By: Jørgen Larsen, Ludovica Lot, Stefania Squillante & Patrycja Wirkowska

In Minority Report, a specialised police unit attempts to prevent crimes before they happen by relying on predictions based on large amounts of personal data. While Europol’s work does not involve pre-crime scenarios or Tom Cruise chasing future criminals, the increasing use of large datasets in criminal investigations should make us wonder: how far can data processing go before it challenges fundamental rights safeguards? In order to not have to find out the hard way, preventative measures are required. We therefore believe it is necessary to establish joint controllership over data with regional units and the ability for those responsible for oversight to proactively scrutinize Europol’s actions.

Supervision protocol

Over the past decade, Europol has evolved from a coordination platform for national police forces into the European Union’s central information hub for criminal intelligence. The Agency’s digital tools and databases enable it to dismantle criminal networks, support Member States investigations, coordinate operations, and shape EU policy.

This growing role has raised important regulatory questions, especially concerning the processing of large datasets containing personal data. Under the 2016 Europol Regulation, the processing of personal data can be permitted only in relation to persons suspected of having committed a criminal offence within Europol’s competence, individuals convicted of such offences, or persons for whom there were factual indications or reasonable grounds to believe they would commit them.

The EDPS, short for European Data Protection Supervisor, is the independent authority responsible for monitoring the processing of personal data by EU institutions and agencies. In 2022 the EDPS started an investigation at the end of which it found that Europol had not been compliant with its own Regulation.

Findings pointed to an increasing use of personal data not linked to criminal activity that had been sent to Europol by Member States for intelligence purposes. The EDPS was concerned about the principles of data minimization, proportionality and necessity. As a consequence, the authority ordered Europol to delete all personal data that did not show the required link with criminal activity.

Despite this order, the 2022 Europol Regulation legalised the disputed practice, effectively overriding the EDPS instructions. The new legislation allows Europol to process personal data of individuals not linked to criminal activity when Member States request its support and the processing is considered necessary for investigations. The EDPS challenged these provisions before the General Court in Case T-578/22 (EDPS v Parliament and Council). However, the action was declared inadmissible, as the Court found that the amended regulation did not directly affect the EDPS. As a result, the EDPS was considered not to have standing to bring the case.

This episode reveals a significant gap in the supervision of Europol’s expanding data-processing powers: by declaring the action inadmissible, the Court significantly limited the judicial oversight of Europol’s processing operations, raising pressing questions about who controls Europol and how effective that supervision is.

Expansion: Possible?

Curtailing the ability to scrutinize the agency is a surprising and shocking development, especially so in the light of the agency’s constant expansion into the data processing sphere. Europol has expanded many times already, developing and creating new teams and tools to meet the challenges that are faced by law enforcement. In May 2025, a new proposal to strengthen Europol’s mandate was filed by the European Commission.

For the most part, the proposal boils down to the European Commission having the desire to double the agency’s staff and have it turn into an (autonomous) operational agency. Whereas at this moment Europol essentially requires complete Member State cooperation for most of its activities, giving them increased autonomy would take away that requirement and subsequently also remove any safeguards involved at a Member State level.

Alternatively, doubling the agency’s staff would almost certainly mean significantly higher productivity – bringing with it the ability to harvest significantly more data. The evolution of Europol from a coordination body into an intelligence-fueled operational agency reflects a deliberate policy choice to respond to the growing sophistication of transnational organised crime and terrorism. However, this institutional trajectory creates a structural tension, specifically in relation to data protection.

Although the reform proposal is unlikely to pass as is, the continued push to grow highlights the Commission’s resolve to keep building up the agency. Any such growth in mandate needs to be met with equally robust measures to keep the agency in line and on target, just like the EDPS suggested. After all, as Europol’s data processing capabilities expand, the legal architecture governing those capabilities risks falling behind. Increased operational capacity is not inherently a bad thing. In fact, it is necessary. What is bad however is the absence of a simultaneously evolving oversight framework that can ensure efficiency does not infringe upon the rule of law.

The reckoning of reforms. Proportionality threshold for data processing

The current oversight architecture for Europol can be considered fragmented, since it is distributed across actors with differing mandates, varying degrees of institutional independence, and uneven access to operational information. This “problem of many eyes” on the forum side often results in a multiple accountabilities deficit, where the shift of power to the EU level is not accompanied by a corresponding shift in oversight. A coherent reform framework must therefore address accountability at multiple levels simultaneously to prevent disassembled accountability. This is where mechanisms are disconnected from the actual use of data. A two-level model, encompassing parliamentary and expert layers, offers the most coherent response to this deficiency.

At the parliamentary level, the role of the Joint Parliamentary Scrutiny Group (JPSG) requires substantive reinforcement. The JPSG currently exercises a form of political oversight that lacks the instruments necessary to translate scrutiny into accountability. It cannot veto operational priorities, nor can it compel Europol to produce transparency reports on specific data processing activities. This renders the parliamentary layer largely reactive. It is capable of raising concerns ex post, but limited by information asymmetries in its ability to shape conduct before harm materialises. Reform must therefore extend the JPSG’s mandate to include not merely the right of inquiry, but a power to direct the scope of transparency obligations.

At the expert and administrative level, the EDPS must be repositioned from a supervisory monitor into a watchdog. Under the current framework, the EDPS has the authority to investigate and issue recommendations, but its role remains predominantly advisory. The vulnerability of the current model was exposed when the legislator ignored an EDPS order to delete data lacking subject categorisation, instead retroactively legalising the practice. Elevating the EDPS to a watchdog, tasked with giving prior authorisation for high-risk data processing, would introduce a meaningful and demonstrable compliance with fundamental rights standards.

The theoretical foundation for this reform is rooted in McCubbins and Schwartz’s distinction between “fire alarm” and “police patrol” oversight. This framework captures the structural deficiency currently facing Europol. A fire alarm is reactive and decentralised, relying on external actors to signal failures. In contrast, police patrol oversight involves proactive and systematic monitoring by the legislature itself. While McCubbins and Schwartz argue that legislators prefer “fire alarms” for its cost-efficiency, this model assumes a level of transparency that Europol, given its operational nature, frequently lacks. Because the agency operates in domains where “fires” are often invisible to the public until harm has occurred, the reliance on reactive measures is not sufficient.

