at
Eurojust. Institutionalisation would not necessarily require a substantial increase in
resources beyond this envelope but would shift funding from a contribution-agreement
model to stable internal budget lines within Europol (and Eurojust), potentially requiring
the conversion of contract agents into temporary agents and modest additional
administrative overhead.
Regarding the hit/no-hit mechanism, the current manual and template-based model has
proven highly burdensome and operationally ineffective, requiring extensive manual
verification and layered authorisations for minimal operational output. Of the two possible
implementation modes, the person-to-system approach is likely to be more proportionate
and immediately feasible from an efficiency perspective, as it limits large-scale data
transfers while reducing manual workload and preserving data ownership. The more
ambitious system-to-system model could generate higher long-term analytical gains but
would entail greater upfront IT development and legal alignment costs. Even if the volume
of meaningful hits remains modest, a more automated and scalable mechanism would
reduce transaction costs, improve timeliness and increase the likelihood of detecting
genuinely relevant cross-case links at an earlier stage.
Sub policy option 1.4: Europol’s digital platforms embedded in national
investigations
Member States: One-off costs are estimated at EUR 105 million, reflecting the
implementation of new criminal information strategies that integrate both national and EU-
level investigative lifecycles. This includes updating national systems supporting law
enforcement procedures, such as CMS, Single Point of Contact CMS and corresponding
police records, mapping existing data and workflows to the UMF standard. National
workflows will be adapted to integrate systematic use of QUEST+ and data loaders,
alongside associated training and change management for staff to ensure proper
adoption. Recurring costs are estimated at EUR 20 million per year, corresponding to
around EUR 140 million cumulatively over the 2028–2034 MFF period, covering ongoing
operational adjustments, refresher training and maintenance of updated national workflows
and IT systems.
86
Europol: One-off costs are estimated at EUR 50 million, covering the upgrade of central
data ingestion components, including extending Europol Case Management Systems and
other databases (e.g. Europol Information System) to handle EU-wide object identifiers
and scaling up processing capacities. Costs also include reinforcement of the dedicated
team responsible for facilitating integration between Europol and national systems,
ensuring smooth operational collaboration. Additionally, costs cover standardisation
efforts, including the development of guidance documents supporting Member States’ new
criminal information lifecycle strategies. Recurring costs are estimated at EUR 8 million
per year, corresponding to around EUR 56 million cumulatively over the 2028–2034 MFF
period, reflecting ongoing support to Member States, continued maintenance and
monitoring of upgraded systems and operational assistance to ensure effective
implementation of new workflows and interoperability practices.
Sub policy option 2.1: Europol as an operational service provider and information
hub
The first part of the cost assessment focuses exclusively on access via the existing Prüm
framework. Under Prüm, Member States’ costs remain negligible, as the measure builds
on the existing legal and technical architecture and does not require new large-scale IT
systems for simple query-only access. According to the Prüm II Impact Assessment160,
establishing technical connectivity (e.g. for DNA matching) has been estimated at around
EUR 300 000 per Member State for DNA and similar biometric exchange functionality,
reflecting moderate one-off investments for automated integration with existing systems.
Consequently, the incremental costs for Member States under Sub policy option 2.1 are
considered limited, and estimated to EUR 50 000 per Member State as this option does
not introduce additional legal access rights nor require complete redesign of national
infrastructures.
For Europol, costs linked to access to national databases are primarily driven by:
• Additional forensic experts and operational staff to follow up on matches,
consistent with estimates in the legislative financial statement accompanying
proposal for a Prüm II Regulation161 which foresee staff costs for search
verification by EU agencies;
• Reinforcement of information management capacities to ensure secure and
efficient data flows;
• Limited system adaptations to handle increased volumes.
The estimated costs for the EU DNA matcher are informed by operational cost estimates
developed by forensic authorities in the context of preparatory work for a pilot project. In
particular, a budget proposal prepared by the Netherlands Forensic Institute (NFI) for a
two-year pilot project foresees a dedicated project team including forensic experts, IT
developers and project management staff, supported by technical infrastructure and
160 SWD(2021) 379.
161 COM (2021) 784 final
87
operational overhead. The budget calculations rely on standard governmental salary scales
and include an overhead rate of approximately 25 %, consistent with typical EU project
financing structures.
The pilot proposal assumes that most personnel would be employed directly by the
participating forensic institute, although additional costs could arise if specialised IT
expertise needs to be sourced through subcontracting. Such subcontracting could
potentially double certain personnel costs, illustrating the importance of relying on existing
institutional capacities where possible. Those costs would be shifted towards Europol in
line with sub policy option 2.1. The estimations consider that 75% of the recurring EUR 2
million annual adjustment costs (corresponding to approximately EUR 14 million
cumulatively over the 2028–2034 MFF period) would represent HR costs. With the
remaining being divided between travel, equipment and other goods and services costs.
These operational estimates confirm that developing and testing a shared EU-level DNA
matching capability requires a relatively limited recurring adjustment cost notably
covering HR costs. The cost assumptions used for Policy Option 2.1 therefore reflect a
realistic implementation scenario based on existing forensic cooperation initiatives.
The baseline for this assessment is not zero, as many Member States already rely on
third-country based matching solutions managed outside the EU framework. Over time,
Union-level costs under this option are expected to be offset by:
• Reduced duplication of national efforts in forensic matching and follow-up
work;
• Economies of scale from shared EU-run services rather than multiple national or
external systems;
• Avoidance of third-country dependency costs associated with non-EU provider
solutions.
The investment therefore represents not only operational reinforcement but also a long-
term strategic consolidation of EU capabilities.
Sub policy option 2.2: Simplified rules to reduce the administrative burden of data
subject categorisation
Policy option 2.2 on DSC would significantly enhance Europol’s operational flexibility
and its capacity to process and analyse information in a timely manner, while not
requiring substantial initial financial investment. The measure primarily entails
legislative alignment, clarification and simplification of the existing framework, rather
than the development of new IT systems or structural reorganisation. As such,
implementation costs would be limited and largely confined to internal adjustments,
updated guidance and targeted training.
Importantly, the option would reduce or eliminate the resource-intensive procedures
linked to data subject categorisation under the current framework. Staff time currently
devoted to ex ante categorisation, verification and corrective compliance actions could
instead be redirected towards operational analysis and investigative support. This
reallocation of resources is expected to generate tangible administrative savings and
88
efficiency gains over time. Overall, the combination of limited (to no) upfront
investment and sustained operational efficiencies justifies a very positive cost
assessment, although precise quantification of these efficiency gains remains subject to
uncertainty at this stage due to limited comparable operational data.
Sub policy option 2.3: Europol as structural provider of information, analytical
support and capacities to the EPPO
The one-off costs for Member States are expected to be negligible or very limited, as the
measure does not require them to provide additional staff, adapt national systems, or
assume operational expenditures. The initiative is designed to operate at EU level, and
therefore does not generate structural investment needs at national level. Likewise, no
significant recurring costs are anticipated for Member States, as they would neither
contribute personnel nor cover ongoing operational, administrative or compliance-related
expenses linked to the reinforced cooperation framework.
For Europol, no separate fixed start-up costs are identified, since the costing methodology
is based on the average annual cost per staff member, which already incorporates
salaries, onboarding, training, equipment, IT access and other personnel-related overheads.
As a result, initial implementation costs are embedded within the overall annual resource
envelope.
The recurrent costs for Europol arise primarily from the establishment of a dedicated
Support Team for EPPO investigations, requiring the long-term employment of
additional specialised officers. These staff members would carry out operational analysis,
cross-checks, digital forensic support and structured case coordination, with an estimated
annual average cost of EUR 10.1 million, corresponding to around EUR 70.7 million
cumulatively over the 2028–2034 MFF period. In addition, permanent cooperation
mechanisms, including reinforced coordination structures and liaison arrangements, would
entail further staffing needs, with estimated additional annual costs of less than EUR 1
million (less than EUR 7 million cumulatively over the 2028–2034 MFF period). Overall,
the financial impact is concentrated at EU level and reflects a structural reinforcement of
analytical and prosecutorial support capacities.
Sub policy option 2.4: Measure 1 on the EU Police Cloud
The initial investment costs associated with the deployment of the EU Digital Police
Cloud and the EU Police Digital ID are substantial, reflecting the scale and strategic
nature of the infrastructure.
For Member States, one-off costs are estimated at EUR 13.5 million for the EU Police
Cloud, EUR 0.5 million per Member State to bring national law enforcement ICT
infrastructure and criminal investigators’ endpoints (laptops, tablets and smartphone) in
line with a set of harmonized rules for the technical interoperability and security of
applications and digital services, notably when provided on classified networks, and EUR
54 million for the EU Police Digital ID (i.e. EUR 2 million per Member State for stepping
up the national digital identity scheme for criminal investigators based on a Digital Identity
wallet level high, for exhaustively issuing such credentials, and integrating the national
police identity scheme within the wider EU digital police scheme). Recurring costs of EUR
89
0.6 million per year for the Cloud (approximately EUR 4.2 million cumulatively over
the 2028–2034 MFF period) to maintain the national law enforcement ICT architecture up
to the evolving common standards and EUR 10.8 million per year for the Digital ID
(approximately EUR 75.6 million cumulatively over the 2028–2034 MFF period)for the
Digital ID to insure the level of authentication against the Police Cloud is maintained over
time up to the latest standards and is kept available to the evolving investigators’ staff.
For Europol, one-off investments amount to EUR 143.7 million for the EU Police Cloud
which account for the extensive migration of operational data processing operated by
Europol to a platform based self-service architecture, (applications such as EIS, analysis
projects, biometric identification, crypto asset tracing, OSINT, digital forensics and
especially those limited to Europol’s analysts) for the establishment of harmonized
technical rules applicable to national ICT infrastructures, and for the initial set-up costs of
Cloud Services, particularly for classified information and EUR 2.5 million for the EU
Police Digital ID for renovating Europol’s identity and access management (IAM)
platform and establishing harmonized rules for national authorities issuing such IDs.
Recurring costs are estimated at EUR 39.8 million annually for the Cloud, corresponding
to around EUR 278.6 million cumulatively over the 2028–2034 MFF period, to maintain
and develop the portfolio of online applications and most importantly for operating the
online service and EUR 0.5 million per year for the Digital ID (aroundEUR 3.5 million
cumulatively over the 2028-2034 MFF period)for maintaining both the IAM platform and
stirring the evolution of common standards on a Police Digital Identity at EU level. These
costs cover infrastructure development, secure hosting environments, identity and access
management solutions, system integration, data migration, cybersecurity safeguards, and
ongoing technical management.
Despite the scale of the initial expenditure, these investments represent a structural
modernisation of EU law enforcement digital capabilities. By consolidating processing
environments, standardising secure access through a common Digital ID, and reducing
fragmentation across disparate national systems, the initiative is expected to generate
significant long-term efficiencies. Cost savings will stem from economies of scale, reduced
duplication of infrastructure, lower maintenance overhead, and streamlined cross-border
data exchange. Member States benefit from significant cost efficiencies, including reduced
investments in hardware, software licenses, maintenance and IT staffing, with indicative
savings estimated at 15-30 % compared to independent deployments. Operationally,
national authorities gain faster access to cross-border data, harmonised analytical outputs,
and real-time collaboration capabilities, while reducing duplication of effort and
inconsistencies between systems.
Over time, the enhanced processing capacity and secure digital architecture will enable
faster analytics, improved operational coordination, and more automated workflows.
These efficiencies allow both Europol and Member States to reallocate resources toward
strategic and operational priorities, strengthening collective investigative capabilities while
ensuring a scalable, secure, and future-proof digital backbone for EU internal security
cooperation.
90
Sub policy option 2.4: Measure 2 on Europol support offices
Taking into account standard EU employment costs, including salaries, social security
contributions, expatriation and household allowances where applicable, as well as limited
operational expenditure such as secure IT connectivity, encrypted communications, basic
office equipment and essential coordination travel, a modest Europol support office would
be expected to generate EU-level costs in the range of approximately EUR 400,000 to
EUR 650,000 per year. This estimate assumes a small footprint structure, composed of a
limited number of specialised staff embedded in or co-located with relevant national
counterparts, without requiring significant infrastructure investment.
Under a limited rollout scenario of five to ten Europol support offices, annual EU-level
costs would therefore likely range between approximately EUR 2 million and EUR 6.5
million, corresponding to approximately EUR 14 million to EUR 45.5 million
cumulatively over the 2028–2034 MFF period, depending on staffing levels, host-country
conditions and the intensity of operational engagement. These estimates remain
proportionate, as they reflect a light and scalable deployment model focused on
coordination, facilitation and analytical support rather than autonomous operational
structures. Over time, such offices could generate indirect efficiency gains by improving
information flows, accelerating case coordination and reducing transaction costs linked to
cross-border cooperation.
III. Contribution to the administrative burden reduction targets
Administrative costs New recurrent
costs (INs)
Removed
recurrent
costs (OUTs)
Net cost (Ins
– OUTs)
New one-
off costs
(Ins)
Removed
one-off
costs
(OUTs)
All businesses n/a n/a n/a n/a n/a
in which SMEs n/a n/a n/a n/a n/a
Public administrations n/a n/a n/a n/a n/a
Citizens n/a n/a n/a n/a n/a
IV. Overview of relevant Sustainable Development Goals
Sustainable Development Goals Expected progress towards the goal
No. 16: Peace, justice, and strong
institutions
The initiative is expected to strengthen the rule of law and enhance
security within the EU by reinforcing the operational effectiveness
of Europol.
Clarifying and, where appropriate, reinforcing the role of Europol in
supporting Member States in the fight against cross-border and
serious organised crime will enhance the Agency’s contribution to
91
tackling transnational threats, including terrorism, cybercrime and
other forms of serious crime, thereby supporting broader EU security
objectives.
Improved coordination, information exchange and operational
cooperation among Member States, facilitated by Europol, are
expected to lead to more effective law enforcement outcomes. This,
in turn, may contribute to increased public trust in national
authorities and EU institutions, particularly in the EU’s capacity to
address complex and evolving security challenges.
Benefits of the preferred option
The table below presents the overview of benefits for the preferred option.
I. Overview of Benefits (total for all provisions) – Preferred Option
Description Amount Comments
(main recipients of the
benefits)
Direct benefits
Strengthened data
availability, processing
and service.
The implementation of this policy options will lead
to significantly reduced ad-hoc requests for
information, as Member States gain access to more
complete and structured datasets. This will enable
faster access to relevant data for investigations and
provide more reliable information for operational
analysis and cross-border cases, improving both the
quality and timeliness of investigative outputs.
At EU level, these improvements will allow Europol
to deliver better analytical outputs and more
effectively support EU-wide operations, ensuring
that law enforcement and judicial authorities across
the Union can act on accurate, comprehensive, and
actionable information.
National law enforcement
authorities of the EU
Member States, Europol.
Strengthened continuum
of EU-level support to
law enforcement
cooperation through
Europol and judicial
cooperation through
Eurojust.
By effectively exchanging relevant operational
information, Europol and Eurojust will be able to
better support national law enforcement and judicial
authorities in line with their respective mandates (for
instance, thanks to earlier detection of links between
cases). For Europol, this includes the ability to
produce a more complete EU-level criminal
intelligence picture.
National authorities of the EU will be able to rely in
a stable and foreseeable long-term manner on
specialised knowledge and expertise jointly
provided by Europol and Eurojust to successfully
obtain critical electronic evidence for criminal
National law enforcement
and judicial authorities of
the EU Member States,
Europol, Eurojust, private
parties.
92
investigations and prosecutions, including in
partnership with private parties
Europol digital
platforms embedded in
national investigations.
Upgrading and integrating national and EU systems
allows for more efficient queries, automated
workflows, and standardised data processing. This
reduces repetitive manual tasks and improves the
speed and reliability of investigative outputs.
Member States benefit from long-term operational
savings, as integrated systems facilitate more
effective searches, increased detection of relevant
data and leads, and stronger cross-border
investigations, reinforcing both national and EU-
wide law enforcement capabilities.
National law enforcement
authorities of the EU
Member States, Europol.
Europol as an
operational service
provider and
information hub
This option enhances Europol’s ability to use
available information effectively, providing
dedicated forensic experts and operational staff to
handle queries and analyse data. Member States
benefit directly by reducing the need to perform
time-consuming searches themselves, saving both
personnel time and operational costs.
At the EU level, the improved operational capacity
ensures that cross-border and EU-wide
investigations are supported with more accurate,
timely, and actionable intelligence, reinforcing the
overall law enforcement response and delivering
tangible efficiency gains across the Union.
National law enforcement
authorities of the EU
Member States, Europol.
Simplified rules to
reduce the
administrative burden of
data subject
categorisation (DSC)
This option will reduce the administrative burden
associated with the management of DSC procedures,
lowering the personnel resources required to carry
out labour-intensive administrative tasks. By
simplifying these processes, it will allow both
Member States and Europol to allocate staff time
more efficiently to operational activities.
At the same time, Europol will benefit from greater
flexibility in the use of certain categories of data that
were previously subject to stricter procedural
limitations. This will increase the volume and
operational relevance of information available for
analysis, thereby strengthening Europol’s analytical
capabilities.
Member States and Europol will therefore realise
efficiency gains through reduced staff time devoted
to DSC-related administrative procedures, while
maintaining a robust legal framework. Alignment
with the EUDPR and the LED, to the extent required
to establish an appropriate framework for Europol,
will ensure legal certainty and consistency with the
EU data protection acquis.
Overall, the streamlined approach will facilitate
National law enforcement
authorities of the EU
Member States, Europol.
93
more efficient information handling and intelligence
analysis, supporting cross-border investigations and
enabling more effective information sharing
between Member States and Europol.
Europol as structural
provider of information,
analytical support and
capacities to the EPPO
The financial interests of the EU will be protected as
the EPPO will be able to fulfil its mission effectively
(thanks to Europol’s reinforced support) and
efficiently (thanks to direct access to information
stored by Europol and hierarchal arrangements
between EPPO and Europol). For Europol, structural
cooperation with the EPPO will lead to the ability to
produce a more complete EU-level criminal
intelligence picture and thus better support national
law enforcement authorities.
EPPO, national law
enforcement authorities of
the EU Member States,
Europol.
EU Digital Police CloudThe EU Police Cloud provides scalable storage and
processing power for law enforcement applications,
generating economies of scale that prevent each
Member State from investing individually in
expensive digital infrastructure. This ensures faster,
more secure and harmonised access to critical tools
and datasets.
Member States save resources and gain operational
efficiency by leveraging shared infrastructure, while
Europol benefits from centralised processing,
enhanced analytical capacity, and support for EU-
wide operations, delivering tangible long-term gains
in both cost and effectiveness.
National law enforcement
authorities of the EU
Member States, Europol.
Europol support officesBy significantly improving the practical uptake of
Europol’s support (analytical, operational, and
strategic products) by national authorities thanks to
swifter, faster and more systematic access, this
measure strengthens the effectiveness and efficiency
of national investigations, as well as and the quality
and timeliness of the EU-wide criminal intelligence
picture provided by Europol.
National law enforcement
authorities of the EU
Member States, Europol.
Indirect benefits
None identified
The preferred option clearly identifies two areas where the direct benefits could result in
substantial figures. Those are:
• Potential efficiency gains from joint procurement in EU internal security
• Potential gains due to the EU Police Cloud
94
Potential efficiency gains from joint procurement in EU internal security
According to Eurostat statistics on government expenditure by function, expenditure by
EU Member States on public order and safety amounted to approximately 1.7% of EU
GDP in 2023162. This category includes expenditure related to police services, fire
protection services, law courts, prisons and related research and development.
On the basis of the current size of the EU economy, this corresponds to approximately
€270–290 billion annually across the Union. Within this category, police services
account for around 0.9% of EU GDP, representing the largest component of public order
and safety expenditure.
This spending supports a wide range of operational capabilities, including personnel,
infrastructure, and operational equipment used by law enforcement authorities. In recent
years, the technological component of law enforcement capabilities has increased
significantly, reflecting the growing role of digital evidence, cyber investigations, use of
biometric technology and data-driven policing in combating organised crime and
terrorism.
Procurement of law enforcement equipment and technologies is largely carried out at
national, and in some cases regional or local, level. As a result, procurement markets for
law enforcement technologies in the Union are characterised by a high degree of
fragmentation.
Fragmentation can lead to a number of inefficiencies, including:
• duplication of procurement procedures across Member States;
• reduced purchasing volumes for similar technologies;
• limited interoperability between equipment and systems used by different
authorities;
• weaker bargaining power vis-à-vis suppliers.
These issues are particularly relevant in areas where technologies are widely used by law
enforcement authorities across the Union, including digital investigation tools, forensic
technologies and data-analysis capabilities.
Similar challenges related to fragmentation of procurement markets have been identified
in the defence sector. In its analysis of defence capability development, the Commission
has highlighted that fragmentation of procurement across Member States may lead to
higher costs and reduced efficiency. In this context, the Commission has estimated that
joint procurement of defence equipment could generate savings of around 10% on
the value of equipment procured jointly, notably through economies of scale, stronger
bargaining power, and reduced duplication of procurement processes163.
162 Eurostat (March 2025), Government expenditure on public order and safety, accessible at: Government
expenditure on public order and safety - Statistics Explained - Eurostat 163 SWD (2025) 820 final.
95
This analysis suggests that the aggregation of demand across Member States can generate
efficiency gains in markets characterised by multiple national buyers and relatively
concentrated supplier bases.
Although the operational contexts differ, procurement markets for certain law enforcement
technologies display characteristics similar to those observed in the defence sector,
including:
• a large number of public buyers across the Union;
• relatively limited numbers of specialised suppliers;
• increasing reliance on complex technological systems;
• the need for interoperability between national authorities.
These features are particularly visible in areas such as digital forensic tools, cyber-
investigation technologies, biometric identification systems, case management systems,
and data-analysis platforms used in criminal investigations.
In such areas, voluntary joint procurement mechanisms at Union level via Europol could
allow participating Member States to aggregate demand for commonly used technologies.
This could contribute to improved purchasing conditions, facilitate interoperability of
systems used by law enforcement authorities and reduce duplication of procurement
efforts.
While the magnitude of potential efficiency gains would depend on the scope and level of
participation in joint procurement arrangements, experience from other sectors indicates
that aggregation of demand may generate both financial and operational benefits.
Potential advantages include:
• economies of scale, resulting from larger procurement volumes;
• improved bargaining power vis-à-vis technology suppliers;
• reduced administrative costs associated with procurement procedures;
• greater interoperability of technological systems used by law enforcement
authorities;
• faster deployment of new capabilities across Member States.
Such mechanisms could complement existing Union-level initiatives aimed at
strengthening operational cooperation between law enforcement authorities, including
those supported by Europol.
If we considered the above, by leveraging economies of scale, reducing duplicated
administrative effort, and increasing bargaining power, joint procurement could achieve
conservative savings of 10% compared to each Member State conducting procurement
individually. For example, a total estimated cost of EUR 200 million across 20 Member
States could be reduced to approximately EUR 180 million under a joint procurement
approach. These savings reflect both lower unit prices and reduced administrative burdens,
while maintaining compliance with EU procurement rules and ensuring harmonised
quality standards.
96
Given the scale of public expenditure on public order and safety in the Union and the
increasing importance of technological capabilities in law enforcement activities, the
aggregation of demand through voluntary joint procurement mechanisms could contribute
to improving the efficiency of public spending in this area.
Experience in other sectors, including defence, indicates that joint procurement may
generate significant efficiency gains where procurement markets are fragmented and
characterised by multiple public buyers. Similar mechanisms could therefore offer
potential benefits in specific areas of law enforcement technology procurement, while also
supporting greater interoperability and operational cooperation between Member States.
Potential gains due to the EU Police Cloud
In the absence of concrete figures, this section aims to explain the logic behind the potential
gains due to the EU Police Cloud. The EU Police Cloud would provide scalable storage
and processing capacity for law enforcement applications at Union level. By pooling
digital infrastructure, it would generate economies of scale compared to multiple
independent national deployments.
The volume of digital evidence processed by law enforcement authorities is increasing
rapidly, driven by the growing use of online communications, encrypted messaging
services, digital devices and data-intensive investigations. This trend requires expanded
storage capacity and advanced computing capabilities to process large datasets, including
for digital forensics, cybercrime investigations and data analytics. Shared infrastructure
can address these growing needs more efficiently than multiple smaller national systems,
enabling law enforcement authorities to access scalable and adaptable computing
resources.
In the absence of a shared platform, Member States would need to invest individually in
digital infrastructure, including data-storage systems, computing capacity, cybersecurity
services and software licences, notably for EU classified infrastructure. A shared EU
platform would lower the minimum cost of entry to highly specialized infrastructure and
shared tools, avoid duplication of such investments and allow participating authorities to
benefit from common infrastructure and services.
While the investment costs for cloud infrastructure itself are relatively limited compared
with the broader operational costs of analytical capabilities, economies of scale can be
achieved through several mechanisms. First, a shared platform would reduce duplication
in data collection and processing, as the same datasets, including those obtained through
open-source intelligence tools or specialised licences, would not need to be collected and
analysed separately by multiple authorities. Second, computing resources could be
allocated dynamically across participating users, allowing processing power to be
distributed more efficiently depending on operational needs. This type of shared resource
management can generate significant efficiency gains, with potential reductions in
processing requirements estimated in the range of 50–70% compared with fragmented
national deployments.
In addition, the shared platform would significantly lower the cost of access to highly
specialised capabilities, including infrastructure compliant with EU RESTRICTED
97
classification requirements and advanced analytical services. For many national
authorities, developing such capacities individually would require substantial upfront
investment and specialised expertise, which can be more efficiently provided through a
common EU-level platform.
Member States could therefore reduce costs related to hardware procurement, software
licensing, system maintenance and IT staffing, while gaining access to more advanced
analytical capabilities than might be available through smaller national deployments. The
use of a common infrastructure for public data, such as Child Sexual Abuse (CSA) material
from the Internet or the dark web and joint investigative data will a minima halve the cost
of storage and processing, as well as the cost of the collection of public data including from
the dark web. The dedicated processing capacities (GPUs) made available by the EU Police
Cloud would be allocated over more law enforcement authorities and more users, allowing
a more efficient use of such capacities, by evening out over time the Member States instant
peaks. Note that this economy of scale could not be reached at national level with other
governmental authorities for sensitivity and confidentiality reasons.
Europol would also benefit from centralised processing capacity, facilitating the analysis
of large datasets and supporting EU-wide operational activities.
Overall, the use of shared digital infrastructure could generate significant efficiencies over
time by spreading infrastructure costs across multiple users and avoiding parallel
investments by individual Member States.
3. RELEVANT SUSTAINABLE DEVELOPMENT GOALS
IV. Overview of relevant Sustainable Development Goals – Preferred Option(s)
Relevant SDG Expected progress towards the
Goal
Comments
SDG 16 – peace, justice and strong
institutions
Faster identification and joint
analysis of cross‑border criminal
activities enable investigations to be
carried out earlier and better,
empowering effective responses by
national law enforcement agencies
and thus strengthening effective
institutions and rule of law.
Stronger cooperation between
Europol and Eurojust as well as
Europol and the EPPO will
strengthen the EU-level fight against
organised crime and thus the rule of
law within the EU and its Member
States, including better protecting the
financial interest of the EU.
98
ANNEX 4: ANALYTICAL METHODS
1. METHODOLOGICAL APPROACH
This Impact Assessment has been prepared by the Commission services in accordance with
the Better Regulation Guidelines and Toolbox. The analytical framework structures the
assessment of problems, objectives, policy options and impacts in a consistent and
traceable manner. An external study supported the evidence base and analytical work.
The intervention logic links identified problems and their drivers to specific objectives and
to the measures included under each policy option. Coherence is ensured between the
evaluation findings (Annex 7), the problem definition in the main report, and the
comparative assessment of impacts. Each option was assessed against a clearly defined
baseline scenario reflecting the continuation of the current legal and operational
framework. The baseline scenario reflects the continuation of the current legal mandate,
governance structure and operational model, including already programmed
developments. It does not assume structural mandate changes beyond the current
framework. This counterfactual ensures that impacts attributed to the initiative represent
incremental effects compared to the status quo.
Three core assessment criteria guided the analysis:
- Effectiveness: the extent to which the option is expected to achieve the initiative’s
objectives.
- Efficiency: the relationship between the resources required and the results
expected, including distributional effects.
- Coherence: the internal consistency of the option and its alignment with other
relevant EU legislation and policy objectives.
The analysis also considers proportionality and EU added value.
1.1 Methodology for assessment of impacts
Effectiveness
Effectiveness was assessed by examining the extent to which each policy option addresses
the identified problems and contributes to the initiative’s specific and general objectives.
The analysis draws on evaluation findings, operational data, stakeholder feedback and
expert judgement. Where available, quantitative indicators informed the assessment. In
areas where quantitative indicators were not available, structured qualitative analysis was
applied.
The assessment considers not only formal legal changes but also implementation feasibility
and operational practicality.
99
Efficiency
Efficiency was evaluated by analysing the proportionality between expected benefits and
the resources required under each policy option. The analysis covers:
• Financial costs at EU level;
• Implementation efforts at EU and national level where relevant;
• Administrative burden and compliance implications;
• Social impacts and potential effects on fundamental rights;
• Distribution of costs and benefits across stakeholders.
Costs and benefits were assessed both in quantitative and qualitative terms. Where
monetisation was not feasible, impacts were characterised in terms of expected magnitude
and operational significance. The analysis explicitly distinguishes between one-off
implementation costs and recurring operational costs.
The proportionality principle guided the assessment: resource implications were evaluated
against expected operational improvements, including enhanced coordination,
strengthened analytical capacity, improved information exchange and reduction of
fragmentation.
Coherence
Coherence was examined by assessing the consistency of each option with related EU
legislation, in particular the ProtectEU Strategy, existing institutional mandates and
broader policy objectives. The analysis identifies potential overlaps, complementarities or
tensions with other instruments at EU and national level.
2. COSTING METHODOLOGIES
The costing exercise provides indicative ex ante estimates of the financial and operational
implications of the policy options. Given the varying degree of specification of measures
and differences in data availability, a mixed-method approach combining quantitative and
qualitative evidence was applied.
Quantification was undertaken only where sufficiently reliable and granular data were
available. Where implementation parameters remain dependent on future operational or
technical decisions, impacts were assessed qualitatively in order to avoid artificial
quantification.
2.1 Evidence base for quantification
Quantitative analysis relied primarily on Europol’s annual budget, establishment plans and
Single Programming Documents. These sources enabled:
• estimation of unit costs per full-time equivalent (FTE);
• allocation of costs between operational and enabling functions;
• modelling of scaling effects for analytical, operational and compliance capacities;
• differentiation between capital expenditure and recurring expenditure.
For selected measures involving regulatory and compliance functions, quantitative inputs
were drawn from Commission Staff Working Documents and administrative reporting,
including cost modelling related to temporary data processing under Article 18 of the
Europol Regulation and reporting to the Joint Parliamentary Scrutiny Group.
100
Publicly available remuneration benchmarks were used, where relevant, to estimate
staffing costs for potential new organisational structures.
2.2 Benchmarking and modelling
Where direct measurement was not feasible, project-level financial data from comparable
EU-level initiatives were used as benchmarks. These include platforms such as the SIRIUS
project and the Joint Operational Analysis Case (JOAC) platform. These benchmarks
provided reference points for development costs, staffing structures and operational
expenditure.
For infrastructure-intensive or digital measures, including the EU Digital Police Cloud,
scenario-based modelling was applied over a multi-annual horizon. Financial projections
incorporated known technical constraints, including projected data volume growth, system
performance requirements, data-centre capacity limits, and expected system usage
intensity.
Alternative scenarios reflected varying levels of technical ambition and investment scale.
Costs were systematically differentiated between one-off implementation expenditure and
recurring adjustment costs related to maintenance, licences, managed services and ongoing
support.
2.3 Human resources
Human resource impacts were explicitly quantified where measures implied structural
expansion of analytical, operational or compliance functions. Quantification relied on
activity-based costing, operational workload benchmarks and scenario-based scaling of
staffing needs.
Where quantitative operational data were insufficient to support monetisation, staffing
impacts were assessed qualitatively and characterised conservatively.
2.4 ICT and interoperability
ICT-related costs were identified for measures that explicitly require IT infrastructure,
system development or integration, data-processing platforms, large-scale information
exchange mechanisms, or a material expansion of Europol’s digital and analytical
environment. For a substantial share of measures, ICT impacts were assessed as negligible
or limited, on the assumption that they build on existing Europol systems, interoperability
frameworks and national infrastructures without requiring major upgrades. The
quantification and qualitative assessment of ICT costs followed three approaches
depending on the nature of the measure and data availability: incremental adjustment of
existing systems; proportional scaling of enabling ICT capacity alongside operational
expansion; and scenario-based modelling for large digital platforms and collaborative
environments.
The latter approach was applied in particular to the EU Police Cloud. In these cases,
financial projections were developed over a multi-annual period, incorporating known
technical constraints such as projected data volume growth, existing data-centre capacity
limits, legal restrictions affecting outsourcing, and the scale and duration of large ICT
programmes. Alternative scenarios were used to reflect varying levels of investment
ambition and technical capability, ranging from limited system upgrades to more advanced
configurations involving cloud solutions, enhanced security features, automation and
advanced analytics. ICT costs were therefore differentiated between one-off
101
implementation costs and recurring adjustment costs related to maintenance, licences,
managed services and ongoing support.
For measures involving data exchange with other EU agencies, ICT costs are primarily
driven by interoperability requirements and workload-dependent demand. In these cases,
the analysis assumes that core systems are already in place and that additional costs mainly
relate to integration, logging and auditing configurations, capacity management and
maintenance. Benchmarks from comparable projects were used where relevant to
approximate development and operating costs, with low and high-bound estimates applied
to reflect uncertainty regarding future data volumes, query intensity and participation
levels.
2.5 Infrastructure
Infrastructure costs include premises, secure facilities, equipment and organisational
support services required to accommodate operational expansion. As such costs are highly
dependent on future implementation choices and location-specific factors, they could not
be estimated ex ante with sufficient reliability and were therefore not monetised. Their
potential impact is described qualitatively.
3. CAVEATS AND LIMITATIONS
Uncertainty in cost projections was addressed through scenario analysis and the use of
lower- and upper-bound estimates where appropriate. Key variables subject to sensitivity
considerations include staffing levels, data volumes, ICT scaling requirements and
participation rates.
Where impacts could not be reliably monetised, qualitative assessment was applied.
Conservative assumptions were used in order to avoid overstating benefits or
underestimating costs.
Certain limitations are inherent to ex ante assessments of complex institutional reforms.
Some implementation parameters depend on future operational decisions, legislative
negotiations or technological developments. In such cases, impacts are presented
proportionately and transparently, ensuring analytical robustness without over-precision.
Despite these limitations, the consistent comparative framework applied across policy
options ensures that the relative differences between options are analytically sound and
that conclusions are evidence-based and proportionate.
102
ANNEX 5: THE PREFERRED POLICY MEASURES
The combined effect operates along three mutually dependent pillars: data availability,
legal usability and technical-operational capacity. The contribution of each measure to
the operational objectives will be reported under the section on the preferred policy option.
Legal enabler: Data Subject Categorisation
The reform of Data Subject Categorisation (DSC) of policy option 2.2 constitutes a
horizontal enabler for the entire package. By streamlining and aligning the DSC
framework, it removes structural constraints affecting the timely processing of large and
complex datasets.
This directly strengthens the effectiveness of:
• Sub policy option 1.1, by facilitating faster and more consistent data uploads;
• Sub policy option 2.1, by enabling more efficient cross-border exploitation of
shared data;
• Sub policy option 1.4, by ensuring that systematic consultation mechanisms
function without procedural bottlenecks;
• Sub policy option 2.4, by providing legal clarity for scalable cloud-based
analytics.
Data availability and systematic use
Options 1.1 and 2.1 improve the quantity, quality and cross-border use of data, within
proportionate limits. Automated data loaders and structured workflows ensure more
consistent contributions from Member States. Option 1.4 embeds Europol systems into
national workflows and makes cross-border checks systematic.
More information at Europol strengthens the EU intelligence picture and directly enhances
cooperation with EPPO and Eurojust. Conversely, structured data inflows from EPPO,
Eurojust and other EU actors increase the analytical value of Europol datasets by enabling
broader cross-checks and correlation.
Together, these measures will contribute to the operational objectives of:
• Improving information exchange by increasing the volume and reliability of
operational data at EU level and reducing fragmentation and uneven participation;
• Reducing delays and increasing actionable intelligence by ensuring that shared data
is systematically queried and exploited.
Structural enablers
Sub policy options 1.3 and 2.3 reinforce the institutional architecture at EU level:
• Institutionalisation of SIRIUS ensures sustainable support to national authorities in
accessing electronic evidence.
103
• Upgrading and automating the Europol–Eurojust hit/no-hit mechanism, and
extending indirect access, enhances structured inter-agency information exchange.
• A reinforced partnership with the EPPO, including a dedicated team at Europol,
ensures predictable, specialised and high-quality analytical support.
Processing capacity and scalability
The EU Police Cloud (Sub policy option 2.4) provides the scalable infrastructure
necessary to absorb and analyse increased data flows. It enables secure storage,
advanced analytics and structured collaboration at scale. Enhanced analytical tools
(including those under Sub policy options 1.1, 1.3 and 2.1) and strengthened Europol–
EPPO cooperation (Sub policy option 2.3) ensure that increased data volumes translate
into operational results rather than administrative burden.
The combined dynamic is cumulative: More structured data → improved analytics →
stronger operational insights → more effective cross-border cooperation.
Financial coherence and cost synergies
Certain investments under Sub policy options 1.1 and 1.4 overlap, particularly in relation
to system upgrades and integration components. Implemented together, these elements
avoid duplication, meaning that the combined investment remains broadly aligned with the
previously estimated envelope (approximately EUR 30 million in system modernisation),
rather than accumulating mechanically.
Economies of scale, reduced duplication and structured EU-level coordination further
enhance cost-efficiency.
Overall assessment
Taken together, the preferred options form a coherent, cumulative and scalable reform
package:
• Sub policy option 2.2 removes legal bottlenecks;
• Sub policy options 1.1 and 2.1 increase data availability and cross-border use;
• Sub policy option 1.3 strengthens inter-agency cooperation and information
exchange;
• Sub policy option 2.3 anchors Europol as a structural analytical partner of
the EPPO;
• Sub policy option 1.4 ensures systematic operational embedding;
• Sub policy option 2.4 provides the digital backbone and scalability.
Their combined implementation directly supports the operational objectives identified in
this Impact Assessment and will be subject to structured monitoring and evaluation to
ensure measurable improvements in information exchange, analytical capacity and cross-
border operational effectiveness.
The package therefore delivers a proportionate and mutually reinforcing response to the
evolving digital and transnational nature of serious and organised crime.
104
The preferred package combines Sub policy options 1.1 + 2.1 (limited to Prüm II and
without broader interoperability), Sub policy option 2.2 (Data Subject Categorisation
reform), Sub policy option 1.3 (enhanced EU inter-agency cooperation limited to
Eurojust), Sub policy option 2.3 (structural Europol–EPPO partnership) and Sub
policy options 1.4 + 2.4 (structural integration and EU Police Cloud). Together, these
measures form a coherent and mutually reinforcing reform of the EU law enforcement
information architecture.
Preferred policy option 1.1 +
1.3 + 1.4 + 2.1+ 2.2 +2.3+ 2.4 assessment criteria
1) Impact on citizens ++
2) Impact on national authorities ++
3) Objective of general interest
++
4) Data protection 0
5) Costs +
6) Feasibility +
7) Impact on digitalisation ++
a. Impact on citizens (++)
Each of the preferred options individually contributes to strengthening EU internal
security; combined, their impact is cumulative and mutually reinforcing. By improving
the availability, quality and usability of data (1.1, 1.4, 2.1, 2.2), enhancing structured inter-
agency and prosecutorial cooperation (1.3, 2.3), and providing scalable digital and
analytical capacity (2.4), the package directly addresses the three core problems identified:
persistent information gaps in cross-border investigations, fragmented and uneven
operational coordination, and structural resource and capability constraints at EU level.
In practical terms, this translates into earlier detection of criminal networks, faster
identification of cross-border links, improved asset tracing, and more coordinated
operational action across Member States. Strengthened analytical capabilities and
streamlined information flows reduce delays, minimise duplication of efforts and increase
the likelihood that criminal activities are detected before harm escalates. At the same time,
reinforced cooperation with EU partners and prosecutorial authorities supports stronger
case-building and higher-quality evidence, contributing to more effective prosecutions.
Overall, the combined measures significantly enhance the capacity of Europol and national
authorities to prevent, investigate and disrupt serious and organised crime, including
105
in the digital domain, thereby delivering a substantially higher level of protection for
citizens in both physical and online environments, while operating within a robust
framework of data protection and fundamental rights safeguards.
b. Impact on national authorities (++)
Each of the preferred options individually strengthens national authorities’ operational
capacities; taken together, their impact is systemic and mutually reinforcing. By closing
information gaps and improving structured data exchange (1.1, 1.4, 2.1, 2.2), reinforcing
EU-level coordination and prosecutorial cooperation (1.3, 2.3), and providing scalable
digital infrastructure and advanced analytical tools (2.4), the package directly tackles
fragmented cross-border information flows, uneven coordination and structural constraints
in resources and technical capabilities.
In practical terms, national authorities benefit from faster access to relevant intelligence,
improved cross-border link detection, stronger analytical support and more
predictable cooperation channels. Streamlined procedures and clearer frameworks
enhance legal certainty and reduce operational friction, while shared digital tools and
specialised expertise help address capacity gaps, particularly in complex areas such as
cybercrime, financial investigations and large datasets. Overall, the measures reinforce
Member States’ ability to act effectively, cooperate efficiently and rely on sustained
EU-level support, strengthening both day-to-day operational performance and long-term
resilience against increasingly sophisticated and digitalised criminal threats.
c. Impact on fundamental rights
Objective of general interest (++)
Each of the preferred options contributes individually to strengthening the Union’s Area
of Freedom, Security and Justice; combined, they create a more coherent, resilient and
future-proof internal security framework. By reinforcing structured information
exchange, operational coordination and digital capabilities, the package enhances the
Union’s collective capacity to prevent and combat serious and organised crime in an
increasingly cross-border and digitalised threat environment.
The measures also strengthen mutual trust and solidarity among Member States, ensure
more effective interaction between EU bodies, notably Europol, the EPPO and Eurojust
and reduce fragmentation in the EU security architecture. By investing in shared digital
and analytical capacities, the Union advances its strategic autonomy in law enforcement
technologies and expertise, reducing reliance on external tools while maintaining high
standards. Overall, the initiative supports the objective of delivering a high level of
security across the EU, firmly anchored in respect for fundamental rights, data protection
and the rule of law.
Impact on data protection (0)
The impact of the preferred package on data protection is considered overall neutral, as
all retained options have successfully passed both the necessity and proportionality
assessments.
106
Necessity. The measures respond to clearly identified structural problems, persistent
information gaps, fragmented cross-border exchanges and inefficiencies in data handling,
which cannot be effectively addressed by Member States acting alone. The initiative does
not introduce new categories of personal data nor expand the purposes of processing.
Instead, it seeks to improve the relevance, structure and operational usability of data
already lawfully processed within the existing legal framework. By optimising information
flows and clarifying procedural conditions, the package ensures that processing remains
strictly linked to operational needs in combating serious and organised crime.
Proportionality. The preferred options are limited to what is necessary to achieve the
identified objectives and avoid excessive or unjustified data processing. They build on
existing systems and legal bases, refrain from creating parallel databases or duplicative
storage, and maintain decentralised responsibilities where appropriate. Safeguards relating
to purpose limitation, access control, oversight and data subject rights remain fully
applicable. Particular attention has been paid to ensuring that enhanced analytical
capacities and improved interoperability do not alter the balance between operational
effectiveness and fundamental rights protection.
The reform of Data Subject Categorisation (Option 2.2) simplifies an existing safeguard
to remove structural inefficiencies and reduce administrative burden, while maintaining
the core protective logic of differentiated data handling. This adjustment strengthens legal
clarity and aligns more closely with the framework of the EUDPR and the Law
Enforcement Directive, without lowering the level of protection.
Overall, the combined measures preserve a high level of data protection, while enhancing
coherence, transparency and accountability in EU law enforcement information
processing.
e) Cost (+)
Member States Europol
Direct costs
Expected one-off costs (in million EUR)
- Policy option 1.1
- Policy option 1.3
- Policy option 1.4
- Policy option 2.1
- Policy option 2.2
- Policy option 2.3
- Policy option 2.4
254.85
- 81
- 0
- 105
- 1.35
- 0
- 0
- 67.5
267.3
- 61*
- 2
- 50*
- 11
- 0
- 0
- 143.3
Expected yearly recurring costs
(in million EUR)
- Policy option 1.1
- Policy option 1.3
- Policy option 1.4
- Policy option 2.1
47.9
- 16.2
- 0
- 20
- 0.3
77.3
- 12.2
- 1
- 8
- 5.3
107
- Policy option 2.2
- Policy option 2.3
- Policy option 2.4
- 0
- 0
- 11.4
- 0
- 11
- 39.8
The combined package entails cumulative investments at both Member State and EU
level, while generating important efficiencies through synergies and rationalised
implementation. In particular, overlaps between Policy Options 1.1 (strengthening
information exchange) and 1.4 (CMS integration and workflow embedding) create
economies of scale estimated at approximately EUR 30 million, reducing overall
expenditure compared to a purely additive approach.
The one-off costs reflect initial investments in system upgrades, deployment of technical
infrastructure, training, and integration of digital and analytical tools. For Member States,
these are estimated at EUR 254.85 million, while for Europol they amount to EUR 237.3
million. Recurring annual costs cover ongoing maintenance, operational support,
staffing, and continuous improvements to systems and services, amounting to EUR 47.9
million for Member States and EUR 77.3 million for Europol.
These figures represent a consolidated and optimised implementation of the preferred
options, ensuring that operational impact is maximised while financial burdens are
contained. Importantly, the investments are expected to generate significant efficiency
gains: improved interoperability, automation of data flows, and enhanced analytical
capacity will reduce time and resources needed for cross-border investigations. Over time,
these operational efficiencies are likely to offset a portion of the recurring costs, while also
increasing the overall return on investment in terms of faster investigations, better
intelligence, and improved EU internal security outcomes.
Overall, the cost estimates demonstrate that the package is financially feasible,
proportionate, and justified by the expected operational and strategic benefits for both
Member States and Europol.
f) Feasibility (+)
All preferred options are individually technically feasible, as they build on existing legal
frameworks, operational practices, and IT infrastructures at both EU and national level.
When combined, they form a reinforced and coherent technical package: increased data
availability and streamlined categorisation (1.1, 2.1, 2.2, 1.4) feed directly into
strengthened inter-agency and prosecutorial cooperation (1.3, 2.3), while the EU Police
Cloud (2.4) provides the scalable digital infrastructure necessary to support expanded
analytical use, advanced data matching, and secure cross-border workflows. The approach
relies primarily on upgrading and integrating existing systems, rather than creating
entirely new architectures, ensuring continuity, manageability, and reduced
implementation risk. Synergies with established EU technological frameworks, including
those developed by eu-LISA, further enhance feasibility by leveraging proven
interoperability standards, secure authentication mechanisms, and shared infrastructure
components. Collectively, these measures generate cumulative efficiencies, enabling the
package to deliver greater operational impact than the sum of individual options.
108
From a political feasibility perspective, each option is achievable when considered
individually, as all are anchored in existing cooperation frameworks and respect the
division of competences between the Union and Member States. Certain elements, notably
strengthened EU-level coordination, DSC reform and the structural reinforcement of
Europol’s role vis-à-vis the EPPO, may encounter reservations from stakeholders
traditionally cautious about deeper integration. However, the package remains
proportionate and firmly rooted in operational needs identified by Member States
themselves, and its design emphasizes support rather than substitution of national
responsibilities. Taken together, the measures form a balanced and pragmatic reform:
they enhance EU-level support, strengthen operational effectiveness and provide scalable
and resilient tools while preserving Member State decision-making and oversight.
By improving the efficiency and coherence of cross-border investigations, enabling better
use of shared intelligence, and embedding upgraded technical infrastructure, the combined
package is technically achievable, politically realistic, and institutionally well
grounded. It ensures high data protection standards, maintains Member State control over
operational decisions, and creates a sustainable foundation for future-proof EU internal
security cooperation.
g) Impact on digitalisation (++)
All preferred options with a digital dimension have a positive impact on the digital
transformation of EU law enforcement cooperation, as they modernise data exchange,
streamline digital processing frameworks, and strengthen analytical and cloud-based
capacities. By improving the automation, standardisation, and interoperability of existing
systems, these options reduce manual workflows, accelerate the timeliness of cross-border
intelligence sharing, and enhance the reliability and usability of operational data.
Combined, their effect is mutually reinforcing: improved data availability and
harmonised rules feed directly into stronger inter-agency and prosecutorial cooperation,
while the EU Police Cloud provides a scalable, secure and resilient digital backbone
capable of supporting advanced analytics, AI-assisted processing and structured cross-
border workflows. In addition, the integration of national Case Management Systems with
EU-level platforms further embeds digital tools into everyday investigative processes,
ensuring that information flows efficiently and systematically without creating new access
rights or duplicating datasets. Together, the package accelerates a coherent and future-
proof digitalisation of EU internal security, enhancing operational effectiveness, fostering
standardised digital practices across Member States, and creating a sustainable foundation
for next-generation law enforcement capabilities.
109
ANNEX 6: MONITORING AND EVALUATION FRAMEWORK FOR
THE PREFERRED POLICY MEASURES
Putting in place a structured framework for monitoring and evaluation will help ensure that
the strengthened mandate under the preferred policy option translates into measurable
operational, strategic and systemic benefits. The framework will establish clear links
between the general and specific objectives, operational outputs, expected outcomes and
broader impacts, supported by measurable indicators and, where feasible, baselines and
targets. Monitoring arrangements will build on the mechanisms already established under
Article 68 of the Europol Regulation, which foresees periodic evaluations of Europol’s
impact, effectiveness and efficiency. These mechanisms will be complemented by a
refined indicator framework aligned with the specific and operational objectives of the
preferred option.
Monitoring will focus on outputs (e.g. volume and quality of information exchange,
operational support delivered), results (e.g. improved cross-border linkages identified,
investigative acceleration), and broader impacts (e.g. strengthened EU-level situational
awareness, reduced fragmentation in operational coordination). The framework will
distinguish more clearly between outputs (activities and services delivered), outcomes
(changes in operational cooperation and investigative effectiveness) and impacts
(contribution to EU internal security objectives). Attention will be given to monitoring
data-protection compliance, proportionality and fundamental rights safeguards, especially
in relation to large and complex datasets and advanced analytical tools.
Core indicators will be drawn from a range of sources, including Europol’s existing
reporting instruments, including the Consolidated Annual Activity Report (CAAR);
Article 7(11) reporting on Member State information contributions; EDPS supervisory
findings and data protection reporting; SIENA Annual Reports; EIS Annual Reports; and
Management Board performance indicators. Where possible, indicators will include
baseline values and measurable targets to support the assessment of progress over time.
The Commission will monitor implementation through its representation on the
Management Board, structured exchanges with Member States and Europol, and
consultation with oversight bodies, including the EDPS. Data will also be drawn from
SOCTA cycles, EMPACT performance reporting and, where appropriate, targeted
stakeholder surveys.
Monitoring will begin from the entry into force of the revised Regulation. Indicators will
be collected annually. A structured evaluation should be undertaken four years after entry
into force, allowing sufficient time for operational maturation while ensuring that findings
can inform any future legislative revision. The evaluation will assess effectiveness,
efficiency, coherence, relevance and EU added value, including the extent to which the
initiative has achieved the specific objectives and contributed to the overall objective.
Where relevant, interim reviews may assess implementation bottlenecks, including
technical interoperability and data-protection compliance burdens, in line with REFIT
principles.
The monitoring framework below summarises the operational objectives and associated
indicators per specific objective. It also identifies the corresponding outputs, outcomes and
expected impacts to facilitate the assessment of operational success over time.
Specific objective Operational objective Indicator description Data source Targets / frequency
SO1: Reinforce Europol’s
role as an information
hub
Strengthen Europol’s
capacity to collect,
process, analyse and
exchange criminal
intelligence with Member
States and improve the
timeliness, interoperability
and usability of
information exchanges
• % of Member States
technically integrated with
Europol data-ingestion
tools
• % of operational data
flows transmitted through
automated channels
• Average time between
receipt of information by
Europol and dissemination
of operational leads
• % of Europol-supported
investigations relying on
data from at least two
Member States
• Number of cross-system
matches generating
operational follow-up
• Satisfaction score from
Member States regarding
Europol analytical support
SIENA and EIS
transaction logs;
CAAR;
Article 7(11) reporting;
Europol operational
workflow logs;
Europol user surveys
Annual monitoring; target
increases to be defined in
Programming Documents
and Management Board
KPIs
SO2: Strengthening
Europol’s capacity to
support law enforcement
operational action
Optimally integrate human
resources between Europol
and Member States
• Number of operational
deployments and
embedded Europol support
arrangements
• Average time-to-
deployment following
Member State request
Europol HR and
deployment records;
ENU coordination records;
Annual monitoring;
deployment and training
targets to be reviewed
every two years
111
• Number of specialised
experts deployed in
operational cases
• Number of national
officers trained in
specialised investigative
fields
• Share of priority cases
supported by specialised
expertise
operational support office
reporting
Ensure direct and
proactive operational
support by Europol to
Member States and EPPO
investigations
• Number and share of
cross-border investigations
supported operationally by
Europol
• Number and share of
EMPACT and EPPO cases
receiving Europol support
• Number of proactive
support offers initiated by
Europol and accepted by
Member States/EPPO
• Share of cases where
Europol support
contributed to operational
outcomes
• Feedback score from
CAAR;
operational reporting;
EMPACT reporting;
EPPO cooperation
reporting;
targeted stakeholder
surveys
Annual monitoring with
mid-term review after four
years
112
Member States and EPPO
on operational usefulness
Enhance coordination and
complementarity between
Europol and relevant EU
entities to reinforce
synergies and ensure
efficient resource use
• Number of joint
operational activities with
Eurojust, EPPO and other
EU entities
• Number of SIRIUS
requests handled and
median response time
• Share of Europol-
supported cases involving
coordinated cooperation
channels with Eurojust or
EPPO
• Number of structured
information exchanges
through hit/no-hit systems
Joint operational activity
registers;
SIRIUS platform metrics;
cooperation logs;
case-management systems
Annual monitoring;
operational coordination
targets to be reviewed in
evaluation cycle
ANNEX 7: EVALUATION OF THE EXISTING POLICY AND
LEGISLATIVE FRAMEWORK
1. Introduction
1.1. Purpose and scope
This evaluation assesses the performance of Regulation (EU) 2016/794, as amended by
Regulation (EU) 2022/991, establishing the legal framework governing the European
Union Agency for Law Enforcement Cooperation (Europol).
The evaluation is conducted in line with the European Commission’s Better Regulation
Guidelines and applies the standard evaluation criteria of effectiveness, efficiency,
relevance, coherence, and EU added value. In this context, the analysis examines the
extent to which the intervention has achieved its intended objectives, whether it has done
so in a proportionate and resource-efficient manner, and whether the underlying policy
rationale remains valid in light of the evolving security landscape in the European Union.
The evaluation covers the period 2017-2024, corresponding to the implementation of
Regulation (EU) 2016/794 and the initial application of the amendments introduced by
Regulation (EU) 2022/991. The analysis therefore assesses both the functioning of the
original regulatory framework and the initial impacts of the 2022 legislative changes.
The scope of the evaluation focuses on Europol’s core tasks as defined in the Regulation, in
particular its role in facilitating information exchange, providing criminal intelligence
analysis, supporting operational coordination between Member States, developing
specialised expertise through dedicated operational centres, and cooperating with EU
institutions, agencies, third countries, and private actors. Particular attention is given to the
extent to which the Regulation has enabled Europol to respond to the increasingly
transnational, digitalised, and technologically sophisticated nature of serious crime and
terrorism.
In addition to assessing operational performance, the evaluation examines whether the
current legal framework provides Europol with the necessary tools to address emerging
challenges. These include the increasing volume and complexity of data relevant to
criminal investigations, and the need for law enforcement authorities to develop advanced
technological capabilities, including in the areas of digital forensics, and data analytics.
The analysis therefore considers whether the Regulation remains adequate to support
Europol’s evolving role within the EU’s internal security architecture.
The evaluation also takes into account the broader policy context in which Europol
operates, including the EU’s internal security strategies and operational cooperation
frameworks, such as the ProtectEU Internal Security Strategy. These policy initiatives
shape Europol’s operational priorities and provide an important reference point for
assessing the continued relevance of the existing regulatory framework.
The findings of the evaluation contribute to the accompanying impact assessment, which
examines potential policy options for revising Europol’s mandate. The evaluation therefore
provides the analytical basis for identifying possible shortcomings in the current legislative
114
framework and for assessing whether further policy or legislative action at EU level may
be necessary.
1.2. Methodology
The evaluation draws on a broad range of qualitative and quantitative evidence
sources in order to ensure a comprehensive assessment of the functioning of Regulation
(EU) 2016/794, as amended by Regulation (EU) 2022/991.
The main evidence base for the evaluation was generated through an external study
commissioned by the European Commission. The study supported the analytical work
underpinning the evaluation, including evidence collection, stakeholder consultations,
data analysis and the development of thematic case studies.
The external study supporting this evaluation was carried out by ICF S.A under
Framework Contract 330302019 between July 2025 and March 2026.
The external study included extensive stakeholder consultations, public surveys and
targeted interviews with relevant stakeholders. These consultations involved law
enforcement officials from Member States, Europol officers directly involved in
operational activities, and representatives of relevant EU institutions and agencies. The
purpose of these consultations was to gather practical insights into how the Regulation
functions in practice, including operational experiences, perceived added value of
Europol’s support, and potential challenges related to the implementation of the legal
framework.
In total, 135 stakeholder interviews were held, including 12 explanatory interviews
followed by 123 targeted interviews. They were conducted with national authorities of the
EU Member States, including Denmark (56), Europol staff managers including managers
and senior managers (35), European Commission services (14), EU agencies (8), EU
bodies and offices (4), law enforcement networks (6), MAOC-N, third countries (5),
international organisations (1), the private sector (2) and youth organisations (1).
The external study also included thematic case studies illustrating Europol’s role in
supporting specific operational activities and investigations. These case
studies provide qualitative insight into how Europol’s analytical capabilities, coordination
functions and operational support contribute to concrete law enforcement outcomes at EU
level. Field visits to Europol and five Member States164, which also included further
interviews, were conducted in order to gather qualitative and context specific evidence on
Europol’s cooperation with Member States.
In addition to the evidence generated through the external study, the Commission carried
out complementary evidence-gathering activities in order to further inform the
evaluation. These included thematic workshops with relevant stakeholders,
which provided an opportunity to discuss specific operational and policy issues related to
Europol’s mandate and its future development.
The first two workshops were held on 6 and 7 November 2025, focusing on optimising
Europol’s data ecosystem and reinforcing its role as the EU’s central operational hub and
developing EU-level specialised law enforcement expertise and operational innovation
164 Austria, Italy, The Netherlands, Slovenia, Sweden.
115
within Europol and reinforcing Europol’s role in tackling persistent and emerging threats
including within the EMPACT framework respectively. The third and fourth thematic
expert workshops were held on 18 and 19 December 2025, with a focus on enhancing
coordination and complementarily between Europol and relevant EU entities to reinforce
synergies, ensure efficient resource use, and consolidate Europol’s central role in the
EU internal security infrastructure for the third workshop and on strengthening
the steering and oversights of Europol to ensure effective governance in line with its
growing operational tasks, budget and staff, while optimally integrating human resources
between Europol and Member States for the fourth workshop.
Furthermore, the Commission conducted targeted bilateral outreach to Member
States’ authorities, as well as exchanges with institutional stakeholders, including the
Council, in the context of COSI and the Law Enforcement Working Party, and the
European Parliament, including the Joint Parliamentary Scrutiny Group. These exchanges
helped gather additional perspectives on the implementation of the Europol Regulation,
the practical functioning of Europol’s mandate, and possible areas where the current
legislative framework could be further strengthened.165
The evaluation also relies on quantitative data analysis, including operational statistics
and performance indicators relating to Europol’s activities and the use of its information
systems and operational support tools. This analysis includes trend analysis of relevant
indicators over the evaluation period in order to identify developments in Europol’s
operational role and the use of its services by Member States. Data sources used
predominantly include Europol Annual Reports, SIENA statistics and annual reports, EIS
annual reports, operational support statistics, Europol’s annual budget, establishment plans
and Single Programming Documents.
The combination of these sources enables the triangulation of evidence, allowing findings
to be validated across multiple data sources and perspectives. Quantitative operational data
are therefore assessed alongside stakeholder input and qualitative operational examples in
order to identify both measurable outcomes and structural challenges in the
implementation of the Regulation.
Nevertheless, certain methodological limitations should be taken into account when
interpreting the findings of this evaluation. First, the availability and comparability of
operational data across the evaluation period may be affected by changes in reporting
practices, evolving performance indicators, and the progressive development of Europol’s
operational tools and systems. As a result, some trend analyses rely on partially comparable
datasets or proxy indicators.
Second, evidence collected through stakeholder consultations and interviews reflects the
perspectives of participating stakeholders and may therefore be subject to response bias or
differences in national operational practices. While efforts were made to ensure balanced
representation across Member States and stakeholder groups, the consultation results
cannot be considered fully statistically representative of all users of Europol’s services.
Third, given the evolving nature of criminal threats and technological developments, it is
not always possible to attribute observed outcomes solely to the
intervention. Europol operates within a broader and constantly evolving security
165 More detailed information can be found in Annex 2 of the Staff Working Document.
116
environment shaped by multiple external factors, including developments in criminal
activity, technological change, and variations in national law enforcement capacities.
These external developments may influence observed outcomes, making it difficult in
some cases to isolate the specific effects of the Regulation from broader contextual trends.
Where such limitations arise, the evaluation relies on the triangulation of multiple evidence
sources in order to ensure that conclusions remain proportionate and robust. Further
methodological details are provided in Annex 4.
2. What was the expected outcome of the intervention
2.1. Description of the intervention and its objective
Europol was founded under the 1995 Europol Convention as a European Police Office
to facilitate cooperation among national law enforcement authorities in combating serious
cross-border crime. The Convention came into force 1 October 1998 and Europol became
fully operational 1 July 1999. Initially, Europol focused on supporting information
exchange between Member States through national contact points, analysing criminal
intelligence, supporting investigations into organised
criminal networks and maintaining centralised data systems. From its inception, Europol
was designed to act as a hub for criminal intelligence sharing among Member States in
order to address transnational crime phenomena such as terrorism, drug trafficking,
trafficking in human beings, cybercrime and other forms of serious organised crime.
The Agency’s legal framework evolved significantly with the Council Decision of 6 April
2009, which broadened Europol’s operational scope and clarified
its objectives, competences and tasks. The Decision removed the requirement
to identify organised crime groups before action could be taken and expanded Europol’s
responsibilities to additional crime areas, including money laundering, trafficking in
human beings, trafficking of cultural goods, racism and xenophobia and environmental
crime. It also strengthened Europol’s operational role by enabling it to request the initiation
of investigations, support Joint Investigation Teams (JITs) and produce strategic threat
assessments.
Council Framework Decision of 13 June 2002 established the legal framework for Joint
Investigation Teams to facilitate cross-border investigations and judicial cooperation. The
2009 Council Decision subsequently authorised Europol staff to participate in JITs,
allowing the Agency to support investigations directly within its mandate.
Regulation (EU) 2016/794 replaced the 2009 Council Decision and strengthened Europol’s
legal framework as the EU agency for law enforcement cooperation. The Regulation
introduced enhanced governance and accountability mechanisms, including scrutiny by the
European Parliament and national parliaments, as well as supervision of Europol’s data
processing activities by the European Data Protection Supervisor (EDPS). It also clarified
and expanded Europol’s mandate and established the legal basis for specialised centres
within Europol providing targeted expertise in specific crime areas.
The overall objective of the Regulation is to strengthen cooperation between Member
States’ law enforcement authorities in preventing and combating serious cross-border
crime and terrorism by improving information exchange, analytical capabilities and
operational coordination at EU level.
117
In 2022, Regulation (EU) 2022/991 introduced further amendments aimed at addressing
emerging operational and technological challenges. These amendments strengthened
cooperation between law enforcement authorities and private parties, enabled Europol to
process large and complex datasets for criminal analysis, and enhanced the Agency’s role
in research and innovation related to security technologies. They also clarified Europol’s
ability to support investigations concerning crimes affecting a Union interest, even where
a clear cross-border dimension is not initially established, and empowered Europol to
propose the introduction of information alerts in the Schengen Information System (SIS)
regarding third-country nationals involved in terrorism and serious crime.
The amended framework also strengthened cooperation between Europol and the
European Public Prosecutor’s Office (EPPO), operational since 2021. Europol’s activities
are organised around specialised centres focusing on specific crime areas, providing
targeted operational and analytical support to Member States.
These developments progressively strengthened Europol’s mandate and operational
capabilities, positioning the Agency as the EU’s central hub for criminal intelligence and
operational coordination in the fight against serious cross-border crime and terrorism.
Figure 1: The evolution of Europol’s mandate
Europol operates in a rapidly evolving security environment. Criminal networks
increasingly operate across borders, exploiting differences between national legal
frameworks, jurisdictional limits and gaps in information exchange between authorities.
At the same time, they make extensive use of digital technologies,
encrypted communications and global financial systems to facilitate and conceal their
activities. These developments create significant challenges for national law enforcement
authorities, which often face difficulties in obtaining timely cross-border information and
coordinating investigations. In this context, Europol supports Member States in preventing
and combating serious and organised crime, terrorism and other forms of cross-border
criminal activity by providing analytical support, facilitating information exchange and
supporting the coordination of cross-border investigations. Europol also contributes to the
implementation of EU security priorities, as reflected in the ProtectEU Internal Security
Strategy, including operational cooperation frameworks such as EMPACT.
The intervention logic underlying Regulation (EU) 2016/794 and
its subsequent amendment by Regulation (EU) 2022/991 is based on the recognition that
serious and organised crime and terrorism increasingly operate across national borders and
require coordinated responses at EU level. By strengthening Europol’s mandate,
improving mechanisms for information exchange and criminal intelligence analysis, and
enhancing operational coordination between national law enforcement authorities, the
Regulation aims to increase the effectiveness of cross-border investigations and support
Member States in addressing complex transnational crime threats. The intervention is
118
therefore expected to contribute to improved operational cooperation, more efficient use
of law enforcement resources, and enhanced situational awareness at EU level, ultimately
strengthening the Union’s capacity to prevent and combat serious crime and terrorism
while ensuring respect for fundamental rights.
This evaluation therefore examines the extent to which the existing legal framework has
enabled Europol to fulfil these objectives, in particular by strengthening information
exchange, analytical support and operational coordination between Member States in the
fight against serious cross-border crime and terrorism.
Figure 2: Intervention logic
2.2. Points of comparison
This section explains the points of comparison used to assess the impact of Regulation
(EU) 2016/794 and its amendment by Regulation (EU) 2022/991 on Europol’s functioning.
The evaluation relies primarily on temporal comparisons between the situation prior to
the adoption of the Regulation and developments observed during its implementation.
The main baseline for the evaluation is the situation before the entry into force of
Regulation (EU) 2016/794, when Europol operated under the legal framework established
by the 2009 Council Decision. This baseline provides a reference point for assessing how
the 2016 Regulation strengthened Europol’s governance framework, operational mandate
and analytical capabilities.
The evaluation then examines developments during the implementation period of the
Regulation, from its entry into force in 2017 to 2024. Within this period, particular
attention is given to developments following the entry into force of Regulation (EU)
2022/991. This allows the evaluation to assess both the longer-term effects of the 2016
Regulation and the early impacts of the 2022 amendment.
To structure the analysis, the evaluation examines developments across six core activity
areas reflecting Europol’s main operational functions: information management,
operational support, strategic analysis, specialised expertise through operational centres,
cooperation with private sector entities and external cooperation with international
partners. These activity areas serve as analytical benchmarks for assessing changes in
Europol’s operational output, use of information systems and support to Member States
over the evaluation period.
In addition to temporal comparisons, the evaluation also considers contextual
benchmarks in order to better understand Europol’s role within the broader EU security
architecture. This includes comparisons with other EU bodies involved in combatting
cross-border crime, such as Frontex and the European Public Prosecutor’s Office, as well
as reference to international cooperation mechanisms, notably Interpol, in order to
contextualise Europol’s position as an EU-level criminal intelligence hub.
Finally, thematic comparisons are used to assess how Europol’s activities have evolved
in response to emerging crime threats. This includes examining developments in areas such
as cybercrime, terrorism, human trafficking and financial crime, in order to determine
whether the regulatory framework has enabled Europol to adapt its operational and
analytical support to the evolving security environment.
Taken together, these points of comparison allow the evaluation to assess whether the
current legal framework has strengthened Europol’s operational effectiveness, improved
information exchange and analytical support to Member States, and enhanced cooperation
with relevant partners at EU and international level.
3. What was the expected outcome of the intervention?
The intervention evaluated in this report is Regulation (EU) 2016/794, which entered into
force in May 2017 and established the current legal framework governing Europol. The
Regulation replaced the framework established by Council Decision 2009/371/JHA,
under which Europol had operated since 2010. The reform responded to the growing cross-
border dimension of serious and organised crime and terrorism, which increasingly
required more effective mechanisms for information exchange, criminal intelligence
121
analysis and operational coordination between Member States166. The need for the
intervention was linked to limitations identified in the previous legal framework, including
restrictions on Europol’s ability to process operational data, support investigations and
cooperate effectively with other EU bodies and external partners.
The general objective of the Regulation was to enhance cooperation between law-
enforcement authorities in the Union and to strengthen support to Member States in
preventing and combating serious and organised crime and terrorism affecting two or more
Member States167. To achieve this objective, the Regulation clarified Europol’s tasks and
strengthened its mandate to provide criminal intelligence analysis, operational
coordination and specialised support to investigations, as well as to manage EU-level
information systems used for law-enforcement cooperation168.
The intervention logic underlying the Regulation expected that strengthening Europol’s
mandate and analytical capabilities would lead to increased use of Europol’s information
systems, greater analytical and operational support provided to Member States’
investigations and stronger coordination of cross-border law-enforcement actions. These
outputs were expected to improve the identification of links between criminal
investigations conducted in different Member States and facilitate coordinated
investigations targeting organised criminal networks operating across jurisdictions169.
Ultimately, the intervention was expected to contribute to strengthening the EU’s capacity
to combat serious and organised crime and terrorism with a cross-border dimension and to
improve the effectiveness of law-enforcement cooperation across the Union. These
objectives are also consistent with broader EU policy goals on internal security170 and
contribute indirectly to SDG 16 (peace, justice and strong institutions), particularly targets
relating to combating organised crime and strengthening institutional capacity171.
The evaluation therefore assesses whether these expected outputs, results and impacts
materialised during the evaluation period 2017-2024 compared with the baseline situation
under the previous legal framework between 2014 and 2016.
4. How has the situation evolved over the evaluation period?
4.1. Current state of play
This section describes how Europol’s activities and operational capacity evolved during
the evaluation period 2017-2024 following the entry into force of Regulation (EU)
2016/794. Developments are compared with the baseline period 2014-2016, when Europol
operated under the legal framework established by the 2009 Council Decision.
166 European Commission, Proposal for a Regulation on the European Union Agency for Law Enforcement
Cooperation (Europol), COM(2013) 173 final, 27.3.2013, explanatory memorandum; European
Commission, Impact Assessment accompanying the proposal for a Regulation on Europol, SWD(2013) 98
final, 27.3.2013; Recitals 1-6 of Regulation (EU) 2016/794. 167 Article 3 of Regulation (EU) 2016/794. 168 Articles 4-7 and Articles 17-21 of Regulation (EU) 2016/794. 169 SWD(2013) 98 final, 170 European Commission, The EU Internal Security Strategy in Action, COM(2010) 673 final. 171 A/RES/70/1, 2015.
122
During the evaluation period, Europol’s activities developed across three main areas:
information management, operational support and analytical capabilities, and cooperation
with operational partners.
Information management
Europol acts as a hub for criminal intelligence exchange between EU law enforcement
authorities. Secure operational communication is primarily conducted through the Secure
Information Exchange Network Application (SIENA), supported by the Europol
Information System (EIS) and the Querying Europol Systems (QUEST) interface. These
systems enable national authorities to exchange operational messages, query data stored in
Europol systems and identify links between investigations.
During the evaluation period, the volume of operational exchanges conducted through
SIENA increased steadily, and its use also contributed to a rise in the number of
operational cases. During the same period, the number of competent authorities connected
to SIENA expanded to include national law enforcement authorities, customs
administrations, and Police and Customs Cooperation Centres (PCCCs)172.
SIENA
Year Messages exchanged Creation of
operational cases
Connected
authorities
2016 869 858 46 437 757
2017 ~1 million 66 113 1 100
2020 ~1.3 million 88 748 2 239
2023 ~1.8 million 151 318 2 950
2024 ~2 million 169 500 3 500
Source: Europol operational statistics; Europol annual reports 2017-2024.
The expansion of SIENA connectivity took place in a broader EU policy context aimed
at strengthening law enforcement information exchange173. During the evaluation period,
the Union adopted new legislative measures in this area, including the Information
172 The extent and timing of this integration varied across Member States. Member States with direct
connections between national case-management systems and SIENA recorded higher volumes of automated
exchanges, while others continued to rely primarily on manual message entry through central contact points
or Europol National Units (External evaluation study, 2026). 173 During the evaluation period, the Union adopted or developed several instruments relevant to police
information exchange, including the Information Exchange Directive, Prüm II, the interoperability
framework for EU information systems and the Digital Services Act, each of which created new interfaces
or implementation tasks relevant to Europol’s information-management and ICT environment. These
developments affected the technical and organisational environment in which SIENA, EIS and related tools
operated during the period under evaluation.
123
Exchange Directive174, which provides for the mandatory use of SIENA by national Single
Points of Contact and foresees the integration of SIENA into national police case-
management systems. As the Directive was adopted towards the end of the evaluation
period, its implementation had only started in several Member States by 2024 and the
transitional arrangements for its application extend beyond the evaluation period. During
the period covered by this evaluation, SIENA therefore remained one of several channels
used by national authorities for cross-border law enforcement information exchange.
The operation of Europol’s information-management environment during the evaluation
period was also shaped by developments relating to data standardisation, large datasets and
data protection. A large share of SIENA traffic continued to be transmitted in unstructured
formats, including narrative text, PDFs, screenshots, scans and extracted device data,
requiring manual handling before these data could be cross-checked or analysed175. The
UMF initiative did not progress to full operational implementation during the evaluation
period176.
In addition to secure communication through SIENA, Europol maintains centralised
criminal intelligence databases accessible to national authorities through the Europol
Information System (EIS) and the QUEST search interface177, which enables searches
across multiple Europol datasets. This system allows national authorities to query
operational data stored at Europol and identify potential links between criminal
investigations conducted in different jurisdictions.
During the evaluation period, both the volume of searches conducted in Europol systems
and the number of data objects stored in the EIS evolved as follows:
Year EIS searches EIS objects
2015 633 639 295 374
2016 1 436 838 395 357
2017 2 478 825 1 062 236
2020 10 231 771 1 337 089
2023 14 238 667 1 572 837
174 Directive (EU) 2023/977 of the European Parliament and of the Council of 10 May 2023 on the exchange
of information between law enforcement authorities of Member States and repealing Council Framework
Decision 2006/960/JHA. 175 External evaluation study supporting the evaluation and impact assessment of Regulation (EU) 2016/794,
2026. 176 External evaluation study supporting the evaluation and impact assessment of Regulation (EU) 2016/794,
2026. 177 The development and use of EIS and QUEST during the evaluation period depended on how national
authorities connected their domestic systems to Europol’s tools. Many Member States continued to use
SIENA to request EIS cross-checks, as QUEST or other automated loaders had not yet been implemented.
Data provision to EIS also remained uneven, with structured uploads, automated ingestion, and common
formats not uniformly implemented across the Union. (External evaluation study, 2026).
124
2024 12 795 330 1 693 143
Source: Europol
Europol also performs automated cross-matching of operational data received from
Member States in order to identify potential links between criminal investigations
conducted in different jurisdictions. This process generates crossmatch reports and SIENA
hit notifications that are transmitted to the relevant national authorities when matches are
detected between datasets stored in Europol systems.
During the evaluation period, the number of crossmatch reports and hit notifications
generated by Europol evolved as follows: 7 372 in 2017, 6 824 in 2018, 7 806 in 2019, 9
559 in 2020, 14 413 in 2021, 14 737 in 2022, and 14 407 crossmatch reports in 2023,
followed by 13 409 reports in 2024178.
A key development affecting information management during the evaluation period
concerned the handling of large and complex datasets. Regulation (EU) 2022/991 clarified
Europol’s legal framework for processing personal data received without data-subject
categorisation for the purpose of completing categorisation and supporting ongoing
investigations. Under Article 18(6a), such data may be processed for up to 18 months,
extendable to 36 months in justified cases, solely for completing data-subject
categorisation. Article 18a introduced a derogation allowing Europol to process personal
data from competent authorities, the EPPO or Eurojust, where necessary to support
ongoing criminal investigations, including through operational analysis and, in exceptional
and duly justified cases, cross-checking. These amendments required the development of
internal procedures and data-governance arrangements for the management of large and
complex datasets.
Operational support and analytical capabilities
Europol provides operational support to Member States in cross-border investigations and
operational actions through analytical support, operational coordination and specialised
technical expertise. Under Regulation (EU) 2016/794, Europol supports national
authorities by providing criminal intelligence analysis, coordinating operational activities
and deploying specialised capabilities during investigations. These activities include
support to operational investigations, participation in Joint Investigation Teams (JITs),
organisation of operational meetings, support to Operational Task Forces (OTFs),
coordination of Joint Action Days (JADs) and the deployment of mobile offices and
specialised staff during operational actions.
