The EU's Security Union: A bill of health

Policy brief
Camino Mortera-Martinez
21 June 2019


  • The European Union was hit by a double whammy of a migration crisis and a string of terrorist attacks in 2015 and 2016, which exposed weaknesses in the bloc’s security arrangements and created frictions between member-states. In response the EU vowed to make the safety of its citizens a primary concern. In 2016, the European Commission launched the Security Union and put the last ever British EU commissioner (perhaps) at its helm.
  • The Security Union aims to plug gaps in the EU’s security co-ordination by focusing on five main priority areas: data collection and sharing; border controls; terrorism and organised crime; cyber security; and co-operation with third countries.
  • Over the last three years, the EU has linked together its range of security databases and has given law enforcement agencies wider access to EU data. It has also beefed up its border security and signed deals with African countries to reduce irregular migration.
  • In an effort to thwart terrorist attacks, the EU is improving its ability to track criminals and suspects, and making it more difficult for them to access weapons and money. The EU is also trying to get social media companies to take down content supporting terrorism faster.
  • The EU’s most pressing ‘cyber problems’ are artificial intelligence (AI) and 5G, the next generation of mobile tele communications. AI algorithms are used for everything from self-driving cars to identifying criminals and can be used for malign ends. 5G promises to boost connectivity and spur technological innovation, but Chinese companies – which the EU and the US distrust – are major providers of the underlying infrastructure.
  • The Security Union has had a mixed record. In two years, the EU has achieved more on thorny issues like border controls and counter-terrorism than in the previous decade. It has also led to the EU’s actions on security and migration becoming more open and accountable. But the Security Union’s use of technology and data to prevent incidents before they happen risks upsetting the delicate balance between public security and personal liberty. For example, plans to fight cyber crime may clash with the fundamental right to free speech; and some EU counter-terrorism measures, like tracking suspects, can endanger the fundamental right to be presumed innocent – and hence the rule of law.
  • A stronger focus on restrictive migration policies could also prevent those with a genuine case for coming to Europe from exercising their rights. The EU’s political obsession with migration has shifted the focus from foreign and development policies towards migration control.
  • Nobody knows what the EU’s next big crisis will be. But the EU will need to deal with three major security questions in the future: migration; disruptive technologies like AI and 5G; and China. The next EU administration should make these issues the priority.
  • The EU’s new leaders should be bolder in furthering legal migration, and develop a better understanding of the trade-offs involved in using foreign and development policies to manage the movement of migrants.
  • Disruptive technologies are mostly being developed outside Europe. The EU should be willing to regulate to mitigate any harm they do to society and the economy. The EU will need a strategy that combines several policy areas, from competition to taxation to the single market. Such a strategy should also include a coherent China policy.
  • Finally, when it comes to the EU’s security, the next administration should prioritise institutional reform: security is a cross-cutting issue which requires co-ordination between departments and institutions. The EU could, for example, organise its new security departments by work streams under the common umbrella of a European Commission Vice President for the Security Union.
  • If the next set of EU leaders want the Union to be a credible security provider and a champion of civil rights, they would be wise to learn from the Security Union’s successes and failures.

It has been almost three years since Julian King – perhaps the last British European commissioner – was appointed to lead work on the EU’s newly minted Security Union. As the EU prepares for a changing of the guard after the European Parliament elections, and Britain tries to find the exit door, it is not yet clear whether the Security Union was a one-off idea to keep the UK busy or the start of something new. The answer to this question will shape the way EU institutions, member-states and European citizens see the EU as a security provider. Polls show that Europeans are more worried about security than ever. How safe they feel matters, not only for short-term political gains, but for the future of the EU as a whole. 

The Security Union is overdue for a check-up. This policy brief looks at the Security Union’s origins and aims, and examines its measures and their effectiveness. Drawing on this analysis, the brief provides some suggestions for the next European administration. This policy brief is part of a wider project on the future of the EU’s justice and home affairs policy, sponsored by the Open Society European Policy Institute. 