Following its mandate expansions, Europol’s discretionary scope has grown faster than the mechanisms designed to contain it. The current framework still relies heavily on “fire alarm” measures, including parliamentary questions prompted by media, EDPS investigations triggered by complaints, and judicial review initiated by affected individuals. These instruments do not constitute a system of proportionate control over an agency with the data processing scope that Europol now has. Thus, the reform proposal outlined above is premised on a transition toward police patrol oversight, institutionalising proactive scrutiny at each layer. In this sense, proportionality in Europol’s data processing is not only a matter of data protection law. It is, more fundamentally, a question of institutional design

Joint controllership framework for Europol and national units

As it stands, responsibility is fragmented whenever Europol processes data jointly with a Member State’s national unit. Europol has its own separate special regime when it comes to data processing, contained in the Europol Regulation. That said, Article 3 and Chapter IX of the general regulation EUDPR still apply to operational personal data unless the Europol Regulation provides otherwise.

Because of this special regime, Europol is supervised by the EDPS while national units fall under their national data protection authorities. Cooperation between the EDPS and the national authorities is institutionalised by a Cooperation Board. This board was established to ensure consistent levels of data protection union-wide. The 2022 EDPS case exposed the gaps created by this system, as the Member States were caught sending data to Europol – an infringement over which no single authority had been allocated oversight responsibilities.

Differing national laws, uneven sources and the exclusively advisory nature of the cooperation board are the main problem drivers. Together these factors contribute to weakened protection, lack of supervision and discord in how consistently data is protected across Member States. This led us to an alternate possible solution to improve the current data protection system: the possibility for Europol and the national units to be cast as joint controllers. By designating Europol and contributing national units as joint controllers under a lex specialis provision in the Europol Regulation, uncertainty is stripped away from parties and the availability of a stronger data protection safeguard in cross-border investigations would be ensured. In order to effect this change, publicly accessible policy should be put in place that specifies who does what and is enforceable by both the EDPS and relevant national data protection authorities.

Joint controllership should be guided by Article 26 of the General Data Protection Regulation (GDPR) but adapted for law enforcement use in line with the Law Enforcement Directive. Although joint controllership imposes a bigger administrative burden, its implementation would be proportionate given the fundamental rights impact of data processing. In the case of joint controllership, the parties share responsibility for determining the purposes and/or the means of data processing. Furthermore, in accordance with article 82(146) GDPR, each controller should be fully liable for all damage. This approach would be the most effective as it aligns with the national tort law of different Member States and should ultimately lead to more transparency and greater accountability in joint operations.

 

 

By Oliwia, Kaloyan and Carolin

The problem and regulatory framework

Understanding who enforces medicines regulations in the EU is the real clinical trial - side effects include confusion and legal headaches.

Imagine a pharmaceutical company fails to report a serious side effect. A national authority might detect the issue, the European Medicines Agency (EMA) would investigate it, but the final decision on penalties would be taken elsewhere. Because the responsibility is divided between different institutions, it becomes unclear who is actually accountable.

This post explores why, despite detailed rules and strong institutions, responsibility in EU pharmaceutical enforcement can become so fragmented that no single actor is clearly accountable.

The EU pharmaceutical regulation is built on a comprehensive legal framework. Directive 2001/83/EC sets out the general rules for medical products. For authorised medicines distributed within the EU, Regulation (EC) No 726/2004 establishes EMA’s role and powers. Furthermore, instruments such as the Clinical Trials Regulation and strengthened pharmacovigilance rules further strengthen and monitor safety obligations across the EU. The framework is extensive. However, the way the rules are applied determines whether they actually matter.

Pharmacovigilance rules

Legal requirements and guidelines ensure that medicines are monitored for safety, so their benefits outweigh their risks.

Here is where things get complicated. In practice, enforcement is divided between different actors, each with a specific role:

• National authorities detect problems at the Member State level
• The EMA investigates and assesses possible violations
• The European Commission decides whether to impose fines

This means that while EMA plays a central role in supervision and investigation, it cannot impose fines. Even though the financial penalties can reach up to 5% of a company’s EU turnover for certain infringements, the power to impose the fines rests with the Commission. This creates a gap between the investigation and the ensuring of compliance. When enforcement is shared, establishing accountability becomes more difficult.

Comparative perspective

By contrast, other EU agencies such as the European Securities and Markets Authority (ESMA) and the European Central Bank (ECB) have the power to investigate violations and impose fines directly. Therefore, the EMA model stands in contrast. For example, ESMA can directly supervise specific market actors, adopt binding decisions, including financial penalties, without relying on another EU institution. Similarly, the ECB supervises banks and imposes sanctions for breaches of EU banking rules.

These differences in enforcement powers become clearer when we look at how the system operates in practice.

How Enforcement Works in Practice

Four years, nineteen medicines, zero fines

The only infringement procedure ever opened under EU pharmaceutical law tells us less about wrongdoing than about how the system divides authority.

80 K+ ADVERSE EVENTS LEFT UNREVIEWED

4 yrs EMA INVESTIGATION DURATION

€0 FINANCIAL PENALTY IMPOSED

How it began

In 2012, a routine inspection by the UK’s MHRA uncovered a significant failure in Roche’s pharmacovigilance systems: over 80,000 adverse event reports, including more than 15,000 patient deaths, had never been properly assessed. These were not necessarily drug-related, but under EU law, they were required to be reviewed. They weren’t.

These obligations arise from EU pharmacovigilance rules, which require companies to continuously monitor and report adverse events for authorised medicines.

The MHRA passed its findings to the European Commission, which referred the matter to the EMA.