During the baseline period (2014-2016), Europol already provided operational analytical
support to Member States primarily through Analytical Work Files (AWFs), operational
meetings and participation in Joint Investigation Teams (JITs). AWFs were the main
analytical structures used by Europol to analyse operational data and support cross-border
investigations179. Europol also facilitated coordination between national authorities
178 Europol Consolidated annual activity reports. 179 Council Decision 2009/371/JHA establishing the European Police Office (Europol), OJ L 121, 15.5.2009,
Articles 10-14.
125
through operational meetings and analytical support to investigations180. According to
Europol operational statistics, the Agency produced around 5 300 operational reports in
2016, reflecting the analytical support provided to national investigations during this
period181. Operational support during the baseline period was therefore primarily focused
on providing criminal intelligence analysis and facilitating coordination between national
authorities involved in cross-border investigations.182
Following the entry into force of Regulation (EU) 2016/794 in 2017, Europol’s
operational support was progressively expanded and became increasingly structured
around intelligence-led investigations targeting organised criminal networks operating
across several Member States. This reflected the strengthened mandate of Europol to
provide analytical support, operational coordination and specialised expertise to national
authorities in cross-border investigation. During the evaluation period, operational
coordination increasingly relied on structures such as Operational Task Forces (OTFs)183
and Europol’s participation in Joint Investigation Teams (JITs)184, which bring together
investigators and analysts from several Member States to support intelligence-led
investigations targeting priority criminal networks. Europol also supports coordinated
operational actions between Member States through the organisation of Joint Action
Days185. The number of JADs has increased throughout the evaluation period, with a total
of 7 taking place in 2017, 10 in 2023 and 11 in 2024.186
Year
Cross-border
investigations
supported by Europol
Joint Investigation
Teams
Operational
Task Forces
2014-2016
(baseline annual
average)
~1 000 38 JITs -
2017 1496 61 JITs -
2020 837 57 JITs (including
15 newly signed) 11
180 Europol, Annual General Report 2015, The Hague, 2016. 181 Europol, Consolidated Annual Activity Report 2016, The Hague, 2017, p. 12. 182 Europol, Consolidated Annual Activity Report 2016, pp. 11–14. 183 Operational Task Forces are operational coordination structures supported by Europol that bring together
investigators and analysts from several Member States to target priority criminal networks and conduct
intelligence-led investigations. 184 Joint Investigation Teams are cooperation mechanisms enabling competent authorities from two or more
countries to conduct joint criminal investigations for a specific purpose and limited period. Europol supports
JITs by providing analytical, operational and coordination assistance. 185 These operations involve coordinated law enforcement activities carried out simultaneously in several
Member States and supported by Europol through operational coordination, criminal intelligence analysis
and mobile office deployment. They take place in the framework of EMPACT. 186 Europol, Consolidated Annual Activity Reports 2017, 2023, 2024.
126
2023 3155
33 JITs (including
21 newly initiated
teams)
27
2024 3 324
49 JITs (including
36 newly
established).
65187
Source: Europol operational statistics
In parallel with the increase in investigations supported, Europol’s analytical output
expanded considerably during the evaluation period. Operational reports produced in
direct support of investigations increased from 5 330 in 2016 to 23 012 in 2023 and 21 281
in 2024. Europol also continued to produce strategic analysis188 on emerging crime threats
and supporting EU operational frameworks such as EMPACT. In 2024, Europol produced
29 strategic analysis reports and 366 operational analysis reports, compared with 44
strategic reports and 332 operational reports in 2017.
At the same time, the speed of operational analytical responses improved substantially
over the evaluation period. Europol operational data indicate that the average response
time to analytical requests from Member States decreased from 27.5 days in 2016 to a
range of 3-4 days between 2021 and 2024. In 2024, the average turnaround time for 80%
of first-line analysis requests was 3.2 days, compared with 4.2 days in 2023.
A further component of Europol’s operational support consists of on-the-spot operational
deployments, primarily through the use of mobile offices189 and the deployment of
specialised operational staff. During the baseline period (2014-2016), Europol already
provided such support during investigations and operational actions. In 2016, Europol
recorded 159 short-term mobile office deployments, 56 long-term deployments and 6
permanent deployments supporting operational activities190. Mobile offices were also
deployed during major investigations, for example to support operations in Belgium and
France following the 2015-2016 terrorist attacks191.
During the evaluation period, the number of deployments increased significantly, reaching
339 in 2017, 370 in 2018 and 353 in 2019192. While reporting categories changed slightly
over time, the figures indicate a substantial increase in the use of mobile offices to provide
on-the-spot analytical support during operational actions.
187 In 2024, Europol also introduced a new internal management and monitoring framework for OTFs
(OTF.360), although the operational impact of this new framework falls largely beyond the evaluation period. 188 Europol’s analytical products include the Serious and Organised Crime Threat Assessment (SOCTA), the
Internet Organised Crime Threat Assessment (IOCTA), the EU Terrorism Situation and Trend Report (TE-
SAT) and the European Financial and Economic Crime Threat Assessment (EFECTA). 189 Mobile offices allow investigators to access Europol databases and analytical tools in real time during
operational actions and enable the immediate cross-checking of operational data against information stored
in Europol systems. 190 Europol Consolidated Annual Activity Report 2016. 191 Europol Review 2016-2017. 192 Europol, Consolidated Annual Activity Reports 2017–2019. Mobile offices were also used to support
major international security events requiring enhanced operational coordination. In 2024, for example,
Europol provided operational support during UEFA EURO 2024 and the Paris 2024 Olympic and Paralympic
Games, including the deployment of staff and coordination support.
127
During the evaluation period (2017-2024), Europol further expanded its specialised
operational structures to address evolving crime threats193. The European Counter
Terrorism Centre (ECTC), launched in 2016, strengthened operational coordination and
information exchange between Member States in terrorism investigations. In 2020,
Europol established the European Financial and Economic Crime Centre (EFECC) to
enhance support for investigations related to financial and economic crime, including
fraud, corruption, money laundering and asset recovery.
Technological developments increasingly shaped Europol’s operational capabilities
during the evaluation period, reflecting the growing importance of digital evidence and
large datasets in criminal investigations. While Europol already used analytical tools to
support investigations during the baseline period, it did not yet have dedicated innovation
structures or programmes to develop new technological capabilities. The expansion of
cybercrime, online fraud, encrypted communications and cryptocurrency-related crime
therefore led to growing demand from Member States for advanced data-analysis tools,
prompting Europol to progressively strengthen its technological capacities and establish
dedicated innovation structures.
In this context, Europol created the Europol Innovation Lab in 2020 to develop and test
new technologies relevant for law enforcement, including artificial intelligence, data
mining and advanced analytics applied to large operational datasets194. In 2024, Europol
further strengthened these capabilities with the launch of the Research and Innovation
Sandbox, which allows the development and testing of AI models using operational
datasets under controlled conditions. These developments illustrate a broader shift during
the evaluation period towards data-driven investigations, in which large volumes of
digital evidence and financial data increasingly require specialised analytical tools and
technological expertise to support cross-border investigations.
In addition to supporting Member States directly, Europol provides operational and
analytical support within the broader EU internal security architecture through
cooperation with EU agencies and bodies involved in law-enforcement, border
management and judicial cooperation.
During the baseline period (2014-2016), operational cooperation between Europol and
other EU actors already existed195, particularly with Eurojust in the context of Joint
Investigation Teams (JITs). In 2016, 50 operational cases supported by Europol involved
Eurojust, reflecting the complementary analytical and judicial support provided by the two
agencies in cross-border criminal investigations196. Cooperation also took place with
Frontex, particularly in investigations related to migrant smuggling and cross-border
193 Some of these structures were already operational during the baseline period (2014-2016). The European
Cybercrime Centre (EC3), established in 2013, supports investigations related to cybercrime, online fraud
and child sexual exploitation and provides specialised capabilities such as digital forensics, malware analysis
and cryptocurrency tracing. In 2016, Europol created the European Migrant Smuggling Centre (EMSC) to
strengthen support to Member States in investigations targeting migrant smuggling networks. 194 By 2023, the Innovation Lab had supported dozens of innovation projects and research initiatives
involving law enforcement authorities, EU agencies, research institutions and private-sector partners, and
contributed to the development and testing of analytical tools made available to the European policing
community through Europol’s tool repository, which hosts more than 30 investigative tools. 195 Cooperation was primarily based on operational coordination, participation in joint meetings and
information exchange through Europol systems. 196 Europol, Consolidated Annual Activity Report 2016.
128
organised crime. In 2016, Europol deployed officers to migration hotspot locations in
Greece and Italy to support operations coordinated by Frontex and assist Member States
in identifying criminal networks involved in migrant smuggling197.
During the evaluation period (2017-2024), this cooperation expanded as the EU internal
security architecture evolved and new actors were created. Europol increasingly
contributed analytical support, operational coordination and information exchange to
multi-agency investigations and EU-level operational frameworks.
One important development was the establishment of the European Public Prosecutor’s
Office (EPPO)198, operational since 2021, which investigates crimes affecting the EU’s
financial interests. Europol provides analytical support and intelligence cross-checks in
investigations related to fraud, corruption and other financial crimes affecting the EU
budget. Europol contributes to a subset of these investigations by providing analytical
support, cross-matching of operational data and intelligence analysis, particularly in
complex cases involving organised fraud schemes, corruption and cross-border VAT fraud
affecting the EU budget. Europol supported six EPPO cases in 2021, 28 cases in 2022, 47
cases in 2023 and 83 cases in 2024. Cooperation with EPPO increased gradually during
the latter part of the evaluation period as operational arrangements between the two
organisations were implemented.
Europol also contributed to training and knowledge-sharing activities for law enforcement
authorities. During the evaluation period, Europol cooperated with the European Union
Agency for Law Enforcement Training (CEPOL) to deliver training programmes
addressing priority crime areas such as cybercrime, financial crime and counterterrorism.
In 2024, more than 800 law enforcement officers participated in Europol-supported
training activities.
The implementation of this support to EU agencies and EU-level frameworks developed
progressively during the evaluation period and was influenced by differences in
institutional mandates, data access conditions and the maturity of inter-agency working
arrangements. The focus group with EU agencies and bodies noted that cooperation is often
operationally close, but that data protection arrangements, mandate boundaries and data
ownership principles continue to shape how information can be exchanged and used across
institutional actors. These factors formed part of the operational context in which Europol’s
support functions evolved over the period.
External cooperation
Cooperation with external partners strengthened over the evaluation period, reflecting the
increasing international dimension of serious and organised crime and the operational
needs of Member States to cooperate with partners outside the EU.
During the baseline period (2014-2016), Europol already maintained cooperation
agreements with around 25 third countries and international organisations and hosted
around 200 liaison officers at it headquarter.
During the evaluation period, Europol further expanded its external cooperation network.
The Agency concluded additional working arrangements with third countries and partners,
197 Europol, Consolidated Annual Activity Report 2016. 198 Regulation (EU) 2017/1939.
129
including Singapore in 2020 and India in 2023, and strengthened operational cooperation
with international organisations such as INTERPOL and International Criminal Court.
In parallel, Europol increasingly cooperated with private-sector partners, particularly in
cybercrime and online fraud investigations. By the early 2020s, Europol was working with
a large number of private-sector partners, including technology companies and
financial institutions, in public-private partnerships supporting investigations related to
cybercrime and illicit financial flows.
The pace of developments in external cooperation during the evaluation period was
influenced by several factors. The growing transnational nature of criminal networks
created increased demand from Member States for cooperation with third countries and
international partners. At the same time, the development of formal cooperation
frameworks depends on the existence of an appropriate legal basis under the Europol
Regulation, including international agreements between the EU and partner countries
where the exchange of personal data is envisaged. The negotiation and adoption of such
agreements require compliance with EU data protection standards and fundamental rights
safeguards and may therefore take time. In addition, broader EU external security priorities
and the strategic importance of certain partner countries also shaped the development of
Europol’s external cooperation network.
5. Evaluation findings
5.1. To what extent was the intervention successful and why?
The success of the intervention is assessed in terms of the extent to which the Regulation
strengthened cooperation between Member States’ law enforcement authorities in
preventing and combating serious cross-border crime and terrorism, and whether this was
achieved effectively, efficiently and in a coherent manner within the EU internal security
framework.
Effectiveness
Effectiveness concerns the extent to which the objectives of the Regulation have been
achieved.
The expected outcome of the intervention was to strengthen operational cooperation
between Member States through improved information exchange, enhanced analytical
capabilities and stronger operational coordination at EU level. Evidence presented in
Section 2 indicates that these objectives have been largely achieved during the evaluation
period.
Operational data199 show a substantial increase in the use of Europol’s information
exchange infrastructure. The volume of operational exchanges through the Secure
Information Exchange Network Application (SIENA) increased significantly during the
evaluation period, reaching approximately two million messages in 2024. Similarly, the
number of searches conducted in Europol’s information systems increased substantially
over the same period. These developments suggest that national law enforcement
authorities increasingly rely on Europol’s systems to support cross-border investigations.
199 Europol Annual Reports 2017-2024.
130
Evidence from stakeholder consultations supports this finding. Respondents to the
Commission’s public consultation200 consistently identified Europol’s role in facilitating
cross-border information exchange and operational coordination as one of the Agency’s
most important contributions to EU law enforcement cooperation. Focus group
discussions with Member State authorities201 similarly emphasised the operational
importance of Europol’s information exchange systems and analytical support.
Participants indicated that Europol’s analytical capabilities frequently enable investigators
to identify links between criminal cases conducted in different jurisdictions and facilitate
coordinated operational actions across Member States.
Operational support provided by Europol has also expanded significantly during the
evaluation period. The number of cross-border investigations supported by Europol
increased substantially, reaching approximately 3 324 investigations supported in 2024202.
Case studies analysed during the external evaluation203 study demonstrate that Europol’s
analytical capabilities frequently enable investigators to identify links between
criminal cases in different Member States and facilitate coordinated operational action
against transnational criminal networks.
The development of specialised operational centres within Europol also contributed to
strengthening operational effectiveness. Centres such as the European Cybercrime Centre
(EC3), the European Counter Terrorism Centre (ECTC) and the European Financial and
Economic Crime Centre (EFECC) provide specialised expertise in areas such as digital
forensics, financial investigations and counter-terrorism intelligence analysis204.
Stakeholder consultations205 indicate that these specialised capabilities are particularly
valuable for Member States with more limited technical resources.
Despite these positive developments, the evaluation identified several factors that may
affect the full effectiveness of the intervention.
First, evidence collected through focus group discussions206 indicates that information
sharing practices remain uneven across Member States. Some Member States contribute
significantly larger volumes of operational data than others, which may affect the
completeness of operational datasets available to Europol for analytical purposes.
Second, stakeholders207 highlighted operational challenges related to the processing of
large and complex datasets, particularly in cases involving digital evidence and
encrypted communications.
Third, consultations identified procedural constraints related to data protection
requirements and data ownership principles that may affect Europol’s ability to process
certain datasets or share information across institutional boundaries (EU agencies focus
group, January 2026).
200 Public consultation summary report, 2026. 201 Member States focus group, January 2026. 202 Europol Annual Reports 2017-2024. 203 External evaluation study, 2026. 204 Europol Annual Reports 2017-2024. 205 Public consultation summary report, 2026. 206 Member States focus group, January 2026. 207 EU agencies focus group, January 2026.
131
Overall, the available evidence indicates that the Regulation has significantly strengthened
operational cooperation between Member States and enhanced Europol’s role as the EU’s
central criminal intelligence hub.
Efficiency
Efficiency assesses whether the objectives of the intervention were achieved at reasonable
cost and whether the available resources were used proportionately to the results obtained.
Europol provides several centralised services at EU level, including secure communication
systems, analytical platforms and specialised forensic capabilities. These services allow
Member States to pool resources and avoid duplicating similar infrastructure at national
level.
The expansion of Europol’s operational activities during the evaluation period occurred
alongside increases in the Agency’s financial and human resources. Overall, the available
evidence indicates that Europol’s operational outputs have increased broadly in line with
the growth in available resources208.
Year Budget Staff
2016 €104.9 million 655
2017 €129.9 million 684
2018 €136.1 million 859
2019 €138.3 million 893
2020 €143.6 million 871
2021 €168.8 million 960
2022 €192.4 million 992
2023 €200 million 911
2024 €217 million 941
Evidence from stakeholder consultations209 suggests that Europol’s centralised services
generate economies of scale by providing specialised analytical and technical capabilities
that would be costly for individual Member States to develop independently.
Focus group discussions with Member States210 indicate that measures aimed at
strengthening automated data exchange and systematic use of Europol systems could
generate significant operational benefits while involving moderate implementation costs.
At the same time, consultations indicate that increasing demand for Europol’s services may
place pressure on the Agency’s analytical capacity and operational resources211.
208 Europol Annual Reports 2017-2024. 209 Public consultation summary report, 2026. 210 Member States focus group, January 2026. 211 External evaluation study, 2026.
132
Stakeholders212 also identified opportunities to improve efficiency by simplifying certain
operational procedures, strengthening interoperability between information systems and
improving digital tools supporting operational cooperation.
Overall, the evaluation indicates that Europol’s services contribute to more efficient use of
law enforcement resources across the Union, although growing operational demand may
require additional resources to maintain this level of efficiency.
Coherence
Coherence assesses whether the intervention is consistent with other EU policies and
instruments and whether it interacts effectively with the broader EU internal security
framework.
Europol operates within a broader EU security architecture that includes several actors
involved in law enforcement cooperation and judicial coordination, including Eurojust, the
European Public Prosecutor’s Office (EPPO), Frontex and CEPOL.
Evidence collected during the evaluation213 indicates that Europol’s activities generally
complement those of these actors, particularly through its role in providing criminal
intelligence analysis and facilitating information exchange between national authorities
and other EU Agencies, bodies and offices. In particular, Europol plays an important role
in supporting the European Multidisciplinary Platform Against Criminal Threats
(EMPACT), which coordinates operational actions against priority crime threats at EU
level.
At the same time, consultations with EU agencies214 highlighted certain operational
challenges related to the interaction between different institutional mandates and legal
frameworks. In particular, stakeholders noted that differences in data protection
frameworks and institutional mandates may affect the efficiency of information exchange
between EU bodies.
Nevertheless, the evaluation did not identify major inconsistencies between the Europol
Regulation and other EU legal instruments.
5.2. How did the EU intervention make a difference?
This section assesses the EU added value of the intervention. EU added value refers to
the benefits generated by EU-level intervention that would not have been achieved, or
would have been achieved less effectively, by Member States acting individually.
The evaluation finds that Europol generates substantial EU added value by enabling the
integration of criminal intelligence and operational coordination across multiple Member
States.
Europol’s centralised information exchange infrastructure enables national authorities to
share operational information simultaneously with multiple partners, facilitating the
identification of links between criminal investigations conducted in different Member
212 EU agencies focus group, January 2026. 213 External evaluation study, 2026. 214 EU agencies focus group, January 2026.
133
States 215. Without EU-level coordination mechanisms such as those provided by Europol,
cooperation between national authorities would rely primarily on bilateral exchanges,
which may be slower and less effective in addressing complex transnational criminal
networks. Stakeholder consultations216 indicate that Europol’s analytical and coordination
capabilities significantly enhance the effectiveness of cross-border investigations
compared with bilateral cooperation mechanisms.
Europol also centralises specialised analytical and technical capabilities at EU level,
including advanced digital forensic tools, financial intelligence analysis and cybercrime
investigation support. By pooling these capabilities, Europol allows Member States to
benefit from economies of scale and reduces the need for duplicative investment in
specialised infrastructure217.
These capabilities are particularly valuable for smaller or resource-constrained Member
States218.
Operational case studies analysed during the evaluation219 show that Europol’s analytical
and coordination capabilities can play a decisive role in complex investigations targeting
criminal networks operating across several jurisdictions.
Europol also facilitates cooperation between EU law enforcement authorities and
international partners. Consultations with external stakeholders indicate that Europol
serves as an important gateway for cooperation with the European Union, reducing the
need for multiple bilateral contacts with individual Member States220.
High-level stakeholders221 also emphasised Europol’s central role in facilitating
information exchange and analytical cooperation across the Union.
Overall, the evaluation concludes that the intervention provides clear EU added value by
enabling coordinated operational responses to cross-border criminal threats that would be
significantly more difficult to achieve through national or bilateral cooperation
mechanisms alone.
5.3. Is the intervention still relevant?
The relevance criterion assesses whether the objectives of the intervention remain
appropriate in the context of evolving crime threats and operational needs.
Evidence from Europol threat assessments222 indicates that organised crime groups
increasingly operate across national borders and rely heavily on digital technologies,
encrypted communication services and global financial systems to conduct illicit activities.
215 Europol Annual Reports 2017-2024. 216 Public consultation summary report, 2026. 217 External evaluation study, 2026. 218 Public consultation summary report, 2026. 219 External evaluation study, 2026. 220 External evaluation study, 2026. 221 Joint Statement by the European Police Chiefs on the Future Development of Europol. 222 SOCTA, 2025.
134
Stakeholder consultations conducted during the evaluation223 indicate strong support for
Europol’s role in facilitating cross-border operational cooperation and providing analytical
support to Member States. In particular, respondents to the public consultation and call for
evidence emphasised the growing importance of EU-level coordination mechanisms in
addressing technologically sophisticated forms of criminal activity, including cybercrime
and online financial fraud224.
Focus group discussions with Member States and EU agencies225 highlighted the
increasing importance of EU-level coordination mechanisms in addressing
technologically sophisticated forms of criminal activity, including cybercrime and online
financial fraud. Focus group discussions226 similarly highlighted the increasing complexity
of criminal investigations involving digital evidence, large datasets and cross-border
financial flows.
At the same time, stakeholders identified areas where evolving operational needs may
require further adaptation of the legal framework. These include:
• the increasing volume of digital evidence in criminal investigations
• the need to process large and complex datasets
• the growing importance of cooperation with private sector actors
• the rapid technological evolution of criminal methods.
Overall, the evaluation finds that the objectives of Regulation (EU) 2016/794 remain
highly relevant, as the increasingly transnational and digital nature of serious crime
continues to require strong EU-level mechanisms supporting operational cooperation
between Member States.
6. What are the conclusions and lessons learned
6.1. Conclusions
The evaluation concludes that Regulation (EU) 2016/794 has substantially strengthened
the European Union’s capacity to prevent and combat serious and organised crime and
terrorism with a cross-border dimension. Europol has consolidated its role as a central
operational and analytical hub within the EU’s internal security architecture, providing
clear added value to Member States’ law enforcement cooperation.
The evidence presented in Sections 3 and 4 indicates that the intervention has largely
achieved its objectives. Europol has enhanced the quality, scale and intensity of cross-
border information exchange and operational coordination among Member States. The
growing use of Europol’s information systems, notably SIENA and the Europol
Information System, illustrates the increasing reliance of national authorities on Europol
as a platform for secure information exchange and analytical support. Europol’s strategic
threat assessments, including SOCTA, IOCTA and TE-SAT, have become key tools for
identifying EU crime priorities and informing operational planning at EU level.
223 Public consultation summary report, 2026. 224 Public Consultation Factual Summary Report, 2026; Call for Evidence Factual Summary Report, 2026. 225 Member States focus group, January 2026; EU agencies focus group, January 2026. 226 EU Agencies Focus Group Summary, February 2026.
135
Europol’s specialised centres, such as the European Cybercrime Centre (EC3) and the
European Counter Terrorism Centre (ECTC), have strengthened the Union’s capacity to
address emerging and technically complex threats by providing specialised expertise and
analytical capabilities that many Member States could not sustain independently. In
addition, Europol’s operational support to mechanisms such as Joint Investigation Teams
(JITs), Joint Action Days (JADs) and Operational Task Forces (OTFs) has facilitated
coordinated enforcement actions, accelerated evidence collection and reduced duplication
of investigative efforts across jurisdictions.
The evaluation also finds that Europol operates efficiently by centralising specialised ICT
systems, analytical capabilities and operational coordination at EU level, generating
economies of scale that individual Member States would struggle to achieve alone.
Increased resources have enabled Europol to expand its outputs, particularly in information
exchange and operational support. However, the continued growth in operational demand
and the increasing complexity of transnational crime create pressures on Europol’s
resources and risk shifting the balance towards reactive operational support at the expense
of strategic foresight.
The evaluation also finds that the intervention contributed to strengthening Europol’s role
within the EU internal security architecture. Cooperation between Europol and other EU
actors, including Eurojust, Frontex, European Public Prosecutor’s Office and CEPOL,
expanded during the evaluation period. Europol also increased its engagement with
international partners and private-sector actors in areas such as cybercrime and online
fraud.
The Regulation remains highly relevant to the evolving security landscape. Serious and
organised crime and terrorism continue to operate increasingly across borders, with
digitalisation further expanding the scale and reach of criminal activities. Europol’s
mandate remains broadly aligned with these challenges, although emerging threats such as
large-scale cyber-enabled fraud and the use of artificial intelligence in criminal activities
may require further adaptation of the legal framework.
The evaluation finds that the Regulation is coherent both internally and with the broader
EU legal framework governing police cooperation. Europol’s mandate complements other
EU instruments and agencies, contributing to a more integrated European security
architecture while maintaining safeguards for fundamental rights.
Finally, the evaluation confirms that Europol generates clear EU added value. By
providing EU-wide criminal intelligence, facilitating operational coordination and
enabling cooperation with private sector partners and third countries, Europol supports a
more coherent and effective European response to transnational crime. These benefits are
particularly significant for smaller Member States that may lack the capacity to develop
comparable capabilities at national level. At the same time, Europol’s effectiveness
continues to depend on the timely and comprehensive sharing of information by Member
States, highlighting the importance of sustained engagement across the EU law
enforcement community.
6.2. Lessons learned
Several lessons emerge from the evaluation.
136
First, the evaluation confirms the continued importance of EU-level mechanisms for
criminal intelligence exchange and operational coordination. The transnational nature
of serious and organised crime means that effective investigations increasingly require
structured cooperation between multiple jurisdictions. Europol’s systems and analytical
capabilities play a central role in enabling such cooperation.
Second, the evaluation highlights the growing importance of advanced analytical
capabilities and technological tools in criminal investigations. The increasing volume of
digital evidence and the use of encrypted communications by criminal networks require
specialised expertise and technological capabilities. The development of innovation-
related initiatives within Europol during the evaluation period reflects the need to adapt
operational support to these technological developments.
Third, the evaluation underlines the importance of consistent and systematic information
sharing between Member States. Differences in data-sharing practices may reduce the
completeness of operational datasets and limit the effectiveness of analytical support.
Stakeholders emphasised that more systematic use of Europol systems and automated data
exchange could further improve operational cooperation.
Fourth, the evaluation highlights the importance of coherence across the EU internal
security framework. Effective cooperation between Europol and other EU actors depends
on clear mandates, compatible data-protection frameworks and efficient mechanisms for
information exchange. While cooperation between agencies is generally effective,
stakeholders noted that differences in legal frameworks may sometimes affect operational
coordination.
Finally, from a REFIT perspective, the evaluation suggests that simplifying operational
procedures and improving interoperability between information systems could reduce
administrative burden and increase efficiency. Stakeholders identified opportunities to
streamline certain operational processes and strengthen digital tools supporting
information exchange and analytical cooperation.
Overall, the evaluation indicates that the legal framework established by the Europol
Regulation continues to provide a relevant basis for supporting Member States in
addressing serious and organised crime and terrorism with a cross-border dimension. The
lessons identified in this evaluation may inform future reflections on how EU-level
mechanisms for law-enforcement cooperation can continue to adapt to evolving security
threats and operational needs.
Table 1: Evaluation Matrix
Evaluation questions
A Effectiveness: To what extent has Europol progressed positively towards achieving the objectives under its mandate?
Sub-questions Judgment criteria Indicators Data collection tools and
methods
Based on data and in the views
of ‘stakeholders’227
1 To what extent have Europol's
activities contributed to
achieving the objectives under
its regulatory framework to
support and strengthen action
by the competent authorities
of the Member States and
their mutual cooperation in
preventing and combating
serious crime affecting two or
more Member States, terrorism
and forms of crime which affect
a common interest covered by a
Europol’s contribution to
ending ongoing or preventing
cross-border serious and
organised crime and terrorism
is significant in terms of
successful police interventions
and operational results.
Europol and Member States
Law Enforcement Authorities
(LEAs) cooperation is
effective
Qualitative:
Alignment of Europol’s operations
and activities with its policy
objectives and priorities.
Opinion based:
Stakeholders’ satisfaction level with
Europol's activities and objectives.
Desk research: Data on
evolution of serious and
organised crime and terrorism
and successful operations with
the support of Europol, place
into context crime areas in focus
(Annex 1 Europol Reg).
Interviews: Europol MB,
Member States Ministry of
Interior (political level);
network of national parliament
representatives reviewing report
227 Unless otherwise specified, the term stakeholders indicate all categories consulted as indicated in the last column.
138
Union policy and ensure
security in the Area of Freedom,
Security and Justice?
Resources allocated to Europol
and their employment by the
Agency meets the needs of MS
and allows to swiftly address
all requests for support by
Member States law
enforcement authorities.
There is satisfaction with
Europol’s support
Stakeholders’ perception of the
pertinence of the EU policy
objectives and related priorities.
Member States law enforcement
authorities’ satisfaction with
responsiveness of Europol.
Quantitative:
Overview of statistics on criminality
in focus (Eurostat, UN survey of
crime threads, JRC counter-terrorism
knowledge hub, EU database of
terrorist offenders etc) where
available (limited information of
cross-border crime), data from
SIENA reports.
from Europol (Joint
Parliamentary Scrutiny Group
(JPSG)).
Survey: Member States law
enforcement authorities,
General public, COM and EU
agencies and bodies
2 To what extent have Europol's
activities supported relevant EU
policy objectives and priorities
related to the Area of
Freedom, Security and Justice
(specifically TFEU Art 67 (3);
Art 87, 88)? (ER Art. 4.1 (j),
(l); (u); (z); 4.2; 4.3; 4.4)
Evolution of Europol’s
strategic contributions to
cross-border police
cooperation, support for
judicial collaboration, and
combatting serious crime and
terrorism.
Qualitative:
Alignment of EU operations with
policy objectives and priorities.
Opinion based:
Desk research: Europol
strategic reports on evolution of
crime, input to policy
development.
Interviews: Commission
representatives of Europol
Management Board, Member
139
Measurement of
improvements in the speed,
efficiency, and success rates of
joint operations, intelligence
sharing, and coordination
among Member States
(Article. 4.2).
Cooperation between Europol
and Member State law
enforcement authorities is
considered effective
Evidence of concrete
outcomes, such as dismantling
criminal networks, successful
counterterrorism initiatives,
and enhanced security
measures.
Europol successfully
facilitated cooperation
between law enforcement and
judicial authorities across
Member States
Stakeholders’ satisfaction levels with
Europol's activities and objectives.
Stakeholders’ perception of EU
policy objectives and related
priorities.
Quantitative:
Statistical data to measure operational
success against crime and in
supporting security – using EU-
SOCTA, iOCTA, TE-SAT data,
EMPACT reporting and specific
early warning notifications, SIENA
data
States, Ministries of Interior
(political level), JSPG,
Commission services, including
SG, DG HOME, DG JUST
coordination unit, Police Chiefs,
HENU.
Survey: Member State law
enforcement authorities, EU
agencies and bodies; General
public (public consultation).
Comparative analysis: with the
operational records of other EU
agencies, Member State law
enforcement authorities and
INTERPOL.
140
Europol’s input into EU policy
development through strategic
analysis a, recommendation,
and dissemination of good
practices to Member States and
EU agencies.
There is satisfaction with
Europol’s role in the EU
architecture.
3 To what extent did Europol’s
priorities and objectives set
respectively by the multi-
annual programming and the
annual work programmes
adopted by Europol
Management Board (MB)
between 2017-2024 reflect over
time the overall priorities and
objectives of the Agency under
its legal mandate? (Article. 3)
Consistency between the
priorities and objectives across
the multi-annual
programming, annual work
programmes, and Europol’s
legal mandate and obligations
resulting from other legal acts.
Alignment of the programmes’
goals with the overarching
strategic goals of the Agency
and the evolving political and
legislative landscape.
Qualitative:
Evidence of main initiatives or
projects within the multi-annual and
annual programmes adopted by the
MB to illustrate how they contribute
to the Agency’s objectives under its
legal mandate.
Identified consistencies or
discrepancies in the stated priorities
and objectives.
Opinion based:
Desk research: Review of grey
literature (notably, Europol’s
operational documents such as
SPDs and CAARs); mapping
priorities against Annex 1 listed
crimes
Interviews: Member States
Ministries of Interior/political
level, JSPG, COM strategic staff
JHA policy, Europol MB
Survey: Member State law
enforcement authorities, EU
agencies and bodies; General
public (public consultation)
141
Effectiveness of the multi-annual
programming and the annual work
programmes adopted by Europol MB
in meeting the Agency’s objectives
under its legal mandate.
Quantitative:
Review of performance indicators
and data and progress reports to
measure the progress and
achievements over the evaluation
period (2017-2024).
4 To what extent and how have
external factors (COVID,
development of AI and other
technology; global security
developments) influenced the
effectiveness of Europol?
External factors had limited
impact on Europol’s objectives
and tasks.
External factors had limited
impact on the effectiveness of
Europol’s working methods.
Qualitative:
Identification and assessment of
external factors impacting Europol’s
operational effectiveness.
Opinion-based:
Perceptions of Europol staff, law
enforcement authorities, EU policy
makers, other experts on impact of
Desk research: Academic
papers, grey literature,
Europol’s operational support
documents
Interviews: JSPG, Member
States Ministries of Interior
(political level), COM strategic
policy staff, Europol MB,
Academia and other experts,
NGOs
142
external factors (e.g. on Europol’s
effectiveness.
Perceptions about the development of
technology for LEA purposes.
Perceptions about developments of
use of technology for criminal
purposes.
Quantitative:
Evolution of the number of
stakeholders with which Europol is
expected to cooperate and of its areas
of activity.
Survey: Member States law
enforcement authorities, EU
agencies and bodies; General
public (public consultation)
5 To what extent does Europol
make effective and
proportionate use of the
different task domains (6 core
areas: information
management, operational
support, strategic analysis,
specialised expertise (expert
support centres), private
sector cooperation, external
Europol’s makes satisfactory
and proportionate use of all
task domains and tools
entrusted to it to achieve its
objectives and tasks as set out
in its legal mandate.
There is clear complementarity
between the use made by
Europol of its task domains
Qualitative:
Impact of development of tools and
task domains on crime and terrorism.
Opinion-based:
Europol staff views on the use of
different powers and tools as set out
Desk research: Europol’s
operational documents,
academic research, National
information on ENUs and their
impact.
Interviews: JSPG, Member
States Ministries of Interior
(political level), COM strategic
143
cooperation) - and tools (EIS,
SIS, EAS, SIENA, Big data
processing, system with
EPPO) under the current legal
framework?
and tools and Member State
law enforcement authorities’
activities.
The mere fact that Europol
disposes of certain tasks and
tools has already a deterrent
effect for criminals and
terrorists regardless of its use.
in the legal mandate and likely impact
on crime/ deterrent effect.
Public and academic experts – on use
of Europol of its powers and tools and
possible impact on crime / deterrent
effect.
Quantitative:
Statistical information on the use and
costs of the various tools such as EIS,
SIENA, EAS, big data processing,
system with EPPO.
policy staff JHA area, Europol
MB.
Survey: Member State law
enforcement authorities,
General public (public
consultation), EU institutions,
agencies and bodies.
B Efficiency: How well did Europol use resources relative to the changes achieved?
Sub-questions Judgment criteria Indicators Data collection tools and
method
6 What are the overall direct and
indirect costs and benefits of
Europol’s core task domains
(six core areas: information
management, operational
support, strategic analysis,
The overall costs of Europol’s
activities are proportionate to
their impact and outweigh the
benefits generated.
Qualitative:
Resource allocation is proportionate
to operations and support provided by
Europol.
Desk research: Review of grey
literature and operational
reports, including COM review
under Article 68(3) ER,
CAARs, Europol Survey on
number of staff.
144
specialised expertise (expert
support centres), private
sector cooperation, external
cooperation) and how have
they evolved since 2017? Are
efficiency gains expected or
possible in the short or long
term?
The activities of Europol do
not cause significant costs for
Member State law
enforcement authorities.
The current organization and
working methods are highly
efficient and there is no scope
for savings or room to achieve
the same results in a more
efficient way.
The activities of Europol
generate (on balance)
efficiencies gains for Member
State law enforcement
authorities.
Opinion-based:
Europol staff, EU policy makers on
perceived levels of cost and benefits
of Europol’s activities.
Perspective of strengths and gaps or
cost-intensiveness.
Quantitative:
Statistics on resources by year and
their evolution and employment by
the Agency.
Allocation of resources per core
areas.
Interviews: JSPG, Europol MB,
Member States Ministries of
Interior (political level), ECA.
Survey: Member State law
enforcement authorities and EU
agencies and bodies, general
public (public consultation).
Case studies: Review of
specific operations and their
costs and benefits, collecting
deep insights, drawing on good
practices.
C Relevance: To what extent do the objectives of the Regulation continue to align with current needs within the EU and among stakeholders?
Sub-questions Judgment criteria Indicators Data collection tools and
method
145
7 To what extent do Europol’s
objectives and activities (core
task domains) under its legal
framework correspond to the
evolving needs within the EU
and among affected
stakeholders?
Europol’s objectives and
activities are well aligned with
Regulations and corresponding
to needs of affected key
stakeholders.
Europol’s activities and
objectives are well aligned
with the legal framework
setting up Europol and
Member State needs.
Regulatory framework is
adapted to evolving needs of
the Agency and its
stakeholders.
Qualitative:
Needs of Member States law
enforcement authorities, Europol
staff, EC, European Parliament, JHA
agencies.
Coherence of
Europol’s objectives and activities
with Regulation 2016/794 as
amended by Regulation 2022/991.
Trends of crime and development of
criminal activities, broader trends of
technology development, needs in
terms of data sharing, trends for
cooperation with third countries.
Opinion-based:
Perspectives on alignment of
Europol’s objectives and activities as
stated in amended Regulation with
evolving needs of affected
stakeholders and Europol
collaborators.
Desk research: Review of grey
literature and operational
reports, stakeholder reports
Interviews: JSPG, COM,
Member States Ministries of
Interior (political level),
strategic policy staff JHA area,
Europol MB, academia,
networks.
Survey: Member State law
enforcement authorities, COM
and EU agencies and
bodies staff, general public
146
Views on needs of adaptation of
regulatory framework applicable to
Europol
Quantitative:
SOCTA reports
D Coherence:
internal coherence - to what extent Europol various components or interventions achieve together the overall Europol objectives?
External coherence - how well different interventions of Europol work with other EU policy interventions, other EU agency interventions or
international ones - as well as national/ regional local level interventions?
Sub-questions Judgment criteria Indicators Data collection tools and
method
8 To what extent are Europol's
objectives and activities (core
task domains) under its legal
framework coherent with other
relevant EU policy
developments, in the fields of
law enforcement cooperation
and security, including with
ProtectEU, the European
Internal Security Strategy?
Europol’s objectives and
activities as set out under legal
framework are coherent and
aligned to EU polices related to
law enforcement cooperation
and security.
Europol's objectives and
activities as set out under its
legal framework created
synergies with other EU
Qualitative:
Evidence that Europol's objectives
and activities worked in coherence
with other EU law enforcement
cooperation and security policies.
Evidence or indications of
contradictions, synergies and gaps.
Desk research: Review of grey
literature and operational
reports, including COM review
under Article 68(3) of the
Europol Regulation.
Interviews: JSPG, COM,
COSI, strategic policy staff JHA
area, Member States Ministries
of Interior (political level),
Europol MB.
147
policies in the field of law
enforcement cooperation and
security
No evidence of contradictions
between Europol legal
framework and other EU
policies on law enforcement
cooperation and security.
There was no evidence of
overlaps between Europol's
legal framework and EU
policies on law enforcement
cooperation and security.
Opinion-based:
Stakeholders’ views on existence of
synergies, gaps, coherence,
contradictions and overlaps.
Survey: Member States law
enforcement authorities and EU
agencies and bodies, general
publics (public consultation).
E EU Added value
Sub-questions Judgment criteria Indicators Data collection tools and
method
9 Without Europol, how
effectively could Member States
conduct and exchange
investigations and information
at their current scale?
Member States do not have the
possibility to carry out
investigations and information
exchange in a comparable
scale and manner without the
support of Europol in the
current context.
Qualitative:
Baseline of current scale of
exchanges.
Evidence on cases or specific
requests, activities where Europol
Desk research: Review of grey
literature and operational
reports
Interviews: JSPG, COM
strategic policy staff JHA area,
Member States Ministries of
148
Member States clearly relied
on Europol's activities and
knowledge.
had key role in investigation or
sharing of knowledge.
Evidence on existing Member States
practices on investigations and
exchanges of information.
Absence of indications that Member
States could have achieved the same
results without Europol’s expertise in
investigations and knowledge.
Opinion-based:
Stakeholders’ perspectives on the
ability of Member States to carry out
the same investigations and
exchanges of information, pointing to
clear cases, instances.
Quantitative:
EIS information, use of EAS and
SIENA.
Interior (political level),
Europol MB, Europol Police
Chiefs.
Survey: Member States law
enforcement authorities and EU
agencies and bodies, general
public (public consultation).
Case studies: specific cases of
cross-border investigations
conducted with and without
Europol’s involvement,
understand effectiveness and
challenges faced in both
scenarios.
ANNEX 8: INVENTORY OF EXISTING INFORMATION SYSTEMS
AND TOOLS AT EUROPOL
This inventory provides an overview of Europol’s main information systems and tools to
support Member States in preventing and combating serious international and organised
crime, cybercrime and terrorism.
It is aimed at facilitating navigation through the Agency’s operational environment by
presenting core systems, information exchange tools, operational support tools and
coordination mechanisms.
1. Core Operational Systems
Store, process and analyse operational criminal data shared by Member States
Europol Information System (EIS)
Europol’s centralcriminal information system. It contains information related to suspected
and convicted persons, criminal networks and structures, offences and criminal activities,
objects used to commit crimes (e.g. vehicles, communication devices, financial accounts).
Data can be inserted into the EIS manually through a specific Europol’s web application,
or automatically through a data loader solution. Newly inserted data is automatically
compared with existing information in the system to identify potential matches.
The EIS user community includes officials in the Member State Europol National Units
(ENUs), Member State liaison officers at Europol, as well as Europol officials and
seconded national experts (SNEs).
Europol Analysis System (EAS)
Operational information system hosting data contributed by Member States and Third
Parties. It supports Europol analysts in their operational and strategic analysis of data
provided by Europol’s stakeholders and enables information to be managed centrally.
Analysis Projects (APs)
Operational data processed in the EAS is organised in Analysis Projects. As intelligence
platforms supporting criminal investigations related to specific crime areas, they enable
Europol and Member States to collect and analyse operational data, identify criminal
networks and links between investigations, support international investigations through
analytical products.
They focus on certain crime areas from commodity-based, thematic or regional angles
(e.g., drugs trafficking, Islamist terrorism, Italian organised crime).
2. Information Access and Exchange Tools
Exchange operational information and securely access Europol data systems
Secure Information Exchange Network Application (SIENA)
150
The Agency’s main platform for the secure exchange of operational and strategic crime-
related information. It enables communication between Europol, EU Member States, EU
agencies, Third Parties and international partners with cooperation agreements.
The application allows the exchange of information on three classification levels: EU
Confidential (EU-C), EU Restricted (EU-R), and Basic Protection Level (BPL).
SIENA can be used by liaison officers, Europol officials, ENU personnel and other
designated law enforcement authorities. Third Parties with whom Europol has cooperation
agreements are also connected to SIENA.
Querying Europol Systems (QUEST)
Web service integrated in national system interface(s) of Europol Member States. It allows
law enforcement authorities to query Europol data directly from their national interfaces.
It enables searches in the EIS and APs and allows queries concerning persons, firearms,
identity documents, means of communication, means of transportation, financial accounts
and means of payment.
Large File Exchange
System allowing the secure exchange of large volumes of data that exceed the size
limitation of file attachment in SIENA. It is used to exchange large datasets related to
criminal investigations, such as digital evidence or extensive operational datasets.
It can also be used for bilateral exchanges of large data volumes.
3. Operational Coordination Mechanisms
Support the coordination of international investigations and operational responses
involving multiple Member States.
24/7 Operational Centre
By ensuring continuous operational support for Member States and Europol partners, it
monitors operational and non-operational information exchange through SIENA, provides
first-level response on a 24/7 basis to law enforcement authorities’ requests and supports
urgent cross-border investigations.
Joint Cybercrime Action Taskforce (J-CAT)
24/7 permanent taskforce operating from Europol headquarters together with the European
Cybercrime Centre (EC3). It coordinates intelligence-led coordinated actions against key
cybercrime threats and targets. It also facilitates between law enforcement agencies from
different countries.
Governed by a Board composed of at least one senior law enforcement representative per
participating agency.
151
Operational Task Force (OTF)
Established by EU Member States and operational partners to target a High Value Target
involved in serious and organised crime or terrorism, it temporarily brings investigators
and analysts from the relevant countries to enhance coordination, intelligence sharing and
operational cooperation during cross-border cooperation. Europol offers analytical and
operational support.
152
ANNEX 9: DNA MATCHING SERVICE
DNA is currently the most widely used biometric modality in the European Union for the
identification of individuals and the resolution of criminal investigations.
Within the EU, DNA profiles are always generated by accredited national forensic
laboratories. These certified laboratories analyse DNA samples, either collected from a
known individual (typically through a buccal swab) or recovered as biological traces from
a crime scene. The analysis involves a series of complex biological, chemical and physical
processes that ultimately produce a standardised DNA profile suitable for forensic
comparison.
Once generated, each DNA profile is stored in a national DNA database, where it can be
compared against other profiles to identify potential matches. Such matches may occur
between a crime scene trace and the profile of a known individual, or between crime scene
traces originating from different investigations, thereby helping to establish links between
criminal cases.
Currently, 23 out of the 27 EU Member States use the Combined DNA Index System
(CODIS) as the software application for managing national DNA databases and
performing DNA profile comparisons. CODIS is owned, developed and maintained by the
Federal Bureau of Investigation (FBI) of the United States. Under the existing Prüm
framework, national CODIS systems are interconnected, enabling automated cross-border
DNA comparisons between Member States.
While the process of DNA matching itself is computationally straightforward compared to
other biometric modalities, it is governed by a set of highly specific and rigorous biological
rules that must be applied consistently. Unlike facial recognition or fingerprint matching
systems, DNA profile matching does not rely on artificial intelligence or machine learning
techniques, but instead on deterministic comparison algorithms based on established
forensic standards.
The Prüm II Regulation228 and its implementing act229 introduce important changes to
the DNA profile comparison framework. In particular, DNA profile exchanges will be
228 Regulation (EU) 2024/982 229 [Note to publication colleagues, link to be updated in June when the IA is published with the right
reference]
CODIS
DNA
Matcher
CODIS
DNA
Matcher
FBI builtForensic
Lab Forensic
Lab
Current Prüm I situation FBI
built
Prüm I Bilateral connections
153
routed through a centralised technical router operated by eu-LISA, and updated
matching rules will apply. Implementing these changes requires modifications to the
CODIS software currently used by Member States. As CODIS is proprietary software
owned and maintained by the FBI, such changes can only be carried out by the United
States authorities.
This situation creates a structural technological dependency of the EU on a third country
for a core component of its law enforcement infrastructure. In the current geopolitical
context, reducing such dependencies has become an increasingly important objective for
the Union, particularly in sensitive areas related to internal security and law enforcement
cooperation.
To address this dependency, the EU could develop, deploy and maintain its own European
DNA matching service capable of performing the same core functionalities currently
provided by CODIS. Such an EU-developed application would implement equivalent
DNA profile comparison rules and database management capabilities, while being fully
aligned with EU legal and operational requirements. Member States would progressively
migrate their existing DNA profiles from CODIS to the new EU system, after which
CODIS would no longer be required for national DNA profile database management or
cross-border comparisons.
Developing an EU-controlled DNA matching service would enhance the Union’s
technological sovereignty in a critical area of forensic cooperation, while ensuring full
operational continuity for national authorities and supporting the long-term sustainability
of the Prüm II framework.
Forensic Lab
Forensic Lab
EU
DNA
Matcher
EU
DNA
Matcher
EU built
EU built
Prüm II Router
Future foreseen Prüm II situation
154
ANNEX 10: IMPACTS OF POLICY OPTIONS
The information presented in this annex aims to enhance transparency and provide further
evidence underpinning the conclusions of the impact assessment. The annex should
therefore be read in conjunction with the main impact assessment, as it provides the
technical background and detailed results that support the overall evaluation of the policy
options.
Environmental impact: None, as the options do not involve environmental aspects.
Economic impact: Limited to EU and Member State investment in Europol human and
technical resources; no direct effects on private operators or SMEs are expected.
As certain options involve the exchange of personal data, particular attention is given to
fundamental rights, in line with the EU Charter. Any interference must be necessary and
proportionate (Articles 51–52), balancing security objectives with protection of personal
data (Articles 7–8) and privacy. The options aim to improve law enforcement
effectiveness, supporting public security and preventing serious crimes such as human
trafficking (Articles 2 and 5 of the Charter).
Data protection is safeguarded by the Europol Regulation, the Law Enforcement
Directive, and the EU Data Protection Regulation, ensuring legality, necessity, and
proportionality of processing. Limitations on rights are targeted, strictly within existing
law enforcement mandates. Each option pursues the general interest of EU internal
security, and the assessment focuses on necessity and proportionality.
The impacts are assessed on a scale ranging from ‘very positive impact’ (++) to ‘very
negative impact’ (--), with intermediate scores: ‘positive impact’ (+), ‘neutral’ (0) and
‘negative impact’ (-).Reinforcing Europol’s existing model
1.1 Sub policy option 1.1: Strengthened data availability, processing and service
a. Impact on citizens (+)
This option protects EU citizens by enabling Europol to cross-check and analyse
lawfully available data, allowing earlier detection of criminal networks, faster
Member State coordination, and more targeted law enforcement, while focusing on
priority crimes and preserving Member State control and fundamental rights.
b. Impact on national authorities (++)
This policy option has a very positive impact on national authorities by addressing
operational, technical and resource constraints and improving the returns of cooperation
with Europol. Member States gain:
• Automated data-loaders, reducing manual uploads and delays;
• Systematic cross-checks by Europol, enhancing intelligence quality;
155
• Upgraded systems (SIENA, EIS, EAS, QUEST/QUEST+), enabling faster and
more actionable analysis;
• Dedicated technical support, including specialised teams for integration and
optimisation;
• Joint procurement, reducing costs and promoting interoperability.
Overall, the option improves the cost–benefit of sharing data, encourages systematic
engagement, and strengthens mutual trust and EU-level law enforcement effectiveness.
c. Impact on fundamental rights
i. Objective of general interest (+)
This option supports the prevention, detection, and investigation of serious crime and
terrorism by improving the efficiency, quality, and timeliness of information exchange.
Automated data-loading and proportionate cross-checks by Europol enhance
intelligence accuracy and reduce delays and duplication. Upgraded systems (SIENA, EIS,
EAS, QUEST/QUEST+) provide faster queries, stronger analytics, and traceable
processing, while technical support and joint procurement promote interoperability, data
quality, and compliance. Overall, it fosters a systematic, accountable, and transparent
use of shared information.
ii. Impact on data protection (0)
Overall, the policy option has a neutral to slightly positive impact on data protection.
Necessity
The measures tackle inefficiencies in current cooperation, such as fragmented and manual
data-sharing. Automated data-loaders ensure that lawfully shareable data are complete,
accurate, and consistently used. System upgrades and technical support make existing
tools function effectively and comply with EU data protection standards, without
changing retention, access rights, or processing purposes. We therefore conclude that the
policy option respects the principle of necessity.
Proportionality
The option preserves full Member State control over shared data, with purpose limits.
System upgrades improve architecture, reliability, and safeguards without changing the
legal balance. Overall, measures focus on enhancing lawful processing while respecting
existing safeguards and oversight. We therefore conclude that the policy option respects
the principle of proportionality.
d. Costs (0)
Member
States
Europol
Direct costs
156
Expected one-off costs (in million EUR)
1) Data loaders
2) Upgrade of systems and tools
81 (3 per MS)
1) 54
2) 27
61
1) 5
2) 56
Expected yearly recurring costs (in million EUR per
annum)
1) Data loaders
2) Upgrade of systems and tools
16.2
1) 10.8
2) 5.4
12.2
1) 1
2) 11.2
This option entails upfront investment at both Member State and Europol level, primarily
driven by data loaders as well as system and tools (including enhance use of
interoperability tools). The financial effort reflects a structural modernisation of the EU
law enforcement information architecture, with medium to long-term savings and
operational gains. For more details on the costs of this policy option see Annex 3.
e. Feasibility (+)
Technical feasibility is high. The main components, automated data-loaders,
interoperability tools and Europol systems (SIENA, EIS, EAS, QUEST/QUEST+), are
already operational. The option focuses on scaling and upgrading existing capabilities,
not creating new infrastructures. Europol’s in-house expertise and eu-LISA’s experience
with large-scale EU systems further reduce implementation risks and support secure,
coherent deployment. Where relevant, synergies with eu-LISA’s infrastructure,
interoperability architecture and technical standards can support secure implementation,
ensure consistency across EU information systems and reduce duplication of effort. This
institutional ecosystem significantly mitigates implementation risks.
Political feasibility is positive. The option preserves Member State control and does not
expand Europol’s mandate or introduce indiscriminate data transfers. By delivering
tangible operational benefits – stronger analytical support and reduced administrative
burden – it aligns EU-level improvements with national interests.
Overall, the measure is feasible from a technical, operational and political perspective.
f. Impact on digitalisation (++)
This option has a very positive impact because it advances the digital transformation of
EU law enforcement by introducing automated data-loaders, enabling faster, more
reliable, and systematic information exchange. It automates existing processes, reduces
administrative burden, and supports near real-time cross-border flow. Standardised
data models and guidance foster interoperability across Member States, while timely,
structured data feeding enhances analytical capabilities and real-time intelligence
services. The infrastructure also lays the foundation for future digital initiatives,
embedding the ‘digital by default’ principle without creating new legal obligations.
157
1.2 Policy option 1.2: enhanced mitigating measures to address the obstacles of data
subject categorisation
a. Impact on citizens (0)
This policy option has a neutral impact on citizens (0). It does not constitute any significant
changes, as the obligation to carry out the categorisation of data subjects remains
unchanged. Instead, the measures of this option aim at improving the situation for national
authorities by facilitating the overall process.
b. Impact on national authorities (+)
The option has a positive impact on national authorities as it would result in more
streamlined processing of complex and large datasets. Due to the detailed internal guidance
and tools (checklists, templates, standard scenarios) that would be developed as part of this
option, there would be reduced operational delays and fewer inconsistencies, resulting in
the overall positive impact on national authorities. Greater legal certainty and clarity in
applying DSC rules would also reduce the risk of errors and subsequent corrective actions.
c. Impact on fundamental rights (0)
i. Objective of general interest (+)
This option makes a positive contribution to an objective of general interest (+), as it
constitutes a measure to facilitate the overall fight against serious and organised crime.
Improving and harmonising the practical application of the rules governing data subject
categorisation and the subsequent improvement would lead to more consistent and reliable
data processing, facilitating the work of both national authorities and Europol, resulting in
faster operational results and investigations.
ii. Impact on data protection (0)
Necessity
The flaws and obstacles of the current DSC framework have been highlighted both by the
national authorities of the Member States as well as by the Commission, as underlined by
the report pursuant to article 68(3) of the ER230, resulting in the necessity for a change to
such rules and the operational capabilities.
By utilising current tools and methodologies to reduce errors and inconsistencies in data
categorisation, the overall level of data protection is maintained and strengthened through
improved compliance and consistency. We therefore conclude that the policy option
respects the principle of necessity.
230 COM(2025) 752 final, 11.12.2025.
158
Proportionality
The policy option of addressing the obstacles of DSC by introducing mitigation measures
is fully proportionate as it would aim to harmonise and streamline currently existing rules
rather than introduce new ones. Standardising the process of DSC while increasing the
legal certainty and simultaneously making it more efficient and less resource-intensive,
demonstrates the proportionality of this option. No new categories of data, new processing
purposes or expanded access rights are introduced. We therefore conclude that the policy
option respects the principle of proportionality.
d. Cost (+)
The overall cost of this option is difficult to estimate. The option will require small initial
investments related to the development of internal guidance, tools and training materials.
In the long-term, however, the initial cost of labour needs would be offset by the overall
benefit of clarifying and improving the framework on DSC, reducing inefficiencies and
corrective workload.
e. Feasibility (++)
This policy option has very positive feasibility as it would be easily put into place. The
technical feasibility would not require developing an entirely new framework for DSC but
rather improving and further developing a set of rules already in place.
The political feasibility would be equally as positive (++) as national authorities have
underlined the need for further clarifications and guidelines, as well as the necessity to
reform the overall process of DSC. This policy option should therefore face little to no
political opposition.
f. Impact on digitalisation (0)
The option has an overall neutral impact on digitalisation. While it relies on existing digital
infrastructures, it does not fundamentally transform the digital architecture of the process
of data subject categorisation. Subsequently putting in place mitigating measures to
address the obstacles of DSC serves as an enabler for Europol to process and analyse data
rather than being a driver of structural change. Meaning that Europol’s overall usage of
data would be (further) consolidated, which has no impact on digitalisation as such.
1.3 Policy option 1.3 - Measure 1 on reinforced Europol’s support to the EPPO
EPPO Support Unit: a reinforced, dedicated unit within Europol’s Financial and
Economic Crime Centre (EFECC), composed of specialised staff assigned exclusively to
EPPO-related cases, replacing and reinforcing the current small team handling these. The
organisation of the unit would not change compared to what is currently in place with the
current small team except in terms of staff, which would however grow significantly. The
unit’s staff will need to be specialised in VAT fraud, customs fraud, excise fraud, and
trade-based money laundering, and should have familiarity with the complex multi-
criminal behaviours of modern organised crime groups (MTIC schemes). Four different
159
types of support tasks would be handled by the unit: cross-checks of EPPO data against
Europol database (hit/no-hit), digital forensics (in particular making information in seized
devices available for operation analysis), operational analysis (making sense of data
gathered in EPPO cases), and operational support (e.g. assets tracing, preparatory
activities for action days, manning virtual command posts). The Europol-EPPO Working
Arrangement would be updated accordingly.
a. Impact on citizens (+)
This measure would reinforce the protection of EU citizens against the crimes for which
the EPPO is competent and the criminal actors involved. Therefore, this measure has a
positive impact on citizens.
b. Impact on national authorities (+)
Europol’s reinforced support to the EPPO will help further extract criminal proceeds from
criminal actors. Therefore, this measure has a positive impact on national authorities
(+).
c. Impact on fundamental rights (+)
This measure would have a positive impact on fundamental rights insofar as it would
ultimately help strengthen the EU Member States’ statehood against criminal threats,
prompting Member States’ concrete ability to respect, promote and fulfil human rights
under international and EU law.
i. Objective of general interest (+)
This measure makes a positive contribution to an objective of general interest (+),
namely the protection of the financial interests of the EU, by allowing the EPPO to
effectively carry out its mission vis-a-vis sharply increasing need for support from Europol.
ii. Data protection (0)
Necessity and proportionality
The current Europol staff allocated to support the EPPO (8-9 officers) is not sufficient.
This measure is necessary to meet the minimum level of the EPPO’s sharply increasingly
needs and thus allow it to effectively protect the financial interests of the EU. It does not
interfere with current data protection levels. Therefore, this policy measure respects the
principles of necessity and proportionality.
d. Costs (+)
Member States activities EU activities
Direct costs
160
Expected one-off costs (in
million EUR)
0 0
Expected yearly recurring
costs (in million EUR)
0 10
One-off costs for Member States are negligible, as the measure focuses on establishing
new Europol-level capacities, without requiring structural changes, staff contributions, or
procedural adaptations at national level. Recurrent costs arise mainly at Europol, reflecting
the long-term employment of specialised officers in the dedicated EPPO Support Team,
responsible for operational analysis, cross-checks, and digital forensics, with an average
annual cost of approximately EUR 10 million.
e. Feasibility (+)
Technical feasibility
The measure is legally feasible. Establishing the EPPO Support Unit at Europol would not
alter the respective mandates or the fundamental nature of the relationship between
Europol and the EPPO. It would not require amending the Europol Regulation. Amending
the Europol-EPPO Working Arrangement would suffice. From an organisational
perspective, the measure would build on existing organisational and technological set-ups
(e.g. EFECC, JIT model, case-handling processes), but would require enhanced
operational capacity in terms of staff (e.g. capability to support investigations and run
analytical tasks, expertise in defined areas [VAT fraud, customs fraud, MTIC]). For this
reason, the option is technically feasible (++).
Political feasibility
The consultation activities have revealed that both Europol and the EPPO would fully
support this measure,231 while Member States would widely support it232. However, several
Member States have also emphasised their preference that Europol’s support remain
essentially focused on the operational needs of the Member States233. Overall, the measure
is politically feasible (+).
f. Impact on digitalisation (0)
This measure would have no to positive impacts on digitalisation depending on whether
implementation maintains the current level or increases the digital delivery of services.
231 Interview, focus groups, targeted survey with agencies. 232 The responses to the targeted survey for the EU Member States’ national law enforcement authorities
show support for the update of the working arrangement 233 As discussed in the COSI meeting of February 2026.
161
1.4 Policy option 1.3 - Measures 2 and 3 for a strengthened continuum of EU-level
support to law enforcement cooperation through Europol and judicial cooperation
through Eurojust
a. Impact on citizens (+)
These measures would overall reinforce the protection of EU citizens against organised
crime, albeit moderately.
b. Impact on national authorities (+)
These measures would overall reinforce the information at disposal of Europol and
Eurojust and thus the support they can provide to national authorities, albeit moderately.
The national authorities of EU Member States would be able to continue relying on
SIRIUS’ knowledge and expertise to successfully obtain critical electronic evidence for
criminal investigations and prosecutions, namely in a permanent manner.
c. Impact on fundamental rights (+)
These measures would have a positive impact on fundamental rights insofar as it would
ultimately help strengthen the EU Member States’ statehood against criminal threats,
prompting Member States’ concrete ability to respect, promote and fulfil human rights
under international and EU law.
i. Objective of general interest (+)
These measures make a positive contribution to an objective of general interest (+), namely
the EU-level fight against organised crime and cybercrime, by strengthening the
continuum of EU-level support through Europol and judicial cooperation through Eurojust.
ii. Data protection (0)
Necessity and proportionality
These measures are necessary to strengthen the continuum of EU-level support through
Europol and judicial cooperation through Eurojust. Upgrading the existing hit/no-hit
mechanism through the introduction of automated processes is necessary to improve
indirect information exchange between Europol and Eurojust. Introducing
Institutionalising the mission of the SIRIUS project within the Europol Regulation is
necessary to ensure the long-term financial sustainability and permanent support for the
national authorities of the EU Member States according to their needs. Therefore, these
measures respect the principles of necessity and proportionality.
d. Costs (+)
Member States activities EU activities
Direct costs
162
Expected one-off costs (in
million EUR)
0 2
Expected yearly recurring
costs (in million EUR)
0 1
One-off and recurring costs for Member States are expected to be negligible, as the
measures focus on Europol–Eurojust cooperation and build on existing infrastructure,
workflows, and personnel. Costs at EU level reflect Europol and Eurojust staffing for the
SIRIUS project and the hit/no-hit mechanism, with modest adjustments for
institutionalisation and light automation, generating efficiency gains by reducing manual
exchanges and improving operational timeliness.
e. Feasibility (+)
Technical feasibility
From a legal perspective, the institutionalisation of SIRIUS would require amending the
Europol and Eurojust Regulations regarding their tasks. Article 4 of the Europol
Regulation already provides a broad mandate for Europol to support Member States
through expertise, training, operational coordination and facilitation of cooperation with
private parties. A legislative clarification explicitly mandating Europol to provide
structured support on cross-border access to electronic evidence, including cooperation
with Eurojust, service providers and third countries, would provide legal certainty, stable
governance and budgetary predictability. For the hit/no-hit automation component, both
Regulations foresee indirect access to information on a hit/no-hit basis. The current
limitations are related to implementation modalities. From a technical perspective,
feasibility remains strong.
Political feasibility
From a political perspective, feasibility is high. The SIRIUS EU Electronic Evidence
Situation Report 2024 confirms sustained and growing operational demand for EU-level
support in accessing electronic evidence.234 In 2023 alone, competent authorities
submitted 266,855 cross-border data disclosure requests to major online service
providers, representing a 22% increase compared to 2022, demonstrating the scale and
structural nature of demand.235 Feedback collected in the 2024 report from law
enforcement, judicial authorities and service providers highlights the value of centralised
expertise, Single Points of Contact (SPoCs) and structured dialogue with private
companies.236 Service providers also emphasised the importance of predictable
engagement and harmonised practices, indicating that institutionalisation would enhance
234 Europol (2025) SIRIUS Electronic Evidence Situation Report 2024.
235 Europol (2025) SIRIUS EU Electronic Evidence Situation Report 2024 – Factsheets (Law Enforcement,
Judicial Authorities, Service Providers).236
ibid.
163
legal certainty rather than create new burdens.237 These stakeholder views demonstrate
broad operational acceptance and support across law enforcement, judiciary and private
sector actors, reinforcing the political feasibility of embedding SIRIUS permanently
within the Europol and Eurojust mandates.
f. Impact on digitalisation (0)
This measure would have no to positive impacts on digitalisation depending on whether
implementation maintains the current level or increases the digital delivery of services.
1.5 Policy option 1.4: Europol digital platforms embedded in national investigations
a. Impact on citizens (++)
This option has a very positive impact on citizens by reducing the risk of undetected
cross-border criminal links. Integrating national CMS with Europol platforms and
requiring targeted consultation in serious cases embeds checks into everyday workflows,
enabling earlier detection, reducing blind spots, and improving Member State
coordination, thereby enhancing overall citizen security.
b. Impact on national authorities (+)
This option benefits national authorities by embedding Europol support directly into
CMS workflows, allowing investigators to consult platforms and receive analytical
feedback within their national environment. Targeted consultation in serious cross-border
cases ensures EU-level information is systematically used, preventing missed links and
supporting early de-confliction. National authorities retain full control while gaining
enhanced situational awareness and more consistent analytical support.
c. Impact on fundamental rights
i. Objective of general interest (++)
This option makes a strong positive contribution to an objective of general interest, i.e.
the prevention and combating of serious crime and terrorism, by embedding Europol
platforms into national workflows and requiring targeted consultation in cross-border
cases, ensuring EU-level information is systematically used, reducing fragmentation,
closing information gaps, and strengthening early detection of criminal networks.
ii. Data protection (0)
Necessity
The integration of national CMS with Europol systems improves workflows and
interfaces without creating new data categories, access rights, or processing purposes. A
targeted obligation to systematically consult EIS in serious cross-border cases addresses
237 Europol (2025) SIRIUS EU Electronic Evidence Situation Report 2024 – Factsheets (Law Enforcement,
Judicial Authorities, Service Providers).
164
operational gaps, ensuring lawfully available information is effectively used. By
embedding consultation as a structured, proportionate step, the measure reduces blind
spots, prevents information gaps, and ensures existing data-sharing mechanisms function
as intended. We therefore conclude that the policy option respects the principle of
necessity.
Proportionality
This option does not create new data categories, databases, or purposes; it structures
existing lawful access to Europol systems, notably EIS, within national CMS. A targeted
obligation to consult EIS in serious cross-border cases ensures that lawfully available data
is consistently and effectively used, without expanding Europol’s mandate. Embedded
consultation reduces missed links and fragmentation while preserving national control,
purpose limitation, and data ownership, ensuring interference with data protection
rights is proportionate.
We therefore conclude that the policy option respects the principle of proportionality.
d. Costs (0)
Member
States
Europol
Direct costs
Expected one-off costs (in million EUR)
105 50
Expected yearly recurring costs (in million EUR per
annum)
20 8
One-off costs for Member States (EUR 105 million) cover new criminal information
strategies, updates to case management systems, integration with UMF standards, and
training, with recurring costs (EUR 20 million/year) for ongoing maintenance. Europol
one-off costs (EUR 50 million) include upgrades to data ingestion, scaling of databases,
and support to Member States, with recurring costs (EUR 8 million/year) for continued
operational and integration support.
Technical feasibility
Integrating national CMS with Europol systems requires secure APIs, harmonised data
models, workflow adjustments, and increased capacity, but builds on existing SIENA
connectivity rather than creating a new digital ecosystem. Implementation will need
substantial EU and national resources, including development, testing, training, and
change management, with Europol providing central support through toolkits, reference
architectures, and on-site assistance. Systematic consultation is technically feasible only if
Europol systems are robust, scalable, and able to handle increased queries while
delivering timely responses.
165
For this reason, the option is technically feasible (+) only in conjunction with Policy
Option 1.1, which upgrades Europol’s ICT infrastructure, performance and service
delivery. Without Option 1.1, embedding systematic consultation into national workflows
would risk system overload, latency and reduced reliability, making overall feasibility
negative (–).
Political feasibility
Political feasibility is ambitious, as embedding Europol systems into national CMS and
introducing systematic consultation represents a major shift for Member States. While
benefits are clear, faster detection, improved situational awareness, and better
analytical support, authorities may resist changing established workflows. Feasibility is
higher with phased implementation, pilot projects, peer exchanges, and strong Europol
support to build trust. Rapid, large-scale deployment without engagement and resources
is unlikely to succeed. Overall, the option is politically feasible but facing significant
obstacles (-).
e. Impact on digitalisation (+)
This option advances the digitalisation of EU law enforcement by integrating national
CMS with Europol systems and enabling systematic consultation of EIS/EAS. It
replaces manual, ad hoc processes with automated workflow checks, standardises
information exchange, and delivers timely, actionable analytical outputs, improving
usability, automation, and effectiveness of existing systems while reinforcing the ‘digital
by default’ principle’.
1. Designing a new model for Europol
2.1 Policy option 2.1: Europol as an operational service provider and information hub
a. Impact on citizens (+)
Overall, this policy option has a positive impact on citizens (+), by enhancing the EU’s
capacity to prevent and combat serious crime while preserving Member State control.
Europol, when authorised, could query national databases under Prüm II (DNA,
fingerprints, facial images), police indexes, and vehicle records, acting strictly on behalf
of Member States. In time-critical or large-scale cases, Europol’s technical and forensic
support enables faster cross-border link detection. An EU DNA matching service would
strengthen forensic cooperation, reduce reliance on third-country tools, and improve the
speed and reliability of cross-border investigations.
b. Impact on national authorities (++)
This option strongly benefits national authorities, especially investigators handling
complex or cross-border cases, by allowing Europol, strictly on behalf of and with
explicit authorization, to query national databases under Prüm II. Authorities gain faster
handling of biometric and non-biometric queries, technical and forensic support in
high-volume cases, and improved analytical coherence across jurisdictions. Real-time
alerts and subscription-based notifications reduce fragmentation and ensure that relevant
166
developments are not missed, without creating automatic data transfers. Political
acceptability relies on strict safeguards, authorisation, and clear governance.
The optional EU DNA matching service would provide shared forensic capabilities,
reduce dependency on third-country tools and align with Prüm II standards. Member
States would benefit from faster adaptation to evolving requirements, operational
continuity, and support for smaller forensic authorities, while maintaining national
ownership of data and investigative decisions. The service strengthens strategic
autonomy and technical resilience in cross-border investigations.
c. Impact on fundamental rights
i. Objective of general interest (+)
This option makes a positive contribution to an objective of general interest (+), namely
the prevention and combating of serious crime and terrorism. By combining authorised
Europol access to national data under Prüm II, improved system interoperability, and
shared services such as a potential EU DNA matching service, this option strengthens the
speed, coherence, and reliability of cross-border investigations. It reduces fragmentation,
enables earlier detection of cross-system links, and enhances forensic cooperation in
complex or time-critical cases, while Europol acts strictly within its mandate and on
Member State authorisation, without centralising data. Overall, it reinforces EU internal
security and delivers clear EU added value.
ii. Impact on data protection (0)
Necessity
Allowing Europol, with explicit Member State authorisation, to query national databases
under EU frameworks addresses operational gaps that currently cause delays and blind
spots. Anchored in the Prüm II hit/no-hit architecture and maintaining full national
control, Europol acts as a technical and analytical service provider without new data
categories or autonomous access rights, ensuring more effective cross-border cooperation,
particularly in complex or time-critical cases.
A shared EU DNA matching service enhances operational resilience, aligns with
evolving Prüm II standards, and reduces reliance on third-country tools. Developed with
Member States and forensic authorities, it is optional and fully governed by Member
States, providing a common solution for lawfully collected data while preventing
fragmentation and ensuring consistent application of EU data protection standards. Both
measures are necessary and targeted, addressing identified operational gaps without
expanding Europol’s mandate or data scope.
This policy option passes the necessity test.
Proportionality
Europol access strictly limited to Prüm II and under Member State authorisation is
proportionate, preserving the hit/no-hit architecture, national control, case-based use,
167
and data ownership, without expanding data categories or retention. This supports cross-
border investigations without exceeding what is necessary, while any access beyond Prüm
II is not proportionate and excluded from option comparisons.
A shared EU DNA matching service, developed with Member States and aligned with
Prüm II, is proportionate. It does not create new data categories, remains optional and
Member State–governed, and preserves decentralised storage and ownership,
providing common infrastructure for lawfully exchanged DNA data. Its benefits –
enhanced effectiveness and EU strategic autonomy – outweigh the limited, controlled
impact on data processing. We therefore conclude that the option respects the principle
of proportionality.
d. Costs (+/--)
Member States Europol
Direct costs
Expected one-off costs (in million EUR)
1) Access to national databases
2) DNA matcher
1.35 (0.05 per
MS)
1) 0
2) 1.35
11
1) 6
2) 5
Expected yearly recurring costs (in million EUR per
annum)
1) Access to national databases
2) DNA matcher
0.3
1) 0
2) 0.3
5.3*
1) 4.3
2) 1
Under the Prüm-based approach, Member States’ costs remain negligible, with only
limited technical adjustments and a small one-off cost (around EUR 0.05 million per
Member State). Europol bears moderate initial and limited recurring costs for additional
staff, reinforced data management and minor system upgrades, including the EU DNA
matcher. While EU-level expenditure increases, overall Union costs are expected to
decrease over time through economies of scale and reduced reliance on third-country
solutions.
e. Feasibility (+)
Technical feasibility
Technical feasibility is high for Prüm II–based authorised access, as the necessary
hit/no-hit infrastructure, secure channels, and biometric matching are already in place,
requiring mainly workflow and configuration adjustments. A shared EU DNA matching
service is more complex but feasible, building on existing forensic standards, technologies,
168
and Prüm frameworks, and requiring robust security, governance, and Member State
cooperation. With phased implementation, both measures are technically feasible, giving
an overall positive feasibility assessment (+).
Political feasibility
The policy option in politically feasible (+). Prüm II-based authorised access is
challenging, as it shifts Europol’s role to querying Member State data, but is acceptable
when Europol acts strictly on Member State request. Any access beyond Prüm II would
likely face strong opposition. The EU DNA matching service is politically feasible, as it
enhances strategic autonomy, reduces reliance on third-country tools, and remains
optional and Member State-governed.
f. Impact on digitalisation (0)
The option has a neutral impact on digitalisation, relying on existing infrastructures like
Prüm II and forensic technologies without fundamentally transforming EU law
enforcement’s digital architecture. Prüm II access builds on established frameworks, and
the optional EU DNA matching service consolidates existing capabilities. Digital tools
primarily enable operational support rather than driving structural digital transformation.
2.2 Policy option 2.2: Simplified rules to reduce the administrative burden of data
subject categorisation
a. Impact on citizens (+)
As this policy option would allow both Europol and the EU Member States to use data
more effectively and consistently, there would be a direct, positive impact on Europol’s
ability to fight serious and organised crime and terrorism. By reducing operational delays
and increasing legal clarity, investigations could progress more efficiently, leading to a
positive impact on citizens and strengthening overall security.
b. Impact on national authorities (++)
The option would significantly change and simplify the process of Member States sharing
data. It would lead to harmonisation of rules applicable to Member States and Europol
alike, by aligning the Europol Regulation with the Law Enforcement Directive (LED) and
the EU Data Protection Regulation (EUDPR), resulting in clearer and more coherent rules
for national authorities.
In addition, the overall harmonisation would lead to a decrease in bureaucracy, constituting
another very positive impact on national authorities. Greater legal certainty would also
reduce the risk of divergent interpretations and corrective actions.
169
c. Impact on fundamental rights (+)
i. Objective of general interest (+)
This policy option would have a clear positive impact as regards the objective of general
interest. A simplified and harmonised framework for data subject categorisation would
enhance Europol’s operational effectiveness positively contributes to the ability of Europol
to fight against serious and organised crime and terrorism by lessening operational burden
on Europol and eliminating operational delays currently faced.
ii. Impact on data protection (-)
Necessity
This policy option proves to be of a high necessity as it would positively impact the way
data would be analysed and used by Europol. Whereas currently data may remain
underused due to the complex framework governing data subject categorisation, the option
would allow for data to be processed and analysed more efficiently, within a clearer and
legally aligned structure. This ensures that data already lawfully collected can be
effectively used for its intended law enforcement purpose. We therefore conclude that the
policy option respects the principle of necessity.
Proportionality
The option is proportionate in that it does not introduce new categories of data, new
processing purposes, or expanded access rights. However, the removal and simplification
of the Data Subject Categorisation (DSC) entail a moderate negative impact on data
protection, as some of the procedural safeguards that previously limited operational
processing are reduced. The measure aligns existing rules with the LED and the EUDPR
and reduces procedural constraints, thereby enhancing operational coherence and
effectiveness. By maintaining the core safeguards and limiting the scope of processing to
operationally necessary cases, the option seeks an appropriate balance between efficiency
and fundamental rights. We therefore conclude that, while there is a negative impact on
data protection, the policy option remains proportionate in relation to the objectives
pursued.
d. Cost (++)
Even though the policy option would significantly improve Europol’s operational
flexibility and capacity to process information, it would not require substantial initial
investment, as it primarily concerns legislative alignment and simplification. Moreover,
this policy option would likely free up resources that are currently deployed to specifically
engage in the burdensome procedure of data subject categorisation under the current
framework.
Administrative savings and efficiency gains are therefore expected, justifying the very
positive cost assessment.
