Caught in complexity: Why EU Fisheries Rules Fail in Practice

If you talk to operators, authorities, and other stakeholders in the fishing sector, you will hear the same complaints: the regulatory framework governing the Common Fisheries Policy (CFP) is too complex, too unclear, and too inconsistently applied. Until the rules are simplified and better supported through cooperation, operators will continue to experience too much administrative burden. If the rules aren’t followed, the CFP will not be enforced.

That’s where the European Fisheries Control Agency (EFCA) comes in. Since 2005, it has been responsible for coordinating inspections and supporting CFP enforcement across the EU. Operators and NGOs view EFCA’s work, particularly training, surveillance, and information sharing, as valuable.

At the same time, they consistently highlight the complexity of the framework itself. Attempts to simplify fisheries control, particularly through the 2009 reform, have not gone far enough. The system remains difficult to navigate, with many provisions still requiring clarification. In practice, rules are often vague, open to interpretation, and applied differently across Member States. At the same time, the standards are also difficult to implement because of their rigidity. Operators have identified the following standards as particularly problematic:

• weighing practices,
• tolerances,
• transport,
• prior notification, and
• transmission deadlines

This vagueness and amount of obligations imposes much administrative burden on the operators, which in turn decreases compliance. While recent changes to the frameworks reduced 28% of administrative burdens to the operators, it must be noted that new obligations have also been imposed. For example, operators must now keep an electronic logbook of all fishing operations. As many vessels conduct several (and up to 20) operations a day, this requirement will increase error risk.

Ultimately, these concerns reflect one underlying issue: the rules are too complicated and insufficiently clear. This lack of understanding leads to continuous high infringement rates at around 10.5% and ineffective protection of fisheries. EFCA, being tasked with the implementation of the CFP, should take additional actions to:

• enhance cooperation,
• exchanging information, and
• clarify applicable standards.

Casting a wide net: Hard or Soft Law?

How then to ensure the right bait is employed to improve the coherence and effectiveness of EFCA’s enforcement? Two approaches may be considered, overhaul EFCA’s formal powers through hard law, and or tackle the problem within the existing legal framework through soft law solution.         

Reeling in more direct enforcement powers for EFCA would require a revision to the EFCA regulation to increase their mandate and powers. Formal expansion of operational powers does not lie entirely in uncharted waters, a similar development can be observed in other EU agencies such as Frontex. Much like EFCA, Frontex started out with merely planning and coordination powers but was granted its own executive staff, resources and decision making powers following the 2015 refugee crisis. Importantly, they gained both supervisory and intervention powers giving the agency direct control over enforcement by national authorities.

Expanding powers through hard law seems attractive from an EU perspective since it can remove national disparities. This can in turn improve uniformity and compliance across Member States. However, this approach may catch EFCA swimming upstream. Revision of regulations requires political consensus, which might prove problematic when the division of powers between the EU and the Member States hangs in the balance. Additionally, the EU legislature seems to want to rely on national enforcement networks for the simple reason that powers are accompanied by resources which could put stress on the Union Budget. 

Alternatively, soft law instruments are not legally binding nor enforceable and are often written off as ineffective. However, the value of such instruments in the case of EFCA cannot be understated. After all, deterrence through sanctioning is not the only fish in the sea when it comes to compliance. In fact, pursuing enforcement based on positive support may better reflect the current reality regarding the CFP’s enforcement.

National authorities are struggling due to the technical nature of the enforceable norms. If the issue does not lie in opposition to the rules but rather inability to comply, direct enforcement would not incentivise national authorities to comply any more than a fish would be incentivised to bite a hook it cannot reach. Use of soft law must be navigated cautiously, overproduction of norms may cause more complexity than clarity. Nevertheless, as demonstrated below, when emphasis is put on clarification of norms to compliment the CFP, EFCA may yet be able to provide operational guidance and improve accessibility through soft law instruments.

Fishing for answers: The ‘AI Act Service Desk’ and ‘Solvit’

AI Act Service Desk

One way to improve accessibility and operational guidance is to create an easy to use mechanism that increases the understanding people have of what their obligations are under the law. This can be done in a number of ways, but it is interesting to see how this issue is already tackled in other areas. For example, the AI Act is another law that is plagued by a large number of complicated rules that could negatively impact effective and consistent application. To increase effective implementation of the AI Act, mechanisms were created to provide information to those who encounter the AI Act in their work and lives. Even though the AI Act and the CFP are not completely similar, looking at how the issue is tackled in this area of EU law is a good source of inspiration.

The AI Act Service Desk was designed to aid stakeholders in navigating EU law requirements on AI. This provides the stakeholders with more legal certainty as to whether they are following the laws, which would ultimately benefit the AI market in the Union. Here, individuals and organizations can ask questions about the rules to experts in the field and get further assistance on their issues. Another part of this Service Desk is the Single Information Platform, which provides online interactive tools to understand the AI Act. For example, the AI Act Explorer allows people to intuitively search for information in the Act that is most important for them, and the Compliance Checker provides a way for people to check whether their AI system is in compliance with the rules in the Act.

Additionally, the Apply AI Alliance forum was created as a space for stakeholders and the Commission to share news, opinions, knowledge and recommendations. This so-called ‘Community Exchange Platform’ is open to everyone and provides a good opportunity for those working in the sector as well as lay-persons to learn about AI and the AI Act. This platform is more focused on innovations in the field of AI rather than on the AI Act itself. However, the idea of an exchange platform where experiences can be shared between those having experience with the legislation is a useful tool to educate people.

Overall, these AI mechanisms provide examples of ways in which people can interact with the EU rules to understand how they work in an easy and user-friendly way. One potential issue with such tools, however, is how to obtain the necessary funding and resources to create and maintain them. All of the examples provided above are managed by the Commission. It remains to be seen whether EFCA can manage to recreate its own tools within their funding or whether the Commission needs to lend a helping hand in this respect. Nonetheless, the tools do provide good examples on which EFCA can build its own framework to help people navigate the vast sea of legislation that is the CFP.

Solvit

Another way through which compliance can be reached is the European Administrative Networks (EAN). One of these EANs is Solvit, an informal non-binding mechanism which handles misapplication of EU law by public authorities in cross-border movement. Solvit is a network of centres staffed by civil servants in every EU Member State, Norway, Liechtenstein, and Iceland. Its general objective is to deliver fast, effective and informal solutions to cross-border problems for citizens and businesses free of charge. This makes it an early problem-solving tool offering an alternative to Courts by bringing about changes in national administrations through exerting peer pressure to ensure compliance. At the same time, it prevents the delegation of national responsibility to supranational organisations.

Its main strength is that it is user-centric, pragmatic and has an informal approach. Solvit has two faces: the first being a formal problem-solving network and the second being an informal network of member states engaging in discussion on the application of EU law. This shows a ‘network spirit’ where civil servants discuss matters beyond the cases and therefore become better equipped to make for an important government tool promoting compliance with the internal market. Solvit is also a strong source of information when it comes to the workings of the Single Market. This is because it also detects and monitors systemic issues in the Single Market due to these being flagged through complaints.

The power of such an EAN lies in the fact that it is a tool to close the gap between EU legislation and national implementation. By providing a middle-ground for networking interactions with a focus on joint problem solving, citizens and businesses are better equipped to use their rights and national administrations are better equipped to comply.

The enforcement of CFP could be heavily improved by this network approach. Just like a school of fishes swimming together for protection, this networking approach of best practices may fend off the non-compliant sharks in the water. This balance of having an informal network of Member States makes enforcement a less individualised matter, but benefits the whole. Not only through enforcement by itself, but through being an information system too. 

In summary, a similar approach as Solvit, would allow citizens and businesses to gain more access to information and allow for increased agency in order to comply with the CFP. An EAN that translates the CFP could close the gap between the legislation and its implementation. Essentially making for smooth sailing in the often choppy waters of enforcement of the CFP and anchoring Member States to cooperative problem-solving and shared responsibility.

Reeling in the solution: Solving  EFCA’s inaccessibility

The current deficiencies within EFCA’s enforcement of the CFP can be largely attributed to its inaccessibility, particularly the disconnection between the provisions and those fishermen and operators who must carry them out. This is not particularly surprising – one look at the agency’s webpage will reveal that it is almost as complex to navigate as the Regulation setting out EFCA’s tasks and competences. The online page contains little information on the agency beyond its general mission and current activities, causing those working in the field who seek clarity on the implementation of certain provisions to feel like fish out of the water.

With this in mind, the following soft-law solution can be brought forward to remedy the agency’s inaccessibility. In light of the widely successful EU initiatives of ‘Solvit’ and the ‘AI Service Desk’, the EFCA could adopt some of these ideas and introduce a direct line of contact with legal experts through its webpage. Much like ‘Solvit’, the EFCA website should include an ‘Ask the experts’ tab where those knowledgeable on how the implementation of the CFP works in practice can answer those who are less experienced in real time.

One might reasonably wonder why this should be an EU matter. At first glance, it might seem that the EU has bigger fish to fry. Why should the EU offer a solution to what seems like a national implementation problem? The answer is simple – EFCA comprises almost 2000 Union inspectors and 3000 trained officials coming from all 27 Member States. As such, it contains a wider circle of experts than any national fisheries agency. An EU-wide ‘Ask the Experts’ line would therefore create a wide and diverse network of specialists in the field who can provide up-to-date information to any fisheries professional within the Union.

