Exactly one month ago, the European Commission unveiled their new European Strategy for Internal Security: ProtectEU. While welcomed by law enforcement for the new tools and powers it would offer to protect European citizens, the latter have however showed less enthusiasm as some proposed provisions are seen as going against their Fundamental Rights, especially those highlighted in chapter 2 of the Charter: respect for private life; protection of personal data; freedom of thought and expression.
A lot has hastily been said, as many fear this is the beginning of an authoritarian turn of the EU. This process will however take time. Unlike other proposals and provisions of the ProtectEU text, the Commission wants to set a roadmap to ensure that the access to data is “lawful”. This adjective comes multiples times, highlighting its importance and the understanding of the EU Institution over the difficulties it will create.
To better understand the situation, let’s explore that text and see what it entails. Let’s dive in!
ProtectEU's Purpose
ProtectEU’s inception was first motivated by a desire to improve continental security in a “new era of security threats”, as EU citizens, businesses and experts all see security or its lack thereof as a growing security concern. Set out to allow Europeans to “be able to go about their lives free from fear, whether on the streets, at home, in public places, on the metro, or on the internet”, the Commission outlined the following goals:
- Change the Union’s culture on security and response to new and traditional threats with a new proactive approach involving all members of civil society, including citizens, researchers, academia and businesses. It also means for the Commission to consider security when preparing, reviewing and implementing new policies and programmes.
- Tackle hybrid threats from hostile states, which NATO describes as methods that “blur the lines between war and peace, attempting to sow doubt in the minds of target populations”. They include disinformation (false information, polarisation, baseless narratives), cyber attacks, economic pressure, deployment of irregular armed groups or use of regular forces.
- Recent examples include the multiple propaganda campaigns such as: the online justification of Russia’s war in Ukraine, Russian interference in the 2024’s EU elections or the blanket disinformation aimed at Romanian citizens on TikTok during their latest elections, in direct breach of the Digital Services Act.
- Stop the proliferation of evolving criminal and/or terrorist networks who become faster and more organised as their online coordination gets more sophisticated. The EU especially focuses its attention on radicalisation of the populations, human trafficking, child exploitation and terror attacks.
- Notably, the Commission based its reasoning on a January 2025 report from Europol on the changing DNA of serious organised crimes.
- Allocate more resources and public spending for law enforcement tools, equipment, technology, manpower and skills in order to safeguard “democracy, the rule of law, fundamental rights, the wellbeing of Europeans, competitiveness and prosperity”.
ProtectEU is also a part of the Commission’s larger security strategy, seen as a complement to the ReArm Europe Plan which aims to improve defence capabilities across the EU and the Preparedness Union Strategy, which sets out an “integrated all-hazards approach to preparedness for conflicts, disasters and crises”. The ambition behind these plans and an upcoming “European Democracy Shield” to strengthen democratic resilience in the EU is to contain to the best of our abilities the threats against European citizens, either internal or external, man-made or natural.
With the purpose established, what are the Key Objectives and Actions ProtectEU want to achieve?
ProtectEU's Key Objectives
The first element of the strategy is the European Internal Security Governance, a new approach to internal security at both a strategic and operational level between member states. It is set to identify potential security and preparedness implications of new and revised Commission initiatives, ensure cross-sectoral coordination across the institution, and then discuss them with the Parliament and European Council, among others, to be considered for policy-making, debates and implementations.
Beyond the intricacies of policy-making, however, the Commission identified six practical objectives. Most didn’t raise concerns, as the actions identified to reach their objective seemingly align with the interests of EU citizens:
- Increase threat awareness: Better anticipation of security threats by regular EU-wide threat analyses and improved intelligence-sharing between member states and the EU’s Intelligence Office.
- Build resilience against hybrid threats and other hostile acts: Better protection of critical infrastructure (e.g. energy interconnectors, cross-border communication cables) against acts of sabotage, reinforcing cybersecurity, securing transport hubs and ports and combatting online threats.
- Tighten the net on serious and organised crime: Stronger rules to root out organised crime and tackle their networks, to make EU youth less vulnerable to recruitment, and to step up measures to cut off access to criminal tools and assets by following the money.
- Combat terrorism and violent extremism: Introduction of a counter-terrorism agenda and toolbox to prevent radicalisation, secure online and public spaces, throttle financing channels and respond to attacks when they occur. Tracking of terrorist financing.
- Transform the EU into a Global Security player: Boost operational cooperation through partnerships with key regions, among them the EU candidate countries who will be integrated in the EU’s security architecture.
- Boost capabilities for law enforcement: New tools for law enforcement, such as a revamped Europol, and better means of coordinating and ensuring secure data exchange and lawful access to data.
As you may know, this last key action is where problems for the public lie, as the “lawful access to data” for law enforcement objective means backdoors will need to be implemented among the main chatting applications in use in the European Union such as WhatsApp, Messenger or Signal, signalling a potential end to privacy.