170
e. Feasibility (+)
The technical feasibility of this option is to be assessed as very positive (++), as it would
not require substantial changes to be put in place or require the development of an entirely
new legal framework for DSC. Instead, the framework would be aligned to that of the LED
and the EUDPR.
The alignment with already existing legislation would constitute a positive assessment as
regards political feasibility (+). Overall, this harmonisation would be well-received by
Europol and the Member States aligned, as underlined by the recent report under article
68(3) of the ER and further consultation of Member States’ experts at technical level.
However, as this option could potentially offset complexities as regards data ownership
and sovereignty, the impact is assessed only as positive and not as very positive.
f. Impact on digitalisation (0)
The option has an overall neutral impact on digitalisation. By aligning existing legal
frameworks and procedures, the digital architecture of the process of data subject
categorisation is not fundamentally transformed. Subsequently address the obstacles of
DSC serves as an enabler for Europol to process and analyse data rather than being a driver
of structural change. Meaning that Europol’s overall usage of data would be (further)
consolidated, which has no impact on digitalisation as such.
2.3 Policy option 2.3: Europol as structural provider of information, analytical support
and capacities to the EPPO
a. Impact on citizens (++)
The positive impacts on citizens mentioned for policy option 1 would increase thanks to
efficiency gains deriving from the introduction of both hierarchical arrangements and
direct information exchange between Europol and EPPO. Citizens would also benefit
indirectly from Europol having access to further information stored by the EPPO.
b. Impact on national authorities (++)
The positive impacts on national authorities mentioned for policy option 1 would increase
thanks to efficiency gains deriving from the introduction of both hierarchical
arrangements and direct information exchange between Europol and EPPO. Law
enforcement authorities would also benefit indirectly from Europol having access to
further information stored by the EPPO, as this would strengthen Europol’s support and
coordination abilities.
c. Impact on fundamental rights (++)
This measure would have a very positive impact on fundamental rights insofar as it would
ultimately help strengthen the EU Member States’ statehood against criminal threats in an
efficient manner, prompting Member States’ concrete ability to respect, promote and fulfil
human rights under international and EU law.
171
i. Objective of general interest (++)
This measure makes a very positive contribution to an objective of general interest (+),
namely the protection of the financial interests of the EU, by allowing the EPPO to
effectively and efficiently carry out its mission. The same goes for the EU-level fight
against serious and organised crime, cybercrime and terrorism, by allowing Europol to
develop specialised skills and have access to a huge amount of relevant information to
ultimately more effectively support the Member States.
ii. Impact on data protection (0)
Necessity and proportionality
This measure is necessary to efficiently meet the EPPO’s sharply increasingly needs and
allow it to maximally protect the financial interests of the EU. It does not interfere with
current data protection levels. Therefore, this policy measure respects the principles of
necessity and proportionality.
d. Costs (++)
Member States activities EU activities
Direct costs
Expected one-off costs (in
million EUR)
0 0
Expected yearly recurring
costs (in million EUR)
0 11.1
One-off and recurring costs for Member States are negligible, as the measure operates at
EU level and does not require national staff contributions or operational expenditure. For
Europol, no separate start-up costs are identified, since onboarding and infrastructure needs
are already captured in the average annual staff cost methodology. Recurrent costs stem
mainly from establishing a dedicated EPPO Support Team (around EUR 10.1 million
annually) and additional permanent cooperation mechanisms (less than EUR 1 million
per year).
e. Feasibility (+)
Technical feasibility
The measure is legally feasible. Besides establishing the EPPO Support Unit, which was
analysed for policy option 1, turning Europol into a structural provider of information,
analytical support and capacities to the EPPO would require amending the Europol
Regulation regarding Europol’s tasks. Introducing the possibility for hierarchical
arrangements and direct information exchange between Europol and EPPO when
information falls within the EPPO’s competence would also require amending the Europol
Regulation regarding relations between Europol and EPPO.
172
Political feasibility
The consultation activities have revealed that the EPPO would fully support this
measure,238 while both Europol and several Member States remain reluctant toward
introducing the possibility for information exchanges in derogation from the “data
ownership principle”239. Overall, the measure remains politically feasible, albeit with
difficulties.
f. Impact on digitalisation (0)
This measure would have no to positive impacts on digitalisation depending on whether
implementation maintains the current level or increases the digital delivery of services.
2.4 Policy option 2.4: EU Police Cloud and Europol support offices
a. Impact on citizens (+)
The continued rise of digitally enabled and AI-facilitated crime, combined with
increased cross-border mobility, has led to a more diverse and complex threat landscape.
Criminal activities increasingly span EU internal borders and affect citizens both directly
and indirectly. This trend is expected to intensify as a growing share of citizens’ daily
activities takes place in digital environments.
Ensuring a safer physical and online environment therefore requires enhanced cross-
border cooperation, improved information exchange among Member States, and
analytical capacities capable of processing large and complex datasets. The EU Police
Cloud would support the deployment of interoperable digital investigative tools and
scalable processing capabilities, enabling law enforcement authorities to respond more
effectively to evolving forms of criminality. Overall, the initiative is expected to
strengthen EU internal security by supporting law enforcement adaptation to the digital
transformation of crime, thereby delivering tangible benefits for citizens in terms of safer
physical and online environments.
By strengthening the operational link between Europol and the Member States, through
reinforced Europol National Units complemented by Europol Support Offices, this
measure would establish a more integrated, efficient and operationally driven model of
cross-border law-enforcement cooperation. It is expected to deliver tangible security
outcomes for citizens, including more effective disruption of cross-border criminal
networks, earlier detection of cross-border dimensions in criminal investigations, faster
operational responses, and improved coordination of operational and investigative
238 As stated by the EPPO in the interview carried out by ICF in the context of the study supporting the
evaluation and impact assessment of the Europol Regulation, as well as during the third workshop on the
future of Europol and in its Note to DG HOME on improving the cooperation between the EPPO and
Europol. 239
As stated by Europol, during the focus groups carried out in the context of the study supporting the
evaluation and impact assessment of the Europol Regulation, and by Member States during the fourth
workshop on the future of Europol and during the COSI meeting of February 2026.
173
activities. Over time, this enhanced effectiveness is likely to contribute to a higher level of
security within the Union and to reinforce citizens’ trust in the EU’s capacity to combat
serious and organised crime.
b. Impact on national authorities (++)
The EU Police Cloud would provide criminal investigators across the Union with scalable
storage and on-demand computing capacity, enabling them to manage expanding
datasets and peak workloads more effectively. National authorities would benefit from
enhanced analytical tools, including AI-supported pattern detection, network and
multimedia analysis, and decryption capabilities. These functionalities would support more
precise and near real-time data processing, thereby strengthening investigative and crime-
prevention capacities.
The initiative would also foster secure and trust-based cross-border information
sharing. Through harmonised authentication mechanisms and common security standards
across Member States, the Police Cloud would offer a unified environment for joint
analysis and cooperation. National authorities would retain control over their data
throughout its lifecycle, while benefiting from reduced fragmentation and improved
interoperability, thus reinforcing mutual trust and operational cooperation.
By enabling the processing of sensitive law enforcement data within a sovereign
European framework, the transition would contribute to resilience and strategic
autonomy. Moving beyond constraints linked to traditional infrastructure would facilitate
more efficient data handling and timely operational responses, in line with EU digital
sovereignty objectives. Overall, the EU Police Cloud is expected to enhance operational
effectiveness, efficiency and cooperation among national authorities, supporting strategic
law enforcement objectives at Union level.
Europol Support Offices would have a significant operational impact on national law-
enforcement authorities. They would provide more systematic and easier access to
Europol’s analytical, operational, and strategic products, while reducing administrative
and coordination burdens through locally embedded expertise familiar with both national
procedures and Europol systems. The offices would also strengthen trust and mutual
understanding between national services and Europol and support capacity-building
through specialised training. Evidence shows that Europol support is often mobilised late
in investigations, limiting its impact; these Europol support offices would facilitate earlier
engagement, improve uptake of Europol products in national proceedings, and, in the
medium term, increase operational efficiency while reducing duplication of efforts.
c. Impact on fundamental rights (+)
i. Objective of general interest (+)
The proposal aligns firmly with the EU’s overarching interest in promoting security, peace,
and the well-being of citizens through a unified law enforcement framework. In supporting
Europol’s capabilities, the measure seeks to uphold the collective security interests of
Member States, ensuring a harmonised approach to combating serious crime.
174
ii. Impact on data protection (0)
Necessity
The EU Police Cloud would provide the scalable storage and processing infrastructure
required to support an expanding range of EU criminal information-sharing and analytical
tools. It would enable seamless deployment within national environments and ensure a
high and harmonised level of security, notably through an EU Digital Police identity
framework.
The initiative would not introduce new personal data or new processing operations,
but would serve as the secure technical backbone for existing and future applications
requiring significant computing capacity.
Its necessity arises from the need to process large, complex and cross-border datasets
that cannot be efficiently handled through decentralised infrastructures alone. Certain joint
analytical and communication-based applications inherently require centralised capacity
due to volume and operational constraints. Joint cross-border analysis of information
shared by Member States, including extensions of JOAC and Europol Analytical Projects,
requires centralised storage and processing, as the data volumes involved exceed the
practical transfer capacities between national data centres. Similarly, communication-
based tools such as SIENA, the Large File Exchange (LFE) system, and multilateral
operational cooperation mechanisms rely on central processing infrastructure to
function effectively.
The EU Police Cloud is therefore considered a necessary enabling measure to maintain
effective and secure EU law enforcement cooperation in the digital environment.
Proportionality
The EU Police Cloud being only a technical platform for hosting law enforcement
applications does not entail per se any possible consequence on the persons’ rights and
freedom. Such hosted data processing being however susceptible by the size and the
processing power to augment the risks of potential infringements, EU police cloud will
accordingly provide by default build-in safeguards ensuring that a first unconditional line
of guarantees will be available to limit the hosted application to essential purposes in law
enforcement: along with harmonized digital police environment, will a common police
digital ID scheme, based on EU Digital Identity with insurance level high be the ground
stone for insuring traceability, accountability and strong role-based access to such sensitive
investigative data and to the corresponding tools.
In that way will the EU Police Cloud contribute to safeguarding individual privacy rights
for all potential storage and processing of data while maximising operational efficacy. The
approach ensures a balanced application of processing power without overextending the
access to or usage of personal data.
175
d. Cost (0)
Member States Europol
Direct costs
Expected one-off costs (in million EUR)
- EU Police Cloud
- EU Police Digital ID
- Europol Support offices
67,5
- 13,5
- 54
- 0
145.8
- 143.3
- 2,5
- 0
Expected yearly recurring costs
(in million EUR)
- EU Police Cloud
- EU Police Digital ID
- Europol Support offices
11,4
- 0,6
- 10,8
- 0
46.8
- 39.8
- 0,5
- 6,5
The initial investment costs associated with the deployment of the EU Digital Police Cloud
are substantial, encompassing infrastructure development, data migration, and ongoing
system management. Nevertheless, these investments are counterbalanced by long-term
savings arising from enhanced processing efficiencies and reduced overhead linked to
disparate national law enforcement systems.
A modest Europol support office would generate approximately EUR 400,000 to EUR
650,000 per year, covering staff costs, secure IT connectivity, equipment and limited
coordination travel. Under a rollout of five to ten antenna offices, total annual EU-level
costs would range between EUR 2 million and EUR 6.5 million, reflecting a scalable and
proportionate deployment model.
e. Feasibility (+)
From a technical perspective, the deployment of the EU Digital Police Cloud is feasible,
supported by robust advancements in cloud computing and data analytics technologies,
and notably via a more robust market offering including under sovereignty aspects. The
initiative benefits from a solid foundation of Europol’s existing expertise in secure data
processing and with IT resilience across JHA agencies, ensuring that the infrastructure
meets the high demands of law enforcement applications.
From a political perspective, there is broad support for the proposal given its alignment
with EU objectives relating to enhanced security, digital sovereignty, and collaborative
law enforcement. While recognising the strategic importance of unified crime prevention
capabilities across the Union, sovereignty, security and data ownership, will be essential
criteria to be met to comfort MS readiness to cooperate in implementing shared
infrastructure.
176
The Europol Support Offices are operationally feasible, as they build on existing
structures (Europol National Units), leverage Europol’s current practice of temporarily
deploying staff to support investigations and can make use of the Agency’s secure IT and
forensic environments, which could be extended to support this model.
From a legal perspective, the measure would require a targeted legislative amendment
introducing an explicit legal basis for the establishment of Europol support offices in
Member States limiting to support, coordination and technical functions, for the purpose
of facilitating and strengthening operational support.
From a political perspective, the establishment of support offices would be demand-
driven and voluntary, based on an invitation or agreement with the host Member State. The
exact size, number, location and duration of Europol support offices would remain flexible
and subject to periodic review.
f. Impact on digitalisation (++)
Digitalisation brought about by the EU Digital Police Cloud facilitates superior analytical
capabilities, enabling Europol to process increasingly complex and voluminous datasets
with greater precision and speed. This transformation accelerates the timeliness and
accuracy of operative activity, promoting proactive threat identification and intervention
strategies.
The cloud's sophisticated data handling and integration capacities afford Europol and
national law enforcement authorities the opportunity to harness machine learning and AI-
enhanced insights, fostering innovative approaches in combating organised crime and
terrorism. Through these technological advancements, Europol and national authorities are
better equipped to adapt to evolving criminal modalities, ensuring resilient and forward-
thinking security strategies.
Europol Support Offices would enhance the digitalisation of law-enforcement cooperation
by enabling earlier and more effective use of Europol’s platforms and tools, improving
data quality and interoperability, facilitating faster digital information exchange, and
supporting the deployment of mobile digital tools during operations. By embedding
expertise at national level, the option bridges the gap between technical capabilities and
operational use, complementing EU efforts on interoperability, secure information
exchange, and digital transformation.
177
ANNEX 11: COMPETITIVENESS CHECK
1. Overview of impacts on competitiveness
Dimensions of
Competitiveness
Impact of the initiative
(++ / + / 0 / - / -- / n.a.)
References to sub-sections of the
main report or annexes
Cost and price competitiveness n.a.
Main report – sections on economic
impacts / stakeholders affected
(initiative targets public authorities)
International competitiveness n.a. Main report – sections on economic
impacts / stakeholders affected
Capacity to innovate n.a. Main report – sections on economic
impacts / stakeholders affected
SME competitiveness n.a.
Main report – “Application of the ‘one
in, one out’ approach” (no admin costs
for private sector)
2. SYNTHETIC ASSESSMENT
Overall, this initiative aims to address challenges related to the efficiency of Europol and
to strengthen the implementation and further development of EU law enforcement
cooperation. The measures under consideration primarily concern the organisation,
planning, governance, operational cooperation and internal capacities of public authorities
(Europol and Member States’ competent law enforcement authorities). They do not
introduce regulatory obligations for economic operators, do not set product requirements,
and do not alter market access conditions or the rules governing competition in the internal
market.
Accordingly, no direct impacts on competitiveness are expected across the four dimensions
(cost/price competitiveness, international competitiveness, capacity to innovate and SME
competitiveness). For the purposes of the competitiveness check, the initiative is therefore
assessed as not applicable.
While the implementation of some measures may entail public procurement by Europol or
Member States (e.g. for technical equipment and related services, including IT
components, data processing tools, integration, maintenance, training or other support
services), this reflects how public authorities may operationalise the measures, rather than
an impact stemming from new requirements on undertakings. Such procurement would be
conducted under the applicable EU and national public procurement rules and would not,
in itself, constitute a competitiveness effect attributable to the initiative (no new
compliance burden or market constraint is created for operators, including SMEs).
Stakeholder input from economic operators received during the Call for Evidence does not
alter this conclusion, as the initiative remains focused on public-sector operational
capacity, information exchange and governance in the area of law enforcement
cooperation, rather than on regulating private-sector activity.
EUROPEAN COMMISSION
Brussels, 24.6.2026
SWD(2026) 581 final
COMMISSION STAFF WORKING DOCUMENT
EXECUTIVE SUMMARY OF THE IMPACT ASSESSMENT REPORT
Accompanying the document
PROPOSAL FOR A REGULATION OF THE EUROPEAN PARLIAMENT AND OF
THE COUNCIL
on the European Union Agency for Law Enforcement Cooperation (Europol), amending
Regulation (EU) 2018/1726 and Regulation (EU) 2024/982, and repealing Regulation
(EU) 2016/794
{COM(2026) 580 final} - {SEC(2026) 580 final} - {SWD(2026) 580 final} -
{SWD(2026) 582 final}
1
A. Need for action
What is the problem and why is it a problem at EU level?
The European Union (EU) is facing a profound transformation in its security environment, as
serious crime and terrorism grow more transnational, technologically advanced, and
interconnected. Criminal networks operate through flexible cross-border ecosystems that
combine digital infrastructures, illicit financial flows, logistical networks and online services.
Criminal activities are now often designed, coordinated and scaled transnationally from the
start, effectively making crime a cross-border issue by default.
Rapid technological advances have accelerated this shift. Encrypted communications,
automation tools and cryptocurrencies are no longer simply enablers of criminal activity but
core operational assets of modern criminal networks. Combined with digital platforms and
online infrastructures, they allow criminals to coordinate operations in real time, scale illicit
activities with unprecedented speed, conceal financial flows, rapidly adapt operational models
and exploit weaknesses across jurisdictions. At the same time, the boundaries between
cybercrime, financial crime and other forms of serious and organised crime are increasingly
blurring.
Europol is today a force multiplier for European security, reflecting a shift from cooperation
as an option to cooperation as a necessity. This level of integration, once unimaginable, has
been enabled through successive legal reinforcements1, building on Member States’
willingness to pool expertise and capabilities to step up the fight against serious crime and
terrorism. In doing so, it gives practical effect to the Treaties’ objective of ensuring a high level
of security for the EU and its citizens in an area without internal frontiers2. As its mandate and
tools have evolved, Europol has become a central pillar of a more integrated and operational
European security architecture.
Despite its strengthened mandate, Europol is not fully equipped to fulfil its mission in this
evolving environment. As highlighted in the Commission report pursuant to Article 68(3) of
the Europol Regulation3 and in the evaluation of Europol4, the Agency faces legal, operational,
and structural constraints that limit its ability to provide timely, comprehensive, and actionable
support to Member States. Persistent information gaps hinder the development of a complete
criminal intelligence picture of cross-border threats. Uneven and fragmented operational
cooperation and coordination with Member States limit the added value of Europol’s support
for the action of national authorities on the ground. Limitations in technical capabilities,
specialised expertise, and preparedness reduce the ability to respond effectively to increasingly
sophisticated and technologically enabled criminal activity. Together, these constraints reduce
Europol’s operational effectiveness and its capacity to deliver its full added value.
Two main problems have been identified:
• Europol and national authorities face persistent information gaps when investigating
cross-border crimes and identifying threats.
1 Regulation (EU) 2016/794 was amended in 2022 by Regulation (EU) 2022/991 to address new security threats
and in 2025 by Regulation (EU) 2025/2611 to effectively counter migrant smuggling. 2 Article 88 TFEU defines Europol’s mission to support and strengthen cooperation between Member States’ law
enforcement authorities in preventing and combating serious cross-border crime and terrorism. 3 COM(2025) 752 final. 4 See Annex 7.
2
• Europol’s operational support remains limited and fragmented.
Objectives: What should be achieved?
The general objective of this initiative is to improve the effectiveness of EU-level law
enforcement cooperation in preventing and combating serious and organised crime and
terrorism, in order to contribute to a high level of internal security in the EU.
Specifically, the initiative aims to:
• Reinforce Europol’s role as an information hub for law enforcement.
• Strengthening Europol’s capacity to support law enforcement operational action
What is the added value of action at EU level (subsidiarity)?
Europol plays a unique and indispensable role in supporting Member States in preventing and
combating serious crime and terrorism, in particular where these threats have a cross-border
dimension. Through its criminal intelligence analysis, operational and technical support to
investigations, coordination of cross-border law enforcement actions, and support to joint
investigation teams, Europol expands the reach, speed, and effectiveness of national
investigations. It enables authorities to detect connections between criminal activities across
multiple Member States, identify priority targets, and coordinate operational responses, thereby
significantly strengthening the Union’s collective ability to disrupt criminal networks.
Europol also provides specialised capabilities, expertise, and technological infrastructure that
individual Member States could not develop or maintain efficiently on their own. By
centralising high-value expertise, tools, and infrastructure at Union level, Europol generates
substantial economies of scale, reduces duplication of investment, and ensures that all
Member States benefit from cutting-edge capabilities, regardless of their size or national
resources.
B. Solutions
What are the various options to achieve the objectives? Is there a preferred option?
Two main policy options were considered.
The first option focuses on targeted improvements to the existing operational model, which
would strengthen Europol’s support to Member State investigations. This would include
improving data availability, timeliness and operational use. Key measures include targeted
data-sharing obligations in priority crime areas, mandatory deployment of automated data-
loader tools, and major upgrades to Europol’s ICT systems to enhance automation,
interoperability and analytical capabilities. Europol would also provide technical support,
common standards and training to ensure operational benefits for Member States. Under this
approach, measures would also improve the implementation of Data Subject Categorisation
(DSC) without changing the legal framework, notably through advanced analytical tools and
updated procedures. This first option would also enhance cooperation with Union bodies and
agencies. In particular, it would enhance Europol’s analytical support to EPPO investigations
through dedicated expertise and closer coordination, improve the Europol-Eurojust operational
continuum through more automated information-sharing and specialised support for accessing
electronic evidence, and enable structured exchanges with AMLA via a hit/no-hit system to
better identify links between financial intelligence and serious organised crime. At the same
time, the second option would integrate Europol’s analytical capabilities directly into national
3
investigations by connecting national case management systems with Europol’s databases and
tools.
The second approach envisaged a more structural evolution of Europol’s operational model.
It aimed to move beyond a framework centred primarily on bilateral information transmission
towards the development of shared Union-level communication infrastructures, notably the EU
Police Shared Data Space. This approach would also simplify Data Subject Categorisation
(DSC) by aligning the Europol Regulation with the EUDPR and the Law Enforcement
Directive. Instead of requiring categorisation before all data processing, DSC would apply
where relevant and possible due to the nature of the data. This would improve Europol’s ability
to process large and complex datasets, while maintaining strong data protection oversight by
the EDPS. This approach also provides for a more integrated form of operational support
embedded directly within national investigative environments, including through the
establishment of Europol Support Offices in Member States. In addition, this option also
includes reinforced cooperation with the European Public Prosecutor’s Office from a request-
based model into a systematic and structured partnership.
On this basis, the preferred option combines elements of both approaches. It builds on the
incremental improvements identified under the first approach, in particular as regards
strengthening data availability, upgrading systems and embedding Europol tools into national
investigations. At the same time, it goes beyond the existing model where necessary to address
structural limitations, notably by enabling authorised access to national data, reinforcing
Europol’s operational presence in Member States, and strengthening its cooperation with the
European Public Prosecutor’s Office. These measures are designed to be mutually reinforcing.
In particular, the incremental improvements under the first approach create the conditions for
the more advanced measures to operate effectively, ensuring that enhanced data availability,
systems and workflows support the use of new operational capabilities at Union level.
C. Impact of the preferred option
What are the benefits of the preferred option (if any, otherwise the main ones)?
The preferred option is expected to significantly improve the effectiveness of cross-border law
enforcement cooperation by reducing information fragmentation, accelerating the
identification of operational links across investigations, and strengthening operational
coordination between EU bodies and agencies. It is also expected to improve the capacity of
national authorities to investigate increasingly digital, cross-border, and data-intensive forms
of crime through enhanced analytical support, shared technological capabilities, and more
integrated operational support structures. Citizens are expected to benefit through strengthened
internal security and more effective prevention and investigation of serious and organised
crime and terrorism.
The preferred option requires significant investments at both Union and Member State level,
notably for the development of shared technological infrastructures, interoperability solutions,
operational integration measures, and enhanced analytical and operational capabilities.
Estimated one-off costs amount to approximately EUR 255 million for Member States and
EUR 240 million for Europol, while annual recurring costs are estimated at approximately EUR
48 million for Member States and EUR 78 million for Europol. Total estimated costs over the
2028-2034 period amount to approximately EUR 590 million for Member States and EUR 789
million for Europol. At the same time, the use of shared Union-level infrastructures and
capabilities is expected to generate important efficiencies and economies of scale, including
4
estimated savings of approximately EUR 42 million compared to separate implementation
approaches
The interferences with the rights to privacy and protection of personal data resulting from the
preferred option remain necessary and proportionate having regard to the objective of ensuring
effective prevention and combating of serious and organised crime and terrorism in an
increasingly digital and cross-border operational environment. The impact assessment
concluded that the current framework no longer adequately reflects the operational realities of
modern criminal intelligence and creates structural limitations affecting Europol’s ability to
support Member States effectively. At the same time, the proposal substantially strengthens
and restructures the safeguards framework applicable to Europol’s processing activities. In
particular, it introduces a more detailed legal and technical framework governing Europol’s
data environments, processing regimes, access conditions, separation of processing
environments, logging and traceability requirements, storage periods, and supervisory and
oversight mechanism.
EN EN
EUROPEAN COMMISSION
Brussels, 24.6.2026
COM(2026) 580 final
2026/0165 (COD)
Proposal for a
REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on the European Union Agency for Law Enforcement Cooperation (Europol), amending
Regulation (EU) 2018/1726 and Regulation (EU) 2024/982, and repealing Regulation
(EU) 2016/794
{SEC(2026) 580 final} - {SWD(2026) 580 final} - {SWD(2026) 581 final} -
{SWD(2026) 582 final}
EN 1 EN
EXPLANATORY MEMORANDUM
1. CONTEXT OF THE PROPOSAL
• Reasons for and objectives of the proposal
The European Union (EU) is facing a profound transformation in its security environment, as
serious and organised crime and terrorism grow more transnational, technologically advanced,
and interconnected. Criminal networks operate through flexible cross-border ecosystems that
combine digital infrastructures, illicit financial flows, logistical networks and online services.
Criminal activities are now often designed, coordinated and scaled transnationally from the
start, effectively making crime a cross-border issue by default.
Rapid technological advances have accelerated this shift. Encrypted communications,
automation tools and cryptocurrencies are no longer simply enablers of criminal activity but
core operational assets of modern criminal networks. Combined with digital platforms and
online infrastructures, they allow criminals to coordinate operations in real time, scale illicit
activities with unprecedented speed, conceal financial flows, rapidly adapt operational models
and exploit weaknesses across jurisdictions. At the same time, the boundaries between
cybercrime, financial crime and other forms of serious and organised crime are increasingly
blurring.
The current threat landscape is further aggravated by the rise of hybrid threats, including
cyberattacks, attacks against critical infrastructure, and the instrumentalisation of migration or
economic dependencies by hostile state and non-state actors. Such activities increasingly
intersect with serious and organised crime networks, creating complex and multidimensional
security risks that challenge the distinction between internal and external security.
As highlighted by the European Council in its conclusions of 26-27 June 2025 (1), these
threats represent a major challenge to the security of Member States and Europeans. Their
impact extends beyond immediate security risks, contributing to a growing sense of
uncertainty and affecting citizens’ trust in the public authorities’ ability to ensure a high level
of internal security. At the same time, serious and organised crime increasingly penetrates and
distorts the legal economy, including through corruption, money laundering and the misuse of
legitimate business structures, thereby weakening fair competition and undermining the
integrity of markets and public institutions.
In the current security environment, the EU and its Member States have significantly
strengthened cooperation and developed critical capabilities to support cross-border law
enforcement action (2). However, the EU’s response has yet to fully match the speed and
adaptability of modern criminal activity.
First, the European law enforcement architecture has not sufficiently adapted to the significant
increase in the volume, complexity and speed of information relevant to criminal
investigations. Information on criminal activities remains fragmented across authorities,
jurisdictions and systems and is not properly shared, connected or analysed in an effective and
timely manner. This has progressively magnified critical blind spots in the EU’s criminal
1 See the conclusions of the European Council of 26-27 June 2025 on the fight against serious and
organised crime. 2 See Section 2.1 on the Consistency with existing policy provisions in the policy area.
EN 2 EN
intelligence picture and reduced the capacity to identify cross-border criminal links, support
investigations effectively at European level and detect emerging threats.
Second, the EU’s operational response remains fragmented. In the Schengen area without
internal frontiers, where criminal networks operate seamlessly across jurisdictions, law
enforcement action remains too often organised primarily along national lines. National
authorities often only have partial visibility over criminal networks operating across several
Member States and face persistent difficulties in coordinating investigations across borders.
As a result, fragmentation remains one of the principal weaknesses of the European security
response, reducing the effectiveness and efficiency of national law enforcement action against
threats that are inherently transnational and require a stronger collective European approach.
Under this framework, Europol plays a central role as the EU’s agency for law enforcement
cooperation (3). Since its establishment, Europol has evolved from a support platform into a
key analytical and operational hub supporting Member States in preventing and combating
serious and organised crime and terrorism. Through its unique ability to connect information,
generate EU-level criminal intelligence and support coordinated cross-border operations,
Europol enables Member States to detect complex criminal networks, identify links across
jurisdictions and respond more effectively to rapidly evolving security threats.
President von der Leyen’s 2024-2029 Political Guidelines (4) announced the aim to further
strengthen Europol. This includes a new legislative framework to boost Europol’s operational
role and support more effective cross-border law enforcement cooperation. This objective is
further anchored in ProtectEU – a European internal security strategy (5), which defines a step
change in how the EU organises its collective response to increasingly complex and
interconnected security threats. Achieving this vision requires a comprehensive review of the
Europol framework that goes beyond targeted amendments, ensuring Europol’s mandate is
fully aligned with the operational realities across all areas of serious and organised crime and
terrorism.
The need to strengthen EU-level law enforcement cooperation has been consistently
underscored by Member States and the European Parliament, particularly during the broad
stakeholder consultations conducted in 2025 and 2026. European Police Chiefs (6) highlighted
the benefits of a more robust and operational Europol, capable of serving as a genuine
European force multiplier. Furthermore, evidence from the evaluation of the Europol
framework and the Commission report pursuant to Article 68(3) of the Europol Regulation
indicated that Europol’s current mandate and operational model are no longer fully aligned
with the scale and complexity of the evolving security environment. Existing limitations in
the availability, integration and processing of information, as well as constraints affecting the
depth of Europol’s operational engagement, reduces its capacity to support Member States
effectively in responding to increasingly interconnected cross-border threats.
The evaluation also highlights a growing structural imbalance between the scale and
technological sophistication of criminal networks and the collective capabilities available to
3 Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the
European Union Agency for Law Enforcement Cooperation (Europol), and replacing and repealing
Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA. 4 Europe’s Choice – Political Guidelines for the next European Commission 2024–2029, July 2024. 5 Communication from the Commission to the European Parliament, the Council, the European
Economic and Social Committee and the Committee of the Regions, ProtectEU – a European Internal
Security Strategy, COM(2025) 148 final, 1 April 2025. 6 Statement from the European Police Chiefs, 29 April 2025.
EN 3 EN
EU law enforcement authorities. Criminal actors increasingly leverage artificial intelligence,
large-scale data exploitation and sophisticated digital infrastructures that no Member State can
efficiently match alone. Yet Europol’s current mandate and capabilities do not allow it to fully
act as the EU-level capability hub needed to reduce fragmentation, pool resources and provide
Member States with the advanced operational and technological support needed to respond to
the evolving threat environment.
The 2022 reform of Europol’s legal framework (7) marked an important step in strengthening
the Agency’s mandate, in particular by enabling the processing of large and complex datasets
and reinforcing its analytical capacities. However, the threat landscape and operational
demands of Member States have evolved faster than anticipated. The large-scale processing of
data, the early operational involvement of Europol in complex cross-border investigations and
the provision of advanced technological support are no longer exceptional requirements but
have become core features of modern law enforcement cooperation. In 2025, the European
Parliament and the Council adopted a targeted amendment to the Europol framework to
address specific operational needs. However, it did not tackle the underlying structural
challenge: ensuring Europol can operate with the scale, agility, and integration needed to
underpin an effective EU-wide response to threats that are increasingly transnational and
technologically advanced.
At the same time, the EU’s broader security architecture has evolved significantly.
Cooperation between Europol and other EU bodies, offices and agencies, including
Eurojust (8), the European Public Prosecutor’s Office (‘the EPPO’) (9), Frontex (10),
OLAF (11) and the Anti-Money Laundering Authority (‘AMLA’) (12), has become
increasingly important in ensuring an effective and coherent response to cross-border threats.
However, the current framework has yet to provide sufficient operational integration to
support this evolving architecture (13) and ensure seamless cooperation across the different
stages of the security and criminal justice cycle.
This adaptation is not only necessary but also timely. The conditions are now in place to
support a more transformative evolution of Europol’s framework. Recent and ongoing EU
initiatives, in particular the revision of the framework for information exchange between law
7 Regulation (EU) 2022/991 of the European Parliament and of the Council of 8 June 2022 amending
Regulation (EU) 2016/794, as regards Europol’s cooperation with private parties, the processing of
personal data by Europol in support of criminal investigations, and Europol’s role in research and
innovation, OJ L 169, 27.6.2022, p. 1. 8 Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on
the European Union Agency for Criminal Justice Cooperation (Eurojust). 9 Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the
establishment of the European Public Prosecutor’s Office (‘the EPPO’). 10 Regulation (EU) 2019/1896 of the European Parliament and of the Council of 13 November 2019 on
the European Border and Coast Guard and repealing Regulations (EU) No 1052/2013 and (EU)
2016/1624. 11 Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11
September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF). 12 Regulation (EU) 2024/1620 of the European Parliament and of the Council of 31 May 2024 establishing
the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA). 13 Including developments arising from the Commission proposal for a Regulation of the European
Parliament and of the Council establishing the European Union Customs Authority and amending
Regulation (EU) No 952/2013, COM(2023) 258 final, 17.5.2023.
EN 4 EN
enforcement authorities (14), have laid the foundations for improving the availability, quality
and timeliness of data at EU level. In parallel, broader developments across the EU security
and justice architecture, including strengthened cooperation between relevant EU bodies,
offices and agencies, create a better environment for integrated and coordinated action.
This proposal therefore establishes a strengthened legal framework for Europol, reflecting the
evolution of cross-border criminal threats and the operational needs of Member States. It aims
to strengthen Europol’s role as:
• an EU information hub capable of ensuring that Member States law enforcement
authorities are provided with a more complete and integrated criminal intelligence
picture at EU level;
• an operational hub supporting Member States more effectively and at an earlier stage
in cross-border investigations and operational activities; and
• a technology and innovation hub supporting Member States with advanced
capabilities, expertise and operational tools.
To achieve these objectives, the proposal builds on the strengths of the existing framework,
bringing them to a level of operational excellence, while introducing the structural changes
necessary to enable a more effective European response to cross-border crime. It establishes a
robust and modern legal framework that equips Europol to:
• respond to current and future security challenges;
• better support Member States in cross-border investigations; and
• strengthen the EU’s capacity to deliver a coordinated, efficient and resilient response
to serious and organised crime and terrorism, in full compliance with the Charter of
Fundamental Rights of the European Union.
• Consistency with existing policy provisions in the policy area
The present package of criminal justice initiatives pursues a coherent and complementary
objective: strengthening the EU's capacity to prevent, detect, investigate and prosecute serious
cross-border crime in an increasingly complex security environment. By modernising the
legal frameworks governing cooperation between law enforcement, judicial and other relevant
authorities, the package seeks to reinforce the effectiveness, coherence and interoperability of
the Union’s internal security architecture.
The proposed revisions of the Europol and Eurojust Regulations constitute the core of this
effort. Europol and Eurojust perform distinct yet complementary functions within the Area of
Freedom, Security and Justice: while Europol supports the prevention and combating of
criminal activities, Eurojust facilitates judicial cooperation and ensures effective prosecutorial
and judicial follow-up. The package therefore aims to strengthen cooperation and
complementarity between the two agencies, as well as with other relevant Union actors in the
Justice and Home Affairs and Anti-Fraud Architecture areas, with a view to ensuring a
seamless continuum between law enforcement action and judicial follow-up across all stages
of the criminal justice chain.
14 Directive (EU) 2023/977 of the European Parliament and of the Council of 10 May 2023 on the
exchange of information between the law enforcement authorities of Member States and repealing
Council Framework Decision 2006/960/JHA.
EN 5 EN
In this context, the amendments to the European Investigation Order framework and to the
data protection rules applicable in the Justice and Home Affairs domain data protection
regime for EU institutions, bodies, offices and agencies (15), further contribute to this
objective by facilitating effective cross-border cooperation, improving the conditions for
information exchange and ensuring a coherent legal framework adapted to operational
realities and technological developments. Taken together, the measures proposed in this
package will enhance the EU’s ability to respond to evolving security threats while fully
respecting fundamental rights, the rule of law and the division of responsibilities between the
different actors involved.
Furthermore, the proposal for the revision of the Europol Regulation is consistent with the
EU’s broader internal security framework, in particular ProtectEU and directly contributes to
its implementation. By strengthening Europol’s role as an information, operational and
technology and innovation hub, the proposal supports the closing of criminal intelligence
gaps, reinforces cross-border investigations and enhances the use of advanced technological
capabilities at EU level.
The proposal is also consistent with recent EU policy developments in internal security,
including the counter-terrorism agenda under ProtectEU (16), the EU crime priorities for the
2026-2029 EMPACT cycle (17), the 2025 EU drugs strategy (18) and accompanying action
plan against drug trafficking (19), and the 2026 Commission proposal for EU-wide rules
against firearms trafficking (20). These initiatives reflect a broader shift towards more
operational, intelligence-led and capability-based EU action against serious and organised
crime and terrorism. The proposal also complements the roadmap for lawful and effective
access to data for law enforcement, presented by the Commission in June 2025 (21), which
addresses key challenges related to access to digital evidence.
The proposal is also consistent with the framework for information exchange among national
law enforcement authorities and between them and Europol. While recent reforms have
strengthened and aligned case management systems and cross-border information exchange
practices at national level, their benefits have yet to be fully achieved as regards their
integration with Europol services and analytical capabilities. By ensuring that information
exchanged and managed at national level can be systematically made available to Europol
through its information services and tools, the proposal enables Member States to make full
use of Europol services, supporting a more integrated, automated and effective use of
information across the EU law enforcement community.
15 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the
protection of natural persons with regard to the processing of personal data by the Union institutions,
bodies, offices and agencies and on the free movement of such data. 16 Communication from the Commission to the European Parliament, the Council, the European
Economic and Social Committee and the Committee of the Regions, ProtectEU: Agenda to prevent and
counter terrorism, COM(2026) 101 final, 26 February 2026. 17 Council conclusions on the enhancement of EMPACT and on EU crime priorities for the next
EMPACT cycle 2026–2029, approved by the Council on 13 June 2025. 18 COM(2025) 743 final, 4 December 2025. 19 COM(2025) 744 final, 4 December 2025. 20 Proposal for a Directive of the European Parliament and of the Council on combating firearms
trafficking and other firearms-related offences, COM(2026) 102 final, adopted by the Commission on
26 February 2026. 21 Communication from the Commission to the European Parliament, the Council, the European
Economic and Social Committee and the Committee of the Regions, Roadmap for lawful and effective
access to data for law enforcement, COM(2025) 349 final, 24 June 2025.
EN 6 EN
The proposal provides Europol with the mandate and tools to address, across the EU, crimes
falling within the scope of Europol’s competence that involve a hybrid dimension, addressing
the needs set out in particular under ProtectEU, the EU preparedness strategy and the
Democracy Shield. It allows Europol to use its full operational, analytical and technical
toolbox to act within its powers, including serious and organised crime, terrorism and cyber-
enabled crime, when such offences involve a hybrid dimension. The proposal establishes EU
Centres of Operational Expertise as the model for Europol’s operational approach, embedding
the prevention and combating of criminal offences with a hybrid dimension as a cross-cutting
priority. Criminal activities with a hybrid dimension may arise in relation to any form of
crime falling within the scope of Europol’s competence. The Centres are established to ensure
a horizontal contribution, within their respective fields of expertise, to the prevention and
combating of such criminal activities, including where they form part of, contribute to or are
linked to a threat with a hybrid dimension
The proposal also strengthens complementarities with the EPPO and Eurojust in the
prosecutorial and judicial phases, including by providing structural analytical support to the
EPPO in the analysis of complex cross-border financial crime affecting the EU’s financial
interests. It also supports closer interaction with Frontex in areas where cross-border crime
intersects with border management, the European Union Agency for the Operational
Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (‘eu-
LISA’)22 in relation to the development, deployment and technical management of
information management services and tools, with AMLA in relation to financial crime, and
with the European Union Agency for Cybersecurity (‘ENISA’)23 in relation to cybersecurity,
in particular ransomware incidents.
The proposal directly contributes to the functioning of the Schengen area where free
movement can only be sustained through an equally integrated and effective European
security response. By reinforcing EU-level law enforcement cooperation and reducing
fragmentation, the proposal helps ensure that security within the Schengen area is delivered
with the same level of integration as the freedom of movement it is designed to protect. At the
same time, the proposal also aims at deepening Europol’s cooperation with Countries
associated with the implementation, application and development of the Schengen acquis.
• Consistency with other Union policies
The proposal is consistent with the EU’s broader policy objectives on technological
sovereignty and secure digital infrastructure, including the European strategy for data (24), the
Digital Decade policy programme 2030 (25),the strategy on an EU’s cloud (26) and the
22 Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on
the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of
Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council
Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011. 23 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA
(the European Union Agency for Cybersecurity) and on information and communications technology
cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act). 24 Communication from the Commission to the European Parliament, the Council, the European
Economic and Social Committee and the Committee of the Regions, A European strategy for data,
COM(2020) 66 final, 19 February 2020. 25 Decision (EU) 2022/2481 of the European Parliament and of the Council of 14 December 2022
establishing the Digital Decade Policy Programme 2030. 26 Communication from the Commission to the European Parliament, the Council, the European
Economic and Social Committee and the Committee of the Regions, An EU Strategy for Data Centres
and Cloud, COM(2024) [final].
EN 7 EN
cybersecurity (27) initiatives, including the new proposal on the Cloud and AI Development
Act (CADA) aimed at strengthening the EU's cloud and AI ecosystem, investment and
infrastructure28. By enabling Europol and the competent authorities of Member States to
process and analyse data securely at scale and to operate in secure, trusted and scalable data-
processing environments, including through the use of sovereign cloud capabilities and
advanced digital infrastructures, the proposal contributes to building resilient (29) and
autonomous European technological capacities.
The proposal also supports the EU’s policies on innovation, research and competitiveness,
including under Horizon Europe (30) and the European Innovation Agenda (31). By positioning
Europol as a central hub for identifying emerging operational needs and shaping future law
enforcement capabilities, it supports the development and uptake of advanced technologies,
including through joint procurement solutions.
At the same time, the proposal remains fully aligned with the EU’s data protection
framework, in particular Regulation (EU) 2018/1725 on the protection of personal data by EU
institutions, bodies, offices and agencies, ensuring that Europol’s strengthened operational
role remains anchored in a high level of fundamental rights protection.
The proposal strengthens the EU’s anti-money laundering and financial crime framework,
including the Anti-Money Laundering Package (32) and the establishment of AMLA, while
reinforcing the EU’s anti-fraud architecture and the protection of the EU’s financial interests
under Directive (EU) 2017/1371 (33). It provides Europol with enhanced capabilities to
support complex cross-border financial investigations and to cooperate effectively with the
EPPO and with OLAF’s administrative and investigative work. By enabling Europol to
integrate financial intelligence, analytical capacities and operational resources, the proposal
allows it to identify, analyse and trace criminal financial flows and assets, including those
affecting the EU budget, in turn reinforcing a systematic “follow the money” approach and
ensuring a coordinated, EU-level response to financial crime. This reinforcement of Europol’s
role is particularly relevant in the context of the ongoing review of the anti-fraud architecture,
ensuring that its capabilities are aligned with future EU-level reforms and the evolving needs
of cross-border financial crime enforcement.
27 Regulation (EU) 2024/2847 of the European Parliament and of the Council of 23 October 2024 on
horizontal cybersecurity requirements for products with digital elements and amending Regulations
(EU) No 168/2013 and (EU) 2019/1020 and Directive (EU) 2020/1828 (Cyber Resilience Act). 28 Proposal for a Regulation of the European Parliament and of the Council establishing a framework of
measures for strengthening Europe’s cloud and AI ecosystem (Cloud and AI Development Act);
COM(2026) 502 final. 29 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on
measures for a high common level of cybersecurity across the Union (NIS 2 Directive). 30 Regulation (EU) 2021/695 of the European Parliament and of the Council of 28 April 2021 establishing
Horizon Europe – the Framework Programme for Research and Innovation. 31 Communication from the Commission to the European Parliament, the Council, the European
Economic and Social Committee and the Committee of the Regions, A New European Innovation
Agenda, COM(2022) 332 final, 5 July 2022. 32 Regulation (EU) 2024/1620 of the European Parliament and of the Council of 31 May 2024 establishing
the Authority for Anti-Money Laundering and Countering the Financing of Terrorism (AMLA), and
Regulation (EU) 2024/1624 and Directive (EU) 2024/1640 forming part of the Union anti-money
laundering package. 33 Directive (EU) 2017/1371 of the European Parliament and of the Council of 5 July 2017 on the fight
against fraud to the Union’s financial interests by means of criminal law (PIF Directive).
EN 8 EN
The proposal boosts the EU’s external security by allowing Europol to carry out joint
processing of criminal intelligence with non-EU partner countries, improving the speed and
quality of international investigations, while ensuring secure information exchange through
channels such as INTERPOL. The proposal also enables Europol to deploy experts in non-EU
countries to coordinate operational measures. By focusing Europol’s external activities on
operational objectives, the proposal maximises their added value for Member States’
competent authorities while remaining complementary to the role of the European Union
Agency for Law Enforcement Training (‘CEPOL’) in capacity building in third countries.
The proposal further contributes to the EU enlargement process by deepening operational
cooperation with candidate countries and potential candidates. As key partners in addressing
transnational crime, terrorism and other cross-border security threats, those countries play an
important role in the wider European security architecture and need to be progressively
integrated into relevant security cooperation frameworks.
2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY
• Legal basis
This proposal is based on Articles 87(2), point (a), and 88 of the Treaty on the Functioning of
the European Union (TFEU). Article 88 provides the legal basis for the establishment and
functioning of Europol and for the determination of its tasks, structure and operation. Article
87(2), point (a), TFEU provides for the adoption of measures concerning the collection,
storage, processing, analysis and exchange of relevant information for the purposes of police
cooperation.
• Subsidiarity (for non-exclusive competence)
The challenges addressed by this proposal are inherently cross-border and cannot be
effectively tackled by Member States acting alone. The most serious and organised forms of
crime are now mainly transnational in nature, with criminal networks operating seamlessly
across jurisdictions and digital environments. They exploit the fragmentation of national
information, operational action and capabilities. As a result, Member States only have a
partial view of criminal activities and face structural limitations in connecting investigations
and responding effectively to criminal activities that extend beyond their national jurisdiction.
Action at EU level is therefore more effective and necessary. The scale, speed and cross-
border nature of criminal activity require a level of coordination, data aggregation and
analytical capacity that cannot be achieved by Member States acting alone. By operating at
EU level, Europol is able to combine information from multiple jurisdictions, identify patterns
and connections that would otherwise remain undetected, and support the prioritisation and
coordination of operational action across borders. In doing so, it enhances the impact of
national investigations and ensures that responses to cross-border crime are not fragmented
but aligned and mutually reinforcing. It also enables the development and deployment of
advanced capabilities that are beyond the reach of individual Member States acting alone,
which also enables economies of scale in areas where the development of capabilities is
resource-intensive and requires critical mass. By centralising such capacities at EU level and
making them available across Member States, the proposal avoids duplication, reduces costs
and ensures a consistent and high level of effectiveness.
In a Schengen area, this collective capacity is essential to ensure that the level of law
enforcement cooperation is proportionate with the level of integration achieved.
EN 9 EN
• Proportionality
In line with the principle of proportionality, as set out in Article 5 of the Treaty on the
European Union, this proposal does not go beyond what is necessary to achieve its objectives.
The proposal introduces a more integrated framework for EU-level support to law
enforcement, reflecting the scale and complexity of cross-border crime. It focuses on enabling
more effective use of information, strengthening support to cross-border investigations and
improving access to shared capabilities, without altering the fundamental balance of
competences between the EU and its Member States. In particular, it does not confer any
coercive powers on Europol, which remain the exclusive competence of Member States.
Where relevant, the proportionality of the measures is further supported by the analysis
carried out in the accompanying impact assessment.
• Choice of the instrument
The proposal takes the form of a Regulation that repeals Regulation (EU) 2016/794
establishing Europol. Repealing and replacing the existing framework is necessary in the light
of the significant evolution of Europol’s mandate and activities, and the resulting need for a
corresponding shift in the legal approach. The current Regulation, originally designed as a
flexible and broadly framed instrument, is no longer sufficient to support Europol’s growing
responsibilities or the increasing complexity of its operations, including its expanded role in
data processing.
The evolution of Europol’s role requires a modernised and fully structured legal framework to
clearly define its core responsibilities, remove ambiguities, and provide the legal certainty,
predictability, and accountability necessary for it to carry out its reinforced mandate
effectively. The revised legal framework needs to allow Europol to perform its enhanced
functions efficiently while operating within a clear, robust, and predictable legal environment,
and maintaining the operational flexibility needed to respond to evolving threats.
Recasting Regulation (EU) 2016/794 would not suffice to enable Europol’s modernisation.
The current Regulation does not provide the foundational structure required to integrate
substantial operational, analytical, and technological changes, and incremental amendments
would be inadequate to establish the coherence, legal certainty, and institutional architecture
necessary for a fully modernised Europol. This proposal aims to amend and expand the
provisions of Regulation (EU) 2016/794. Since the amendments to be made are substantial in
number and nature, the legal act should, for the sake of clarity, be repealed.
3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER
CONSULTATIONS AND IMPACT ASSESSMENTS
• Ex-post evaluations/fitness checks of existing legislation
The evaluation of Regulation (EU) 2016/794, as amended by Regulation (EU) 2022/991,
conducted in parallel with the impact assessment accompanying this proposal, confirms that
Europol plays a central and unique role in supporting Member States in preventing and
combating serious and organised crime and terrorism, particularly in cross-border
investigations. Covering the period 2017-2024, the evaluation found that Europol has
significantly strengthened information exchange and operational coordination at Union level.
EN 10 EN
At the same time, the evaluation highlights some structural limitations that constrain
Europol’s ability to fully achieve its potential. Persistent information gaps, linked to uneven
data contributions by Member States and procedural constraints, limit the development of a
complete criminal intelligence picture at EU level. Operational support remains inconsistent
and, in some cases, lacks proper integration into national investigations. Meanwhile,
cooperation with other Union bodies, offices and agencies is hindered by limitations in
institutional frameworks. In addition, the evaluation points to increasing pressure on
Europol’s resources and capabilities, in particular in the context of more complex, digital and
data-intensive forms of crime, requiring scalable technological solutions and enhanced
analytical capacity.
These findings reveal a structural gap between Europol’s current framework and the evolving
threat landscape and underpin the need for this proposal. The detailed evaluation is presented
in the accompanying staff working document.
Furthermore, the Commission report pursuant to Article 68(3) of Regulation (EU) 2016/794
(34) confirms that Europol has made substantial progress in implementing
Regulation (EU) 2022/991. Europol has implemented nearly all of its new data-processing and
analytical tasks, including handling large and complex datasets and supporting research and
innovation projects through specific frameworks. Europol’s expanded capabilities have
strengthened cross-border investigations, improved information exchange among Member
States, and enhanced analytical support for serious and organised crime and terrorism, all
without evidence of negative impacts on fundamental rights due to the safeguards in place.
Member States continue to actively engage with Europol’s new tools, reflecting a growing
operational reliance on its capabilities.
At the same time, the evaluation identifies some structural and operational limitations that
constrain the full use of Europol’s new capabilities. Complex data protection processes slow
down operational uptake and discourage consistent use of the tools in day-to-day
investigations. Operational support is unevenly integrated into national investigations, while
constraints in analytical capacity and technological scalability limit Europol’s ability to
process and act on increasing volumes of complex data. The report also notes that the growing
scale and sophistication of digital and cross-border crime require more advanced, flexible, and
scalable operational solutions to ensure that Europol can respond effectively across Member
States.
• Stakeholder consultations
A thorough and comprehensive consultation process was carried out to gather input from
Member States, Europol, EU agencies, law enforcement networks, and private parties
(companies and business associations, as well as non-governmental, civil society and research
organisations).
Initial scoping discussions between April and June 2025 involved high-level exchanges with
the Standing Committee on Operational Cooperation on Internal Security (COSI), the Europol
Management Board, and national police chiefs. These discussions helped identify operational
priorities, challenges in cross-border cooperation, and political boundaries that would need to
guide the reform of Europol’s framework. These were followed by in-depth evidence
gathering between July 2025 and February 2026 through a call for evidence, a public
consultation and thematic workshops with Member States’ experts.
34 COM(2025) 752 final.
EN 11 EN
Overall, stakeholders expressed strong support for Europol’s added value, particularly in
facilitating cross-border information exchange, criminal intelligence analysis and operational
coordination. At the same time, they identified important operational shortcomings limiting
its effectiveness, in particular legal and procedural constraints related to data processing.
Stakeholders also emphasised the need to strengthen Europol’s operational support, develop
more automated and interoperable systems, and boost technological and analytical
capabilities, including through EU-level digital tools and stronger cooperation with EU
bodies, offices and agencies. Private-sector stakeholders further underlined the importance of
legal certainty in data sharing, particularly in cybercrime.
Consultations also highlighted the importance of ensuring that any strengthening of Europol’s
role remains fully consistent with fundamental rights, in particular data protection
requirements, and respects Member States’ responsibilities for national security and law
enforcement. Diverging views emerged on a possible further expansion of Europol’s
competence in relation to hybrid threats, which several stakeholders considered politically
sensitive but in principle well covered in Europol’s legal framework.
The input received from the stakeholders directly informed the design of the proposal by
confirming the need to address information gaps, operational fragmentation and technological
capability constraints. It also guided the development of measures to strengthen data
exchange, simplify procedures and boost cooperation, while ensuring appropriate safeguards
and respecting the limits of Europol’s mandate under the Treaty on the Functioning of the
European Union.
• Collection and use of expertise
The Commission relied on external expertise to support both the evaluation and the impact
assessment accompanying this proposal. In particular, an external study carried out between
July 2025 and June 2026 provided a comprehensive evidence base drawing on input from
Member States, EU bodies, offices and agencies, law enforcement networks and relevant
stakeholders. Moreover, the Commission has considered a broad range of contributions,
including policy papers submitted during the preparation of this proposal.
• Impact assessment
This proposal is supported by an impact assessment, which analysed a range of policy options
to address the identified problems related to information gaps, operational fragmentation, and
capability constraints.
The impact assessment focused on the issues presenting the most significant political,
operational, and fundamental rights implications. Therefore, areas where broad support
already existed, including capability and technology development were not covered by the
assessment.
Two main policy approaches were considered.
The first approach focused on targeted improvements to the existing operational model by
strengthening data availability, boosting cooperation with EU bodies, offices and agencies,
and improving the integration of Europol tools and information systems into national
investigative workflows. This included measures such as connections with national case
management systems and more systematic consultation of Europol systems in relevant
investigations.
EN 12 EN
The second approach envisaged a more structural evolution of Europol’s operational model. It
aimed to move beyond a framework centred mainly on bilateral information transmission
towards the development of shared EU-level communication infrastructures, in particular the
EU Police Shared Data Space. It also provided for a more integrated form of operational
support embedded directly within national investigative environments, including through the
establishment of Europol Support Offices in Member States. In addition, the approach
included a substantial modernisation of Europol’s data-processing framework and reinforced
cooperation with the EPPO.
On this basis, the preferred policy option combines elements of both approaches. It builds on
the incremental improvements identified under the first approach, in particular on
strengthening data availability, upgrading systems and embedding Europol tools into national
investigations. At the same time, it goes beyond the existing model where necessary to
address structural limitations by enabling authorised access to national data, reinforcing
Europol’s operational presence in Member States, and strengthening its cooperation with the
EPPO. These measures are designed to be mutually reinforcing. In particular, the incremental
improvements under the first approach create the conditions for the more advanced measures
to operate effectively.
The preferred policy option is expected to significantly improve the effectiveness of cross-
border law enforcement cooperation by reducing information fragmentation, accelerating the
identification of operational links across investigations, and strengthening operational
coordination between EU bodies, offices and agencies. It is also expected to improve the
capacity of national authorities to investigate increasingly digital, cross-border, and data-
intensive forms of crime through enhanced analytical support, shared technological
capabilities, and more integrated operational support structures. Citizens are expected to
benefit through strengthened internal security and more effective prevention and combating of
serious and organised crime and terrorism.
The preferred policy option requires significant investments at both EU and Member State
level, in particular for the development of shared technological infrastructures,
interoperability solutions, operational integration measures, and enhanced analytical and
operational capabilities. Estimated one-off costs amount to approximately EUR 255 million
for Member States and EUR 240 million for Europol, while annual recurring costs are
estimated at approximately EUR 48 million for Member States and EUR 78 million for
Europol. Total estimated costs over the 2028-2034 period amount to around EUR 590 million
for Member States and EUR 789 million for Europol. At the same time, the use of shared EU-
level infrastructures and capabilities is expected to generate considerable efficiencies and
economies of scale, including estimated savings of approximately EUR 42 million compared
to separate implementation approaches.
The interference with the rights to privacy and protection of personal data arising from the
preferred policy option remains both necessary and proportionate. This is justified in the light
of its objective: ensuring the effective prevention and combating of serious and organised
crime and terrorism in an increasingly digital and cross-border operational landscape. The
impact assessment concluded that the current data processing framework no longer reflects
the operational realities of modern criminal intelligence and creates structural limitations
affecting Europol’s ability to support Member States effectively. At the same time, the
proposal substantially strengthens and restructures the safeguards framework applicable to
Europol’s processing activities. In particular, it introduces a more detailed legal and technical
framework governing Europol’s data environments, processing regimes, access conditions,
EN 13 EN
separation of processing environments, logging and traceability requirements, storage periods,
and supervisory and oversight mechanism.
The impact assessment received a positive opinion from the Commission’s independent
Regulatory Scrutiny Board on 17 April 2026. The summary sheet of the impact assessment is
available at the following link: Executive summary of the Impact assessment - Migration and
Home Affairs.
The RSB requested improvements to the impact assessment regarding the policy context,
evidence base, intervention logic, impact analysis, and monitoring framework. In response,
the impact assessment was revised to better explain the evolution of Europol’s mandate and
the wider EU security framework, strengthen the evidence base through evaluation findings
and operational data, refine the objectives and policy options, deepen the assessment of
impacts and safeguards, and reinforce the monitoring and evaluation framework through
clearer objectives and indicators.
• Regulatory fitness and simplification
The proposal delivers a major simplification of Europol’s data-processing rules and related
procedures, directly addressing inefficiencies in the current framework. Today, most datasets
received by Europol are unstructured, and implementing the existing data categorisation rules
and derogations is highly complex and resource intensive. The proposal aligns these rules
with Regulation (EU) 2018/1725, eliminating unnecessary complexity that were unique to
Europol, while maintaining high data protection standards through this alignment.
Similarly, the prior consultation procedures, which currently can delay operational
deployment of new capabilities. The proposal simplifies these procedures, removing
procedural bottlenecks and accelerating implementation, while freeing up significant
operational resources. Collectively, these changes reduce administrative workload and hence
the associated human and financial resources needed for governance.
The proposal also introduces automated and structured data-sharing mechanisms between
Member States and Europol and facilitates the integration of Europol tools into national
workflows. This approach significantly reduces the administrative burden on Member States,
eliminates the need for manual handling of data, accelerates the exchange of criminal
intelligence, and allows Member State authorities to focus on core law enforcement tasks
rather than administrative processes.
The proposal is also consistent with the Digital Check, as it supports the digital
transformation of law enforcement cooperation through interoperable systems, automated data
exchange and secure digital infrastructures adapted to the increasingly digital nature of crime.
• Fundamental rights
As the proposal involves the processing and exchange of personal data for law enforcement
purposes, particular attention has been given to observing the principles, rights and freedoms
recognised in the Charter of Fundamental Rights of the European Union, in particular the
right to respect for private and family life (Article 7) and the right to the protection of
personal data (Article 8), as well as ensuring compliance with the EU’s data protection
framework, including Regulation (EU) 2018/1725.
The proposal does not introduce new categories of personal data or new processing purposes.
Instead, it simplifies the requirements under which lawfully obtained data may be processed
EN 14 EN
by aligning the rules on data subject categorisation under Europol’s legal framework with
Regulation (EU) 2018/1725. Europol remains required to distinguish between categories of
data subjects. Where such distinction is not possible or where processing outside those
categories is necessary for the performance of Europol’s tasks, processing may take place
subject to the conditions laid down in this Regulation and appropriate oversight, including the
involvement of Europol’s Data Protection Officer. The proposal preserves the core safeguards
of the existing framework, including purpose limitation, necessity and proportionality
requirements and independent supervision by the European Data Protection Supervisor.
While such processing may interfere with the rights guaranteed under Articles 7 and 8 of the
Charter of Fundamental Rights of the European Union, that interference is justified by the
objective of preventing and combating serious and organised crime and terrorism and is
limited to what is necessary and proportionate for the performance of Europol’s tasks. In
today’s criminal investigations, competent authorities increasingly collect and transmit large
volumes of unstructured data originating from a variety of sources, including digital devices,
communication services and online platforms. Such datasets often require complex processing
and analysis before the information they contain can be organised, interpreted, structured and
attributed to specific categories of data subjects. Moreover, even where data subjects can be
categorised, the relevance of particular information and the existence of links between
persons, investigations, criminal activities and criminal networks might require further
analysis on the basis of new leads and information previously not available. The processing of
such datasets is therefore necessary to enable Europol to identify relevant information, detect
previously unknown connections and provide effective support to Member States in the
prevention and combating of serious and organised crime and terrorism, subject to the
conditions provided for in this Regulation.
4. BUDGETARY IMPLICATIONS
The proposal has budgetary implications at both EU and Member State level. At EU level, the
strengthening of Europol’s role as an information, operational and technology hub will require
additional human, technical and financial resources estimated at approximately EUR 1.053
billion over the implementation period. These investments relate to enhanced data-processing
and analytical capacities, operational support, technological capabilities and secure digital
infrastructures. At the same time, and thanks to the above-mentioned simplification and
reduction of administrative complexity, the proposal does not require any increase in
Europol’s spending for governance.
The implementation of the proposal will also entail costs for Member States, estimated at
approximately EUR 590 million in payments over the first seven years, in particular for the
adaptation of national systems, workflows and technical interfaces necessary to support more
integrated and automated cooperation with Europol systems and tools.
The detailed financial implications of the proposal are set out in the legislative financial
statement accompanying the proposal. The estimated financial and staffing implications for
2028 and beyond are provided for illustrative purposes only and do not pre-empt decisions on
the next multiannual EU budget (2028-2034 multiannual financial framework). The funding
sources and the extent of the EU’s financial commitment beyond 2027 will depend on the
outcome of the interinstitutional negotiations for the 2028-2034 multiannual financial
framework. Thereafter they must be determined through the annual budgetary procedure. All
appropriations and staffing allocations from 2028 onwards are therefore indicative.
EN 15 EN
5. OTHER ELEMENTS
• Implementation plans and monitoring, evaluation and reporting arrangements
The implementation of the proposal will follow reinforced governance structures in line with
the common approach applicable to decentralised EU agencies, with Europol reporting
regularly to the Management Board and the Joint Parliamentary Scrutiny Group. A dedicated
Executive Board will assist the Management Board in overseeing the preparation and
implementation of the annual and multiannual programming, and more generally in
reinforcing supervision of administrative and budgetary management.
Performance, operational outcomes, and compliance with legal and data protection
obligations will be monitored and evaluated using established reporting cycles and
procedures, complemented where necessary to reflect the new measures. The proposal also
strengthens Europol’s capacity to generate more structured, automated and comparable
statistical reporting at EU level, which will support more effective monitoring of the overall
performance of the Regulation.
The Commission will evaluate the functioning and effectiveness of the Regulation in line with
standard evaluation requirements and report on its performance.
• Detailed explanation of the specific provisions of the proposal
Chapter I – General provisions, objectives and tasks of Europol
Chapter I establishes Europol, defines its objectives, legal status, seat and scope of
competence, and sets out the core functions through which Europol supports the competent
authorities of the Member States.
It also includes gender-based violence among the forms of crime falling within Europol’s
competence. This reflects the increasing cross-border and technology-facilitated nature of
such conduct and ensures coherence with Directive (EU) 2024/1385, thereby enabling
Europol to support Member States more effectively through information exchange, criminal
intelligence analysis and operational cooperation.
In contrast to Regulation (EU) 2016/794, which defines Europol’s tasks through an extensive
and detailed list of activities, the proposed Article 4 structures Europol’s competence around
its principal functions and responsibilities, namely information processing and criminal
intelligence, operational support, strategic and operational analysis, cooperation with Union
bodies, offices and agencies, third countries and international organisations, and research and
innovation activities. The detailed rules governing the exercise of those functions, including
the including the applicable procedures, powers, conditions and safeguards are set out in the
relevant substantive chapters.
This approach provides a more coherent, flexible, and clear legal framework. It strengthens
transparency and accountability by creating a clearer structure for how Europol is expected to
operate and deliver on its mandate, while at the same time preserving the operational
flexibility needed for Europol to respond effectively to evolving threats and operational
realities.
Chapter II – Operational cooperation
EN 16 EN
This Chapter establishes a new operational framework for Europol’s activities, designed to
equip it to support increasingly complex, interconnected, and multidimensional investigations
through a multidisciplinary operational model. It moves Europol towards a more structured
and continuous form of operational delivery, where operational coordination, criminal
intelligence, specialised expertise, analytical capabilities, and operational support are
organised within a coherent operational architecture rather than through isolated or case-by-
case arrangements.
Article 7 structures Europol’s strategic analytical support functions. Article 8 defines the
operational capabilities that are required to provide continuous support to Member States,
including Europol’s key role in identifying operational links, detecting cross-border
connections between investigations, and supporting operational coordination across Member
States. Article 9 significantly reinforces Europol’s role in supporting “follow the money”
investigations and asset tracing as a core operational dimension of cross-border investigations.
It establishes stronger cooperation mechanisms with national asset recovery offices and
financial intelligence units, grants Europol better access to relevant financial and asset-tracing
information and introduces the possibility for Europol to request urgent freezing measures
where there is an imminent risk of dissipation of criminal assets. It establishes stronger
cooperation mechanisms with national asset recovery offices and financial intelligence units,
grants Europol better access to relevant financial and asset-tracing information and introduces
the possibility for Europol to request urgent freezing measures to Member States where there
is an imminent risk of dissipation of criminal assets. Article 11 strengthens Europol’s follow-
up to cross-border criminal intelligence by ensuring that proposals to launch investigations are
systematically channelled to Eurojust for judicial coordination purposes. This will ensure that
criminal intelligence requiring investigative follow-up can be taken forward through the
appropriate judicial coordination mechanisms at EU level.
Section 2 establishes the permanent operational backbone through which Europol organises
and delivers continuous specialised operational support to Member States.
Reflecting the increasingly interconnected and multidimensional nature of serious and
organised crime and terrorism, Article 12 establishes the Operational and Analysis Service as
Europol’s central and permanent 24/7 operational coordination and criminal intelligence hub.
The Service is designed to function as Europol’s operational nerve centre, ensuring the
continuous coordination of information exchange, criminal intelligence analysis, operational
support requests, and operational follow-up across Europol’s operational architecture. A core
function of the Service is to identify operational links across national investigations, bring
together information and expertise from different operational areas, support coherent
operational responses across the Union, and ensure coherence between the different centres of
specialised expertise.
Article 13 creates a common and scalable legal framework for Europol’s Centres of
specialised expertise as the primary specialised capability and expertise structures within
Europol, bringing together criminal intelligence, operational coordination, specialised
capabilities, analytical and forensic support, and operational expertise in key areas. It builds
on the approach introduced by the European Parliament and the Council through Regulation
(EU) 2025/2611 establishing the European Centre against Migrant Smuggling.
Articles 14 to 18 establish the operational framework for the Centres of Operational
Expertise. The provisions recognise that the effective delivery of Europol’s support requires
the concentration of specialised expertise and capabilities in priority crime areas requiring
EN 17 EN
sustained Union-level action. The Centres constitute the principal organisational mechanism
through which Europol prioritises, develops and delivers such operational support and ensures
coherence across its activities. Given their central role in the performance of Europol’s
mandate and in the allocation of operational resources, the basic framework governing the
Centres is laid down in this Regulation. Further details on the organisation and functioning of
the Centres are to be laid down in implementing rules adopted by the Management Board.
This will allow their operational set up to evolve alongside operational priorities and
emerging threats.
These provisions also reflect that serious and organised crime increasingly presents a hybrid
dimension. The provisions therefore ensure that, where criminal activities related to a crime
falling within the scope of Europol’s competence involve a hybrid dimension, Europol is able
to support Member States through the full range of its operational capabilities. For this reason,
this dimension is integrated across all Centres, recognising that criminal activities involving a
hybrid dimension may arise across any of the crime areas falling within Europol’s mandate
and cannot be confined to a single operational domain.
Article 19 ensures that Europol’s operational architecture remains capable of evolving over
time through the establishment of additional Centres where emerging threats or operational
needs require new permanent specialised capabilities at EU level.
Section 3 establishes the core operational cooperation instruments through which Europol
supports coordinated operational action. Article 20 sets out the framework for operational task
forces as a flexible operational coordination mechanism supporting priority investigations and
operational actions in high-value and operationally significant cross-border cases. Article 22
establishes the framework governing Europol deployments for operational, technical,
analytical, and forensic support to Member States and, where applicable, non-EU countries.
Article 23 establishes the framework for Europol’s role in supporting the European
Multidisciplinary Platform Against Criminal Threats (EMPACT).
The provisions codify these operational cooperation instruments within a legal framework,
clarifying the specific operational purpose and added value of each structure while ensuring
their complementarity. The objective is to provide sufficiently broad and flexible operational
categories capable of covering most operational support and coordination needs, avoiding the
continuous multiplication of ad hoc structures while preserving the flexibility needed to
respond to evolving operational realities.
Article 21 strengthens the continuum of EU-level support for law enforcement cooperation
and judicial cooperation by reinforcing Europol’s participation in joint investigation teams.
Article 24 establishes specialised operational and technical expert pools composed of Member
State experts to ensure the availability of highly specialised operational, analytical and
technical expertise.
Section 4 strengthens the framework governing national structures for cooperation with
Europol, recognising that the effectiveness of Europol’s operational model ultimately depends
on its integration within national law enforcement systems. To this end, Article 25
restructures and significantly expands the role of Europol national units, reinforcing their role
as the main operational interface between Europol and the competent national authorities.
A central element of this proposal is the establishment, under Article 26, of Europol support
offices within the Europol national units. These offices are designed to ensure the continuous
EN 18 EN
operational integration of Europol’s operational, analytical, technical, and forensic
capabilities directly into national investigations and operational activities. To this end, the
staff deployed to the offices would support the day-to-day identification of operational needs,
facilitate the mobilisation of Europol capabilities and operational instruments in ongoing
investigations, assist national authorities in making operational use of Europol systems,
analyses, and specialised support, and ensure continuous operational coordination and follow-
up between Europol and the competent national authorities throughout the operational life
cycle of investigations and operational actions. Reflecting their bridging function between
EU-level and national operational environments, the offices are staffed by Europol staff with
prior experience in Member State’s competent authorities and operate through a dual
reporting line ensuring close operational integration with both Europol and the national
authorities concerned. This model promotes the continuous circulation of expertise between
Europol and the Member States, enabling operational experience acquired at national level to
be integrated into Europol’s activities while ensuring that knowledge of Europol’s
capabilities, tools and working methods is subsequently transferred back into national law
enforcement structures.
Chapter III – Information management
Articles 28 and 29 strengthen the framework governing Member States’ provision of
information to Europol. Building on the existing obligations under Regulation (EU) 2016/794
and pursuant to Directive (EU) 2023/977, it updates the framework to support more timely,
structured and interoperable information exchange and introduces an annual assessment of
Member States’ information contributions.
Article 30 sets out Europol’s role in the Schengen Information System (SIS), in particular on
the operational use of supplementary information, support for information alerts and the
operational follow-up to SIS hits. Article 31 sets out Europol’s role in relation to the Visa
Information System (VIS) and the European travel information and authorisation system
(ETIAS).
Article 32 establishes the purposes of information processing activities by Europol, The
provision enables Europol to process information in so far as is necessary for fulfilling its
tasks and exhaustively determines the purposes for which Europol may process personal data
cross-checking aimed at identifying connections or other relevant links with information
related to a criminal offence in respect of which Europol is competent; strategic or thematic
analysis; operational analysis, facilitating operational information exchange; supporting
research and innovation activities and supporting Member States in informing the public
about wanted suspects or convicted individuals.
At the same time, the provision aligns Europol’s data subject categorisation regime with the
approach set out in Regulation (EU) 2018/1725. This marks a fundamental shift with
significant operational benefits while maintaining the necessary safeguards applicable across
EU entities and also at national level. The constraints imposed by the previous regime on data
subject categorisation have emerged as a key operational bottleneck, severely limiting
Europol’s ability to support Member States effectively. Without this change, the broader
modernisation of Europol’s operational and technological capabilities would remain
structurally hindered.
In particular, it marks a shift from the logic of the previous regime under which Europol
should in principle only process personal data falling within one of the data subject categories
set out in Annex II, with the processing of personal data outside of these data subject
categories as exception. Instead, Article 32 together with Annex II reflects the operational
EN 19 EN
reality of modern law enforcement where the extraction of information from large and
unstructured datasets constitutes a core operational task of law enforcement authorities, and
hence also of Europol in support of national authorities. Indeed, Europol operates in an
information environment characterised by high volumes of heterogeneous data, which often
originate from multiple sources and operational contexts. A substantial share of that
information is received in an unstructured form, making categorisation with predefined data
subject categories difficult or at times even impossible. Article 32 therefore provides that
Europol must distinguish between categories of data subjects “where applicable and as far as
possible”, in line with Regulation (EU) 2018/1725.
Article 32 explicitly allows Europol to process personal data relating to persons outside the
predefined categories of data subjects listed in Annex II, where such processing is necessary
and proportionate for the performance of Europol’s tasks. This reflects the dynamic nature of
police investigations and criminal intelligence activities, where the operational relevance of
certain data or their connection to criminal activities may only emerge progressively during
operational analysis or through the identification of links across investigations.
Specific safeguards apply to the instances where Europol processes data outside of the
categories listed in Annex II, such as obligations for Europol to immediately delete such data
once the purpose of processing is fulfilled, inform the Data Protection Officer and keep such
data functionally separate from ‘categorised’ data.
Article 33 preserves the data ownership principle as a core enabler of law enforcement
cooperation facilitated by Europol’s information processing activities. It ensures that the
Member States, EU institutions, bodies, missions, office and agencies, third countries and
international organisations providing information to Europol retain control over the purposes
for which that information may be processed and over any access restrictions on that
information, including as regards its use, transfer, transmission, erasure or destruction. Article
34 sets out the duty to consult or notify the owner of the information where relevant.
Section 2 establishes the legal and technical framework governing Europol’s data
environment and constitutes a central safeguard accompanying the changes introduced in
Article 35 concerning data subject categorisation. The provisions define Europol’s data
environment to ensure that different processing activities are carried out within clearly
regulated technical and operational frameworks accompanied by appropriate safeguards and
access conditions.
It sets out clear and precise rules on the functioning of a number of Europol’s core services
and tools. This includes Europol’s cross-matching service (Articles 36-39) for Member
States’ competent authorities to upload, query and access data against Europol’s analytical
environment (Articles 40-41) to store, analyse and process data to fulfil its analytical tasks,
the Police Shared Data Space (Articles 42-45), where Member States’ competent authorities
can open and perform joint operational analysis, in cooperation with Europol. It also sets out
rules on the Secure Information Exchange Network Application (SIENA – Article 46) and of
the information exchange mechanism aimed to facilitate communication with private parties
(Article 47). Europol’s role in the European Police Record Index System is also set out
(Article 48) as well as the possibility for the Commission to adopt implementing acts to
regulate additional functionalities or services and tools to be developed by Europol.
Section 3 sets out the rules required for the operation of Europol’s services and tools. This
includes rules on a cloud infrastructure (Article 50) to support the storage, processing,
analysis and exchange of data, in an efficient and scalable fashion, for the purposes set out in
this Regulation, as well as on the minimum requirements for police officers to access such
data, by means of an EU Police Digital Identity (Article 51). It also includes requirements on
EN 20 EN
the reporting of statistical information for oversight and accountability purposes (Article 52)
and sets out Europol’s role in relation to the Universal message format (UMF – Article 53)
and of an EU DNA matching application (Article 54).
Chapter IV – Technological capabilities and innovation
Chapter IV is structured along the innovation and capability development life cycle
framework.
The objective is to avoid fragmented or isolated innovation activities by creating continuity
between technological foresight, capability planning, research and innovation, development of
advanced capabilities, operational testing, deployment, operational uptake, and specialised
operational support.
Chapter IV is based on the recognition that the technological transformation of internal
security increasingly requires capabilities, infrastructure, expertise, computing environments,
data-processing capacities, and innovation ecosystems whose scale, complexity, and cost can
no longer be efficiently developed at national level alone. Europol is uniquely positioned to
support this role given its ability to identify common technological and operational needs, and
its capacity to develop interoperable, scalable, and shared technological solutions capable of
supporting law enforcement authorities across the EU. The objective is therefore to avoid
technological fragmentation, duplication of investments, and diverging capability levels
between Member States in areas where common EU-level technological capabilities provide
clear operational and financial benefits.
Article 57 establishes the strategic foresight and capability planning layer under the
establishment of a framework mechanism to identify operational capability gaps, emerging
technologies, and future capability priorities at EU level. The provision is designed to support
a more strategic and coordinated approach to technological capability development, including
in areas such as interoperability, standardisation, capability sharing, and joint procurement.