The procedure, step-by-step

2012	● MHRA inspection identifies violations 80,000+ unreviewed adverse events found in Roche’s pharmacovigilance database. The Commission refers the case to the EMA.
2012-16	● EMA conducts a full investigation Four years of review across Roche’s centrally authorized portfolio. The EMA builds a detailed, factual and legal case.
2016	● Violations confirmed across 19 products EMA findings sent to the Commission. The potential fine under Regulation 658/2007 ran to hundreds of millions of euros.
Dec 2017	● Commission closes the procedure Roche provides commitments to fix its reporting systems. The Commission accepts them. No fine is imposed.

Who did what?

 

MHRA identified problem

→

Commission referred to EMA

→

EMA investigated  (4 yrs)

→

Commission decided outcome

 

How to read the outcome

ENFORCEMENT DID HAPPEN Roche implemented remedial measures. The EMA’s investigation produced a detailed record of the failures. Accepting commitments is a standard tool in regulatory practice, used routinely in EU competition law. This shows that enforcement in EU pharmaceutical regulation often focuses on correcting behaviour rather than imposing financial penalties.

DIVISION OF ROLES The institution that spent four years building the case had no formal say in how it ended. The Commission, which decided, was not required under the regulation to give detailed public reasons for preferring commitments to a fine. The Commission’s choice to accept commitments rather than impose a fine fell squarely within its enforcement discretion, which is a discretion the Court of Justice has confirmed in a 2022 European Parliament study, p. 8 – “near absolute,” with individuals holding no standing to challenge the Commission’s reasoning for declining to act.

 

KEY OBSERVATION

The EMA carries the full investigative burden. The Commission carries the full decisional authority. The current framework does not clearly require either institution to publicly explain how investigative findings translate into final decisions.

 

This design is not an accident. Under Commission Regulation 658/2007, enforcement is explicitly split: the EMA investigates, while the European Commission decides on the outcome. What the Roche case shows is not simply how a single procedure unfolded, but how decision-making power is distributed across different actors, and how this affects the visibility of responsibility within the system.

This raises a broader question: when multiple institutions contribute to an enforcement outcome, how can responsibility for that outcome be clearly identified?

Who is responsible? The problem of many hands

The Roche case exposes a recurring difficulty in EU enforcement: when multiple institutions each follow their own rules correctly, yet the final outcome is still flawed, it becomes genuinely unclear who bears responsibility. This is the “problem of many hands”.

Understanding Thompson’s concept

Dennis Thompson identified a challenge that appears in any organisation where tasks are split between multiple bodies. He called it the problem of many hands.

“When responsibility for an outcome is spread across many actors, each of whom has followed their own rules correctly, it becomes very difficult to identify who is responsible for the overall result.” 

Dennis Thompson, 1980

Applying this to EU pharmaceutical enforcement

In the Roche case, the EMA, the Commission, and the MHRA each performed their role within their legal powers. At the same time, enforcement did take place: violations were identified, investigated, and addressed through corrective measures.

However, because these steps are carried out by different actors, no single institution oversees the entire process. When the procedure ended without a fine and without a detailed public explanation, it became difficult to identify who was responsible for that outcome. This is not a failure of any single institution, but a feature of the system itself. This means that responsibility becomes structurally diffused across different stages of enforcement, rather than clearly attributable to any single actor.

Where responsibility sits, and where it does not

Political oversight does not focus on individual enforcement decisions, and where no formal sanction is imposed, judicial review may be unavailable, raising concerns under Article 47 of the Charter of Fundamental Rights, which guarantees the right to an effective remedy.

Accontability and design

Mark Bovens explains that accountability requires a clear forum, meaning there must be a body to which an actor explains and justifies its decisions. In this case, there is no point in the system where the overall enforcement outcome must be fully justified. As a result, accountability is missing precisely at the level where responsibility should be established. While individual steps can be reviewed, the final result of the procedure is not clearly subject to full accountability.

 

Unlike the EMA, both ESMA and the ECB can investigate and impose sanctions directly, meaning the institution that builds the case also bears responsibility for the outcome.

The issue is therefore not that enforcement is absent, but that responsibility is not clearly visible within the current system. Addressing this does not require a complete redesign, but targeted adjustments that make responsibility more transparent. Granting the EMA limited sanctioning powers,  following the ESMA model,  would close the gap between investigation and outcome. Requiring the Commission to publish reasoned decisions when closing cases would make the exercise of its discretion visible to Parliament, courts, and the public alike. As enforcement increasingly operates through shared structures, making responsibility visible is not optional, it is a precondition for accountability to function at all.

While defence is and has always been a national responsibility of each European Union (EU) Member State, defence coordination and efficiency is now more important than ever. The European Defence Agency (EDA) was founded in 2004 to promote defence collaboration in the EU and to promote integration within the EU’s Common Security and Defence Policy (CSDP) between Member States. Although defence spending has gone up in Member States, the EDA has consistently failed to meet its collaborative procurement benchmark and has been criticised for lacking teeth.

This blog post will therefore explore the economic reasoning of collaborative procurement behind the EDA and its historical development, after which the current geopolitical context will be analysed and how the EDA could and should react to this. This blog post argues that the EDA could be redesigned, by implementing several reforms and aligning its tasks with the current geopolitical context.

Spending More, Wasting Less

Europe is arming up. The EU’s 27 Member States spent €343 billion on defence in 2024 alone. But more money does not automatically buy more security. Better results mean more real military capability per euro spent.

This can be achieved through quicker procurement, fewer duplicated national projects, and forces that can work together when it matters. That is the core economic argument for European defence cooperation. If Member States keep spending, buying, and developing in parallel, a great deal of that money risks being lost to fragmentation and inefficiency instead of being turned into usable collective strength.

At its core, the idea is straightforward, cooperation can help Member States to get more value from every Euro they spend. Defence equipment is extremely costly to research, produce, maintain, and upgrade. When each State follows its own path, defence orders stay small, due to limited national demand and technical standards that differ. Furthermore, national forces may end up utilizing systems that do not work well together within cross-border integrated forces. Economists describe this as a problem of fragmentation and the loss of economies of scale. In simple terms, the Member States individually, without coordinating their efforts, can end up paying more for less.