The bottom line is that, as proven by past EU-driven initiatives, the best way to ensure compliance with the agency’s complex rules is to bring these laws closer to the very people who are expected to implement them. By bringing industrial operators and fishermen into direct contact with legal experts who can easily answer their questions, EFCA will streamline the current national and individual compliance of the CFP. In doing so, the agency will strengthen the professional development of these individuals, ensuring the long-term sustainability of our waters and echoing the familiar proverb that “if you give a man a fish, you feed him for a day; if you teach him how to fish, you feed him (and our fisheries) for a lifetime.”

 

By: Jørgen, Ludovica, Stefania  & Patrycja 

In Minority Report, a specialised police unit attempts to prevent crimes before they happen by relying on predictions based on large amounts of personal data. While Europol’s work does not involve pre-crime scenarios or Tom Cruise chasing future criminals, the increasing use of large datasets in criminal investigations should make us wonder: how far can data processing go before it challenges fundamental rights safeguards? In order to not have to find out the hard way, preventative measures are required. We therefore believe it is necessary to establish joint controllership over data with regional units and the ability for those responsible for oversight to proactively scrutinize Europol’s actions.

Supervision protocol

Over the past decade, Europol has evolved from a coordination platform for national police forces into the European Union’s central information hub for criminal intelligence. The Agency’s digital tools and databases enable it to dismantle criminal networks, support Member States investigations, coordinate operations, and shape EU policy.

This growing role has raised important regulatory questions, especially concerning the processing of large datasets containing personal data. Under the 2016 Europol Regulation, the processing of personal data can be permitted only in relation to persons suspected of having committed a criminal offence within Europol’s competence, individuals convicted of such offences, or persons for whom there were factual indications or reasonable grounds to believe they would commit them.

The EDPS, short for European Data Protection Supervisor, is the independent authority responsible for monitoring the processing of personal data by EU institutions and agencies. In 2022 the EDPS started an investigation at the end of which it found that Europol had not been compliant with its own Regulation.

Findings pointed to an increasing use of personal data not linked to criminal activity that had been sent to Europol by Member States for intelligence purposes. The EDPS was concerned about the principles of data minimization, proportionality and necessity. As a consequence, the authority ordered Europol to delete all personal data that did not show the required link with criminal activity.

Despite this order, the 2022 Europol Regulation legalised the disputed practice, effectively overriding the EDPS instructions. The new legislation allows Europol to process personal data of individuals not linked to criminal activity when Member States request its support and the processing is considered necessary for investigations. The EDPS challenged these provisions before the General Court in Case T-578/22 (EDPS v Parliament and Council). However, the action was declared inadmissible, as the Court found that the amended regulation did not directly affect the EDPS. As a result, the EDPS was considered not to have standing to bring the case.

This episode reveals a significant gap in the supervision of Europol’s expanding data-processing powers: by declaring the action inadmissible, the Court significantly limited the judicial oversight of Europol’s processing operations, raising pressing questions about who controls Europol and how effective that supervision is.

Expansion: Possible?

Curtailing the ability to scrutinize the agency is a surprising and shocking development, especially so in the light of the agency’s constant expansion into the data processing sphere. Europol has expanded many times already, developing and creating new teams and tools to meet the challenges that are faced by law enforcement. In May 2025, a new proposal to strengthen Europol’s mandate was filed by the European Commission.

For the most part, the proposal boils down to the European Commission having the desire to double the agency’s staff and have it turn into an (autonomous) operational agency. Whereas at this moment Europol essentially requires complete Member State cooperation for most of its activities, giving them increased autonomy would take away that requirement and subsequently also remove any safeguards involved at a Member State level.

Alternatively, doubling the agency’s staff would almost certainly mean significantly higher productivity – bringing with it the ability to harvest significantly more data. The evolution of Europol from a coordination body into an intelligence-fueled operational agency reflects a deliberate policy choice to respond to the growing sophistication of transnational organised crime and terrorism. However, this institutional trajectory creates a structural tension, specifically in relation to data protection.

Although the reform proposal is unlikely to pass as is, the continued push to grow highlights the Commission’s resolve to keep building up the agency. Any such growth in mandate needs to be met with equally robust measures to keep the agency in line and on target, just like the EDPS suggested. After all, as Europol’s data processing capabilities expand, the legal architecture governing those capabilities risks falling behind. Increased operational capacity is not inherently a bad thing. In fact, it is necessary. What is bad however is the absence of a simultaneously evolving oversight framework that can ensure efficiency does not infringe upon the rule of law.

The reckoning of reforms. Proportionality threshold for data processing

The current oversight architecture for Europol can be considered fragmented, since it is distributed across actors with differing mandates, varying degrees of institutional independence, and uneven access to operational information. This “problem of many eyes” on the forum side often results in a multiple accountabilities deficit, where the shift of power to the EU level is not accompanied by a corresponding shift in oversight. A coherent reform framework must therefore address accountability at multiple levels simultaneously to prevent disassembled accountability. This is where mechanisms are disconnected from the actual use of data. A two-level model, encompassing parliamentary and expert layers, offers the most coherent response to this deficiency.

At the parliamentary level, the role of the Joint Parliamentary Scrutiny Group (JPSG) requires substantive reinforcement. The JPSG currently exercises a form of political oversight that lacks the instruments necessary to translate scrutiny into accountability. It cannot veto operational priorities, nor can it compel Europol to produce transparency reports on specific data processing activities. This renders the parliamentary layer largely reactive. It is capable of raising concerns ex post, but limited by information asymmetries in its ability to shape conduct before harm materialises. Reform must therefore extend the JPSG’s mandate to include not merely the right of inquiry, but a power to direct the scope of transparency obligations.

At the expert and administrative level, the EDPS must be repositioned from a supervisory monitor into a watchdog. Under the current framework, the EDPS has the authority to investigate and issue recommendations, but its role remains predominantly advisory. The vulnerability of the current model was exposed when the legislator ignored an EDPS order to delete data lacking subject categorisation, instead retroactively legalising the practice. Elevating the EDPS to a watchdog, tasked with giving prior authorisation for high-risk data processing, would introduce a meaningful and demonstrable compliance with fundamental rights standards.

The theoretical foundation for this reform is rooted in McCubbins and Schwartz’s distinction between “fire alarm” and “police patrol” oversight. This framework captures the structural deficiency currently facing Europol. A fire alarm is reactive and decentralised, relying on external actors to signal failures. In contrast, police patrol oversight involves proactive and systematic monitoring by the legislature itself. While McCubbins and Schwartz argue that legislators prefer “fire alarms” for its cost-efficiency, this model assumes a level of transparency that Europol, given its operational nature, frequently lacks. Because the agency operates in domains where “fires” are often invisible to the public until harm has occurred, the reliance on reactive measures is not sufficient.

Following its mandate expansions, Europol’s discretionary scope has grown faster than the mechanisms designed to contain it. The current framework still relies heavily on “fire alarm” measures, including parliamentary questions prompted by media, EDPS investigations triggered by complaints, and judicial review initiated by affected individuals. These instruments do not constitute a system of proportionate control over an agency with the data processing scope that Europol now has. Thus, the reform proposal outlined above is premised on a transition toward police patrol oversight, institutionalising proactive scrutiny at each layer. In this sense, proportionality in Europol’s data processing is not only a matter of data protection law. It is, more fundamentally, a question of institutional design

Joint controllership framework for Europol and national units

As it stands, responsibility is fragmented whenever Europol processes data jointly with a Member State’s national unit. Europol has its own separate special regime when it comes to data processing, contained in the Europol Regulation. That said, Article 3 and Chapter IX of the general regulation EUDPR still apply to operational personal data unless the Europol Regulation provides otherwise.

Because of this special regime, Europol is supervised by the EDPS while national units fall under their national data protection authorities. Cooperation between the EDPS and the national authorities is institutionalised by a Cooperation Board. This board was established to ensure consistent levels of data protection union-wide. The 2022 EDPS case exposed the gaps created by this system, as the Member States were caught sending data to Europol – an infringement over which no single authority had been allocated oversight responsibilities.

Differing national laws, uneven sources and the exclusively advisory nature of the cooperation board are the main problem drivers. Together these factors contribute to weakened protection, lack of supervision and discord in how consistently data is protected across Member States. This led us to an alternate possible solution to improve the current data protection system: the possibility for Europol and the national units to be cast as joint controllers. By designating Europol and contributing national units as joint controllers under a lex specialis provision in the Europol Regulation, uncertainty is stripped away from parties and the availability of a stronger data protection safeguard in cross-border investigations would be ensured. In order to effect this change, publicly accessible policy should be put in place that specifies who does what and is enforceable by both the EDPS and relevant national data protection authorities.

Joint controllership should be guided by Article 26 of the General Data Protection Regulation (GDPR) but adapted for law enforcement use in line with the Law Enforcement Directive. Although joint controllership imposes a bigger administrative burden, its implementation would be proportionate given the fundamental rights impact of data processing. In the case of joint controllership, the parties share responsibility for determining the purposes and/or the means of data processing. Furthermore, in accordance with article 82(146) GDPR, each controller should be fully liable for all damage. This approach would be the most effective as it aligns with the national tort law of different Member States and should ultimately lead to more transparency and greater accountability in joint operations.

 

 

By Oliwia, Kaloyan and Carolin

The problem and regulatory framework

Understanding who enforces medicines regulations in the EU is the real clinical trial - side effects include confusion and legal headaches.

Imagine a pharmaceutical company fails to report a serious side effect. A national authority might detect the issue, the European Medicines Agency (EMA) would investigate it, but the final decision on penalties would be taken elsewhere. Because the responsibility is divided between different institutions, it becomes unclear who is actually accountable.

This post explores why, despite detailed rules and strong institutions, responsibility in EU pharmaceutical enforcement can become so fragmented that no single actor is clearly accountable.