‘An effective and genuine Security Union’

In April 2016, roughly a month after three suicide bombers killed 32 people in Brussels, the European Commission published its plans for fighting cross-border security threats.1 The Brussels attacks, the latest in a series which had begun on the streets of Paris at the start of 2015, struck at the heart of the European institutions, both literally and figuratively. One of the suicide bombers detonated his device at the Maelbeek metro station, which serves several buildings of the European Commission and the Council of Ministers. And the attacks were linked to the arrest of Belgian national Salah Abdeslam, one of the perpetrators of the November Paris shootings. Abdeslam had managed to slip from the French capital to Brussels undetected – thanks to the lack of border controls within the Schengen area and a failure of co-ordination between the French and Belgian security services. The EU’s borderless Schengen area itself came under fire, as many Europeans felt it was ill-equipped to deal with new challenges like European-born global terrorists or large numbers of refugees. Several member-states, including Sweden, Germany and France, went on to re-establish border controls.

The 2015 and 2016 attacks changed the way the EU viewed its security policies. There are four reasons why what happened in Paris and Brussels may define the EU’s approach to security in the years to come in a way earlier and deadlier incidents did not. The first was their targets: while Europeans had become somewhat used to the brutality of terrorist attacks on planes, metros or trains, the Charlie Hebdo and November Paris shootings were something altogether different: terrorists were now hitting what many consider the very core of the ‘European way of life’ (freedom of speech and France’s fabled joie de vivre). Secondly, the attacks and the four-day lockdown of Brussels which followed highlighted, in a very public manner, the sorry state of intelligence co-operation in Europe. Third, the attacks brought home the fact that terrorists who before seemed like somebody else’s problem, as they waged their far-away wars, could actually be European too. Finally, the timing of the attacks contributed to a general sense of panic, as they happened alongside Europe’s worst refugee crisis since the Second World War. This led to an unfortunate and inaccurate conflation between refugees and terrorists, and fueled the idea that the EU had lost control of its borders and was unable to keep its citizens safe.

The EU’s response to the growing sense of chaos was to put security first. Building on previous security plans, the Commission launched the idea of a Security Union in the spring of 2016. In his autumn State of the Union speech, Commission president Jean-Claude Juncker spoke of a “Europe that protects” – a catchy slogan that would go on to be an essential part of French president Emmanuel Macron’s European policy.2 One of the main elements of this new and safer Europe was the idea of a Security Union, where “a police officer in one member-state should have the same reflex to share relevant information with colleagues over the border, as he would do with fellow officers within his country.”3

It was perhaps entirely coincidental, albeit certainly convenient, that at the same time that the Commission was building its Security Union, the EU-27 were trying to find a way to accommodate the UK within the Union’s institutional structures before it left the EU. Britain gave up an important portfolio after Jonathan Hill resigned as Commissioner for financial services two days after the Brexit referendum, but is still entitled to a Commission position until it formally leaves the EU. The Security Union – a newly-coined concept, vague yet powerful enough to be attractive to an outgoing member of the bloc with a good reputation on security matters – provided the perfect way forward. In September 2016, Julian King, then Britain’s Ambassador to France, took office as the first ever Commissioner for the Security Union.

Essentially, the Security Union is a rebranding of the 2015 European Agenda on Security which, in turn, replaced previous policy guidelines on EU justice and home affairs (JHA).4 Since 1999, the European Council had been adopting multi-annual plans (‘programmes’) to set out the EU’s JHA objectives.5 Over time, the plans became excessively detailed. The five-year 2009 Stockholm programme was so exhaustive that member-states decided not to renew it, citing ‘legislative fatigue’. The Juncker Commission, preferring better regulation to more regulation, agreed with the member-states, and made successor JHA plans vague enough to allow the EU to adapt to new threats. The Security Union is similar: there is no shopping list detailing what it should entail, but rather rough clusters of broadly-defined measures.

The Security Union is the EU’s attempt to plug the gaps in security co-ordination which were laid bare by the Paris and Brussels attacks, and also contributed to a sense of panic at the peak of the migration crisis. As such, the Security Union focuses on cross-border challenges such as border controls, information sharing, money laundering, trafficking of firearms and the investigation and prosecution of serious crimes like terrorism. These dossiers traditionally fell within the remit of the Commission’s Directorate-Generals for justice and home affairs (DG JUST and DG HOME), but also of the EU’s newer foreign policy department, the European External Action Service (EEAS).