Defence can also be described as a special market. Governments do not buy ammunition, tanks or missile systems the way consumers buy groceries, phones or cars. National security concerns, political sensitivities, and domestic industrial interests often keep procurement focused and protected within national borders. This makes coordination harder, but also more necessary. The more procurement remains nationally fragmented, the greater the risk of duplication, incompatibility, and inefficient spending. The European Commission has repeatedly argued that a more integrated European defence market would support larger-scale production, stronger innovation, and more efficient procurement outcomes across borders.

Seen from this perspective, the economic rationale behind the EDA is not simply about “more Europe”. It is about reducing costs, overcoming coordination problems, and helping Member States turn rising defence budgets into stronger, more compatible, and more efficient capabilities.

The European Defence Agency

The EDA when European governments were increasingly aware of a growing contradiction in their defence policies. On the one hand, security challenges were becoming more complex and often required collective responses. On the other hand, defence remained highly fragmented, with each Member State’s planning, spending, and procuring largely on its own.

This fragmentation was not a new problem, but it became more visible in the early 2000s. The EU’s experience in the Balkans during the 1990s exposed limitations in Europe’s ability to act cohesively in crisis situations. At the same time, global developments such as the September 11 attacks reinforced the need for more coordinated approaches to security and defence. European countries were also facing increasing pressure to do more with limited resources, while still maintaining a wide range of national military capabilities.

In light of these developments, the EDA was established to help address a key question: how can European countries cooperate more effectively in defence without giving up control over their own armed forces?

The Agency’s original legal basis was set out in a 2004 Joint Action under the EU’s Common Foreign and Security Policy. Its role was later formalised in the Treaty of Lisbon, where Article 45 of the Treaty on European Union defines its main tasks. These include identifying capability gaps, encouraging cooperation between Member States, supporting defence research and industry, and evaluating whether agreed commitments are being followed. Its current structure and functioning are further detailed in Council Decision (CFSP) 2015/1835.

Notably, the EDA was not designed as a powerful central authority. Instead, it was conceived as a facilitator, an institution that could bring Member States together, provide expertise, and promote cooperation, without overriding national sovereignty. In other words, it reflects a broader EU approach to defence: improving coordination rather than centralising control.

Academic observations highlight this balancing act. Some scholars argue that the EDA represents a pragmatic solution, allowing states to work more closely together while keeping ultimate authority at the national level. Others point out that this same design also limits its impact, as cooperation ultimately depends on whether Member States choose to follow through on shared priorities.

In this context, the creation of the EDA was less about transforming European defence overnight, and more about managing an existing tension: the need for collective action in a policy area that remains deeply tied to national sovereignty. This tension continues to shape both the Agency’s role and its limitations today.

A New Geopolitical Era

After Russia’s invasion of Ukraine, which led to ammunition shortages in the Ukraine and the EU, supply-chain pressure and wider uncertainty about European security, Member States have faced pressure to procure their military goods as quickly and efficiently as possible. The last years have however shown that this increase in urgency has not led to increased cooperation and that Member States still often value their sovereignty more than collectively procuring military goods. This may lead to duplication and over-reliance on non-EU suppliers.

This is also shown by the EDA’s collaborative procurement benchmark, set since 2007. As mentioned previously in this blog post, this benchmark has never been met. While the EU has estimated that the total EU defence expenditure has reached €381 billion in 2025, this increased spending has not been accompanied by a proportional increase in joint procurement among Member States.

An example of this is the French and German Future Combat Air System (FCAS), EU’s next generation fighter jet program, which aimed to improve the EU’s strategic autonomy and increase cooperation. While this could have been a great way to enlarge collaborative procurement among Member States, the FCAS has been described as potentially collapsed after Germany chose to purchase United States’ F-35 combat aircrafts instead of developing and procuring these via the FCAS-program.

The European Defence Agency 2.0

As described above, the geopolitical context in which the EDA operates has changed significantly since its establishment in 2004. Defence procurement has grown and become more urgent, but not necessarily more coordinated. While the industry grows, the economic inefficiencies, as described in section I, remain. This is where the redesigned role of the EDA comes in. By increasing coordination along the procurement chain, the EDA can address inefficiencies. Putting this into practice, requires structural rethinking the role of the EDA.

According to André Denk, EDA’s chief executive, the desire from Member States to do more on defence at EU level in line with the EU’s Defence Readiness 2030 programme, has increased. Denk introduced the redesigned role of the EDA in response to this call from Member States and the current turbulent geopolitical times. While the EDA’s traditional role remains, in essence, to coordinate rather than to centralise control, the amount of Member States in favour of expansion of the EDA’s mandate is rising. The EDA has called upon the Member States to: “use us to take forward the projects that one member state cannot.”

This call for a redesign of the EDA was also supported by former Estonian president and chief coordinator for the Common Foreign and Security Policy, Kaja Kallas. Kallas made a statement on the inefficiencies in EU defence procurement. She spoke about the lack of complementary procurement, the focus on national interest, and persisting fragmentation. Kallas concluded that the EDA needs to lead, not just facilitate, thereby expressing her vision for a stronger EDA.

Coming back to the EDA’s core tasks, these were designed to be open norms. The redesign does not change the architecture, but the political willingness to use it. As defence ministers increasingly speak with a sense of urgency, the EDA’s role naturally increases in terms of coordination. In other words, a revised role for the EDA does not require a new agency, rather, it requires Member States to make fuller use of the one they already have.

The EDA proposed five revised lines of action:

1. Scaling up research;
2. Consolidating EDA’s central capability role;
3. Support joint procurement;
4. Secure resources;
5. Leveraging existing partnerships.

Apart from increasing budgets for already existing competences, the EDA’s goal is to take a more prominent role in the supply chain. In practice, this results in the EDA to target shared requirements for joint acquisition before contracts are put to market. This strategy can improve efficiency in concrete ways. When demand is aggregated earlier and common requirements are established at the EU level, Member States can benefit from larger production runs, reduced unit costs, and greater leverage with suppliers. Furthermore, existing partnerships with, for example, Ukraine, Turkey and Canada are to be strengthened under the EDA procurement framework. This redesigned EDA is stepping beyond pure facilitation and increasingly towards centralisation, answering the Member States’ calls.