The EU pharmaceutical regulation is built on a comprehensive legal framework. Directive 2001/83/EC sets out the general rules for medical products. For authorised medicines distributed within the EU, Regulation (EC) No 726/2004 establishes EMA’s role and powers. Furthermore, instruments such as the Clinical Trials Regulation and strengthened pharmacovigilance rules further strengthen and monitor safety obligations across the EU. The framework is extensive. However, the way the rules are applied determines whether they actually matter.

Pharmacovigilance rules

Legal requirements and guidelines ensure that medicines are monitored for safety, so their benefits outweigh their risks.

Here is where things get complicated. In practice, enforcement is divided between different actors, each with a specific role:

• National authorities detect problems at the Member State level
• The EMA investigates and assesses possible violations
• The European Commission decides whether to impose fines

This means that while EMA plays a central role in supervision and investigation, it cannot impose fines. Even though the financial penalties can reach up to 5% of a company’s EU turnover for certain infringements, the power to impose the fines rests with the Commission. This creates a gap between the investigation and the ensuring of compliance. When enforcement is shared, establishing accountability becomes more difficult.

Comparative perspective

By contrast, other EU agencies such as the European Securities and Markets Authority (ESMA) and the European Central Bank (ECB) have the power to investigate violations and impose fines directly. Therefore, the EMA model stands in contrast. For example, ESMA can directly supervise specific market actors, adopt binding decisions, including financial penalties, without relying on another EU institution. Similarly, the ECB supervises banks and imposes sanctions for breaches of EU banking rules.

These differences in enforcement powers become clearer when we look at how the system operates in practice.

How Enforcement Works in Practice

Four years, nineteen medicines, zero fines

The only infringement procedure ever opened under EU pharmaceutical law tells us less about wrongdoing than about how the system divides authority.

80 K+ ADVERSE EVENTS LEFT UNREVIEWED

4 yrs EMA INVESTIGATION DURATION

€0 FINANCIAL PENALTY IMPOSED

How it began

In 2012, a routine inspection by the UK’s MHRA uncovered a significant failure in Roche’s pharmacovigilance systems: over 80,000 adverse event reports, including more than 15,000 patient deaths, had never been properly assessed. These were not necessarily drug-related, but under EU law, they were required to be reviewed. They weren’t.

These obligations arise from EU pharmacovigilance rules, which require companies to continuously monitor and report adverse events for authorised medicines.

The MHRA passed its findings to the European Commission, which referred the matter to the EMA.

The procedure, step-by-step

2012	● MHRA inspection identifies violations 80,000+ unreviewed adverse events found in Roche’s pharmacovigilance database. The Commission refers the case to the EMA.
2012-16	● EMA conducts a full investigation Four years of review across Roche’s centrally authorized portfolio. The EMA builds a detailed, factual and legal case.
2016	● Violations confirmed across 19 products EMA findings sent to the Commission. The potential fine under Regulation 658/2007 ran to hundreds of millions of euros.
Dec 2017	● Commission closes the procedure Roche provides commitments to fix its reporting systems. The Commission accepts them. No fine is imposed.

Who did what?

 

MHRA identified problem

→

Commission referred to EMA

→

EMA investigated  (4 yrs)

→

Commission decided outcome

 

How to read the outcome

ENFORCEMENT DID HAPPEN Roche implemented remedial measures. The EMA’s investigation produced a detailed record of the failures. Accepting commitments is a standard tool in regulatory practice, used routinely in EU competition law. This shows that enforcement in EU pharmaceutical regulation often focuses on correcting behaviour rather than imposing financial penalties.

DIVISION OF ROLES The institution that spent four years building the case had no formal say in how it ended. The Commission, which decided, was not required under the regulation to give detailed public reasons for preferring commitments to a fine. The Commission’s choice to accept commitments rather than impose a fine fell squarely within its enforcement discretion, which is a discretion the Court of Justice has confirmed in a 2022 European Parliament study, p. 8 – “near absolute,” with individuals holding no standing to challenge the Commission’s reasoning for declining to act.

 

KEY OBSERVATION

The EMA carries the full investigative burden. The Commission carries the full decisional authority. The current framework does not clearly require either institution to publicly explain how investigative findings translate into final decisions.

 

This design is not an accident. Under Commission Regulation 658/2007, enforcement is explicitly split: the EMA investigates, while the European Commission decides on the outcome. What the Roche case shows is not simply how a single procedure unfolded, but how decision-making power is distributed across different actors, and how this affects the visibility of responsibility within the system.

This raises a broader question: when multiple institutions contribute to an enforcement outcome, how can responsibility for that outcome be clearly identified?

Who is responsible? The problem of many hands

The Roche case exposes a recurring difficulty in EU enforcement: when multiple institutions each follow their own rules correctly, yet the final outcome is still flawed, it becomes genuinely unclear who bears responsibility. This is the “problem of many hands”.

Understanding Thompson’s concept

Dennis Thompson identified a challenge that appears in any organisation where tasks are split between multiple bodies. He called it the problem of many hands.

“When responsibility for an outcome is spread across many actors, each of whom has followed their own rules correctly, it becomes very difficult to identify who is responsible for the overall result.” 

Dennis Thompson, 1980

Applying this to EU pharmaceutical enforcement

In the Roche case, the EMA, the Commission, and the MHRA each performed their role within their legal powers. At the same time, enforcement did take place: violations were identified, investigated, and addressed through corrective measures.

However, because these steps are carried out by different actors, no single institution oversees the entire process. When the procedure ended without a fine and without a detailed public explanation, it became difficult to identify who was responsible for that outcome. This is not a failure of any single institution, but a feature of the system itself. This means that responsibility becomes structurally diffused across different stages of enforcement, rather than clearly attributable to any single actor.

Where responsibility sits, and where it does not

Political oversight does not focus on individual enforcement decisions, and where no formal sanction is imposed, judicial review may be unavailable, raising concerns under Article 47 of the Charter of Fundamental Rights, which guarantees the right to an effective remedy.

Accontability and design

Mark Bovens explains that accountability requires a clear forum, meaning there must be a body to which an actor explains and justifies its decisions. In this case, there is no point in the system where the overall enforcement outcome must be fully justified. As a result, accountability is missing precisely at the level where responsibility should be established. While individual steps can be reviewed, the final result of the procedure is not clearly subject to full accountability.

 

Unlike the EMA, both ESMA and the ECB can investigate and impose sanctions directly, meaning the institution that builds the case also bears responsibility for the outcome.

The issue is therefore not that enforcement is absent, but that responsibility is not clearly visible within the current system. Addressing this does not require a complete redesign, but targeted adjustments that make responsibility more transparent. Granting the EMA limited sanctioning powers,  following the ESMA model,  would close the gap between investigation and outcome. Requiring the Commission to publish reasoned decisions when closing cases would make the exercise of its discretion visible to Parliament, courts, and the public alike. As enforcement increasingly operates through shared structures, making responsibility visible is not optional, it is a precondition for accountability to function at all.

By Martin, Alexandra, Gillis and Julia

While defence is and has always been a national responsibility of each European Union (EU) Member State, defence coordination and efficiency is now more important than ever. The European Defence Agency (EDA) was founded in 2004 to promote defence collaboration in the EU and to promote integration within the EU’s Common Security and Defence Policy (CSDP) between Member States. Although defence spending has gone up in Member States, the EDA has consistently failed to meet its collaborative procurement benchmark and has been criticised for lacking teeth.

This blog post will therefore explore the economic reasoning of collaborative procurement behind the EDA and its historical development, after which the current geopolitical context will be analysed and how the EDA could and should react to this. This blog post argues that the EDA could be redesigned, by implementing several reforms and aligning its tasks with the current geopolitical context.

Spending More, Wasting Less

Europe is arming up. The EU’s 27 Member States spent €343 billion on defence in 2024 alone. But more money does not automatically buy more security. Better results mean more real military capability per euro spent.

This can be achieved through quicker procurement, fewer duplicated national projects, and forces that can work together when it matters. That is the core economic argument for European defence cooperation. If Member States keep spending, buying, and developing in parallel, a great deal of that money risks being lost to fragmentation and inefficiency instead of being turned into usable collective strength.

At its core, the idea is straightforward, cooperation can help Member States to get more value from every Euro they spend. Defence equipment is extremely costly to research, produce, maintain, and upgrade. When each State follows its own path, defence orders stay small, due to limited national demand and technical standards that differ. Furthermore, national forces may end up utilizing systems that do not work well together within cross-border integrated forces. Economists describe this as a problem of fragmentation and the loss of economies of scale. In simple terms, the Member States individually, without coordinating their efforts, can end up paying more for less.

Defence can also be described as a special market. Governments do not buy ammunition, tanks or missile systems the way consumers buy groceries, phones or cars. National security concerns, political sensitivities, and domestic industrial interests often keep procurement focused and protected within national borders. This makes coordination harder, but also more necessary. The more procurement remains nationally fragmented, the greater the risk of duplication, incompatibility, and inefficient spending. The European Commission has repeatedly argued that a more integrated European defence market would support larger-scale production, stronger innovation, and more efficient procurement outcomes across borders.

Seen from this perspective, the economic rationale behind the EDA is not simply about “more Europe”. It is about reducing costs, overcoming coordination problems, and helping Member States turn rising defence budgets into stronger, more compatible, and more efficient capabilities.

The European Defence Agency

The EDA when European governments were increasingly aware of a growing contradiction in their defence policies. On the one hand, security challenges were becoming more complex and often required collective responses. On the other hand, defence remained highly fragmented, with each Member State’s planning, spending, and procuring largely on its own.