The Security Union is modelled on the Commission’s structure focused around Vice-Presidents, whereby there is one Vice-President overseeing several Commissioners’ portfolios. The idea is not only to avoid overlap but also to ensure that there is a good understanding of how apparently unrelated issues interact, for example migration and cyber security. The Security Union has five main priority areas: data collection and data sharing; border controls; terrorism and organised crime; cyber security; and co-operation with third countries. This section discusses each in turn.

1. Data collection and sharing

Much of the well-founded criticism of the EU’s response to its recent security and migration crises has been directed at Europe’s inefficient use of data. It is not that Europe lacks the means. Over the past 20 years, the EU has built an array of databases. Each serves a different purpose, from catching criminals to gathering information on visa applications.6 But, most of the time, these databases do not talk to each other. This means that a law enforcement or border official trying to find out, for example, whether a foreigner’s Schengen visa was valid, would be unable to see that they were wanted for murder in another member-state. This is because of the EU’s principle of ‘purpose limitation’, whereby a database built for border control purposes should not be used for something else, like arresting a criminal. That principle was intended to protect the privacy of EU citizens.

The Commission is trying to change this by doing two things: first, it wants border guards and law enforcement agents to be able to get all the information they need on a person with just one click (see graphic on page 9). The EU has now passed a law which will ensure the interoperability of the EU’s main databases.7 At this stage, these include:

  • the Schengen Information System (SIS), a law enforcement database which member-states now consult over five billion times per year;
  • the Visa Information System (VIS), a database containing fingerprints and digital photographs of those applying for Schengen visas;
  • the European Criminal Records Information System (ECRIS), a system to share information on the criminal records of both EU citizens and third country nationals who have been convicted in an EU member-state;
  • and the newly created EU Entry/Exit System, a database which records data on third country citizens’ entry, exit or denial of entry, and the European Travel Information and Authorisation System (ETIAS), a travel authorisation system similar to the US’s ESTA. In time, customs data will be included too.

The EU is also planning to allow wider criminal law enforcement use of migration and border control databases like VIS and Eurodac (a database storing fingerprints of asylum seekers). Currently, data stored in Eurodac can be used to prevent and investigate serious crimes but only under stringent conditions, including having to exhaust other search means first. The Commission wants member-states to input more biometric data, such as photographs, into Eurodac and to allow law enforcement units to use the database to identify and deport overstaying third-country nationals. The European Parliament and the Council of Ministers are currently discussing this proposal. Once it passes, the new Eurodac database will also be connected to all other systems.

2. Border controls

The fallout of the 2015 refugee crisis and the rising tide of populism have encouraged the EU to try to keep would-be immigrants out. Europe has beefed up its border forces (Frontex, the European Border and Coast Guard Agency) and also stepped up the fight against smugglers by giving more powers to the European police agency Europol.

The EU has agreed to boost the powers and mandate of Frontex to establish a fully-fledged EU border force, by creating a standing corps of 10,000 border guards and increasing its budget from €321 million in 2019-2020 to €11.3 billion by 2027. The first 5,000 Frontex border guards will begin operations in January 2021. Frontex will work alongside national border guards in the day-to-day management of member states’ borders, but also intervene at short notice in a crisis. Frontex will be able to send teams to a member-state that is unable to police its borders within ten working days of declaring a crisis. Before, the agency had to rely on member-states sending border guards and equipment, such as helicopters or boats, to help control Schengen’s external borders. Now, the agency will have its own budget, so it will be able to purchase its own equipment.8 The new Frontex will also monitor and assess what member-states are doing to protect their borders.