Article 58 clarifies Europol’s role in relation to Union funding programmes by enabling
Europol to assist the Commission in the programming of the Union Framework Programme
for Research and Innovation and participate in capability-development activities funded
through the European Competitiveness Fund, while ensuring appropriate safeguards to
prevent conflicts of interest.
Article 59 provides a legal basis for Europol to develop, host, operate, and provide shared
advanced technological capabilities for law enforcement. This includes AI-enabled
applications, secure information-processing environments, forensic capabilities, cloud-based
collaborative environments, and capabilities supporting the processing and analysis of
lawfully obtained encrypted data. It also introduces a mechanism enabling a number of
Member States to request Europol to develop common EU-level capabilities where shared
technological solutions provide operational benefits.
Article 60 establishes the research and innovation layer by providing Europol with a
comprehensive legal basis to carry out and participate in research and innovation activities.
This includes pilot projects, artificial intelligence-related activities, operational
experimentation, and participation in regulatory sandboxes for artificial intelligence systems.
Article 61 establishes the legal and technical framework enabling Europol to develop, test and
validate artificial intelligence systems and models in a secure environment, including through
EN 21 EN
the use of AI regulatory sandboxes35 and dedicated safeguards ensuring compliance with
Union law.
Articles 62 and 63 establish the operational capability development and deployment layer by
strengthening Europol’s role in supporting the operational testing, validation, deployment,
scaling, and operational uptake of innovative technologies and capabilities. The objective is to
ensure continuity between research activities and operational deployment across Member
States.
Article 64 establishes the expertise and operational support layer ensuring that advanced
technological capabilities are accompanied by specialised operational expertise and training.
The provision significantly strengthens Europol’s role in supporting Member States through
specialised expertise, while reinforcing cooperation with the European Union Agency for Law
Enforcement Training (CEPOL) in areas requiring coordinated EU-level support and
specialised training.
Articles 65 to 67 establish the coordination and governance layer through the creation of a
dedicated Capabilities and Innovation Service and a Capabilities and Innovation Advisory
Group bringing together Member States, relevant EU bodies, and experts within a common
EU innovation ecosystem for internal security.
Chapter V – Organisation of Europol
Chapter V aligns Europol’s governance model with the common approach applicable to
decentralised EU agencies. It updates the composition of the Management Board (Article 69)
and reinforces its functions (Article 72) in order to boost its effectiveness and strengthen its
strategic decision-making role.
Article 75 establishes an Executive Board to support the Management Board, in line with the
two-layer governance model recommended for EU agencies. This aims to ensure more
efficient oversight and preparation of decisions, while allowing the Management Board to
focus on strategic matters. In the light of the significant expansion of Europol’s
responsibilities and the corresponding increase in resources, the Executive Board will also
contribute to strengthened budgetary oversight.
Article 77 provides for the central role of the Executive Director in ensuring the overall
functioning of the Agency, while reinforcing clear accountability for the effective
implementation of Europol’s mandate and strategic priorities.
Chapter VI – Relations with Union entities
Article 79 establishes common provisions governing Europol’s cooperation with EU bodies,
offices and agencies, including operational cooperation and information exchange. The
provision introduces a framework for working arrangements, which requires the
Commission’s prior approval for working arrangements concluded with Union bodies, offices
and agencies established within the framework of the TFEU.
Article 80 provides for indirect access to information held by Europol for relevant EU bodies,
offices and agencies, on the basis of an automated hit/no-hit system and on the conditions of
reciprocity. The provision creates a more coherent and future-proof framework for
information cross-checking across EU bodies, offices and agencies, notably the anti-fraud
35 Established pursuant to Regulation (EU) 2024/1689 (Artificial Intelligence Act).
EN 22 EN
actors, while maintaining the applicable access restrictions, data ownership principles, and
data protection safeguards. It also provides for the adoption of implementing acts setting out
the technical procedure, to also ensure coherent technical standards and interoperability across
the broader EU anti-fraud architecture. The automation of the hit/no-hit system for data
exchange substantially reduces manual follow-up, improving efficiency and operational
responsiveness.
Articles 81 to 90 further structure and strengthen Europol’s cooperation with key EU bodies,
offices and agencies, including the EPPO, Eurojust, OLAF, AMLA, Frontex, eu-LISA, the
EU Drugs Agency, the EU Agency for Fundamental Rights, the EU Customs Authority and
ENISA.
Article 81 significantly strengthens Europol’s relationship with the EPPO, reflecting the
growing operational importance of cooperation in combating complex cross-border financial
crime affecting the EU’s financial interests. The provision reinforces Europol’s obligations to
support the EPPO investigations, including through dedicated analytical support. It also
establishes a dedicated hit/no-hit mechanism enabling the EPPO to access data held by
Europol related to offences falling within the EPPO’s competence regardless of any
restrictions on access to or use of information provided to Europol by Member States and
Union institutions, bodies, offices or agencies. This dedicated mechanism reflects the
particular role, status and competence of the EPPO within the Union’s system for protecting
the Union’s financial interests and the obligations that Member States and Union institutions,
bodies, offices and agencies have under Regulation (EU) 2017/1939. Therefore, a targeted
derogation from the application of the restrictions indicated by providers of information to
Europol is conceivable only as regards the EPPO.
Chapter VII – Relations with partners
Article 92 strengthens framework governing Europol’s external engagement by ensuring that
Europol’s cooperation with non-EU countries and international organisations remains aligned
with the EU’s external policies and strategic priorities.
Article 93 establishes a specific framework for cooperation with countries associated with the
implementation, application and development of the Schengen acquis, reflecting their
particular role in the functioning and security of the Schengen area. Unlike other third
countries, those countries participate in an area without controls at the internal borders and
share responsibility for maintaining a high level of security throughout the Schengen area. In
light of that close integration, the Article provides for the possibility of a higher degree of
operational integration with Europol than is available under the general framework for
cooperation with third countries. To that end, international agreements with those countries
may provide, for direct access to specified Europol information exchange mechanisms,
participation in certain governance structures, the posting of liaison officers and
corresponding obligations relating to information sharing and financial contributions.
Article 96 updates and consolidates the framework governing Europol’s cooperation with
private parties. It clarifies the conditions under which Europol may receive and process
personal data directly from private parties and reinforces Europol’s role as a facilitator of
cooperation between private parties and the competent authorities of the Member States. To
ensure that information relevant for criminal investigations can be acted upon effectively,
Europol is required to transmit relevant information received from private parties to the
Member States concerned.
The Article provides for limitations on the transmission and transfer of personal data by
Europol to private parties. Such exchanges remain subject to necessity and proportionality
EN 23 EN
requirements. Special conditions apply to transfers to private parties established outside the
Union and outside countries benefiting from an adequacy decision.
The Article further clarifies the relationship between Europol’s cooperation with private
parties and the responsibilities of Financial Intelligence Units, ensuring that Europol’s
activities do not duplicate or interfere with the anti-money laundering framework established
under Union law.
In addition, the Article, read together with Article 47, strengthens Europol’s role as a trusted
technical intermediary by allowing Member States and private parties to use Europol’s
infrastructure for the secure exchange of information in accordance with Union and national
law. Where such exchanges concern crimes falling within Europol’s competence, Europol is
provided with a copy of the information exchanged in order to support its operational and
analytical tasks. The Article also introduces enhanced transparency and accountability
measures, including reporting obligations to the Management Board, the European
Parliament, the Council, the Commission and national parliaments.
Chapter VIII – Data protection
Chapter VIII establishes the main data protection safeguards governing Europol’s processing
activities, while aligning the framework with Regulation (EU) 2018/1725. It provides for the
framework governing sensitive data processing (Article 100), storage periods and erasure of
data (Article 101), rights of data subjects including access, rectification and erasure (Articles
105 and 106) and responsibility for data protection compliance (Article 107). It further
reinforces the institutional safeguards architecture through the roles for the Data Protection
Officer and the Fundamental Rights Officer (Articles 109 and 110), mandatory fundamental
rights training (Article 111), and enhanced supervision and cooperation mechanisms between
the European Data Protection Supervisor (EDPS) and national supervisory authorities
(Articles 112 and 113).
Article 102 establishes a dedicated framework governing the processing of personal data in
the context of Europol’s research and innovation projects. This includes activities involving
artificial intelligence systems and models. The provision provides for specific safeguards
relating to prior authorisation, isolated processing environments, restricted access, purpose
limitation, and data protection impact assessments for certain projects, while clarifying that
those requirements do not apply to the development or deployment of existing tools or
capabilities where the nature, scope, and purpose of the processing remain unchanged.
On the prior consultation of the EDPS, Article 108 permits Europol, in duly justified cases of
urgent operational necessity, to exceptionally begin certain processing activities without prior
EDPS consultation. Such cases remain subject to prior notification of the EDPS; involvement
of the Data Protection Officer; and subsequent submission of the required consultation to the
EDPS.
Chapter IX – Remedies and Liability
Chapter IX establishes the framework governing remedies and liability, which is
complementary to and aligned with that of Regulation (EU) 2018/1725. It sets out the
procedure for the handling of complaints by the EDPS (Article 114) and general provisions on
liability and the right to compensation (Article 115).
Chapter X - Joint Parliamentary Scrutiny Group
Chapter X sets out the arrangements for the joint parliamentary scrutiny of Europol by the
European Parliament and national parliaments through the Joint Parliamentary Scrutiny
Group. It defines the mechanisms for political oversight of Europol’s activities, including
EN 24 EN
reporting obligations, access to information and the involvement of the European Data
Protection Supervisor.
Chapter XI – Staff
Chapter XI sets out the rules governing Europol’s staff. It provides for the application of the
Staff Regulations and the Conditions of Employment of Other Servants to Europol staff and
establishes the categories of staff employed by Europol. The Chapter also lays down specific
provisions aimed at preserving and renewing operational expertise within Europol, including
through posts reserved for personnel with experience in the competent authorities of the
Member States and through the use of seconded national experts.
Chapter XII – Financial provisions
Chapter XII lays down the financial framework governing Europol’s budgetary planning,
financing, implementation and accountability. Article 120 establishes the principles applicable
to Europol’s budget and defines its sources of revenue, including the contribution from the
Union budget, contributions from countries associated with the implementation, application
and development of the Schengen acquis where provided for in the relevant international
agreements, and voluntary financial contributions from Member States. It also sets out the
main categories of expenditure and permits the use of multiannual budgetary commitments.
Article 121 governs the preparation, establishment and adoption of Europol’s budget and
establishment plan. In particular, it requires the draft statement of estimates to be prepared in
a manner that ensures a clear differentiation of appropriations by sub-activity, consistent with
the structure of the Single Programming Document, thereby strengthening the link between
budgetary resources, operational priorities and expected outputs. The Article also defines the
respective responsibilities of the Executive Director, the Management Board, the
Commission, the Council and the European Parliament in the annual budgetary procedure.
Article 122 entrusts the implementation of the budget to the Executive Director.
Article 123 sets out the arrangements relating to accounting, audit and discharge, including
the preparation and presentation of accounts, the role of the Court of Auditors, the adoption of
final accounts by the Management Board and the discharge procedure before the European
Parliament, thereby ensuring compliance with the Union’s financial accountability
framework.
Article 124 establishes the framework governing Europol’s financial rules, which are to be
aligned with the Union’s framework financial regulation for decentralised agencies unless
operational requirements justify specific derogations approved by the Commission. In
addition to providing for the award of grants, including without a call for proposals where this
is justified by the nature of the beneficiaries and the operational objectives pursued, the
Article enables Europol to support operational cooperation activities, including joint
investigation teams, and, where necessary, to contribute to the financing of equipment and
infrastructure required for law-enforcement cooperation.
Chapter XII – Miscellaneous provisions
Chapter XIII contains miscellaneous provisions governing the legal, administrative and
accountability framework applicable to Europol. It lays down rules on privileges and
immunities, language arrangements, transparency and public access to documents, the
protection of sensitive non-classified and classified information, and the prevention and
investigation of fraud affecting the Union’s financial interests. The Chapter also provides for
the periodic evaluation of Europol, inquiries by the European Ombudsman, and the
arrangements relating to Europol’s seat and headquarters.
EN 25 EN
Chapter XIV – Transitional provisions
Chapter XIV contains the transitional provisions necessary to ensure legal certainty and the
uninterrupted functioning of Europol following the repeal of Regulation (EU) 2016/794.
Article 133 establishes Europol as the legal successor to the agency established under
Regulation (EU) 2016/79 in respect of all rights and obligations arising under national, Union
and international law. It further provides that the replacement of the existing legal framework
does not affect the validity of cooperation agreements and working arrangements concluded
by Europol under the Europol Convention, Decision 2009/371/JHA or Regulation (EU)
2016/794. Those instruments remain in force and continue to apply until they expire or are
replaced.
Article 134 sets out the arrangements governing the transition to the new Regulation. It
ensures the continuity of ongoing operational activities, the continued processing of data
lawfully held by Europol, and the validity of existing authorisations relating to transfers of
personal data. It also preserves the legal effects of decisions, implementing measures, rules
and arrangements adopted under Regulation (EU) 2016/794 pending their review,
amendment, replacement or repeal under the new framework. In this context, the Management
Board is required to assess the continued compatibility of existing acts with this Regulation
and to take the necessary measures to adapt Europol’s internal framework where appropriate.
Chapter XV –Amendments to other existing instruments
Chapter XV contains amendments to related Union instruments necessary to support the
implementation of this Regulation. Article 135 provides for consequential amendment in
order to strengthens the legal framework for cooperation between Europol and eu-LISA in
areas of common technical and operational interest. Article 136 amends Regulation (EU)
2024/982 to enable Europol to make use of the Prüm II framework.
Chapter XVI - Final provisions
Chapter XVI lays down the arrangements governing the implementation of this Regulation. It
establishes a phased approach for the operational deployment of key systems and capabilities,
defines the procedures applicable to implementing and delegated acts, and provides for the
repeal of Regulation (EU) 2016/794 and the continuity of references made thereto.
EN 26 EN
2026/0165 (COD)
Proposal for a
REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
on the European Union Agency for Law Enforcement Cooperation (Europol), amending
Regulation (EU) 2018/1726 and Regulation (EU) 2024/982, and repealing Regulation
(EU) 2016/794
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular
Article 87(2), point (a), and Article 88 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national Parliaments,
Acting in accordance with the ordinary legislative procedure,
Whereas:
(1) Pursuant to Article 67(1) and (3) of the Treaty on the Functioning of the European
Union (TFEU), the Union is to offer its citizens an area of freedom, security and
justice in which a high level of security is ensured through measures to prevent and
combat crime, racism and xenophobia, and through coordination and cooperation
between police and judicial authorities and other competent authorities of the
Member States.
(2) The existence of an area without internal border controls presupposes a common
responsibility of the Union and the Member States to ensure a high level of internal
security. Effective prevention and combating of serious crime, terrorism and other
forms of crime affecting a common interest covered by a Union policy require
effective cooperation, coordination and information exchange between the competent
authorities of the Member States.
(3) Serious crime, terrorism and other forms of crime affecting a common interest
covered by a Union policy increasingly have a cross-border dimension and are
characterised by a high degree of complexity and adaptability. Such criminal
activities frequently generate links that may not be apparent from a national
perspective alone. To support the competent authorities of the Member States in
addressing such threats effectively and to contribute to a coherent and effective
response throughout the Union, enhanced support and coordination at Union level
are necessary.
(4) Article 88 TFEU provides that Europol’s mission is to support and strengthen action
by the competent authorities of the Member States and their mutual cooperation in
preventing and combating serious crime affecting two or more Member States,
terrorism and forms of crime affecting a common interest covered by a Union policy.
(5) Europol was initially established by the Europol Convention of 26 July 1995 and was
subsequently integrated into the Union framework by Council Decision
EN 27 EN
2009/371/JHA36. Regulation (EU) 2016/794 of the European Parliament and of the
Council37 further strengthened Europol’s role.
(6) In carrying out its mission, Europol should support the competent authorities of the
Member States through information exchange, operational analysis and operational
support, and other forms of assistance within the scope of its competence. Given the
cross-border nature of the crimes falling within the scope of its competence and the
diversity of actors involved in preventing and combating them, Europol should also
facilitate the effective cooperation between the competent authorities of the Member
States and, where appropriate, between those authorities and relevant Union
institutions, bodies, offices and agencies, third countries, international organisations
and private parties, in accordance with this Regulation.
(7) Effective support for the competent authorities of the Member States requires access
to specialised expertise, capabilities and services that can be developed, maintained
and made available more effectively and efficiently at Union level. Europol should
therefore maintain and continuously develop such expertise, capabilities and services
and make them available to the competent authorities of the Member States, thereby
strengthening their ability to respond to increasingly complex, technologically
sophisticated and cross-border criminal threats.
(8) The criminal threat landscape affecting the Union is continuously evolving. Certain
forms of crime increasingly manifest themselves through online environments,
creating new operational challenges for law enforcement authorities. Gender-based
violence increasingly involves technology-facilitated forms of criminal conduct and
spreads across borders. The use of information and communication technologies
enables such conduct to be committed, facilitated, amplified or disseminated across
jurisdictions, often involving victims, perpetrators, service providers, evidence and
relevant information located in different Member States or third countries. Directive
(EU) 2024/1385 of the European Parliament and of the Council38 recognises violence
against women and domestic violence as a distinct area requiring coordinated action
across the Union. Such offences may therefore affect common interests covered by
Union policies, including equality between women and men, the protection of
victims of crime and the protection of fundamental rights. The recognition of gender-
based violence as a distinct criminal phenomenon under Union law reflects the need
to address those offences in a coherent manner across the Union. Effective action
against gender-based violence may require the combination of information and
expertise relating to different forms of criminal conduct, the identification of links
between cases affecting several jurisdictions and enhanced cooperation between the
competent authorities of the Member States. The list of forms of serious crime in
respect of which Europol is competent should therefore include gender-based
violence.
36 Council Decision 2009/371/JHA of 6 April 2009 establishing the European Police Office (Europol) (OJ
L 121, 15.5.2009, p. 37, ELI: http://data.europa.eu/eli/dec/2009/371/oj). 37 Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the
European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing
Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA
(OJ L 135, 24.5.2016, p. 53, ELI: http://data.europa.eu/eli/reg/2016/794/oj). 38 Directive (EU) 2024/1385 of the European Parliament and of the Council of 14 May 2024 on
combating violence against women and domestic violence (OJ L, 2024/1385, 24.5.2024, ELI:
http://data.europa.eu/eli/dir/2024/1385/oj).
EN 28 EN
(9) To address criminal offences related to the forms of crime falling within the scope of
Europol’s competence that form part of, contribute to or are linked to a threat with a
hybrid dimension, Europol should make full use of the tasks, capabilities and tools
provided for in this Regulation. The existence of a hybrid dimension in a crime
falling within the scope of Europol’s competence should not affect Europol’s ability
to support the competent authorities of the Member States through information
exchange, operational analysis, operational cooperation and other forms of support
within the scope of its competence.
(10) Europol should act in support of the competent authorities of the Member States and
should not itself exercise coercive powers or carry out investigative measures. This
Regulation should therefore establish clear rules concerning Europol’s competence,
tasks and functioning, while ensuring respect for fundamental rights, including the
right to the protection of personal data.
(11) As Europol’s operational support activities have expanded and diversified, it is
necessary to ensure coherence, complementarity and operational continuity between
the different forms of operational support provided by Europol. Europol’s
operational framework should therefore allow its operational tools, specialised
expertise and support structures to function in an integrated and mutually reinforcing
manner, while remaining sufficiently adaptable to evolving operational needs,
technological developments and emerging security threats.
(12) The cross-border and interconnected nature of serious and organised crime and
terrorism requires the identification of links, patterns and developments across
jurisdictions and areas of criminal activity. Fragmented or incomplete criminal
information may create operational blind spots that can be exploited by transnational
criminal networks and terrorists. By bringing together information and criminal
intelligence originating from multiple authorities and sources across the Union and
beyond, Europol is uniquely placed to contribute to the development of a shared
strategic analysis of criminal threats, operational developments and emerging
security risks.
(13) To ensure that strategic analysis is translated into effective action, Europol’s
analytical products should support the identification of priorities, the allocation of
resources and the planning of operational action at Union and national levels,
including within the framework of the European Multidisciplinary Platform Against
Criminal Threats (EMPACT). They should also support the Commission and the
Member States in carrying out risk assessments and verifying the implementation of
the Schengen framework.
(14) The production of a common Union strategic analytical picture should be a shared
responsibility of Europol, the Member States and the relevant Union institutions,
bodies, missions, offices and agencies, which should provide the information
necessary for the preparation of those analytical products in accordance with their
respective mandates and applicable Union law. Europol should also support the
development and use of common analytical methodologies and standards, in
particular for Union-level threat assessments, to strengthen the comparability,
consistency and interoperability of criminal intelligence analysis at Union level.
(15) Europol’s strategic analyses and threat assessments should pay particular attention,
where appropriate, to the Union’s closest neighbourhood and, in particular, to the
situation in countries that are candidate countries and potential candidates for
accession to the Union. Such contributions may include assessments of those
EN 29 EN
partners’ capacities to prevent and combat serious crime and terrorism. The strategic
analyses and threat assessments should be further informed by contributions from EU
candidate countries and potential candidates, whose own national serious and
organised crime threat assessments are being developed with the support of Union-
funded projects.
(16) By bringing together and analysing information and criminal intelligence originating
from multiple sources, Europol may identify links that are not apparent from the
perspective of a single Member State and that may require investigative action at
national level. Since the responsibility for conducting criminal investigations rests
with the competent authorities of the Member States, Europol should therefore be
able, within the scope of its competence, to request those authorities to assess,
without undue delay, the need to initiate, conduct or coordinate investigations in
relation to forms of crime falling within the scope of Europol’s competence. Europol
should also be able to make such request where criminal activity primarily concerns
a single Member State but may have implications for the Union’s internal security.
Criminal activities concentrated in a single Member State may nevertheless form part
of wider criminal phenomena or generate risks and vulnerabilities extending beyond
national borders and therefore require consideration from a broader Union
perspective.
(17) Effective judicial follow up to requests made by Europol concerning the need to
assess the initiation, conduct or coordination of criminal investigations may require
judicial coordination and cooperation at Union level. The European Union Agency
for Criminal Justice Cooperation (‘Eurojust’), established by Regulation (EU)
2018/1727 of the European Parliament and of the Council39, should therefore be
informed without delay of such requests and of any follow-up decision taken by the
competent authorities of the Member States. That should enable Eurojust to facilitate
judicial follow-up, ensure coherence between law enforcement and prosecutorial
action at Union level and exercise its tasks in accordance with that Regulation.
(18) Operational coherence across Europol’s activities is essential for an integrated
response to serious and organised crime, terrorism and other forms of crime falling
within the scope of Europol's competence. Given the increasingly interconnected
nature of criminal threats and the growing complexity of criminal activities, Europol
should ensure the coordinated handling of information, criminal intelligence and
operational support across its structures and areas of specialised expertise. Europol
should therefore maintain a permanent Operational and Analysis Service to ensure
coordination and coherence across its activities and to support Member States in
delivering a multidisciplinary operational response at Union level.
(19) Several forms of crime falling within Europol’s competence require dedicated
expertise, operational capabilities and support that are most effectively organised and
maintained at Union level. Europol should therefore maintain Union Centres of
specialised expertise as part of its organisational structure in areas of particular
relevance for the Union’s internal security. The Centres should form an integral part
of Europol's organisational structure, contributing to the performance of Europol’s
tasks in their respective areas of expertise. They should not have separate legal
39 Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on
the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing
Council Decision 2002/187/JHA (OJ L 295, 21.11.2018, p. 138,
ELI: http://data.europa.eu/eli/reg/2018/1727/oj).
EN 30 EN
personality. In order to ensure the continuity and stability of those core capabilities,
the establishment of such Centres should be determined by this Regulation. The
Management Board should be responsible for specifying the organisation, specialised
functions, composition and operation of the Centres in light of operational needs and
evolving security threats.
(20) Criminal activities involving a hybrid dimension may arise in relation to any form of
crime falling within the scope of Europol’s competence. All Centres should therefore
contribute, within their respective fields of expertise, to the prevention and
combating of such crimes, including where they form part of, contribute to or are
linked to a threat with a hybrid dimension.
(21) As the operational landscape in which Europol operates is increasingly characterised
by fluid criminal structures and the convergence of multiple crime areas, effective
support for the competent authorities of the Member States requires close
cooperation and coordination between the Centres and other organisational structures
within Europol. The Centres should therefore work together and combine their
respective expertise and capabilities where this is necessary to support
multidisciplinary operational responses to cross-cutting threats. The allocation of
tasks to a specific Centre under this Regulation should not preclude the involvement
of other Centres or organisational structures in the performance of those tasks where
operational needs so require.
(22) To address the increasingly severe threats posed by transnational serious and
organised crime networks, Europol should provide, in particular through its
European Serious and Organised Crime Centre, Member States with operational,
analytical, technical and forensic support to combat forms of serious and organised
crime such as drug trafficking, trafficking in firearms and explosives, environmental
crime and property crime and in complex cross-border investigations.
(23) The terrorist threat affecting the Union continues to evolve in terms of actors,
methods and means, including through the exploitation of online environments and
emerging technologies. An effective counter-terrorism response requires Europol,
through its European Counter Terrorism Centre, to provide Member States with
operational, analytical, technical and forensic support to counter terrorist activities
such as terrorist financing, online radicalisation, the dissemination of terrorist content
online or physical attack prevention. Europol should also support the coordination of
crisis response mechanisms at Union level.
(24) Financial and economic crime undermines the integrity of the Union’s economy,
financial system, and legal order and constitutes a key enabler of serious and
organised crime and terrorism. The use of complex financial schemes, crypto-assets
and digital financial technologies makes the detection, investigation and tracing of
criminal assets increasingly challenging. It requires permanent specialised expertise
and capabilities at Union level. Europol, in particular through its European Financial
and Economic Crime Centre, should therefore provide Member States and relevant
Union bodies, offices and agencies, such as the European Public Prosecutor’s Office
(EPPO), established by Council Regulation (EU) 2017/193940, with specialised
support for financial investigations, asset tracing and recovery, crypto-assets and
40 Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the
establishment of the European Public Prosecutor’s Office (‘the EPPO’) (OJ L 283, 31.10.2017, p. 1,
ELI: http://data.europa.eu/eli/reg/2017/1939/oj).
EN 31 EN
digital financial technologies, and the identification and analysis of criminal financial
schemes and transactions.
(25) To enable Europol to provide effective support to national asset recovery offices in
assets tracing and recovery, Member States should ensure that Europol has effective
access to the information necessary for the tracing and identification of property.
Where, on the basis of its analytical activities, Europol identifies an imminent risk of
disappearance of traced and identified property, it should be able to request the
competent authorities of the Member State concerned to take immediate action.
(26) Cybercrime and cyber-enabled criminal activities constitute a central component of
the threat landscape affecting the Union’s internal security. The growing availability
of cybercrime-as-a-service facilitates the use of sophisticated tools and services by a
broad range of criminal and terrorist actors, thereby increasing the scale and impact
of cyber-enabled criminal activities. Europol, in particular through its European
Cybercrime Centre, should therefore support Member States in preventing and
combating cybercrime, responding to cyberattacks, and addressing the growing
digital dimension of criminal activities across all crime areas falling within the scope
of its competence. Europol should also contribute to the development and
deployment of specialised technical capabilities, in particular in the areas of digital
forensics, lawful access, and the processing and analysis of encrypted data. Such
capabilities require a level of expertise and resources that can be provided more
effectively at Union level.
(27) Cyber incidents of suspected criminal origin, notably ransomware incidents, often
require both a cybersecurity and a law enforcement response. The European
Cybercrime Centre should therefore cooperate closely with the European Union
Agency for Cybersecurity (ENISA), established by Regulation (EU) 2019/881 of the
European Parliament and of the Council41, in relation to cybersecurity, cyber threats
and cyber incidents of suspected criminal origin, with a particular focus on
ransomware incidents, including through ENISA’s ransomware helpdesk. Such
cooperation should support effective coordination, the exchange of information and
expertise, and the development of synergies between the cybersecurity and law
enforcement communities.
(28) Migrant smuggling and trafficking in human beings constitute major cross-border
criminal activities that endanger human life, undermine the Union’s migration and
border management policies and generate significant profits for organised criminal
networks. The European Centre Against Migrant Smuggling established within
Europol should ensure permanent specialised expertise and capabilities at Union
level to support the fight against migrant smuggling and trafficking in human beings.
Europol, in particular through that Centre, should support Member States in
dismantling migrant smuggling routes and criminal facilitation networks. Europol
should also support the identification of victims of trafficking and other vulnerable
persons, ensuring cooperation with the EU anti-trafficking coordinator referred to in
Directive 2011/36/EU of the European Parliament and of the Council42.
41 Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA
(the European Union Agency for Cybersecurity) and on information and communications technology
cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151,
7.6.2019, p. 15, ELI: http://data.europa.eu/eli/reg/2019/881/oj). 42 Directive 2011/36/EU of the European Parliament and of the Council of 5 April 2011 on preventing and
combating trafficking in human beings and protecting its victims, and replacing Council Framework
Decision 2002/629/JHA (OJ L 101, 15.4.2011, p. 1, ELI: http://data.europa.eu/eli/dir/2011/36/oj).
EN 32 EN
(29) Evolving crime threats and operational needs may, in exceptional circumstances,
require the establishment of additional Centres dedicated to areas requiring
specialised expertise or coordinated action at Union level. The Executive Director
should continuously assess operational developments, capability requirements and
emerging crime areas and, where appropriate, identify the need for the establishment
of additional Centres. Additional Centres should only be established where a
sustained operational need exists that cannot be adequately addressed through
Europol’s existing organisational structures. It should also be possible to adapt,
merge or discontinue such additional Centres where this is necessary to reflect
changing operational requirements. In order to ensure a coherent framework for the
establishment of Centres, the power to adopt acts in accordance with Article 290
TFEU should be delegated to the Commission in respect of the establishment,
adaptation, merger or discontinuation of additional Centres. It is of particular
importance that the Commission carry out appropriate consultations during its
preparatory work, including at expert level, and that those consultations be conducted
in accordance with the principles laid down in the Interinstitutional Agreement of 13
April 2016 on Better Law-Making43. In particular, to ensure equal participation in the
preparation of delegated acts, the European Parliament and the Council receive all
documents at the same time as Member States' experts, and their experts
systematically have access to meetings of Commission expert groups dealing with
the preparation of delegated acts.
(30) In carrying out their activities, the Centres should cooperate closely with similar
specialised structures established at Union level, including Eurojust’s Centres of
Expertise in criminal matters and the future EU Centre for the Protection of Children
from Child Sexual Abuse, within their respective competences. Such cooperation
should contribute to ensuring complementarity, avoiding duplication of efforts and
maximising the operational value of specialised expertise and capabilities.
(31) The investigation of high-risk criminal networks and complex cross-border criminal
phenomena requires structured yet flexible forms of operational cooperation between
the competent authorities of the Member States. Operational task forces provide a
framework for concentrating investigative efforts, operational expertise and criminal
intelligence on priority targets, supported by Europol. Europol should therefore
participate in operational task forces, enabling operational coordination, facilitating
the exchange and analysis of information and contributing with its specialised
operational, technical, analytical and forensic support. Where appropriate,
operational task forces should be integrated within EMPACT activities. Where
operational findings indicate the need for judicial coordination, Europol should
ensure timely transmission of relevant information to Eurojust to support the
effective exercise of its mandate in accordance with Regulation (EU) 2018/1727.
(32) Joint investigation teams provide a structured framework for coordinated
investigations, shared operational planning and the use of evidence within a common
investigative setting. Europol should therefore be able to support joint investigation
teams for crimes falling within the scope of its competence by contributing criminal
intelligence, analytical input and specialised operational capabilities, and by
facilitating operational coordination where this strengthens joint investigative action.
Where operational findings indicate the need for judicial coordination, Europol
43 OJ L 123, 12.05.2016, p. 1, ELI: http://data.europa.eu/eli/agree_interinstit/2016/512/oj.
EN 33 EN
should ensure timely transmission of relevant information to Eurojust to support the
effective exercise of its mandate in accordance with Regulation (EU) 2018/1727.
(33) To provide effective operational support to the competent authorities of the Member
States and, where relevant, third countries, Europol needs to make its expertise,
capabilities and support available where operational activities are carried out.
Europol should therefore be able to deploy staff in order to provide analytical,
operational, technical and forensic support directly to the competent authorities
concerned. Such deployments should notably support large-scale and complex
investigations, operational coordination activities and major international events.
They should also contribute to ensuring coherence between law enforcement
activities and activities carried out at the Union’s external borders, with each
authority acting within the limits of its competence. In particular, Europol
deployments should assist screening authorities in carrying out checks in accordance
with Regulation (EU) 2024/1356 of the European Parliament and of the Council44,
support Frontex established by Regulation (EU) 2019/1896 of the European
Parliament and of the Council45 and migration management activities under
Regulation (EU) 2019/1896, and support border management authorities in
performing security checks against Europol information at the Union’s external
borders. The effectiveness of Europol deployments is contingent on timely and active
support from the Member States. Member States should therefore ensure that staff
deployed by Europol has, where relevant and appropriate, secure access to
operational sites, information and technical equipment, and should facilitate
coordination and integration with national operational teams.
(34) In certain situations, Europol may require the secondment of highly specialised
expertise to respond to specific operational needs. Maintaining specialised
operational and technical pools composed of experts designated by the Member
States contributes to ensuring the availability of such expertise when needed. At the
same time, the specialised knowledge and experience of those experts remain
essential for the performance of the tasks of the competent authorities of the Member
States. A balanced approach is therefore necessary to enable Europol to draw on that
expertise for specific operational needs while preserving national operational
capacities. Secondments from those pools provide an effective mechanism to achieve
that objective.
(35) The value of Europol’s operational support depends on its close integration with the
activities of the competent authorities of the Member States. Such integration
requires robust national coordination structures capable of acting as a genuine
interface between Europol and competent authorities of the Member States. Europol
national units play a central role in ensuring cooperation between Europol and those
authorities and in facilitating the exchange of information. They should also
contribute to the identification of national operational priorities and capability needs
to be supported by Europol, facilitate national contributions to Europol’s analytical
and strategic assessments, and help ensure the effective coordination of Europol’s
support at national level. Liaison officers attached to Europol should play an
important role in facilitating direct cooperation and coordination with the competent
44 Regulation (EU) 2024/1356 of the European Parliament and of the Council of 14 May 2024 introducing
the screening of third-country nationals at the external borders and amending Regulations (EC) No
767/2008, (EU) 2017/2226, (EU) 2018/1240 and (EU) 2019/817 (OJ L, 2024/1356, 22.05.2024, ELI:
http://data.europa.eu/eli/reg/2024/1356/oj). 45 OJ L 123, 12.05.2016, p. 1, ELI: http://data.europa.eu/eli/agree_interinstit/2016/512/oj.
EN 34 EN
authorities of the Member States, including through the rapid exchange of
information and the identification of cross-border operational links.
(36) Europol national units should also assume a reinforced role in ensuring that
EMPACT delivers its full operational potential, addressing existing coordination
gaps that prevent effective linkage between Union-level priorities and national needs.
To that end, Europol national units should evolve into central operational platforms
hosting their national EMPACT support team, responsible for facilitating operational
participation and aligning national contributions with EMPACT priorities.
(37) To effectively use Europol’s operational, analytical, technical and forensic support in
national investigations, that support needs to be tailored to national needs and
procedures. To ensure that Europol support can be mobilised rapidly and aligned
with operational needs and procedural requirements at national level, Europol
support offices should be established within the Europol national unit in each
Member State. These offices should facilitate the integration of criminal intelligence,
analytical tools, digital and forensic technologies and operational expertise directly
into ongoing national investigations. The support offices should also help ensure that
operational outputs provided by Europol can be used effectively by the competent
authorities of the Member States in preventing and combating serious crime and
terrorism.
(38) The Europol support offices should be staffed by Europol staff that has completed a
structured career pathway combining experience in the competent authorities of a
Member State and subsequent service within Europol, before being seconded back to
the national structure. That rotation model is essential to ensure that the expertise
acquired at Europol is effectively reinvested into the national system and that the
integration of Europol support is carried out by Europol staff with operational
understanding of the specific legal, operational and organisational framework within
which the competent authorities of the respective Member State operate. Such
Europol staff should act under a dual reporting line to Europol and the Member State
where the Europol support office is established. The establishment of the Europol
support offices should not affect the responsibilities and powers of the competent
authorities of the Member States under national law. To ensure the effectiveness of
the rotation-based staffing model underpinning Europol support offices, Member
States should take the necessary measures to facilitate the reintegration of staff into
their national administrations upon completion of their assignment within that office.
That requires the removal of administrative, organisational and career-related
barriers that could hinder mobility between national authorities and Europol, thereby
ensuring that such mobility is recognised as an integral part of their professional
career development.
(39) To serve as the Union’s criminal information hub, Europol should be able to process
information that it has received from the sources or that it has directly retrieved from
publicly available sources, subject to the conditions and safeguards laid down in this
Regulation. The effective gathering of information from publicly available sources
for Europol includes notably the use of online search engines, including the input of
personal data, which should not be regarded as a transmission or transfer of personal
EN 35 EN
data to private parties under this Regulation or Regulation (EU) 2018/1725 of the
European Parliament and of the Council46.
(40) Member States should ensure the timely provision of the information necessary for
Europol to fulfil its tasks, including through structured, secure and automated
exchange mechanisms. In that context, Member States should establish and maintain
appropriate national data loaders enabling the structured feeding of relevant
information into Europol services and tools, ensuring data quality, completeness and
timeliness.
(41) Europol’s operational model remains firmly anchored in the data ownership
principle, under which Member States, Union institutions, bodies, missions, offices
and agencies, third countries and international organisations providing information to
Europol retain control over the purpose and conditions of its processing. That
principle is a cornerstone of mutual trust in the exchange of information with
Europol and ensures that the use of data remains strictly aligned with the intent
defined by the provider.
(42) In so far as is necessary for the fulfilment of its tasks, Europol should be able to
process personal data, provided that such processing is carried out only for the
purposes laid down in this Regulation. Regulation (EU) 2018/1725 lays down the
rules on the protection of natural persons with regard to the processing of personal
data by Union institutions, bodies, offices and agencies. Regulation (EU) 2018/1725
should apply to the processing of personal data by Europol, complemented by the
specific rules of this Regulation.
(43) Europol operates in an information environment characterised by high volumes of
heterogeneous data, which often originate from multiple sources and operational
contexts. A substantial share of that information is received in an unstructured form,
making categorisation with predefined data subject categories difficult or at times
even impossible. That reflects the reality of modern law enforcement where the
extraction of information from large and unstructured datasets constitutes a core
operational task of law enforcement authorities. In that context, the data subject
categorisation rules applicable to Europol should be aligned with Regulation (EU)
2018/1725. Europol should therefore make a clear distinction between personal data
relating to the different categories of data subjects listed in Annex II only where
applicable and as far as possible, ensuring that operational effectiveness is ensured
while fully respecting data protection safeguards and principles, such as data
minimisation and purpose limitation.
(44) The categorisation of personal data is a dynamic process that may change as new
leads and information become available. Personal data that are initially not
considered relevant for inclusion under a data subject category of Annex II may,
upon further processing, acquire operational significance or reveal connections to
ongoing investigations. Where it is not possible to clearly distinguish between the
personal data that relate to the different categories of data subjects listed in Annex II,
or where Europol has to process personal data outside of the categories of data
subjects listed in Annex II, Europol should inform its Data Protection Officer. Such
46 Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the
protection of natural persons with regard to the processing of personal data by the Union institutions,
bodies, offices and agencies and on the free movement of such data and repealing Regulation (EC)
No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39,
ELI: http://data.europa.eu/eli/reg/2018/1725/oj).
EN 36 EN
personal data should be immediately deleted once the purpose of processing is
fulfilled.
(45) The effective carrying out of Europol’s tasks and the processing of information
require the development and use of services and tools, which should be established
and managed in a manner that ensures their effectiveness, efficiency and compliance
with applicable data protection and security standards.
(46) For the purpose of processing information for cross-checking against existing data
already stored and categorised by Europol in cooperation with the Member States,
the establishment of a Europol cross-checking service is necessary to support
Europol’s objectives and tasks and to facilitate the exchange of information between
Member States and other Union bodies, offices and agencies. For the effective and
efficient functioning of that service, the case management systems of the competent
authorities of the Member States should be interoperable and technically connected
with such service. To maximise technical efficiency and ensure consistency with
existing Union information systems, the Europol cross-checking service should,
where technically feasible, re-use and adapt existing technologies and components
developed by eu-LISA, including the technology underpinning the Shared Biometric
Matching Service (sBMS), for its biometric matching functionalities. The re-use and
adaptation of such technology should serve solely technical, operational and cost-
efficiency objectives, including economies of scale and the avoidance of duplication
of investments, and should not affect existing governance arrangements, access
rights, data ownership, interoperability architectures, the allocation of responsibilities
between Union bodies, offices and agencies, or the legal conditions governing access
to information under Union law.
(47) The processing of personal data in the Europol cross-checking service requires the
definition of a precise and exhaustive list of categories of data to ensure that the
processing remains necessary and proportionate for the fulfilment of Europol’s tasks
and that the rights of individuals are protected in accordance with the applicable data
protection rules. The data formats of such categories of data, including identifiable
objects or multimedia data used for the querying of the service, should be laid out by
means of an implementing act.
(48) The systematic and timely uploading of relevant data to the Europol cross-checking
service by Member States and Europol is essential to ensure the effectiveness of the
service and to support cross-border cooperation in the prevention and combating of
serious and organised crime, while also providing for necessary safeguards to protect
the essential interests of the security of the Member States and the rights of
individuals. By systematically cross-checking any newly uploaded data against
already stored data to identify links and connections between cases, the service
enables Europol to support Member States in cross-border investigations.
(49) Systematic querying of the Europol cross-checking service by competent authorities
of the Member States is necessary to ensure the effective use of the service by all
relevant law enforcement actors across the Union, and thereby enhance the
prevention and combating of serious crime and terrorism, while also ensuring that
access to the data remains subject to strict conditions and safeguards to protect the
rights of individuals and respect the data ownership principle.
(50) For Europol to effectively support cross-border investigations and operational
activities, it is necessary to establish a Europol Analytical Environment as a secure
technical and operational platform for the storage, processing, analysis and
EN 37 EN
visualisation of data. The Europol Analytical Environment should support the
fulfilment of Europol's tasks by facilitating the operational analysis of data received
by Member States, third countries, international organisations, private parties or
other sources in accordance with this Regulation.
(51) To ensure that the rights of individuals are protected, the querying of and access to
Europol Analytical Environment data, including data stored as part of analysis
projects, should be subject to strict access conditions and data protection safeguards,
while also enabling authorised entities to effectively query and have indirect access
to the data to contribute to the prevention and combating of serious crime and
terrorism.
(52) To support Member States in carrying out joint operational analysis, the Police
Shared Data Space should leverage the capabilities of the Europol Analytical
Environment. This includes, where appropriate, advanced analytical tools and
modules, such as those enabling the processing and comparison of biometric data,
and functionalities supporting the collection and analysis of data from publicly
available sources. The availability of such capabilities within the Police Shared Data
Space should enhance the detection of links between cases and facilitate coordinated
operational responses.
(53) In order to facilitate real-time operational cooperation between competent authorities
of different Member States and Europol, the Police Shared Data Space should enable
the establishment of Joint Operational Analysis Cases (JOAC). A JOAC should
constitute a secure collaborative environment in which participating authorities and
Europol can jointly process, analyse, enrich and exchange information relating to a
specific criminal investigation, threat, criminal network or operational objective. The
creation of JOACs should be subject to clear criteria and procedures, including the
designation of participating authorities and the conditions governing access to and
use of the information processed therein.
(54) To enhance the effectiveness of joint operational analysis, Europol should be able to
propose the establishment of a JOAC to Member States, based on its analysis of
available information and data, while respecting the discretion of Member States to
decide on the opening of a JOAC.
(55) To enable participants to a JOAC to effectively collaborate and analyse data,
exchange information and conduct joint activities, while granting the possibility to
use Europol relevant capabilities, a set of advanced features, including secure
communication tools such as chat and video conferencing, and collaborative
document editing and visualisation capabilities, should be provided within the Police
Shared Data Space as means to facilitate effective and efficient cooperation and
analysis among participants and to support the exchange of information and expertise
in a secure and controlled environment.
(56) Given the increasingly transnational nature of crime, it should be possible, in duly
justified cases, for the Member State opening a JOAC to propose the participation of
third country. Such participation should remain limited to third countries having an
agreement enabling the exchange of personal data with Europol and to situations
where Europol considers that the involvement of the third country concerned is
relevant for achieving the objectives of the JOAC. Participation by a third country
should not lead to generalised access to Europol services and tools, but should be
limited only to the specific JOAC and the information made available therein in
accordance with this Regulation.
EN 38 EN
(57) To facilitate the seamless exchange of information between the single points of
contact and competent authorities of Member States, Europol and other authorised
entities, Europol should provide a secure and reliable tool, such as the Secure
Information Exchange Network Application (SIENA), with web interfaces, mobile
applications and dedicated programming interfaces.
(58) To streamline the cooperation between private parties, Member States and Europol in
preventing and responding to online crisis situations, cybersecurity threats, and other
criminal activities exploiting digital services, Europol should establish a dedicated
mechanism within the Europol Analytical Environment. That mechanism should, in
particular, support compliance with Union reporting and notification obligations
under Regulations (EU) 2021/78447 and (EU) 2022/206548 of the European
Parliament and of the Council by both private parties, such as hosting service
providers, and competent law enforcement or judicial authorities of the Member
States and enable rapid coordination during online crisis situations. It should be
designed to facilitate the determination of the Member State to be notified and ensure
interoperability with national systems while maintaining robust security and data
protection safeguards. Europol should ensure that the development and maintenance
of the mechanism is supported by the necessary resources.
(59) To support the objectives of Regulation (EU) 2024/982 of the European Parliament
and of the Council49, Europol should perform the tasks conferred on it in relation to
the European Police Record Index System (EPRIS), providing a centralised platform
for the indexing and sharing of police records, and enabling law enforcement
authorities to access and exchange information efficiently and effectively.
(60) To support the effective achievement of its objectives and to enhance the cooperation
between Europol, competent authorities of the Member States and other authorised
entities, Europol should establish a secure, scalable and sovereign Europol cloud
infrastructure, hosting the Police Shared Data Space and enabling the storage,
processing, analysis and exchange of data, while ensuring strict access control, data
compartmentalisation and full compliance with Union law, and allowing for the
development, operation and maintenance of a range of digital services and
operational data-processing capabilities.
(61) To facilitate secure, efficient and trusted access to the Police Shared Data Space for a
wide range of investigators across the Union, an EU Police Digital Identity should be
established, enabling representatives of competent authorities of the Member States,
Europol and other authorised entities to access the Europol infrastructure and
connected national systems in a harmonised and secure manner, while ensuring
accountability and oversight through logging and auditing mechanisms, and allowing
for differentiated access rights based on specific needs and requirements.
47 Regulation (EU) 2021/784 of the European Parliament and of the Council of 29 April 2021 on
addressing the dissemination of terrorist content online (OJ L 172, 17.5.2021, p. 79,
http://data.europa.eu/eli/reg/2021/784/oj). 48 Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a
Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (OJ L
277, 27.10.2022, p. 1, ELI: http://data.europa.eu/eli/reg/2022/2065/oj). 49 Regulation (EU) 2024/982 of the European Parliament and of the Council of 13 March 2024 on the
automated search and exchange of data for police cooperation, and amending Council
Decisions 2008/615/JHA and 2008/616/JHA and Regulations (EU) 2018/1726, (EU) No 2019/817 and
(EU) 2019/818 of the European Parliament and of the Council (the Prüm II Regulation) (OJ L,
2024/982, 05.04.2024, ELI: http://data.europa.eu/eli/reg/2024/982/oj).
EN 39 EN
(62) To ensure effective monitoring, evaluation and oversight of Europol’s services and
tools, Europol should develop and maintain statistics and reporting tools capable of
generating statistical information, indicators and analytical reports concerning their
use, performance, operational effectiveness and interoperability. Those tools should
support the preparation of strategic and operational analyses, threat assessments,
trend reports and situational briefings, and contribute to the annual reporting
obligations of Europol and to the Commission’s evaluation reports, in particular
regarding the operational impact of this Regulation. They should also facilitate the
availability of reliable information for evaluation, monitoring and reporting purposes
and, where appropriate, support the Commission in carrying out its responsibilities
under Union law, including the monitoring, implementation and evaluation of
legislation relevant to Europol’s mandate. They should also facilitate the provision of
information to the Joint Parliamentary Scrutiny Group (JPSG). The statistics and
reporting tools should enable the analysis of trends, operational needs and
information exchange activities, while ensuring that statistical information is
processed in compliance with Union law on data protection, cybersecurity and
confidentiality. Such information should be subject to appropriate safeguards and
access control measures. To ensure that the report to be submitted each year by the
Commission pursuant to Article 325(5) TFEU includes a comprehensive overview of
the measures taken to counter fraud affecting the Union’s financial interests, Europol
should contribute to the preparation of that report. That contribution should cover the
results achieved and the activities carried out to that end by Europol.
(63) To facilitate the efficient and interoperable exchange of information between
Member States, Union bodies, offices or agencies and other relevant entities, Europol
should support the development, implementation and operational use of the universal
message format established Regulation (EU) 2019/818 of the European Parliament
and of the Council50 by providing the secretariat and steering technical and
operational discussions. To that end, Europol should cooperate closely with the
Commission to support the consistent application of the UMF across relevant
information systems and communication channels, thereby enhancing
interoperability and the effectiveness of information sharing.
(64) The comparison of DNA profiles requires specialised matching tools that are distinct
from the information systems through which DNA data are exchanged. Europol
should therefore be able to provide a common DNA matching application serving as
a technical and forensic component for the automated comparison of DNA profiles.
The application should function as a shared technical capability that can be deployed
within Europol services and tools or by Member States. It should support the
implementation of information exchange frameworks, including Regulation (EU)
2024/982, while respecting the ownership of data by the authorities providing them
and the safeguards governing their processing and exchange. The availability of a
common EU DNA matching tool is also important to strengthen Europe's
technological sovereignty in a critical area of law enforcement and forensic
cooperation, reduce dependency on external technologies and providers, and ensure
that the development, operation and evolution of DNA matching functionalities
remain subject to Union standards, governance and security requirements.
50 Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on
establishing a framework for interoperability between EU information systems in the field of police and
judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU)
2018/1862 and (EU) 2019/816 (OJ L 135, 22.5.2019, p. 85, ELI:
http://data.europa.eu/eli/reg/2019/818/oj).
EN 40 EN
(65) To ensure that Europol remains equipped to effectively respond to evolving
operational, technical and analytical needs, and to support the effective achievement
of its objectives, Europol should be able to design, develop and manage additional
services and tools, while ensuring that such systems and tools comply with the
applicable data protection rules and safeguards and are subject to appropriate
procedural and technical requirements. The Commission should be empowered to
adopt implementing acts laying out such procedural and technical requirements.
(66) To ensure the effective development and implementation of Europol’s information
systems and ICT infrastructure, an ICT and Information Management Steering Group
should be established as a sub-structure of the Management Board to provide
strategic guidance, expertise and oversight on ICT and information management
activities and to support the Management Board in taking informed decisions on
those matters, while ensuring consistency with Member States’ operational needs and
Union-wide interoperability objectives.
(67) To provide specialised technical expertise and advice to support the development and
implementation of Europol’s information systems and ICT infrastructure, an ICT and
Information Management Advisory Group should be established to assist the
Steering Group and Europol in designing, developing and operating information
systems, communication infrastructure and information exchange mechanisms, and
to promote common technical components, standards and best practices, while
ensuring close coordination and cooperation between Europol, eu-LISA, Member
States and the Commission on technical and implementation-related matters.
(68) To achieve a more coordinated approach to anticipating and addressing operational
and technological needs of law enforcement authorities across the Union, Europol
should establish a Foresight and Common Capability Development Framework (‘the
Framework’) aimed at developing a common understanding of short-, medium- and
long-term capability priorities. The Framework should contribute to the more
efficient pooling, sharing and use of resources, promote interoperability and
standardisation and help avoid duplication of investments.
(69) To ensure continuity between the identification of capability priorities under the
Framework, the development of innovative solutions for advanced capabilities and
their deployment in operational law enforcement environments, Europol should be
able to assist the Commission in the programming of the Union Framework
programme for Research and Innovation, and participate in capability-development
activities supported under Union funding programmes, notably the European
Competitiveness Fund, where necessary for the fulfilment of its tasks. As Europol
may perform different functions in relation to Union funding programmes, the
Commission and Europol should ensure that Europol’s participation in activities
supported under Union funding programmes does not confer any undue advantage
resulting from its involvement in the programming of those programmes.
(70) Certain technological, analytical and forensic capabilities are increasingly complex
and resource-intensive, making it inefficient for Member States to develop and
maintain such capabilities separately at national level. Europol should therefore be
able to develop, operate, host and provide shared advanced capabilities in support of
its tasks and of the competent authorities of the Member States. As law enforcement
authorities increasingly rely on electronic evidence and face growing challenges in
accessing data that is lawfully available to them, Europol should support the
development and provision of capabilities for the decryption of such data. To avoid
EN 41 EN
duplication and inefficient use of resources at Union level, Europol should, before
developing new capabilities, assess the availability of equivalent solutions on the
market or within Member States, Union institutions, bodies, offices and agencies
and, where available, prioritise their reuse, adaptation or acquisition. Europol should
also take into account risks arising from strategic dependencies and reliance on
suppliers outside the Union. In the context of investigations and operational activities
supported by Europol, where necessary, it should be possible to make available those
capabilities to participating third countries, notably where this contributes to the
effective conduct of the operational activity and supports the operational objectives
pursued by the participating Member States.
(71) To support the development of innovative solutions for advanced capabilities
relevant to the performance of its tasks, Europol should be able to carry out and
participate in research and innovation activities, including pilot projects and
preparatory actions. Europol should ensure synergies and avoid duplications with
activities supported by other Union institutions, bodies, agencies and offices and
under relevant Union funding programmes.
(72) To enable the development, testing and validation of algorithmic tools and AI
systems and models, in a controlled and secure environment providing for adequate
safeguards, Europol should use dedicated testing environments. It should participate
in regulatory sandboxes established pursuant to Regulation (EU) 2024/168951 of the
European Parliament and of the Council and, where appropriate, make such
environments available to private parties participating in collaborative research and
innovation activities.
(73) To assess the effectiveness, suitability and added value for law enforcement use of
innovative solutions, Europol should be able to support early deployment,
operational testing and validation activities. Where commercial solutions are
concerned, such activities should be based on transparent procedures and objective
technical and operational criteria.
(74) To facilitate the transition of tested and validated innovative solutions into advanced
capabilities for operational use and maximise the operational impact across the
Union, Europol should support their uptake, deployment, scaling and integration into
operational activities and investigations of the competent authorities of the Member
States. Innovative solutions and advanced capabilities can only deliver their full
operational benefit where they are accompanied by the necessary skills, expertise and
know-how. Europol should therefore support Member States in strengthening
specialised expertise and operational capabilities through specialised training
activities, in close cooperation with European Union Agency for Law Enforcement
Training (CEPOL) established by Regulation (EU) 2015/2219 of the European
Parliament and of the Council52, which coordinates centres of excellence.
(75) To promote coherence, coordination and continuity across foresight, capability
planning, research, innovation and capability-development activities carried out
under this Regulation, Europol should maintain a dedicated Capabilities and
51 Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a
Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (OJ L
277, 27.10.2022, p. 1, ELI: http://data.europa.eu/eli/reg/2022/2065/oj). 52 Regulation (EU) 2015/2219 of the European Parliament and of the Council of 25 November 2015 on
the European Union Agency for Law Enforcement Training (CEPOL) and replacing and repealing
Council Decision 2005/681/JHA (OJ L 319, 4.12.2015, p. 1,
ELI: http://data.europa.eu/eli/reg/2015/2219/oj).
EN 42 EN
Innovation Service acting as a central coordination hub within Europol to support the
implementation of the Framework and ensure coherence across Europol’s Centres
and other organisational structures.
(76) Effective capability development increasingly requires cooperation between law
enforcement authorities, Union institutions, bodies, offices and agencies, research
organisations, academia, technology providers, industry and other innovation actors.
Europol should therefore support cooperation and coordination on capability-
development and innovation activities at Union level, such as those of the EU
Innovation Hub for Internal Security and the Commission’s Security Research and
Innovation Campus. Europol should also be able to facilitate joint projects, testing
activities and other forms of cooperation, including with private parties and, where
appropriate, through joint development and procurement activities carried out in
accordance with applicable Union law.
(77) Europol should be supported by a Capabilities and Innovation Advisory Group
providing expertise on capability-development, research and innovation activities,
supporting the preparation and updating of the Framework and facilitating exchanges
with other relevant partners, notably research organisations and private parties.
(78) To fulfil its tasks effectively, Europol should be equipped with a governance
structure that ensures effective strategic direction, accountability, transparency and
sound financial and administrative management. The governance of the Agency
needs to be aligned with the Joint Statement of the European Parliament, the Council
of the EU and the European Commission of 2012 on decentralised agencies (‘Joint
Statement and Common Approach’) and Commission Delegated Regulation (EU)
2019/71553.
(79) In order to streamline the decision-making process within Europol, an efficient and
effective governance structure should be introduced. To that end, the Member States
and the Commission should be represented on a Management Board vested with the
necessary powers, including the power to approve the single programming
document. In order to ensure effective political oversight, the Management Board
should also include a member designated by the European Parliament. The
Management Board should be the principal body responsible for the strategic
direction and oversight of Europol. It should establish Europol’s priorities and
objectives, oversee their implementation and exercise the powers conferred upon it
under this Regulation in relation to programming, budgetary matters, organisational
structure, governance and accountability.
(80) In order to ensure an efficient and effective governance, the Management Board
should be assisted by an Executive Board responsible for supporting the preparation
and follow-up of strategic, administrative and budgetary decisions. Such
arrangements should facilitate effective decision-making while preserving the
respective responsibilities of the Management Board and the Executive Director.
(81) To fulfil its tasks, Europol requires strong executive management capable of
ensuring the implementation of strategic priorities, the efficient allocation of
resources and the effective performance of operational, administrative and
organisational tasks. The Executive Director should therefore be entrusted with the
53 Commission Delegated Regulation (EU) 2019/715 of 18 December 2018 on the framework financial
regulation for the bodies set up under the TFEU and Euratom Treaty and referred to in Article 70 of
Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council (OJ L 122,
10.5.2019, p. 1, ELI: http://data.europa.eu/eli/reg_del/2019/715/oj).
EN 43 EN
day-to-day management of Europol and should perform those duties independently.
Where necessary, the Executive Director should be assisted by one or more Deputy
Executive Directors.
(82) To ensure that Europol’s activities remain aligned with its strategic objectives and
operational priorities, Europol should operate on the basis of a coherent
programming and performance-management framework linking multiannual
planning, annual activities, resource allocation and performance assessment. Such
framework should be driven by the principles of sound financial management,
effective use of Union resources and accountability for results.
(83) With regard to the prevention and management of conflicts of interest, it is essential
that the Agency acts impartially, demonstrates integrity and establishes high
professional standards. To that end, members of Europol’s administrative and
management structure should act in the public interest and be subject to appropriate
rules on transparency, declarations of interests and the prevention and management
of conflicts of interest.
(84) To strengthen the Union security architecture, Europol should be able to develop
close relations with relevant Union bodies, offices and agencies. Europol should also
be able to develop close relations with Union institutions and missions. To frame and
facilitate such relations, Europol should conclude working arrangements with them.
To ensure consistency with Union policies, the conclusion of working arrangements
with Union bodies, offices and agencies established within the framework of the
TFEU should be subject to the prior approval of the Commission. Such working
arrangements should be updated on a regular basis to remain effective, operationally
relevant and aligned with the Union priorities on the fight against evolving criminal
threats.
(85) Europol should be able to receive from and transmit or transfer to Union institutions,
bodies, missions, offices and agencies both personal and non-personal data in
accordance with this Regulation and applicable Union law.
(86) To achieve efficient information exchange while ensuring appropriate safeguards,
Europol should ensure that Union bodies, offices and agencies have, in accordance
with this Regulation, indirect access to information held by Europol on the basis of
an automated hit/no-hit system, under conditions of reciprocity and without affecting
any restriction indicated by the provider of the information pursuant to this
Regulation. Such access should be limited to information strictly falling within the
respective competences of those Union bodies, offices and agencies, such as the
EPPO, Eurojust, OLAF and the Authority for Anti-Money Laundering and
Countering the Financing of Terrorism (‘AMLA’), established by Regulation (EU)
2024/1620 of the European Parliament and of the Council54.
(87) To ensure that crimes affecting the financial interests of the Union are effectively
prosecuted by the EPPO and that information received by Europol from the EPPO
strengthens Europol’s criminal intelligence on forms of crime falling within the
scope of Europol’s competence, Europol should develop a structured cooperation
with the EPPO. To support the investigations of the EPPO, Europol should, upon
request by the EPPO, provide the EPPO with relevant information and operational
54 Regulation (EU) 2024/1620 of the European Parliament and of the Council of 31 May 2024 establishing
the Authority for Anti-Money Laundering and Countering the Financing of Terrorism and amending
Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010 (OJ L, 2024/1620,
19.6.2024, ELI: http://data.europa.eu/eli/reg/2024/1620/oj).
EN 44 EN
and analytical support. To that end, Europol should ensure that appropriate
organisational arrangements are in place, including the allocation of dedicated human
resources, for instance through the establishment of a dedicated support unit. That
would allow the EPPO to benefit from Europol’s analytical support, ensuring an
efficient use of Union resources in the investigation and prosecution of crimes
affecting the financial interests of the Union. Considering the competences attributed
to the EPPO under Union law, information exchange between the EPPO and Europol
on the basis of the automated hit/no-hit system should not be affected by any
restriction indicated by the Member State or the Union institution, body, office or
agency that provided the information to Europol. Providing the EPPO with such
information, independently from any restriction, would reduce delays and avoid
taking additional procedural steps following a hit in respect of information that the
EPPO could otherwise obtain in accordance with Union law. Given that timely
access to information is essential for the effective conduct of investigations by the
EPPO, that mechanism would maximise the efficiency gains and added value of
Europol as a centralised information hub. In addition, Europol should report to the
EPPO on criminal conduct in respect of which the EPPO could exercise its
competence, regardless of any restriction indicated by a Member State or a Union
institution, body, office or agency. In both instances, Europol should inform the
provider of the information.
(88) To ensure synergies at Union level between law enforcement cooperation, through
Europol, and judicial cooperation, through Eurojust, Europol should develop a
structured cooperation with Eurojust. Where the need for effective judicial follow-up
is identified, Europol should initiate the procedure for sharing the relevant
information with Eurojust, in compliance with the rules set out in this Regulation.
(89) To reinforce the fight against financial crime at Union level, Europol should develop
close relations with the AMLA including through the exchange of operational,
strategic and other non-operational information and through the posting of liaison
officers at each other’s premises. Where Europol, pursuant to Directive (EU)
2019/1153, is invited to support Financial Intelligence Units (‘FIUs’) in the context
of joint analyses and these are carried out with the assistance of the AMLA, Europol
should cooperate with the AMLA to more effectively support those FIUs in that
context.
(90) Serious and organised crime increasingly exploits international trade flows, supply
chains and cross-border movements of goods. Cooperation between Europol and the
European Union Customs Authority (EUCA) established by Regulation […] can
therefore provide valuable insights for the prevention and combating of serious and
organised crime and terrorism. Europol should develop close relations with the
European Union Customs Authority, notably to enable reciprocal exchange of
relevant data and information, in accordance with Regulation […] and subject to the
applicable safeguards and conditions laid down therein.
(91) To contribute to effective protection of the Union’s financial interests, Europol
should cooperate with the other anti-fraud actors involved in the protection of the
Union’s financial interests, such as the EPPO, Eurojust, OLAF, AMLA and the EU
Customs Authority, to address matters relevant to the coordination of anti-fraud
activities, such as facilitating the exchange of information, the undertaking of
coordinated or joint actions, exchanging on emerging criminal trends in activities
affecting the financial interests of the Union, the sharing of best practices including
matters relating to information technology security and development, establishing
EN 45 EN
criteria for common reporting or coordinating training activities or general
developments concerning the anti-fraud architecture of the Union. Being a relevant
actor in the protection of the Union financial interests, Europol should participate
actively in such joint cooperation activities.
(92) To enhance the Union’s overall operational response to cross-border crime such as
migrant smuggling trafficking in human beings, Europol and Frontex should be able
to leverage their complementary capabilities. They should closely cooperate in
particular within the framework of the European Integrated Border Management, as
defined in Regulation (EU) 2019/1896 and the European Integrated Border
Management multiannual strategic policy cycle, ensuring coherence of action and
avoiding operational gaps.
(93) To enhance efficiency, avoid duplication of investments, benefit from economies of
scale and promote interoperability, Europol and eu-LISA should cooperate in the
development, procurement and use of technical information management
components, including, where appropriate, solutions related to biometric data
processing and other shared services, in full compliance with their respective
mandates and applicable data protection rules.
(94) The prevention and combating of the forms of crime falling within Europol’s
competence increasingly require cooperation beyond the Union. Europol should,
where necessary for the performance of its tasks, establish and maintain cooperative
relations with third countries, international organisations and private parties, in
accordance with Union law and subject to appropriate safeguards. This cooperation
should be conducted in a manner that is consistent with the Union’s external policies
and priorities. To ensure coherence and consistency, Europol’s external engagement
should be coordinated, where appropriate, with the relevant Union institutions,
bodies, offices and agencies.
(95) Europol’s engagement with third countries should focus on operational cooperation,
including exchange of information, operational coordination and support to
investigations. Concentrating Europol’s external activities on operational objectives
ensures that its expertise and resources are directed towards activities that provide
the greatest operational added value for the competent authorities of the Member
States, while remaining complementary to the role of the CEPOL in the area of
capacity building in third countries.
(96) The functioning of the Schengen area without controls at the internal borders creates
a high degree of mutual dependence between the participating States in the
prevention and combating of cross-border crime. Countries associated with the
implementation, application and development of the Schengen acquis are closely
integrated into that common security framework and contribute directly to the
security of the Schengen area. Effective protection of the Union internal security
therefore requires particularly close cooperation between Europol and those
countries. To that end, specific arrangements reflecting the special relationship
between those countries and the Union will be key. Given the reciprocal benefits
arising from such cooperation, it is also important that those arrangements could be
based on mutual rights and obligations, including obligations to share relevant
information and provisions on financial contributions.
(97) Countries that are candidates for accession to the Union, as well as potential
candidates, are key partners for strengthening European internal security. Owing to
their geographical proximity to the Union, their position along major criminal routes
EN 46 EN
and the cross-regional nature of organised crime, terrorism and criminal offences
related to a crime falling within the scope of Europol’s competence where such
offences involve a hybrid dimension, close operational cooperation with those
countries is an important element for the effective prevention and combating of such
crimes and threats.
(98) In order to support operational cooperation with third countries and international
organisations, it is necessary to provide clear conditions under which personal data
may be transferred while ensuring a high level of protection of fundamental rights
and freedoms, in particular the right to the protection of personal data. Any such
transfers should take place only in accordance with Regulation (EU) 2018/1725 and
the specific provisions of this Regulation and be subject to the conditions and
safeguards laid down therein. Transfers of personal data to third countries and
international organisations may require swift decisions. In order to ensure both
operational responsiveness and a clear allocation of responsibility, decisions
authorising such transfers under the conditions and safeguards laid down in
Regulation (EU) 2018/1725 should be taken by the Executive Director.
(99) Information necessary for the prevention and combating of crimes increasingly
originates from private parties, including providers of electronic communications
services, online platforms, financial institutions, transport operators and other private
entities. Europol should, within its competence, receive, process and exchange
information and personal data involving private parties where necessary and
proportionate for the performance of its tasks, while respecting the responsibilities of
the Member States.
(100) The prevention of serious threats to public security, including those arising from the
dissemination of terrorist content and from online crisis situations, increasingly relies
on effective cooperation between public authorities and private parties. The effective
implementation of certain measures and obligations provided for under Union law,
including Regulation (EU) 2021/784 and Regulation (EU) 2022/2065, may require
timely exchanges of information between Europol and relevant private parties. To
reconcile operational effectiveness with a high level of protection of fundamental
rights, in particular the right to the protection of personal data, it is therefore
necessary to set out the conditions for such exchanges.
(101) Information voluntarily provided by natural persons may contribute to the prevention
and combating of the forms of crime falling within Europol’s competence.
Appropriate conditions are necessary to ensure that such information can be used
where operationally relevant, while preserving Europol’s role as a law-enforcement
support agency and ensuring the protection of the rights and freedoms of the persons
concerned.
(102) Regulation (EU) 2018/1725 of the European Parliament and of the Council applies to
the processing of personal data by Europol. This Regulation should therefore be
understood as laying down only those data protection rules that are necessary to
supplement, clarify or specify the application of Regulation (EU) 2018/1725 in view
of the specific tasks and operational activities of Europol. Accordingly, the
provisions of this Regulation concerning the processing of personal data by Europol
constitute lex specialis in relation to Regulation (EU) 2018/1725 and should prevail
only to the extent that they provide more specific rules.
(103) The effectiveness of criminal intelligence and law enforcement cooperation depends
on the quality of the information processed by Europol. Therefore, wherever
EN 47 EN
possible, the reliability of the source of the information and the accuracy of the
information received, retrieved or analysed by Europol should be assessed based on a
common evaluation methodology. Where information is received by Europol, the
responsibility for that assessment should remain with the provider of the information.
Where Europol considers that an assessment should be revised, it should seek
agreement with the provider concerned.
(104) Personal data concerning victims of criminal offences, witnesses and other persons
who may provide information relevant to criminal offences require particular
protection, in line with the provisions of the Directive 2012/29/EU on establishing
minimum standards on the rights, support and protection of victims of crime.
Europol should therefore process such data only where it is strictly necessary and
proportionate for the performance of its tasks and subject to appropriate safeguards.
In order to better contribute to the fight against the criminal exploitation of young
perpetrators and in the best interest of the child, Europol should be able to process
the data of persons under the age of 18 where it is necessary and proportionate for
preventing or combating crime which falls within the scope of Europol’s
competence.
(105) Sensitive personal data in accordance with Article 4(13), (14) and (15) and Article 9
and recitals (51) to (56) of Regulation (EU) 2016/679 should be processed by
Europol only where strictly necessary and proportionate for the performance of its
tasks and subject to appropriate safeguards and oversight mechanisms.
(106) Biometric data may be processed for different purposes and do not in all
circumstances present the same risks to the rights and freedoms of data subjects. The
specific safeguards laid down in this Regulation for special categories of personal
data should therefore apply to biometric data only where they are processed for the
purpose of uniquely identifying a natural person, in accordance with Regulation (EU)
2018/1725. Processing of biometric data for the purpose of uniquely identifying a
natural person by Europol in the Europol Analytical Environment and where
otherwise required under Union law should be considered strictly necessary for
preventing or combating crimes falling within the scope of Europol’s competence.
(107) Europol should be able to process personal data for research and innovation purposes
subject to appropriate safeguards, including prior authorisation by the Executive
Director and oversight by the Management Board. Where Europol considers that a
new type of project poses a significant risk to the rights and freedoms of data
subjects, Europol should also carry out a data protection impact assessment and
inform the European Data Protection Supervisor before launching the project.
(108) Data subjects should be able to exercise the right of access referred to in Regulation
(EU) 2018/1725 by making a request either to Europol or through the national
authority appointed for that purpose in any Member State. Given that personal data
processed by Europol frequently originate from providers, decisions on data subject
access requests should be taken in close cooperation with the Member States and the
data providers concerned in order to ensure both the effective protection of data
subject rights and the safeguarding of ongoing investigations. In order to ensure that
the time limit for answering data subject access requests can always be respected, the
Member States and the providers consulted should reply to Europol without delay.
(109) In order to ensure a high level of data quality and accuracy, personal data processed
by Europol should be rectified, erased or subject to restriction of processing where
they are inaccurate, unlawfully processed or no longer required in accordance with
EN 48 EN
this Regulation and Regulation (EU) 2018/1725. Given that personal data processed
by Europol may originate from a variety of sources, Europol and the provider of the
data concerned should cooperate closely when taking measures affecting the
accuracy, storage or use of such data.
(110) The prior consultation mechanism with the European Data Protection Supervisor
(EDPS) under Regulation (EU) 2018/1725 is a key safeguard. It applies only to high-
risk processing operations, where the potential risks to data subjects are particularly
significant. At the same time, prior consultation should not be required for the
adjustment, modification or deployment of existing capabilities, including in a
defined operational context, provided that such activities do not alter the nature,
scope, or purpose of the processing in a manner that would increase the risk to the
rights and freedoms of data subjects. To preserve Europol’s operational
effectiveness, the period within which the EDPS is able to provide written advice
pursuant to Regulation (EU) 2018/1725 should be of eight weeks and should not be
suspended or extended. In particularly urgent cases of substantial significance for the
performance of Europol’s tasks, Europol should be able to exceptionally begin
processing where this is necessary to prevent and combat an immediate criminal
threat or to protect vital interests of the data subject or another person. In such cases,
Europol should inform the EDPS prior to the start of the processing operations and
should provide all the information required for the purpose of the prior consultation
within four weeks following the start of the processing operations.
(111) Regulation (EEC, Euratom) No 1182/71 of the Council55 should be applicable to any
time period provided for the EDPS under this Regulation.
(112) To ensure robust compliance with the rules on the protection of personal data, the
Management Board of Europol should appoint a Data Protection Officer. The Data
Protection Officer should be able to perform his or her duties in accordance with
Regulation (EU) 2018/1725. Where the Data Protection Officer identifies a case of
non-compliance with the rules on the protection of personal data, he or she should be
able to require the Executive Director to take corrective action within a specified
timeframe. Should the Executive Director fail to act, the Data Protection Officer
should be empowered to escalate the matter to the Management Board and, where
necessary, ultimately to the EDPS.
(113) To support Europol in respecting, promoting and fulfilling fundamental rights
throughout its action, the Management Board should designate a Fundamental Rights
Officer.
(114) Ensuring respect for fundamental rights requires specialist knowledge by Europol
staff. Europol staff should therefore receive appropriate training on fundamental
rights and freedoms. Europol staff involved in operational activities should receive
dedicated training on data protection and the practical application of the safeguards
laid down in this Regulation and Regulation (EU) 2018/1725. To ensure a high and
consistent standard of training, Europol should cooperate with the European Union
Agency for Fundamental Rights established by Council Regulation (EC) No
168/200756and CEPOL in the development of such training.
55 Regulation (EEC, Euratom) No 1182/71 of the Council of 3 June 1971 determining the rules applicable
to periods, dates and time limits (OJ L 124, 8.6.1971, p. 1,
ELI: http://data.europa.eu/eli/reg/1971/1182/oj). 56 Council Regulation (EC) No 168/2007 of 15 February 2007 establishing a European Union Agency for
Fundamental Rights (OJ L 53, 22.2.2007, p. 1, ELI: http://data.europa.eu/eli/reg/2007/168/oj).
EN 49 EN
(115) National authorities competent for the supervision of the processing of personal data
should monitor the lawfulness of any provision of personal data to Europol by
Member States. The EDPS should monitor the lawfulness of data processing carried
out by Europol, exercising his or her functions in accordance with Regulation (EU)
2018/1725. To ensure effective supervision of Europol, the EDPS and national
supervisory authorities should closely cooperate with each other on specific issues
requiring national involvement.
(116) Pursuant to Article 88 of the TFEU, Europol’s activities are to be subject to scrutiny
by the European Parliament together with national parliaments. Effective
parliamentary scrutiny contributes to the democratic accountability, transparency and
legitimacy of Europol's activities while respecting its operational independence and
the responsibilities of the competent authorities of the Member States. Effective
scrutiny requires regular dialogue with Europol and access to the information
necessary for the performance of that task, while respecting the requirements of
confidentiality and the protection of ongoing investigations and operational
activities. The protection of fundamental rights, in particular the right to the
protection of personal data, is of particular importance in the exercise of Europol’s
tasks. Parliamentary scrutiny should therefore be supported by appropriate exchanges
with the European Data Protection Supervisor and by access to independent expertise
on fundamental rights matters.
(117) Europol’s operational effectiveness depends on maintaining specialised expertise and
practical experience in law enforcement matters. In order to preserve a close
connection with the operational realities and needs of the competent authorities of
the Member States, certain posts should be occupied by personnel possessing
relevant experience acquired within those authorities. This contributes to ensuring
that Europol’s activities remain closely aligned with operational developments,
investigative practices and emerging security threats across the Union.
(118) The exchange of expertise and operational experience between Europol and the
competent authorities of the Member States contributes to effective law-enforcement
cooperation within the Union. The use of seconded national experts strengthens
mutual understanding, facilitates the sharing of specialised knowledge and best
practices and supports the effective performance of Europol’s tasks.
(119) The performance of Europol’s tasks requires budgetary resources that are
commensurate with its operational responsibilities and capable of supporting long-
term planning, operational support and the development of common capabilities for
the benefit of the Member States. To carry out its tasks, Europol should be properly
resourced and granted an autonomous budget. It should be mainly financed by
a contribution from the general budget of the Union. The Union budgetary procedure
should be applicable to the Union contribution and to any other subsidies chargeable
to the general budget of the Union. The auditing of accounts should be undertaken by
the European Court of Auditors.
(120) Financial contributions through grants are an important element of Europol’s
operational support to Member States to prevent and combat the forms of crime
falling within Europol’s competence. Moreover, given the transnational nature of
serious crime and terrorism, effective operational support might also require financial
contributions to third countries or international organisations involved in operational
activities with Member States. In that respect, certain activities necessary for the
fulfilment of Europol’s tasks are intrinsically linked to the actors involved in a in a
EN 50 EN
particular operational activity. Moreover, the effectiveness of Europol’s financial
support may depend on timely implementation, confidentiality and continuity of
cooperation among the actors involved. In such cases, a competitive call for
proposals would not be capable of identifying an alternative beneficiary Therefore, it
should be possible for Europol, in duly justified cases, to award grants without a call
for proposals for activities falling within the scope of its tasks.