Important to note is that the EDA operates within fixed structural limits. The EDA does not control national defence budgets, cannot compel Member States to procure jointly, and works alongside existing power frameworks (e.g. NATO). Therefore, it is likely that a lot of core defence industry will remain at national level. The shift towards a modern, strategic EDA 2.0 depends not on institutional reform alone but remains dependant on genuine political willingness among Member States to use the EDA for the projects that no single country can advance on its own.

Coordination Is No Longer Enough

The EDA coordinates EU Member States to work together more effectively in defence. The idea is simply that cooperation can help countries avoid inefficiency waste, save money, and build military capabilities that work better together. But the EDA was never given strong powers of its own. It was designed to support and coordinate, not to force Member States to act. This has become a growing problem under current geopolitical developments. Defence spending is rising fast, yet joint procurement remains limited. In today’s security environment, this is harder to defend. If the EU wants better results from higher spending, the EDA must move beyond coordination alone and play a stronger strategic role.

By Ella, Mafalda, Daria, Melanie and Samantha

The 2026 World Cup is not the only thing FIFA (Fédération Internationale de Football Association) must keep an eye on. Behind the dynamic and thrilling world of football, lies a concealed truth. Through the exorbitant transfer fees and the hidden ownership structures, football clubs became the ideal target for money laundering. This is why this area will be regulated by the Anti-Money Laundering Agency (AMLA), an EU (European Union) agency which aims to investigate and prevent money laundering. Since May 2024, football clubs have been included in the anti-money laundering framework by the Regulation 2024/1624 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (AMLR), and, therefore, need to streamline their corporate structure, prepare information and documents for upcoming transactions, and ensure operation of a solid compliance function by July 2029. However, as of 2026, no guidelines or standards that target football clubs have been issued, leaving football clubs in the dark about how to interpret the new requirements. The decision to include football clubs in the AML regulation has been surprising and somewhat counterintuitive, because football clubs do not even qualify as financial entities.   So why is money laundering so prolific in football clubs that it needs to be regulated by AMLR? What is the role of the newly established AMLA when it comes to the regulation and supervision of football clubs?

1. Why can football clubs attract dirty money? 

Money laundering works by making illicit funds appear legitimate, often by moving them through ordinary businesses and transactions. Football clubs are especially attractive for that purpose because it combines high financial volume, cross-border transactions and often opaque ownership structures. As AMLA itself explains, money laundering often disguises the criminal origin of funds by routing them through legitimate businesses and football clubs can offer exactly that kind of cover. 

The football sector has a number of characteristics that make it vulnerable. The Financial Action Task Force (FATF) has long warned that football has become a global industry with rapidly growing investment, whilst its regulatory frameworks have not always kept pace with the risks associated with that growth. This sector involves substantial financial flows that are sometimes difficult to assess, including transfer fees, sponsorship deals, payments to intermediaries and cross-border investments. This creates a lot of opportunities for criminals to funnel dirty money into seemingly normal business activities. 

Scholars argue that the football industry has become increasingly vulnerable to illicit financial activities due to its complex organisation, large financial flows and opaque ownership structures. These characteristics are significant because they facilitate the concealment of the true origin of funds, the disguising of beneficial ownership and the justification of unusual payments as part of standard football business practice. In other words, the problem is not football itself, but the way its financial ecosystem can be exploited. 

The point is not that football clubs are inherently criminal. The problem is that its financial ecosystem can convert suspicious funds into transactions that look commercially and socially legitimate. These structural vulnerabilities become especially visible in the transfer market, where large sums, cross-border deals and multiple intermediaries create clear opportunities for money laundering. 

2. How can money be laundered through player transfers?

One of the money laundering tactics used in the football sector to disguise the illicit funds is through the over-evaluation of players in transfers. Since the Bosman ruling in 1995 international player transfers have rapidly increased. In 2022 FIFA reported that international transfers had surpassed 20,000 players. In 2023 FIFA reported transfer fees reached up to 9,63 billion dollars, which shows a staggering 48.1% increase from 2022. The report also showed a record in cross-border transfers of 74,836 dollars.

The difficulty of assessing the value of a player, makes it easy to artificially inflate the price and move money. In football players are often transferred prior to their contracts ending, thereby the high transfer fee comes from the compensation of the new employer to the previous employer. In order to attract players, clubs and managers, benefits such as housing, cars or family arrangements may be included in deals, which increases the number of financial transactions and further obscures the transfer prices.

Football agents are under the microscope of Regulation 2024/1624 (AMLR) alongside football clubs as football agents often negotiate contracts in player transfers. In 2019, Portuguese authorities’ Operation Red Card investigation uncovered a player transfer from Porto to Real Madrid worth 50 million euros of which 9 million was paid to two agents. According to the financial reports, Porto earned 28,4 million euros from the transfer. The remaining sum of 21,6 million euros was split between three parties: two of whom were football agents.

In 2020, Spanish authorities uncovered a criminal network of several European football clubs which made fake player transfers to launder profits. The investigation uncovered 10 million euros laundered through ghost transfers through a Cypriot football club. To conceal the origins of the dirty money it was invested into Spanish luxury assets such as yachts and real estate.

3. What do the new AML obligations for football clubs entail?

The logic is straightforward. The same features that make football economically successful also make it vulnerable to financial crime. 

European authorities have seen how standard football deals can be inflated artificially and these risks are now considered structural to the industry. With that logic in mind, AMLR aims to close the regulatory gap and ensure consistent supervision across Member States.

Football clubs and agents are now classified as “obliged entities” among some other non-financial actors, who must implement customer due diligence (CDD) to prevent financial crime under the AMLR. 

In practice, this means that football clubs need to:

• Check who they deal with verifying the identity of buyers, investors, sponsors, players and agents (conduct CDD).
• Understand where the money from sponsors and investors comes from.
• Monitor transactions and watch for unusual payments, inflated transfer fees, or complex ownership structures.
• Report suspicious activity to authorities if the activity looks like money laundering.
• Keep records storing documents and transaction data for several years.