So let’s dive even deeper on that one.
Boosting Capabilities for Law Enforcement with an European FBI and the Potential Abolition of End-to-End Encryption
In its ProtectEU communication, the Commission describes this objective as needed to effectively counter evolving threats:
As the primary actors against internal security threats, law enforcement and judicial authorities need the right operational tools and capabilities to act promptly and effectively. It is important that these authorities are able to communicate and coordinate across borders and across services to efficiently prevent, detect, investigate and prosecute.
These tools and capabilities come in multiple varieties. We’ll highlight below the most important ones:
- Transform Europol into a truly operational law enforcement agency: Europol is currently an institution limited to supporting cross-border investigations, facilitating information exchange and providing expertise for law bodies. However, the Commission wants to overhaul it and make it a “truly operational police agency” which will then be able to conduct and not just support cross-border investigations.
- Reinforcement of Frontex to further enhance border security and strengthen EU cooperation in the face of evolving threats. It includes an increased workforce (border and coast guards are estimated to triple to 30 000 over time) and new advanced equipment for surveillance and situational awareness (e.g. EU Earth-Observation governmental services).
- Reinforcement of EMPACT (European Multidisciplinary Platform Against Criminal Threats). This framework for joint action against serious and organised crime will be strengthened to further disrupt criminal networks, support joint investigations and help achieve stronger judicial responses.
- Lawful access to data. The Commission notes that:
Law enforcement and the judicial authorities need to be able to investigate and take action against crime [as] nearly all forms of serious and organised crime have a digital footprint. Around 85% of criminal investigations now rely on law enforcement authorities’ ability to access digital information”. The High-Level Group on Access to Data for Effective Law Enforcement highlighted in its concluding report that law enforcement and the judiciary had been losing ground to criminals over the past decade as criminals avail themselves of tools and products provided from other jurisdictions, by providers that have put in place measures that deprive them of the means to cooperate with lawful requests in individual criminal cases.
And among these tools is encrypted data, which the Commission wants law enforcement to access, opening the current can of worms.
The ProtectEU Roadmap for Lawful Access to Data Might Be Less Antidemocratic than You Think
Creating backdoors into encrypted messaging applications to allow law enforcement to intercept private conversations will undermine the digital security and privacy of dozens of millions of European individual users and businesses. That is unfortunately a fact. Under the guise of crime frighting, such accesses become multilayered weaknesses, as they become prime targets for the malicious actors (cybercriminals, ransomware scammers, hostile nations, etc.) they are supposed to fight. Moreover, it is a slippery slope as backdoors first created to fight crime can easily be corrupted to target citizens instead, should their government take a turn for the worse. Something that the European Court of Human Rights agrees with, indicating that weakening encryption can violate the human right to privacy.
Now, the Commission supposedly understand these issues, as instead of going for legislative proposals like for Europol and Frontex, they proposed multiple key actions:
- A Roadmap setting out the way forward on lawful and effective access to data for law enforcement in 2025.
A Technology Roadmap on encryption to identify and assess technological solutions to enable lawful access to data by law enforcement authorities in 2026, safeguarding cybersecurity and fundamental rights.
An impact assessment in 2025 with a view to updating rules on data retention at EU level, as appropriate.
The Technology Roadmap is where all eyes will turn to. But the Commission doesn’t necessarily envision solutions that would develop the weaknesses. Among its recommendations, the High-Level Group mentions that:
Lawful access does not need to be at network level – as used to be the case for traditional phone calls and text (SMS) messaging – but can also be on the user’s device (before the information is sent) or at destination level (e.g. when messages are stored in the cloud).
They also mention that it is important “to distinguish between interception technologies that are implemented by a communication operator and technologies that can be deployed autonomously by law enforcement authorities. These “tactical interceptions” as they dub it, do not require permanent physical installation on a network.
In conclusion, ProtectEU does not sign the end of E2E Encryption. At least, not yet and not under the current terms. Through their communication and studies, access to data has been hammered as something that must be done in a lawful manner and it’s now up to experts to find solutions that will enable this access.
But will this appeal to balance be enough to appease everyone while allowing law enforcement to better face criminal and terrorist networks, or be perceived as naive and doomed? We’ll see to cover that.
Diving Deeper within the Pact on Migration and Asylum
If you want to learn more about ProtectEU, numerous supporting materials are available for deeper dives:
- The European Internal Security Strategy itself
- The concluding report of the High-Level Group on access to data for effective law enforcement
- Europol’s report on organised crime. One of the main motivation behind ProtectEU.
- The Commission’s factsheet on ProtectEU
Ecu Radio needs your support
Ecu Radio is an independent news website and podcast show, run full-time by a single dedicated contributor (for now). Support our work, get exclusive perks and help keep us going, starting from only 3 € per month.
Let's unleash Europe's potential together!