(121) The necessary provisions regarding accommodation for Europol in the Netherlands,
where it has its seat, and the specific rules applicable to Europol staff and members
of their families should be laid down in a Headquarters Agreement between Europol
and the Kingdom of the Netherlands. The host Member State should provide the best
possible conditions to ensure the effective functioning of Europol.
(122) Europol established by this Regulation should succeed Europol established by
Regulation (EU) 2016/794 in respect of all its rights and obligations. In order to
ensure legal certainty, operational continuity and the stability of Europol’s external
relations, cooperation agreements and working arrangements concluded by Europol
under the Europol Convention, Decision 2009/371/JHA or Regulation (EU)
2016/794 should remain in force and be applied until they expire or are replaced.
(123) Appropriate transitional arrangements are necessary to ensure the uninterrupted
functioning of Europol and the continuity of its activities. Decisions, implementing
measures, rules and arrangements adopted pursuant to Regulation (EU) 2016/794
should therefore remain in force until repealed or replaced. In order to ensure
consistency with the legal framework established by this Regulation, the
Management Board should review those measures without undue delay and
determine whether they remain appropriate and compatible with this Regulation or
should be amended or repealed. In order to strengthen continuity and strategic
leadership within Europol and to enhance the long-term planning and
implementation of its operational priorities, it is appropriate also to adapt the
duration of the on-going respective mandates of the Executive Director and the
Deputy Executive Directors. Ensuring continuity in Europol’s current executive
management is necessary to safeguard institutional stability and operational
effectiveness of the Agency. Therefore, the duration of the term of office for the
members of Europol’s executive management who are serving their first term of
office at the time of entry into force of this Regulation, should allow for a maximum
total term of office of ten years. The duration of the term of office for the members
of Europol’s executive management who are serving their second term of office at
the time of entry into force of this Regulation, should allow for a maximum total
term of office of nine years.
(124) The increasing digitalisation of law enforcement cooperation and the development of
advanced information systems, cloud infrastructures and secure communication
services require closer cooperation between Europol and eu-LISA. Given eu-LISA’s
expertise in the development and operation of large-scale information systems and
related communication infrastructures in the area of freedom, security and justice,
and Europol’s role in supporting operational law enforcement cooperation, it is
appropriate to provide rules for the cooperation between the two agencies. Such
cooperation should enable synergies, avoid duplication of efforts, promote
interoperability and cost-efficiency, and facilitate the re-use of technical components,
services and expertise, while fully respecting the respective mandates, governance
structures and responsibilities of the two agencies. Therefore, Regulation (EU)
EN 51 EN
2018/1726 of the European Parliament and of the Council57 should be amended
accordingly.
(125) eu-LISA already operates a public key infrastructure and provides certification
services supporting the secure operation of Union information systems in the area of
freedom, security and justice. In order to ensure a high level of security, trust and
interoperability across Europol services and tools, Europol should be able to make
use of those existing services. To that end, eu-LISA should be able to provide public
key infrastructure certificates to Europol and, where appropriate, to the competent
authorities of the Member States connected to Europol services and tools. That
should enable Europol to benefit from existing capabilities and expertise available at
Union level in a cost-efficient manner, contributing to secure authentication,
encrypted communications and trusted electronic interactions.
(126) In order to strengthen Europol’s capacity to support Member States in the prevention
and combating of serious crime and terrorism, and to make more effective use of
existing Union information exchange frameworks, Europol should be able, under
clearly defined conditions, to conduct searches in national databases connected under
the Prüm II framework on behalf of Member States. It is important that Europol
provides operational, analytical, technical and forensic support in situations where its
expertise, resources or cross-border perspective can provide added value, while fully
preserving Member States’ ownership of data, investigative autonomy and the
decentralised architecture underpinning the Union information exchange systems.
Regulation (EU) 2024/982 currently enables Europol to conduct searches in Member
States’ Prüm databases using data received from third countries. In order to remove
any operational limitation that may prevent the identification of relevant cross-border
links, Europol should also be able to conduct such searches using data originating
from Member States, where authorised by the data-owning Member State. This
should apply in particular to searches involving DNA profiles, dactyloscopic data
and facial images, while ensuring that Member States will be able to decide on the
conditions under which their data may be used. Therefore, Regulation (EU)
2024/982should be amended accordingly.
(127) To enhance the effectiveness of Europol's access to data stored in Member States'
databases, while ensuring the protection of personal data and the respect of national
law, Europol should have access to data stored in national databases and police
record indexes, subject to specific conditions and limitations, including the use of
designated routers and systems, such as EPRIS, EUCARIS and the router for
biometric data and the requirement for human oversight and decision-making in the
return of core data, and should only use data originating from Member States where
authorised by the data-owning Member State, and should handle such data in
accordance with Regulation (EU) 2018/1725 and this Regulation as well as the
consent of the relevant Member State.
(128) Where Europol conducts searches using biometric data originating from Member
States, it should act solely as a technical and forensic service provider on behalf of
the authorising Member State. Europol should therefore carry out such searches only
within the scope of the authorisation granted by the Member State concerned,
whether on a case-by-case basis or through standing authorisations subject to
conditions defined by that Member State. Europol should fully respect any
57 Regulation (EU) 2018/1726 of the European Parliament and of the Council …(OJ…, ELI: ..).
EN 52 EN
restrictions imposed by the authorising Member State regarding access to, use,
transmission, retention, deletion or destruction of the information concerned.
(129) Since the objectives of this Regulation, namely to support and strengthen the action
of the competent authorities of the Member States and their mutual cooperation in
preventing and combating serious crime affecting two or more Member States,
terrorism and forms of crime affecting a common interest covered by a Union policy,
cannot be sufficiently achieved by the Member States acting alone but can rather, by
reason of the scale, transnational nature and effects of those threats, be better
achieved at Union level, the Union may adopt measures in accordance with the
principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle
of proportionality as set out in that Article, this Regulation does not go beyond what
is necessary in order to achieve those objectives.
(130) [In accordance with Article 3 and Article 4a(1) of Protocol No 21 on the position of
the United Kingdom and Ireland in respect of the area of freedom, security and
justice, annexed to the Treaty on European Union (TEU) and to the TFEU, Ireland
has notified [, by letter of …,] its wish to take part in the adoption and application of
this Regulation] OR [In accordance with Articles 1, 2and Article 4a(1) of Protocol
No 21 on the position of the United Kingdom and Ireland in respect of the area of
freedom, security and justice, annexed to the Treaty on European Union (TEU) and
to the TFEU, and without prejudice to Article 4 of that Protocol, Ireland is not taking
part in the adoption of this [act] and is not bound by it or subject to its application.]
(131) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark,
annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of
this Regulation and is not bound by it or subject to its application.
(132) The EDPS was consulted in accordance with Article 42 of Regulation (EU)
2018/1725 and delivered an opinion on [date].
(133) This Regulation fully respects the fundamental rights and freedoms and observes the
principles recognised in particular by the Charter of Fundamental Rights of the
European Union, in particular the right to the protection of personal data and the
right to privacy as protected by Articles 8 and 7 of the Charter respectively, as well
as by Article 16 TFEU, the right to an effective remedy and to a fair trial under
Article 47 of the Charter, the presumption of innocence under Article 48 of the
Charter, and the rights of victims of crime.
(134) This Regulation aims to amend and expand the provisions of Regulation (EU)
2016/794. Since the amendments to be made are substantial in number and nature,
that legal act should, for the sake of clarity, be repealed,
HAVE ADOPTED THIS REGULATION:
Chapter I
General provisions
Article 1
Subject matter
EN 53 EN
1. This Regulation establishes a European Union Agency for Law Enforcement
Cooperation (Europol) to support and strengthen action by the competent authorities
of the Member States and their mutual cooperation with the aim to prevent and
combat cross-border serious crime, terrorism and forms of crime which affect a
common interest covered by a Union policy.
2. Europol, as established by this Regulation, shall replace and succeed the agency
established by Regulation (EU) 2016/794.
Article 2
Legal status
1. Europol shall be an agency of the Union and shall have legal personality.
2. In each of the Member States, Europol shall enjoy the most extensive legal capacity
accorded to legal persons under national law. It may, in particular, acquire and
dispose of movable and immovable property and be party to legal proceedings.
3. Europol shall be represented by an Executive Director.
Article 3
Seat
The seat of Europol shall be in The Hague, the Netherlands.
Article 4
Definitions
For the purposes of this Regulation, the following definitions apply:
(1) ‘competent authorities of the Member States’ means all police authorities and other
law enforcement services existing in the Member States which are responsible under
national law for preventing and combating criminal offences and other public
authorities existing in the Member States which are responsible under national law
for preventing and combating criminal offences in respect of which Europol is
competent;
(2) ‘strategic analysis’ means all methods and techniques by which information is
collected, stored, processed and assessed with the aim of supporting and developing
a criminal policy that contributes to the efficient and effective prevention and
combating of crime;
(3) ‘operational analysis’ means all methods and techniques by which information is
collected, stored, processed and assessed with the aim of supporting criminal
investigations and criminal intelligence activities;
(4) ‘private parties’ means entities and bodies established under the law of a Member
State or third country, including companies and firms, business associations, non-
profit organisations and other legal persons that are not covered by point 5;
(5) ‘recipient’ means a natural or legal person, public authority, agency or any other
body to which data are disclosed, whether a third party or not;
(6) ‘administrative personal data’ means personal data processed by Europol other than
operational personal data
EN 54 EN
(7) ‘terrorist content’ means terrorist content as defined in Article 2, point (7), of
Regulation (EU) 2021/784;
(8) ‘online child sexual abuse’ means the online dissemination of child sexual abuse
material and the solicitation of children;
(9) ‘online crisis situation’ means the dissemination of online content stemming from an
ongoing or recent real world event which depicts harm to life or to physical integrity,
or calls for imminent harm to life or to physical integrity;
(10) ‘immigration liaison officer’ means an immigration liaison officer as defined in
Article 2, point (1), of Regulation (EU) 2019/1240 of the European Parliament and of
the Council58;
(11) 'single point of contact' means the central entity responsible for coordinating and
facilitating the exchange of information in accordance with Article 14 of Directive
(EU) 2023/977 of the European Parliament and of the Council59;
(12) ‘advanced capabilities’ means technological, analytical or operational capabilities
providing enhanced or novel functionalities supporting the prevention and combating
of the forms of crime falling within the scope of Europol’s competence and
cooperation between the competent authorities of the Member States.
Article 5
Competence
1. Europol shall support and strengthen action by the competent authorities of the
Member States and their mutual cooperation in preventing and combating serious
crime affecting two or more Member States, terrorism and forms of crime which
affect a common interest covered by a Union policy, as listed in Annex I.
2. Europol’s competence shall also cover criminal offences related to the forms of
crime listed in Annex I, in particular offences committed for the purpose of
preparing, facilitating, supporting or concealing such forms of crime, offences
committed in connection therewith, or offences committed to ensure the impunity of
persons involved in such forms of crime, including where such offences involve a
hybrid dimension.
Article 6
Tasks
1. Europol shall perform the following tasks:
(a) collect, store, process, analyse and exchange information, including criminal
intelligence;
(b) provide operational support to the competent authorities of the Member States,
including the coordination, organisation and implementation of investigative
58 Regulation (EU) 2019/1240 of the European Parliament and of the Council of 20 June 2019 on the
creation of a European network of immigration liaison officers (OJ L 198, 25.7.2019, p. 88, ELI:
http://data.europa.eu/eli/reg/2019/1240/oj). 59 Directive (EU) 2023/977 of the European Parliament and of the Council of 10 May 2023 on the
exchange of information between the law enforcement authorities of Member States and repealing
Council Framework Decision 2006/960/JHA (OJ L 134, 22.5.2023, p. 1, ELI:
http://data.europa.eu/eli/dir/2023/977/oj).
EN 55 EN
and operational actions, analytical support through operational analysis, and
technical and forensic support;
(c) provide support of a strategic and thematic nature to the competent authorities
of the Member States and Union institutions through strategic analysis and by
preparing analytical products, including threat assessments, strategic analyses,
trend reports and situational briefings;
(d) cooperate with Union institutions, bodies, missions, offices and agencies,
where relevant through the exchange of information and provision of analytical
support in areas that fall within their respective mandates;
(e) cooperate with third countries and other relevant partners, in particular through
the exchange of information;
(f) carry out research and innovation activities under the Union Framework
Programme for Research and Innovation, and develop advanced capabilities;
(g) develop and maintain information management and ICT services, tools and
components enabling it to perform the tasks referred in points (a) to (e);
(h) provide financial support for operational activities carried out in the context of
investigative or operational actions.
2. In addition to the tasks set out in paragraph 1, Europol shall carry out the following
supportive tasks:
(a) provide information and operational support to Member States in connection
with major international events;
(b) provide information and operational support to Union crisis management
structures and missions established on the basis of the TEU, within the scope of
Europol’s competence;
(c) provide administrative, financial and technical support to Union-funded
operational projects and European law enforcement networks falling within the
scope of Europol’s competence, to enhance coordination, continuity and
coherence of action;
(d) act as the Central Office for combating euro counterfeiting in accordance with
Council Decision 2005/511/JHA60, including by encouraging the coordination
of measures carried out to fight euro counterfeiting by the competent
authorities of the Member States or in the context of joint investigation teams,
where appropriate in liaison with Union bodies, offices and agencies and the
authorities of third countries;
(e) support the Member States in the screening, as regards the expected
implications for security, of specific cases of foreign direct investments into the
Union under Regulation (EU) 2019/452 of the European Parliament and of the
Council61 that concern undertakings that provide technologies, including
60 Council Decision 2005/511/JHA of 12 July 2005 on protecting the euro against counterfeiting, by
designating Europol as the Central Office for combating euro counterfeiting (OJ L 185, 16.7.2005, p.
35, ELI: http://data.europa.eu/eli/dec/2005/511/oj). 61 Regulation (EU) 2019/452 of the European Parliament and of the Council of 19 March 2019
establishing a framework for the screening of foreign direct investments into the Union (OJ L 79I,
21.3.2019, p. 1, ELI: http://data.europa.eu/eli/reg/2019/452/oj).
EN 56 EN
software, used by Europol for the prevention and combating of crimes falling
within the scope of Europol’s competence
(f) contribute to the implementation of the Schengen Evaluation and Monitoring
Mechanism to verify the application of the Schengen acquis under Council
Regulation (EU) 2022/92262, Regulation (EU) 2022/922, within the scope of
Europol’s competence, through the participation in Schengen evaluation
missions and other on-site visits, provision of expertise and analyses, where
requested by the Commission.
(g) cooperate in a structured way and on a regular basis, including by concluding
bilateral or multilateral working arrangements governing the modalities of such
cooperation, with the anti-fraud actors involved in the protection of the Union’s
financial interests, such as the EPPO, Eurojust, OLAF, AMLA and the EU
Customs Authority.
3. Europol shall not apply coercive measures in carrying out any of its tasks.
During the execution of investigative measures by the national competent authorities
of the Member States, Europol may support those competent authorities, at their
request and in accordance with their national law, in particular by facilitating cross-
border information exchange and other forms of data processing and by providing
operational support remotely or by being present during the execution of those
measures. Europol shall not have the power to execute investigative measures.
Article 7
Europol’s strategic support
1. Europol shall contribute to the development of a common Union strategic analytical
framework relating to serious crime and terrorism.
For that purpose, Europol shall prepare, on a regular basis, analytical products on
internal security, including strategic analyses, threat assessments, trend reports and
situational briefings, and shall make them available in accordance with Article 129.
2. Europol shall support the development and use of common analytical methodologies
and standards, in particular for Union-level threat assessments, to ensure
comparability, interoperability and consistency of analytical products.
3. Member States shall provide Europol with all necessary information for the
preparation of the analytical products referred to in paragraph 1.
Member States may refuse to supply information based on one or more of the
following grounds:
(a) the supply of information is contrary to the essential interests of the security of
the Member State concerned;
(b) the supply of information jeopardises the success of an ongoing investigation
or the safety of an individual;
(c) the supply of information would disclose information relating to organisations
or specific intelligence activities in the field of national security.
62 Council Regulation (EU) 2022/922 of 9 June 2022 on the establishment and operation of an evaluation
and monitoring mechanism to verify the application of the Schengen acquis, and repealing Regulation
(EU) No 1053/2013 (OJ L 160, 15.6.2022, p. 1, ELI: http://data.europa.eu/eli/reg/2022/922/oj).
EN 57 EN
Member States shall supply information as soon as the grounds referred to in points
(a), (b) or (c), cease to exist.
4. Union institutions, bodies, offices and agencies shall, within their competence and in
accordance with applicable Union law, provide Europol with information relevant for
the preparation of the analytical products referred to in paragraph 1.
5. Europol may use open-source information and contributions from relevant partners
as complementary sources for the preparation of the analytical products referred to in
paragraph 1.
6. The analytical products referred to in paragraph 1 shall be made available to the
Council and the Commission for the identification, development and implementation
of strategic, policy and operational priorities of the Union for fighting crime and
in the implementation thereof.
7. Europol shall use the analytical products referred to in paragraph 1 to support the
planning and implementation of operational activities under this Chapter and shall
take those products into account in the preparation and regular updating of the
Framework referred to in Article 57.
8. Member States shall take the analytical products referred to in paragraph 1 into
account when determining their participation in operational activities supported by
Europol, allocating operational resources and implementing Union strategic and
operational priorities at the national level.
9. The analytical products referred to in paragraph 1 may be used for the purposes of
analyses carried out by the Commission and the Member States and for Schengen
evaluations and monitoring activities carried out in accordance with Regulation (EU)
2022/922 in the policy areas falling within the scope of Europol’s competence.
Chapter II
Operational cooperation
SECTION 1
OPERATIONAL SUPPORT AND COORDINATION
Article 8
Europol’s operational support
1. Europol shall provide operational support to the competent authorities of the Member
States to contribute to the prevention and combating of the forms of crime falling
within Europol’s competence.
2. Europol shall establish and maintain the capabilities necessary to provide continuous
and effective operational support to the competent authorities of the Member States.
3. Europol shall support, in particular:
(a) investigations and operational activities requiring coordinated action at Union
level;
(b) the identification, targeting and disruption of high-risk criminal networks and
their supporting criminal infrastructure;
EN 58 EN
(c) operational activities requiring specialised analytical, technical, digital,
forensic or multidisciplinary capabilities;
(d) the detection, analysis and coordination of action against large-scale, emerging,
rapidly evolving security threats, including criminal offences related to the
forms of crime listed in Annex I where such offences involve a hybrid
dimension and the coordination of law enforcement responses to them;
(e) the implementation of Union strategic and operational priorities relating to
internal security.
4. Operational support provided by Europol may, as appropriate and in accordance with
operational needs, be provided through, among others:
(a) Union Centres of specialised expertise (‘Centres’), as referred to in Articles 13
to 19;
(b) operational task forces in accordance with Article 20;
(c) joint investigation teams in accordance with Article 21, including in
cooperation with Eurojust;
(d) Europol deployments in accordance with Article 22;
(e) support to strategic and operational activities carried out within the framework
of the European Multidisciplinary Platform Against Criminal Threats
(EMPACT) in accordance with Article 23.
5. Europol shall ensure the coordination, coherence and complementarity of the
operational support, structures and cooperation instruments referred to in this
Chapter, including where several forms of operational support are deployed
simultaneously.
6. Member States shall seek to make effective use of the forms of operational support
referred to in paragraph 4, notably where coordinated Union-level action is necessary
to ensure an effective response to serious and organised crime and terrorism.
7. Where the Operational and Analysis Service or the Centres identify operational links
or coordination needs relating to cross-border criminal activities, Europol shall
request the competent authorities of the Member States concerned to provide relevant
information, criminal intelligence or contribute to coordination measures.
The competent authorities of the Member States concerned shall respond without
undue delay and, where they decide not to provide the requested contribution or
participate in the proposed coordination measures, they shall provide Europol with a
reasoned justification.
Article 9
Operational support to financial investigations and asset recovery
1. Europol shall cooperate with asset recovery offices established pursuant to Article 5
of Directive (EU) 2024/1260.
2. Member States shall ensure that Europol has direct and immediate access to the
information referred to in Article 6(2) of Directive (EU) 2024/1260 under the
conditions set out therein and to the extent necessary for the performance of the tasks
referred to in Article 16 of this Regulation.
EN 59 EN
Member States shall also ensure that Europol can swiftly obtain the information
listed in Article 6(3) of Directive (EU) 2024/1260 upon request to the relevant access
recovery office and in situations described in Article 6(4) of that Directive, to the
extent necessary for the performance of the tasks referred to in Article 16 of this
Regulation.
Access to information referred to in this paragraph shall be compliant with Article
6(5) and (6) of Directive (EU) 2024/1260.
3. Where Europol considers that there is an imminent risk of disappearance of property
traced and identified as a result of the activities referred to in Article 16 of this
Regulation, it shall submit a request to the competent authorities of the Member
States concerned to take immediate action in accordance with Article 11(2) of
Directive (EU) 2024/1260.
The competent authority of the Member State concerned shall decide on the request
without delay and, where possible, within 24 hours.
Where the competent authority of the Member State concerned decides not to take
immediate action, it shall inform Europol and provide the reasons for its decision.
Those reasons may be withheld in the following cases:
(a) the disclosure of the reasons is contrary to the essential interests of the security
of the Member State concerned;
(b) the disclosure of the reasons jeopardises the success of an ongoing
investigation or the safety of an individual.
4. Europol shall cooperate, in accordance with Article 12 of Directive (EU) 2019/1153
of the European Parliament and of the Council63, with Financial Intelligence Units
(FIUs) established pursuant to Directive (EU) 2015/849 of the European Parliament
and of the Council64, through the relevant Europol national unit or, where allowed by
the relevant Member State, by direct contact, in particular through the exchange of
information and the provision of analyses to Member States to support cross-border
investigations falling within the scope of Europol’s competence.
5. Each Member State shall ensure that its FIU, within the limits of its mandate and
competence and subject to national procedural safeguards, is entitled to reply to duly
justified requests that are made by Europol in accordance with Article 12 of
Directive (EU) 2019/1153 regarding financial information and financial analyses,
either via its Europol national unit or, where allowed by that Member State, by direct
contact between the FIUs and Europol.
Article 10
Financial support for operational activities
63 Directive (EU) 2019/1153 of the European Parliament and of the Council of 20 June 2019 laying down
rules facilitating the use of financial and other information for the prevention, detection, investigation or
prosecution of certain criminal offences, and repealing Council Decision 2000/642/JHA (OJ L 186,
11.7.2019, p. 122, ELI: http://data.europa.eu/eli/dir/2019/1153/oj). 64 Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the
prevention of the use of the financial system for the purposes of money laundering or terrorist
financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and
repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission
Directive 2006/70/EC (OJ L 141, 5.6.2015, p. 73, ELI: http://data.europa.eu/eli/dir/2015/849/oj).
EN 60 EN
1. Upon receipt of a duly justified written request from a Member State, Europol may
provide targeted financial support for operational activities carried out in the context
of a priority investigation or operational action supported by Europol and falling
within the scope of its competence.
2. The financial support referred to in paragraph 1 shall be limited to what is necessary
and proportionate for the purposes of the relevant priority investigation or
operational action and may cover the operational, technical, logistical and other
necessary expenditures required for its effective implementation.
3. Europol may, where appropriate and in accordance with operational priorities,
prioritise financial support for coordinated cross-border operational activities.
4. Decisions to grant the financial support referred to in paragraph 1 shall be taken by
Europol on a case-by-case basis, in accordance with implementing rules adopted by
the Management Board on a proposal from the Executive Director and after
consultation of the Commission.
Those implementing rules shall provide for the conditions and procedures for
granting, managing and monitoring such support, including requirements ensuring
accountability, traceability, auditability and compliance with applicable Union
financial rules.
Article 11
Request to initiate a criminal investigation
1. In specific cases where Europol considers that a criminal investigation should be
initiated into a crime falling within the scope of its competence, it shall request the
competent authorities of the Member State concerned via, its Europol national unit,
to initiate, conduct or coordinate such a criminal investigation.
2. Without affecting paragraph 1, where the Executive Director considers that a
criminal investigation should be initiated into a specific crime which concerns only
one Member State but affects a common interest covered by a Union policy, he or
she may request the competent authorities of the Member State concerned, via its
Europol national unit, to initiate, conduct or coordinate such a criminal investigation.
3. Paragraphs 1 and 2 do not apply with regard to criminal offences affecting the
Union’s financial interests that fall within the scope of the competence of the EPPO.
4. The competent authorities of the Member States concerned shall examine any request
made pursuant to paragraphs 1 and 2 as a matter of priority and shall take a reasoned
decision without undue delay.
Europol national units shall inform Europol, with regard to any request made
pursuant to paragraphs 1 or 2, of the decision of the competent authorities of the
Member States, without undue delay.
5. Where the competent authorities of a Member State decide not to accede to a request
made pursuant to paragraphs 1 and 2, they shall inform Europol of the reasons for the
decision without undue delay, and in any event within one month of receipt of the
request. The reasons may be withheld in the following cases:
(a) the disclosure of the reasons is contrary to the essential interests of the
security of the Member State concerned;
EN 61 EN
(b) the disclosure of the reasons jeopardises the success of an ongoing
investigation or the safety of an individual.
6. Europol shall immediately inform Eurojust of any request made under paragraphs 1
and 2, and of any decision of a competent authority of a Member State taken
pursuant to paragraphs 4 and 5 to enable Eurojust to ensure timely judicial follow-up
at national level and to exercise its competence, including, where appropriate, the
capacity to act on its own initiative in accordance with the applicable provisions of
Regulation (EU) 2018/1727.
7. Europol shall immediately inform the EPPO of requests made under paragraphs 1
and 2 concerning criminal offences falling within the EPPO’s competence, and of
any related decision of a competent authority of a Member State pursuant to
paragraph 4 and 5.
SECTION 2
OPERATIONAL SPECIALISED CAPABILITIES
Article 12
Operational and Analysis Service
1. Europol shall maintain, through the Operational and Analysis Service, a continuous
24/7 operational and analytical capability to support the coordination, organisation
and implementation of investigative and operational action carried out jointly with
the Member States pursuant to this Regulation.
2. The Operational and Analysis Service shall ensure:
(a) the operational and strategic analysis of information and criminal intelligence,
including in support of the activities carried out by the Centres;
(b) the support and coordination of analysis projects;
(c) the provision of cross-cutting services in the areas of interoperability,
biometrics, open-source intelligence (OSINT), travel intelligence and satellite
imagery;
(d) the identification of operational links, and the coordination of cross-border
operational and investigative responses, including, where appropriate, by
proposing the establishment of a Joint Operational Analysis Case (JOAC);
(e) the coordination and coherence of operational support provided pursuant to this
Regulation, including in the framework of operational task forces, joint
investigation teams, Europol deployments and EMPACT activities;
(f) the preparation of the analytical products referred to in Article 7.
3. The Operational and Analysis Service shall ensure coordination, cooperation and
operational coherence between the Union Centres of specialised expertise, in
particular where operational activities, criminal intelligence or investigations concern
multiple forms of crime, or criminal offences related to the forms of crime listed in
Annex I where such offences involve a hybrid dimension, or otherwise require a
multidisciplinary response.
Article 13
Union Centres of specialised expertise
EN 62 EN
1. The European Cybercrime Centre, the European Counter Terrorism Centre, the
European Financial and Economic Crime Centre, the European Serious and
Organised Crime Centre and the European Centre Against Migrant Smuggling are
hereby established as Union Centres of specialised expertise (‘Centres’).
2. The Centres shall form part of Europol’s organisational structure and shall not have
separate legal personality. They shall serve as Europol’s primary specialised
capability and expertise structures in their respective areas and shall support the
prevention and combating of the forms of crimes, including criminal offences related
to the forms of crime listed in Annex I where such offences involve a hybrid
dimension, falling within the scope of Europol’s competence.
3. The Centres shall, in particular:
(a) provide specialised operational support to the competent authorities of the
Member States;
(b) provide operational support within the framework of operational task forces,
joint investigation teams and EMPACT;
(c) facilitate coordination and cooperation between Member States, and, where
appropriate, with other Union institutions, bodies, offices and agencies and
relevant partners, including the identification of operational links;
(d) support integrated operational action, under the coordination of the Operational
and Analysis Service, involving multiple forms of crime falling within the
scope of Europol’s competence, or criminal offences related to the forms of
crime listed in Annex I where such offences involve a hybrid dimension,
including through the mobilisation and coordination of specialised expertise
and capabilities across several operational areas;
(e) identify capability needs and contribute to the development, deployment and
integration of advanced capabilities into the activities of Europol and of the
competent authorities of the Member States, including through specialised
training, in coordination with the Foresight and Capability Service and in close
cooperation with the Europol support offices;
(f) contribute to the preparation of analytical products referred to in Article 7.
4. Europol shall ensure that the activities of the Centres are consistent with Union
strategic and operational priorities on internal security, including those established
within the EMPACT framework.
5. The Centres may include liaison officers and representatives of other Union bodies,
offices and agencies in accordance with the implementing rules referred to in
paragraph 6.
Europol may also invite partners with relevant expertise to contribute to the activities
referred to in paragraph 3, points (e) and (f), in accordance with the implementing
rules referred to in paragraph 6.
6. Upon a proposal from the Executive Director, the Management Board shall adopt
implementing rules on the organisation, specific functions, composition and
operation of the Centres and shall regularly review and, where necessary, adapt these
rules in light of operational needs and evolving security threats.
EN 63 EN
Article 14
European Serious and Organised Crime Centre
In accordance with Article 6(1), point (b), the support provided by Europol, notably through
the European Serious and Organised Crime Centre shall, in particular, consist of:
(a) supporting the identification, prioritisation, targeting and disruption of high-
value targets and high-risk criminal networks;
(b) supporting and coordinating cross-border investigations and operational
activities relating to drug trafficking, trafficking in firearms and explosives,
environmental crime, property crime and other forms of serious and organised
crime;
(c) providing specialised expertise in support of complex, multi-jurisdictional
investigations and operational activities, including in the framework of
Operational Task Forces, joint investigation teams and EMPACT activities;
(d) supporting the identification, monitoring and disruption of the recruitment and
exploitation of children and young persons by criminal networks, including
through online services and platforms, for the purposes of committing,
facilitating or concealing criminal activities.
Article 15
European Cybercrime Centre
In accordance with Article 6(1), point (b), the support provided by Europol, notably through
the European Cybercrime Centre shall, in particular, consist of:
(a) supporting Member States, and where relevant private parties, in preventing
and responding to cyberattacks of suspected criminal origin and large-scale
malicious online activities, including in cooperation with the European Union
Agency for Cybersecurity (ENISA), including with respect to ransomware
incidents, and by accessing the infrastructure used to conduct the attack;
(b) supporting Members States, and where relevant private parties, in addressing
online crisis situations, in particular by providing private parties with the
information necessary to identify relevant online content, services, accounts,
infrastructures or digital activities, including by means of referrals of online
content to online service providers;
(c) supporting Member States in preventing and combating child sexual abuse, the
dissemination of online child sexual abuse material and the solicitation of
children;
(d) contributing to the identification of victims and offenders of cybercrime and
cyber-enabled criminal activities, including online child sexual abuse;
(e) maintaining and deploying specialised digital forensic, technical, analytical and
investigative expertise and capabilities, including to support the processing and
analysis of digital data and lawfully obtained encrypted data;
(f) hosting and supporting operational coordination platforms and specialised
operational cooperation frameworks in the area of cybercrime and cross-border
access to electronic evidence, including the Joint Cybercrime Action
Taskforce.
EN 64 EN
Article 16
European Financial and Economic Crime Centre
In accordance with Article 6(1), point (b), the support provided by Europol, notably through
the European Financial and Economic Crime Centre, shall, in particular, consist of:
(a) supporting the asset recovery offices of Member States in the tracing and
identification of instrumentalities, proceeds, and properties, which are, or
might become, the object of a freezing or confiscation order, in accordance
with Article 9;
(b) supporting the detection, analysis and monitoring of criminal financial flows,
illicit financial networks and criminal business models linked to organised
crime and terrorism financing;
(c) providing operational and analytical support to the EPPO in relation to crimes
falling within the competence of Europol and the EPPO in accordance with
Article 81;
(d) supporting Member States in tackling large-scale digital fraud, including by
facilitating reporting of fraud and cooperating with financial institutions, online
platforms, and international partners.
Article 17
European Centre Against Migrant Smuggling
In accordance with Article 6(1), point (b), the support provided by Europol, notably through
the European Centre Against Migrant Smuggling, shall, in particular, consist of:
(a) supporting the identification, monitoring and analysis of criminal networks
involved in migrant smuggling and trafficking in human beings, including their
business models, modi operandi and criminal infrastructure;
(b) supporting the detection and analysis of the digital dimension of migrant
smuggling and trafficking in human beings, including through open-source
analysis, cooperation with online service providers and specialised practitioner
networks;
(c) supporting the detection, analysis and disruption of illicit financial flows,
criminal assets and financial infrastructure used by migrant smuggling and
trafficking in human beings networks, in close cooperation with the European
Financial and Economic Crime Centre;
(d) supporting cooperation and operational coordination with Member States,
Frontex, Eurojust, other relevant Union bodies, offices and agencies, third
countries and international partners in matters relating to migrant smuggling
and trafficking in human beings.
Article 18
European Counter Terrorism Centre
In accordance with Article 6(1), point (d), the support provided by Europol, notably through
the European Counter Terrorism Centre shall, in particular, consist of:
EN 65 EN
(a) addressing the dissemination of terrorist and violent extremist content online
including by cooperating with the competent authorities of the Member States
with regard to removal orders, in accordance with Article 14 of Regulation
(EU) 2021/784, and by making referrals of online content to online service
providers;
(b) supporting investigations, including through the detection and analysis of
terrorist financing flows and networks, threats related to chemical, biological,
radiological and nuclear substances and explosives, online radicalisation and
the misuse of online platforms for terrorist and new technologies for terrorist
purposes;
(c) supporting crisis response and operational coordination, including in online
crisis situations, through dedicated capabilities, tools, joint coordination
structures and support mechanisms, including through the information
exchange mechanism referred to in Article 47;
(d) supporting the prevention of radicalisation that leads to terrorism by facilitating
the exchange of information, criminal intelligence and analytical products,
between the competent authorities of the Member States and, where
appropriate, with relevant Union bodies, offices and agencies and private
parties.
Article 19
Establishment and governance of additional Union Centres of specialised expertise
1. Additional Union Centres of specialised expertise may be established within
Europol, in particular where the Executive Director identifies a need for permanent
specialised capabilities or coordinated action at Union level in order to fulfil
Europol’s tasks.
2. The establishment, adaptation and, where appropriate, merger and discontinuation of
the additional Centres shall be decided by means of delegated acts adopted in
accordance with Article 139 taking into account, in particular:
(a) the scale, complexity or cross-border dimension of the relevant criminal or
security threats and of criminal offences related to the forms of crime listed in
Annex I where such offences involve a hybrid dimension;
(b) the operational needs of the Member States and the need for permanent
specialised capabilities at Union level;
(c) the need to ensure coherence, and complementarity with existing Centres and
other Union operational frameworks;
(d) the availability of resources within Europol.
3. Article 13(2) to (6) shall apply to the Centres established under this Article.
SECTION 3
OPERATIONAL COOPERATION INSTRUMENTS
Article 20
Operational task forces
EN 66 EN
1. Operational task forces may be established by the competent authorities of the
Member States, with the support of Europol, for the purpose of addressing specific
cross-border criminal threats falling within the scope of Europol’s competence.
An operational task force may be established where the criminal threat concerned
involves two or more Member States and, by reason of its scale, complexity or cross-
border dimension, requires coordinated operational and investigative action at Union
level.
2. The Member States participating in an operational task force and Europol shall
ensure coherence and, where possible, integration with the framework of EMPACT.
3. The Member States setting up an operational task force may decide to invite other
Member States, and third countries referred to in Chapter VII to participate in or
support the operational task force.
4. Europol shall, in agreement with the Member States participating in an operational
task force, support the planning, coordination and implementation of the operational
and criminal intelligence activities carried out in the framework of that task force.
Europol shall make available the relevant operational and financial support.
5. Member States participating in an operational task force shall, in accordance with
national law:
(a) ensure the continuous and structured exchange of all relevant information with
Europol and the other participating Member States in a timely manner, through
the Secure Information Exchange Network Application (SIENA), and, where
appropriate, ensure that such information is made available for direct access in
accordance with Articles 39, 40 and 41;
(b) make effective use of the operational and financial support provided by
Europol;
(c) undertake, where necessary and in accordance with national law, coordinated
criminal intelligence activities and investigations to address the criminal threats
concerned;
(d) initiate parallel financial investigations to identify, freeze and seize criminal
assets;
(e) mobilise, where relevant, liaison officers deployed in third countries where
criminal activities are investigated in the context of the operational task force
to enhance cooperation and information sharing and provide Europol with the
information obtained.
6. The Executive Director shall propose to the competent authorities of the Member
States concerned via the Europol national unit the establishment of an operational
task force where, on the basis of objective criteria, such a task force would provide
added value in addressing a specific cross-border criminal threat falling within the
scope of Europol’s competence and respond to identified operational needs.
7. The Management Board shall adopt implementing rules for the setting up and
implementation of operational task forces, including the necessary safeguards for the
participation of third countries.
8. Europol shall, together with the Member States participating in an operational task
force, assess at all stages of the operational activities whether the establishment of a
EN 67 EN
joint investigation team in accordance with Article 21 is necessary to support
coordinated and sustained action at Union level.
Article 21
Participation in joint investigation teams
1. Europol may participate in the activities of joint investigation teams, including those
established in accordance with Council Framework Decision 2002/465/JHA65 and
the Convention established by the Council in accordance with Article 34 of the TEU,
on Mutual Assistance in Criminal Matters between the Member States of the
European Union66, dealing with forms of crime falling within the scope of Europol's
competence. The agreement setting up a joint investigation team shall determine the
conditions relating to the participation of Europol in the team and shall include
information on the rules on liability.
2. Europol may, within the limits of the laws of the Member States in which a joint
investigation team is operating, assist in all activities and exchanges of information
with all members of the joint investigation team.
3. When participating in a joint investigation team, Europol may, in accordance with
this Regulation, provide all members of the team with necessary information
processed by Europol for the purposes set out in Article 32(2). Europol shall at the
same time inform the Europol national units of the Member States represented in the
team, and those of the Member States which provided the information.
4. Europol may process, for the purposes set out in Article 32(2), information obtained
while participating in a joint investigation team with the consent of the Member State
which provided the information, under the conditions laid down in this Regulation.
5. Where Europol has reason to believe that setting up a joint investigation team would
add value to an investigation, it may propose that to the Member States concerned
and take measures to assist them in setting up the joint investigation team.
6. Upon a request made the competent authority of a Member States made following
the advice of Eurojust pursuant to Article 27(1) of Regulation (EU) …/… [proposal
for Eurojust Regulation], Europol shall, within the limits of its competence,
participate in the joint investigation team concerned, unless it provides duly justified
reasons for not doing so.
Article 22
Europol deployments
1. A Member State may request, in accordance with its national law, Europol
deployments on its territory to make use of the operational support provided by
Europol.
2. Europol deployments for operational support shall take place, in particular, in the
context of complex or large-scale investigations or criminal intelligence activities
requiring coordinated support at Union level. Europol deployments may include
participation in joint investigation teams established in accordance with Article 21, in
65 Council Framework Decision of 13 June 2002 on joint investigation teams (OJ L 162, 20.6.2002, p. 1,
ELI: http://data.europa.eu/eli/dec_framw/2002/465/oj). 66 OJ C 197, 12.7.2000, p. 3.
EN 68 EN
operational task forces established in accordance with Article 20, or in other
coordinated operational activities.
Europol deployments may also take place to support checks against relevant
databases, including in the context of strengthening controls at the Union’s external
borders or supporting migration management activities in accordance with
Regulation (EU) 2019/1896, or to support Member States in major international
events.
Europol deployments shall also take place, in particular, to ensure the effective use,
integration and deployment of Europol’s services, tools and advanced capabilities in
the operational environments of the Member States.
3. Europol shall assess any request made by a Member State pursuant to paragraph 1
and may authorise a Europol deployment, taking into account Europol’s available
resources.
4. Following authorisation of a Europol deployment pursuant to paragraph 3, Europol
and the Member State concerned shall agree on the modalities of the Europol
deployment.
5. Europol staff and seconded national experts deployed in the territory of the Member
State concerned shall act in accordance with this Regulation and with the national
law of the Member State in whose territory the deployment takes place.
6. The Member State in whose territory the deployment takes place shall, in accordance
with the modalities agreed pursuant to paragraph 4:
(a) provide Europol with all relevant information without undue delay and, where
possible, enable direct access to such information for Europol deployments, in
accordance with national law;
(b) allow Europol deployments to be present during the execution of investigative
measures, in accordance with national law;
(c) facilitate the mobilisation of specialised expertise, including analytical, digital
forensic, IT and system-integration expertise;
(d) take the necessary measures, in accordance with national law, to ensure that the
outputs produced through the operational support provided by Europol
deployments may be used as evidence in national investigative and judicial
proceedings, including by ensuring such outputs are generated, documented
and transmitted in a manner compatible with the requirements of national law.
7. The Executive Director may propose to the competent authorities of a Member State,
via the Europol support office, a Europol deployment where he or she considers that
such deployment would provide added value in preventing or combating forms of
crime falling within the scope of Europol’s competence.
8. Where a third country, with whom Europol has established cooperative relations
pursuant to this Regulation or Regulation (EU) 2018/1725, requests Europol
deployments on its territory pursuant to this Article, the requirements and the
procedure set out in paragraphs 2, 3 and 4 of this Article shall apply, in accordance
with the implementing rules referred to in paragraph 9 of this Article.
9. Upon a proposal from the Executive Director, the Management Board shall adopt
implementing rules on the preparation and implementation of Europol deployments.
EN 69 EN
Article 23
Europol support to EMPACT
1. For the purpose of supporting Member States in further strengthening the EMPACT
as a coherent framework to prevent and combat the threats posed by criminal
networks at Union level, Europol shall provide administrative, logistical, financial
and operational support to operational and strategic activities carried out by Member
States and third countries, including related exchange of information, as well as to
third countries participating in such activities.
In that regard, Europol shall complement the coordination functions carried out at
national level by Europol national units.
2. For the purposes of paragraph 1, Europol, through the EMPACT Support Team,
shall, in particular:
(a) support the development and implementation of biennial operational action
plans, including by assisting in the definition of operational priorities,
targets and deliverables;
(b) facilitate the meetings of the National EMPACT Coordinators;
(c) support the preparation and management of operational action plans;
(d) support the involvement of third countries in EMPACT, notably EU
candidate countries and potential candidates.
3. In carrying out the support referred to in paragraph 2, Europol shall, through the
EMPACT Support Team, cooperate closely with Europol national units, the National
EMPACT Coordinators, and with other relevant Union bodies, offices and agencies
involved in EMPACT, and, where appropriate, with third countries and other
partners in accordance with this Regulation.
Article 24
Use of operational and technical pools
1. Europol shall establish and maintain specialised operational and technical pools
composed of experts designated by the Member States in order to ensure the
availability of highly specialised expertise necessary for the fulfilment of Europol’s
tasks and to support Member States.
2. Member States shall designate experts for inclusion in the specialised operational and
technical pools referred to in paragraph 1, in accordance with the profiles and
participation requirements determined by the Management Board, in order to ensure
the availability of specialised expertise. The designation of an expert to a pool shall
not affect the employment relationship between that expert and the competent
authority of the Member State concerned.
3. Experts participating in the pools may, with the agreement of the competent authority
of the Member State concerned, be seconded to Europol.
4. Europol may provide financial support to Member States in connection with the
training and secondment of experts participating in the pools.
5. Upon a proposal from the Executive Director, the Management Board shall adopt
implementing rules on the operation of the pools, including the modalities for the
EN 70 EN
secondment of experts, the organisation of training, and the provision of financial
support referred to in paragraph 4.
SECTION 4
NATIONAL STRUCTURES FOR OPERATIONAL COOPERATION
Article 25
Europol national units
1. The Member States and Europol shall cooperate with each other in the fulfilment of
their respective tasks set out in this Regulation.
2. Each Member State shall establish or designate a Europol national unit.
The Europol national unit shall be the liaison body and central coordination point
between Europol and the competent authorities of the Member State. Each Member
State shall ensure its Europol national unit is able to fulfil the tasks assigned to it
under this Regulation and, in particular, that it has access to national law
enforcement data and other relevant data necessary for cooperation with Europol.
3. Europol national units shall ensure the strategic coordination at national level of the
competent authorities of the Member States whose activities fall within the scope of
Europol’s competence, for the purposes of cooperation with Europol.
For that purpose, the Europol national units shall, in particular:
(a) identify, consolidate and communicate to Europol the operational priorities and
capability needs of the competent authorities of the Member State, including in
the context of the Framework referred to in Article 57;
(b) coordinate national contributions to Europol’s strategic and analytical
activities;
(c) support the alignment of national priorities with Union priorities for preventing
and combating the forms of crime falling within the scope of Europol’s
competence.
4. The heads of the Europol national units shall meet on a regular basis to coordinate
strategic priorities for cooperation with Europol and to identify common operational
priorities and capability needs.
5. Europol national units shall facilitate the information exchange between Europol and
the competent authorities of their Member States. For that purpose, Europol national
units shall:
(a) receive from Europol any information exchanged in the course of direct
contacts between Europol and the competent authorities of their Member
States, unless the Europol national unit indicates that it does not need to receive
such information;
(b) have access to national law enforcement data and other relevant data necessary
for cooperation with Europol;
(c) contribute to the fulfilment of tasks assigned to the competent authorities of the
Member States in relation to their obligations on information exchange with
Europol, in accordance with Chapter III.
EN 71 EN
6. The Europol national unit shall ensure the appropriate uptake by Member States of
Europol’s operational support, including by facilitating the integration of Europol
support and tools in national investigations and the participation of the competent
authorities of the Member State in operational activities coordinated, organised or
supported by Europol, including operational task forces and Europol deployments.
For the purposes referred to in the first subparagraph, the Europol national unit shall
include a Europol support office, established in accordance with Article 26.
7. Europol national units shall ensure the coordination at national level of activities
carried out in the framework of the EMPACT, including by supporting the EMPACT
National Coordinator in the planning and implementation of EMPACT activities and
facilitating the involvement of competent authorities of the Member State.
For the purposes referred to in the first subparagraph, the Europol national unit shall
include an EMPACT support team.
Each Member State setting up or participating in an EMPACT operational action
supported by Europol shall, whenever feasible, use SIENA to provide all relevant
information without delay to Europol and to other Member States.
8. The costs incurred by Europol national units in communications with Europol shall
be borne by the Member States and, with the exception of the costs of connection,
shall not be charged to Europol.
Europol shall support the functioning and capacity of Europol national units,
including their support functions.
Such support shall include financial contributions to Europol national units, provided
for in accordance with the rules adopted pursuant to Article 124.
Article 26
Europol support offices
1. Member States shall establish a Europol support office within the Europol national
unit to ensure appropriate uptake by Member States of Europol’s support.
2. Europol support offices shall, as appropriate:
(a) facilitate the use and integration of Europol’s operational support, analytical
products and expertise by the competent authorities of the Member State;
(b) support the preparation, conduct and follow-up of operational activities
supported by Europol, including operational task forces and Europol
deployments;
(c) facilitate the mobilisation of specialised capabilities for investigations at
national level.
3. Europol support offices shall be composed of seconded Europol staff with prior
experience in the competent authorities of the Member State in which the Europol
support office is established. That staff shall operate under the responsibility of
Europol and the Member State where the Europol support office is established, in
accordance with the implementing rules referred to in paragraph 4.
4. Upon a proposal from the Executive Director, the Management Board shall adopt
implementing rules governing the establishment, organisation and functioning of
Europol support offices, including the minimum requirements to be fulfilled by
EN 72 EN
Europol staff seconded to such offices, the arrangements governing their secondment
and the allocation of responsibilities between Europol and the Member State in
which the Europol support office is established.
Article 27
Liaison officers
1. Each Europol national unit shall designate at least one liaison officer to be attached
to Europol.
Except as otherwise laid down in this Regulation, the liaison officers shall be subject
to the national law of the designating Member State.
2. Liaison officers shall constitute the national liaison bureaux at Europol and shall be
instructed by their Europol national units to represent the interests of the Member
State they represent within Europol in accordance with the national law of the
designating Member State and the provisions applicable to the administration of
Europol.
3. Liaison officers shall support the effective integration of Europol’s support into
national operational activities.
For that purpose, liaison officers shall, in coordination with Europol, contribute to
the delivery of support tailored to the operational needs and requirements of their
Member State.
4. Liaison officers shall assist in the exchange of information between Europol and the
Member States.
5. Liaison officers shall, in accordance with the national law, assist in the exchange of
information between Member States and the liaison officers of other Member States,
third countries and international organisations.
Europol's infrastructure may be used, in accordance with national law, for such
bilateral exchanges also to cover forms of crime falling outside the scope of
Europol’s competence. All such exchanges of information shall be in accordance
with applicable Union and national law.
6. Through the exchange of information referred to in paragraph 5, liaison officers shall
support the identification of operational links and the coordination of cross-border
operational and investigative responses, in close cooperation with the Operational
and Analysis Service.
7. The Management Board shall determine the rights and obligations of liaison officers
in relation to Europol. Liaison officers shall enjoy the privileges and immunities
necessary for the performance of their tasks in accordance with Article 125(2).
8. Europol shall ensure that liaison officers are fully informed of and associated with all
of its activities, in so far as necessary for the performance of their tasks.
9. Europol shall cover the costs of providing Member States with the necessary
premises within the Europol’s headquarters and adequate support for liaison officers
to perform their duties. All other costs that arise in connection with the designation
of liaison officers shall be borne by the designating Member State, including the
costs of equipment for liaison officers.
EN 73 EN
Chapter III
Information management
SECTION 1
HORIZONTAL RULES ON DATA PROCESSING
Article 28
Sources of information
1. Europol shall only process information that has been provided to it:
(a) by Member States in accordance with their national law and Article 29;
(b) by Union institutions, bodies, missions, offices and agencies, third countries
and international organisations;
(c) by private parties and natural persons.
2. Europol may directly retrieve and process information, including personal data, from
publicly available sources, including the internet and public data.
3. In so far as Europol is entitled under Union, international or national legal
instruments to gain access to data from Union, international or national information
systems, it may retrieve and process information, including personal data, by such
means if and to the extent that is necessary for the performance of its tasks. The
applicable provisions of such Union, international or national legal instruments shall
govern access to, and the use of, that information by Europol, in so far as they
provide for stricter rules on access and use than those laid down by this Regulation.
Access to such information systems shall be granted only to duly authorised staff and
only in so far as this is necessary and proportionate for the performance of their
tasks.
Article 29
Provision of information by Member States
1. Member States shall provide Europol in a timely manner with the information
necessary for it to carry out its tasks.
2. Member States shall ensure the effective participation of the competent authorities of
the Member States in the information exchange and operational data management
frameworks established under this Regulation and shall, where appropriate, enable
the structured, automated and interoperable provision of information to Europol in
accordance with applicable Union and national law.
3. Immigration liaison officers designated by competent authorities of the Member
States shall provide Europol with relevant information through the information
exchange frameworks established under this Regulation, using SIENA. Where this is
not possible due to legal, organisational or technical reasons, Member States shall
ensure that the relevant information is transmitted to Europol through other secure
channels by the competent authorities of the Member States concerned.
4. In accordance with Article 107, the Europol national unit and the competent
authorities of the Member State concerned shall be responsible for ensuring
EN 74 EN
compliance with national law when providing information to Europol, and for
ensuring, to the extent possible, the completeness, accuracy and timeliness of such
information.
5. Without affecting the discharge by Member States of their responsibilities with
regard to the maintenance of law and order and the safeguarding of internal security,
Member States may refuse to supply information based on one or more of the
following grounds:
(a) the supply of information is contrary to the essential interests of the security of
the Member State concerned;
(b) the supply of information jeopardises the success of an ongoing investigation
or the safety of an individual;
(c) the supply of information would disclose information relating to organisations
or specific intelligence activities in the field of national security.
Member States shall supply information as soon as the grounds referred to in the first
subparagraph, points (a), (b) or (c), cease to exist.
6. Europol shall produce an annual assessment of the information provided by Member
States under this Article on the basis of quantitative and qualitative criteria defined
by the Management Board. The assessment shall be transmitted to the European
Parliament, the Council, the Commission and national parliaments.
Article 30
Europol’s role in relation to the Schengen Information System
1. Europol shall, through the SIRENE Office, ensure the exchange and availability of
supplementary information, in accordance with Regulations (EU) 2018/186067, (EU)
2018/186168 and (EU) 2018/186269 of the European Parliament and the Council.
2. Europol shall support Member States, upon request of the alert issuing Member
State, by facilitating the crosschecking and analysis of alert data and supplementary
information against information stored at Europol, in particular to locate the persons
subject to an alert.
3. Europol shall, upon request, forward to Member States information it receives in
accordance with Article 35(8) of Regulation (EU) 2018/1861 and in accordance with
Article 48(8) of Regulation (EU) 2018/1862 by the exchange of supplementary
67 Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on
the use of the Schengen Information System for the return of illegally staying third-country nationals
(OJ L 312, 7.12.2018, p. 1, ELI: http://data.europa.eu/eli/reg/2018/1860/oj). 68 Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on
the establishment, operation and use of the Schengen Information System (SIS) in the field of border
checks, and amending the Convention implementing the Schengen Agreement, and amending and
repealing Regulation (EC) No 1987/2006 (OJ L 312, 7.12.2018, p. 14,
ELI: http://data.europa.eu/eli/reg/2018/1861/oj). 69 Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on
the establishment, operation and use of the Schengen Information System (SIS) in the field of police
cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision
2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the
Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, p. 56,
ELI: http://data.europa.eu/eli/reg/2018/1862/oj).
EN 75 EN
information, subject to restrictions for processing the information as indicated by the
alert issuing Member State.
4. Europol shall support Member States in processing data provided by third countries
or international organisations to Europol on persons involved in terrorism or in
serious crime.
For such data, Europol shall propose to Member States that information alerts on
third-country nationals in the interest of the Union (‘information alerts’) be entered
into the Schengen Information System (SIS), in accordance with Article 37a
Regulation (EU) 2018/1862.
5. Member States shall inform Europol of any information alerts entered in SIS and of
any hit on such information alerts, and may inform, through Europol, the third
country or international organisation that provided the data leading to the entry of the
information alert on hits on such information alert, in accordance with the procedure
set out in Regulation (EU) 2018/1862.
Europol may transmit to the Member States concerned information relating to hits
for the purposes of operational coordination, cross-checking and investigative
support, in accordance with Chapter III of this Regulation.
Article 31
Europol’s role in relation to the Visa information system and the European travel
information and authorisation system
1. Europol shall take all appropriate measures to enable the VIS designated authorities,
for the purposes of Regulation (EC) No 767/2008 of the European Parliament and of
the Council70, to have indirect access on the basis of a hit/no-hit system to data
provided for the purposes of Article 32(2), point (a) of this Regulation, without
affecting any restriction indicated by the provider of the information in accordance
with Article 33(2).
2. In the case of a hit pursuant to paragraph 1, Europol shall initiate the procedure by
which the information that generated the hit may be shared, in accordance with the
decision of the provider of the information to Europol, and only to the extent that the
data generating the hit are necessary for the performance of the VIS designated
authorities’ tasks related to the Visa Information System.
3. Europol shall manage the ETIAS watchlist in accordance with Articles 34 and 35 of
Regulation (EU) 2018/1240 of the European Parliament and of the Council71.
4. Europol may enter data into the ETIAS watchlist related to terrorist offences or other
serious criminal offences obtained by Europol, without prejudice to the conditions
regulating Europol’s international cooperation.
5. Europol shall provide a reasoned opinion following a consultation request referred to
in:
70 Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning
the Visa Information System (VIS) and the exchange of data between Member States on short-stay
visas (VIS Regulation) (OJ L 218, 13.8.2008, p. 60, ELI: http://data.europa.eu/eli/reg/2008/767/oj). 71 Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning
the Visa Information System (VIS) and the exchange of data between Member States on short-stay
visas (VIS Regulation) (OJ L 218, 13.8.2008, p. 60, ELI: http://data.europa.eu/eli/reg/2008/767/oj).
EN 76 EN
(a) Article 29 of Regulation (EU) 2018/1240;
(b) Article 9e(4) of Regulation (EC) No 767/2008;
(c) Article 9g(4) of Regulation (EC) No 767/2008;
(d) Article 22b(14) and (16) of Regulation (EC) No 767/2008.
For the purposes of point (a), Europol may issue a reasoned positive or negative
opinion. Europol shall transmit, via SIENA, a report supporting that opinion to the
Europol national unit of the Member State responsible for the ETIAS application file.
The Europol National Unit shall make that report available to the ETIAS National
Unit concerned for the purposes of its assessment and decision-making under
Regulation (EU) 2018/1240.
6. For the purpose of carrying out the task referred to in paragraph 3, Europol’s
Management Board shall, after consulting the European Data Protection Supervisor,
adopt the procedures referred to in Article 35 of Regulation (EU) 2018/1240.
7. Europol shall take all appropriate measures to enable the European Border and Coast
Guard Agency, within its mandate and for the purposes of Regulation (EU)
2018/1240, to have indirect access on the basis of a hit/no-hit system to data
provided for the purposes of Article 32(2), point (a) of this Regulation, without
affecting any restriction indicated by the provider of the information in question in
accordance with Article 33(2) of this Regulation.
8. In the case of a hit, Europol shall initiate the procedure by which the information that
generated the hit may be shared, in accordance with the decision of the provider of
the information to Europol, and only to the extent that the data generating the hit are
necessary for the performance of the European Border and Coast Guard Agency’s
tasks related to ETIAS. Paragraphs 2 to 6 of this Article shall apply accordingly.
Article 32
Purposes of information processing activities
1. In so far as is necessary for fulfilling its tasks, Europol may process information,
including personal data.
2. Personal data may be processed only for the purposes of:
(a) cross-checking aimed at identifying connections or other relevant links with
information related to a criminal offence in respect of which Europol is
competent;
(b) analyses of a strategic or thematic nature;
(c) operational analyses;
(d) facilitating the exchange of information between Member States, Europol,
other Union institutions, bodies, missions, offices and agencies, third countries,
international organisations and private parties;
(e) relevant research and innovation projects carried out under the Union
Framework Programme for Research and Innovation;
(f) supporting Member States, upon their request, in informing the public about
suspects or convicted individuals who are wanted on the basis of a national
judicial decision relating to a crime that falls within the scope of Europol’s
EN 77 EN
competence, and facilitating the provision by the public of information on
those individuals to the Member States and Europol;
(g) distinguishing between the operational data that relate to the different
categories of data subjects listed in Annex II of this Regulation, in accordance
with Article 73 of Regulation (EU) 2018/1725.
3. Processing for the purpose of operational analyses as referred to in paragraph 2, point
(c), shall be performed by means of operational analysis projects, in respect of which
the following specific data protection safeguards shall apply:
(a) for every operational analysis project, the Executive Director shall define the
specific purpose, categories of personal data and categories of data subjects,
participants, duration of storage and conditions for access, transmission or
transfer and use of the data concerned, and shall inform the Management Board
and the European Data Protection Supervisor (EDPS) thereof;
(b) personal data may only be collected and processed for the purpose of the
specified operational analysis project and stored in the Europol Analytical
Environment referred to in Article 40, whereas it becomes apparent that
personal data may be relevant for another operational analysis project, further
processing of that personal data shall only be permitted insofar as such further
processing is necessary and proportionate and the personal data are compatible
with the conditions set out in point (a) of this paragraph that apply to the other
analysis project;
(c) only authorised staff may access and process the data of the relevant project.
4. Where necessary to achieve the objectives of the research and innovation projects
carried out by Europol, the processing of personal data for that purpose shall be in
accordance with Article 102.
5. The processing referred to in paragraphs 2 and 3 shall be carried out in compliance
with the data protection safeguards provided for in Regulation (EU) 2018/1725 and
in this Regulation. Europol shall duly document those processing operations. The
documentation shall be made available, upon request, to the Data Protection Officer
and to the EDPS for the purpose of verifying the lawfulness of the processing
operations.
6. In accordance with Article 73 of Regulation (EU) 2018/1725, Europol shall, where
applicable and as far as possible, make a clear distinction between the personal data
that relate to the different categories of data subjects listed in Annex II.
7. Europol may only process personal data outside of the categories of data subjects
listed in Annex II where such processing is relevant and necessary for the purposes
set out in paragraph 2. Such personal data shall be immediately deleted once the
purpose of processing is fulfilled.
8. Where it is not possible to clearly distinguish between the personal data that relate to
the different categories of data subjects listed in Annex II, or where Europol has to
process personal data outside of the categories of data subjects listed in Annex II,
Europol shall inform its Data Protection Officer.
9. Personal data that do not relate to the categories of data subjects listed in Annex II
shall be kept functionally separate from other data where applicable and as far as
possible, and shall in any case only be processed where necessary and proportionate
for the purposes of paragraphs 2.
EN 78 EN
10. Europol may temporarily process data for the purpose of determining whether the
processing of such data is relevant and necessary for Europol to fulfil to its tasks.
The time limit for the processing of such data shall not exceed six months from the
receipt of those data.
11. The Management Board, after consulting the EDPS, shall, as appropriate, adopt
guidelines further specifying procedures for the processing of information for the
purposes listed in paragraph 2 of this Article in accordance with Article 72(2), point
(t).
Article 33
Determination of the purpose of, and restrictions on, the processing of information by
Europol
1. A Member State, a Union institution, body, mission, office or agency, a third country
or an international organisation that provides information to Europol shall determine
the purpose or purposes for which that information is to be processed, in accordance
with Article 32.
Where a provider of information referred to in the first subparagraph has not
complied with that subparagraph, Europol, in agreement with the provider of the
information concerned, shall process the information to determine the relevance of
such information and the purpose or purposes for which it is to be further processed.
Europol shall process information for a purpose different from that for which
information has been provided only where authorised to do so by the provider of the
information.
Information provided for the purposes referred to in Article 32(2), points (a) to (d),
may also be processed by Europol, in accordance with Article 102, for the purpose of
Article 32(2), point (e).
2. Member States, Union institutions, bodies, missions, offices and agencies, third
countries and international organisations may indicate, at the moment of providing
information to Europol, any access restriction, in general or specific terms, including
as regards its use, transfer, transmission, erasure or destruction. Where the need for
such restrictions becomes apparent after the information has been provided, they
shall inform Europol accordingly. Europol shall comply with such restrictions.
3. In duly justified cases Europol may assign access restrictions by Member States,
Union institutions, bodies, missions, offices and agencies, third countries and
international organisations of information retrieved from publicly available sources.
Article 34
Duty to notify Member States
1. Europol shall notify a Member State without delay of any information concerning it.
If such information is subject to access restrictions pursuant to Article 33(2) that
would prohibit its being shared, Europol shall consult with the provider of the
information stipulating the access restriction and seek its authorisation for sharing.
In such a case, the information shall not be shared without an explicit authorisation
by the provider.
EN 79 EN
2. Irrespective of any access restrictions, Europol shall notify a Member State of any
information concerning it where that is necessary in the interest of preventing an
imminent threat to life.
In such a case, Europol shall at the same time notify the provider of the information
about the sharing of the information and justify its analysis of the situation.
SECTION 2
EUROPOL SERVICES AND TOOLS
Article 35
Europol data environment
1. Europol shall develop and maintain the necessary services and tools enabling it to
perform its tasks under this Regulation, and in particular to process information in
accordance with Section 1 of this Chapter.
2. Europol services and tools shall consist of interoperable technical components,
infrastructures and functionalities enabling Europol to perform its tasks under this
Regulation.
3. Europol shall develop, in particular:
(a) a cross-checking service, for the purposes of Article 32(2), point (a);
(b) an IT environment for the purposes of Article 32(2);
(c) SIENA, as the secure information exchange tool for the purposes of Article
32(2), point (d);
(d) a shared data space for joint operational analysis as referred to in Article 42;
(e) a platform to facilitate cooperation and exchange of information with private
parties as referred to in Article 47.
Article 36
Europol cross-checking service
1. Europol’s cross-checking service shall be composed of:
(a) an infrastructure for the storage of information;
(b) a search interface, enabling to query and retrieve any relevant information;
(c) an interface, enabling to upload, update or delete information;
(d) a secure communication infrastructure between the cross-checking service and
Member States, and the Union bodies, offices and agencies that are entitled to
use the service;
(e) a secure communication infrastructure between the cross-checking service and
the European Search Portal established by Article 6(2), point (c), of Regulation
(EU) 2019/818.
(f) Europol shall ensure the operational management, security, availability and
integrity of the cross-checking service.
2. Member States shall ensure that the case management systems of their single points
of contact, of their Europol national units and of the competent authorities of the
EN 80 EN
Member State are technically connected and interoperable with the Europol cross-
checking service.
3. The Commission shall adopt implementing acts laying down the procedures for
defining the technical connection between national case management systems and
the cross-checking service and the technical connection between that service and
other Europol services and tools. Those implementing acts shall be adopted in
accordance with the examination procedure referred to in Article 138(2).
4. Europol shall, when developing and operating the Europol cross-checking service
and where appropriate, make use of existing technological components and
infrastructures developed and managed by the European Union Agency for the
Operational Management of Large-Scale IT Systems in the Area of Freedom,
Security and Justice (eu-LISA).
Europol shall seek synergies in the design and technical architecture of the cross-
checking service, including through the re-use of shared services, communication
infrastructures and software components, where that is technically feasible and does
not affect the specific purpose, governance or data protection requirements of the
cross-checking service as set out in this Regulation and in Regulation (EU)
2018/1726.
For the purposes of biometric matching, Europol shall, where technically feasible, re-
use and adapt the technology underpinning the Shared Biometric Matching Service
(sBMS), established in Article 12 of Regulation (EU) 2019/818, developed by eu-
LISA.
Article 37
Content of the Europol cross-checking service data
1. The Europol cross-checking service shall only contain data relating to:
(a) persons who, in accordance with the national law of the Member State
concerned, are suspected of having committed or having taken part in a
criminal offence in respect of which Europol is competent or who have been
convicted of such an offence;
(b) persons regarding whom there are factual indications or reasonable grounds
under the national law of the Member State concerned to believe that they will
commit criminal offences in respect of which Europol is competent;
(c) identifiable objects used in or linked to criminal offences, including
documents, vehicles, weapons and other relevant items.
2. Data relating to the persons or objects referred to in paragraph 1 may include:
(a) identity data, including biographical data and biometric data;
(b) criminal intelligence data;
(c) operational data, including data on criminal activities, investigations and
connections between cases;
(d) reference data, including national case identifiers and police records references;
(e) data relating to objects used in or linked to criminal offences, including
documents, vehicles, weapons and other relevant items.
EN 81 EN
3. In accordance with this Regulation, the Europol cross-checking service may contain
data uploaded by the following entities:
(a) Europol national units established or designated pursuant to Article 25(2);
(b) the competent authorities of the Member States;
(c) Europol, including data provided by third countries, Union institutions, bodies,
offices and agencies, private parties and international organisations.
4. The Commission shall adopt implementing acts laying down the technical
procedures for the storage of data, including data formats, data quality requirements
and rules for cross-checking.
Those implementing acts shall be adopted in accordance with the examination
procedure referred to in Article 138(2).
Article 38
Uploading data to Europol cross-checking service
1. Member States shall ensure that their Europol national units and the competent
authorities of the Member State, systematically and without undue delay, upload into
the Europol cross-checking service any data that:
(a) relates to forms of crime falling within the scope of Europol’s competence;
(b) is relevant for cross-border cooperation or where there are factual indications
of a possible link to other Member States or third countries.
2. By way of derogation from paragraph 1, competent authorities of the Member States
may refrain from uploading data into the Europol cross-checking service on the
grounds referred to in Article 29(5).
3. Member States shall ensure that Europol national units and competent authorities of
the Member States are equipped with automated technical means (‘data loaders’)
enabling to systematically upload data from their national case management systems
to the Europol cross-checking service in accordance with paragraph 1.
4. Europol shall upload, systematically and without undue delay, data to the Europol
cross-checking service that fulfil the conditions set out in paragraph 1.
5. Member States and Europol shall ensure that data uploaded into Europol cross-
checking service is accurate, up to date and complete, and shall update or delete it
where necessary.
6. The Europol cross-checking service shall automatically cross-check any newly
uploaded data against data already stored in the service, to identify links between:
(a) persons;
(b) objects;
(c) criminal activities;
(d) investigations conducted in one or more Member States or with third countries.
7. Upon obtaining a positive result from the cross-checking referred to in paragraph 6,
the Europol cross-checking service shall generate an alert and notify the relevant
entity in accordance with Article 34.
EN 82 EN
8. The Commission shall adopt implementing acts laying down the technical
procedures for the upload of data, including on data formats, and the automated
uploading and cross-checking procedures. Those implementing acts shall be adopted
in accordance with the examination procedure referred to in Article 138(2).
Article 39
Querying of and access to Europol cross-checking service data
1. Member States shall be able to query and have access to all information stored in the
Europol cross-checking service, in accordance with this Regulation.
2. The Europol cross-checking service shall enable the querying by the Europol
national units and the competent authorities of the Member States of the information
stored by means of:
(a) alphanumeric data;
(b) biometric data;
(c) multimedia data.
3. Competent authorities of the Member States shall systematically query the Europol
cross-checking service with the relevant information:
(a) when conducting investigations into forms of crime falling within the scope of
Europol’s competence;
(b) where there are reasonable grounds to consider that the case has a cross-border
or international dimension.
4. Europol shall not have access to the content of the query carried out by the
competent authorities of the Member States nor to the results of the query.
5. Europol shall query the Europol cross-checking service to carry out its tasks set out
in this Regulation.
6. The Europol cross-checking service may be queried where provided for by other
legislative acts of the Union.
7. The result of the query shall include any relevant data stored in the Europol cross-
checking service to which the querying entity pursuant to paragraphs 2 and 4 of this
Article has access in accordance with any restriction indicated pursuant to Article
33(2).
8. The Commission shall adopt implementing acts laying down the technical
procedures for the querying of data, including on data formats. Those implementing
acts shall be adopted in accordance with the examination procedure referred to in
Article 138(2).
Article 40
The Europol Analytical Environment
1. Europol shall develop and maintain the technical and operational environment for the
storage, processing, cross-checking, visualisation and analysis of data, including in
support of criminal investigations and operational coordination (Europol Analytical
Environment).
EN 83 EN
2. Europol Analytical Environment shall comprise analytical workspaces, case
management functionalities, collaborative tools, data processing services and other
capabilities necessary to support Europol’s analytical activities and cooperation with
Member States and other authorised partners and to respond to operational, technical
or analytical needs identified in the context of its activities.
3. The Europol Analytical Environment shall provide for logically separated analysis
projects for storing and processing data for distinct analytical purposes, as referred to
in Article 32(3).
4. Europol shall ensure the operational management, security, availability and integrity
of the Europol Analytical Environment.
Article 41
Query of and access to Europol Analytical Environment data
1. The Europol Analytical Environment shall enable the querying by the Europol
national units and the competent authorities of the Member States of the data stored
to find connections with existing cases by means of:
(a) alphanumeric data;
(b) biometric data;
(c) multimedia data.
2. Europol shall query the Europol Analytical Environment to carry out its tasks,
including biometric data for the purpose of uniquely identifying a natural person.
3. Europol national units and competent authorities of the Member States, including in
the context of a JOAC, querying the Europol Analytical Environment shall only have
indirect access to the results of such query, on a hit / no-hit basis. In the case of a hit,
Europol shall initiate the procedure by which the information that generated the hit
may be shared with the querying entity, in accordance with Article 34.
4. Union information systems may also query the Europol Analytical Environment
where provided for by other legislative act of the Union.
(a) alphanumeric data;
(b) biometric data;
(c) multimedia data.
5. Europol shall query the Europol Analytical Environment to carry out its tasks,
including biometric data for the purpose of uniquely identifying a natural person.
6. Europol national units and competent authorities of the Member States, including in
the context of a JOAC, querying the Europol Analytical Environment shall only have
indirect access to the results of such query, on a hit / no-hit basis. In the case of a hit,
Europol shall initiate the procedure by which the information that generated the hit
may be shared with the querying entity, in accordance with Article 34.
7. Any restriction on access to, use or storage of data in the Europol Analytical
Environment shall comply with this Regulation, in particular Articles 33 and 101.
Article 42
Police Shared Data Space establishment
EN 84 EN
1. Europol shall develop and maintain a service which enables Europol national units
and competent authorities of the Member States to open JOACs (‘Police Shared Data
Space’).
2. The Police Shared Data Space shall be based on the Europol cloud infrastructure
referred to in Article 50.
3. The Police Shared Data Space shall, to the extent technically possible, share and re-
use the hardware and software components of the Europol Analytical Environment
referred to in Article 40.
4. The Police Shared Data Space shall make available the tools, functionalities and
modules of that environment, including analytical, data processing and data
integration functionalities, to the extent necessary for the conduct of joint operational
analysis within JOACs.
5. The Commission shall adopt implementing acts laying down the procedures for
defining the necessary functionalities of the Police Shared Data Space and the
modalities for ensuring interoperability and availability of the tools and those
functionalities. Those implementing acts shall be adopted in accordance with the
examination procedure referred to in Article 138(2).
Article 43
Creation of a Joint Operational Analysis Case
1. Europol national units and competent authorities of the Member States may decide to
open a JOAC for carrying out joint operational analysis.
2. The Member State opening the JOAC shall indicate:
(a) the Member State(s) invited to participate to the JOAC and have access to the
relevant data uploaded in the JOAC;
(b) the third country that may participate to the JOAC and have access to the
relevant data uploaded in the JOAC;
(c) the reasons for involving Centre(s), Member States or third countries into the
JOAC.
3. Europol shall have access to the JOAC and, where appropriate, provide analytical
support and expertise to the Member States concerned in relation to the JOAC.
4. The participating Member States shall designate representatives of the respective
competent authorities of the Member States which will participate to the JOAC and
have access to the data processed therein.
5. When the Member State(s) opening the JOAC proposes that a third country should
be part of the JOAC, Europol shall be responsible to enable the participation and to
give access to the relevant data stored in the Police Shared Data Space to the third
country, where the following conditions are met:
(a) Europol considers it relevant for the third country to participate in the JOAC,
including based on the information provided by the Member States opening a
JOAC pursuant to point (c) of paragraph 2;
(b) an agreement enabling the third country to exchange personal data with
Europol is in force.
EN 85 EN
6. The third country authorised to participate to the JOAC shall appoint its participating
representatives.
7. Europol shall appoint one or more of its representatives to participate in a JOAC and
have access to the information uploaded therein.
Article 44
Europol proposal for the establishment of a Joint Operational Analysis Case
1. Based on the analysis of information and data available to it, Europol may propose to
one or more Member States the opening of a JOAC, where it considers that
coordinated operational analysis could provide added value in the joint operational
analysis of a crime falling within the scope of Europol’s competence.
2. Any proposal made pursuant to paragraph 1 shall be non-binding and shall not affect
the discretion of the Member States concerned to decide whether to open a JOAC in
accordance with Article 43.
3. For the purposes of paragraph 1, Europol may identify and flag relevant information
within the Europol Analytical Environment that should be uploaded in the JOAC.
Article 45
Use of a Joint Operational Analysis Case
1. The participants to a JOAC may carry out the following activities within the Police
Shared Data Space:
(a) process information uploaded by the entities opening the JOAC or by any other
participating entity;
(b) upload new data which is deemed relevant for analysis as part of the JOAC, in
accordance with Article 33;
(c) securely communicate and exchange information within the JOAC with other
participants, either by chat, video or with other relevant tools supported by the
Europol Analytical Environment;
(d) jointly visualise or edit any documents or reports relevant for the JOAC.
2. Europol and the participating Member States shall ensure that the personal data
uploaded in a JOAC, when processed outside of the Police Shared Data Space, is
protected through technical and organisational measures in accordance with,
Regulation (EU) 2018/1725, with this Regulation and with Directive (EU) 2016/680
of the European Parliament and of the Council72.
Article 46
Secure Information Exchange Network Application
72 Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data by competent authorities for
the purposes of the prevention, investigation, detection or prosecution of criminal offences or the
execution of criminal penalties, and on the free movement of such data, and repealing Council
Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89,
ELI: http://data.europa.eu/eli/dir/2016/680/oj).
EN 86 EN
1. SIENA is established for the purpose of facilitating the exchange of information
between Member States, Europol, Union institutions, bodies, offices and agencies,
third countries and international organisations.
2. SIENA shall be composed of:
(a) a central infrastructure for the storage and processing of data;
(b) web interface(s) to exchange information;
(c) mobile application(s) to exchange information;
(d) dedicated programming interface(s) for Member States and, where appropriate,
Union institutions, bodies, offices or agencies supporting the interoperability
with their systems, including their case management systems;
(e) a secure communication infrastructure between SIENA and Member States,
and, where appropriate, the Union institutions, bodies, offices or agencies, third
countries and international organisations that are entitled to use SIENA.
3. In accordance with Article 13 of Directive (EU) 2023/977, SIENA shall be the
secure communication channel used by the single points of contact and by the
competent authorities of the Member States to send requests for information, to
provide information pursuant to such requests or to provide information on its or
their own initiative including, where applicable, to send a copy of such request or
information to Europol. For that purpose, single points of contact and competent
authorities of the Member States shall be connected to SIENA, including, where
appropriate, through mobile devices.
4. When exchanging information between themselves, SIENA shall provide for the
possibility for the single points of contact or competent authorities of the Member
States to indicate that a JOAC should be opened in accordance with Article 43.
5. SIENA shall be the default channel of communication to be used by the competent
authorities of the Member States to exchange information with Europol.
6. Europol or competent authorities of the Member States may use SIENA to exchange
information with third countries whose authorities have been connected to SIENA by
Europol, pursuant to working arrangements or international agreements concluded
with the Union.
7. The authorities of third countries referred to in paragraph 6 may also use SIENA to
exchange information with the authorities of other third countries with whom a
working arrangement or international agreement has been concluded.
8. Europol shall ensure the operational management, security, availability and integrity
of SIENA.
9. The Commission shall adopt implementing acts laying down the procedures for
defining the necessary functionalities of the secure infrastructure referred to in
paragraph 2. Those implementing acts shall be adopted in accordance with the
examination procedure referred to in Article 138(2).