This provision aligns the clubs with other high-risk sectors and, when suspicious activity is identified, AMLA will play an indirect, yet important coordinating role: directing national supervisors, harmonising standards, and – in extreme cases – supervising risky companies itself. 

4. However, what legal mechanisms actually give AMLA the power to regulate this area?

AMLA is an EU agency based in Frankfurt, Germany. The agency derives its powers from the regulatory framework established in Regulation 2024/1620 (AMLA Regulation). This framework was part of the AML/CFT (Anti-Money Laundering and Combatting the Financing of Terrorism) package adopted in 2024. The legal basis of these provisions is Article 114 TFEU, which serves to ensure the proper functioning of the internal market. Its powers are set out in Article 6 of the AMLA Regulation and include the supervision and investigation of high-risk entities and supporting Financial Intelligence Units (FIUs) in their tasks by issuing recommendations and harmonising national frameworks when it comes to AML. AMLA also has the power to impose pecuniary sanctions. On 1 January 2026, the European Banking Authority (EBA) completed the transfer of all its AML/CFT to AMLA, thus giving it the power to enforce EU law.

AMLA extends its powers to non-financial entities as well. Given the fact that this is traditionally an area regulated by national provisions, the rollout of AMLA’s powers is delayed to 2027 when it comes to non-financial entities, and to 2029 when it comes to football clubs. As we know from ESMA, agencies can only exercise discretionary powers as long as they are within a clearly defined framework. Indeed, AMLA must assess the limits of these powers and how exactly to effectively play its role when it comes to non-financial entities while staying within its legal mandate. As financial and non-financial entities are different in nature, AMLA also possesses a different role when it comes to implementing EU law. It therefore must make sure it remains within the bounds of Article 5 TEU and does not take any measure which could undermine the principles of subsidiarity and the conferral of powers.

The delay of the supervision of football clubs proves how difficult this area is to effectively regulate. In that case, we can ask ourselves whether AMLA is truly ready to effectively regulate this area.

5. Is AMLA ready to take on the challenge of regulating football clubs and agents?

With football clubs now forming part of the EU AML framework as non-financial obliged entities, subject to due diligence and monitoring of regulated transactions (Article 3(3)(o) AMLR), compliance considerations become increasingly prominent. 

Although the relevant requirements will only take effect from 10 July 2029, their implementation requires significant preparatory work. For instance, football clubs will require time and resources to streamline their corporate structures, conduct CDD on prospective investors and sponsors, adopt new procedures, and perform necessary training for the employees.

While AMLA will not act as a direct supervisory body for football clubs, it has two general means of influencing the sector. First, AMLA will develop guidelines and standards applicable across the industry (e.g. Articles 19(9), 28(1) AMLR). Second, the agency may take direct control over an entity posing a threat to the AML/CFT regime as the measure “of the last resort” under Article 42 of the Anti Money Laundering Directive 2024/1640. Other enforcement obligations rest primarily on the shoulders of the national competent authorities of the Member States, which may, among other things, grant compliance exemptions for football clubs falling below the 5,000,000 euros annual turnover threshold (Article 5 AMLR).

While the measures “of the last resort” are unlikely to become relevant until AMLR applies to football clubs in 2029, the need for standardisation and guidance is already evident. To address this, in 2026, AMLA intends to map out the supervisory practices in relation to non-financial obliged entities, including football clubs. By the fourth quarter of 2026, AMLA aims to create benchmarks and methodology for assessing and classifying the risk profiles of obliged entities and the frequency of reviews of those risk profiles. 

In parallel, AMLA is developing regulatory technical standards (RTS) on CDD and identification of business relationships, which will apply both to financial and non-financial obliged entities (currently in public consultation). Once adopted, RTS will apply directly to football clubs, especially in the context of players’ transfer arrangements. 

The RTS on business relationships (under Article 19(9) AMLR) will establish criteria for distinguishing occasional transactions from ongoing business relationships requiring CDD and monitoring.  While AMLR attempted to clarify the overall terminology, the methodology for assessing the factors that distinguish transactions as repeated (e.g. a single purpose of several agreements, connected parties, common intermediaries, same infrastructure) remains to be determined. 

The RTS on CDD (under Article 28(1) AMLR) will set out verification procedures, as well as documents and information that an obliged entity needs to obtain in order to enter into continuous contractual or other obligations with a third party. For football clubs, these standards will explain who to contract with, for how long, and on what terms and conditions and subject to which procedures.

Once adopted, these standards are expected to form the compliance framework for the obliged entities to determine compliance strategies and develop procedures. However, the absence of a clear regulatory strategy and delayed deadlines for finalising the standards may create regulatory uncertainty. In practice, football clubs may need to rely on general rules of money laundering when defining their compliance strategies in 2026. 

Even once guidelines are in place, it will be the development of enforcement practice that will determine whether more stringent regulation or another supervisory body will be required to sufficiently address the money laundering practices of football clubs. 

Frontex Could Play a Key Role in Preventing Member States from Keeping in Place Unjustified Internal Border Controls

By Noëlle, Isabel, Henrike, Hannah

This year, during March and April, the periodic Schengen evaluation programme targets Germany to assess the alignment of its policies with the Schengen acquis. Its record regarding the “absence of internal borders” (Article 1(3) Council Regulation (EU) 2022/922) will look very grim. The objective of establishing an area without internal frontiers (Article 3 TEU) has always been accompanied by commitments to effective migration management at external borders. Within the current political dynamic this interdependency materialises as “quasi-permanent” internal border controls. This seriously undermines the promise of Schengen as a borderless area. The paralysis to address these ongoing breaches of EU law and values calls for alternative, innovative approaches to “save Schengen”.