The proposal was agreed in record time, but it is less ambitious than the Commission’s initial idea. Juncker’s original plan was to force member-states to accept the deployment of EU border guards on their territory if the Commission deemed they were not doing enough to protect Schengen’s external borders. But this idea failed to gain traction after several member-states opposed it. Many EU countries remain wary of letting the EU, let alone other countries, manage their borders. In October 2018, Italy’s Deputy Prime Minister, Matteo Salvini, accused France of a “hostile act” after French police crossed the border to return a migrant to Italian soil.9 Frontex will still be able to monitor and urge member-states to accept its help, but will not have the means to enforce a binding decision upon them. The agency will also be allowed to perform border controls and carry out forced and voluntary returns from the territory of a member-state if that state has authorised the agency to do so.

In 2016, Europol set up its European Migrant Smuggling Centre (EMSC). Europol helps the member-states fight against migrant smuggling, human trafficking and document fraud by providing intelligence and resources to national law enforcement and border agencies. For example, in 2018 Europol co-ordinated an operation between Germany, Romania, Serbia and the UK to dismantle a network smuggling migrants to Germany in lorry containers. To support member-states, Europol uses information sometimes collected at sea, as it deploys a team (‘Joint Operational Team Mare’) in charge of monitoring suspicious vessels and processing information gathered by European border forces when they debrief migrants.10

3. Terrorism and organised crime

The fight against cross-border terrorism and crime is a major part of the Security Union. In recent years, the Commission has come up with action plans to address situations before, during and after terrorist attacks. 

First, the Commission wants to prevent radicalisation. To this end the EU gives money to civil society organisations and local authorities active in the field, and has set up a pan-European network against radicalisation (Radicalisation Awareness Network, or RAN). Second, to improve the identification and tracking of criminals and suspects, the Commission has come up with new measures like the Passenger Name Record directive (PNR) and introduced EU-wide security standards for national ID documents.11 The new ID rules do not force member-states to issue national identity cards. But if they do, these need to follow EU standards and include at least one picture and two fingerprints.

To carry out an attack, terrorists need money and, more often than not, weapons. The EU has tried to crack down on the funding of terrorist activities and organised crime by legislating against money laundering and the use of the financial system to pay for terrorist activities.12 The Council and the Parliament have agreed to a Commission proposal to make it easier for national law enforcement agencies to access and share financial intelligence throughout the EU.13 The EU has also passed laws to make it more difficult for criminals to access weapons and make explosives.14

Governments across the world are also facing new problems, like how to deal with a live broadcast of a terrorist attack. On March 15th, a gunman killed 50 people in two mosques in Christchurch, New Zealand. He live-streamed the attack on Facebook, and the video was viewed 4,000 times before it was removed less than 15 minutes after the shooting. Facebook subsequently ‘hashed’ the original video, meaning that any similar content could be automatically detected and deleted. Within the first 24 hours, Facebook removed around 1.5 million copies of the video.15 But even after that, the footage is still circulating.

The Christchurch shooting was a stark reminder of the predicament facing governments and social media platforms alike. Privacy activists and officials complained that while Facebook’s use of artificial intelligence (AI) algorithms to remove, for example, nude pictures, is highly efficient, it did nothing to stop the Christchurch massacre from being broadcast to the world. Facebook contends that AI is not perfect and is still work in progress. In the EU, national governments and the European Parliament have been at loggerheads about the removal of online terrorist content. The Parliament has recently approved a Commission proposal to require social media companies to remove flagged content within an hour.16 Fines for non-compliance can amount to up to 4 per cent of a company’s total turnover. MEPs were wary of the short time span as they thought it could harm smaller companies and curtail freedom of speech. This latest inter-institutional row reflects a much wider problem, as the EU tries to define the role social media companies should play in the fight against terrorism and crime. If, in the words of New Zealand’s Prime Minister Jacinda Ardern, social networks are “the publisher and not just the postman”,17 should they not be held criminally responsible for the content their users upload?