Article 47
Information exchange mechanism for cooperation with private parties
EN 87 EN
1. The Europol Analytical Environment shall include an information exchange
mechanism to facilitate cooperation and exchange of information between private
parties, Europol and the Member States.
2. The information exchange mechanism shall have, in particular, the following
functions:
(a) facilitate communication between Europol, the Member States and private
parties offering services in the Union, including by facilitating reporting or
notification obligations under Regulations (EU) 2021/784 and 2022/2065;
(b) act as a crisis response platform in online crisis situations, in accordance with
Article 96 by facilitating communication between Europol, the Member States,
private parties and where applicable third countries and by enabling Europol to
provide private parties with the information necessary to identify relevant
online content, services, accounts, infrastructures or digital activities.
3. The information exchange mechanism shall as a minimum be composed of:
(a) a central infrastructure for the storage and processing of data;
(b) web interface(s);
(c) dedicated programming interface(s) for Member States supporting the
interoperability with their national systems, including their case management
systems;
(d) a secure communication infrastructure between Europol, the Member States
and private parties.
4. Europol shall establish the procedure and conditions for granting or withdrawing
secure access of private parties to the information exchange mechanism.
Article 48
European Police Record Index System
In relation to the European Police Record Index System (EPRIS), Europol shall perform the
tasks conferred on it by Regulation (EU) 2024/982.
Article 49
Development of other services and tools
The Commission may adopt implementing acts laying down additional functionalities of
existing services and tools or the necessary functionalities of additional services and tools.
Those additional functionalities or additional services and tools shall comply with the
applicable rules on processing of personal data set out in Regulation (EU) 2018/1725 and this
Regulation. Those implementing acts shall be adopted in accordance with the examination
procedure referred to in Article 138(2) of this Regulation.
EN 88 EN
SECTION 3
TECHNICAL COMPONENTS AND STANDARDISATION
Article 50
Europol cloud infrastructure
1. The Europol cloud infrastructure is established. The Europol cloud infrastructure is a
secure and scalable platform of cloud computing services enabling Europol and
competent authorities of the Member States to access Europol’s tools, collaborative
environments and other operational and analytical capabilities in accordance with
this Regulation. The Europol cloud infrastructure may also be used by other Union
institutions, bodies, offices or agencies, and third countries to access Europol’s tools,
collaborative environments and other operational and analytical capabilities in
accordance with this Regulation.
2. The Europol cloud infrastructure shall support the achievement of the purposes set
out in this Regulation in the context of criminal investigations and operational
support, including by supporting the storage, processing, analysis and exchange of
data, while ensuring strict access control, data compartmentalisation and full
compliance with Union law.
3. Europol shall establish, operate and maintain the Europol cloud infrastructure. In
establishing, operating and maintaining the Europol cloud infrastructure, Europol
shall, where appropriate and technically feasible, make use of existing technical
solutions, services and infrastructure components developed or operated by Union
institutions, bodies, offices and agencies, including eu-LISA, with a view to ensuring
efficiency, interoperability and the optimal use of Union resources.
4. Europol shall ensure that the procurement of cloud computing services complies with
applicable Union law, including requirements on the EU cloud sovereignty
framework, data security, data protection, cybersecurity and digital sovereignty.
5. Europol systems and tools processing operational data shall be made available to
authorities of the Member States from the Europol cloud infrastructure.
6. Europol shall prioritise the development of new systems and tools on the Europol
cloud infrastructure.
7. Access to and use of the Europol cloud infrastructure shall be limited to authorised
users from competent authorities of the Member States, from third countries, where
appropriate, and Europol, in accordance with their respective access rights under this
Regulation and subject to appropriate authentication mechanisms, including high-
assurance digital identity solutions in accordance with Article 51.
8. Europol shall assess the technical, operational and financial implications of making
existing systems and tools available on the Europol cloud infrastructure and submit a
reasoned report to the Commission by … [6 months after start date of application of
this Regulation].
9. The Commission shall adopt implementing acts defining the requirements relating to
security, interoperability, performance and the architecture of the Europol cloud
infrastructure. On the basis of the report referred to in paragraph 8, those
implementing acts shall also indicate the systems and tools that shall be migrated to
the Europol cloud infrastructure. Those implementing acts shall be adopted in
accordance with the examination procedure referred to in Article 138(2).
EN 89 EN
Article 51
EU Police Digital Identity
1. The EU Police Digital Identity shall constitute the set of rules for the common
identification and access management means for each authorised representatives of
competent authorities of the Member States or of Union institutions, bodies, offices
and agencies to securely access, use and interact with the Europol cloud
infrastructure and to national systems connected to the Europol cloud infrastructure.
Member States, Europol, Union institutions, bodies, offices and agencies as well as
third countries shall ensure that access to the Europol cloud infrastructure and to
national systems connected to the Europol cloud infrastructure is granted to their
respective representatives in a secure, harmonised and trusted manner, by means of
an EU Police Digital Identity.
2. In establishing the EU Police Digital Identity, Europol and the Member States shall,
where appropriate and technically feasible, make use of existing Union digital
identity solutions and standards, including those established under Regulation (EU)
No 910/2014 of the European Parliament and of the Council73, provided that they
meet the operational, security and data protection requirements laid down in this
Regulation.
3. Europol shall ensure that any operation carried out in the Europol cloud
infrastructure is logged and available for oversight purposes.
4. Member States, Europol, Union institutions, bodies, offices and agencies and third
countries shall grant differentiated access rights to services or tools hosted in the
Europol cloud infrastructure, commensurate with the roles, responsibilities and
access authorisations of the users concerned, in full respect of this Regulation.
5. The Commission shall adopt implementing acts defining the procedures for the
establishment of an EU Police Digital Identity referred to in paragraph 1. Those
implementing acts shall be adopted in accordance with the examination procedure
referred to in Article 138(2).
Article 52
Statistics and reporting tools
1. Europol shall develop, implement and maintain statistics and reporting tools for
evaluation, monitoring, analysing and reporting. Those tools shall not allow for the
identification of individuals. Those tolls shall allow the entities referred to in
paragraph 2, point (a), to obtain customisable reports and statistics.
2. The statistics and reporting tools concerning the use, performance, operational
effectiveness and interoperability of the services and tools shall collect, generate and
provide aggregated statistical information, indicators, technical logs, usage metrics
and analytical reports relating in particular to:
(a) the use of Europol services and tools by Member States, Europol, Union
institutions, bodies, offices or agencies, third countries and international
organisations in accordance with this Regulation;
73 Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on
electronic identification and trust services for electronic transactions in the internal market and
repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73,
ELI: http://data.europa.eu/eli/reg/2014/910/oj).
EN 90 EN
(b) the exchange, querying, upload, cross-checking and processing of data;
(c) information exchange activities;
(d) the performance, availability and security of the technical infrastructures;
(e) trends, patterns and operational needs relevant for the implementation of this
Regulation.
3. Europol, Member States and the Commission shall have access to statistical
information and reports generated pursuant to paragraph 2, solely for the purposes of
reporting and statistics. Access to that data repository shall be granted by means of
secured access through TESTA with control of access and specific user profiles
solely for the purpose of reporting and statistics.
4. The statistics and reporting tools shall not be used to take decisions affecting
individuals solely on the basis of automated processing and shall not be used for
operational analysis concerning identifiable persons.
5. Europol shall ensure that the generation and sharing of statistics pursuant to this
Article complies with Union law on data protection, cybersecurity and
confidentiality. Statistical information shall, where appropriate, be anonymised or
aggregated.
6. The Commission shall adopt implementing acts laying down detailed rules
concerning the technical functionalities, access rights, categories of statistics,
reporting arrangements and data protection safeguards applicable to the statistics and
reporting tools referred to in paragraph 2 of this Article. Those implementing acts
shall be adopted in accordance with the examination procedure referred to in Article
138(2).
Article 53
Universal message format
1. Europol shall support the development, implementation and operational use of the
universal message format (UMF) standard established under Article 38 of Regulation
(EU) 2019/818 for the exchange of information between Member States, eu-LISA
and other Union bodies, offices and agencies.
2. Europol shall ensure the provision of the secretariat for the governance of the UMF
and shall facilitate and steer discussions of a technical and operational nature with
Member States, eu-LISA and other relevant Union agencies.
3. In carrying out its tasks under paragraph 2, Europol shall:
(a) support the further development and updating of the UMF, including data
models, semantics and technical specifications;
(b) promote the consistent and interoperable use of the UMF across information
systems and communication channels in the area of freedom, security and
justice;
(c) assist Member States and Union bodies, offices and agencies in the
implementation and practical application of the UMF;
(d) ensure coherence with the relevant requirements of the large-scale IT systems
in the area of freedom, security and justice for which eu-LISA is responsible
EN 91 EN
for the preparation, development or operational management pursuant to Union
law.
Article 54
EU DNA matching application
1. Europol shall develop, implement and maintain an EU DNA matching application
for the purpose of enabling the secure and reliable comparison of DNA profiles in
support of Member States’ investigations of criminal offences.
2. The EU DNA matching application shall provide a technical capability allowing for
the automated comparison of DNA profiles in accordance with scientifically
established matching rules. The application shall replicate the core functionalities of
existing DNA matching systems used by Member States and shall support their
adaptation to Union legal and technical requirements, including those stemming from
Regulation (EU) 2024/982.
3. The use of the EU DNA matching application shall not affect the ownership or
control of DNA data.
4. The EU DNA matching application shall be used by the competent authorities of the
Member States, Europol and any other Union bodies, offices or agencies on a
voluntary basis. Europol shall act solely in a supporting and technical capacity.
5. Europol shall support Member States in the transition from existing DNA matching
systems to the EU DNA matching application, including by providing technical
guidance, tools and assistance to ensure continuity of operations.
6. Europol shall ensure that appropriate technical and organisational measures are in
place to guarantee a high level of security, integrity and confidentiality.
Article 55
Information and Communication Technology and Information Management Steering
Group
1. An Information and Communication Technology and Information Management
Steering Group (the ‘ICT/IM Steering Group’) is established.
2. The ICT/IM Steering Group shall be composed of one member representing each
Member State, one for the Commission, one for Europol and one for eu-LISA. The
Management Board shall appoint the members of the ICT/IM Steering Group. The
ICT/IM Steering Group shall include the chair of the ICT/IM Advisory Group
established pursuant to Article 56.
3. The Management Board shall adopt the rules of procedure of the ICT/IM Steering
Group.
4. The ICT/IM Steering Group shall be chaired by a representative of a Member State
appointed by the Management Board.
5. The ICT/IM Steering Group shall support the Management Board for decisions
related to Europol ICT and information management activities, in particular with
regard to the following:
EN 92 EN
(a) analytical capabilities;
(b) central systems;
(c) information exchange and communication tools;
(d) technical infrastructure and platforms;
(e) cybersecurity;
(f) interoperability with EU information systems and national systems and
databases.
6. The ICT/IM Steering Group shall support and monitor the strategic direction, design,
development and implementation of Europol’s information management and ICT
services, tools and components, including the financial aspects related to information
systems and information exchange mechanisms.
7. In particular, the ICT/IM Steering Group shall:
(a) contribute to the definition of Europol strategic multiannual programming of
Europol ICT and information management activities including the objectives,
the expected results over time, the performance indicators and the multiannual
resource planning per information management and ICT services, tools and
components;
(b) provide an opinion to the Management Board on Europol ICT and Information
Management annual work programmes in accordance with Article 73;
(c) provide an opinion to the Management Board on internal evaluations related to
Europol ICT and Information Management activities;
(d) ensure consistency with Member States’ operational needs and Union-wide
interoperability objectives;
(e) monitor the implementation of major ICT and information management
initiatives;
(f) provide opinions and recommendations to the Executive Director and, where
appropriate, to the Management Board.
8. The ICT/IM Steering Group shall meet regularly. It shall have no decision-making
power and shall not represent the Management Board.
9. Europol shall provide the ICT/IM Steering Group with a secretariat and
administrative support.
10. The ICT/IM Advisory Group established pursuant to Article 56 shall provide
technical expertise to support the tasks of the ICT/IM Steering Group and shall report
regularly to it.
Article 56
ICT and Information Management Advisory Group
1. An Information and Communication Technology and Information Management
Advisory Group (the ‘ICT/IM Advisory Group’) is hereby established.
2. The ICT/IM Advisory Group shall be composed of one expert designated by each
Member State, the Commission and eu-LISA for a four-year term, which may be
renewed.
EN 93 EN
3. Representatives of other relevant Union institutions, bodies, offices and agencies
may be invited to participate, where appropriate.
4. The ICT/IM Advisory Group shall be chaired by Europol.
5. The ICT/IM Advisory Group shall assist Europol and the ICT/IM Steering Group
established pursuant to Article 55 by providing technical expertise on the design,
development, implementation and operation of information systems and related
communication infrastructure and information exchange mechanisms.
6. In particular, the ICT/IM Advisory Group shall:
(a) provide technical advice on ICT architecture, data management and
interoperability;
(b) support the preparation and implementation of technical solutions for
information exchange;
(c) contribute to the identification and promotion of common technical
components, standards and best practices;
(d) support coordination between Europol, the Member States and the Commission
on technical and implementation-related matters;
(e) follow and assess the state of preparation and implementation by the Member
States, where relevant;
(f) report regularly to the Information Management Steering Group and provide it
with the technical input necessary for the performance of its tasks.
7. The ICT/IM Advisory Group shall meet regularly. It shall have no decision-making
power and shall not represent the Steering Group or the Management Board.
8. Europol shall provide the ICT/IM Advisory Group with a secretariat and
administrative support.
9. The ICT/IM Advisory Group shall adopt its rules of procedure.
Chapter IV
Technological capabilities and innovation
SECTION 1
CAPABILITY PLANNING, RESEARCH, INNOVATION AND DEVELOPMENT
Article 57
Foresight and Common Capability Development Framework
1. On the basis of strategic analyses, threat assessments, trend reports and situational
briefings referred to in Article 7, Europol shall establish a Foresight and Common
Capability Development Framework ('the Framework').
2. The Framework shall support the identification of immediate, emerging and longer-
term capability needs at Union level for preventing and combating the forms of crime
falling within the scope of Europol’s competence.
The Framework shall identify:
(a) common capability gaps, challenges and critical dependencies;
EN 94 EN
(b) key research themes and priorities for research, innovation and capability
development activities in which Europol participates or could participate;
(c) emerging developments and technologies relevant to the identified priority
capabilities;
(d) needs and opportunities for interoperability, standardisation and common
capability development at Union level.
3. On the basis of the Framework, Europol shall support Member States and the
Commission, in particular by:
(a) contributing to research, innovation, and capability development activities;
(b) supporting interoperability and standardisation processes, in cooperation with
ENISA where appropriate, including the development and promotion of
common standards, interoperability requirements, and operational and
technical specifications relevant for law enforcement cooperation;
(c) providing, where relevant in cooperation with Union institutions, bodies,
offices and agencies advice and capability development support;
(d) facilitating the pooling, sharing and joint procurement of capabilities, including
technical resources and equipment, knowledge and expertise between Member
States, including in cooperation with relevant Union institutions, bodies,
offices and agencies and through the specialised training referred to in Article
64.
4. For the purposes of establishing and updating the Framework referred to in
paragraph 1, Member States shall provide Europol, on an annual basis, with
information on national research and innovation activities, including relevant
investments, and on their participation in Union-funded and nationally funded
research and innovation projects, relevant to Europol’s competence.
5. The Framework shall form part of Europol’s multiannual programming referred to in
Article 73 and shall be adopted by the Management Board on the basis of a proposal
from Europol after consultation of the Commission.
The Framework shall be regularly reviewed and, where necessary, updated. Europol
shall report, in the annual work programmes referred to in Article 73 on the
implementation of the Framework, including on the follow-up given to the capability
needs identified therein.
Europol shall consult the Capabilities and Innovation Advisory Group established
pursuant to Article 65 in the preparation and regularly reviewing and updating of the
Framework.
Article 58
Europol's role in Union funding programmes supporting research, innovation and
capability development
1. Europol may assist the Commission in the programming of Union funding
programmes supporting research, innovation and capability development relevant to
Europol’s competences.
2. Europol may participate in activities supported under relevant Union funding
programmes for the development, uptake, deployment, scaling and integration of
EN 95 EN
innovative solutions and advanced capabilities, where such participation is necessary
for Europol to fulfil its tasks.
3. In accordance with the applicable rules, the Commission and Europol shall take all
necessary measures to avoid conflicts of interest and ensure a clear separation
between Europol’s roles referred to in paragraphs 1 and 2.
Article 59
Advanced capabilities
1. Europol shall develop, operate, host and provide advanced capabilities, including
systems, services, analytical environments, infrastructure, tools, technical
components and platforms necessary for the performance of its tasks.
2. Europol may undertake such activities on its own initiative or at the request of at
least three Member States pursuant to paragraph 3.
3. Before developing a new advanced capability pursuant to paragraph 1, Europol shall
assess:
(a) whether equivalent capabilities are already available on the market or have
been developed or acquired by Union institutions, bodies, offices and agencies
or Member States;
(b) whether reliance on suppliers outside the Union would create risks to the
Union’s security interests or technological resilience;
(c) the availability of resources, taking into account the capability development
priorities identified in the Framework referred to in Article 57.
Where Europol concludes that equivalent advanced capabilities are already available,
it shall, where appropriate, prioritise the reuse, adaptation, interoperability, scaling or
acquisition of such capabilities.
Where Europol concludes that the development of the advanced capabilities
requested by at least three Member States is necessary and feasible, it shall develop,
operate and host such capabilities.
4. The development, operation, hosting or provision of the advanced capabilities
referred to in paragraph 1 shall not affect the responsibility of the requesting Member
States for compliance with their obligations under Union and national law, including
obligations related to data protection and cybersecurity.
5. Europol shall support Member States in the development, deployment, integration
and interoperability of shared advanced capabilities, including by making available
shared infrastructure, technical services and secure technological environments.
6. The advanced capabilities referred to in paragraph 1 and the shared infrastructure,
technical services and secure technological environments referred to in paragraph 4
shall, where technically feasible, be integrated into the Police Shared Data Space
referred to in Article 42.
7. In the context of an investigation or operational activity supported by Europol,
Europol may make the advanced capabilities referred to in paragraph 1 available to a
participating third country where such use is necessary for the effective conduct of
that investigation or activity.
EN 96 EN
Article 60
Research and innovation
Europol may carry out and participate in research and innovation activities, including pilot
projects and preparatory actions, where necessary for the performance of its tasks under this
Regulation, in particular for the development of innovative solutions for advanced capabilities
intended for use by the competent authorities of the Member States.
Article 61
Testing environments and regulatory sandboxes
1. Europol may make use of the separate, isolated and protected processing
environment referred to in Article 102(2), point (c)(i), for the development,
substantial modification, testing and validation of algorithmic tools, AI systems and
models and other advanced technologies and, where relevant, for the training of such
systems.
2. Where AI systems or AI models developed or substantially modified in the context
of Europol’s research and innovation activities constitute high-risk AI systems within
the meaning of Regulation (EU) 2024/1689, Europol shall ensure that the
environment referred to in paragraph 1 complies, as applicable with the requirements
governing AI regulatory sandboxes laid down in Article 57 of that Regulation.
3. Europol may make the environment referred to in paragraph 1 available to private
parties participating in research and innovation activities carried out by Europol or in
which Europol participates, subject to appropriate technical, organisational, security
and data protection safeguards.
4. Europol may also participate in regulatory sandboxes for AI systems and models
established in accordance with Article 57 of Regulation (EU) 2024/1689 including
regulatory sandboxes established by the European Data Protection Supervisor.
Article 62
Early deployment, operational testing and validation of innovative solutions
1. Europol may support the early deployment, operational testing and validation of
innovative solutions for advanced capabilities, including commercial solutions,
taking into account the Framework referred to in Article 57.
2. Where Europol participates in research and innovation activities pursuant to Article
60, it shall assess the potential operational use of resulting innovative solutions and,
where appropriate, support their early deployment, operational testing and validation
for use by the competent authorities of the Member States.
Where Europol concludes that such support is necessary and feasible, taking into
account available resources and the Framework referred to in Article 57, it shall
provide such support in accordance with this Article.
Article 63
Uptake, deployment, scaling and integration of advanced capabilities
1. Europol shall support the uptake, deployment, scaling and integration of advanced
capabilities, in particular those resulting from the research and innovation activities
EN 97 EN
referred to in Article 60, into operational activities and investigations of competent
authorities of the Member States, in accordance with applicable Union and national
law.
2. For the purpose of paragraph 1, Europol shall cooperate closely with Member States
to facilitate the effective use and integration of advanced capabilities in national
operational environments, in particular through the Centres, Europol deployments
and Europol support offices, as appropriate.
Article 64
Specialised training
1. Europol shall support Member States in strengthening specialised expertise and
ensuring the effective deployment and use of the shared advanced capabilities
developed, hosted, operated or provided under this Regulation, including through
specialised training activities on:
(a) advanced operational, analytical, technical and forensic methods relevant to
criminal investigations;
(b) capabilities relating to emerging technologies, including artificial intelligence,
digital investigations, open-source intelligence and the decryption and
processing of data;
(c) operational methodologies relevant for cross-border law enforcement
cooperation, including crime prevention methods and investigative procedures.
2. Europol shall also provide specialised expertise and training where common
operational or capability needs identified under the Framework require coordinated
support at Union level.
3. Europol shall carry out the activities referred to in paragraphs 1 and 2 in close
cooperation with the European Union Agency for Law Enforcement Training
(CEPOL) including in relation to the specialised training activities carried out
through centres of excellence coordinated by CEPOL.
SECTION 2
COOPERATION AND COLLABORATION ON CAPABILITIES AND INNOVATION
Article 65
Capabilities and Innovation Service
1. Europol shall maintain a Capabilities and Innovation Service to coordinate Europol’s
activities in the fields of foresight, research, innovation and capability development.
2. The Capabilities and Innovation Service shall, in particular:
(a) coordinate the preparation, implementation, review and updating of the
Framework referred to in Article 57;
(b) coordinate and carry out research, innovation and capability development
activities carried out by Europol, including within the Centres, and steer the
development and evolution of Europol’s services, tools and technical
capabilities established under this Regulation;
EN 98 EN
(c) support Member States in the development, testing, validation, uptake,
deployment, scaling and integration of advanced capabilities, including by
facilitating interoperability, standardisation and their consistent use across
Member States;
(d) contribute to Union-level cooperation and coordination between Member
States, Union institutions, bodies, offices and agencies and, where appropriate,
other relevant stakeholders in the fields of research, innovation and capability
development relevant to Europol's competence.
(e) disseminate, in accordance with Article 129, the results of research, innovation
and capability development activities carried out pursuant to this Regulation.
Article 66
Collaborative arrangements for innovation and capability development
1. Europol may establish and participate in collaborative arrangements, cooperation
networks and other innovation initiatives with Union institutions, bodies, offices and
agencies, and competent authorities of the Member States.
For the purpose of the collaborative arrangements referred to in the first
subparagraph, Europol may establish and participate in innovation partnerships, pre-
commercial procurements and other innovation and capability development activities
with relevant private parties, including research organisations, academia, technology
providers, industry, small and medium-sized enterprises, start-ups and innovation
actors, subject to appropriate data protection and security safeguards and without
prejudice to applicable Union law.
2. Europol shall regularly inform and consult the Capability and Innovation Advisory
Group established pursuant to Article 67 regarding the activities carried out under
this Article.
Article 67
Capabilities and Innovation Advisory Group
1. A Capabilities and Innovation Advisory Group (the ‘Innovation Advisory Group’) is
hereby established.
2. The Innovation Advisory Group shall be composed of one expert designated by each
Member States and one expert designated by the Commission.
ENISA, ECCC, Frontex, eu-LISA and Eurojust may each appoint a representative to
the Innovation Advisory Group.
3. Europol may invite representatives of other relevant Union bodies, agencies and
offices and private parties to participate, where appropriate.
4. The Advisory Group shall assist Europol by providing technical expertise on
research, innovation and capability development activities, in particular in relation to
the preparation, review and regular updating of the Framework referred to in Article
57.
For that purpose, the Innovation Advisory Group shall:
EN 99 EN
(a) enable participants to exchange on ongoing and planned capability
development and innovation activities carried out at Union and national level
that may have a relevance for the Framework;
(b) support consistency, complementarity and coordination between research,
innovation and capability development activities carried out pursuant to this
Regulation and related national and Union-level initiatives;
(c) support structured engagement with private parties for capability development,
testing and innovation relevant to Europol’s competence.
5. The Innovation Advisory Group shall meet regularly. It shall have no decision-
making power and shall not represent the Management Board.
6. Europol shall provide secretariat and administrative support.
7. The Innovation Advisory Group shall adopt its rules of procedure.
Chapter V
Organisation of Europol
Article 68
Administrative and management structure of Europol
1. The administrative and management structure of Europol shall comprise:
(a) a Management Board;
(b) an Executive Board;
(c) an Executive Director;
(d) Deputy Executive Directors, where such positions are established;
(e) an ICT/IM Steering Group;
(f) an ICT/IM Advisory Group;
(g) an Innovation Advisory Group;
(h) where appropriate, other advisory bodies established by the Management
Board in accordance with Article 72;
(i) the Centres.
2. The members of Europol’s administrative and management structure shall not have
any financial or other interests that could affect their impartiality. They shall act in
the public interest and carry out their activities in an independent, impartial and
transparent manner. They shall make annual declarations of interests in accordance
with the internal rules adopted by the Management Board. Europol shall make those
declarations public on an annual basis.
SECTION 1
MANAGEMENT BOARD
Article 69
Composition of the Management Board
EN 100 EN
1. The Management Board shall be composed of one representative from each Member
State and two representatives of the Commission, all with a voting right.
2. The Management Board shall also include:
(a) one member designated by the European Parliament, without the right to vote.
(b) one member appointed by each of the countries associated with the
implementation, application and development of the Schengen acquis, where
provided for and in accordance with the relevant international agreement
referred to in Article 93.
3. Each member of the Management Board shall have an alternate. The alternate shall
represent the member in his or her absence.
4. The members of the Management Board and their alternates shall be appointed in
light of their knowledge of law enforcement cooperation relevant to the Europol’s
competence, taking into account their managerial, administrative and budgetary skills
and expertise. All parties represented in the Management Board shall make efforts to
limit the turnover of their representatives to ensure continuity in the work of the
Management Board. All parties shall aim to achieve a balanced representation
between men and women on the Management Board.
5. The term of office for members and their alternates shall be four years. The terms of
office shall be extendable.
Article 70
Chairperson of the Management Board
1. The Management Board shall elect a Chairperson and a Deputy Chairperson from
within the group of three Member States that have jointly prepared the Council's 18-
month programme. They shall serve for the 18-month period corresponding to that
Council programme. Where, however, the Chairperson's or the Deputy Chairperson's
membership of the Management Board ends at any time during their term of office as
Chairperson or Deputy Chairperson, their term of office shall automatically expire at
the same time.
2. The Chairperson and the Deputy Chairperson shall be elected by a majority of two-
thirds of the members with the right to vote of the Management Board.
3. The Deputy Chairperson shall automatically replace the Chairperson if he or she is
prevented from attending to his or her duties.
Article 71
Meetings of the Management Board
1. The Chairperson shall convene the meetings of the Management Board.
Meetings of the Management Board shall, in principle, be held at Europol’s
headquarters.
2. The Executive Director shall take part in the deliberations, without the right to vote.
3. The Management Board shall hold at least two ordinary meetings a year. In addition,
it shall meet on the initiative of its Chairperson, at the request of the Commission, or
at the request of at least one-third of its members.
EN 101 EN
4. Where necessary, the Management Board may hold joint meetings with the
management boards of Eurojust, Frontex and CEPOL.
5. The Management Board may invite any person whose opinion may be of interest to
attend its meeting as an observer.
6. Two representatives of the JPSG shall be invited to attend two ordinary meetings of
the Management Board per year as non-voting observers to discuss the following
matters of political interest:
(a) the consolidated annual activity report referred to in Article 72(2), point (m),
for the previous year;
(b) the single programming document referred to in Article 73 for the following
year and the annual budget;
(c) JPSG written questions and answers;
(d) external relations and partnership matters.
The Management Board, together with the representatives of the JPSG, may
determine other matters of political interest to be discussed.
7. The members of the Management Board and their alternates may, subject to its rules
of procedure, be assisted at the meetings by advisers or experts.
8. Europol shall provide the secretariat for the Management Board.
Article 72
Functions of the Management Board
1. The Management Board shall be responsible for taking the strategic decisions of
Europol and give the general orientations for Europol’s activities.
2. The Management Board shall:
(a) adopt, by a majority of two-thirds of its members with voting rights, the annual
budget of Europol and exercise other functions in respect of Europol’s budget;
(b) adopt the financial rules applicable to Europol;
(c) adopt and regularly update the communication and dissemination plans, based
on an analysis of needs;
(d) adopt its rules of procedure, including provisions concerning the tasks and the
functioning of its secretariat;
(e) exercise, in accordance with paragraph 5 and with respect to Europol staff, the
powers conferred by the Staff Regulations on the appointing authority and by
the Conditions of Employment of Other Servants on the authority empowered
to conclude a contract of employment of other servants (‘the appointing
authority powers’);
(f) adopt implementing rules giving effect to the Staff Regulations and the
Conditions of Employment of Other Servants in accordance with Article
110(2) of the Staff Regulations;
(g) appoint by a majority of two-third the Executive Director and, where
appropriate, the Deputy Executive Directors, and where relevant extend their
term of office or remove them from office;
EN 102 EN
(h) establish the organisational structure of Europol and adopt Europol’s staff
policy having regard to sound budgetary management;
(i) establish, where appropriate, advisory bodies, determine their mandate,
composition, and implementing rules;
(j) decide, on a proposal from the Executive Director and subject to the prior
approval of the Commission, on the establishment of operational, technical or
administrative functions, capacities or facilities in Member States other than
the host Member State, where necessary for the performance of Europol’s
tasks;
(k) authorise the conclusion of working arrangements;
(l) taking into account the opinion of the Commission, adopt Europol’s single
programming document by a majority of two-thirds of members entitled to
vote with voting rights.
(m) define the evaluation criteria for assessing Europol’s performance and adopt,
by a majority of two-thirds of its members with voting rights, a consolidated
annual activity report on Europol's activities and, by 1 July of the following
year, send it to the European Parliament, the Council, the Commission, the
Court of Auditors and the national parliaments. The consolidated annual
activity report shall be made public. The Commission shall adopt
implementing acts establishing reporting indicators to ensure a uniform
approach to the collection and presentation of information by Europol in
respect of crimes affecting the financial interests of the Union;
(n) adopt rules for the prevention and management of conflicts of interest in
respect of its members, including in relation to their declaration of interests;
(o) adopt appropriate measures to support the recognition of skills and professional
experience acquired in the course of employment with, or activities carried out
for, Europol, including through the development of a common competency
framework in cooperation with CEPOL;
(p) monitor Europol’s strategic priorities and objectives, as reflected in the
evaluation criteria referred to in point (m), and ensure appropriate follow-up to
operational, technological and organisational challenges affecting the
fulfilment of Europol’s tasks;
(q) oversee the performance of the Executive Director, including the
implementation of Management Board decisions and the effective exercise of
the powers conferred on the Executive Director under this Regulation;
(r) appoint a Data Protection Officer, who shall be functionally independent in the
performance of his or her duties;
(s) appoint an accounting officer, who shall be functionally independent in the
performance of his or her duties;
(t) establish and oversee an independent internal audit capability, and ensure
adequate follow-up to recommendations stemming from the internal or external
audit reports evaluations and investigations of the EPPO, the European Anti-
Fraud Office (OLAF) and the EDPS;
(u) adopt guidelines for the processing of information by Europol in accordance
with Article 32, after consulting the EDPS;
EN 103 EN
(v) adopt implementing rules governing the Centres in accordance with Articles 13
to 19, and regularly assess their functioning and adapt them where necessary in
light of operational needs and evolving security threats;
(w) designate the Fundamental Rights Officer, who shall be functionally
independent in the performance of his or her duties;
(x) specify the criteria on the basis of which Europol may issue proposals for
possible entry of information alerts in SIS.
3. Where the Management Board considers it necessary for the performance of
Europol's tasks, it may suggest to the Council that it draw the attention of the
Commission to the need for an adequacy decision as referred to in Article 94a
Regulation (EU) 2018/1725, or for a recommendation for a decision authorising the
opening of negotiations to conclude an international agreement as referred to in
Article 94b(2) of Regulation (EU) 2018/1725.
4. Where at least one third of the members of the Management Board identify a need
for action by Europol in a specific area falling within its competence, the
Management Board shall invite the Executive Director to propose appropriate
measures.
5. The Management Board shall adopt, in accordance with Article 110(2) of the Staff
Regulations, a decision based on Article 2(1) of the Staff Regulations and on Article
6 of the Conditions of Employment of Other Servants, delegating the relevant
appointing authority powers to the Executive Director and establishing the conditions
under which such delegation of powers may be suspended. The Executive Director
shall be authorised to subdelegate those powers.
6. Where exceptional circumstances so require, the Management Board may, by way of
a decision, temporarily suspend the delegation of the appointing authority powers to
the Executive Director and any sub-delegation of such powers and exercise them
itself or delegate those powers to one of its members or to a staff member other than
the Executive Director.
7. The Management Board may delegate certain tasks, except those requiring a two-
thirds majority of the Management Board, to the Executive Board referred to in
Article 75, and shall adopt internal rules governing its tasks, composition and
functioning.
Article 73
Multiannual programming and annual work programmes
1. The Management Board shall, by the end of each year, adopt a single programming
document containing Europol’s multiannual programming and annual work
programme, based on a draft put forward by the Executive Director, in accordance
with the opinion of the Commission and, as regards the multiannual programming,
after having consulted the Joint Parliamentary Scrutiny Group (JPSG), established
jointly by the European Parliament and national parliaments.
Where the Commission delivers a negative opinion on grounds relating to
compliance with Union law, consistency with Union policy objectives or sound
financial management, the Management Board shall review the draft single
programming document prior to its adoption to ensure compliance with Union law,
consistency with Union policy objectives and sound financial management.
EN 104 EN
Where the Management Board decides not to take into account any of the matters
raised by the JPSG in accordance with Article 71(6), point (c), it shall provide a
thorough justification.
Once the single programming document has been adopted, the Management Board
shall forward it to the Council, the Commission and the JPSG.
2. The multiannual programming shall set out the overall strategic programming,
including the objectives, expected results and performance indicators. It shall also set
out the resource planning, including the multiannual budget and establishment plan
taking into account the need to ensure an appropriate mix of skills and expertise
required for the performance of Europol’s tasks. It shall include the strategy for
relations with third countries and international organisations and Europol’s planned
research and innovation activities.
The multiannual programming shall be implemented by means of annual work
programmes and shall, where appropriate, be updated following the outcome of
external and internal evaluations. The conclusion of those evaluations shall also be
reflected, where appropriate, in the annual work programme for the following year.
3. The annual work programme shall comprise detailed objectives, expected results and
performance indicators. It shall also contain a description of the actions to be
financed and an indication of the financial and human resources allocated to each
action, in accordance with the principles of activity-based budgeting and
management. The annual work programme shall be consistent with the multiannual
programming. It shall clearly indicate tasks that have been added, changed or deleted
compared to the previous financial year.
4. Where, after adoption of an annual work programme, a new task is assigned to
Europol, the Management Board shall amend the annual work programme.
5. Any substantial amendment to the annual work programme, especially a
modification resulting in a reallocation of the budgetary resources above 2 % of the
annual budget, shall be adopted by the same procedure as that applicable to the
adoption of the initial annual work programme. The Management Board may
delegate to the Executive Director the power to make non-substantial amendments to
the annual work programme.
Article 74
Voting rules of the Management Board
1. Without affecting Article 70(2), Article 72(2), points (a),(g), (l) and (m), Article
76(7) and Article 126(2), the Management Board shall take decisions by an majority
of its members with voting rights.
2. In the event that the Commission raises serious concerns on a decision proposal
presented to the Management Board on matters related to Delegated Regulation (EU)
2019/715, the Staff Regulations and the Conditions of Employment of Other
Servants, the Management Board shall postpone the adoption of the decision
concerned. Within 15 days of the Commission’s raising of serious concerns on a
decision proposal presented to the Management Board, the Management Board shall
re-examine and adopt that decision, possibly amended, at second reading either by a
two-thirds majority of its members with voting rights, including the Commission
EN 105 EN
representatives, or by a four-fifths majority of the representatives of the Member
States.
3. Each member with voting rights shall have one vote. In the absence of a member
with voting rights, his or her alternate shall be entitled to exercise his or her right to
vote.
4. The Chairperson shall take part in the voting.
5. The Executive Director shall not take part in the voting.
6. The Management Board's rules of procedure shall establish more detailed voting
arrangements, in particular the circumstances in which a member may act on behalf
of another member.
SECTION 3
EXECUTIVE BOARD
Article 75
Executive Board
1. The Management Board shall be assisted by an Executive Board.
2. The Executive Board shall:
(a) prepare the decisions to be adopted by the Management Board and monitor the
implementation of the decisions adopted by it, without affecting the
responsibilities of the Executive Director;
(b) review the draft annual budget, the draft consolidated annual activity report and
the oversee the preparation and implementation of the annual and multiannual
programming;
(c) monitor the implementation of Europol’s budget and prepare the financial and
budgetary decisions to be adopted by the Management Board;
(d) adopt an internal anti-fraud strategy, proportionate to risk of fraud;
(e) ensure, together with the Management Board, adequate follow-up to the
findings and recommendations resulting from internal or external audit reports
and evaluations, to the findings of investigations conducted by the European
Anti-Fraud Office (OLAF), and to the outcomes, including judicial decisions,
of investigations, conducted by the EPPO, in accordance with applicable Union
law;
(f) without affecting the responsibilities of the Executive Director, assist and
advise him or her in the implementation of the decisions of the Management
Board, with a view to reinforcing supervision of administrative and budgetary
management;
3. Where necessary on grounds of urgency, the Executive Board may adopt provisional
decisions on behalf of the Management Board, in particular in matters relating to
administrative and budgetary management, management, including the suspension of
the delegation of appointing authority powers. Such decisions shall be submitted to
the Management Board for confirmation at its next meeting.
4. The Executive Board shall be composed of the Chairperson of the Management
Board, one representative of the Commission to the Management Board and three
EN 106 EN
other members appointed by the Management Board from among its members with
the right to vote. The Chairperson of the Management Board shall also be the
Chairperson of the Executive Board. The Executive Director shall take part in the
meetings of the Executive Board but shall not have the right to vote.
5. The term of office of members of the Executive Board shall be four years. The term
of office of members of the Executive Board shall end when their membership of the
Management Board ends.
6. The Executive Board shall hold at least one ordinary meeting every three months. In
addition, it shall meet on the initiative of its Chairperson or at the request of its
members.
7. The Executive Board may also invite as observers without the right to vote other
participants for specific agenda items.
SECTION 4
EXECUTIVE DIRECTOR
Article 76
Appointment, dismissal, and extension of the term of office
1. The Executive Director shall be engaged as a temporary agent of Europol under
Article 2, point (a), of the Conditions of Employment of Other Servants.
2. The Executive Director shall be appointed by the Management Board from a list of
candidates proposed by the Commission. For the purpose of concluding the contract
of the Executive Director, Europol shall be represented by the Chairperson of the
Management Board.
3. The term of office of the Executive Director shall be five years. In due time before
the end of that period, the Commission shall carry out an assessment that takes into
account an evaluation of the performance of the Executive Director and Europol’s
future tasks and challenges.
4. The Management Board, acting on a proposal from the Commission which takes into
account the assessment referred to in paragraph 3, may extend the term of office of
the Executive Director once, for no more than five years.
5. An Executive Director whose term of office has been extended shall not participate
in another selection procedure for the same post at the end of the overall period.
6. The Executive Director may be removed from office only upon a decision of the
Management Board acting on a proposal from the Commission.
7. The Management Board shall reach decisions on appointment, extension of the term
of office or removal from office of the Executive Director and/or Deputy Executive
Director(s) on the basis of a two-thirds majority of its members with voting rights.
8. In case of vacancy, unless the Management Board decides which Deputy Executive
Director will ensure tasks and responsibilities of the Executive Director until the
appointment of a new Executive Director, a Deputy Executive Director in the highest
grade shall ensure that role.
Article 77
Tasks and responsibilities of the Executive Director
EN 107 EN
1. The Executive Director shall be responsible for the management of Europol. The
Executive Director shall be accountable to the Management Board.
2. The Executive Director shall report to the European Parliament, the JPSG and the
Council on Europol’s performance and tasks when invited to do so.
3. The Executive Director shall be the legal representative of Europol.
4. The Executive Director shall be responsible for the implementation of the tasks
assigned to Europol by this Regulation. In particular, the Executive Director shall be
responsible for:
(a) ensuring the day-to-day administration of Europol;
(b) proposing to the Management Board the establishment of operational, technical
or administrative functions or capacities hosted in Member States other than
the host Member State, where necessary for the performance of Europol’s
tasks;
(c) identifying operational priorities, capability gaps and emerging security threats
relevant to Europol’s competence and propose appropriate operational,
technological or organisational measures to the Management Board;
(d) ensuring compliance with the financial rules of Europol;
(e) preparing the draft single programming document and submitting it to the
Management Board after consulting the Commission;
(f) preparing Europol’s consolidated annual activity report and presenting it to the
Management Board for assessment and adoption;
(g) protecting the financial interests of the Union by applying preventive measures
against fraud, corruption and any other illegal activities, without prejudicing
the investigative competence of OLAF and EPPO by effective checks and, if
irregularities are detected, by recovering amounts wrongly paid and, where
appropriate, by imposing effective, proportionate and dissuasive administrative
and financial penalties;
(h) reporting any criminal conduct to the EPPO in accordance with Article 24 of
Regulation (EU) 2017/1939 in respect of which the EPPO could exercise its
competence and reporting to OLAF in accordance with Article 8(1) of
Regulation (EU, Euratom) 883/ 2013;
(i) preparing a follow-up action plan related to the conclusions of internal or
external audit reports and evaluations, and investigation reports and
recommendations from investigations by the EPPO, OLAF and the EDPS, and
report on progress regularly to the Management Board and inform the
Commission, where appropriate and without undue delay, of significant
findings and the measures taken in response;
(j) preparing draft financial rules applicable to the Agency;
(k) preparing the Agency's draft statement of estimates of revenue and expenditure
and implementing its budget in accordance with the principles of sound
financial management and performance-based budgeting;
(l) preparing appropriate draft implementing rules to give effect to the Staff
Regulations and the Conditions of Employment of Other Servants in
accordance with Article 110 of the Staff Regulations;
EN 108 EN
(m) preparing draft internal rules for the prevention and management of conflicts of
interest in respect of the members of the Management Board and present those
draft rules to the Management Board for adoption;
(n) promoting diversity and gender balance as regards the recruitment of the
Agency’s staff;
(o) regularly informing the Management Board of cooperation with Union
institutions, bodies, missions and agencies, including on the preparation and
conclusion of working arrangements and the operational considerations relating
thereto, and, where appropriate submit proposals for follow-up measures to the
Management Board;
(p) regularly informing the Management Board of cooperation with third countries
and international organisations, including on the preparation and conclusion of
working arrangements with authorities of third countries and international
organisations;
(q) regularly informing the Management Board of the application of Regulation
(EU) 2018/1725 for the transfer of personal data and the operational
considerations relating thereto;
(r) regularly informing the Management Board of working arrangements
concluded with private parties, including their strategic relevance, operational
impact and any associated risks;
(s) performing other tasks pursuant to this Regulation.
Article 78
Deputy Executive Directors
1. One or more Deputy Executive Directors may assist the Executive Director. The
Executive Director shall define their tasks.
2. Article 77 shall apply to the Deputy Executive Directors. The Executive Director
shall be consulted prior to their appointment, any extension of their term of office or
their removal from office.
Chapter VI
Relations with Union entities
Article 79
Common provisions
1. Europol may establish and maintain cooperative relations with Union bodies, offices
and agencies in accordance with the tasks attributed to Europol and to those bodies,
offices and agencies and shall seek to ensure synergies in the performance of their
respective tasks. Europol shall establish and maintain a close relationship with the
Union bodies, offices and agencies under Articles 81 to 90, which shall not be
limited to the areas referred to therein.
Europol may also establish and maintain cooperative relations with Union
institutions and missions set up on the basis of the Treaties in accordance with the
tasks attributed to Europol and to those institutions and missions.
EN 109 EN
2. Europol’s cooperation with Union bodies, offices and agencies under this Chapter
shall notably aim at strengthening the overall effectiveness of the Union’s response
to forms of crime listed in Annex I, in particular by seeking to ensure
complementarity and, where possible, enhance coordination and avoid duplication of
actions, including by means of:
(a) the exchange of information, in accordance with the conditions laid down in
this Regulation;
(b) operational activities;
(c) strategic and analytical activities;
(d) the exchange of specialist knowledge and expertise;
(e) training activities;
(f) the development of capabilities, including through research and innovation,
and joint procurement;
(g) coordination of activities, where relevant, in relation to third countries and
international organisations;
(h) coordination of activities for the implementation of relevant Union strategies
and policy priorities.
3. The cooperation referred to in paragraphs 1 and 2 shall take place within the
framework of working arrangements concluded with the entities referred to in
paragraph 1. Such working arrangements shall not allow for the exchange of personal
data and shall not bind the Union or its Member States.
The working arrangements concluded with Union bodies, offices and agencies
established within the framework of the TFEU shall be subject to the Commission’s
prior approval, with the exception of the working arrangement referred to in Article
81. These working arrangements shall be subject to regular review depending on the
evolution of operational needs, at the own initiative of Europol and the Union
institution, body, mission, office or agency concerned or, with the exception of the
working arrangement referred to in Article 81, at the request of the Commission.
Any working arrangement concluded by Europol with a Union institution, body,
mission, office or agency before the entry into force of this Regulation shall be
subject to review after the start date of application of this Regulation.
4. The Executive Director shall inform the Management Board about any regular
cooperative relations which Europol intends to establish and maintain in accordance
with paragraphs 1, 2 and 3, and about the development of such relations once
established.
5. Subject to any restriction pursuant to Article 33(2) and to the rules applicable
pursuant to Article 129, Europol may directly exchange any information, with the
exception of personal data, with a Union institution, body, mission, office or agency,
in so far as such an exchange is relevant for the performance of Europol's tasks or
those of that Union institution, body, mission, office or agency.
6. Subject to any restrictions indicated pursuant to Article 33(2) or (3) and to the rules
applicable pursuant to Article 129, Europol may transmit personal data to the entities
referred to in paragraph 1, insofar as such transmission is necessary and
proportionate for the legitimate performance of the tasks of that entity. Personal data
EN 110 EN
transmitted to the entities referred to in paragraph 1 by Europol may be processed for
another purpose only where authorised by Europol and where compatible with the
initial purpose for which the data were collected and transmitted by Europol. Where
the data to be transmitted have been provided by a Member State or a Union
institution, body, office or agency and the conditions in Article 81 paragraphs (3) and
(4) are fulfilled, Europol shall share personal data and other relevant information
with the EPPO regardless of any restriction indicated pursuant to Article 33(2) or (3).
7. Europol may receive and process personal data from Union institutions, bodies,
missions, offices and agencies insofar as necessary and proportionate for the
legitimate performance of its tasks. Any information which has clearly been obtained
in obvious violation of human rights shall not be processed.
8. Where a Union institution, body, mission, office or agency has received personal
data from Europol, onward transmissions or transfers of such data shall be prohibited
unless Europol has given its prior explicit authorisation.
9. Europol shall ensure that detailed records of all transmissions or transfers of personal
data and of the grounds for such transmissions or transfers are recorded in
accordance with this Regulation.
Article 80
Common provisions on indirect information exchange on the basis of a hit/no-hit system
1. Europol shall take all appropriate measures to ensure indirect access by other Union
bodies, offices and agencies, where such access is provided for in Union law, to
information held by Europol, on the conditions of reciprocity, by means of an
automated hit/no-hit system operated through the searching of indexes which shall be
kept up to date.
2. Indirect access to information under the first paragraph shall not affect any
restrictions indicated by the Member States, Union institutions, bodies, missions,
offices and agencies, third countries or international organisations providing the
information, in accordance with Article 33(2).
3. In the case of a hit, Europol shall initiate the procedure by which the information that
generated the hit is to be transmitted to the searching Union body, office or agency as
referred to in paragraph 1, in accordance with the restrictions set by the provider of
the information pursuant to this Regulation. In case of a hit with information that is
subject to restrictions indicated pursuant to Article 33(2), the automated hit/no-hit
system referred to in paragraph 1 shall not notify the searching Union body, office or
agency of that hit. In that case, Europol shall contact expeditiously the provider of
the information to inquire if the information that generated the hit can be shared with
the searching Union body, office or agency. Where the provider of the information
lifts those restrictions, Europol shall transmit the information that generated the hit to
the searching Union body, office or agency. Where the provider of the information
maintains those restrictions, Europol shall comply with those restrictions and not
transmit the information that generated the hit to the searching Union body, office or
agency.
4. Searches of information in accordance with paragraphs 1 and 2 shall be carried out
only for the purpose of identifying whether information available at another Union
body, office or agency matches information processed at Europol for the purposes of
points (a), (b) and (c) of Article 32(2).
EN 111 EN
5. While preserving the automated nature of the hit/no-hit system, Europol shall allow
searches in accordance with paragraphs 1 and 2 only by persons designated by other
Union bodies, offices or agencies as authorised to perform such searches.
6. Under the conditions of reciprocity referred to in the first paragraph, Europol shall,
within the limits of its competence, have indirect access, on the basis of an
automated hit/no-hit system, to information provided to Union bodies, offices and
agencies, subject to the conditions set out in Union law.
7. Such access shall not affect any restrictions indicated by the Member State, Union
institution, body, office or agency, third country or international organisation that
provided that information.
8. Europol and other Union bodies, offices and agencies shall inform each other if, as a
result of a hit in accordance with paragraphs 1 and 3, there are indications that data
may be incorrect or may conflict with other data.
9. Where necessary for the implementation of the hit/no-hit system referred to in
paragraphs 1 to 8, the technical procedure, including the data sets that should be
included in the indexes as well as performance and availability requirements, shall be
laid down by means of implementing acts adopted in accordance with Article 138.
Article 81
Relations with the EPPO
1. Europol shall establish and maintain a close relationship with the EPPO based on a
working arrangement setting out the modalities of their cooperation. The working
arrangement shall be subject to regular review.
2. Upon request by the EPPO in accordance with Article 102 of Regulation (EU)
2017/1939, Europol shall support the investigations of the EPPO, namely by
providing any information held by Europol and related to crimes falling within the
competence of the EPPO and by providing the requested operational support for the
performance of the EPPO’s tasks.
3. For the purpose of providing the EPPO with the information and support referred to
in the first subparagraph, Europol shall ensure that the necessary organisational
arrangements are in place, including the allocation of dedicated human resources.
4. To ensure that Europol provides the EPPO with the necessary information under
paragraph 2 of this Article, Europol shall enable the EPPO to have indirect access on
the basis of a hit/no hit automated system to data related to offences that fall within
the competence of the EPPO, held for the purposes referred to in Article 32(2),
points (a), (b) and (c). That hit/no hit system shall notify Europol and the provider of
the information referred to in Article 33(1) in the case of a hit.
5. Pursuant to Article 43(2) of Regulation (EU) 2017/1939, in the case of a hit, Europol
shall share with the EPPO the information that generated the hit to the extent that
relates to offences within the competence of the EPPO and shall notify the provider
of the information.
6. In accordance with Article 24(1) of Regulation (EU) 2017/1939, Europol shall,
without undue delay, report to the EPPO any criminal conduct in respect of which
the EPPO could exercise its competence in accordance with Regulation (EU)
2017/1939.
EN 112 EN
7. Where Europol reports to the EPPO under the first subparagraph, it shall notify the
competent authorities of the Member States concerned without delay.
8. Europol may carry out joint operational analysis with the EPPO.
9. When Europol receives information from the EPPO on forms of crime falling outside
the scope of the competence of the EPPO and within the scope of Europol’s
competence, Europol shall process and analyse such information and, where relevant,
disseminate it to the competent authorities of the Member States in accordance with
this Regulation.
Article 82
Relations with Eurojust
1. Where, during Europol's activities, including at any stage of an operational task
force, Europol or a Member State identifies the need for effective judicial follow-up
within the mandate of Eurojust, Europol shall, without undue delay, notify Eurojust
and any Member State concerned to that effect. Europol shall initiate the procedure
for sharing the relevant information, in accordance with the decision of the Member
State providing the information. In such a case, Eurojust shall consult with Europol.
2. Europol and Eurojust may agree on establishing joint operational platforms and other
forms of structured cooperation to support the competent authorities of the Member
States in specific crime areas which fall within their respective competence. This
may include joint operational analysis.
3. Europol shall cooperate with Eurojust, within their respective mandates, in
supporting the competent authorities of the Member States in the context of digital
investigations and access to data, and in particular act as a knowledge hub for
advising, assisting and providing capacity-building on the cross-border access to e-
evidence.
4. Europol shall support Eurojust, within their respective mandates, in relation to core
international crimes.
Article 83
Relations with OLAF
Where, during Europol's information-processing activities in respect of an individual
investigation or in the process of asset recoveries, Europol or a Member State identifies the
need for coordination, cooperation or support in accordance with the mandate of OLAF,
Europol shall notify OLAF to that effect and shall initiate the procedure for sharing the
relevant information, in accordance with the decision of the Member State providing the
information. In such a case, OLAF shall consult with Europol.
Article 84
Relations with the Authority for Anti-Money Laundering and Countering the Financing
of Terrorism (AMLA)
1. Europol's relationship with the AMLA shall aim notably at supporting Financial
Intelligence Units (FIUs) in the context of a joint analysis carried out pursuant to
EN 113 EN
Article 32 of Directive (EU) 2024/1640 of the European Parliament and of the
Council74 and Article 40 of Regulation (EU) 2024/1620.
2. For the purposes of Article 41(4) of Regulation (EU) 2024/1620, Europol shall
receive, process and analyse the results of the joint analyses and any additional
information in accordance with this Regulation.
Article 85
Relations with the European Border and Coast Guard Agency (Frontex)
Europol shall cooperate with Frontex, notably in:
(a) identifying high-risk cross-border movements and related criminal activities,
including by analysing travel information contained in Union large-scale IT
systems, and for that purpose, Europol shall compare such data with
information it holds in accordance with this Regulation and provide Frontex
with relevant risk indicators.
(b) implementing the activities carried out under Regulation (EU) 2024/1356 and
in the framework of Regulation (EU) 2019/1896, and for that purpose, Europol
may, at the request of the concerned Member State, deploy staff to support
checks against relevant Union large-scale IT systems, in accordance with
Article 22 of this Regulation, including in the context of activities carried out
under Regulation (EU) 2019/1896, and major international events.
Article 86
Relations with eu-LISA
1. Europol shall cooperate with eu-LISA in areas of common interest related to the
development, deployment and operation of information systems and related
communication infrastructure.
2. The cooperation between Europol and eu-LISA referred to in paragraph 1 shall
include, where appropriate and in accordance with their respective mandates, but
shall not be limited to:
(a) the participation in, or use of, procurement procedures, including joint
procurement actions, framework contracts or other procurement instruments
for the acquisition of works, supplies or services;
(b) the sharing, re-use or adaptation of technical components, tools, services or
building blocks developed or operated by either agency;
(c) the provision of technical support, expertise or services, including in the field
of system development, testing, maintenance and security;
(d) the establishment of joint project teams and the exchange of staff, expertise and
other resources necessary for the implementation of common projects and
technical activities.
74 Directive (EU) 2024/1640 of the European Parliament and of the Council of 31 May 2024 on the
mechanisms to be put in place by Member States for the prevention of the use of the financial system
for the purposes of money laundering or terrorist financing, amending Directive(EU) 2019/1937, and
amending and repealing Directive (EU) 2015/849 (OJ L, 2024/1640, 19.6.2024,
ELI: http://data.europa.eu/eli/dir/2024/1640/oj).
EN 114 EN
3. For the development and maintenance of services, tools and applications created,
hosted or managed by Europol, Europol shall request eu-LISA to provide public key
infrastructure certificates from eu-LISA’s Certification Authority to Europol and,
where appropriate, to the competent authorities of the Member States.
4. Cooperation under paragraphs 1, 2 and 3 shall take place within the framework of
working arrangements setting out the practical modalities, including financial
aspects, governance arrangements, arrangements for staff exchanges and temporary
assignments, and the establishment and operation of joint project teams.
5. Paragraphs 1 to 4 shall not affect the responsibilities of Europol as regards the
development and operation of its own information systems.
Article 87
Relations with the European Union Drugs Agency
Europol’s cooperation with the European Union Drugs Agency, established by Regulation
(EU) 2023/1322 of the European Parliament and of the Council75, shall concern notably the
collection of data, and the monitoring of trends, on drug supply, including illicit production
and trafficking and other related crimes, on the use of new technologies and on new
psychoactive substances.
Article 88
Relations with the European Union Agency for Fundamental Rights (FRA)
Europol’s cooperation with the FRA shall support Europol in ensuring full respect of the
fundamental rights and freedoms enshrined in the Charter in the performance of its different
tasks. This shall notably include areas of Europol’s activity that can have particular impact on
the rights of individuals, including vulnerable persons, such as children.
Article 89
Relations with the European Union Customs Authority
Europol’s cooperation with the European Union Customs Authority, established by
Regulation […], shall aim at enabling reciprocal exchange of relevant data and information
for the prevention and combating of serious crime and terrorism, notably by enabling Europol
to obtain, upon request, data, including personal data and commercially sensitive data,
available in the EU Customs Data Hub, in accordance with Regulation […].
Article 90
Relations with ENISA
Europol’s cooperation with ENISA shall aim notably at:
(a) enhancing shared situational awareness of the cyber threat and incident
landscape, in particular with respect to cyber threat intelligence; and
(b) improving cybersecurity preparedness, response to and recovery from
ransomware incidents.
75 Regulation (EU) 2023/1322 of the European Parliament and of the Council of 27 June 2023 on the
European Union Drugs Agency (EUDA) and repealing Regulation (EC) No 1920/2006 (OJ L 166,
30.6.2023, p. 6, ELI: http://data.europa.eu/eli/reg/2023/1322/oj).
EN 115 EN
Chapter VII
Relations with partners
SECTION 1
COMMON PROVISIONS
Article 91
Common provisions
1. Where necessary for the performance of its tasks, Europol may establish and
maintain cooperative relations with the authorities of third countries, international
organisations and private parties.
2. Subject to any restriction laid down in Article 33(2) and without affecting Article
129, Europol may directly exchange all information, with the exception of personal
data, with entities referred to in paragraph 1 of this Article, in so far as such an
exchange is relevant for the performance of Europol's tasks.
3. The Executive Director shall inform the Management Board about any regular
cooperative relations which Europol intends to establish and maintain in accordance
with paragraphs 1 and 2, and about the development of such relations once
established.
4. For the purposes set out in paragraphs 1 and 2, Europol may conclude working
arrangements with entities referred to in paragraph 1, which shall be subject to prior
approval of the Commission. Such working arrangements shall not allow the
exchange of personal data, shall not create legal obligations under international or
Union law, and shall not express positions binding upon the Union or its Member
States.
5. Europol may receive and process personal data from entities referred to in paragraph
1 insofar as necessary and proportionate for the legitimate performance of its tasks
and in accordance with Regulation 2018/1725 and this Regulation.
6. Where third countries, international organisations or private parties have received
personal data from Europol, onward transmissions or transfers of such data shall be
prohibited unless Europol has given its prior explicit authorisation.
7. Europol shall ensure that detailed records of all transmissions or transfers of personal
data and of the grounds for such transmissions or transfers are recorded in
accordance with this Regulation.
8. Any information which has clearly been obtained in obvious violation of human
rights shall not be processed by Europol.
SECTION 2
COOPERATION WITH THIRD COUNTRIES AND INTERNATIONAL ORGANISATIONS
Article 92
Priorities for external engagement
Europol shall ensure that its cooperation with third countries and international organisations is
coherent with the Union’s external policies and priorities and is conducted, where appropriate,
EN 116 EN
in coordination with Union delegations. To that end, Europol, within the limits of its mandate,
shall adopt an external strategy as part of the multiannual programming and annual work
programme referred to in Article 73, subject to prior approval by the Commission.
Article 93
Cooperation with Schengen associated countries
1. Europol shall maintain a close cooperation with countries associated with the
implementation, application and development of the Schengen acquis (“Schengen
associated countries”).
2. The scope, modalities, rights and obligations relating to the cooperation referred to in
paragraph 1 may be determined by a dedicated international agreement to be
concluded between the Union and the Schengen associated country concerned.
3. The international agreement referred to in paragraph 2 may provide for:
(a) access to, and the ability to query, the Europol Cross-Matching Service and the
Europol Analytical Environment in accordance with Articles 39 and 41;
(b) observer status in the Management Board and in the ICT/Information
Management Steering Group, which shall not confer voting rights in
accordance with Article 69;
(c) the posting of liaison officers, subject to the same conditions as those
applicable to liaison officers from Member States pursuant to Article 27.
4. Any international agreement providing for the form of cooperation referred to in
paragraph 3 may also provide for:
(a) the provision of information by the Schengen associated country concerned to
Europol under conditions corresponding to those laid down in Article 29(1), (2)
and (5) and the obligation for Europol to take into account the information
provided by the Schengen associated country concerned as set out in Article
29(6);
(b) an appropriate financial contribution to be paid by the Schengen associated
country concerned to Europol.
Article 94
Transfer of personal data to third countries and international organisations
1. Europol may transfer personal data to third countries and international organisations
without affecting Article 129.
5. The Executive Director shall be competent to authorise the transfer of personal data
in accordance with Articles 94b, 94c and 94d of Regulation (EU) 2018/1725.
The Management Board may, following an authorisation by the EDPS, authorise for
a period not exceeding one year, which shall be renewable, a set of transfers where
the conditions of Article 94c of Regulation (EU) 2018/25 are fulfilled.
6. For the purposes of paragraph 2, the Executive Director shall take a decision, without
undue delay, on the basis of all relevant information, including, where appropriate,
input from the Data Protection Officer and the relevant operational centres. As a
general rule, such transfers shall be authorised when the applicable conditions are
EN 117 EN
met and shall be carried out via SIENA. Where the third country or international
organisation concerned does not have access to SIENA, transfers shall take place via
INTERPOL channels.
7. The Executive Director shall as soon as possible inform the Management Board of
the cases in which Articles 94b, 94c and 94d of Regulation (EU) 2018/1725 have
been applied.
Article 95
Relations with the Member States or third countries in the context of their participation
in the Maritime Analysis and Operations Centre (Narcotics)
1. In so far as necessary for the performance of its tasks, Europol shall establish and
maintain cooperation with the Member States and third countries participating in the
Maritime Analysis and Operations Centre (Narcotics) (MAOC (N)) by means of a
working arrangement.
2. Europol may exchange information with third countries participating in MAOC (N)
subject to compliance with the general principles and rules for transfers of
operational personal data to third countries of Regulation (EU) 2018/1725.
3. The Member States participating in MAOC (N) shall connect their liaison officers
posted at MAOC-N to SIENA to submit relevant information to Europol.
4. Europol shall provide analytical support to MAOC (N) for the purpose of criminal
investigations against high-risk criminal networks trafficking drugs at sea.
SECTION 3
COOPERATION WITH PRIVATE PARTIES AND NATURAL PERSONS
Article 96
Exchanges of personal data with private parties
1. Insofar as is necessary for Europol to perform its tasks, Europol may process
personal data obtained from private parties.
2. Europol may receive directly from a private party personal data which that private
party declares it is legally allowed to transmit in accordance with the applicable law.
3. For the purpose of informing the competent authorities of the Member States of any
criminal offence that concerns them and that relates to personal data received from a
private party, and of enabling them to take the necessary measures, Europol shall
forward the personal data and any relevant results from the processing of those data
to the Europol national units concerned.
4. Any cooperation by Europol with private parties shall neither duplicate nor interfere
with the activities of Member States’ FIUs and shall not concern information that is
to be provided to FIUs for the purposes of Directive (EU) 2015/849.
5. Europol shall only transmit or transfer personal data to private parties, when it is
strictly necessary and proportionate, to be determined on a case-by-case basis, and in
particular where it is in the interests of the data subject or necessary to prevent the
imminent commission of a crime, including terrorism.
EN 118 EN
Such transmission or transfer shall only take place when the rights and freedoms of
the data subject do not outweigh the public interest requiring the transmission or
transfer.
The transmission or transfer referred to in the first subparagraph of this paragraph is
subject to any restrictions pursuant to Article 33(2) or (3) and shall not affect Article
129.
6. Where the private party is not established within the Union or in a third country as
referred to in Article 94a of Regulation (EU) 2018/1875, the transfer shall be
authorised by the Executive Director only in the following cases:
(a) the transfer is necessary to protect the vital interests of the data subject
concerned or of another person;
(b) the transfer is necessary to safeguard legitimate interests of the data subject
concerned;
(c) the transfer is essential for the prevention of an immediate and serious threat to
public security of a Member State or a third country;
(d) the transfer is necessary in individual cases for the purposes of the prevention,
investigation, detection or prosecution of a specific crime falling within the
scope of Europol’s competence;
(e) the transfer is necessary in individual cases for the establishment, exercise or
defence of legal claims relating to the prevention, investigation, detection or
prosecution of a specific criminal offence falling within the scope of Europol’s
competence.
Personal data shall not be transferred if the Executive Director determines that the
fundamental rights and freedoms of the data subject concerned override the public
interest that requires the transfer referred to in the first subparagraph, points (d) and
(e).
7. Transmissions or transfers of personal data under paragraphs 5 and 6 shall not be
systematic, massive or structural.
8. Europol may request Member States, via their Europol national units, to share with
Europol, in accordance with their national law, personal data from private parties
which are established or have a legal representative in their territory. Such requests
shall be reasoned and as precise as possible. Such personal data shall be the least
sensitive possible and strictly limited to what is necessary and proportionate for the
purpose of enabling Europol to perform its tasks.
9. Europol’s mechanism referred to in Article 47 may be used for exchanges of
information between the competent authorities of the Member States and private
parties in accordance with the respective Union and national law. Those exchanges
may also cover crimes not falling within the scope of Europol’s competence.
Where Member States use Europol’s mechanism for the exchange of information on
crimes falling within the scope of Europol’s competence, they shall provide Europol
with a copy of such information.
Where Member States use Europol’s mechanism for the exchange of personal data
on crimes not falling within the scope of Europol’s competence, Europol shall not
have access to those data and shall be considered to be a processor in accordance
with Article 87 of Regulation (EU) 2018/1725.
EN 119 EN
Europol shall assess the security risks posed by allowing the use of its infrastructure
by private parties and, where necessary, implement appropriate preventive and
mitigating measures.
10. Europol shall ensure that detailed records of all transmissions or transfers of personal
data and the grounds for such transmissions or transfers are recorded in accordance
with this Regulation and communicated upon request to the EDPS in accordance
with Regulation (EU) 2018/1725.
11. Where the personal data received or to be transmitted or transferred affect the
interests of a Member State, Europol shall immediately inform the Europol national
unit of the Member State concerned.
12. By 31 March, the Management Board shall adopt an annual report on the personal
data exchanged with private parties pursuant to this Article, on the basis of
quantitative and qualitative evaluation criteria established by the Management Board.
13. The annual report shall take into account the obligations of discretion and
confidentiality and the examples shall be anonymised insofar as personal data are
concerned.
The annual report shall be sent to the European Parliament, the Council, the
Commission and national parliaments.
Article 97
Information from natural persons
1. Insofar as is necessary for Europol to perform its tasks, Europol may receive and
process information originating from natural persons.
2. Personal data originating from natural persons shall only be processed by Europol
provided that they are received through one of the following ways:
(a) a Europol national unit in accordance with national law;
(b) the contact point of a third country or an international organisation to which
personal data may be transferred pursuant to Article 94b(2), point (c), of
Regulation (EU) 2018/1725;
(c) an authority of a third country or an international organisation to which
personal data may be transferred pursuant to Article 94a, Article 94b(1) or
Article 94b(2), point (a), of Regulation (EU) 2018/1725.
3. Where Europol receives information, including personal data, from a natural person
residing in a third country in respect of which the conditions for a transfer pursuant
to Articles 94a or 94b of Regulation (EU) 2018/1725 are not fulfilled, Europol shall
forward that information only to a Member State or to such third country.
4. Where the personal data received affect the interests of a Member State, Europol
shall immediately inform the Europol national unit of the Member State concerned.
5. Europol shall not contact natural persons to retrieve information.
6. Without prejudice to Articles 104 and 105, Europol may not provide personal data to
natural persons.
EN 120 EN
Chapter VIII
Data protection
Article 98
Processing of personal data by Europol
1. Unless otherwise provided for in this Regulation, Regulation (EU) 2018/1725 shall
apply to the processing of personal data by Europol.
2. References to ‘personal data’ in this Regulation shall be understood as references to
‘operational personal data’ as defined in Article 3, point (2), of Regulation (EU)
2018/1725, unless otherwise provided for in this Regulation.
3. The Management Board shall adopt rules to determine the time limits for the storage
of administrative personal data.
Article 99
Assessment of reliability of the source and accuracy of information
1. The reliability of the source of information originating from a Member State shall be
assessed as far as possible by the providing Member State using the following source
evaluation codes:
(a) (A): where there is no doubt as to the authenticity, trustworthiness and
competence of the source, or where the information is provided by a source
which has proved to be reliable in all instances;
(b) (B): where the information is provided by a source which has in most instances
proved to be reliable;
(c) (C): where the information is provided by a source which has in most instances
proved to be unreliable;
(d) (X): where the reliability of the source cannot be assessed.
2. The accuracy of information originating from a Member State shall be assessed as far
as possible by the providing Member State using the following information
evaluation codes:
(a) (1): information the accuracy of which is not in doubt;
(b) (2): information known personally to the source but not known personally to
the official passing it on;
(c) (3): information not known personally to the source but corroborated by other
information already recorded;
(d) (4): information not known personally to the source and which cannot be
corroborated.
3. Where Europol, on the basis of information already in its possession, comes to the
conclusion that the assessment provided for in paragraphs 1 or 2 needs to be
corrected, it shall inform the Member State concerned and seek to agree on an
amendment to the assessment. Europol shall not change the assessment without such
agreement.
EN 121 EN
4. Where Europol receives information from a Member State without an assessment
conducted in accordance with paragraphs 1 or 2, it shall attempt to assess the
reliability of the source or the accuracy of information on the basis of information
already in its possession. The assessment of specific data and information shall take
place in agreement with the providing Member State. A Member State may also
agree with Europol in general terms on the assessment of specified types of data and
specified sources. Where no agreement is reached in a specific case, or no agreement
in general terms exists, Europol shall assess the information or data and shall
attribute to such information or data the evaluation codes (X) and (4) referred to in
paragraphs 1 and 2 respectively.
5. Paragraphs 1 to 4 shall apply mutatis mutandis where Europol receives data or
information from a Union institution, body, mission, office or agency, a third
country, an international organisation or a private party.
6. Information from publicly available sources shall be assessed by Europol using the
evaluation codes set out in paragraphs 1 and 2.
7. Where information is the result of an analysis made by Europol in the performance
of its tasks, Europol shall assess such information in accordance with this Article,
and in agreement with the Member States participating in the analysis.
Article 100
Processing of personal data of different categories of data subjects and of special
categories of personal data
1. Processing of personal data in respect of victims of a criminal offence, witnesses or
other persons who can provide information concerning criminal offences shall be
allowed where it is strictly necessary and proportionate for preventing or combating
crime falling within the scope of Europol’s competence.
2. Processing of personal data, by automated or other means, revealing racial or ethnic
origin, political opinions, religious or philosophical beliefs, or trade union
membership, and the processing of genetic data, biometric data for the purpose of
uniquely identifying a natural person, or data concerning health or concerning natural
persons’ sex life or sexual orientation shall be allowed only where strictly necessary
and proportionate for research and innovation projects pursuant to Article 102 and
for operational purposes, within the scope of Europol’s competence, and only for
preventing or combating crime falling within the scope of Europol’s competence.
Such processing shall also be subject to appropriate safeguards laid down in this
Regulation with regard to the rights and freedoms of the data subject, and, with the
exception of biometric data processed for the purpose of uniquely identifying a
natural person, shall be allowed only where those data supplement other personal
data processed by Europol. The selection of a particular group of persons solely on
the basis of such personal data shall be prohibited.
3. The Data Protection Officer shall be informed without undue delay in the case of
processing of personal data pursuant to this Article.
4. Only Europol shall have direct access to personal data referred to in paragraphs 1 and
2. The Executive Director shall duly authorise a limited number of Europol staff to
have such access where it is necessary for the performance of their tasks.
EN 122 EN
5. Notwithstanding the first subparagraph, where it is necessary to grant staff of the
competent authorities of the Member States or Union bodies and agencies, direct
access to personal data for the performance of their tasks and in accordance with this
Regulation, or for research and innovation projects in accordance with Article
102(2), point (c), the Executive Director shall duly authorise a limited number of
such staff to have such access.
6. Personal data as referred to in paragraphs 1 and 2 shall not be transmitted to Member
States or Union institutions, bodies, missions, offices and agencies or transferred to
third countries, international organisations or private parties, unless such
transmission or transfer is required under this Regulation or Union law or is strictly
necessary and proportionate in individual cases concerning crimes falling within the
scope of Europol’s competence and in accordance with Chapters VI and VII.
7. Every year Europol shall provide the EDPS with a statistical overview of all personal
data as referred to in paragraph 2 which it has processed.
Article 101
Time-limits for the storage and erasure of personal data
1. Personal data processed by Europol shall be stored by Europol only for as long as is
necessary and proportionate for the purposes for which the data are processed.
2. Europol shall in any event review the need for continued storage no later than three
years after the start of initial processing of personal data. Europol may decide on the
continued storage of personal data until the following review, which shall take place
after another period of three years, where continued storage is still necessary for the
performance of Europol's tasks. The reasons for the continued storage shall be
justified and recorded. Where no decision is taken on the continued storage of
personal data, that data shall be erased automatically after three years.
3. Where personal data as referred to in Article 100(1) and (2) are stored for a period
exceeding five years, the EDPS shall be informed thereof.
4. Where a Member State, a Union institution, body, mission, office or agency, a third
country or an international organisation has indicated any restriction as regards the
earlier erasure or destruction of the personal data at the moment of transmission or
transfer in accordance with Article 33(2), Europol shall erase the personal data in
accordance with those restrictions. Where continued storage of the data is deemed
necessary, on the basis of information that is more extensive than that possessed by
the data provider, in order for Europol to perform its tasks, Europol shall request the
authorisation from the data provider to continue storing the data and shall present a
justification for such request.
5. A Member State, a Union institution, body, mission, office or agency, a third country
or an international organisation that erases from its own data files personal data
provided to Europol shall inform Europol accordingly. Europol shall erase the data
unless the continued storage of the data is deemed necessary, on the basis of
information that is more extensive than that possessed by the data provider, in order
for Europol to perform its tasks. Europol shall inform the data provider of the
continued storage of such data and present a justification of such continued storage.
6. Personal data shall not be erased in the following cases:
EN 123 EN
(a) such erasure would damage the interests of a data subject who requires
protection, in which case the data shall be used only with the express and
written consent of the data subject;
(b) the accuracy of the personal data is contested by the data subject, for a period
enabling Member States or Europol, where appropriate, to verify the accuracy
of the data;
(c) the data have to be maintained for purposes of proof or for the establishment,
exercise or defence of legal claims;
(d) the data subject opposes their erasure and requests the restriction of their use
instead.
Article 102
Processing of personal data for research and innovation
1. Europol may process personal data for the purpose of the relevant research and
innovation projects, provided that the processing of those personal data is required
and duly justified to achieve the objectives of the project concerned.
As regards special categories of personal data, such processing shall only be carried
out when it is strictly necessary and subject to appropriate safeguards, which may
include pseudonymisation.
The processing of personal data by Europol in the context of research and innovation
projects shall be guided by the principles of transparency, explainability, fairness and
accountability.
2. Without affecting paragraph 1, for the processing of personal data performed in the
context of Europol’s research and innovation projects, the following safeguards shall
apply:
(a) any research and innovation project shall require the prior authorisation by the
Executive Director, based on:
i. a description of the objectives of the project and an explanation of how the
project assists Europol or competent authorities of the Member States in their
tasks;
ii. a description of the envisaged processing activity, setting out the objectives,
scope and duration of the processing and the necessity and proportionality to
process the personal data;
iii. a description of the categories of personal data to be processed;
iv. an assessment of compliance with Article 71 of Regulation (EU) 2018/1725
regarding the time limits for the storage and conditions for access to the
personal data.
(b) the Management Board shall be informed of the launch of the project, in
accordance with the guidelines referred to in Article 32(11);
(c) any personal data to be processed in the context of the project shall:
i. be temporarily copied to a separate, isolated and protected data processing
environment, which may, where appropriate, support iterative development,
EN 124 EN
testing and validation processes, within Europol for the sole purpose of
carrying out that project;
ii. be accessed in accordance with Article 100(4) by specifically authorised
Europol staff and, subject to technical security measures, by specifically
authorised staff of the competent authorities of the Member States and Union
agencies;
iii. not be transmitted or transferred;
iv. not lead to measures or decisions affecting the data subjects as a result of their
processing;
v. be erased once the project is concluded or the time limit for the storage of
personal data has expired in accordance with Article 91;
vi. subject to appropriate safeguards and where duly justified, be reused within
Europol for subsequent research and innovation projects pursuing compatible
objectives, in particular for the improvement, testing or validation of
algorithms and AI models and AI systems;
(d) the logs of the processing of personal data in the context of the project shall be
kept for two years after the conclusion of the project, solely for the purpose of
and only as long as necessary for verifying the accuracy of the outcome of the
data processing.
3. Where Europol considers that a new type of research and innovation project poses a
significant risk to the rights and freedoms of data subjects, it shall, in addition to the
requirements set out under paragraph 2, point (a), of this Article also carry out a data
protection impact assessment in accordance with Article 89 of Regulation (EU)
2018/1725. In such cases, the EDPS shall be informed prior to the launch of the
project.