This fragmentation was not a new problem, but it became more visible in the early 2000s. The EU’s experience in the Balkans during the 1990s exposed limitations in Europe’s ability to act cohesively in crisis situations. At the same time, global developments such as the September 11 attacks reinforced the need for more coordinated approaches to security and defence. European countries were also facing increasing pressure to do more with limited resources, while still maintaining a wide range of national military capabilities.

In light of these developments, the EDA was established to help address a key question: how can European countries cooperate more effectively in defence without giving up control over their own armed forces?

The Agency’s original legal basis was set out in a 2004 Joint Action under the EU’s Common Foreign and Security Policy. Its role was later formalised in the Treaty of Lisbon, where Article 45 of the Treaty on European Union defines its main tasks. These include identifying capability gaps, encouraging cooperation between Member States, supporting defence research and industry, and evaluating whether agreed commitments are being followed. Its current structure and functioning are further detailed in Council Decision (CFSP) 2015/1835.

Notably, the EDA was not designed as a powerful central authority. Instead, it was conceived as a facilitator, an institution that could bring Member States together, provide expertise, and promote cooperation, without overriding national sovereignty. In other words, it reflects a broader EU approach to defence: improving coordination rather than centralising control.

Academic observations highlight this balancing act. Some scholars argue that the EDA represents a pragmatic solution, allowing states to work more closely together while keeping ultimate authority at the national level. Others point out that this same design also limits its impact, as cooperation ultimately depends on whether Member States choose to follow through on shared priorities.

In this context, the creation of the EDA was less about transforming European defence overnight, and more about managing an existing tension: the need for collective action in a policy area that remains deeply tied to national sovereignty. This tension continues to shape both the Agency’s role and its limitations today.

A New Geopolitical Era

After Russia’s invasion of Ukraine, which led to ammunition shortages in the Ukraine and the EU, supply-chain pressure and wider uncertainty about European security, Member States have faced pressure to procure their military goods as quickly and efficiently as possible. The last years have however shown that this increase in urgency has not led to increased cooperation and that Member States still often value their sovereignty more than collectively procuring military goods. This may lead to duplication and over-reliance on non-EU suppliers.

This is also shown by the EDA’s collaborative procurement benchmark, set since 2007. As mentioned previously in this blog post, this benchmark has never been met. While the EU has estimated that the total EU defence expenditure has reached €381 billion in 2025, this increased spending has not been accompanied by a proportional increase in joint procurement among Member States.

An example of this is the French and German Future Combat Air System (FCAS), EU’s next generation fighter jet program, which aimed to improve the EU’s strategic autonomy and increase cooperation. While this could have been a great way to enlarge collaborative procurement among Member States, the FCAS has been described as potentially collapsed after Germany chose to purchase United States’ F-35 combat aircrafts instead of developing and procuring these via the FCAS-program.

The European Defence Agency 2.0

As described above, the geopolitical context in which the EDA operates has changed significantly since its establishment in 2004. Defence procurement has grown and become more urgent, but not necessarily more coordinated. While the industry grows, the economic inefficiencies, as described in section I, remain. This is where the redesigned role of the EDA comes in. By increasing coordination along the procurement chain, the EDA can address inefficiencies. Putting this into practice, requires structural rethinking the role of the EDA.

According to André Denk, EDA’s chief executive, the desire from Member States to do more on defence at EU level in line with the EU’s Defence Readiness 2030 programme, has increased. Denk introduced the redesigned role of the EDA in response to this call from Member States and the current turbulent geopolitical times. While the EDA’s traditional role remains, in essence, to coordinate rather than to centralise control, the amount of Member States in favour of expansion of the EDA’s mandate is rising. The EDA has called upon the Member States to: “use us to take forward the projects that one member state cannot.”

This call for a redesign of the EDA was also supported by former Estonian president and chief coordinator for the Common Foreign and Security Policy, Kaja Kallas. Kallas made a statement on the inefficiencies in EU defence procurement. She spoke about the lack of complementary procurement, the focus on national interest, and persisting fragmentation. Kallas concluded that the EDA needs to lead, not just facilitate, thereby expressing her vision for a stronger EDA.

Coming back to the EDA’s core tasks, these were designed to be open norms. The redesign does not change the architecture, but the political willingness to use it. As defence ministers increasingly speak with a sense of urgency, the EDA’s role naturally increases in terms of coordination. In other words, a revised role for the EDA does not require a new agency, rather, it requires Member States to make fuller use of the one they already have.

The EDA proposed five revised lines of action:

1. Scaling up research;
2. Consolidating EDA’s central capability role;
3. Support joint procurement;
4. Secure resources;
5. Leveraging existing partnerships.

Apart from increasing budgets for already existing competences, the EDA’s goal is to take a more prominent role in the supply chain. In practice, this results in the EDA to target shared requirements for joint acquisition before contracts are put to market. This strategy can improve efficiency in concrete ways. When demand is aggregated earlier and common requirements are established at the EU level, Member States can benefit from larger production runs, reduced unit costs, and greater leverage with suppliers. Furthermore, existing partnerships with, for example, Ukraine, Turkey and Canada are to be strengthened under the EDA procurement framework. This redesigned EDA is stepping beyond pure facilitation and increasingly towards centralisation, answering the Member States’ calls.

Important to note is that the EDA operates within fixed structural limits. The EDA does not control national defence budgets, cannot compel Member States to procure jointly, and works alongside existing power frameworks (e.g. NATO). Therefore, it is likely that a lot of core defence industry will remain at national level. The shift towards a modern, strategic EDA 2.0 depends not on institutional reform alone but remains dependant on genuine political willingness among Member States to use the EDA for the projects that no single country can advance on its own.

Coordination Is No Longer Enough

The EDA coordinates EU Member States to work together more effectively in defence. The idea is simply that cooperation can help countries avoid inefficiency waste, save money, and build military capabilities that work better together. But the EDA was never given strong powers of its own. It was designed to support and coordinate, not to force Member States to act. This has become a growing problem under current geopolitical developments. Defence spending is rising fast, yet joint procurement remains limited. In today’s security environment, this is harder to defend. If the EU wants better results from higher spending, the EDA must move beyond coordination alone and play a stronger strategic role.

By Ella, Mafalda, Daria, Melanie and Samantha

The 2026 World Cup is not the only thing FIFA (Fédération Internationale de Football Association) must keep an eye on. Behind the dynamic and thrilling world of football, lies a concealed truth. Through the exorbitant transfer fees and the hidden ownership structures, football clubs became the ideal target for money laundering. This is why this area will be regulated by the Anti-Money Laundering Agency (AMLA), an EU (European Union) agency which aims to investigate and prevent money laundering. Since May 2024, football clubs have been included in the anti-money laundering framework by the Regulation 2024/1624 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLR), and, therefore, need to streamline their corporate structure, prepare information and documents for upcoming transactions, and ensure operation of a solid compliance function by July 2029. However, as of 2026, no guidelines or standards that target football clubs have been issued, leaving football clubs in the dark about how to interpret the new requirements. The decision to include football clubs in the AML regulation has been surprising and somewhat counterintuitive, because football clubs do not even qualify as financial entities.   So why is money laundering so prolific in football clubs that it needs to be regulated by AMLR? What is the role of the newly established AMLA when it comes to the regulation and supervision of football clubs?

1. Why can football clubs attract dirty money? 

Money laundering works by making illicit funds appear legitimate, often by moving them through ordinary businesses and transactions. Football clubs are especially attractive for that purpose because it combines high financial volume, cross-border transactions and often opaque ownership structures. As AMLA itself explains, money laundering often disguises the criminal origin of funds by routing them through legitimate businesses and football clubs can offer exactly that kind of cover. 

The football sector has a number of characteristics that make it vulnerable. The Financial Action Task Force (FATF) has long warned that football has become a global industry with rapidly growing investment, whilst its regulatory frameworks have not always kept pace with the risks associated with that growth. This sector involves substantial financial flows that are sometimes difficult to assess, including transfer fees, sponsorship deals, payments to intermediaries and cross-border investments. This creates a lot of opportunities for criminals to funnel dirty money into seemingly normal business activities. 

Scholars argue that the football industry has become increasingly vulnerable to illicit financial activities due to its complex organisation, large financial flows and opaque ownership structures. These characteristics are significant because they facilitate the concealment of the true origin of funds, the disguising of beneficial ownership and the justification of unusual payments as part of standard football business practice. In other words, the problem is not football itself, but the way its financial ecosystem can be exploited. 

The point is not that football clubs are inherently criminal. The problem is that its financial ecosystem can convert suspicious funds into transactions that look commercially and socially legitimate. These structural vulnerabilities become especially visible in the transfer market, where large sums, cross-border deals and multiple intermediaries create clear opportunities for money laundering. 

2. How can money be laundered through player transfers?

One of the money laundering tactics used in the football sector to disguise the illicit funds is through the over-evaluation of players in transfers. Since the Bosman ruling in 1995 international player transfers have rapidly increased. In 2022 FIFA reported that international transfers had surpassed 20,000 players. In 2023 FIFA reported transfer fees reached up to 9,63 billion dollars, which shows a staggering 48.1% increase from 2022. The report also showed a record in cross-border transfers of 74,836 dollars.

The difficulty of assessing the value of a player, makes it easy to artificially inflate the price and move money. In football players are often transferred prior to their contracts ending, thereby the high transfer fee comes from the compensation of the new employer to the previous employer. In order to attract players, clubs and managers, benefits such as housing, cars or family arrangements may be included in deals, which increases the number of financial transactions and further obscures the transfer prices.