Finally, arresting cross-border criminals is not easy. It may be even harder to put together a solid case before a national court. The Commission has tried to help with that, by proposing new rules which will help member-states to access electronic evidence stored outside their territory. The Commission also wants to give new powers to the yet to be operational European Public Prosecutor’s Office (EPPO), so it can deal with transnational terrorism cases in addition to financial crime.18 

4. Cyber security

Cyber security makes up at least half of the workload of Commissioner King and his team. Cyber security overlaps to some extent with some of the preceding Commission priorities and covers two main things: cyber crime, such as online fraud; and cyber attacks, for instance hacking into a nuclear plant, but also disrupting an election.19 In addition, the EU’s cyber security strategy includes fighting disinformation campaigns.20

The EU has been legislating on cyber crime for almost a decade, but has only recently woken up to the threat of private or state-sponsored cyber attacks and disinformation campaigns. In recent months, the focus has shifted from more traditional elements of cyber security like protecting banking systems, harmonising standards or imposing sanctions, to the new risks stemming from the use of AI, the development of 5G mobile networks and the impact of social media on elections. All three are technically complex issues that raise tricky questions for the EU, from moral considerations to the Union’s relationship with China and the US.

In the run-up to the May 2019 European Parliament elections, the Commission launched several plans to protect the integrity of the process. The EU elections are run by the member-states, not the EU. So the Union’s role was limited to helping EU countries ensure that their systems did not get hacked and that social media companies did not help to spread fake news ahead of the poll.21 The Commission wants to boost what it calls Europe’s ‘electoral resilience’, by, for instance, ensuring that even the tiniest, remotest of polling stations complies with minimum security standards; or by fact-checking content uploaded on social media.22 Time will tell if the EU has managed to convince all member-states of the importance of secure elections. But so far, the Commission does not seem to be impressed with the progress made by social media. In October 2018, Facebook, Google, Twitter and others signed a voluntary code of good practices to fight disinformation.23 In its last review of the code in March, the Commission said that social media companies were not doing enough to take down fake social media personas (‘trolls’) and automated accounts (‘bots’). The Commission had said earlier that it would consider proposing binding laws if it found that the code was not useful.

Like many of their Western allies, EU governments worry about artificial intelligence (AI). AI technologies have been around for a while – a thermostat that keeps the house at exactly the same temperature every day is a form of AI. But the development of much more complex technologies has put the matter at the top of EU governments’ agendas. The evolution of the internet of things, for example, allows household devices like fridges and phones to talk to each other with little or no human intervention – thanks to Radio Frequency Identification (RFID) tags, a fridge can send an automatic message to a phone to say the milk has run out. AI algorithms are now used for everything from self-driving cars to personalised travel suggestions and facial recognition techniques to identify criminals. Like any other technology, AI can have malign uses.

In April 2018, the Commission published a document which considered the security aspects of AI.24 The Commission highlighted three security challenges: cyber security and AI; the use of AI to fight crime and terrorism; and hindering the use of AI for criminal purposes. The Commission has also recently published the world’s first ethical guidelines for the development and use of AI.25 AI developers should follow four principles, according to the Commission: they should preserve human autonomy; prevent harm; be fair; and be easily explainable to users. While the guidelines are obviously voluntary, in the future the EU could think of establishing a system of certificates of compliance, particularly in areas where the use of AI could directly harm consumers, such as healthcare.

The EU’s latest ‘cyber’ challenge relates to 5G – the new generation of broadband connections which promises to speed up mobile internet connections and increase capacity. More advanced technologies, like the internet of things or autonomous AI, need more powerful networks to work properly. Networks work by making use of radio spectrum which is allocated by governments, so both national authorities and technology companies are already preparing for 5G. Currently, China is leading the world’s 5G race and intends to roll out services this year. This has become a thorn in the side of EU leaders: on the one hand, they need companies with the technical skills to get their 5G networks up and running, and Chinese companies like Huawei seem to be ahead of the game; on the other, the EU is still unclear on how to deal with the Chinese dragon, a key partner and yet a ‘systemic rival’ to Europe, as the EU’s recent update of its China strategy put it.26 Donald Trump’s escalating trade war against China is making matters trickier for the EU.

The Commission recently published its plans to find a common European approach to 5G.27 The Commission has asked member-states to identify the weak spots in their network infrastructures so they can prevent attacks on their national security. In a not-so-veiled nod to China’s Huawei, the Commission stresses that EU countries can refuse to allow foreign companies to use 5G bands if they are a threat to the country’s security or do not comply with national rules. The Commission has also asked member-states to share information on 5G cyber threats with each other and the EU’s cyber security agency ENISA, so the EU can better understand the challenges facing the Union.