4. Paragraphs 2 and 3 shall not apply to the adjustment, modification or deployment of
existing capabilities, including in a defined operational context, provided that such
activities do not substantially alter the nature, scope or purpose of the processing in a
manner that would increase the risk to the rights and freedoms of data subjects.
5. The Management Board shall establish in a binding document the general scope for
the research and innovation projects. Such document shall be updated where
appropriate and made available to the EDPS for the purpose of its supervision.
6. Europol shall keep a document containing a detailed description of the process and of
the rationale behind the training, testing and validation of algorithms to ensure
transparency of the process and the algorithms, including their compliance with the
safeguards provided for in this Article, and to allow for verification of the accuracy
of the results based on the use of such algorithms. Upon request, Europol shall make
that document available to interested parties, including Member States and the JPSG.
7. Where the data to be processed for a research and innovation project have been
provided by a Member State, a Union body, a third country or an international
organisation, Europol shall request consent from that provider of data in accordance
with Article 33(2), unless the provider of data has granted its prior authorisation to
such processing for the purpose of research and innovation projects, either in general
terms or subject to specific conditions.
EN 125 EN
8. Europol shall not process data for research and innovation projects without the
consent of the provider of the data. Such consent may be withdrawn at any time.
Article 103
Notification of a personal data breach to the authorities concerned
1. Without affecting Article 92 of Regulation (EU) 2018/1725, in the event of a
personal data breach, Europol shall notify the competent authorities of the Member
States concerned of that breach, without undue delay, and the provider of the data
concerned unless the personal data breach is unlikely to result in a risk to the rights
and freedoms of natural persons.
2. The notification referred to in paragraph 1 shall, as a minimum:
(a) describe the nature of the personal data breach including, where possible and
appropriate, the categories and number of data subjects concerned and the
categories and number of data records concerned;
(b) describe the likely consequences of the personal data breach;
(c) describe the measures proposed or taken by Europol to address the personal
data breach;
(d) where appropriate, recommend measures to mitigate the possible adverse
effects of the personal data breach.
Article 104
Communication of a personal data breach to the data subject
Without affecting Article 93 of Regulation (EU) 2018/1725, where Europol does not have the
contact details of the data subject concerned, it shall request the provider of the data to
communicate the personal data breach to the data subject concerned and to inform Europol
about the decision taken. Member States providing the data shall communicate the personal
data breach to the data subject concerned in accordance with national law.
Article 105
Right of access for the data subject
1. Any data subject wishing to exercise the right of access referred to in Article 80 of
Regulation (EU) 2018/1725 to personal data that relate to the data subject may make
a request to that effect to the authority appointed for that purpose in the Member
State of their choice, or to Europol. That authority shall refer the request to Europol
without undue delay and within one month of receipt.
2. Europol shall confirm receipt of the request referred to in paragraph 1. Europol shall
answer it without undue delay, and in any case within four months of receipt by
Europol of the request., without prejudice to Article 81 of Regulation (EU)
2018/1725.
3. Europol shall consult the competent authorities of the Member States and the
provider of the data concerned on a decision to be taken. A decision on access to
personal data shall be conditional on close cooperation between Europol and the
Member States and the provider of the data directly concerned by the access of the
data subject to such data. Member States and the provider of the data concerned shall
EN 126 EN
cooperate closely with Europol and shall reply to the consultation carried out by
Europol without undue delay. Where a Member State or the provider of the data
objects to Europol's proposed response, it shall notify Europol of the reasons for its
objection. Europol shall take the utmost account of any such objection. Europol shall
subsequently notify its decision to the competent authorities of the Member States
concerned and to the provider of the data.
Article 106
Right to rectification, erasure and restriction
1. Any data subject wishing to exercise the right to rectification or erasure of personal
data or of restriction of processing of personal data that relate to them referred to in
Article 82 of Regulation (EU) 2018/1725 may make a request to that effect, through
the authority appointed for that purpose in the Member State of their choice, or to
Europol. Where the request is made to that authority, it shall refer the request to
Europol within one month of receipt.
2. Without prejudice to Article 82(3) of Regulation (EU) 2018/1725, Europol shall
restrict the processing of personal data rather than erase personal data where there are
reasonable grounds to believe that erasure could affect the legitimate interests of the
data subject.
3. Restricted data shall be processed only to protect the rights of the data subject, where
that is necessary to protect the vital interests of the data subject or of another person,
or for the purposes laid down in Article 82(3) of Regulation (EU) 2018/1725.
4. Where personal data as referred to in paragraphs 1 and 2 held by Europol have been
provided to it by third countries, international organisations or Union institutions,
bodies, missions, offices or agencies, have been directly provided by private parties,
have been retrieved by Europol from publicly available sources or result from
Europol’s own analyses, Europol shall rectify or erase such data or restrict their
processing and, where appropriate, inform the providers of the data.
5. Where personal data referred to in paragraphs 1 and 2 held by Europol have been
provided to it by Member States, the Member States concerned shall rectify or erase
such data or restrict their processing in cooperation with Europol, within their
respective competences.
6. Europol shall rectify or erase data in collaboration with the provider of the data
concerned in all of the following cases:
(a) incorrect personal data have been transmitted or transferred by another
appropriate means;
(b) the errors in the data provided by Member States are due to faulty transmission
or transfer or transmission or transfer in breach of this Regulation;
(c) the errors in the data result from data being input, taken over or stored in an
incorrect manner or in breach of this Regulation by Europol.
7. In the cases referred to in paragraphs 3, 4 and 5, all addressees of the data concerned
shall be notified forthwith. In accordance with the rules applicable to them, the
addressees shall then rectify, erase or restrict those data in their systems.
EN 127 EN
Article 107
Responsibility in data protection matters
1. Europol shall process personal data in a manner that ensures that their source, in
accordance with Article 28, can be established.
2. The responsibility for the accuracy of personal data as referred to in Article 71(1),
point (d), of Regulation (EU) 2018/1725 shall lie with:
(a) the Member State or the Union body which provided the personal data to
Europol;
(b) Europol in respect of personal data provided by third countries or international
organisations or directly provided by private parties, of personal data retrieved
by Europol from publicly available sources or resulting from Europol's own
analyses and of personal data stored by Europol in accordance with Article
101(5).
3. Where Europol becomes aware that personal data provided pursuant to Article 28(1),
points (a) and (b), are factually incorrect or have been unlawfully stored, it shall
inform the provider of those data accordingly.
4. The responsibility for the legality of a data transmission or transfer shall lie with:
(a) the Member State which provided the personal data to Europol;
(b) Europol in the case of personal data provided by it to Member States, third
countries or international organisations.
5. In the case of a transmission between Europol and a Union institution, body, mission,
office or agency, the responsibility for the legality of the transmission shall lie with
Europol.
Without affecting the first subparagraph, where the data are transmitted by Europol
following a request from the recipient, both Europol and the recipient shall be
responsible for the legality of such a transmission.
6. Europol shall be responsible for all data processing operations carried out by it, with
the exception of the bilateral exchange of data using Europol’s infrastructure
between Member States, Union institutions, bodies, missions, offices and agencies,
third countries, international organisations and private parties to which Europol has
no access. Such bilateral exchanges shall take place under the responsibility of the
entities concerned and in accordance with their law. The security of such exchanges
shall be ensured in accordance with Article 91 of Regulation (EU) 2018/1725.
Article 108
Prior consultation
1. Europol may initiate processing operations which are subject to prior consultation of
the EDPS pursuant to Article 90(1) of Regulation (EU) 2018/1725 unless the EDPS
has provided written advice pursuant to Article 90(4) of that Regulation within a
period of eight weeks, which starts on the date of submission of the initial request for
consultation and is not to be suspended or extended.
2. Where the processing operations referred to in paragraph 1 of this Article have
substantial significance for the performance of Europol’s tasks and are particularly
urgent and necessary to prevent and combat an immediate threat of a crime falling
EN 128 EN
within the scope of Europol’s competence or to protect vital interests of the data
subject or another person, Europol may exceptionally initiate processing.
In that case, Europol shall inform the EDPS prior to the start of processing operations
and shall provide it with a reasoned description of the intended purpose of the
processing, the categories of data concerned and an initial assessment of the risks to
data subjects. Europol shall submit to the EDPS the additional information required
for the purpose of the prior consultation of the EDPS within four weeks following
the start of processing operations.
Written advice of the EDPS pursuant to Article 90(4) of Regulation (EU) 2018/1725
shall be taken into account retrospectively, and the way the processing is carried out
shall be adjusted accordingly.
The Data Protection Officer shall be involved in assessing the urgency of such
processing operations and shall oversee the processing in question.
Article 109
Data Protection Officer
1. The Management Board shall appoint a member of Europol staff as Data Protection
Officer, who shall be designated for that sole position.
2. To support the Data Protection Officer in carrying out his or her tasks, a member of
Europol staff may be designated as assistant Data Protection Officer
3. The Data Protection Officer shall report directly to the Management Board.
4. The Management Board shall adopt implementing rules concerning the Data
Protection Officer. Those implementing rules shall in particular concern the
procedure for the selection of the Data Protection Officer and his or her dismissal,
tasks, duties and powers, as well as safeguards for his or her independence.
5. The Data Protection Officer shall be appointed for a term of four years and shall be
eligible for reappointment.
6. The provisions applicable to the Data Protection Officer shall apply mutatis mutandis
to the assistant Data Protection Officer.
7. Where the Data Protection Officer considers that the provisions of this Regulation or
of Regulation (EU) 2018/1725 concerning the processing of personal data have not
been complied with, he or she shall inform the Executive Director and shall require
him or her to resolve the non-compliance within a specified period. Where the
Executive Director does not resolve the non-compliance of the processing within the
specified period, the Data Protection Officer shall inform the Management Board.
The Management Board shall reply within a specified time limit agreed with the Data
Protection Officer. Where the Management Board does not resolve the non-
compliance within the specified period, the Data Protection Officer shall refer the
matter to the EDPS.
Article 110
Fundamental Rights Officer
EN 129 EN
1. The Management Board shall, upon a proposal of the Executive Director, designate a
Fundamental Rights Officer. The Fundamental Rights Officer may be a member of
Europol staff who received special training in fundamental rights law and practice.
2. The Fundamental Rights Officer shall perform the following tasks:
(a) advise Europol where he or she deems it necessary or where requested on any
activity of Europol without impeding or delaying those activities;
(b) monitor Europol’s compliance with fundamental rights;
(c) provide non-binding opinions on working arrangements;
(d) inform the Executive Director about possible violations of fundamental rights
in the course of Europol’s activities;
(e) promote Europol’s respect of fundamental rights in the performance of its tasks
and activities;
(f) any other tasks where provided for by this Regulation.
3. The Fundamental Rights Officer shall report directly to the Executive Director and
prepare annual reports on his or her activities, including the extent to which the
activities of Europol respect fundamental rights. Those reports shall be made
available to the Management Board.
Article 111
Fundamental Rights Training
Europol staff shall receive mandatory training on the protection of fundamental rights and
freedoms. All Europol staff involved in operational tasks involving personal data processing
should receive dedicated training concerning the processing of personal data. This training
shall be developed in cooperation with the European Union Agency for Fundamental Rights
and CEPOL.
Article 112
Supervision by the national supervisory authority
1. For the purpose of exercising their supervisory function, the national supervisory
authorities referred to in Article 41 of Directive (EU) 2016/680 shall have access, at
the Europol national unit or at the liaison officers’ premises, to data submitted by
their Member State to Europol in accordance with the relevant national procedures
and to logs as referred to in Article [...] of Regulation (EU) 2018/1725.
2. National supervisory authorities shall have access to the offices and documents of
their respective liaison officers at Europol.
3. National supervisory authorities shall, in accordance with the relevant national
procedures, supervise the activities of Europol national units and the activities of
liaison officers, insofar as such activities are relevant to the protection of personal
data. They shall also keep the EDPS informed of any actions they take with respect
to Europol.
4. Any person shall have the right to request the national supervisory authority to verify
the legality of any transmission or transfer or communication to Europol of data
concerning him or her in any form and of access to those data by the Member State
EN 130 EN
concerned. That right shall be exercised in accordance with the national law of the
Member State in which the request is made.
Article 113
Cooperation between the EDPS and national supervisory authorities
1. The EDPS shall act in close cooperation with the national supervisory authorities on
issues requiring national involvement, in particular where the EDPS or a national
supervisory authority finds major discrepancies between the practices of Member
States or potentially unlawful transmissions or transfers in the use of Europol's
channels for exchanges of information, or in the context of questions raised by one or
more national supervisory authorities on the implementation and interpretation of
this Regulation.
2. In the cases referred to in paragraph 1, coordinated supervision shall be ensured in
accordance with Article 62 of Regulation (EU) 2018/1725. The EDPS shall use the
expertise and experience of the national supervisory authorities in carrying out his or
her duties as set out in Regulation (EU) 2018/1725.
In carrying out joint inspections together with the EDPS, members and staff of
national supervisory authorities shall, taking due account of the principles of
subsidiarity and proportionality, have powers equivalent to those laid down in
Regulation (EU) 2018/1725 and be bound by an obligation equivalent to that laid
down in Article 129 of this Regulation
3. The EDPS shall keep national supervisory authorities fully informed of all issues
directly affecting or otherwise relevant to them. Upon the request of one or more
national supervisory authorities, the EDPS shall inform them of specific issues.
4. In cases relating to data originating from one or more Member States, including the
cases referred to in Article 114, the EDPS shall consult the national supervisory
authorities concerned. The EDPS shall not decide on further action to be taken before
those national supervisory authorities have informed the EDPS of their opinion,
within a deadline specified by him or her which shall not be shorter than one month
and not longer than three months from when the EDPS consults the national
supervisory authorities concerned. The EDPS shall take the utmost account of the
respective positions of the national supervisory authorities concerned. Where the
EDPS intends not to follow the position of a national supervisory authority, he or she
shall inform that authority, provide a justification and submit the matter to the
European Data Protection Board.
Chapter IX
Remedies and liability
Article 114
Procedure for the handling of complaints by the EDPS
1. Where a complaint relates to a decision referred to in Articles 105 or 106 of this
Regulation or Articles 81 or 82 of Regulation (EU) 2018/1725, the EDPS shall
consult the national supervisory authorities of the Member State that provided the
data or of the Member State directly concerned. In adopting his or her decision,
EN 131 EN
which may extend to a refusal to communicate any information, the EDPS shall take
into account the opinion of the national supervisory authority.
2. Where a complaint relates to the processing of data provided by a Member State to
Europol, the EDPS and the national supervisory authority of the Member State that
provided the data shall, each acting within the scope of their respective competences,
ensure that the necessary checks on the lawfulness of the processing of the data have
been carried out correctly.
3. Where a complaint relates to the processing of data provided to Europol by Union
institutions, bodies, offices or agencies, third countries or international organisations,
or of data retrieved by Europol from publicly available sources or resulting from
Europol’s own analyses, the EDPS shall ensure that Europol has correctly carried out
the necessary checks on the lawfulness of the processing of the data.
Article 115
General provisions on liability and the right to compensation
1. Europol's contractual liability shall be governed by the law applicable to the contract
in question.
2. The Court of Justice of the European Union shall have jurisdiction to give judgment
pursuant to any arbitration clause in a contract concluded by Europol.
3. In the case of non-contractual liability, Europol shall, in accordance with the general
principles common to the laws of the Member States, make good any damage caused
by its departments or by its staff in the performance of their duties.
4. The Court of Justice of the European Union shall have jurisdiction in disputes
relating to compensation for damage as referred to in paragraph 3.
5. The personal liability of Europol staff vis-à-vis Europol shall be governed by the
provisions laid down in the Staff Regulations or in the Conditions of Employment of
Other Servants applicable to them.
Chapter X
Joint parliamentary scrutiny
Article 116
Joint parliamentary scrutiny
1. Pursuant to Article 88 TFEU, the scrutiny of Europol's activities shall be carried out
by the European Parliament together with national parliaments. That shall constitute
a specialised JPSG established jointly by the national parliaments and the competent
committee of the European Parliament. The organisation and the rules of procedure
of the JPSG shall be determined together by the European Parliament and the
national parliaments in accordance with Article 9 of Protocol No 1 on the role of
National Parliaments in the European Union.
2. The JPSG shall politically monitor Europol's activities in fulfilling its mission,
including as regards the impact of those activities on the fundamental rights and
freedoms of natural persons.
3. The Chairperson of the Management Board, the Executive Director or their Deputies
shall appear before the JPSG at its request to discuss matters relating to the activities
EN 132 EN
referred to in the first subparagraph, including the budgetary aspects of such
activities, the structural organisation of Europol and the potential establishment of
new units and specialised centres, taking into account the obligations of discretion
and confidentiality. The JPSG may decide to invite to its meetings other relevant
persons, where appropriate.
4. The EDPS shall appear before the JPSG at its request, and at least once a year, to
discuss general matters relating to the protection of fundamental rights and freedoms
of natural persons, and in particular the protection of personal data, with regard to
Europol's activities, taking into account the obligations of discretion and
confidentiality.
5. Europol shall consult the JPSG in relation to the multiannual programming of
Europol in accordance with Article 73(1).
6. Europol shall transmit the following documents, for information purposes, to the
JPSG, taking into account the obligations of discretion and confidentiality:
(a) strategic analyses, threat assessments, trend reports and situational briefings
relating to Europol's competence and the results of studies and evaluations
commissioned by Europol;
(b) the administrative arrangements concluded pursuant to Article 79(3);
(c) the document containing the multiannual programming and the annual work
programme of Europol, referred to in Article 73(1);
(d) the consolidated annual activity report on Europol’s activities, referred to in
Article 73(2), including relevant information on Europol’s activities and results
obtained in processing large data sets, without disclosing any operational
details and without prejudice to any ongoing investigations;
(e) the evaluation report drawn up by the Commission, referred to in Article 130;
(f) annual information pursuant to Article 96(12) on the personal data exchanged
with private parties pursuant to Articles 96, including an assessment of the
effectiveness of cooperation, specific examples of cases demonstrating why
those requests were necessary and proportionate for the purpose of enabling
Europol to carry out its tasks, and, as regards personal data exchanges pursuant
to Article 96, the number of children identified as a result of those exchanges
to the extent that this information is available to Europol;
(g) annual information about the number of cases where it was necessary for
Europol to process personal data that do not relate to the categories of data
subjects listed in Annex II, alongside information on the duration and outcomes
of the processing, including examples of such cases demonstrating why that
data processing was necessary and proportionate;
(h) annual information about transfers of personal data to third countries and
international organisations pursuant to Article 94, including the number of
cases authorised transfers pursuant to Article 94(2);
(i) annual information about the number of cases in which Europol proposed the
possible entry of information alerts in accordance with Article 30, including
specific examples of cases demonstrating why the entry of those alerts was
proposed;
EN 133 EN
(j) annual information about the number of research and innovation projects
undertaken, including information on the purposes of those projects, the
categories of personal data processed, the additional safeguards used, including
data minimisation, the law enforcement needs those projects seek to address
and the outcome of those projects;
(k) annual information on the number and types of cases where special categories
of personal data were processed, pursuant to Article 100.
The examples referred to in points (f) and (i) shall be anonymised insofar as personal
data are concerned.
The examples referred to in point (g) shall be anonymised insofar as personal data
are concerned, without disclosing any operational details and without prejudice to
any ongoing investigations.
7. The JPSG may request other relevant documents necessary for the fulfilment of its
tasks relating to the political monitoring of Europol's activities, subject to Regulation
(EC) No 1049/2001 of the European Parliament and of the Council76 and without
affecting Articles 117 and 129 of this Regulation.
8. The JPSG may draw up summary conclusions on the political monitoring of
Europol’s activities, including non-binding specific recommendations to Europol,
and submit those conclusions to the European Parliament and national parliaments.
The European Parliament shall forward those conclusions, for information purposes,
to the Council, the Commission and Europol.
Article 117
Access by the European Parliament to information processed by or through Europol
1. For the purpose of enabling it to exercise parliamentary scrutiny of Europol's
activities in accordance with Article 116, access by the European Parliament and the
JPSG to sensitive non-classified information processed by or through Europol, upon
the European Parliament's request, shall comply with the rules referred to in Article
129(1).
2. Access by the European Parliament to EU classified information processed by or
through Europol shall be consistent with the applicable Interinstitutional Agreement
between the European Parliament and the Council concerning the forwarding to and
the handling by the European Parliament of classified information held by the
Council on matters other than those in the area of the common foreign and security
policy, and shall comply with the rules referred to in Article 129(2) of this
Regulation.
3. The necessary details regarding access by the European Parliament to the
information referred to in paragraphs 1 and 2 shall be governed by working
arrangements concluded between Europol and the European Parliament.
76 Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001
regarding public access to European Parliament, Council and Commission documents (OJ L 145,
31.5.2001, p. 43, ELI: http://data.europa.eu/eli/reg/2001/1049/oj)
EN 134 EN
Chapter XI
Staff
Article 118
General provisions
1. The Staff Regulations, the Conditions of Employment of Other Servants and the
rules adopted by agreement between the institutions of the Union for giving effect to
the Staff Regulations and to the Conditions of Employment of Other Servants shall
apply to Europol staff.
2. Europol staff shall consist of temporary staff and contract staff. The Management
Board shall be informed on a yearly basis of contracts of an indefinite duration
granted by the Executive Director. The Management Board shall decide which posts
to be occupied by temporary agents provided for in the establishment plan can be
filled only by staff from the competent authorities of the Member States. The
Management Board shall regularly review those posts in light of operational
requirements and the need to preserve specialised expertise. Staff recruited to occupy
such posts may be awarded only fixed-term contracts, renewable once. The overall
maximum period of such temporary agent contracts shall not exceed ten years.
Article 119
Seconded national experts
1. Europol may make use of seconded national experts.
2. The Management Board shall adopt a decision laying down rules on the secondment
of national experts to Europol.
Chapter XII
Financial provisions
Article 120
Budget
1. Estimates of all revenue and expenditure for Europol shall be prepared each financial
year, which shall correspond to the calendar year, and shall be shown in Europol's
budget.
2. Europol's budget shall be balanced in terms of revenue and of expenditure.
3. Without prejudice to other resources, Europol's revenue shall comprise of:
(a) a contribution from the Union entered in the general budget of the Union;
(b) contributions from countries associated with the implementation, application
and development of the Schengen acquis, where such contributions are
provided for in the relevant international agreements;
(c) any voluntary financial contributions from Member States, in accordance with
the rules adopted by the Management Board.
EN 135 EN
4. Europol may benefit from Union funding in the form of contribution agreements or
ad hoc grants in accordance with its financial rules referred to in Article 124 and with
the provisions of the relevant instruments supporting the policies of the Union.
5. Europol’s expenditure shall include staff remuneration, administrative and
infrastructure expenses, and operating costs.
6. Budgetary commitments for actions extending over more than one financial year may
be broken down into several annual instalments.
Article 121
Establishment of the budget
1. Each year the Executive Director shall draw up a draft statement of estimates of
Europol's revenue and expenditure for the following financial year, including an
establishment plan, and shall send it to the Management Board. The draft statement
of estimates shall be established in a manner that ensures a clear differentiation of
appropriations by sub-activity, in accordance with the structure of the Single
Programming Document.
2. The Management Board shall, on the basis of the draft statement of estimates, adopt
a provisional draft estimate of Europol's revenue and expenditure for the following
financial year, including the provisional establishment plan. The Management Board
shall send it to the European Parliament, to the Council and to the Commission by 31
January each year, as part of the draft single programming document.
3. The Management Board shall send the final draft estimate of Europol's revenue and
expenditure, which shall include a draft establishment plan, to the Commission by 31
March each year.
4. The Commission shall send the statement of estimates to the European Parliament
and the Council, together with the draft general budget of the Union.
5. On the basis of the statement of estimates, the Commission shall enter in the draft
general budget of the Union the estimates that it considers necessary for the
establishment plan and the amount of the contribution to be charged to the general
budget, which it shall place before the European Parliament and the Council in
accordance with Articles 313 and 314 TFEU.
6. The European Parliament and the Council shall authorise the appropriations for the
contribution from the Union to Europol.
7. The European Parliament and the Council shall adopt Europol's establishment plan.
8. Europol's budget shall be adopted by the Management Board. It shall become final
following the final adoption of the general budget of the Union. Where necessary, it
shall be adjusted accordingly.
9. Delegated Regulation (EU) 2019/715 shall apply to any building projects that are
likely to have significant implications for Europol’s budget.
Article 122
Implementation of the budget
1. The Executive Director shall implement Europol's budget.
EN 136 EN
2. Each year the Executive Director shall send to the European Parliament and the
Council all information relevant to the findings of any evaluation procedures.
Article 123
Presentation of accounts and discharge
1. Europol's accounting officer shall send the provisional accounts for the financial year
(year N) to the Commission's accounting officer and to the Court of Auditors by 1
March of the following financial year (year N + 1).
2. Europol shall send a report on the budgetary and financial management for year N to
the European Parliament, the Council and the Court of Auditors by 31 March of year
N + 1.
3. The Commission's accounting officer shall send Europol's provisional accounts for
year N, consolidated with the Commission's accounts, to the Court of Auditors by 31
March of year N + 1.
4. On receipt of the Court of Auditors’ observations on Europol’s provisional accounts
pursuant to Article 252 of Regulation (EU, Euratom) 2024/2509 of the European
Parliament and of the Council, Europol’s accounting officer shall draw up Europol’s
final accounts for that year. The Executive Director shall submit those final accounts
to the Management Board for an opinion.
5. The Management Board shall deliver an opinion on Europol's final accounts for year
N.
6. Europol's Executive Director shall, by 1 July of year N + 1, send the final accounts
for year N to the European Parliament, the Council, the Commission, the Court of
Auditors and national parliaments, together with the Management Board's opinion
referred to in paragraph 5.
7. The final accounts for year N shall be published in the Official Journal of the
European Union by 15 November of year N + 1.
8. The Executive Director shall send to the Court of Auditors, by 30 September of year
N + 1, a reply to the observations made in its annual report. He or she shall also send
the reply to the Management Board.
9. Upon the request of the European Parliament, the Executive Director shall submit to
it any information required for the smooth application of the discharge procedure for
year N, in accordance with Article 261(3) of Regulation (EU, Euratom) 2024/2509.
10. On a recommendation from the Council acting by a qualified majority, the European
Parliament shall, before 15 May of year N + 2, grant a discharge to the Executive
Director in respect of the implementation of the budget for year N.
Article 124
Financial rules
1. The financial rules applicable to Europol shall be adopted by the Management Board
after consultation with the Commission. They shall not depart from Delegated
Regulation (EU) 2019/715 unless such a departure is specifically required for the
operation of Europol and the Commission has given its prior consent.
2. Europol may award grants related to the achievement of its tasks.
EN 137 EN
3. Europol may award grants without a call for proposals to Member States, third
countries and international organisations for the performance of activities falling
within the scope of Europol’s competence.
4. Where duly justified for operational purposes, following authorisation by the
Management Board, financial support may cover the full investment costs of
equipment and infrastructure.
5. The financial rules referred to in paragraph 1 may specify the criteria under which
financial support may cover the full investment costs referred to in the first
subparagraph of this paragraph.
6. In respect of the financial support to be given to joint investigation teams’ activities,
Europol and Eurojust shall jointly establish the rules and conditions upon which
applications for such support are to be processed.
Chapter XIII
Miscellaneous provisions
Article 125
Privileges and immunities
1. Protocol No 7 on the privileges and immunities of the European Union, annexed to
the TEU and to the TFEU, shall apply to Europol and its staff.
2. Privileges and immunities of liaison officers and members of their families shall be
subject to an agreement between the Kingdom of Netherlands and the other Member
States. That agreement shall provide for such privileges and immunities as are
necessary for the proper performance of the tasks of liaison officers.
Article 126
Language arrangements
1. The provisions laid down in Regulation No 1 shall apply to Europol.
2. The Management Board shall decide by a majority of two-thirds of its members on
the internal language arrangements of Europol.
3. Translation and all other linguistic services required by Europol, other than
interpretation, shall be provided by the Translation Centre for the bodies of the
Union established by Council Regulation (EC) No 2965/9477.
Article 127
Transparency
1. Regulation (EC) No 1049/2001 shall apply to documents held by Europol. When
Europol supports the investigations of the EPPO, the application of Regulation (EC)
No 1049/2001 by Europol shall not affect Article 109 of Regulation (EU) 2017/1939.
2. Decisions taken by Europol under Article 8 of Regulation (EC) No 1049/2001 may
be the subject of a complaint to the European Ombudsman or of an action before the
77 Council Regulation (EC) No 2965/94 of 28 November 1994 setting up a Translation Centre for bodies
of the European Union (OJ L 314, 7.12.1994, p. 1, ELI: http://data.europa.eu/eli/reg/1994/2965/oj).
EN 138 EN
Court of Justice of the European Union, in accordance with Articles 228 and 263
TFEU respectively.
3. Europol shall publish on its website a list of the Management Board members and
summaries of the outcome of the meetings of the Management Board. The
publication of those summaries shall be temporarily or permanently omitted or
restricted where such publication would jeopardise the performance of Europol's
tasks, taking into account its obligations of discretion and confidentiality and the
operational character of Europol.
Article 128
Prevention and combating fraud and irregularities
1. The Court of Auditors shall have a power of audit, on the basis of documents and on-
the-spot checks, over all grant beneficiaries, contractors and subcontractors who have
received Union funds from Europol.
2. OLAF may carry out investigations, including on-the-spot checks and inspections, to
establish whether there has been fraud, corruption or any other illegal activity
affecting the financial interests of the Union in connection with a grant or a contract
awarded by Europol, or serious matters relating to the discharge of professional
duties constituting a dereliction of the obligations of members or staff members
liable to result in disciplinary or, as the case may be, criminal proceedings. Such
investigations shall be carried out in accordance with the provisions and procedures
laid down in Regulation (EU, Euratom) No 883/2013 of the European Parliament and
of the Council78 and in Council Regulation (Euratom, EC) No 2185/9679.
3. In accordance with Regulation (EU) 2017/1939, the EPPO investigates and
prosecutes fraud and other illegal activities affecting the financial interests of the
Union as provided for in Directive (EU) 2017/1371 of the European Parliament and
of the Council80.
Article 129
Rules on the protection of sensitive non-classified and classified information
1. Europol shall adopt its security rules that shall be based on the principles and rules
laid down in the Commission's security rules for protecting European Union
classified information (EUCI) and sensitive non-classified (SNC) information
including, inter alia, provisions for the exchange of such information with third
78 Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of
11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF)
and repealing Regulation (EC) No 1073/1999 of the European Parliament and of the Council and
Council Regulation (Euratom) No 1074/1999 (OJ L 248, 18.9.2013, p. 1, ELI:
http://data.europa.eu/eli/reg/2013/883/oj). 79 Council Regulation (Euratom, EC) No 2185/96 of 11 November 1996 concerning on-the-spot checks
and inspections carried out by the Commission in order to protect the European Communities' financial
interests against fraud and other irregularities (OJ L 292, 15.11.1996, p. 2,
ELI: http://data.europa.eu/eli/reg/1996/2185/oj). 80 Directive (EU) 2017/1371 of the European Parliament and of the Council of 5 July 2017 on the fight
against fraud to the Union's financial interests by means of criminal law (OJ L 198, 28.7.2017, p. 29,
ELI: http://data.europa.eu/eli/dir/2017/1371/oj).
EN 139 EN
countries, and processing and storage of such information as set out in Commission
Decisions (EU, Euratom) 2015/44381 and (EU, Euratom) 2015/44482.
2. The management board shall adopt Europol’s security rules following approval by
the Commission. When assessing the proposed security rules, the Commission shall
ensure that they are compatible with Decisions (EU, Euratom) 2015/443 and (EU,
Euratom) 2015/44483.
Article 130
Evaluation and review
1. Not later than … [five years after the entry into force of this Regulation], and every
five years thereafter, the Commission shall carry out an evaluation of Europol’s
performance in relation to its competence, mandate, tasks and governance in
accordance with Commission's guidelines. The Management Board shall be heard in
the evaluation process. When assessing the impact of Europol’s activities on
fundamental rights, the Commission shall seek input from the European Union
Agency for Fundamental Rights.
2. The evaluation shall, in particular, address the possible need to modify the mandate
of Europol, and the financial implications of any such modification.
3. On the occasion of every second evaluation, there shall be an assessment of the
results achieved by Europol having regard to its competence, mandate, governance
and tasks, including an assessment of whether the continuation of the Agency is still
justified with regard to such competence, mandate, governance and tasks.
4. The Commission shall report to the European Parliament, the Council and the
Management Board on the evaluation findings. The findings of the evaluation shall
be made public.
Article 131
Administrative inquiries
The activities of Europol shall be subject to inquiries by the European Ombudsman in
accordance with Article 228 TFEU.
Article 132
Headquarters
The necessary arrangements concerning the accommodation to be provided for Europol in the
Kingdom of the Netherlands and the facilities to be made available by the Kingdom of the
Netherlands, together with the specific rules applicable there to the Executive Director,
members of the Management Board, Europol staff and members of their families, shall be laid
down in a headquarters agreement between Europol and the Kingdom of the Netherlands, in
accordance with Protocol No 6.
81 Commission Decision (EU, Euratom) 2015/443 of 13 March 2015 on Security in the Commission (OJ L
72, 17.3.2015, p. 41, ELI: http://data.europa.eu/eli/dec/2015/443/oj). 82 Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting
EU classified information (OJ L 72, 17.3.2015, p. 53, ELI: http://data.europa.eu/eli/dec/2015/444/oj). 83 Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting
EU classified information (OJ L 72, 17.3.2015, p. 53).
EN 140 EN
This shall be without prejudice to the possibility for Europol to host operational, technical or
administrative functions and capacities in other Member States.
Chapter XIV
Transitional provisions
Article 133
Legal succession
1. Europol as established by this Regulation shall be the legal successor of Europol as
established by Regulation (EU) 2016/794 for all its rights and obligations under the
applicable national, Union and international law.
2. This Regulation shall not affect the validity of the cooperation agreements and
working arrangements concluded by Europol under the Europol Convention,
Decision 2009/371/JHA or Regulation (EU) 2016/794. Such cooperation agreements
and working arrangements shall remain in force and shall be applied until they expire
or are replaced.
Article 134
Transitional arrangements
1. Europol may continue the activities initiated pursuant to Regulation (EU) 2016/794
that are not concluded before the date of application of this Regulation. Such
activities shall be continued in accordance with this Regulation.
2. Personal data processed by Europol before the date of application of this Regulation
in compliance with Regulation (EU) 2016/794 may continue to be processed by
Europol where such processing complies with this Regulation.
3. Any set of transfers to third countries and international organisations authorised by
the Management Board under the terms and conditions set out in Article 25(6) of
Regulation (EU) 2016/794 shall remain valid under this Regulation until the date of
expiry of the period for which the transfer was authorised.
4. Decisions, implementing measures, rules and arrangements adopted pursuant to
Regulation (EU) 2016/794 shall remain in force until repealed or replaced under this
Regulation.
5. The Management Board shall repeal decisions and measures adopted pursuant to
Regulation (EU) 2016/794, which do not comply with this Regulation.
6. Staff employed by Europol on the date of application of this Regulation shall retain
the rights and obligations arising from their contracts of employment and
appointments.
7. The Executive Director and the Deputy Executive Directors appointed on the basis of
Regulation (EU) 2016/794 shall, for the remaining period of his or her term of office,
have the respective responsibilities of Executive Director and Deputy Executive
Directors, as provided for in this Regulation.
Where, on the date of application of this Regulation, the Executive Director or a
Deputy Executive Director is serving his or her first term of office, that term of
office shall be of 5 years. Any extension of that term of office shall follow the
procedure set out in Article 76(3)-(7) of this Regulation.
EN 141 EN
Where, on the date of application of this Regulation, the Executive Director or a
Deputy Executive Director is serving his or her second term of office, that term of
office shall be of 5 years. It shall not be subject to any further extension.
8. The members of the Management Board and their alternates appointed under
Regulation (EU) 2016/794 shall continue to exercise their functions until the end of
their respective terms of office as determined under Regulation (EU) 2016/794.
Chapter XV
Amendments to other existing instruments
Article 135
Amendments to Regulation (EU) 2018/1726
In Regulation (EU) 2018/1726, the following Article 41a is inserted:
’Article 41a
Cooperation with Europol
1. eu-LISA may cooperate with Europol in areas of common interest related to the
development, deployment and operation of information systems and related
communication infrastructure.
2. The cooperation between eu-LISA and Europol referred to in paragraph 1 shall in
particular include, where appropriate and in accordance with their respective
mandates:
(a) the participation in, or use of, procurement procedures, including joint
procurement actions, framework contracts or other procurement instruments
for the acquisition of works, supplies or services;
(b) the sharing, re-use or adaptation of technical components, tools, services or
building blocks developed or operated by either agency;
(c) the provision of technical support, expertise or services, including in the field
of system development, testing, maintenance and security;
(d) the establishment of joint project teams and the exchange of staff, expertise and
other resources necessary for the implementation of common projects and
technical activities.
3. Upon request by Europol in accordance with Article 86 of Regulation (EU) …/…. of
the European Parliament and of the Council*, eu-LISA shall provide public key
infrastructure certificates from eu-LISA’s Certification Authority to Europol and,
where appropriate, to the competent authorities of the Member States for the
purposes of Europol’s services, tools and applications.
4. Cooperation under paragraphs 1 to 3 shall take place within the framework of
working arrangements setting out the practical modalities, including financial
aspects, governance arrangements, arrangements for staff exchanges and temporary
assignments, and the establishment and operation of joint project teams.’.
* Regulation (EU) …/… of the European Parliament and of the Council [on the European
Union Agency for Law Enforcement Cooperation (Europol), amending Regulations
(EU) 2018/1726 and (EU) 2024/982, and repealing Regulation (EU) 2016/794]’.
EN 142 EN
Article 136
Amendments to Regulation (EU) 2024/982
Article 49 of Regulation (EU) 2024/982 is amended as follows:
(1) in paragraph 5, the following second subparagraph is added:’
‘Europol may conduct such searches using:
(a) data provided by third countries;
(b) data originating from Member States.’;
(2) the following paragraphs are inserted:
‘5a. For searches performed with DNA profiles, dactyloscopic data and facial images,
Europol may only use data originating from Member States where authorised by the
data-owning Member State. This authorisation may be granted in the following
cases:
(a) on a case-by-case basis;
(b) pursuant to a standing authorisation, subject to conditions defined by the
Member State.
5b. When conducting searches with biometric data originating from Member States, Europol
shall act as a technical and forensic service provider on behalf of the authorising
Member State and respecting any restrictions on access, transfer, transmission,
deletion, destruction or further use of information indicated by that Member State.
(3) in paragraph 6, the first subparagraph is replaced by the following:
‘Where the procedures referred to in Articles 6, 11 or 20 show a match between the
data used for the search and data held in the national database of the requested
Member State or Member States, Europol shall inform only the Member State or
Member States involved and, where applicable, the Member State or Member States
that authorised the use of data pursuant to paragraph 6.’;
(4) in paragraph 6, second subparagraph, point (c) is replaced by the following:
‘(c) the name of the third country or Member State which provided the
data has been transmitted.’;
(5) paragraph 7 is replaced by the following:
‘7. Europol’s use of information obtained from a query made in accordance with this Article,
and from the exchange of a set of core data in accordance with paragraph 6, shall be
subject to the consent of the Member State in whose database the match occurred and,
where applicable, of the Member State that authorised the use of data pursuant to
paragraph 6. Where the Member State allows such information to be used, its handling
by Europol shall be governed by Regulation (EU) …/… of the European Parliament
and of the Council* [this Regulation].
_____________
EN 143 EN
* Regulation (EU) …/… of the European Parliament and of the Council [on the European
Union Agency for Law Enforcement Cooperation (Europol), amending Regulations
(EU) 2018/1726 and (EU) 2024/982, and repealing Regulation (EU) 2016/794]’.
Chapter XVI
Final provisions
Article 137
Start of operations
1. The Commission shall determine the date from which the Member States can start
using the data loader solutions referred to in Article 38(3) to upload information to
the Europol cross-checking service by means of an implementing act as referred to in
paragraph 8 of that Article.
The Commission shall determine, by means of the implementing act referred to in
the first subparagraph, the date from which the Member States are to start using the
data loader solutions.
The Commission shall determine the date from which Europol is to start using the
Europol cloud infrastructure referred to in Article 50, by means of an implementing
act as referred to in paragraph 9 of that Article.
2. The Commission shall determine the date from which Europol and the Member
States can start using the Police Shared Data Platform referred to in Article 42, by
means of an implementing act as referred to in paragraph 5 of that Article.
The Commission shall determine, by means of the implementing act referred to in
the first subparagraph, the date from which Europol and the Member States are to
start using the Police Shared Data Platform.
3. The Commission shall determine the date from which the Member States can start
using the EU DNA matching application referred to in Article 54 by means of an
implementing act as referred to in Article 49.
4. The Commission shall determine the date from which Europol, the Member States
and the Commission are to start using the statistics and reporting tools referred to in
Article 52, by means of an implementing act as referred to in paragraph 6 of that
Article.
5. The Commission shall determine the date from which other Union bodies, offices
and agencies are to start using the Hit/No-hit system referred to in Article 80, by
means of an implementing act as referred to in paragraph 9 of that Article.
Article 138
Committee procedure
1. The Commission shall be assisted by a committee. That committee shall be a
committee within the meaning of Regulation (EU) No 182/2011.
2. Where reference is made to this Article, Article 5 of Regulation (EU) No 182/2011
shall apply. Where the committee delivers no opinion, the Commission shall not
adopt the draft implementing act and Article 5(4), third subparagraph, of Regulation
(EU) No 182/2011 shall apply.
EN 144 EN
Article 139
Exercise of the delegation
1. The power to adopt delegated acts is conferred on the Commission subject to the
conditions laid down in this Article.
2. The power to adopt delegated acts referred to in Article 19 shall be conferred on the
Commission for an indeterminate period of time from … [the date of entry into force
of this Regulation].
3. The delegation of power referred to in Article 19 may be revoked at any time by the
European Parliament or by the Council. A decision to revoke shall put an end to the
delegation of the power specified in that decision. It shall take effect the day
following the publication of the decision in the Official Journal of the European
Union or at a later date specified therein. It shall not affect the validity of any
delegated acts already in force.
4. Before adopting a delegated act, the Commission shall consult experts designated by
each Member State in accordance with the principles laid down in the
Interinstitutional Agreement of 13 April 2016 on Better Law-Making.
5. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to
the European Parliament and to the Council.
6. A delegated act adopted pursuant to Article 19 shall enter into force only if no
objection has been expressed either by the European Parliament or by the Council
within a period of two months of notification of that act to the European Parliament
and the Council or if, before the expiry of that period, the European Parliament and
the Council have both informed the Commission that they will not object. That
period shall be extended by two months at the initiative of the European Parliament
or of the Council.
Article 140
Repeal
1. Regulation (EU) 2016/794 is repealed with effect from [date of application of this
Regulation].
2. References to Regulation (EU) 2016/794 shall be construed as references to this
Regulation.
Article 141
Entry into force and application
1. This Regulation shall enter into force on the twentieth day following that of its
publication in the Official Journal of the European Union.
2. It shall apply from [date].
EN 145 EN
3. This Regulation shall be binding in its entirety and directly applicable in the Member
States in accordance with the Treaties.
Done at Brussels,
For the European Parliament For the Council
The President The President
[...] [...]
EN 146 EN
LEGISLATIVE FINANCIAL AND DIGITAL STATEMENT- AGENCIES
1. FRAMEWORK OF THE PROPOSAL/INITIATIVE
1.1. Title of the proposal/initiative
Proposal for a Regulation of the European Parliament and of the Council on the
European Union Agency for Law Enforcement Cooperation (Europol), amending
Regulation (EU) 2018/1726 and Regulation (EU) 2024/982, and repealing
Regulation (EU) 2016/794
1.2. Policy area(s) concerned
Policy area: Home Affairs
Activity: 12 Security
12 02 01: Internal Security Fund (ISF)
12 10 01: Europol
1.3. Objective(s)
1.3.1. General objective(s)
The general objective of this initiative is to strengthen Europol’s capacity to support
Member States in preventing and combating serious and organised crime and
terrorism in an increasingly complex and cross-border security environment, and
hence to contribute to the overall security and safety of the EU. In particular, it is to
ensure that Europol can effectively provide operational and analytical support,
facilitate information exchange, and contribute to coordinated EU responses to
emerging and evolving criminal threats,
1.3.2. Specific objective(s)
Specific objective No 1
Reinforce Europol’s role as an information hub for law enforcement
This objective aims to strengthen Europol’s capacity to collect, process, analyse and
share high-quality criminal information across borders. It seeks to improve the
timeliness, interoperability and usability of information exchanges with Member
States and EU bodies and agencies. The objective addresses fragmentation and
under-utilisation of existing tools, while ensuring robust data protection and
fundamental rights safeguards.
Specific objective No 2:
Europol as an operational hub
The objective is to strengthen Europol’s capacity to provide timely, actionable and
comprehensive operational support in investigations into serious and organised crime
and terrorism. This includes enabling Europol to engage more effectively in cross-
border cases, by strengthening its ability to identify operational links between
national investigations, coordinate operational follow-up between Member States,
and provide continuous criminal intelligence, analytical, technical, forensic and
financial investigation support.
The aim is also to strengthen Europol’s cooperation with Union bodies and agencies,
in particular the European Public Prosecutor's Office (EPPO). It seeks to ensure a
EN 147 EN
continuum of Union-level support throughout the operational lifecycle by improving
information flow, operational coordination, and the complementary use of Union-
level capabilities
Specific objective No 3:
Europol as a technology and innovation hub
The proposal aims to strengthen Europol’s capacity to support the competent
authorities of the Member States along the full research, innovation and capability
development cycle. This includes enabling Europol to identify common capability
needs, drive research and innovation activities, support the testing, validation and
scaling of innovative solutions, and develop or provide shared capabilities addressing
common operational requirements. The aim is also to position Europol as a central
platform for cooperation on technology and innovation, facilitating the pooling of
expertise, resources and investments and supporting the strategic technological
autonomy and resilience of the Union in the field of internal security.
1.3.3. General objective(s)
Overall impact:
The initiative is expected to improve the effectiveness, speed and coordination of
cross-border investigations, enabling earlier identification of criminal actors and
networks and more effective disruption of serious and organised crime and terrorism
affecting the security of the Union. The initiative is also expected to strengthen the
Union’s capacity to detect and combat fraud, corruption, money laundering and other
criminal activities that affect the financial interests of the EU.
As a result, EU citizens are expected to benefit from safer communities, better
protection of victims, reduced infiltration of criminal networks into the economy and
public institutions, lower financial and societal harm caused by criminal activities,
and a more secure environment for businesses for legitimate economic activity and
investment across the Union. The proposal does not contain regulatory obligations
for citizens/consumers and does not create additional costs in that regard.
The proposal is expected to generate significant economies of scale for public
authorities by pooling specialised operational, analytical, technical and digital
forensic capabilities at EU level, thereby reducing duplication of resources and
investments across Member States. National authorities will benefit from more
efficient access to advanced expertise, operational support and technological
capacities that would be costly and resource-intensive to develop individually at
national level.
More specifically:
Benefits to Member States law enforcement authorities and EU bodies and
agencies:
– Increased availability at Union level of relevant operational and analytical
information supporting national and cross-border investigations.
– Earlier and more effective operational coordination in cross-border
investigations, including faster initiation of operational cooperation, more
timely judicial follow-up where needed, and joint analytical activities across
Member States.
EN 148 EN
– Faster, more accessible and more operationally relevant support from
Europol for national and joint investigations, including more timely, reliable
and enriched operational analytical products, financial investigation support
and operational follow-up.
– Improved identification of criminal networks, cross-border operational links
and illicit financial flows across jurisdiction.
– More effective handling of complex investigations involving digital
evidence and large unstructured datasets through increased access to
specialised analytical, technical, forensic and digital forensic capabilities at
Union level.
– Increased analytical and operational support to relevant Union bodies and
agencies, in particular the European Public Prosecutor's Office, facilitating
complementarity, coordinated investigative follow-up and more coherent
Union-level action across the investigative and judicial lifecycle.
– Increased efficiency:
– Increased share of national investigations benefiting from Union-level
information, operational support and specialised capabilities.
– Faster operational follow-up and reduced delays in cross-border
investigations.
– Reduced costs associated with access to specialised analytical,
technical and digital forensic capabilities through economies of scale
at Union level.
– Reduced duplication of efforts and parallel investigations through
improved information sharing, operational coordination and
deconfliction mechanisms.
– More efficient use of existing Union information systems through
increased interoperability and shared operational use.
– Reduced need for the development of separate analytical capacities by
relevant Union bodies and agencies, in particular the EPPO, unless
such latter capacities are made necessary by the specific mandate of
the relevant Union bodies and agencies, through increased access to
Europol’s Union-level analytical capabilities.
Benefits to the Union’s internal security:
– Strengthened capacity to anticipate, detect and respond to evolving serious
and organised crime and terrorism.
– Earlier identification of criminal structures operating across multiple
jurisdictions.
– Stronger evidential support for judicial proceedings through enhanced
analytical, technical and forensic capabilities.
– Strengthened public trust in the Union’s capacity to protect citizens,
businesses and public finances against serious and organised crime.
1.3.4. Indicators of performance
Specify the indicators for monitoring progress and achievements.
EN 149 EN
Specific Objective 1:
- Europol maintains up to 5 standards and reference guidance document on
information exchange (number of standards and guidance on data format and
exchange actively supported by Europol; baseline 0; target 5.)
- Half of the criminal investigators in EU have been issued an EU digital Police
ID and given an effective access to the EU Police Shared Data Space (share of
police officers in the EU with criminal investigative powers registered as users of
the EU Police Shared Data Space; baseline 0%; target 50%)
- Half of the criminal investigations warranting the use of high-end analytical tools
rely on tools made available by Europol (share of criminal cases opened within
the year across the EU for which investigations relied on analytical tools either
jointly procured or made available online by Europol through the EU Police
Shared Data Space; baseline 0%; target 10%84)
- All individuals found suspect or convicted of a criminal offense85 over the year
have been checked against Europol data, in every Member State (number of
Member States for which the ratio “number of yearly searches into Europol
databases” against Eurostat figures on persons suspect or offender within the year
is over 1.00; baseline 1; target = 26)
- Law enforcement authorities have systematically followed-up with other
Member States for cross-border cases (number of Member States for which the
ratio “new cross border cases initiated such as with SIENA, or JOAC…” against
“new cases over the year having triggered a hit in Europol databases” is over
0.90; target = 26)
- Law enforcement authorities have provided information to Europol on cross-
border case half of the times (number of Member States for which the ration
“provision of information to Europol via SIENA or other means” vs “number of
new cases over the year having triggered a hit in Europol database” is over 50%;
baseline = 5; target = 26)
- The information on all individuals convicted of a criminal offense over the year
has been shared with Member States and Europol into Europol information
system (ratio “records uploaded or updated into EIS within the year” against
Eurostat number of persons convicted; target = 100%)
Specific Objective 2:
- Increased share of cross-border investigations benefiting from Europol’s
operational, analytical or technical support.
(target: +30%)
- Reduction in the average time between receipt of operational information by
Europol and dissemination of analytical outputs to Member States
(target: < 24 hours)
- Increased number of investigations involving digital evidence supported through
Europol analytical and digital forensic capabilities
84 Commission assessment that 10% to 15% of criminal investigation warrants the use of AI tools. 85 Offences, suspects and offenders, as defined
https://ec.europa.eu/eurostat/cache/metadata/en/crim_sims.htm.
EN 150 EN
(target: +50%)
- Increased number or value of financial investigations, asset tracing or asset
recovery cases supported by Europol.
(target: +40%)
- Number of cases in which Europol issues proposals for urgent freezing or asset-
preservation measures to Member States’ Asset Recovery Offices.
- Increased number of operational links identified by Europol between
investigations conducted in different Member States.
(target: +40%)
- Increased number of national investigations supported directly through Europol
Support Offices.
- Increased share of cases handled by the EPPO requiring analytical support that
benefit from Europol.
(target: 90%)
Specific Objective 3:
- Number of capability gaps and technology development priorities identified
through the Foresight and Capability Development Framework leading to
concrete follow-up actions at Union or Member State level.
(target: 10 actions/year)
- Number of advanced capabilities or technological solutions made available by
Europol for operational use by Member States.
(target: 5/year)
- Number of specialised training activities supported by Europol on advanced
technologies, digital investigations and forensic capabilities.
(target: 6/year)
1.4. The proposal/initiative relates to:
a new action
a new action following a pilot project / preparatory action86
the extension of an existing action
a merger or redirection of one or more actions towards another/a new action
1.5. Grounds for the proposal/initiative
1.5.1. Requirement(s) to be met in the short or long term including a detailed timeline for
roll-out of the implementation of the initiative
The implementation of the legislative initiative will require the progressive
deployment of legal, organisational, operational and technological measures at Union
and national level. The roll-out should start upon the entry into force and application
of the Regulation and will require a gradual scaling-up of resources, in particular
human and ICT resources, in line with the increasing demand for Europol services
and capabilities.
86 As referred to in Article 58(2), point (a) or (b) of the Financial Regulation.
EN 151 EN
Implementation will notably require: (i) the adoption of tertiary legislation and
technical standards; (ii) the establishment of new governance, operational support
and capability-development structures within Europol; (iii) major investments in
secure, interoperable and cloud-based information management and analytical
infrastructures; (iv) the progressive development and deployment of advanced
analytical, artificial intelligence-enabled and digital forensic capabilities; and (v) the
integration of Europol services, systems and operational support into national
investigative workflows and cross-border law enforcement cooperation mechanisms.
The implementation will also require reinforced cooperation and updated working
arrangements between Europol, and relevant Union bodies and agencies, notably the
European Public Prosecutor's Office.
Indicative milestones are counted from the year of entry into application of the new
Regulation, and referred to Y.
Commission:
– Y+1 and subsequent years: adoption of tertiary legislation, notably on the
information hub (SO1).
Europol organisational, operational and governance measures:
– Y: establishment of the ICT and Information Management Steering and
Advisory Groups, the Capabilities and Innovation Advisory Group and the
Executive Board.
– Y: establishment of a dedicated operational capability supporting EPPO-
related cases.
– Y+3: fully staffed and structured EPPO operational support capability.
– Y: simplified rules on data subject categorisation become applicable.
– Y: establishment of Union Centres of specialised expertise, Operational and
Analysis Service (SO2) and Capabilities and Innovation Service (SO3),
including adoption by the Management Board of relevant implementing
rules.
– Y+3: full staffed Union Centres of specialised expertise, Operational and
Analysis Service (SO2) and Capabilities and Innovation Service (SO3).
– Y: establishment of Europol Support Offices in Member States.
– Y+1 to Y+3: staff seconded to national Europol Support Office.
– Y+1 to Y+3: update of relevant working arrangements between Europol and
Union bodies.
– Y+3 to Y+4: progressive development, together with relevant Union bodies,
of automated hit/no-hit cross-checking mechanisms against Europol data.
– Y+1: development of specialised EU-level support for national authorities
seeking to obtain electronic evidence from online service providers.
Europol capability development, ICT, innovation:
– Y+1: establishment of the Foresight and Capability Development
Framework and central joint procurement capability for technical
components (SO3).
EN 152 EN
– Y+2: first update of the UMF standard under Europol leadership and
availability of the DNA capability (SO1).
– Y+2: establishment of a scalable and secure hybrid cloud infrastructure at
Basic Protection Level (BPL) equivalent to sensitive non-classified
information.
– Y+5: extension of the cloud infrastructure to classified information
environments.
– Y+2: first integration test with a national police identity credential.
– Y+3 to Y+5: progressive integration of national police digital identity
credentials.
– Y+2: migration of a first major information management platform and
analytical tools to the cloud infrastructure.
– Y+3 to Y+5: progressive migration of remaining Europol systems and
analytical tools to the cloud infrastructure at BPL level.
– Y+6: migration of relevant systems to classified cloud environments.
– Y+1 to Y+6: gradual upgrade of core information management and
analytical platforms, including SIENA, cross-matching services and the
Europol analytical environment, through enhanced automation, artificial
intelligence-enabled functionalities, improved usability, increased
performance, data standardisation and expanded biometric functionalities.
– Y: first enhanced interconnection with national databases under Prüm II
using a first biometric modality.
– Y+2: extension to additional biometric modalities.
– Y to Y+6: progressive expansion of innovative and AI-based analytical
tools available to Europol and Member States.
– Y onwards: progressive consolidation of open-source intelligence (OSINT)
capabilities.
Member States:
– Y to Y+7 (continuous): Progressively adjust their national organisation and
introduce or reinforce automation for information exchange with Europol.
– Y to Y+7 (continuous): Upgrade of national systems and criminal
investigation workflows to progressively integrate Europol services,
analytical tools and interoperability standards.
– Y+1: first Member States upgrade national law enforcement digital
credentials in line with harmonised Union standards.
– Y+2 to Y+4: progressive issuance of the EU Digital Police ID to national
criminal investigators.
– Y+6: all national systems connected to Europol require prior authentication
through the EU Digital Police ID.
– Y+1: harmonisation of investigators’ digital endpoints to facilitate access to
EU Police Cloud infrastructure, platforms and tools.
EN 153 EN
– Y: establishment and hosting of Europol Support Offices by Member States.
Union bodies:
– Y+1 to Y+3: update of relevant working arrangements with Europol.
– Y: the EPPO to progressively implement the technical and organisational
measures necessary to support enhanced operational cooperation and access
to Europol analytical support.
– Y+3 to Y+4: progressive development, together with Europol, of automated
hit/no-hit cross-checking mechanisms.
1.5.2. Added value of EU involvement
Ex ante EU added value:
Serious and organised crime and terrorism increasingly operate across borders, rely
on digital technologies and infrastructures, and exploit differences between national
legal, operational and technical frameworks. The scale, speed and complexity of
these threats require coordinated action, interoperable systems and shared
capabilities at Union level. Action by Member States alone would not be sufficient to
ensure effective cross-border operational coordination, large-scale criminal
intelligence analysis, or the development and deployment of advanced technological
and analytical capabilities across the Union.
EU added value of the existing legal framework:
The evaluation of the current legal framework confirmed, based on a large
stakeholder consultation, that Europol delivers a clear EU added value by serving as
a centralised platform for criminal intelligence sharing and cross-border operational
coordination. Its infrastructure enables real-time information exchange among
Member States, helping identify links between investigations that would otherwise
remain undetected. Without Europol, cooperation would depend on slower, less
effective bilateral channels, making it harder to combat sophisticated transnational
criminal networks. Stakeholders agree that Europol’s analytical and coordination
support significantly improves the efficiency of cross-border investigations
compared to national or bilateral efforts alone.
According to the evaluation, Europol also provides specialised EU-level capabilities,
such as digital forensics, financial intelligence, and cybercrime expertise, which
many Member States, particularly smaller or less-resourced ones, could not develop
independently. This pooling of resources avoids duplication and ensures all Member
States benefit from advanced tools. Case studies show that Europol’s involvement
often proves critical in dismantling complex criminal networks operating across
multiple jurisdictions. Additionally, it acts as a single gateway for EU-international
law enforcement cooperation, reducing the need for multiple bilateral agreements.
EU added value of the proposed action
The proposed action provides clear added value at Union level by establishing
common operational, technical and interoperability frameworks that cannot be
effectively developed through isolated national measures or bilateral cooperation
arrangements. In particular, the development of harmonised standards for law
enforcement digital credentials, digital endpoints, data formats and investigative data
EN 154 EN
workflows requires Union-level coordination to ensure interoperability, secure
information exchange and coherent cross-border investigations across Member States
and relevant Union bodies.
The proposal also provides added value by enabling Union-level operational support,
coordination and cross-checking mechanisms based on Europol data and information
systems. Enhanced access to, and operational use of, Europol capabilities by Member
States and relevant Union bodies, notably the EPPO can by their nature only be
organised effectively at Union level.
In addition, the proposal generates economies of scale by pooling advanced
technological, analytical and digital forensic capabilities at Union level, including
artificial intelligence-based tools, secure cloud infrastructures, advanced forensic
technologies and joint procurement mechanisms. This reduces duplication of
investments and operational fragmentation across Member States and allows
capabilities to be developed and deployed more efficiently and at lower cost than
through parallel national solutions.
.
1.5.3. Lessons learned from similar experiences in the past
The evaluation of the current legal framework, and notably the stakeholder
consultation, confirmed that:
• EU-level coordination is indispensable. Astransnational crime demands
structured, centralised cooperation (and national efforts alone are insufficient)
Europol’s criminal intelligence-sharing systems and operational and
analytical capabilities are critical for effective cross-border investigations.
• Advanced technological and analytical capabilities are essential. With the
rising relevance of digital evidence, encryption, and cybercrime requiring
specialised expertise beyond individual Member States’ capacities, Europol
must continuously innovate (e.g., digital forensics, AI-driven analysis) to be
able to meet Member States’ operational needs.
• Systematic, automated information sharing must be strengthened.
Inconsistent data-sharing practices among Member States reduce operational
effectiveness, which could be addressed by a greater use of automated
exchange systems and standardised procedures.
• Coherence within the EU security framework is crucial: Clear mandates,
aligned data-protection rules, and efficient information exchange are needed
for seamless cooperation between Europol and other Union bodies.
• REFIT principles should guide procedural efficiency. Simplifying
processes, enhancing interoperability, and reducing administrative burdens
would boost operational speed. Digital tool upgrades (e.g., AI, secure data
platforms) should therefore be prioritised to support real-time collaboration.
Therefore,Europol’s current legal framework remains effective but needs to
evolve to address emerging threats and operational needs. Future adaptations
should focus on technology, interoperability, and streamlined cooperation to ensure
the resilience of the EU security framework.
In view of ensuring an effective implementation of the proposed measures, past
experience has also shown the importance of ensuring clear governance structures,
EN 155 EN
robust prioritisation mechanisms and effective coordination between Europol,
Member States, the Commission and other relevant Union bodies to avoid
duplication of efforts and ensure coherent operational and technological development
at Union level.
In addition, experience from previous capability development and ICT modernisation
projects demonstrated the need for clear allocation and traceability of Union
resources across operational and technological support activities, combined with
strong monitoring, reporting and accountability arrangements. The proposal therefore
reinforces governance, planning and reporting mechanisms. Moreover, there are
clear synergies that can be achieved in ICT projects through the cooperation between
Europol and eu-LISA, the EU Agency for the Operational Management of Large-
Scale IT Systems in the Area of Freedom, Security and Justice. Building on its
expertise, experience and cooperation with external service providers, eu-LISA can
effectively and efficiently provide Europol with services related to Information
Management and ICT. To that end, the proposal establishes a structured cooperation
between Europol and eu-LISA when it comes to the development, deployment and
operation of information systems and related communication infrastructure.
1.5.4. Compatibility with the multiannual financial framework and possible synergies with
other appropriate instruments
In the Political Guidelines for the 2024-2029 European Commission, the President of
the European Commission announced the objective “to make Europol a truly
operational police agency and more than double its staff over time. This should come
with a strengthened oversight and mandate”, to enhance support to national law
enforcement authorities.
On 16 July 2025, the Commission presented its proposal for the Multiannual
Financial Framework87 (“MFF”) for 2028-2034 amounting to almost EUR 2 trillion.
In light of the increasing security threats facing the Union and the demonstrated
added value of coordinated EU and Member State action in the area of internal
security, the proposed MFF aims to support the implementation of ProtectEU – a
European Internal Security Strategy and to strengthen the EU prevention,
preparedness and response capacity.
Within that framework, the Commission proposed a significant reinforcement of the
resources allocated to Justice and Home Affairs decentralised agencies including
Europol.
The figures presented in this LFDS exclusively concern the additional financial and
human resources required to implement the new measures introduced by the proposal
compared to the current Europol Regulation88. The proposal is estimated to require
additional resources for Europol and for eu-LISA, linked to the implementation of
the tasks delegated to the agency in this Regulation, amounting to approximately
EUR 1.053 billion and 910 additional staff89 posts over the 2028-2034 MFF,
87 COM(2025) 570 final; https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:52025DC0570 88 Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the
European Union Agency for Law Enforcement Cooperation (Europol)
http://data.europa.eu/eli/reg/2016/794/2026-01-11 89 In principle, the governance functions of Europol are expected to remain broadly stable in staffing
terms. The proposal is expected to generate efficiency gains, notably through the simplification and
EN 156 EN
compared to the 2027 baseline budget amounting to 1 226 staff and EUR 256.557
million in appropriations.
Those figures should therefore be read together with the resources necessary to
implement the existing measures under the current legal framework, estimated at
EUR 1.946 billion and 1 226 staff over the 2028-2034 MFF, based on the 2027
annual budget projected over seven years with a 2% annual inflation rate. When
summed, those amount to a global envelope of EUR 2.999 billion over the next MFF
and 2 336 staff at the end of the 2034, which align with Commission legislative
proposal for the 2028-2034 MFF
The activities to be carried out by Member States over the same period in support of
enhanced interoperability, integration of Europol systems into national investigative
workflows, deployment of digital police credentials and reinforced information
exchange capacities are estimated at approximately EUR 590 million over the first
seven years implementation period, notably for the adaptation of national systems,
workflows and technical interfaces necessary to support more integrated and
automated cooperation with Europol systems and tools.
The estimated impact on expenditure and staffing for 2028 and beyond is added for
illustrative purposes only and does not pre-judge the next Multiannual Financial
Framework. The source of financing and scope of Union financial commitment in the
post-2027 period remain subject to the outcome of interinstitutional negotiations on
the 2028-2034 MFF and thereafter shall be determined through the annual budgetary
procedure. All appropriations and staffing allocations as of 2028 are indicative.
1.5.5. Assessment of the different available financing options, including scope for
redeployment
The 2022 revision of Europol’s mandate represented a significant step towards
modernising the Agency’s mandate, notably by reinforcing its capacities in data
processing, innovation and support in response to the increasingly digital, cross-
border and complex nature of serious and organised crime and terrorism. That
revision was accompanied by an increase of approximately EUR 178 million
compared to the EUR 1 285 million budget initially adopted for Europol in the 2021-
2027 MFF proposal, corresponding to an increase of 14%.
Since then, the operational environment has evolved significantly. Criminal networks
have rapidly expanded their use of digital technologies, artificial intelligence,
encrypted communications and online infrastructure, while increasingly combining
cyber-enabled crime, financial crime, trafficking and other illicit activities into
highly adaptive and transnational criminal models. At the same time, the volume and
strategic importance of operational data in criminal investigations have increased
substantially. This has led to a continuous increase in Member States’ and Union
bodies’ expectations regarding Europol’s operational, analytical, technological,
forensic and coordination support, resulting in repeated requests for annual
reinforcements of Europol’s budget and staffing beyond the levels initially
programmed under the current MFF.
This proposal introduces substantial new operational, technological and capability-
streamlining of procedures relating to data protection, thereby limiting additional staffing needs for
horizontal governance and administrative functions.
EN 157 EN
development tasks, while also integrating and consolidating existing activities within
a more coherent operational and governance framework. Achieving the intended
operational impact and strengthening the Union’s law enforcement capabilities
accordingly requires substantial additional investments in specialised staff, advanced
technological infrastructure, secure cloud and analytical environments, artificial
intelligence-enabled tools and operational support mechanisms. Such investments
cannot be accommodated within the current financial envelope and therefore require
additional financial support from the Union budget.
All estimations of additional resource needs under the proposal are based on
Europol’s 2027 baseline budget, including operational appropriations and staff. The
Commission has carried out an extensive assessment of redeployment possibilities
within the Agency to identify whether the new tasks introduced by the proposal
could be accommodated within the existing resource framework. That assessment
concluded that Europol is already operating at or close to maximum operational
capacity. In particular, the Management Board already adopted reprioritisation
measures in 2024 in response to resource constraints. In this context, no significant
redeployment possibilities were identified that would allow Europol to absorb the
additional tasks envisaged by the proposal without negatively affecting the
implementation of existing operational activities and support to Member States.
Consequently, the proposal foresees additional financial and human resources for
Europol over the next MFF period to ensure the sustainable implementation of the
revised mandate and avoid structural underfunding of the Agency’s expanded
responsibilities.
The implementation of the proposal will entail additional activities for eu-LISA to
provide Europol with services related to Information Management and ICT.
Consequently, the proposal provides for targeted changes of the mandate of eu-LISA
and foresees that a limited number of additional human resources for eu-LISA over
the next MFF period to ensure the sustainable implementation of the structured
cooperation between Europol and eu-LISA as set out in the revised mandates of the
Agencies. At this point, it is not possible to quantify the operational expenditure for
these activities to be allocated to eu-LISA, as it is not yet clear which services
exactly Europol would implement through the services provided by eu-LISA.
Therefore, operational expenditure for these activities to be allocated to eu-LISA
from the total operation expenditure foreseen in this LFDS will be assessed at a later
date.
The implementation of the proposal will also entail additional activities for the
Commission services, notably the Directorate-General for Migration and Home
Affairs (DG HOME), in relation to governance, oversight, policy coordination and
the preparation and adoption of implementing acts. Additional support will also be
required from the Directorate-General for Digital Services (DG DIGIT), notably
regarding the establishment and management of ICT supply chain and cloud-
computing contractual frameworks supporting Europol’s technological infrastructure.
EN 158 EN
1.6. Duration of the proposal/initiative and of its financial impact
limited duration
– in effect from [DD/MM]YYYY to [DD/MM]YYYY
– financial impact from YYYY to YYYY for commitment appropriations and
from YYYY to YYYY for payment appropriations.
unlimited duration
– Implementation with a start-up period from YYYY to YYYY,
– followed by full-scale operation.
1.7. Method(s) of budget implementation planned
Direct management by the Commission
– by its departments, including by its staff in the Union delegations;
– by the executive agencies
Shared management with the Member States
Indirect management by entrusting budget implementation tasks to:
– third countries or the bodies they have designated
– international organisations and their agencies (to be specified)
– the European Investment Bank and the European Investment Fund
– bodies referred to in Articles 70 and 71 of the Financial Regulation
– public law bodies
– bodies governed by private law with a public service mission to the extent that
they are provided with adequate financial guarantees
– bodies governed by the private law of a Member State that are entrusted with
the implementation of a public-private partnership and that are provided with
adequate financial guarantees
– bodies or persons entrusted with the implementation of specific actions in the
common foreign and security policy pursuant to Title V of the Treaty on
European Union, and identified in the relevant basic act
– bodies established in a Member State, governed by the private law of a
Member State or Union law and eligible to be entrusted, in accordance with
sector-specific rules, with the implementation of Union funds or budgetary
guarantees, to the extent that such bodies are controlled by public law bodies or
by bodies governed by private law with a public service mission, and are provided
with adequate financial guarantees in the form of joint and several liability by the
controlling bodies or equivalent financial guarantees and which may be, for each
action, limited to the maximum amount of the Union support.
2. MANAGEMENT MEASURES
2.1. Monitoring and reporting rules
The monitoring and reporting of activities implemented by Europol under indirect
management will follow the provisions laid down in the new Europol’s Regulation,
EN 159 EN
the Financial Regulation90 and in line with the Common Approach on decentralised
agencies91.
Europol will annually submit a Single Programming Document (SPD) to the
Commission, the European Parliament, and the Council, setting out its multiannual
and annual work programmes, objectives, expected results, and performance
indicators. This document is prepared taking into account the opinion of the
Commission and the Joint Parliamentary Scrutiny Group (JPSG). Additionally,
Europol will adopt a Consolidated Annual Activity Report (CAAR), which assesses
progress against the SPD’s objectives. The Management Board approves this report
before it is transmitted to the Commission, the European Parliament, the Council, the
Court of Auditors, and national parliaments by 1 July each year.
Under the proposed Article 130 of the revised Europol Regulation, the Commission
will conduct an evaluation of Europol every five years, assessing its added value,
impact, effectiveness, efficiency, and working methods. The evaluation may propose
structural or operational modifications, including financial implications. The
Commission submits its report to the Management Board, which provides
observations within three months. The final report, along with the Commission’s
conclusions and the Board’s observations, is then sent to the European Parliament,
Council, national parliaments, and Management Board, with key findings made
public where appropriate.
The proposal further reinforces the role of the Management Board in defining and
monitoring the performance indicators, objectives and implementation priorities set
out in the SPD, the corresponding annual work programmes and the Consolidated
Annual Activity Report. To support those functions, the proposal establishes an
Executive Board and specialised ICT and Information Management Steering
structures responsible for supporting strategic oversight, budgetary monitoring and
follow-up of operational and technological implementation. The proposal also
strengthens the link between performance reporting and strategic programming by
aligning the evaluation criteria of the CAAR more closely with the objectives and
performance indicators established under the SPD and with the establishment of the
annual budget.
Finally, the proposal further enhances Europol’s governance, monitoring and
accountability framework. It reinforces the oversight role of the Management Board
by extending its supervision beyond performance indicators to the effective exercise
of the powers conferred on the Executive Director, and to the monitoring of strategic
and operational priorities. The Management Board will also be able to take action
where concerns are raised by at least one third of its members regarding a specific
operational or governance issue.
To support transparency, accountability and effective cooperation between Member
States and Europol, Europol will report annually to the Commission, the European
Parliament, the Council and national parliaments on the information contributed by
Member States, including in relation to Union priority crime areas. Those reports
will be based on quantitative and qualitative criteria established by the Management
Board. The Joint Parliamentary Scrutiny Group (JPSG) will continue to exercise
political scrutiny over Europol’s activities, notably with regard to operational
90 Financial regulation applicable to the general budget of the Union 91 Joint Statement on decentralised agencies.
EN 160 EN
effectiveness, accountability and compliance with fundamental rights obligations.
2.2. Management and control system(s)
2.2.1. Justification of the budget implementation method(s), the funding implementation
mechanism(s), the payment modalities and the control strategy proposed
Considering that the proposal impacts the annual EU contribution to Europol, the EU
budget will be implemented via indirect management.
Pursuant to the principle of sound financial management, the budget of Europol shall
be implemented in compliance with effective and efficient internal control. Europol
is therefore bound to implement an appropriate control strategy coordinated among
appropriate actors involved in the control chain.
Regarding ex-post controls, Europol, as a decentralised agency, is notably subject to:
- internal audit by the Internal Audit Service of the Commission.
- annual reports by the European Court of Auditors, giving a statement of
assurance as to the reliability of the annual accounts and the legality and
regularity of the underlying transactions.
- annual discharge granted by the European Parliament.
- possible investigations conducted by the European Anti-Fraud Office (OLAF)to
ensure, in particular, that the resources allocated to agencies are put to proper
use.
- As partner DG to Europol, DG HOME will implement its Control Strategy on
decentralised agencies to ensure reliable reporting in the framework of its Annual
Activity Report (AAR). While decentralised agencies have full responsibility for
the implementation of their budget, DG HOME is responsible for regular
payment of annual contributions established by the Budgetary Authority.
- Finally, the European Ombudsman provides a further layer of control and
accountability at Europol.
Based on the evaluation of the current legal framework, the Impact Assessment
accompanying the proposal for a new Europol Regulation, and the significant
increase in financial and human resources expected to support the implementation of
the proposal, additional governance, management and control mechanisms are
introduced to strengthen financial oversight, accountability and compliance with
principles of sound financial management:
- Under the proposed framework, where the European Commission considers that
a draft decision of the Management Board, including the Single Programming
Document (SPD), raises concerns regarding compliance with Union law,
Europol’s mandate or principles of sound financial management, it may request
the Management Board to reconsider the draft decision before its adoption.
- The Management Board is empowered with disciplinary authority over the
Executive Director, thereby strengthening accountability regarding operational
and financial management.
- the proposal establishes an Executive Board responsible, inter alia, for
monitoring follow-up to findings and recommendations resulting from internal
EN 161 EN
and external audits, including investigations conducted by OLAF and EPPO, and
for preparing and, where necessary, adopting provisional budgetary decisions
subject to subsequent validation by the Management Board.
These measures are intended to strengthen internal control, financial governance and
oversight of Europol’s budgetary implementation.
2.2.2. Information concerning the risks identified and the internal control system(s) set up
to mitigate them
The following risks are identified:
- Imbalances between short-term operational needs and long-term strategic
investments, notably concerning the migration towards secure cloud
infrastructures and automation of operational workflow.
- Misalignment between legal obligations, strategic priorities, multiannual
planning and annual implementation, notably in the domain of Information
Management and ICT capabilities.
- Pressure on operational resources resulting from increasing data volumes,
operational requests and evolving security threats.
- Capacity for Europol to reinforce staff and competences on IM and ICT and
address broadening of the agency’s mission and tasks.
- Delays in recruitment and retention of specialised ICT and analytical staff
necessary to support major technological developments.
- Increasing costs of ICT maintenance.
- Lack of long-term ICT asset management and procurement strategy.
- Additional compliance and conformity costs linked to the deployment of
advanced analytical and artificial intelligence-enabled tools under the Union
regulatory framework, including the AI Act.
- Increased workload related to the handling of data subject access requests.
- Dependencies on the timely implementation of technical and organisational
arrangements by other Union bodies and agencies, notably EPPO.
Regarding mitigation measures:
- Europol implements a specific Internal Control Framework based on the Internal
Control Framework of the European Commission and on the original Committee
of Sponsoring Organisations’ integrated internal control framework. The Single
Programming Document must provide information on the internal control
systems, while the Consolidated Annual Activity Report (CAAR) must contain
information on the efficiency and effectiveness of the internal control systems,
including as regards risk assessment. The CAAR 2024 reports that, based on the
analysis of the internal control components and principles which have been
monitored in the course of 2019, using both quantitative and qualitative elements,
the Europol Internal Control System is assessed as present and functioning in an
integrated manner across the agency.
- Another level of internal supervision is also provided by Europol’s Internal Audit
Capability, on the basis of an annual audit plan notably taking into consideration
the assessment of risks in Europol. The Internal Audit Capability helps Europol
EN 162 EN
in accomplishing its objectives by bringing a systematic and disciplined approach
to evaluate the effectiveness of risk management, control, and governance
processes, and by issuing recommendations for their improvement.
- As partner DG of Europol, DG HOME runs an annual risk management exercise
to identify and assess potential high risks related to agencies’ operations,
including Europol. Risks considered as critical are reported annually in DG
HOME management plan and are accompanied by an action plan stating the
mitigating action.