Football agents are under the microscope of Regulation 2024/1624 (AMLR) alongside football clubs as football agents often negotiate contracts in player transfers. In 2019, Portuguese authorities’ Operation Red Card investigation uncovered a player transfer from Porto to Real Madrid worth 50 million euros of which 9 million was paid to two agents. According to the financial reports, Porto earned 28,4 million euros from the transfer. The remaining sum of 21,6 million euros was split between three parties: two of whom were football agents.

In 2020, Spanish authorities uncovered a criminal network of several European football clubs which made fake player transfers to launder profits. The investigation uncovered 10 million euros laundered through ghost transfers through a Cypriot football club. To conceal the origins of the dirty money it was invested into Spanish luxury assets such as yachts and real estate.

3. What do the new AML obligations for football clubs entail?

The logic is straightforward. The same features that make football economically successful also make it vulnerable to financial crime. 

European authorities have seen how standard football deals can be inflated artificially and these risks are now considered structural to the industry. With that logic in mind, AMLR aims to close the regulatory gap and ensure consistent supervision across Member States.

Football clubs and agents are now classified as “obliged entities” among some other non-financial actors, who must implement customer due diligence (CDD) to prevent financial crime under the AMLR. 

In practice, this means that football clubs need to:

• Check who they deal with verifying the identity of buyers, investors, sponsors, players and agents (conduct CDD).
• Understand where the money from sponsors and investors comes from.
• Monitor transactions and watch for unusual payments, inflated transfer fees, or complex ownership structures.
• Report suspicious activity to authorities if the activity looks like money laundering.
• Keep records storing documents and transaction data for several years.

This provision aligns the clubs with other high-risk sectors and, when suspicious activity is identified, AMLA will play an indirect, yet important coordinating role: directing national supervisors, harmonising standards, and – in extreme cases – supervising risky companies itself. 

4. However, what legal mechanisms actually give AMLA the power to regulate this area?

AMLA is an EU agency based in Frankfurt, Germany. The agency derives its powers from the regulatory framework established in Regulation 2024/1620 (AMLA Regulation). This framework was part of the AML/CFT (Anti-Money Laundering and Combatting the Financing of Terrorism) package adopted in 2024. The legal basis of these provisions is Article 114 TFEU, which serves to ensure the proper functioning of the internal market. Its powers are set out in Article 6 of the AMLA Regulation and include the supervision and investigation of high-risk entities and supporting Financial Intelligence Units (FIUs) in their tasks by issuing recommendations and harmonising national frameworks when it comes to AML. AMLA also has the power to impose pecuniary sanctions. On 1 January 2026, the European Banking Authority (EBA) completed the transfer of all its AML/CFT to AMLA, thus giving it the power to enforce EU law.

AMLA extends its powers to non-financial entities as well. Given the fact that this is traditionally an area regulated by national provisions, the rollout of AMLA’s powers is delayed to 2027 when it comes to non-financial entities, and to 2029 when it comes to football clubs. As we know from ESMA, agencies can only exercise discretionary powers as long as they are within a clearly defined framework. Indeed, AMLA must assess the limits of these powers and how exactly to effectively play its role when it comes to non-financial entities while staying within its legal mandate. As financial and non-financial entities are different in nature, AMLA also possesses a different role when it comes to implementing EU law. It therefore must make sure it remains within the bounds of Article 5 TEU and does not take any measure which could undermine the principles of subsidiarity and the conferral of powers.

The delay of the supervision of football clubs proves how difficult this area is to effectively regulate. In that case, we can ask ourselves whether AMLA is truly ready to effectively regulate this area.

5. Is AMLA ready to take on the challenge of regulating football clubs and agents?

With football clubs now forming part of the EU AML framework as non-financial obliged entities, subject to due diligence and monitoring of regulated transactions (Article 3(3)(o) AMLR), compliance considerations become increasingly prominent. 

Although the relevant requirements will only take effect from 10 July 2029, their implementation requires significant preparatory work. For instance, football clubs will require time and resources to streamline their corporate structures, conduct CDD on prospective investors and sponsors, adopt new procedures, and perform necessary training for the employees.

While AMLA will not act as a direct supervisory body for football clubs, it has two general means of influencing the sector. First, AMLA will develop guidelines and standards applicable across the industry (e.g. Articles 19(9), 28(1) AMLR). Second, the agency may take direct control over an entity posing a threat to the AML/CFT regime as the measure “of the last resort” under Article 42 of the Anti Money Laundering Directive 2024/1640. Other enforcement obligations rest primarily on the shoulders of the national competent authorities of the Member States, which may, among other things, grant compliance exemptions for football clubs falling below the 5,000,000 euros annual turnover threshold (Article 5 AMLR).

While the measures “of the last resort” are unlikely to become relevant until AMLR applies to football clubs in 2029, the need for standardisation and guidance is already evident. To address this, in 2026, AMLA intends to map out the supervisory practices in relation to non-financial obliged entities, including football clubs. By the fourth quarter of 2026, AMLA aims to create benchmarks and methodology for assessing and classifying the risk profiles of obliged entities and the frequency of reviews of those risk profiles. 

In parallel, AMLA is developing regulatory technical standards (RTS) on CDD and identification of business relationships, which will apply both to financial and non-financial obliged entities (currently in public consultation). Once adopted, RTS will apply directly to football clubs, especially in the context of players’ transfer arrangements. 

The RTS on business relationships (under Article 19(9) AMLR) will establish criteria for distinguishing occasional transactions from ongoing business relationships requiring CDD and monitoring.  While AMLR attempted to clarify the overall terminology, the methodology for assessing the factors that distinguish transactions as repeated (e.g. a single purpose of several agreements, connected parties, common intermediaries, same infrastructure) remains to be determined. 

The RTS on CDD (under Article 28(1) AMLR) will set out verification procedures, as well as documents and information that an obliged entity needs to obtain in order to enter into continuous contractual or other obligations with a third party. For football clubs, these standards will explain who to contract with, for how long, and on what terms and conditions and subject to which procedures.

Once adopted, these standards are expected to form the compliance framework for the obliged entities to determine compliance strategies and develop procedures. However, the absence of a clear regulatory strategy and delayed deadlines for finalising the standards may create regulatory uncertainty. In practice, football clubs may need to rely on general rules of money laundering when defining their compliance strategies in 2026. 

Even once guidelines are in place, it will be the development of enforcement practice that will determine whether more stringent regulation or another supervisory body will be required to sufficiently address the money laundering practices of football clubs. 

Frontex Could Play a Key Role in Preventing Member States from Keeping in Place Unjustified Internal Border Controls

By Noëlle, Isabel, Henrike, Hannah

This year, during March and April, the periodic Schengen evaluation programme targets Germany to assess the alignment of its policies with the Schengen acquis. Its record regarding the “absence of internal borders” (Article 1(3) Council Regulation (EU) 2022/922) will look very grim. The objective of establishing an area without internal frontiers (Article 3 TEU) has always been accompanied by commitments to effective migration management at external borders. Within the current political dynamic this interdependency materialises as “quasi-permanent” internal border controls. This seriously undermines the promise of Schengen as a borderless area. The paralysis to address these ongoing breaches of EU law and values calls for alternative, innovative approaches to “save Schengen”.

Notwithstanding the limitation of its mandate to external borders, it seems worth exploring what (indirect) impact the EU’s border and coast guard agency, Frontex, has on the internal dimension. This allows to identify three main stages in which Frontex’s stronger involvement could mitigate uncoordinated national measures: enhanced operational support at external borders, making its risk assessment a mandatory criterion for reinstating unilateral internal border controls, and independent monitoring of such controls by Frontex. Of course, concerns about Frontex’s fundamental rights and accountability obligations must be taken very seriously. However, strengthening such a supranational actor could resolve credibility issues and help re-establish a rule-based management of an area without internal frontiers.

Putting Schengen at risk 

The Schengen Borders Code (SBC) balances rules for managing external borders against the default mode of an area without internal border controls. Only as an exception and under strict conditions does Article 25 SBC allow Member States to reinstate internal border controls: they must be temporary, a means of last resort, and address a serious threat to public policy and national security. Depending on the reasons, Member States can prolong internal border controls beyond the initial period of six months. Their overall duration must not exceed two years and under all circumstances be proportionate (note that before the adoption of the SBC’s reform, these time limits were even stricter). 

However, the current reality looks quite different. As of May 2025, a total of eleven Schengen states had put in place internal border controls for concerns about irregular migration and security. Germany has continuously expanded the scope of its internal border controls. Since September 2024, controls take place at all land borders, with the latest renewal on 15 March 2026. Given that since 2015, France, Denmark, Norway, Sweden and Germany have continuously prolonged internal border controls for migration-related security concerns, it is fair to speak of de facto permanent internal border controls which are in effect burying Schengen.

 

There is wide-spread scholarly critique on the weak justification for internal border checks and their continuing renewal. Also, national courts are positioning themselves to bring Schengen back to life. The Bavarian administrative court declared Germany’s current border controls to be in violation of the time limits laid down in Article 25 SBC. In its ruling, the court relies on a previous ruling by the European Court of Justice (CJEU), which came to similar conclusions in the case of Austrian border controls. The CJEU emphasized that the free movement of persons is a fundamental achievement of EU integration. Thus, exceptions are to be interpreted strictly (para. 65 and 74). It also confirmed that Article 25 is sufficiently clear in striking a balance between the competing objectives of protecting national security and maintaining an area without internal borders (para. 89).