5. Co-operation with third countries

The EU’s push for greater co-operation with third countries on matters of security and justice reflects a recent shift in the way Europeans look at their internal security. For years, JHA was considered a matter for the EU’s domestic policy sphere. EU leaders failed to take into account the impact of the EU’s foreign relations on domestic migration and security policies, but also on things like criminal law and police and judicial co-operation.

This failure had consequences: had the EU had the foresight to consider the internal and external aspects of JHA together at an earlier stage, some of the fallout of the 2015-2016 migration and Schengen crises could have been averted.

King’s team has taken this criticism on board. The Security Union devotes part of its resources to making sure that the EU successfully manages the international dimension of border management and the fight against crime. For example, in a bid to crack down on smuggling along the Western Balkan route, the EU has reached agreements with Albania, Bosnia and Herzegovina, Montenegro, North Macedonia and Serbia to allow the new Frontex to operate in those countries.

Following significant differences between American and European authorities on counter-terrorism strategy, mainly around the question of data sharing, the US and EU have now opened several channels of communication, such as the EU-US justice and home affairs ministerial meeting. Europe has also stepped up counter-terrorism co-operation with other Western partners, including Australia and Canada.

The EU is, somewhat controversially, also seeking to engage partners in counter-terrorism efforts in the Sahel, India, Pakistan and Kuwait and in anti-corruption strategies in the Western Balkans.28 The EU has opened preliminary talks on co-operation against crime with other partners like Algeria, Egypt, Jordan, Lebanon, Morocco and Tunisia, and is training Iraqi forces to collect evidence in the field. Europol has also begun negotiations with Ankara for the first ever Turkey-EU data sharing agreement.

If and when the UK leaves the EU, the bloc will also have to rethink its security relationship with Britain. The EU and the UK will have to sign co-operation agreements to plug Britain into EU agencies like Europol and Eurojust; reach a deal allowing them to share data with each other; and find ways to facilitate extradition between Britain and the continent.29

The record so far: Successes, work in progress and risks

Security will remain a priority for the EU in the years to come.30 Back in 2014, when the last European Parliament elections were held, Europeans were more worried about employment and the economy than crime and terrorism.31 But since the events of 2015, the trend has reversed and security is now one of the biggest concerns for EU citizens. The EU’s work in recent years reflects this change.

The outgoing European Commission has vowed to improve the EU’s security record by, in the Commission’s words, ‘completing’ the Security Union. Exactly what that means is not clear. On the face of it, the Commission appears to be proposing a ‘single market for security’, where practices, laws and standards are very much the same across the continent. Hence the analogy with the EU’s single market for workers, services, goods and capital – the ‘completion’ of which has been in the works for decades. However, unlike the single market, which aims to reduce barriers to trade, the Security Union must be able to constantly adapt to new and evolving challenges and threats, which in turn makes it difficult to set a finishing line for achieving the Union’s goals. What follows is first, a survey of those things that the EU has managed to achieve so far; second, some things that the Union has not yet achieved; and third, some risks that could undermine the Security Union. 


The EU moved unusually quickly to bring its Agenda on Security to life. This was not coincidental: the intense political pressure which followed events in 2015 accelerated the adoption of laws which, in the past, would have taken years to agree. The EU managed to achieve more on thorny issues such as data protection, PNR, border control and counter-terrorism in two years than it had in the previous decade. At the time of writing, the EU’s institutions have passed 15 out of the 22 Security Union laws proposed by the Commission since November 2015 and have reached a baseline agreement at least on another one. Some of the suggested measures will help keep European citizens safe in the short-term. Others may take longer to bear fruit or turn out to be unnecessary – like the proposal to confer more powers on the European Public Prosecutor, as discussed below.