Notwithstanding the limitation of its mandate to external borders, it seems worth exploring what (indirect) impact the EU’s border and coast guard agency, Frontex, has on the internal dimension. This allows to identify three main stages in which Frontex’s stronger involvement could mitigate uncoordinated national measures: enhanced operational support at external borders, making its risk assessment a mandatory criterion for reinstating unilateral internal border controls, and independent monitoring of such controls by Frontex. Of course, concerns about Frontex’s fundamental rights and accountability obligations must be taken very seriously. However, strengthening such a supranational actor could resolve credibility issues and help re-establish a rule-based management of an area without internal frontiers.

Putting Schengen at risk 

The Schengen Borders Code (SBC) balances rules for managing external borders against the default mode of an area without internal border controls. Only as an exception and under strict conditions does Article 25 SBC allow Member States to reinstate internal border controls: they must be temporary, a means of last resort, and address a serious threat to public policy and national security. Depending on the reasons, Member States can prolong internal border controls beyond the initial period of six months. Their overall duration must not exceed two years and under all circumstances be proportionate (note that before the adoption of the SBC’s reform, these time limits were even stricter). 

However, the current reality looks quite different. As of May 2025, a total of eleven Schengen states had put in place internal border controls for concerns about irregular migration and security. Germany has continuously expanded the scope of its internal border controls. Since September 2024, controls take place at all land borders, with the latest renewal on 15 March 2026. Given that since 2015, France, Denmark, Norway, Sweden and Germany have continuously prolonged internal border controls for migration-related security concerns, it is fair to speak of de facto permanent internal border controls which are in effect burying Schengen.

 

There is wide-spread scholarly critique on the weak justification for internal border checks and their continuing renewal. Also, national courts are positioning themselves to bring Schengen back to life. The Bavarian administrative court declared Germany’s current border controls to be in violation of the time limits laid down in Article 25 SBC. In its ruling, the court relies on a previous ruling by the European Court of Justice (CJEU), which came to similar conclusions in the case of Austrian border controls. The CJEU emphasized that the free movement of persons is a fundamental achievement of EU integration. Thus, exceptions are to be interpreted strictly (para. 65 and 74). It also confirmed that Article 25 is sufficiently clear in striking a balance between the competing objectives of protecting national security and maintaining an area without internal borders (para. 89).

 Rethinking Schengen 

Yet, it seems like the legislature felt urged to correct the CJEU’s conclusion in its reform of the Schengen Borders Code in 2024. It inserted the “sudden large-scale unauthorised movements of third-country nationals between the Member States” as an explicit justification ground (Article 25(1)(c) SBC) for reinstating temporary border controls. Already the previous episodes of internal border controls could be considered a “valve that signals a malfunction of the Schengen Area.” The amendment reflects the underlying political dynamic in which northern Member States aim to prevent high inflows of secondary movement. This refers to migrants’ irregular onward journey whereas under existing EU rules other Member States should take responsibility for their asylum and return procedures. In the view of countries like Germany, secondary movements are a sign of the dysfunctional management of external borders. For the German government, strengthening external borders is a prerequisite for reopening the Schengen area. This interdependency fuels distrust between Northern Member States and Member States at the external borders. Moreover, it risks recourse to uncoordinated unilateralism, further putting the premises of the Schengen Area under pressure.

What remains is the search for solutions that again succeed in reconciling these interdependencies. In that regard, it is important to recall the supranational procedure in Article 29 SBC. It is specifically designed for situations “where exceptional circumstances put the overall functioning of the area without internal border control at risk”. Such cases require the Council to adopt a common recommendation on reinstating internal border controls. Frontex is plays a role in this supranational procedure as well as for Member States’ individual decisions under Article 25 SBC.

Frontex’s involvement in border control

 The EU is increasingly creating agencies to delegate certain responsibilities, especially for implementing policies more effectively and depoliticising technical tasks. Frontex is the answer to this agencification in the area of border management. It is a EU body created to offer support in all aspects of border management within a system without internal border checks. The EU’s competence for this area is enshrined in Article 67(2) TFEU for common external border control and Article 77 TFEU, which provides the legal basis for border management policy. Frontex’s mandate and competences are set out in the Regulation on the European Border and Coast Guard, focusing on support for the Member States at external borders through coordination, operational assistance, and risk analysis. The primary responsibility for border control remains with the Member States, which exercise their sovereign powers. Frontex acts through joint operations that always involve the host state’s consent and cooperation. The staff usually acts under the command of national authorities and under national law, within the EU framework. The Member States’ cooperation with the agency includes sending national personnel and technology. Germany, for example, currently supplies Frontex with 160 federal and state police officers. Frontex’s role is deliberately focused on external borders, as mentioned in recitals 1 and 34 of the Regulation’s preamble, having practically no mandate at internal borders.

Frontex’s internal reach?

Nevertheless, Frontex has indirect influence on internal border controls through different interacting mechanisms. The basis for this is the risk assessment laid down in Article 29 Regulation 2019/1896 (Frontex Regulation). This assessment should give an evidence-based view of the pressures and threats at the EU’s external frontiers and should provide Member States with the data intelligence, and strategic insights required to prepare effectively. Frontex receives information for the assessment to a large extent from national border agencies, making it highly depended on the Member States. However, this makes Frontex’s reports more comprehensive than reports of other organisations and creates motivation for policy makers to use them.

In recent years, also surveillance, which had previously been limited to external borders, has been expanded to include collecting data on the movement of persons inside the EU. Although Frontex’s focus is on external borders, the risk assessment always includes information on secondary movement. This is especially interesting for Member States like Germany, which have no external borders but can take Frontex’s risk analysis as a reference point. An incentive to do so constitutes the Schengen evaluation and monitoring mechanism. Using this mechanism, the Commission assesses Member States’ compliance with the Schengen acquis. Based on Frontex’s risk assessment, it will be evaluated what Member States can do in regard to internal border controls. Here, Member States’ willingness to integrate Frontex’s risk assessment as a systemic part of their national border control strategies counts as a proxy for compliance. In the beginning of this evaluation mechanism, the evaluation and monitoring were conducted by the Schengen Evaluation Working Party of the Council, which was composed of Member States’ representatives. Later it was shifted to Frontex, based on typical arguments in favour of agencification. The Commission criticised the process as an insufficiently strict and transparent peer-review. The Council, on the other hand, wanted to limit the Commission’s power in this procedure.