 Rethinking Schengen 

Yet, it seems like the legislature felt urged to correct the CJEU’s conclusion in its reform of the Schengen Borders Code in 2024. It inserted the “sudden large-scale unauthorised movements of third-country nationals between the Member States” as an explicit justification ground (Article 25(1)(c) SBC) for reinstating temporary border controls. Already the previous episodes of internal border controls could be considered a “valve that signals a malfunction of the Schengen Area.” The amendment reflects the underlying political dynamic in which northern Member States aim to prevent high inflows of secondary movement. This refers to migrants’ irregular onward journey whereas under existing EU rules other Member States should take responsibility for their asylum and return procedures. In the view of countries like Germany, secondary movements are a sign of the dysfunctional management of external borders. For the German government, strengthening external borders is a prerequisite for reopening the Schengen area. This interdependency fuels distrust between Northern Member States and Member States at the external borders. Moreover, it risks recourse to uncoordinated unilateralism, further putting the premises of the Schengen Area under pressure.

What remains is the search for solutions that again succeed in reconciling these interdependencies. In that regard, it is important to recall the supranational procedure in Article 29 SBC. It is specifically designed for situations “where exceptional circumstances put the overall functioning of the area without internal border control at risk”. Such cases require the Council to adopt a common recommendation on reinstating internal border controls. Frontex is plays a role in this supranational procedure as well as for Member States’ individual decisions under Article 25 SBC.

Frontex’s involvement in border control

 The EU is increasingly creating agencies to delegate certain responsibilities, especially for implementing policies more effectively and depoliticising technical tasks. Frontex is the answer to this agencification in the area of border management. It is a EU body created to offer support in all aspects of border management within a system without internal border checks. The EU’s competence for this area is enshrined in Article 67(2) TFEU for common external border control and Article 77 TFEU, which provides the legal basis for border management policy. Frontex’s mandate and competences are set out in the Regulation on the European Border and Coast Guard, focusing on support for the Member States at external borders through coordination, operational assistance, and risk analysis. The primary responsibility for border control remains with the Member States, which exercise their sovereign powers. Frontex acts through joint operations that always involve the host state’s consent and cooperation. The staff usually acts under the command of national authorities and under national law, within the EU framework. The Member States’ cooperation with the agency includes sending national personnel and technology. Germany, for example, currently supplies Frontex with 160 federal and state police officers. Frontex’s role is deliberately focused on external borders, as mentioned in recitals 1 and 34 of the Regulation’s preamble, having practically no mandate at internal borders.

Frontex’s internal reach?

Nevertheless, Frontex has indirect influence on internal border controls through different interacting mechanisms. The basis for this is the risk assessment laid down in Article 29 Regulation 2019/1896 (Frontex Regulation). This assessment should give an evidence-based view of the pressures and threats at the EU’s external frontiers and should provide Member States with the data intelligence, and strategic insights required to prepare effectively. Frontex receives information for the assessment to a large extent from national border agencies, making it highly depended on the Member States. However, this makes Frontex’s reports more comprehensive than reports of other organisations and creates motivation for policy makers to use them.

In recent years, also surveillance, which had previously been limited to external borders, has been expanded to include collecting data on the movement of persons inside the EU. Although Frontex’s focus is on external borders, the risk assessment always includes information on secondary movement. This is especially interesting for Member States like Germany, which have no external borders but can take Frontex’s risk analysis as a reference point. An incentive to do so constitutes the Schengen evaluation and monitoring mechanism. Using this mechanism, the Commission assesses Member States’ compliance with the Schengen acquis. Based on Frontex’s risk assessment, it will be evaluated what Member States can do in regard to internal border controls. Here, Member States’ willingness to integrate Frontex’s risk assessment as a systemic part of their national border control strategies counts as a proxy for compliance. In the beginning of this evaluation mechanism, the evaluation and monitoring were conducted by the Schengen Evaluation Working Party of the Council, which was composed of Member States’ representatives. Later it was shifted to Frontex, based on typical arguments in favour of agencification. The Commission criticised the process as an insufficiently strict and transparent peer-review. The Council, on the other hand, wanted to limit the Commission’s power in this procedure.

Can Frontex save Schengen?

Based on these existing competences in risk assessment and Schengen evaluation, Frontex could play a key role in breaking the vicious cycle created by the interdependency between controlling external borders and abolishing internal borders.

Ideally, Frontex becomes more strongly involved in supporting Member States at external borders. This is essential to safeguard the foundational premise for a functioning Schengen Area: effective control of access to the territory in the first place.

In the meantime, Frontex’s mandate should contribute to restoring credibility of commitment to EU law on border management. Member States shall be obliged to justify their internal border controls solely on Frontex’s risk assessment in relation to the ground of unauthorised movement in Article 25(1)(c) SBC. This can be part of a broader framework of benchmarks for the incremental abolishment of internal controls.

In the alternative, and as the weakest form of involvement, Frontex should obtain a leading role in monitoring and evaluating the compatibility of unilaterally reinstated border controls. This means that Frontex should assess their effectiveness considering the national security objectives that Member States have presented as well as the negative effects of such reinstated border controls. Both approaches mitigate the competing objectives between national control over territorial access, and the long-standing come back of an area without internal frontiers.

 

This blogpost can just be a first glimpse in this direction, and it invites for innovative thinking on institutional solutions for breaking the current deadlock in Schengen governance. Also, every expansion of Frontex’s mandate must clearly go hand in hand with more robust fundamental rights protection and accountability mechanisms. That being stated clearly, strengthening the involvement of a supranational agency like Frontex could contribute to recovering common, rule-based management of the Schengen area. Eventually, such an approach must not lose sight of the Member States’ and the Commission’s responsibility for ensuring respect for the law. Frontex’s role in internal border management may provide a promising starting point.

By Arailym, Patrick and Sondra

The road to what might be called regulatory maturity is often a long one. In EU cybersecurity regulation, a culture of vertical and horizontal collaboration is optimistic but seemingly ineffective. It likely leaves the European Union Agency for Cybersecurity (ENISA) feeling somewhat envious of the centralised enforcement powers recently vested in the Anti-Money Laundering Authority (AMLA). How feasible would it be for ENISA to follow in AMLA’s footsteps? This blog post examines whether there is regulatory space, or even a solid legal basis for such an evolution. Due to the differing contexts of financial crime prevention and cybersecurity, the limits of an analogy between the trajectories of the two agencies will become clear.

What is ENISA?

ENISA – the European Union Agency for Cybersecurity, previously known as the European Network and Information Security Agency, was established in 2004 by Regulation No 460/2004. It was reformed by Regulation No 526/2013, which was later repealed by the Cybersecurity Act.

The Cybersecurity Act granted ENISA a permanent mandate along with increased responsibilities, transforming it from a “Cinderella” agency into a key cybersecurity entity in the EU. ENISA aims to achieve a high common level of cybersecurity across the Union. Its main tasks include:

• Supporting EU legislation implementation and the development of EU-wide cybersecurity standards
• Enhancing operational cooperation and coordination among Member States, Union institutions and private sector actors
• Managing cybersecurity certification schemes to increase trust in information and communication technology (ICT)

                                   Photo credits: ENISA website

The Emergence of AMLA

The evolution of the EU’s anti-money laundering framework has seen notable advancements, starting from the initial anti-money laundering Directive (AMLD1) in 1990 to the latest updates with AMLD6, Anti-Money Laundering Regulation (AMLR), and Anti-Money Laundering Authority Regulation (AMLAR). This development signifies an expanding regulatory focus that originally targeted drug trafficking in the 1990s, evolving into a robust framework that addresses intricate financial crimes like cyber-enabled money laundering. A significant shift occurred with AMLD3, which embraced risk-based approaches for customer due diligence (CDD). The enactment of AMLD4 improved transparency by creating mandatory central registers for beneficial ownership information, a refinement further augmented by AMLD5 (2018), which required public accessibility. The recent introductions of AMLR, AMLAR, and AMLD6 establish centralised oversight while adapting to technological advancements by creating a unified supervisory body across the EU, effectively standardising anti-money laundering initiatives among member states and confronting new technological hurdles. This evolution exemplifies direct enforcement and is a new form of functional spillover that arises from internal pressure and functional necessity, rather than from external crises. This indicates that achieving the established policy goals necessitates the expansion and uniform application of EU law. Below, we delve into why and how direct enforcement is essential for ENISA to attain a high common level of cybersecurity throughout the EU.

Why should ENISA follow the same trajectory as AMLA?

The increasing frequency and sophistication of cyber threats pose significant risks to economic activities, public services, and citizens’ privacy. In recent years, the EU has implemented several legislation addressing cybersecurity, such as the Cybersecurity Act, NIS 2 Directive, Cyber Resilience Act, and Cyber Solidarity Act.

These legislations have expanded ENISA’s capacities, but they are insufficient for the EU’s ambition to enhance cybersecurity across the Union, as the success of EU cybersecurity policies relies on implementation by Member States. For example, the NIS 2 Directive has so far been transposed by only four Member States, prompting the European Commission to open infringement proceedings against 23 Member States. This presents a real risk of fragmentation across the EU, which hinders effective cybersecurity. From a functional spillover perspective, the increasing cybersecurity threats and divergent approaches among Member States suggest that ENISA’s role may need to evolve beyond its original advisory and coordinative function towards enforcement powers.

The situation facing ENISA mirrors AMLA’s earlier context – both agencies emerged in response to fragmented national practices and cross-border threats that require unified, robust responses. However, while AMLA was granted limited enforcement powers due to the ineffectiveness of the previous decentralised approach and the lack of cooperation among national AML/CFT supervisors, ENISA remains confined to coordination and advisory functions. To some extent, one could argue that ENISA’s case resembles AMLA, and granting ENISA enforcement powers would ensure compliance with EU cybersecurity standards and achieve a high common level of cybersecurity across the Union.

However, this might be an impossible mission or one that lies in the fairly distant future… Direct enforcement for the wandering ENISA faces a steep climb, blocked by the EU’s limited competences in security matters, an area still fiercely guarded by the Member States.