- The Executive Board, introduced by the legal proposal, plays a critical auditing
role by monitoring and ensuring accountability in Europol’s financial operations.
It is responsible for overseeing the implementation of Europol’s budget, ensuring
compliance with financial rules and sound financial management principles,
while preparing financial and budgetary decisions for adoption by the
Management Board. A key function is its obligation to ensure adequate follow-up
to findings and recommendations from internal and external audits, and
investigations conducted by OLAF and EPPO, thereby reinforcing financial
integrity and transparency. While the Board itself does not conduct audits, it
reviews audit reports, assesses their implications, and proposes corrective
measures to address identified weaknesses or irregularities, thereby acting as a
gatekeeper for financial probity within Europol.
- Finally, the ICT and Information Management steering group and advisory group
and the Innovation and Capability advisory group will support the Management
Board in delineating activities and sub activities related to budget planning and
execution of the Agency’s mandate and strategic priorities, notably by identifying
concrete and representative indicators for the Agency’s activity in the domain,
and the monitoring of the Agency’s implementation of the ICT related objectives
and tangible deliverables.
2.2.3. Estimation and justification of the cost-effectiveness of the controls (ratio between
the control costs and the value of the related funds managed), and assessment of the
expected levels of risk of error (at payment & at closure)
The ratio of “control costs/value of payments” is reported on by the Commission.
The 2024 AAR of DG HOME reports 0.10% for this ratio in relation to Indirect
Management Entrusted Entities and Decentralised Agencies, including Europol.
The European Court of Auditors confirmed the legality and regularity of Europol’s
annual accounts for 2024, which implies an error rate below 2%. There are no
indications that the error rate will worsen in the coming years.
Moreover, Article 80 of Europol’s Financial Regulation provides for the possibility
for the agency to share an internal audit capability with other Union bodies
functioning in the same policy area if the internal audit capability of a single Union
body is not cost-effective.
2.3. Measures to prevent fraud and irregularities
The proposal includes measures to ensure sound financial management and prevent
EN 163 EN
fraud, irregularities and conflicts of interest in the implementation of Union funding
and operational activities, notably Article 128 and the financial provisions under
Chapter XII.
Within this legal framework, the Management Board of Europol is required to adopt
and regularly update an internal anti-fraud strategy. Europol adopted an updated anti-
fraud strategy on 25-26 June 2025. In accordance with that framework, Europol will
continue to participate in fraud prevention activities carried out by OLAF and report
suspected fraud and financial irregularities to the Commission without delay.
The proposal also strengthens internal governance and financial oversight through
the establishment of an Executive Board responsible for monitoring audit findings
and ensuring follow-up to audit and control recommendations. In addition, the
Commission retains powers to object to Management Board decisions that may give
rise to risks of financial mismanagement or non-compliance with Union law.
Europol’s activities will remain subject to the applicable Union financial, audit, data
protection and accountability frameworks, including oversight and investigations by
OLAF, EPPO, the Court of Auditors and the Europol Cooperation Board.
DG HOME will continue to apply its Anti-Fraud Strategy in line with the
Commission's Anti-Fraud Strategy (CAFS), which also covers decentralised agencies
within its remit, including Europol.
EN 164 EN
3. ESTIMATED FINANCIAL IMPACT OF THE PROPOSAL/INITIATIVE
The estimated impact on expenditure and staffing for 2028 and beyond is added for
illustrative purposes only and does not pre-judge the next Multiannual Financial
Framework. The source of financing and scope of Union financial commitment in the
post-2027 period remain subject to the outcome of interinstitutional negotiations on
the MFF 2028-2034 and thereafter shall be determined through the annual budgetary
procedure. All appropriations and staffing allocations as of 2028 are indicative.
3.1. Heading(s) of the multiannual financial framework and expenditure budget
line(s) affected
• Existing budget lines
In order of multiannual financial framework headings and budget lines.
Heading of
multiannual
financial
framework
Budget line Type of
expenditure Contribution
1: Economic, social and territorial cohesion,
agriculture, rural and maritime prosperity and
security
Diff./Non-
diff.92
from
EFTA
countries 93
from
candidate
countries
and
potential
candidates 94
From
other
third
countries
other assigned
revenue
Decentralised agencies
Europol Non-diff.
YES/N
O YES/NO
YES/N
O YES/NO
92 Diff. = Differentiated appropriations / Non-diff. = Non-differentiated appropriations. 93 EFTA: European Free Trade Association. 94 Candidate countries and, where applicable, potential candidates from the Western Balkans.
EN 165 EN
3.2 Estimated financial impact of the proposal on appropriations
3.2.1. Summary of estimated impact on operational appropriations
– The proposal/initiative does not require the use of operational appropriations
– The proposal/initiative requires the use of operational appropriations, as explained below
3.2.1.1. Appropriations from voted budget
EUR million (to three decimal places)
Heading of multiannual financial framework 1 Economic, social and territorial cohesion, agriculture, rural and maritime prosperity and
security / National and Regional Partnership Plans
EUR million (to three decimal places)
[Agency]: Europol Year 2028 Year 2029 Year 2030 Year 2031 Year 2032 Year 2033 Year 2034 TOTAL MFF 2028-
2034
Budget line: 12 10 01 Europol / EU Budget contribution to
the agency95 57.512 92.346 120.831 150.385 178.830 207.164 234.384 1041.452
Budget line: 11 10 02 eu-LISA / EU Budget contribution
to the agency 96
0.756 1.687 1.863 1.863 1.863 1.863 1.863 11.758
Total Europol and eu-LISA 58,268 94,033 122,694 152,248 180,693 209,027 236,247 1053,21
Year Year Year Year Year Year Year TOTAL MFF 2028-
2034 2028 2029 2030 2031 2032 2033 2034
95 Commitments and Payments are identical. 96 Commitments and Payments are identical.
EN 166 EN
TOTAL operational
appropriations
(including contribution
to decentralised
agency)
Commitments (4) 58,268 94,033 122,694 152,248 180,693 209,027 236,247 1053,21
Payments (5) 58,268 94,033 122,694 152,248 180,693 209,027 236,247 1053,21
TOTAL appropriations of an
administrative nature financed from the
envelope for specific programmes
(6) 0 0 0 0 0 0 0 0
TOTAL
appropriations
under HEADING 1
Commitments =4+6 58 26894 033122 694152 248180,693209,027236,247 1053,21
of the multiannual
financial framework Payments =5+6 58 26894 033122 694152,248180,693209,027236,247 1053,21
EUR million (to three decimal places)
Heading of multiannual financial framework 4 ‘Administrative expenditure’
EUR million (to three decimal places)
DG: HOME Year Year Year Year Year Year Year TOTAL MFF 2028-
2034 2028 2029 2030 2031 2032 2033 2034
Human resources 0.496 0.496 0.690 0.690 0.884 0.884 1.078 5.218
Other administrative expenditure 0.268 0.518 0.268 0.518 0.268 0.518 0.268 2.626
TOTAL DG
HOME 0.764 1.014 0.958 1.208 1.152 1.402 1.346 7.844
EN 167 EN
TOTAL appropriations under HEADING 4 of
the multiannual financial framework
(Total commitments = Total payments)
0.764 1.014 0.958 1.208 1.152 1.402 1.346 7.844
EUR million (to three decimal places)
Year Year Year Year Year Year Year TOTAL MFF
2028-2034 2028 2029 2030 2031 2032 2033 2034
TOTAL
appropriations
under
HEADINGS 1
to 4
Commitments 59 032 95 047 123 652 153 456 181 845 210 429 237 593 1 061 054
of the
multiannual
financial
framework
Payments 59 032 95 047 123 652 153 456 181 845 210 429 237 593 1 061 054
The estimated impact on expenditure and staffing for 2028 and beyond is added for illustrative purposes only and does not pre-judge the next
Multiannual Financial Framework. The source of financing and scope of Union financial commitment in the post-2027 period remain subject
to the outcome of interinstitutional negotiations on the MFF 2028-2034 and thereafter shall be determined through the annual budgetary
procedure. All appropriations and staffing allocations as of 2028 are indicative.
3.2.2. Estimated output funded from operational appropriations
The additional operational appropriations and resources required exclusively for Europol to reach the three different Specific Objectives and
implement the corresponding actions, and for eu-LISA linked to the implementation of the tasks delegated to the agency in this Regulation,
amount to EUR 1,053 billion and 910 additional staff under the budget of both agencies. Those additional appropriations and resources add up
to the cost of existing measures of Europol’s budget (EUR 1,946 billion and 1226 staff) to an overall sum of EUR 2.999 billion and 2 126 staff
EN 168 EN
under the Europol budget, and 10 additional staff for the eu-LISA budget linked to the implementation of the tasks delegated to the agency in
this Regulation. Those additional operational appropriations and resources will be fully dedicated to support:
– SO1: Europol’s Information Management and ICT.
– SO2: the Union Centres of specialised expertise, Europol Support Offices, EPPO-dedicated support.
– SO3: Europol’s research, innovation and capability-building capacity.
At the same time, governance functions of Europol are expected to remain broadly stable in staffing terms, due to efficiency gains generated
by the proposal, notably through the simplification and streamlining of procedures relating to data protection, thereby limiting additional
staffing needs for horizontal governance and administrative functions.
Specific Objective Cost EUR million Staff
Baseline 2027 1 796,200 1 226
N/A Inflation 149,590 0
Existing measures 1 945,790 1 226
SO1
Upgrade to existing systems and tools 130,070 115
Access to national databases 37,857 53
Integration with national systems 25,400 34
EU Digital Police Cloud 415,415 194
SO2
Europol support offices 112,163 157
Union Centres of specialised expertise 118,703 171
Inter-agency cooperation 18,801 26
EPPO-dedicated support 40,895 70
SO3 Advanced capabilities 117,615 50
Technical support & procurement 36,292 40
New measures 1 053,210 910
TOTAL 2 990,000 2 136
EN 169 EN
3.2.3 Summary of estimated impact on administrative appropriations
– The proposal/initiative does not require the use of appropriations of an
administrative nature
– The proposal/initiative requires the use of appropriations of an administrative
nature, as explained below
3.2.3.1. Appropriations from voted budget
VOTED
APPROPRIATIONS
Year Year Year Year Year Year Year TOTAL
2028 -
2034 2028 2029 2030 2031 2032 2033 2034
HEADING 4
Human resources 0.496 0.496 0.690 0.690 0.8840.8841.078 5.218
Other administrative
expenditure 0.268 0.518 0.268 0.518 0.2680.5180.268 2.626
Subtotal HEADING 4 0,764 1,014 0,958 1,208 1,152 1,402 1,346 7,844
Outside HEADING 4
Human resources 0.000 0.000 0.000 0.000 0.0000.0000.000 0.000
Other expenditure of an administrative nature
0.000 0.000 0.000 0.000 0.0000.0000.000 0.000
Subtotal outside
HEADING 4 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000
TOTAL 0,764 1,014 0,958 1,208 1,152 1,402 1,346 7,844
The appropriations required for human resources and other expenditure of an
administrative nature will be met by appropriations from the DG that are already
assigned to management of the action and/or have been redeployed within the DG,
together, if necessary, with any additional allocation which may be granted to the
managing DG under the annual allocation procedure and in the light of budgetary
constraints.
The estimated impact on expenditure and staffing for 2028 and beyond is added for
illustrative purposes only and does not pre-judge the next Multiannual Financial
Framework. The source of financing and scope of Union financial commitment in the
post-2027 period remain subject to the outcome of interinstitutional negotiations on
the MFF 2028-2034 and thereafter shall be determined through the annual budgetary
procedure. All appropriations and staffing allocations as of 2028 are indicative.
3.2.4. Estimated requirements of human resources
– The proposal/initiative does not require the use of human resources
– The proposal/initiative requires the use of human resources, as explained
below
3.2.4.1. Financed from voted budget
Estimate to be expressed in full-time equivalent units (FTEs)
VOTED APPROPRIATIONS Year Year Year Year Year Year Year
2028 2029 2030 2031 2032 2033 2034
Establishment plan posts (officials and temporary staff)
20 01 02 01 (Headquarters and
Commission’s Representation Offices) 2 2 3 3 4 4 5
20 01 02 03 (EU Delegations) 0 0 0 0 0 0 0
EN 170 EN
(Indirect research) 0 0 0 0 0 0 0
(Direct research) 0 0 0 0 0 0 0
Other budget lines (specify) 0 0 0 0 0 0 0
• External staff (in FTEs)
20 02 01 (AC, END from the ‘global
envelope’) 1 1 1 1 1 1 1
20 02 03 (AC, AL, END and JPD in the EU
Delegations) 0 0 0 0 0 0 0
Admin. Support line • at
Headquart
ers
0 0 0 0 0 0 0
[XX.01.YY.YY] • in EU
Delegation
s
0 0 0 0 0 0 0
(AC, END - Indirect research) 0 0 0 0 0 0 0
(AC, END - Direct research) 0 0 0 0 0 0 0
Other budget lines (specify) - Heading 4 0 0 0 0 0 0 0
Other budget lines (specify) - Outside Heading 4
0 0 0 0 0 0 0
TOTAL 3 3 4 4 5 5 6
Considering the overall strained situation in Heading 4, in terms of both staffing and the level
of appropriations, the human resources required will be met by staff from the DG who are
already assigned to the management of the action and/or have been redeployed within the DG
or other Commission services.
The staff required to implement the proposal (in FTEs):
To be covered by
current staff
available in the
Commission
services
Exceptional additional staff*
To be
financed
under
Heading 4
or Research
To be
financed from
BA line
To be financed
from fees
Establishment plan posts 5 N/A
External staff (CA, SNEs,
INT) 1
Description of tasks to be carried out by:
Officials and temporary
staff
2 AD in setup phase dedicated for the 2028-2029 period in
charge of the adoption of the secondary legislation, maintained
in the “running” phase, to cater for the growing implementing
acts related to Information Management platforms and systems,
which need to be adapted on a regular basis in line with
EN 171 EN
constant evolution of law enforcement tools notably related to
forensics and analytics, and the corresponding data protection
aspects
1 AD specialist in cost accounting and IM and R&I strategy, in
relation to both Executive IM and ICT Steering group
1 AD with budgetary skills to support doubling of the
representation to the MB, to the creation of the Executive
Board and additional monitoring obligations
1 AST: support and preparation of the additional meetings and
briefings of the additional bodies (14+ per year)
External staff 1 SNE: expertise support in information management, data
protection, research and innovation: participate to IM and ICT
advisory group
The estimated impact on expenditure and staffing for 2028 and beyond is added for
illustrative purposes only and does not pre-judge the next Multiannual Financial Framework.
The source of financing and scope of Union financial commitment in the post-2027 period
remain subject to the outcome of interinstitutional negotiations on the MFF 2028-2034 and
thereafter shall be determined through the annual budgetary procedure. All appropriations and
staffing allocations as of 2028 are indicative.
3.2.5. Overview of estimated impact on digital technology-related investments
3.2.6. Compatibility with the current multiannual financial framework (not to be completed
for decentralised agencies)
3.2.7. Third-party contributions
The proposal/initiative:
– does not provide for co-financing by third parties
– provides for the co-financing by third parties estimated below:
Appropriations in EUR million (to three decimal places)
Year Year Year Year Year Year Year Total
2028 2029 2030 2031 2032 2033 2034
Specify the co-financing
body
TOTAL appropriations co-
financed
3.2.8. Estimated human resources and the use of appropriations required in a
decentralised agency
The amount of appropriations to be allocated to the agencies in the next MFF is indicative and
subject to the agreement on the MFF. It should be integrated into the Agencies’ subsidy due to
the permanent nature of the tasks allocated by this proposal and will be compensated, if
EN 172 EN
relevant, by an equivalent reduction of a relevant programme envelope under the same MFF
heading. If a compensatory reduction is needed, the resources allocated to the Agencies may
also need to be revised through the annual budgetary procedure.
Staff requirements (full-time equivalent units):
Agency: Europol Year
2028
Year
2029
Year
2030
Year
2031
Year
2032
Year
2033
Year
2034
Temporary agents
(AD Grades) 109 216 322 429 535 637 749
Temporary agents
(AST grades) 0 0 0 0 0 0 0
Temporary agents (AD+AST)
subtotal 109 216 322 429 535 637 749
Contract agents 0 10 19 36 51 64 77
Seconded national experts 12 22 34 45 53 64 74
Contract agents and seconded
national experts subtotal 12 32 53 81 104 128 151
TOTAL staff 121 248 375 510 639 765 900
Appropriations covered by the EU budget contribution in EUR million (to three decimal
places)97:
Agency: Europol Year
2028
Year
2029
Year
2030
Year
2031
Year
2032
Year
2033
Year
2034
TOTAL
2028 - 2034
Title 1: Staff expenditure 12 491 37 722 63 154 89 056 115 069 140 307 166 197 623 996
Title 2: Infrastructure and
operating expenditure
Title 3: Operational expenditure 45 021 54 624 57 677 61 329 63 761 66 857 68 187 417 456
TOTAL of appropriations
covered by the EU budget 57 512 92 346 120 831 150 385 178 830 207 164 234 384 1 041 452
97 Please refer to footnote Error! Bookmark not defined..
EN 173 EN
Overview/summary of human resources and appropriations (in EUR million) required by the
proposal/initiative in a decentralised agency98:
Agency: Europol Year
2028
Year
2029
Year
2030
Year
2031
Year
2032
Year
2033
Year
2034
TOTAL
2028 -
2034
Temporary agents (AD+AST) 109 216322429535 637 749 749
Contract agents 0 10193651 64 77 77
Seconded national experts 12 22344553 64 74 74
Total staff 121 248 375 510 639 765 900 900
Appropriations covered by the
EU budget 57 512 92 346 120 831 150 385 178 830 207 164 234 384 1 041 452
Appropriations covered by fees
(if applicable) 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000
Appropriations co-financed
(if applicable) 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000
TOTAL appropriations 57 512 92 346 120 831 150 385 178 830 207 164 234 384 1 041 452
Staff requirements (full-time equivalent units):
Agency: eu-LISA Year
2028
Year
2029
Year
2030
Year
2031
Year
2032
Year
2033
Year
2034
Temporary agents
(AD Grades) 7 7 7 7 7 7 7
Temporary agents
(AST grades) 0 0 0 0 0 0 0
Temporary agents (AD+AST)
subtotal 7777777
Contract agents 0 3 3 3 3 3 3
Seconded national experts 0 0 0 0 0 0 0
Contract agents and seconded
national experts subtotal 0333333
TOTAL staff 7 10 10 10 10 10 10
Appropriations covered by the EU budget contribution in EUR million (to three decimal
places)99:
98 Please refer to footnote Error! Bookmark not defined..
EN 174 EN
Agency: eu-LISA Year
2028
Year
2029
Year
2030
Year
2031
Year
2032
Year
2033
Year
2034
TOTAL
2028 - 2034
Title 1: Staff expenditure 0.756 1.687 1.863 1.863 1.863 1.863 1.863 11.758
Title 2: Infrastructure and
operating expenditure
Title 3: Operational expenditure p.m. p.m. p.m. p.m. p.m. p.m. p.m. p.m.
TOTAL of appropriations
covered by the EU budget 0.756 1.687 1.863 1.863 1.863 1.863 1.863 11.758
Any additional budget needs for eu-LISA linked to the implementation of the tasks delegated
to the agency in this Regulation will be offset against the appropriations allocated to Europol
within this LFDS.
99 Please refer to footnote Error! Bookmark not defined..
EN 175 EN
Overview/summary of human resources and appropriations (in EUR million) required by the
proposal/initiative in a decentralised agency100:
Agency: eu-LISA Year
2028
Year
2029
Year
2030
Year
2031
Year
2032
Year
2033
Year
2034
TOTAL
2028 -
2034
Temporary agents (AD+AST) 7 7777 7 7 7
Contract agents 0 3333 3 3 3
Seconded national experts 0 0000 0 0 0
Total staff 7 10 10 10 10 10 10 10
Appropriations covered by the
EU budget 0.756 1.687 1.863 1.863 1.863 1.863 1.863 11.758
Appropriations covered by fees
(if applicable) 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000
Appropriations co-financed
(if applicable) 0.000 0.000 0.000 0.000 0.000 0.000 0.000 0.000
TOTAL appropriations 0.756 1.687 1.863 1.863 1.863 1.863 1.863 11.758
Any additional budget needs for eu-LISA linked to the implementation of the tasks delegated
to the agency in this Regulation will be offset against the appropriations allocated to Europol
within this LFDS.
100 Please refer to footnote Error! Bookmark not defined..
EN 176 EN
DIGITAL DIMENSIONS
4.1. Requirements of digital relevance
Reference to the
requirement
Requirement description Actors affected or
concerned by the
requirement
High-level Processes Categories
Article 8(7) Member States respond to Europol
request for information and criminal
intelligence to contribute to coordination
measures.
Europol
MS CA
Information exchange
Access to MS
information
Process digitalisation
and automation
Data
Digital public service
Article 9(2) Member States ensure Europol access to
information accessible by Asset
Recovery Offices (ARO) and maintains
level of direct accessibility.
Europol
MS AROs
Information exchange
Access to MS
information
Digital public
services
Data
Article 9(3) Member States to inform Europol on
decision not to freeze upon Europol
request MS LEA to take immediate
action in case of risk of disappearance of
property.
Europol
MS LEA
Information exchange
Request for freezing
Digital public
services
Data
Articles 9(4) and
9(5)
Member State Financial Investigation
Units (FIU) to reply to Europol requests
(mirrors Directive 2019/1153 Article
12).
Europol
MS FIU
MS ENU
Eropol-FIU information
exchange
Analysis
Digital public
services
Data
Articles 7(1) and
7(2)
Europol analytical products of
operational and strategical nature on the
Europol,
Commission, MS
Analysis Process digitalisation
and automation
EN 177 EN
basis of information provided by
Member States, relevant Union bodies
and from OSINT.
LEA, Council Report Data
Article 7(2) Europol support to common
methodologies and standards on
analytical products.
Europol
And beneficiaries:
MS LEA, Council,
Commission,
Eurojust/EUBOAs
Standardisation
Analysis
Data
Articles 7(3) and
7(4)
MS, EUBOA provide information to
Europol for strategic and operational
analytical products.
Europol
MS (in general)
EUBOAs
Analysis
Information exchange
share to Europol
Digital public
services
Data
Article 11 Data flows in the context of requests by
Europol for the initiation of a criminal
investigation.
Europol
Member States
(national units)
Eurojust
EPPO
Operational cooperation Data
Articles 12 and 13 Europol coordination for handling
incoming and outgoing provision and
request for information.
Europol
MS CA, TC, IO,
EUBOAs
Information Exchange
Analysis
Process digitalisation
and automation
Digital public service
Article 18(a) Europol cooperation with competent
authorities in the context of removal
order of terrorist online content.
Europol
MS CA
Private parties
Information Exchange
with CA and PP
TCO removal orders
Digital public
services
Data
EN 178 EN
Article 18(a) Europol referrals to online service
providers.
Europol
MS CA
Private parties
Information exchange
with PP
TCO referrals
Digital public
services
Data
Article 18(c) Europol support to crisis response. Europol
MS CA
Private parties
Information exchange
Crisis response
Digital public service
Data
Article 16(a) Europol supports ARO in the tracing
and identification of instrumentalities,
proceeds, and properties, which are, or
might become, the object of a freezing
or confiscation order, in accordance
with Article 6.
Europol
MS AROs
Information exchange
Freezing procedure
Digital public service
Data
Article 16(c) Europol operational and analytical
support to the EPPO.
Europol
EPPO
Information exchange
Analysis
Digital public service
Data
Article 21(4) Europol may process information while
part of JIT
Europol
MS CA
collect
analysis of information
Data
Article 22(5)(a) ENU receive messages exchanged
between Europol their competent
authorities.
MS ENU
MS CA
Europol
Europol-MS information
exchange
Process digitalisation
and automation
Data
Digital public service
Article 22(5)(b) ENU have access to national law
enforcement data and relevant data
necessary for cooperation with Europol.
MS ENU
Europol
access to MS data Data
Process digitalisation
and automation
EN 179 EN
Digital public service
Articles 22(8),
25(6) and 26
Technical and operational uptake of
Europol systems and tools nationally by
ENU and by Europol Support offices
(ESO).
Europol staffs ESO, covers cost of ENU
connection, and provides ENU technical
and financial support.
Europol
MS ENU
MS LEA
Uptake Process digitalisation
and automation
Article 28 Information sources available to
Europol.
Europol, the
EPPO,
MS law
enforcement
authorities (LEA)
Private parties
Third countries and
international
organisations
Collect information Data
Article 29 Member States’ mandatory provision of
information to Europol via the SIENA
channel, including immigration liaison
officers.
MS CA
Europol
Immigration liaison
officers
share to Europol Data
Digital public service
Article 29(3) Use of SIENA channel by Member
States.
MS CA
Europol
share to Europol
Europol access to MS
data
Process digitalisation
and automation
Article 29(6) Europol report on information provided Europol Report Data
EN 180 EN
by Member States. Council
European
Parliament
Article 30 Europol to support Member States in
application of SIS Regulations57.
Member shall inform Europol of
insertion and hits on information alerts.
Europol
Member States
LEA
SIS information
exchange
Digital public Service
Data
Articles 32 and 33 Limitation to Europol processing by
nature (i.e. category of data subject as
victim vs. suspect) by purpose (analysis,
cross-checking, research & innovation).
Europol
All beneficiaries of
analytical products
Cross-check
Analysis
Innovation
Process digitalisation
and automation
Articles 32 and 33 Limitations to Europol processing of
information, by restrictions set by the
data owner (data ownership principle) at
the moment of sharing.
Europol,
Europol MB
MS LEA
EDPS
Collection
Analysis
Cross-check
Analysis
information exchange
innovation
Process digitalisation
and automation
Article 34 Europol notification to Member States
law enforcement authorities when
relevant operational information is
found, across all processes.
Europol
MS LEA
Information exchange
Europol notification to
LEA
Digital public service
Data
Article 35 to
Article 39
Creation of a cross-checking service:
nature, format, and quality of data (IA);
automated cross-check upon insertion.
Commission
Europol
Member States
Development
Information exchange
Data
Process digitalisation
and automation
EN 181 EN
Available to Europol, Member States
LEA and EU information systems.
LEA
EU Information
Systems
Cross-check
ETIAS and VIS security
checks
Digital solution
Digital public service
Article 35 to 39 Member States to connect their case
management systems to the cross-
checking service (IA), to upload data
(IA) to query the data (IA)
Commission
Europol
MS CA
Development
Collection
share to Europol
Cross checking
Data
Process digitalisation
and automation
Article 35 to
Article 40
Creation of Europol analytical
environment, to support Europol’s
analytical activities for the storage,
processing, cross-checking, visualisation
and analysis of data, including in
support of criminal investigations and
operational coordination. specialised
analytical, technical, digital, forensic or
multidisciplinary capabilities, including
through investigative, analytical,
technical and strategic services
Europol
Indirectly, MS CA,
EUBOAs,
International
organisations, Third
countries
Collection, Analysis,
Cross-check, exchange,
report.
Data
Digital solution
Process digitalisation
& automation
Article 41 Conditions for searching Europol
analytical environment.
Europol
MS CA,
EU Information
systems
Cross-check
Data
Digital public service
Digital solution
Articles 42, 43, 44
and 45
Creation of a Police Shared Data
Space, using the Europol cloud
infrastructure, and hosting analytical
and communication tools for Member
Commission
Europol
MS CA, TC
Development
Information exchange
Joint analysis
Data
Process digitalisation
& automation
EN 182 EN
States investigators(IA); creation of
joint operational analysis cases.
Digital solution
Digital public service
Article 46 Creation of Europol Secure Information
Exchange Network Application
(SIENA) for facilitating the exchanges
of information. Responsibilities,
Architecture, Obligations to use by
Member States and Europol, and
functionalities (IA).
Commission
Europol
MS, TC, IO, PP
Development
Information exchange
Data
Digital solution
Process digitalisation
& automation
Digital public Service
Article 47 Creation of a platform for cooperation
with private parties.
Private Parties
Europol
Member States
Development Digital solution
Digital public Service
Article 47(2)(a) Private parties to report and to notify to
Europol under TCO Regulation55 and
Digital Services Act56 via the Platform.
Europol TCO removal orders,
referrals
DSA
Process digitalisation
& automation
Article 47(2)(b) Europol to provide private parties with
the information necessary to identify
relevant online content, services,
accounts, infrastructures or digital
activities via the Platform.
Europol
Private Parties
Online crisis situation Process digitalisation
& automation
Article 48 Europol support the operation of the
European Police Record Index System
in application of the Prüm II
regulation58.
Europol System development and
Operation
Digital solution
Digital public service
EN 183 EN
Article 49 Additional services and tools can be
developed (IA) under the Police Shared
Data Space
Commission
Europol Committee
Europol
MS CA, TC,
EUBOA, II, PP
Development
Collection, Information
exchange, Analysis,
Cross-checking, report,
joint analysis
Data
Digital solution
Process digitalisation
& automation
Digital public Service
Article 50 Europol Cloud infrastructure:
creation,use as the standard
infrastructure for Europol systems,
services and tools offered to Member
States, including existing ones, secure
access (IA).
Commission
Europol
Development
Procurement
Digital solution
Digital public service
Article 51 EU Police Digital Identity: creation of
a harmonized scheme for identifying
and granting police staff direct or
indirect (via national systems) access
Europol cloud infrastructure (IA).
Commission
MS, Third countries
Europol
Standardization of Police
ID data
Development
Identification and access
management
Data
Digital solution
Digital public service
Article 52 Statistics and reporting tools: creation,
use of tools for the purpose of
evaluation, monitoring, analysis and
reporting (IA).
Europol
Member States
LEA, Commission
Development
Reports
Data
Digital solution
Digital public service
Article 53 Europol support to the development and
uptake of Universal Message format.
Europol
eu-LISA
Member States
LEA
Standardization
Information exchange
Data
Process digitalisation
and automation
EN 184 EN
Commission Digital public service
Articles 55 and 56 Creation of, the ICT and Information
Management Steering Group and
Advisory Group, supporting the
Management Board decisions on ICT
architecture, data management,
interoperability, alignment with MS
business needs.
Europol
Member States
LEA
Commission
Development
Standardization
Uptake
Data
Process digitalisation
and automation
Digital public service
Article 54 Creation of an EU DNA matching
application, for the benefit of Europol
and Member States.
Europol
Member States
LEA
Commission
Development
Standardization
Procurement
Uptake
Cross-checking
Analysis
Data
Digital Solution
Digital public service
Articles 57 to
64
Europol, through the Innovation
Advisory Group and supported by the
Capabilities and Innovation Advisory
Group, develops and regularly reviews
and updates a Foresight and
Capability Development Framework
to ensure the coordination and
complementarity between Europol,
relevant Union bodies and Member
States in relation to research,
innovation, testing, development,
piloting, and uptake of advanced
capabilities for law enforcement,
Europol
Member States
EUBOAs
Commission
Development
Standardisation
Procurement
Uptake
Innovation
Process digitalisation
and automation
EN 185 EN
including through pooling of existing
capabilities, coordinated participation in
standardisation processes and joint
procurements.
Article 61 Use of regulatory sandbox for
developing AI based advanced
capabilities.
Europol Development
Innovation
Data
Articles 80 and 81 Union bodies and national VIS
designated authorities have an indirect
access to Europol. (IA). EPPO receives
automatically information relevant to it.
EUBOA
VIS designated
authorities
Commission
Cross check by EUBOAs
VIS security check
Process digitalisation
and automation
Digital public
services
Data
Article 94 Transfer of personal data to third
countries and international
organisations.
Europol
Third countries
International
organisations
Member States
Data transfer Data
Article 96(1) to
96(3)
Europol processes data from private
parties.
Europol
Private parties
Exchange with private
parties
Collect
Digital public
services
Data
Article 96(3) Result of processing private party-
sourced information forwarded to the
ENU.
Europol
Private parties
MS ENU
Exchange with private
parties
Process, Analyse, Report
Process digitalisation
and automation
EN 186 EN
Articles 96(4) to
96(6).
Europol allowed to transfer data to
private parties in specific cases.
Europol
PP, Data Subject
Data owner
Exchange with private
parties
Process digitalisation
and automation
Data
Article 86(8) Europol sends request for information to
private parties via ENU.
Europol
MS ENU
Private parties
Exchange with private
parties
Digital public
services Process
digitalisation and
automation
Data
Article 97 Europol to forward information from
natural persons to relevant Member
State or third country.
Europol Exchange with private
parties
Digital public
services
Process digitalisation
and automation
Data
Article 98 Europol has access to exchanges
between Member States and private
parties.
Europol
Private parties
Exchange with private
parties
Process digitalisation
and automation
Digital public service
Articles 99, 100,
101, 102 and 107
Limitations and responsibilities to the
processing of personal data including
for research and innovation, limitations
for the storage and erasure of personal
data; on the basis on verifications to be
carried out on the reliability of the
source, on the accuracy of information,
on the category of data subjects, on
special categories of personal data.
Europol All processing of
operational data
Data
Process digitalisation
and automation
EN 187 EN
Article 103 Notification of a personal data breach to
the authorities concerned.
Europol
MS LEA
Personal Data breach Digital public
services
Data
Article 104 Communication of a personal data
breach to the data subject.
Europol
Data Subject
Personal Data breach Digital public
services
Data
Articles 105 and
106
Right of access, to rectification, erasure
and restriction for the data subject.
Europol
Data Subject
Right of data subject Digital public
services
Data
Article 102 Europol to keep logs of all processing
information.
Europol All processing of
operational information
Data
Process digitisation
and automation
Article 116(3) Europol to inform regularly Joint
Parliamentary Scrutiny Group (JSPG).
Europol
JSPG
Report Digital public
services
Data
Article 117 European Parliament to access to
Sensitive non confidential (SNC)
operational data.
Europol
European
Parliament
Access to information Digital public
services
Data
Article 130 Commission shall submit every five
years an evaluation report to the
European Parliament, the Council, the
national parliaments and the
Management board.
Commission Report Data
EN 188 EN
Article 136 Europol queries national database via
the Prüm II router mechanism.
Europol
MS LEA
Information exchange
Access to MS
information
Data
Process digitalisation
and automation
Article 137 Start of operations provisions. Commission
Europol
Member States
Start of operations Digital public service
4.2. Data
Constraints on data depend on the operational process
The type of data processed and exchanged highly depend on the process and on the actors involved (see table A). Whilst the different applicable data
format indeed depend on the type of data processes (table C), the applicability and its enforcement depend on the process, as the data is not exchanged
in the same operational situation, and under the same legal constraints, notably on data quality.
– Police officer identification will be the process where constraints on data will be the highest to ensure the highest level of security assurance
when accessing to applications, services and data provided under Europol Cloud infrastructure, including notably the Police Shared data
space.
– Information exchange, analysis, and similarly innovation. Europol operates in an information environment characterised by high volumes
of heterogeneous data, which often originate from multiple sources, jurisdictions, and operational contexts. A substantial portion of this
information is received in an unstructured or mixed form. This reflects the reality of modern law enforcement, in which datasets are complex,
dynamic, and not fully standardised, and where the extraction of information relevant to ongoing investigations constitutes the core
operational task. This is particularly true for electronic evidence such as seized informational material which comes unstructured and most
often encrypted. This data is analysed and processed either by Europol within the Europol analytical environment, or jointly by Member
States competent authorities, EU bodies, private parties under the Police shared data space. Information can be exchanged between parties via
the Police shared data space or SIENA. The Application of standards depends mostly on the source of data and therefore MAY follow the
standards and specifications underpinning the corresponding database. However, as information necessary for Europol to carry out its tasks
are only defined by the purpose, the following list remains not exhaustive.
– Cross-checking A cross-checking service (Articles 35 to 39) is established for the rapid identification of links with previous individuals,
objects, involved in a criminal activity and only relating to convicted, suspects of having committed or to about to commit a crime. Member
EN 189 EN
States can access the Europol Analytical environment (Article 41(4)) on a hit/no-hit basis. A hit/no hit mechanism (Article 80) allows to cross-
check information against the Europol analytical environment for EUBOAs, and can relate to suspects, convicted but as well to victims or
persons indirectly related.
– Administrative Reports while being published in digital form, do not follow strict technical standard requirements.
– Personal data rights related processes, are highly manual; while data processes and shared might be structured and can follow certain
standards, it is not a requirement.
Constraints across processes
Process
Reference to the requirement P o li
ce o
ff ic
er
id en
ti fi
ca ti
o n
C ro
ss c
h ec
k
In fo
rm at
io n e
x ch
an g e
b et
w ee
n L
E A
E x ch
an g e
w it
h p
ri v
at e
p ar
ti es
O p er
at io
n al
a n d
S tr
at eg
ic al
A n
al y si
s
In n o v at
io n
A d m
in is
tr at
iv e
re p o rt
P er
so n al
d at
a ri
g h ts
Article 8(7) X
Article 9(2) X
Article 9(3) X
Article 9(4) X
Article 9(5) X
Article 7(1) X
EN 190 EN
Process
Reference to the requirement P o li
ce o
ff ic
er
id en
ti fi
ca ti
o n
C ro
ss c
h ec
k
In fo
rm at
io n e
x ch
an g e
b et
w ee
n L
E A
E x ch
an g e
w it
h p
ri v
at e
p ar
ti es
O p er
at io
n al
a n d
S tr
at eg
ic al
A n
al y si
s
In n o v at
io n
A d m
in is
tr at
iv e
re p o rt
P er
so n al
d at
a ri
g h ts
Article 7(2) X
Article 7(3) X
Article 7(4) X X
Article 7(5) X X
Article 11 X
Article 18(a) X X
Article 18(b) X
Article 18(c) X X
Article 16(a) X
Article 16(c) X X
Article 21(4) X X
Article 25(5)(a) X
EN 191 EN
Process
Reference to the requirement P o li
ce o
ff ic
er
id en
ti fi
ca ti
o n
C ro
ss c
h ec
k
In fo
rm at
io n e
x ch
an g e
b et
w ee
n L
E A
E x ch
an g e
w it
h p
ri v
at e
p ar
ti es
O p er
at io
n al
a n d
S tr
at eg
ic al
A n
al y si
s
In n o v at
io n
A d m
in is
tr at
iv e
re p o rt
P er
so n al
d at
a ri
g h ts
Article 25(5)(b) X
Article 28 X
Article 29 X X
Article 29(6) X
Article 30 X
Article 34 X
Article 35 X X
Article 36 X X
Article 37 X X
Article 38 X X
Article 39 X X
Article 40 X
EN 192 EN
Process
Reference to the requirement P o li
ce o
ff ic
er
id en
ti fi
ca ti
o n
C ro
ss c
h ec
k
In fo
rm at
io n e
x ch
an g e
b et
w ee
n L
E A
E x ch
an g e
w it
h p
ri v
at e
p ar
ti es
O p er
at io
n al
a n d
S tr
at eg
ic al
A n
al y si
s
In n o v at
io n
A d m
in is
tr at
iv e
re p o rt
P er
so n al
d at
a ri
g h ts
Article 41 X X
Article 42 X X
Article 43 X X
Article 44 X X
Article 45 X X
Article 46 X
Article 49 X X X X X
Article 51 X
Article 52 X
Article 53 X X X
Article 55 X X X X X X
Article 56 X X X X X X
EN 193 EN
Process
Reference to the requirement P o li
ce o
ff ic
er
id en
ti fi
ca ti
o n
C ro
ss c
h ec
k
In fo
rm at
io n e
x ch
an g e
b et
w ee
n L
E A
E x ch
an g e
w it
h p
ri v
at e
p ar
ti es
O p er
at io
n al
a n d
S tr
at eg
ic al
A n
al y si
s
In n o v at
io n
A d m
in is
tr at
iv e
re p o rt
P er
so n al
d at
a ri
g h ts
Article 54 X X X
Article 61 X
Article 80 X
Article 81 X
Article 94 X
Article 96(1) X X
Article 96(2) X X
Article 96(3) X X
Article 96(4) X
Article 96(5) X
Article 96(6) X
Article 96(7) X
EN 194 EN
Process
Reference to the requirement P o li
ce o
ff ic
er
id en
ti fi
ca ti
o n
C ro
ss c
h ec
k
In fo
rm at
io n e
x ch
an g e
b et
w ee
n L
E A
E x ch
an g e
w it
h p
ri v
at e
p ar
ti es
O p er
at io
n al
a n d
S tr
at eg
ic al
A n
al y si
s
In n o v at
io n
A d m
in is
tr at
iv e
re p o rt
P er
so n al
d at
a ri
g h ts
Article 97 X
Article 98 X
Article 99 X
Article 100 X
Article 101 X
Article 102 X
Article 102 X
Article 104 X
Article 105 X
Article 106 X
Article 107 X
Article 102 X X X X X X X X
EN 195 EN
Process
Reference to the requirement P o li
ce o
ff ic
er
id en
ti fi
ca ti
o n
C ro
ss c
h ec
k
In fo
rm at
io n e
x ch
an g e
b et
w ee
n L
E A
E x ch
an g e
w it
h p
ri v
at e
p ar
ti es
O p er
at io
n al
a n d
S tr
at eg
ic al
A n
al y si
s
In n o v at
io n
A d m
in is
tr at
iv e
re p o rt
P er
so n al
d at
a ri
g h ts
Article 116(3) X
Article 117 X
Article 130 X
Article 136 X X
Type of data per process
Process
General data type and standards applicability P o li
ce o
ff ic
er
Id en
ti fi
ca ti
o n
C ro
ss -c
h ec
k
In fo
rm at
io n e
x ch
an g e
b et
w ee
n L
E A
a n d /o
r
E u ro
p o l
E x ch
an g e
w it
h p
ri v
at e
p ar
ti es
O p er
at io
n al
a n d
S tr
at eg
ic al
A n
al y si
s
In n o v at
io n
A d m
in is
tr at
iv e
re p o rt
P er
so n al
d at
a ri
g h ts
EN 196 EN
Do data format standards apply? (Mandatory/Optional) M M O O O O N/A N/A
Type of data
EU digital police identity X
Police and justice records X X X X X
Information held by other administrations X X X X
Information held by private authorities X X X X X
OSINT X X X X X
Digital evidence X X X X X
Operational report X X X X
Strategical report X X X X
Administrative Report X X X
Type of data and applicable data standards
Data type Applicable data standard
EU digital police identity To be determined by
Police and justice records
Prüm II, EPRIS, ECRIS, ECRIS-TCN, SIS record When exchanged under EU framework, the corresponding standards
EN 197 EN
apply as EPRIS, Prüm II, ECRIS, ECRIS-TCN orSIS. UMF applies
to them. UMF sets out a taxonomy of data stored in police records and
help national authorities map their data to other Member States and
Europol law enforcement authorities.
National police and justice databases When not exchanged under EU framework, national databases format
usually prevails, as UMF implementation in national Case
management systems was not made mandatory.
In substance data type covered are found in UMF: Person (identity),
physical description, DNA profile, Face recognition data,
dactyloscopic data, palm print, offence, travel/identification/official
document, photograph, weapon, firearm, organization, criminal case,
flight/journey; means of payment, means of transportation; account,
and associated, action to be taken in case found, conviction, sentence.
Information held by other administrations
Civil register Regulation (EU) 2016/1191 – Multilingual Standard Forms (MSF)
European Civil Registry Network (ECRN) – secure cross-border data
exchange
RISER – uniform electronic service for registry access
Alignment with UN CRVS standards – structured fields, metadata,
unique identifiers
Travel document / Identity card ICAO 9303
Travel information
PNR Directive
EN 198 EN
API Regulations
Immigration records held by administration EU central databases: VIS, EURODAC, EES, ETIAS: standards are
set by the corresponding legislation and should adhere to UMF.
Data held are of related to the persons identity, travel document.
National database information may be exchanged as well.
National real-estate registers or electronic data retrieval
systems and land and cadastral registers
National citizenship and population registers of natural
persons
National motor vehicle, aircraft and watercraft register SIS II, Prüm II
Commercial registers, including business and company
registers
Fiscal data, including data held by tax and revenue
authorities
National social security data
Information held by private authorities
Bank account information As under Directive (EU) 2024/1640,
Transaction records
Information on mortgages and loans
EN 199 EN
information contained in national currency databases and
currency exchange databases
Information on securities
Customs data, including cross-border physical transfers of
cash
Information on annual financial statements by companies
Information on wire-transfers and account balances
Information on crypto-asset accounts and crypto-asset
transfers
As defined in Article 3 of Regulation (EU) 2023/1113 of the European
Parliament and of the Council (44).
OSINT
Applicable multi-media format dependent
Digital evidence
Legal interception ETSI TS 103 705, ETSI TS 104 007
Communication metadata Applicable ETSI standards
Video footage Applicable multi-media format dependent
Operational report
Strategical report
Administrative Report
EN 200 EN
Alignment with the European Data Strategy
Explanation of how the requirement(s) are aligned with the European Data Strategy
The proposed revision of Europol’s mandate fully aligns with Regulation (EU) 2018/1725 (EUDPR), integrating its core principles into Europol’s
operational framework while addressing the specific needs of law enforcement cooperation. The text explicitly subjects Europol’s processing of
personal data to the EUDPR’s requirements in Article 98(1), embedding key obligations such as lawfulness, purpose limitation, and data minimisation
into its legal framework. Article 32(2) restricts data processing to predefined purposes—such as cross-checking, operational analysis, and research—
directly reflecting EUDPR requirement that personal data be collected for specified, explicit, and legitimate purposes. Similarly, the storage limitation
principle is reinforced through Article 101, which requires Europol to review the necessity of data retention every three years and sets a five-year
maximum storage period, aligning with Article 4 EUDPR. The proposal also incorporates the EUDPR’s accountability mechanisms, such as the
requirement for Data Protection Impact Assessments (DPIAs) for high-risk processing (Article 102(3)) and the obligation to consult the European Data
Protection Supervisor (EDPS) prior to engaging in new types of processing (Article 108), mirroring Article 90 of the EUDPR. Additionally, the text
ensures compliance with the EUDPR’s provisions on data subject rights, including access, rectification, and erasure (Articles 105–106), fulfilling the
EUDPR’s documentation and transparency obligations (Article 98). By systematically integrating these substantive requirements, the proposal ensures
that Europol’s expanded operational capabilities remain fully compliant with the EUDPR’s robust data protection standards.
Data Act59 does not apply to this proposal, as no obligation is set out in the proposal requiring business to make data available to other business.
Europol will promote the development of common data standards across EU Member States, on strategical analytical products (Article 7) the
criminal information exchange, notably on DNA, and forensics and data analysis techniques, whilst the policy does not concern public sector
information per se which can be reused as put forward Open Data Directive60, notably for public security reasons.
The Police Shared Data Space put forward in the proposal will be the common space for investigators to bring in common investigative information
for operational analysis, and will constitute an important enabler for feeding Europol’s research and innovation activities (Art 60) for the training,
development, testing and validation of advanced analytical and forensic capabilities within regulatory sandboxes according to AI Act. Both Police
Shared Data Space and R&I activities will benefit from the Europol Cloud infrastructure scalable storage and processing capacities. Those three
components contribute to the emergence of a common law enforcement data space.
Provision of data governance Act61 to transfer to third countries does not apply as concerning law enforcement activity.
Alignment with the once-only principle
EN 201 EN
Explanation of how the once-only principle has been considered and how the possibility to reuse existing data has been explored
Request for information by Europol to private parties are effectively carried out by Member States under Article 96(7). Member States law
enforcement authorities Implementation of the once-only principle is therefore governed by national law and are therefore out of scope of this proposal.
Information gathered by Europol and law enforcement authorities under such conditions are managed centrally under the Platform for cooperation with
private parties (Article 47) to facilitate communication between Europol, the Member States and the private parties, and to ensure Europol does not
request the same information twice. Requests for information directly initiated by Member States under Article 96(8) handled via the Platform and
corresponding exchanges with private parties are made available to Europol in the same spirit of limiting the requests to businesses.
Request for information by Europol to Member States competent authorities, EUBOA, third countries, International Organisation will neither be asked
twice, such requests are managed centrally within the Agency by Europol Operational and Analysis Service in application of Article 12. Conversely
their request for information or for support, be it of analytical, technical, financial or operational nature will be followed up by the same Service
insuring a proper and swift handling. Similarly, Member States ENU being as well informed of all exchange of information between Europol and its
competent authorities, will ensure that no duplicate requests are made (Article 25(5))
Explanation of how newly created data is findable, accessible, interoperable and reusable, and meets high-quality standards
The proposed revision of Europol’s regulatory framework ensures that newly created data adheres to the FAIR principles within the closed
community of Member States law enforcement authorities, and, to a certain extent to third countries’, EU bodies in the JHA domain, and
International Organizations participating to the fight against serious organized crime and terrorism. In that regard, the proposed framework maintains
high-quality standards through structured governance and advanced technical infrastructure.
Findability is achieved by establishing centralised platforms such as the Europol Analytical Environment (Article 40) and the Police Shared Data
Space (Article 42), which provide secure, indexed repositories for criminal intelligence, operational analyses, and joint investigations. These systems
incorporate metadata standards, unique identifiers, and search functionalities (including alphanumeric, biometric, and multimedia queries (Article
41))to enable precise retrieval of data. Accessibility is guaranteed through role-based access controls, the EU Police Digital Identity (Article 51), and
interoperable tools like SIENA (Secure Information Exchange Network Application, Article 46), which facilitate seamless, secure data sharing among
Member States, Union bodies, and authorised partners. The Europol Cloud Infrastructure (Article 50) further ensures scalable, on-demand access to
data while complying with strict security and sovereignty requirements, including compartmentalisation and encryption. Interoperability is embedded
in the proposal through mandatory technical standards, such as the Universal Message Format (UMF) (Article 53), which harmonises data exchange
across Union information systems, and the integration of Europol’s tools with existing EU platforms like the Schengen Information System (SIS) and
EPRIS (European Police Record Index System, Article 48). The cross-checking service (Article 36) and DNA matching application (Article 54)
automate comparisons across datasets, reducing silos and enabling real-time linkages between cases. Reusability is supported by the Foresight and
Capability Development Framework (Article 57), which promotes standardised methodologies, common analytical tools, and modular system designs
EN 202 EN
(e.g., reusable software components in the cloud infrastructure). High-quality standards are enforced through data validation protocols (e.g., "data
loaders" for automated uploads, Article 38), periodic reviews of data accuracy (Article 101), and statistics and reporting tools (Article 48) that monitor
performance, consistency, and compliance with Union law. Additionally, the ICT and Information Management Steering Group (Article 50) oversees
technical coherence, while training programmes (Article 64) ensure that personnel are equipped to maintain data integrity. Together, these measures
create a robust ecosystem where data is not only operationally effective but also aligned with legal, and technical best practices.
EN 203 EN
Data flows
High-level description of the data flows
Type of data Reference(s)
to the
requirement(s)
Actors who
provide the
data
Actors who
receive the
data
Trigger for the
data exchange
Frequency (if
applicable)
Request for information to
contribute for coordination
measure
Art 8(7) Europol MS Europol initiative /
Information and criminal
intelligence
Art 8(7) MS LEA Europol Request from
Europol
/
Request for information Art 9(2) Europol MS ARO Europol initiative /
Information and criminal
intelligence
Art 9(2) MS ARO Europol Request from
Europol
/
Request to act (freezing) Art 9(3) Europol MS LEA Europol initiative,
risk of
disappearing
/
Decision on freezing Art 9(3) MS LEA Europol Request from
Europol
/
Request for information Art 9(4) Europol MS FIU Europol initiative /
Information and criminal
intelligence
Art 9(5) MS FIU Europol Request from
Europol
/
Analytical products Article 7 Europol MS Europol initiative /
EN 204 EN
Council
Commission
Information and criminal
intelligence
Art 7(4) & (5) MS
EUBOAs
Europol Europol request for
operational or
strategic analytical
product
/
Requests for the initiation of a
criminal information
Article 11 Europol MS where Europol
considers that a
criminal
investigation
should be initiated
into a crime falling
within the scope of
its objectives
/
Removal order of online content Art 18 MS LEA Europol MS decision to
request removal
/
Removal order of online content Art 18(a) Europol PP Europol & MS
LEA coordination
/
Referrals of online content Art 18(b) Europol PP Europol or MS
LEA request
/
Information and criminal
intelligence (online content,
services, accounts, infrastructures
or digital activities)
Art 18(e) Europol PP Europol request /
Information and criminal Article 16(a) Europol/ARO ARO/Europol Europol /ARO /
EN 205 EN
intelligence initiative
Information and criminal
intelligence
Article 16(c) Europol/EPPO EPPO/Europol Europol / EPPO
initiative
/
Information and criminal
intelligence
Article 21(4) Europol/JIT JIT/Europol Europol / JIT
initiative
/
Information and criminal
intelligence
Article 25(5)(a) Europol MS ENU When exchanging
with MS LEA
/
Request for information Article 25(5)(a) Europol MS ENU Europol initiative /
Request for information Article 25(5)(c) MS ENU MS authorities Europol request /
Information and criminal
intelligence
Article 25(5)(b) MS authorities
holding
information
MS ENU Europol request /
Information and criminal
intelligence
Article 25(5) MS ENU Europol Europol request /
Publicly available Information Article 28 Publicly
available source
Europol Europol initiative /
Information and criminal
intelligence
Article 29, 32,
33
MS CA
Immigration LO
Europol MS observation
that information is
necessary to fulfil
Europol’s
objectives
/
Report Article 29 Europol Council Regulation Annually
EN 206 EN
European
Parliament
application
Information and criminal
intelligence
Article 34 Europol MS LEA When relevant
operational
information is
found
/
Information and criminal
intelligence
Article 38 MS LEA Cross-
checking
service
without undue
delay when data is
found to fulfil
conditions set
under Article 35 to
38
Systematically
Information and criminal
intelligence
Article 49 MS LEA Cross-
checking
service
When conducting
investigations /
when a case has a
cross-border
dimension
systematically
Information and criminal
intelligence
Article 49 Cross-checking
service
MS LEA Upon MS request
above
/
Information and criminal
intelligence
Article 41 Europol
MS ENU
Europol
Analytical
environment
MS LEA/ENU
initiative
/
Hit/no hit Article 41 Europol
Analytical
environment
MS ENU Upon request
above
/
EN 207 EN
Any information Article 46 Europol, MS,
TC, EUBOA, II
Europol, MS,
TC, EUBOA,
II
/ /
Statistics and reports Article 52 Tool MS, Europol,
other entities
Upon request /
Information and criminal
intelligence
Article 94 Europol Third
countries
Third party or
Europol initiative
/
Information and criminal
intelligence
Article 96(3) PP Europol PP initiative /
Information and criminal
intelligence
Article 96(3) Europol MS CA Europol initiative /
Information and criminal
intelligence
Article 96(4),
Article 96(5)
Europol PP Europol initiative /
Request for information Article 96(7) Europol ENU Europol initiative /
Report Article 96(11)
Article 96(12)
Europol MB, EP,
Council
Regulation
implementation
Yearly
Information and criminal
intelligence
Article 97(1) Natural person Europol PP initiative /
Information and criminal
intelligence
Article 97(3) Europol MS, TC Upon reception of
information above
/
Notification of a personal data
breach
Article 103 Europol MS LEA In the event of a
personal data
/
EN 208 EN
breach
Notification of a personal data
breach
Article 104 Europol Data subject In the event of a
personal data
breach
/
Personal data Article 105 Europol Data subject Upon Data subject
request
/
Information to the JSPG Article 116(3) Europol JSPG Varies along the
specific part of
JSPG information
Varies.
Request for information Article 117(1) European
Parliament
Europol EP initiative /
Information and criminal
intelligence
Article 109(2) Europol European
Parliament
Upon request
above
/
Report Article 130 Europol MB, EP,
Council,
National
Parliaments
Regulation
implementation,
Entry into
application of the
regulation
5 years
Request for information on person
details
Article 136 Europol MS databases
via Prüm
router
Europol initiative /
Person’s identity Article 136 MS databases
via Prüm router
Europol Upon request
above
/
EN 209 EN
Commission implementing acts
determining the start of operations
Article 137 Commission MS Committee
procedure
/
SIS supplementary information Article 30 MS SIRENE Europol Upon hit on SIS
alert
/
Information and criminal
intelligence
Article 30 Europol MS SIRENE In response to
above notification
/
Third country sourced information Article 30 Europol MS Europol initiative /
Notification of insertion Article 30 MS Europol Upon insertion of
SIS alert
/
Supplementary information Article 30 Europol MS Upon request,
when receiving hits
on specific alerts
/
4.3. Digital solutions
Digital
solution
Reference(s)
to the
requirement(s)
Main mandated
functionalities
Responsible
body
How is
accessibility
catered for?
How is
reusability
considered?
Use of AI
technologies (if
applicable)
Europol
Cross
checking
service
Article 35 to
Article 39
Storage, search and
automated cross-checking
of information via
alphanumeric and
biometric data.
To be composed of: an
Europol N/A
machine
interface
Synergies
with eu-LISA
Article
78(2) possibly
with Prüm II
components
Biometric
matching modules
EN 210 EN
infrastructure for the
storage of information; a
search interface; an
interface for the upload,
update, or deletion of
information; a secure
communication
infrastructure between the
cross-checking service and
Member States/Union
bodies/European Search
Portal.
Article 36(4):
cross-
checking
service shall
make use of
existing
technological
components,
building
blocks and
infrastructure
developed and
managed by
eu-LISA
Europol
Analytical
Environment
Articles 40 and
41
Europol environment for
storage, processing, cross-
checking, visualisation and
analysis of data, including
in support of criminal
investigations and
operational coordination. It
shall comprise analytical
workspaces, case
management
functionalities,
collaborative tools, data
processing services, and
other capabilities. It shall
provide for logically
separated analysis projects
for storing and processing
Europol Europol user
interfaces’
specifications
Cf Police
Shared data
space
Cf Police shared
data space
EN 211 EN
data for distinct analytical
purposes.
hit/no hit Search: shall
enable the querying of the
data stored to find
connections with existing
cases.
Police Shared
Data Space
Article 42 to
Article 45
Member States
environment to initiate
joint operational analysis
cases: upload, store, cross-
check, process and analyse
investigative data, jointly
visualise, edit documents
and reports, securely
communicate and
exchange information.
To be based on the Cloud
infrastructure.
Europol For user
interface,
Implementing
Act referred
to Article
42(4), and
Europol
specifications
Requirement
to share and
re-use the
hardware and
software
components of
the Europol
Analytical
Environment
and to make
available its
tools,
functionalities
and modules.
Tools,
functionalities, and
modules hosted
(defined by
implementing acts)
are likely to
integrate AI
technology.
SIENA Article 46 Secure information
exchange between
Member States, Europol,
other Union bodies, third
countries and international
organisations.
To be composed of: a
Europol Set by
Europol
Specifications
for user
interface
Specific
development.
Inline modules to
aid the insertion,
the interpretation
of exchanged
information
EN 212 EN
central infrastructure for
the storage and processing
of data; web interface(s)
and mobile application(s)
enabling law enforcement
staff to exchange
information; dedicated
programming interface(s)
supporting interoperability
with the IT systems of
Member States and EU
bodies; a secure
communication
infrastructure between
SIENA and Member
States/ Union bodies/ third
countries/ international
organisations.
Platform for
cooperation
with private
parties
(included in
the Europol
Analytical
Environment)
Article 47 Implement the TCO
removal order DSA
referral, and online crisis
situation.
Facilitate communication
between Europol, Member
States, and private parties
offering service in the EU.
Act as a crisis response
platform in online crisis
situations, facilitating
communication and
Europol Set by
Europol
Specifications
for user
interface
The platform
already
accommodates
three different
workflows
/
EN 213 EN
enabling Europol to
provide private parties
with necessary
information.
European
Police
Record Index
System
(EPRIS)
Article 48
No new functionalities
introduced. Article merely
establishes that Europol
shall perform the tasks
conferred to it by
Regulation (EU) 2024/982,
as concerns EPRIS.
Europol // // //
Other
services and
tools
Article 49 The Commission may
adopt implementing acts
laying down the
procedures for defining the
necessary functionalities
of additional services and
tools.
European
Commission
// // //
Europol
cloud
infrastructure
Article 50 Provides scalable, secure
and elastic storage and
processing capacities
enabling creation of the
Police Shared Data Space.
It therefore supports
Europol and Member
States’ competent
authorities to access
Europol’s tools,
Europol N/A
machine
interface
Joint
Procurement
of cloud
computing
services
AI based analytics
will rely on the
expected
scalability
EN 214 EN
collaborative
environments, and other
operational data-
processing capabilities.
May also be used by other
Union bodies and third
countries for the same
purpose.
Shall support the storage,
processing, analysis and
exchange of data.
Shall ensure strict access
control, data
compartmentalisation.
Access rights detailed.
EU Police
Digital
Identity
Article 51 Provides the necessary
authentication and strong
identification scheme for
accessing the Police
Shared Data Space
Member
States
Europol
Implementing
act under
Article 51
Implementing
act should be
developed
with the view
to reuse the
technical
components
Framework
set up by
Regulation
(EU)
910/2014 and
its
implementing
No
EN 215 EN
acts. It should
allow for the
use on EU
Digital
Identity
Wallets when
possible
Statistics and
reporting
tools
Article 52 Provide statistics and
reports for the purposes of
evaluation, monitoring,
analysing and reporting.
Shall collect, generate, and
provide aggregated
statistical information,
indicators, technical logs,
usage metrics, and
analytical reports.
Europol Implementing
act under
Article 52(6)
Article
86(2)(a) re-
use similar
components
from EU large
scale it
systems such
as CRRS
Limited to the
formatting of the
report
EU DNA
matching
application
Article 54 Enable the secure and
reliable comparison of
DNA profiles in support of
Member States’
investigations of criminal
offences
Europol N/A
Machine
interface
The matching
application
shall be used
by Member
States
No
Europol Cross-checking service & al.
Digital and/or sectorial policy (when
these are applicable)
Explanation on how it aligns
EN 216 EN
AI Act Cross-matching algorithms may make use of AI systems or models within the meaning of
the AI Act, notably in the area of biometrics or law enforcement (e.g. fingerprint, facial
image, profiling). Implementing act under Article 37(4) will cater for an ensuring alignment
with the AI Act and the Commission guidelines notably on the classification of high-risk AI
systems. Further guidance by Europol to Member States users on the integration and
implementation within national procedures could be useful, according to different governing
rules whether falling under high risk or not.
Europol Analytical environment & Police shared data space; while the proposal does not
envisage those environments to be based on AI technology, they will be the dedicated
secured environment, respectively for Europol, and for Member States to carry out
advanced criminal analyses on the basis of evidential material and other information, by the
use of tools, mostly based on AI hosted in either environment. Many of the tools pursuing
crime analytics fall outside the scope of the high risk classification (for example processing
of large and complex data sets, such as transcribing audio files, for extracting entities, such
as names and phone numbers from text messages without going through the content of the
message; Image classification and object detection but without biometrics ) Only a sheer
part of the remaining cases (such as the use of lie detectors or profiling tools) would fall
under Annexes I and III to the AI Act. The AI systems in and out of scope of high-risk AI
systems are explained in the COM guidelines on high-risk AI systems classification.
Under this proposal, capability is given to Europol to train and develop its own AI enabled
tools by making use of regulatory sandboxes (Article 61(2)), and mission is given to support
the adoption of the corresponding hosted tools and capabilities by Member States (Article
59(3)) and to provide the associated training (Article 64(1)(b)).
With such large ambitions, Europol will be reinforced according to support its obligations as
a provider, respectively, as a deployer of AI systems, including high-risk (cf.
SO3/Advanced capabilities with EUR117million and 40 FTEs over the next MFF) Training
and support for Member States to comply with AI rules when using Europol-provided tools
will be supported by the creation of Europol support offices (EUR112million, 157 FTEs).
SIENA and Platform cooperation for private parties
EN 217 EN
Such digital solution may only embed non-high-risk in-line AI enabled module such as
natural language processing (translation, transcription, etc) Obligations of transparency will
be taken care of in the context of the effort to upgrade existing system and tools (EUR130
million, 115 FTEs).
Europol Cloud Infrastructure
EU Police digital Identity
Statistics and reporting tools
EU DNA matching application
None of those solutions are set to rely on AI technology
EU Cybersecurity framework The new proposed mandate is aligned with NIS2 (inter alia for the private parties) and with
the Cybersecurity Act, as
a) the new requirements made on the bodies concerned Europol, explicitly require
application of EU cybersecurity framework (i) for the procurement of cloud
services in Article 50(4) and (ii) and the production of statistics in Article 52(5).
b) it reinforces Europol’s role in cybercrime investigations. While Europol itself is
not an NIS2-covered entity, the proposal strengthens organisational
cybersecurity measures (e.g., secure data handling, incident response). It
enhances Europol’s ability to support Member States in investigating cyber
incidents, without imposing direct obligations on private entities.
The EU DNA matching application is also in line with the Cyber resilience act (CRA) as the
product but does not impose requirements that would affect how manufacturer implement
the essential requirements of the CRA.
eIDAS While eIDAS does not apply to civil servants and to staff of Agencies, a EU digital police
Identity will be required to access Europol Cloud infrastructure underpinning the Police
Shared Data Space. Use of such identity may as well extend to other digital solution
EN 218 EN
(SIENA, …).
Implementing acts will cater for the roll out of a digital identification means to all criminal
investigators with an assurance level high. To that end, an alignment and a reuse of existing
schemes and infrastructure set out by the eIDAS regulation will be sought after.
Single Digital Gateway and IMI Single Digital Gateway does not apply to services offered by Europol to Member states
competent authorities, EUBOAs, Private parties or natural persons.
The Internal Market Information System does not apply as the initiative does not fall within
the scope of the internal market.
Others
4.4. Interoperability assessment
High-level description of the digital public service(s) affected by the requirements
Digital public
service or
category of
digital public
services
Description Reference(s) to the requirement(s) Interoperable
Europe
Solution(s)
Not applicable
Other interoperability
solution(s)
Strategical
support
Prepare analytical products of
operational and strategical
nature,
Article 7
Article 49, 50, 51, 52, 53
Europol supports the
development and use of
common analytical
methodologies and
standards
Facilitate
Information
Sharing: obligations for MS
including ARO and FIUs and
Articles 8(7), 9, 16(a), 16(c)
Article 12 13, 25(5)(a), (b), 29, 30,
UMF, standards on
financial and biometric
EN 219 EN
exchange Europol to share information
Cross-checking services: one
central service, incl. DNA
matching application for MS
CA; hit no/hit mechanism for
EUBOAs and EU information
systems; further access by
EPPO to Europol analytical
environment
Exchange Channels: Police
Shared data space for joint
cases, and SIENA for
bilateral / multilateral
exchanges.
34
Articles 35 to 39
Articles 46, 54
Articles 80, 81
Article 45, 46, 47, 49, 50-51, 136
information borne by
sectorial / information
exchange legislation
(ARO, AML, Prüm II,
VIS …)
DNA application will
materialize for the first
time a EU led standard in
the domain.
EU Police Digital Identity
support an easy
addressing of counterparts
in the exchanges.
Cooperation
with private
parties
Provision of information to
private parties in crisis
situation, for removing and
referring terrorist content
online, and illicit content,
based on dedicated platform.
Request information from
private parties via ENU.
Articles 14, 47, 96 to 99
Articles 49, 50, 51, 53, 55, 56
UMF
Support
Criminal
intelligence
analysis
Provide criminal intelligence
analysis
Europol analytical
environment with advanced
forensics.
Set of advanced analytical
Articles 13 to Article 19
Article 48, 49, 50, 51, 53, 55, 56
UMF
Set of governance
measures and frameworks
to steer, standardize,
coordinate, develop,
deploy, support the uptake
EN 220 EN
tools and forensics
Supports the joint criminal
analysis
Police Shared data space for
Member State joint
cooperation.
Same advanced tools as
above.
Article 41 to Article 45
Articles 48, 49, 50, 51, 53, 55, 56,
137
of advanced analytical
capabilities by Member
States including AI-based:
Articles 13 to 19,
22(3)(a), 26, 53, 54, 55,
56, 57 to 64
Data
protection
Rights
Applications of rights of data
subjects related to data
protection, and oversight
Articles 103-106, 116(3), 117 N/A
Reliance of digital public services over digital solutions
X: depends on
P: may depend on E u ro
p o l
cr o ss
ch
ec k in
g
se rv
ic e
E u ro
p o l
A n al
y ti
ca l
en v ir
o n m
en t
P o li
ce S
h ar
ed D
at a
S p ac
e
S IE
N A
P la
tf o rm
fo
r co
o p er
at io
n
w it
h p
ri v at
e p ar
ti es
E P
R IS
O th
er S
er v ic
es a
n d t
o o ls
E u ro
p o l
cl o u d i
n fr
as tr
u ct
u re
E U
P o li
ce D
ig it
al I
d en
ti ty
S ta
ti st
ic s
an d r
ep o rt
in g t
o o l
E U
D
N A
m
at ch
in g
ap p li
ca ti
o n
Strategical support X X X P P P X
Facilitate information exchange X X X X X X P X X X
EN 221 EN
Cooperation with private parties X X X P P P
Support criminal intelligence analysis X X X X P X P X X X
Impact of the requirement(s) as per digital public service on cross-border interoperability
Strategical support
Assessment Measure(s) Potential remaining barriers
(if applicable)
Alignment with existing digital and
sectorial policies
No digital or sectorial policy identified. -
Organisational measures for a
smooth cross-border digital public
services delivery
- Management Board delegation to Executive Board
delegation (Article 75(1)).
- Executive Board to support MB decisions (Article
75(5))
- Regular Meeting of the HENU (Article 25(4)).
-
Measures taken to ensure a shared
understanding of the data
- Europol to develop standards on strategic products
(Article 7(3)).
-
Use of commonly agreed open
technical specifications and
standards
- Europol to develop standards on strategic products
(Article 7(3)).
- Common Statistical and reporting tool, with categories
defined by implementing act (Article 52(6)).
-
Facilitate information exchange
EN 222 EN
Assessment Measure(s) Potential remaining barriers
(if applicable)
Alignment with existing digital and
sectorial policies
New policy reinforces the material reach of the two
instruments
. Prüm II: Regulation (EU) 2024/982 is amended to
extend the capacity for Europol to consult national
databases (Article 136); Europol develops an EU DNA
matching application to support the DNA exchanges
under Prüm II (Article 54) Europol responsibility over
EPRIS is explicated under Article 48.
. Information exchange Directive (EU) 2023/977:
SIENA is used by national SPOC to provide information
to Europol (Article 46(3)), as a default channel to
exchange information with Europol (Article 46(5));
Creation of a JOAC can be the continuation of an
exchange of information under the Directive (Art 46(4));
SIENA can be used for information exchange with third
countries (Article 46(7)).
. EPPO Council Regulation (UE) 2017/1939: under
Article 73(3) information having triggered a hit shall be
shared with EPPO.
. Eurojust Regulation (EU) 2018/1727: reciprocal access
to information for the purpose of cross-checking.
. Asset Recovery Directive (EU) 2024/1260: under the
proposed policy details and extends the responsibilities
and abilities of the agency in the cooperation framework
set out under Article 29 of the Directive. Under Article 9
Europol gains access to data either directly or indirectly
Regulation remains quiet on the
interplay with the following
regulations on specific
provisions related to the
exchange of information for the
purposes of the prevention,
detection, investigation of
criminal activities
. PNR: Directive 2016/681
. API: Regulation (EU) 2025/13
. VIS Regulation (EU)
767/2008, EES Regulation
2017/2226, ETIAS Regulation
(EU) 2018/1240, Eurodac
Regulation (EU) 2024/1358
. Information on crypto-assets
Regulation (EU) 2023/1113
. Firearms Directive (EU)
2021/555 and Regulation (EU)
2025/41
EN 223 EN
accessible by the asset recovery offices.
. Interoperability Regulation (EU) 2019/818: Europol is
entrusted to support UMF development (Article 53).
Clearer responsibilities with Codification of centers &
systems
. Immigration liaison officer Regulation (EU)
2019/1240: obligations to connect to SIENA; obligations
to contribute to the provision of information to Europol
is clarified.
. Financial information Directive (EU) 2019/1153: scope
of cooperation with FIUs is clarified to be possibly
broader than money laundering and financing of
terrorism, and regrouped under a dedicated article 9(4)
& 9(5) on the support to financial investigations and
asset recovery.
. Interoperability Regulation (EU) 2019/818: access by
EU large scale IT systems and Screening regulation to
Europol data for cross-checking (i.e. ETIAS and VIS
central systems) relies on a secure communication
channel established under Article 36(2)(e) with the
European Search Portal (ESP).
. Screening Regulation (EU) 2024/1356: access by
screening authorities now relies on the established
communication channel between the cross-checking
mechanism and the ESP.
Alignment remains as is/ reformulation
. SIS: Regulation (EU) 2018/1860, 1861, 1862 the role
of Europol with regards the analysis of supplementary
EN 224 EN
information, in the insertion of alert for information, on
hits on alerts for information and terrorist activity relate
alerts Regulations.
. FIU Directive (EU) 2015/849: safeguard on the non-
interference with exchanges with private parties under
the Directive remains the same.
. Cybersecurity Regulation (EU) 2019/881: Cooperation
with ENISA remains identical.
Organisational measures for a
smooth cross-border digital public
services delivery
Concerning the development of necessary capabilities to
deliver digital public service
- Creation of ICT and Information Management
Steering group (Article 55).
- Creation of ICT and Information Management
Advisory group (Article 56).
- Europol to provide technical support for integration
(Article 22(2) para. 3).
- Europol National Units tasks are clarified concerning
the uptake of digital public service (Article 25(6))
including technical.
- ENU is supported by the Europol Support Office
(Article 26) staffed over the EU by 150+ Europol
staff.
-
Measures taken to ensure a shared
understanding of the data
- Cf Europol, ENU & Support Offices support. -
Use of commonly agreed open
technical specifications and
standards
Generalisation of UMF:
- Europol to support its development and adoption
(Article 53).
- UMF is not mandated for
building Europol digital
Solutions.
- UMF is not mandated for the
EN 225 EN
- ICT/IM AG (Article 56(5)(c)) contributes to the
identification and promotion of common technical
standards.
- Europol to support standardisation processes,
including the development and promotion of
common standard, interoperability requirements,
operational and technical specifications relevant for
law enforcement cooperation (Article 57(3)(b):
notably (Article 65(2)(b) through its Capabilities and
Innovation Service.
- Europol to provide technical support for integration
(Article 22(2) para. 3).
integration of national
systems.
Exchange with private parties
Assessment Measure(s) Potential remaining barriers (if
applicable)
Alignment with existing digital and
sectorial policies
Clearer responsibilities with Codification of centres &
systems
. TCO Regulation (EU) 2021/784: The newly codified
European Counter Terrorism Centre is untrusted all
tasks from Europol regarding referrals and removals; and
take place on a newly established digital cooperation
platform for cooperation with private parties (Article
47(2)(a)).
. DSA Regulation (EU) 2022/2065: similar as above
under Article 47(2)(a).
. Child sexual abuse material (CSAM) EU framework:
Regulation remains quiet on the
interplay with the following
regulations on specific provisions
related to the exchange of
information for the purposes of
the prevention, detection,
investigation of criminal
activities.
EN 226 EN
Europol tasks and capabilities regarding the exchange of
CSAM is further streamlined with the generic regime of
exchanges with private parties under Article 97.
Alignment remains as is/ reformulation
. FIU Directive (EU) 2015/849: safeguard on the non-
interference with exchanges with private parties under
the Directive remains the same.
Organisational measures for a
smooth cross-border digital public
services delivery
Concerning the development of necessary capabilities to
deliver digital public service to Member States and
EUBOAs: cf supra “information exchange”.
For the deployment / uptake by private parties:
- Europol may establish cooperative relation with
private parties (Article 91).
- Europol establishes a procedure for granting or
withdrawing secure access of private parties to the
platform (Article 43(3),
- Support to private parties
similar to Member State at the
discretion of Europol and to
bilateral agreements.
Measures taken to ensure a shared
understanding of the data
- Cf Europol, ENU & Support Offices support. - Support to private parties
similar to Member State at the
discretion of Europol and to
bilateral agreements
Use of commonly agreed open
technical specifications and
standards
- Europol Invites private parties to contribute to the
work of the Innovation Advisory Group (Article 67).
- Invitation to private parties to
contribute to the work of the
Innovation Advisory Group
not explicitly covering
standard (Article 67)
Support criminal intelligence analysis
EN 227 EN
Assessment Measure(s) Potential remaining barriers (if
applicable)
Alignment with existing digital and
sectorial policies
New policy reinforces the material reach of the two
instruments
Anti money laundering Directive (EU) 2024/1640:
Europol can support joint analysis carried out by the
European Anti-fraud office (AMLA) pursuant to the
Directive in Article 76
Frontex Regulation (EU) 2019/1896: Europol provides
risk analyses to Frontex on the basis of travel
information (Article 77(1))
Alignment remains as is/ reformulation
Regulation remains quiet on the
interplay with the following
regulations on specific provisions
related to the exchange of
information for the purposes of
the prevention, detection,
investigation of criminal activities
. e-codex Regulation (EU)
2022/850
. JIT collaboration platform
Regulation (EU) 2023/969
Organisational measures for a
smooth cross-border digital public
services delivery
Same as for “information exchange”
- Specific interest for new Europol obligations
supporting the uptake of new advanced analytical
and forensic capabilities under Article 59
-
Measures taken to ensure a shared
understanding of the data
Same as for “information exchange” -
Use of commonly agreed open
technical specifications and
standards
Same as for “information exchange” -
4.5. Measures to support digital implementation
EN 228 EN
High-level description of measures supporting digital implementation
Description of the measure Reference(s) to the requirement(s) Commission role
(if applicable)
Actors to be
involved
(if applicable)
Expected
timeline
(if
applicable)
Adoption of implementing /
delegated acts or guidelines
Article 38(3) and 137(1)
Article 50(9) and 137(2)
Article 42(4) and 137(3)
Article 81(8) and 137(4)
Article 52(6) and 137(5)
Adopt the acts Member States Y0+1
Adoption of implementing
rules
Article 13(5)
Article 70(2)(j)
Vote in MB Europol
Member States
Commission
Y0+1
Support to testing,
deployment, integration,
operation uptake incl.
training
Article 25, 26
Article 65(2)(b)
Article 66(1)
Article 59, 62, 63, 64
Supervisory role in
IM/ICT AG,
Steering group
Europol
Member States
Solution
dependent;
see § 1.5.1