The Security Union has improved the EU’s transparency and accountability in the JHA field. King’s team publishes regular progress reports and the Commission holds consultations with citizens, think-tanks, NGOs and other civil society organisations – although some feel that consultations on counter-terrorism and migration policies could be better.32 The development of a proper and structured EU security agenda with its own devoted team and institutional backing gives a sense of continuity to a patchwork of previously unco-ordinated responses to security challenges.33

Whereas international co-operation on migration control may be worrying, a more geopolitical view of the EU’s security policy was long overdue. The EU was slow to react to the 2015 refugee crisis partly because it failed to anticipate that the Syrian and Libyan conflicts would put the borderless arrangements of the Schengen area under stress. The EU’s renewed efforts to bring together the internal and external dimensions of security by, for instance, posting law enforcement and counter-terrorism specialists to EU delegations abroad; improving co-ordination between national immigration liaison officers deployed to third countries; or drawing on the input of the bloc’s diplomatic service to draft its security plans, make it easier for Europe to tackle fast-moving security threats.

Work in progress

There are two fundamental problems which may stall the next European administration’s ability to make progress on the Security Union. The first is the power dynamic between the Commission and EU member-states; the second is the Security Union’s institutional set-up.

The Commission’s push to legislate on a number of security files has alienated a few member-states. Some national capitals, like Rome or Athens, feel that the EU is encroaching on member-states’ competences. This tension is unlikely to fade soon: with nativist parties at the helm of governments in Italy, Hungary and Poland, and a growing eurosceptic presence in governments elsewhere, efforts to repatriate some powers from Brussels will probably be stronger in the next five years. Politics will play a big role in the Security Union’s survival. If the next European Commission wants to press on with ambitious security plans for Europe, it will probably need to pay more attention to criticisms from national governments.

The Security Union’s latest progress report shows that the Commission has had to open infringement procedures because some member-states did not implement EU policy as they should have. There is nothing odd about this – after all, it is the Commission’s business to monitor how the EU member-states implement and enforce EU law. But some files have an exceptionally high number of laggards: as of mid-March 2019, 22 member-states had not fully implemented the directive on the control of acquisition and possession of weapons;34 19 member-states had not completely transposed EU data protection rules in the area of law enforcement into their own laws;35 and the Commission has opened infringement procedures against all 28 member-states because it does not think any of them have transposed the fourth anti-money laundering directive correctly.

The second question hanging over the EU’s security plans is how these will fit within the next administration – will the next Commission president keep the Security Union department in place? How would it relate to other departments? Will the Commission make the necessary resources available? Despite having a dedicated Commissioner, the Security Union does not have its own Directorate General (the EU’s equivalent to a national ministry). Instead, the Union draws on the expertise of various EU teams, from the Commission’s DG HOME and DG JUST to the EEAS. This cross-cutting approach makes sense, as the EU wants the Security Union to be as flexible as possible so it can best tackle evolving threats. But such an unusual configuration (at least in EU terms) may prove tricky to maintain. Co-ordinating different services and making sure their work did not overlap was one of the Security Union’s main challenges and, because they were scattered across different units, officials sometimes complained that they were not always aware of what colleagues in different institutions were doing.

The Lisbon treaty, which gave more competences to the EU to legislate on matters of justice and security, brought with it a number of problems. For example, by expanding the mandate of the European Parliament in JHA matters, the treaty has led to internal and international rows over who is better placed to do what. Right after the Lisbon treaty came to force in December 2009, the Parliament rejected an EU-US counter-terrorism treaty; and the Council of Ministers has been wary of giving MEPs access to intelligence and sensitive information so they can take informed decisions on matters of internal EU security. Also, the division of the former DG justice, liberty and security into two separate DGs (home and justice) has brought sometimes competing agendas to the EU’s already complex JHA landscape. These two examples show that EU decision-making processes on justice and security need to be carefully planned. The security and rights of EU citizens cannot be left to improvisation or be vulnerable to institutional power-grabbing.

The Commission will need to organise its security departments and distribute responsibilities accordingly if it does not want to encourage further problems. A clear division of labour and a rational distribution of portfolios across Commission departments can help to overcome these problems. And both the Commission and the Council of Ministers should take into account that working with the European Parliament on security matters may become even trickier than before. With eurosceptic, populist parties winning more votes than ever before in this year’s European Parliament elections, the EU will probably become even harder to govern. The European Parliament is likely to be more fragmented and less consensual, as it will be more difficult to find majorities for anything, let alone in sensitive and difficult areas like security. The Parliament has struck down EU security laws in the past because it did not feel its voice was being taken into consideration.