Can Frontex save Schengen?

Based on these existing competences in risk assessment and Schengen evaluation, Frontex could play a key role in breaking the vicious cycle created by the interdependency between controlling external borders and abolishing internal borders.

Ideally, Frontex becomes more strongly involved in supporting Member States at external borders. This is essential to safeguard the foundational premise for a functioning Schengen Area: effective control of access to the territory in the first place.

In the meantime, Frontex’s mandate should contribute to restoring credibility of commitment to EU law on border management. Member States shall be obliged to justify their internal border controls solely on Frontex’s risk assessment in relation to the ground of unauthorised movement in Article 25(1)(c) SBC. This can be part of a broader framework of benchmarks for the incremental abolishment of internal controls.

In the alternative, and as the weakest form of involvement, Frontex should obtain a leading role in monitoring and evaluating the compatibility of unilaterally reinstated border controls. This means that Frontex should assess their effectiveness considering the national security objectives that Member States have presented as well as the negative effects of such reinstated border controls. Both approaches mitigate the competing objectives between national control over territorial access, and the long-standing come back of an area without internal frontiers.

 

This blogpost can just be a first glimpse in this direction, and it invites for innovative thinking on institutional solutions for breaking the current deadlock in Schengen governance. Also, every expansion of Frontex’s mandate must clearly go hand in hand with more robust fundamental rights protection and accountability mechanisms. That being stated clearly, strengthening the involvement of a supranational agency like Frontex could contribute to recovering common, rule-based management of the Schengen area. Eventually, such an approach must not lose sight of the Member States’ and the Commission’s responsibility for ensuring respect for the law. Frontex’s role in internal border management may provide a promising starting point.

Enforcement of Single Market rules and ensuring a level playing field without unjustified barriers is key in order to make the Single Market work for businesses and citizens. In January 2026 the European Commission presented its first annual Single Market enforcement agenda as part of its annual Single Market and Competitiveness Report of 2026. Although, is it a fully-fledged agenda? The actual size and content of the agenda raise some questions. What does the Commission intend and how will it live up to its initial promises? Would a more comprehensive agenda be desirable and possible and how the Commission could and should give more transparency about enforcement? After a brief description of the initial announcement of the agenda and content of the first Single Market enforcement agenda, I will discuss the last two questions. More transparency is desirable: from a democratic perspective, but also in order to focus enforcement on those areas which matter most for a well-functioning Single Market based on a dialogue between the Commission, Council of Ministers of the European Union and European Parliament.

Continue reading “The Single Market Enforcement Agenda, an example of more transparency?”

Overtredingen van wetten en regels veroorzaken grote maatschappelijke schade: misbruik van zorggeld, schade aan het milieu en uitbuiting van werknemers. Maar de pakkans van ernstige overtredingen is laag. De Algemene Rekenkamer analyseerde 54 onderzoeken over toezicht en handhaving uit de periode 2013-2025. In de publicatie benoemt ze de vier grootste obstakels voor toezicht en handhaving en doet ze aanbevelingen.

Continue reading “[REPOST] Wat zijn de grootste obstakels in toezicht en handhaving?”

 Introduction

The liberalization of the energy market has introduced profound changes both to the structure and efficiency of energy supply, bringing the underpinnings of a competitive market with it.  At the same time, while open to the benefits of competition in some parts of the supply chain, the new energy market has become more prone to shock in relation to price fluctuations, its structure and assurance of demand. The 2021-2023 energy crisis has demonstrated the risks of a liberalized energy market in emergency circumstances, where as a result of unprecedentedly high energy prices, substantial number of energy suppliers became insolvent and were unable to supply the market sufficiently. In response to the crisis fall-out, the Commission proposed several structural tools to reduce risk of default among energy suppliers.

The aim of this blogpost is to highlight the potential role of existing EU insolvency and restructuring laws in mitigating energy supplier default and to explore whether their omission within the current regulatory policy is a missed opportunity for more effective enforcement.

Continue reading “Enforcement of insolvency and restructuring laws: a key to a competitive energy market?”

Data has become one of the most critical assets of the European digital economy. From artificial intelligence and platform markets to public services and industrial innovation, access to and sharing of data increasingly determine competitive dynamics, market entry, and the effectiveness of regulation. At the same time, data sharing raises complex legal questions: how to reconcile openness with the protection of personal data, trade secrets, and intellectual property; how to prevent data-driven market foreclosure; and how to ensure that regulatory interventions foster innovation rather than stifle it.

Over the past decade, the European Union has responded to these challenges with an increasingly dense—and at times fragmented—regulatory framework. The General Data Protection Regulation (GDPR), the Free Flow of Non-Personal Data Regulation, and, more recently, the Data Governance Act (DGA), the Data Act (DA), and the Digital Markets Act (DMA) have profoundly reshaped the legal landscape. Together, these instruments signal a clear policy shift: data sharing is no longer merely encouraged, but in certain contexts actively mandated as a tool to promote competition, innovation, and fairness.

It is against this background that our recently published edited volume, Data Sharing Regulation in Europe (Routledge, 2025), aims to offer a systematic and enforcement-oriented analysis of the EU data-sharing regulatory landscape.

Continue reading “Data Sharing Regulation in Europe: Enforcement, Governance and the Future of the EU Data Economy (A new edited volume)”

Since 1887, (and arguably before that), the United States Congress has created regulatory agencies with a certain degree of independence from the President. The Supreme Court unanimously upheld that model as constitutional in 1935 and again in 1958, but the current Court began to chip away at it in the last two decades. The Trump Administration has now declined to defend independent agencies and the President has fired members appointed by Democratic Presidents. Now the issue is back at the Court and its conservative majority appears to be ready to overrule its precedents and declare many or most independent agencies unconstitutional. This would transfer more power to the Presidency, at Congress’s expense, at a time when many think that office has already become too powerful.

Continue reading “More Power to the President?  The U.S. Supreme Court is Poised to Restrict Congress’ Power to Create Independent Agencies”