How this trajectory can be beneficial

As referred to above, the sole competence of Member States in matters of public and national security (recognised under Article 4(2) TEU) currently limits ENISA’s ability to gain direct enforcement powers; there is, however, precedent for derogation from the national security exemption, as can be observed in the Privacy International case (paragraph 44) in relation to the e-privacy Directive.

For now though, we must not jump ahead but instead envisage some preliminary steps that may take ENISA some distance down AMLA’s beaten path. A prerequisite of any centralisation is an unequivocal delineation of the agency’s role in a crowded regulatory environment. The elaboration of the EU cybersecurity landscape in recent years has led to a blurring of the lines between the competences of the entities involved, particularly with the emergence of several networks and centres at the EU level aiming to prepare for, respond to, or analyse cybersecurity threats and incidents. Although the notion of collaboration seems to be favoured in EU cybersecurity policy, the lack of exclusive specialisation on ENISA’s part would undermine any future enforcement remit for the agency. Thus, policymakers should pinpoint the tasks and responsibilities the execution of which would allow ENISA to contribute most optimally to the improvement of EU cybersecurity. This prioritisation of tasks would enable ENISA to enhance its operational efficiency, and ultimately its reputation, potentially paving the way for a transition to a more substantively empowered role.

 

	ENISA	AMLA
Legal basis	Cybersecurity Act (2019) & NIS2 Directive	AML/CFT Regulation (2024) & AMLD6
Enforcement powers	No direct enforcement (supports national authorities)	Direct enforcement (40+ high-risk financial entities (crypto, cross-border institutions))
Sector focus	All critical sectors (energy, health, transport, digital infra)	Financial sector priority, limited non-financial oversight
Enforcement tools	Technical enforcement i.e., cybersecurity certification, Vulnerability reporting; Operational Tools i.e., Cyber Exercise Platform for crisis simulations, CSIRT Network coordination; Compliance Leverage i.e., National strategy evaluation toolkit Biennial risk trend reports to EU institutions	Corrective measures i.e., operations restrictions, government structures; Financial sanction i.e., fines; Investigative powers.
Dispute resolution	Non-binding recommendations through Cooperation Group	Binding arbitration in cross-border supervisory conflicts

 

By Maria, Guilherme, Emilie and Chris

Source: https://www.cedefop.europa.eu/en

Still Relevant After 50 Years: A Reality Check for Cedefop

Cedefop turns 50!

In a world where labour markets are evolving rapidly, driven by digital transitions, demographic shifts, and green ambitions, it is vital that EU education and skills development is set up for success. Marking its 50th anniversary in 2025, the European Centre for the Development of Vocational Training (Cedefop) has been a cornerstone of EU cooperation in education and skills development. Some critics might question the effectiveness of Cedefop, pointing to its lack of enforcement powers as a barrier to achieving its goals. But when one looks at these goals, the role of Cedefop remains relevant and important in achieving the mission to enhance cooperation and knowledge-sharing among Member States in the field of vocational education and training (VET).

Is ‘soft power’ enough to shape the future of work?

Cedefop’s mandate is broad, and it relies solely on soft powers to achieve this. The term ‘soft power’ usually describes an ability to influence others through shared values, consensus, and cooperation, rather than through legislation or formal authority.

In practice, Cedefop has focused on two main goals: enhancing transparency in qualifications and facilitating transferability of learning outcomes across Member States. These goals support freedom of movement for learners and workers, so that credentials in one country are understood and accepted in another. This naturally raises the question about whether Cedefop has effectively fulfilled these goals.

When outcomes are seen as beneficial, rather than being forced, there is generally less pushback from governments and other actors. For many EU countries, vocational education and training has a direct influence on efforts to reduce unemployment, especially for people who may lack skills relevant to changing labour markets.

 

This figure shows the support from EU citizens to the statement: “Vocational education and training play an important role in reducing unemployment in your country”.

The skills puzzle: solving labour gaps through EU cooperation

Zooming into cooperation, there is still room for improvement. Cedefop’s effectiveness in VET partly depends on how closely it works with Member States, social partners, the European Commission, and the European Parliament. By gathering data and sharing knowledge, Cedefop encourages different national and EU-level actors to align strategies in addressing skills mismatches.

During the European Year of Skills 2023, particular emphasis was placed on upskilling and reskilling, lifelong learning, and fostering both innovation and competitiveness. These aims also support people and businesses in meeting green and digital objectives. Recognising the importance of collective efforts, and in celebrating 50 years of activity, Cedefop joined the  Eurofound, the European Agency for Safety and Health at Work (EU-OSHA), the European Training Foundation (ETF) and the European Labour Authority (ELA), in hosting a major event. This gathering highlighted how the five agencies contribute to enhancing skills development.

In discussions with the Parliament and Commission, Cedefop presented its latest report: Skills in transition – the way to 2035. The report’s key message was that Europe is facing urgent labour shortages, especially in science, technology, engineering, mathematics (STEM) and IT fields. Green and digital transitions are rapidly reshaping Europe’s labour market. To remain competitive and resilient, Europe needs well-targeted policy decisions and a fresh approach to skill-building.

Navigating duplication risks and collaborative leadership

Questions arise about overlapping responsibilities between EU agencies. Cedefop, Eurofound, and EU-OSHA share certain priorities, including improving working conditions and aligning skills with the needs of evolving economies. Nevertheless, Cedefop’s soft-power strategies continue to offer added value. It promotes collaboration by disseminating research, guiding Member States on reskilling, and working closely with other agencies to produce policy recommendations that address real-world challenges. Together, they act as “political entrepreneurs,” pushing Europe’s skills agenda forward.

Still, as Cedefop cannot compel countries to adopt its insights, progress depends on politicians and policymakers embracing them. This reality often leads to uneven outcomes; some countries quickly integrate Cedefop’s recommendations, while others may hold back. Another common concern is “duplication risk,” where different agencies might be seen as doing the same work. Cedefop’s defenders point out that each EU agency has a specific focus: Cedefop zeroes in on vocational training, Eurofound studies broader social and work conditions, and EU-OSHA looks at safety and health. Where their work converges, they aim to coordinate rather than compete.

Inconsistent Adoption of Cedefop’s Recommendations Across EU Member States

Cedefop has made recommendations for improving access to skills development and adult learning, particularly for marginalised groups. One approach Cedefop endorses is the use of financial assistance for vulnerable learners. However, the adoption of these recommendations has been far from uniform across EU Member States, with progress varying widely.

For example, Germany offers support through the National Skills Strategy for low-qualified adults who may otherwise struggle, and France has a similar program, Compte Personnel de Formation, allowing individuals, including those from disadvantaged backgrounds, to access training. Both initiatives align with Cedefop’s goals at making upskilling more accessible.

In contrast,  Bulgaria remains in the early stages of reforming their VET system. Although there are positive indications, reforming VET can take time as it often faces challenges like legislative changes and budgetary allocations which slow the pace of progress. Romania records one of the lowest levels of adult learning participation in the EU, raising concerns about whether people there can adapt to ongoing economic and technological changes.

These discrepancies highlight the need for a more consistent approach to improving skills development across Europe. However, they also indicate that responsibility does not rest with Cedefop. Given the number of EU citizens who agree that VET plays an important role in reducing unemployment, it should be clear there is incentive to work with Cedefop in improving VET.

Shaping the future

Cedefop’s impact is greatest when stakeholders recognise the tangible benefits and engage with Cedefop’s contributions to VET development. By continuing to promote advancements to VET systems, Cedefop reinforces its central role in building a competitive, forward-looking EU workforce. These efforts show that lacking enforcement powers does not necessarily limit an agency’s ability to make a difference.

Even if Cedefop’s goals remain aspirational, its contributions to policy debates and collaborative initiatives show that progress is possible despite the constraints of soft power. With half a century of experience rooted in research, collaboration, and policy, Cedefop remains committed to making VET and skills development accessible to everyone, always keeping a future-oriented perspective.

In the end, the lack of direct enforcement powers reflects the EU’s decision to preserve Member State sovereignty over education. As labour markets continue to evolve, vocational education will likewise transform, and a central EU-level body devoted to coordinating these changes seems likely to remain important. It is still an open question whether exclusive reliance on soft powers is the most effective long-term strategy for shaping vocational education, training, and skills policies, but the work of Cedefop over the past 50 years provides plenty of evidence that such an approach can achieve significant results.

www.wordsandquotes.com

 

 

By Alexandra, Helena, Gennaro and Isabella

“Eco-friendly”.“Sustainable”.“Natural” These words are everywhere — on packaging, websites, and ad-campaigns. But are they always representing the truth? Being an environmentally friendly business is increasingly popular, but not every company does what it claims to do. In fact, many companies use misleading green claims, just to appear sustainable when in reality they are not. This act of pretending is what we call greenwashing. It threatens real progress on climate goals. In this post, we break down what greenwashing is, its impact, how to recognize it, and an example of how the EU is ‘fighting back’.

What is Greenwashing?

Greenwashing refers to the practice of misleading consumers about the environmental practices of a company or the environmental benefits of a product or service. This can involve false claims, exaggerations, vague language, selective disclosure, and even visual manipulation like overusing green colors or nature imagery.

It is a practice of making misleading and false claims, convincing the public to think that the company is contributing to the protection and preservation of the environment.

But it’s not just about outright lies — it can also involve greenhushing, or the omission of relevant environmental harms while promoting minor or unrelated “green” efforts.

“In 2021, 42% of the online claims from various businesses were exaggerated, false or deceptive” according to a screening conducted by the European Union and National Consumer Authorities.

Greenwashing can take many different forms, but it usually happens when a company seeks to promote its products or services. Businesses use misleading labels, or unclear language, such as calling their product “eco-friendly” without explaining what it actually means. Some produce false data to improve their image, or selectively highlight one “green” effort to look good, while hiding their other practices that are harmful to the environment. Others rely on misleading visuals and graphics, such as using pictures of nature or overusing the color green.

Our Role in the Green Fight: A practical Guide

So how can you, as a consumer, spot greenwashing? Here is a breakdown of some tips that may be useful:

1. Start by checking for reliable third-party certifications, such as the EU Ecolabel. Be cautious of fake or self-invented eco-labels, which companies may use to simulate credibility. For example, in the “Six Sins of Greenwashing” report TerraChoice, 2007 highlights common deceptive tactics, including “the sin of the imaginary friend”, using fake third-party endorsements.

2. Be cautious of vague and unclear terminology

Terms like “eco-friendly” or “green” without clear explanations or evidence might signal greenwashing. Genuine sustainable brands usually specify exactly why and how their products or services are environmentally friendly.

3. Look beyond attractive slogans and carefully evaluate transparency

Real sustainability means companies provide thorough and detailed information about their overall environmental impact—not just selectively highlighting one minor positive action. Furthermore, truly sustainable businesses back up their environmental claims with solid evidence and detailed reports. Information about emissions or resource usage should be easily accessible and clearly documented. But this isn’t mandatory yet. Full supply chain disclosure is not required until the Corporate Sustainability Due Diligence Directive (CSDDD) comes into force. Finally, remember that visuals can also be deceptive. Overusing green colors or nature-themed imagery might make products appear more sustainable than they actually are. Such tactics are common strategies used to distract consumers from examining the company’s true environmental impact.

Moreover, consumers often lack the climate literacy needed to interpret sustainability reports, even when made available. A recent study shows that more information doesn’t necessarily lead to better understanding or choices.

Still, the abovementioned three quick steps have been summarized below: 

When Green Turns Grey: How Greenwashing Harms the EU

The consequences of greenwashing are felt at every level—from individual consumers to the broader European economy and regulatory frameworks.

Environmental Consequences

Greenwashing has severe environmental consequences, undermining the progress towards the European Green Deal and the Paris Agreement goals to transition to a low carbon economy. It diverts attention and resources from genuinely sustainable initiatives, as consumers become disillusioned and may allow companies to prosper by pretending that they’re green—without doing the work.

Consumer Deception

Greenwashing not only impacts the environment—it also misleads consumers. When companies falsely claim to be “green” or “eco-friendly,” it becomes more challenging for people to distinguish which products or brands are truly sustainable. As a result, the meaning of these terms becomes weaker and more confusing. Additionally, when consumers realise that despite their efforts, they were misled by a company it also erodes their trust. They may feel discouraged, frustrated, skeptical or even stop trying to make environmentally responsible choices which may halt meaningful change.

Distorts Financial Markets

Greenwashing isn’t just bad PR—it’s bad for markets. Investors may want their money to align with their environmental values. But when companies falsely market their goods or operations as “green”, trust disappears. This creates uncertainty, discourages sustainable investing, and destabilizes financial markets. As a result, capital may flow to undeserving companies, while those that are truly working towards sustainability struggle to compete. In the long run, this risks destabilising efforts to fund the green transition – an effort that relies not only on central banks, but also on public investment, private capital markets, and citizen engagement. According to European Commission estimates, achieving the EU’s 2030 climate and energy targets will require additional annual investments of approximately €620 billion, mobilised through a combination of national budgets, EU funding instruments (such as InvestEU and the Innovation Fund), and private financing.

From Claims to Consequences: The EU’s Legal Response to Greenwashing

Among the many legislative instruments adopted by the EU in the context of the “Green deal”, one of the most recent is the Greenwashing Directive which amends the Unfair Commercial Practice Directive (UCPD) and is central for consumers. It introduces specific rules on companies’ sustainability claims, with the aim to contribute to the EU’s green transition by empowering consumers to make informed purchases using reliable sustainability information about products and traders.  The Directive includes a list of claims that are in any event considered “unfair” and prohibited, such as the use of “sustainability” labels that are not based on an independent, third-party certification scheme. This Directive is a noteworthy advancement as it will have a significant impact on how companies communicate their environmental efforts, thereby increasing safeguards for consumers.

However, even more ambitious is the Green Claims Directive which goes a step further by introducing detailed requirements for the substantiation and verification of voluntary environmental claims. Under this proposal, companies will be required to carry out scientific assessments and undergo third-party verification before making environmental claims about their products or services.

…So, the next time you see a product labeled “green,” ask yourself: is it really? Together, through awareness and accountability, both policy and public pressure can turn the tide against greenwashing – for good.

 

_{Balancing Security Requirements and Fundamental Rights Protection}

By Rebekah, Miruna, Mihai and Vesa

The EU Commission’s 2023 proposal to increase Europol’s authority, especially concerning the systematic processing of biometric data, aims to improve security regarding serious crimes. However, it also raises serious legal concerns for individuals. This blog post critically explores the tension that biometric data poses between increasing surveillance power and fundamental rights under the Charter, which questions: Can this expansion of enforcement powers be justified under the principles of necessity and proportionality, or does it risk going too far?

The Commission proposed a complementary Regulation for Europol regarding migrant smuggling and trafficking in human beings. The proposal aims to improve the coordination between Europol and the Member States regarding sharing information. This entails Member States providing Europol with citizens’ data to effectively address crimes.

But what kind of data does an agency such as Europol need to process? Europol processes biometric data. The EU has defined biometric data as personal information that can be attributed to unique human physical characteristics, such as facial features and fingerprints. Biometric data has been used by law enforcement authorities in the EU through technological advancements to surveil citizens in public spaces. Citizens have raised concerns that the EU provides law enforcement authorities with the right to interfere with citizens’ fundamental rights and freedoms.

How does Europol’s processing of biometric data place it at the center of fundamental rights concerns?

When Europol becomes involved with biometric data, it is concerned about being thrown into the deep end of some of the EU’s most sensitive fundamental rights. Article 7 of the Charter protects our private and family life, while Article 8 gives us a fundamental right to personal data protection. These two fundamental rights are shaped by how the EU needs to handle individuals’ privacy and data protection in practice. Europol is not subject to different rules and must also respect them.

Biometric data became significant with the establishment of the GDPR and the Law Enforcement Directive. This is because biometric data falls under a “special category” of data due to its sensitivity, which means it cannot be handled lightly. Europol can only process this type of data when it is necessary for law enforcement, like preventing or solving serious crimes, and even then, only with solid legal safeguards as outlined by the respective regulations.

Over the years, the Court has made it clear that interfering with fundamental rights is only allowed if it is in accordance with the principles of necessity and proportionality. That means that Europol needs to provide justification for why biometric data is truly essential for carrying out their work and ensure they are not over-collecting or casting too wide a net.

Because without tight rules and accountability, data processing can start to look a lot like surveillance. And that is especially concerning when the individuals being monitored are not even suspects, just non-suspect individuals who might get caught in the digital sweep.

Enhancing security but challenging privacy?

Proponents argue that allowing Europol to process biometric data is crucial in modernising law enforcement and bolstering our security. They claim that by tapping into advanced technologies, such as AI-powered facial recognition systems and machine learning algorithms, Europol can quickly identify and track criminal networks involved in migrant smuggling and human trafficking. This, they argue, helps prevent crimes before they escalate. For everyday citizens, this might mean faster responses during emergencies and more efficient coordination between national police forces across the EU; at the same time, it also raises legitimate concerns regarding individual privacy and data protection.

This approach is similar to the rationale behind the landmark ruling, where the Court underscored the need for a careful balance between state security and individual rights. While that case focused on mass data retention, it highlights the broader principle that privacy interference must be necessary and proportionate.

However, without mandatory measures like independent oversight by the European Data Protection Supervisor (EDPS), robust data retention rules, and enforceable accountability mechanisms, the 2023 proposal risks creating a surveillance apparatus that goes far beyond its intended scope.

How can Europol balance security requirements with fundamental rights, then? 

In contrast to the previous framework, the proposal mandates that Member States consistently provide Europol with biometric data, with no clear limitations on volume, purpose or retention.

The EDPS has raised concerns, stressing that mass collecting of biometric data such as fingerprints or facial scans without proper safeguards and guidelines could interfere with fundamental rights under the Charter. Such concerns have also been raised by citizens as, according to a survey conducted by the EU Agency for Fundamental Rights, only 17% of Europeans are willing to provide their facial photographs to public authorities for identification purposes. The findings also reveal significant differences among the Member States in countries such as Germany and Austria, who show greater resistance to the sharing and processing their biometric data, while others, such as Portugal and Spain, show a more open approach.  Additionally, the  Biometrics Institute’s 2023 Industry Survey found that 54% of participants consider privacy and data protection significant challenges when developing biometric technologies.

As Europol’s powers expand, how do we protect our fundamental rights?

A path forward should come with precise safeguards, not shortcuts. In balancing Europol’s powers on processing large sensitive data such as biometric data with fundamental rights, it is necessary to amend the Europol Regulation by adding more explicit criteria on how biometric data is collected, stored and used. Furthermore, provisions guaranteeing more transparency to avoid misuse of such data or profiling individuals with no criminal links. Lastly, carrying out an independent fundamental rights impact assessment before adopting new powers defines when biometric data can be used and how long it should be strictly limited to migrant smuggling and human trafficking. 

Hence, with clearly defined safeguards in place, the EU and law enforcement agencies, such as Europol, could strike a balance between technological developments and the protection of fundamental rights.