The current state of Brexit paralysis will not help, either. In case of an extension of Britain’s membership beyond October 31st, the EU’s security plans may be put on hold. If the UK ends up staying in the EU for longer than expected (or for good), Brussels will need to find a way not only to accommodate the UK within the next administration but also to avoid blockages in a number of policy areas, including security. Britain’s EU membership will determine much of what will happen with the Commission’s Security Union department in the next few months: if the UK leaves, the Security Union may end up being one of the shortest-lived Commission departments ever; if there is another extension, Commissioner King and his team may continue well into the next European administration, if only for lack of a better compromise about Britain’s position within the EU. 


Like national governments, the EU faces trade-offs when passing security laws. Because the Security Union gives considerable weight to preventive measures, like tracking people’s movements or removing online content, it risks upsetting the delicate balance between individual liberty and public security. There are four areas where this is particularly likely to happen: data sharing; cyber security; preventive justice; and border controls.

First, legislation providing for the use and sharing of personal data for law enforcement purposes (like those granting police authorities the right to access migration-only databases) can breach European and international data protection laws – and even asylum laws – if they are not used carefully. In recent years, the EU has used data more intensively to fight crime. This has caused problems not only for citizens but also for the European institutions: while the Council of Ministers, the member-states and to some extent the European Commission favour this new, data-driven approach, the Parliament and the European Court of Justice (ECJ) have been very critical and have sometimes limited what the EU can do with data. The ECJ has, for example, annulled an EU law which obliged communication services providers to keep users’ data, like phone call records, for between six months and two years so law enforcement authorities could access them.36 The next European Commission and Parliament will have to tread carefully to ensure the measures they take to keep European citizens safe are proportional and effective.

Second, plans to fight cyber crime and disinformation campaigns, like asking internet companies to take down content or shut down accounts, sometimes clash with the fundamental right to free speech and pit regulators against the private sector. Resolving these tensions is difficult, because the EU’s approach to technology platforms is as much about security as it is about trade, competition rules or foreign policy – and essentially boils down to a conflict between Silicon Valley’s ‘disruptive’, libertarian attitude and the EU’s more conservative, pro-regulation stance. Many policy-makers and tech experts in the EU believe social media companies are not doing as much as they could to fight disinformation and terrorism online. The social media companies argue that there is only so much they can do to monitor content and tweak their algorithms to identify and remove fake news or automated accounts without engaging in censorship or intruding on users’ privacy.

Third, some EU measures to counter crime and terrorism, like tracking (and sometimes prosecuting) people who have travelled to Syria, or using artificial intelligence to identify suspects, can endanger the fundamental right to be presumed innocent – and hence the rule of law. For the last four years, the EU has been passing laws which make it easier for law enforcement, border and intelligence agencies to identify suspects or stop people from crossing borders. This focus on preventive justice has many critics, since it encourages practices like profiling – the use of data to decide, for example, who is more likely to commit a crime. The next European administration will need to decide whether to continue in this direction now that the sense of political urgency has eased.

Fourth, a stronger focus on restrictive migration policies can have the effect of preventing those with a genuine case for coming to Europe from exercising their rights (and may play into the hands of populist and illiberal politicians who advocate such restrictions). To win public support, the EU’s migration policies must serve both migrants and European citizens. EU leaders need to look beyond short-term solutions focused on shutting down borders and outsourcing controls to non-European countries. The EU’s political obsession with migration has shifted the focus from foreign and development policies to migration control. And this trend is likely to continue under the next European administration, which will be managing a larger foreign and development budget (the so-called European Peace Facility) with a stronger emphasis on migration control.37

Apart from questions of the balance between human rights and security, some of the Commission’s ideas to keep Europe safe may not work well – or at all. Take the suggestion to give the forthcoming European Public Prosecutor’s Office (EPPO) powers to prosecute terrorists. Once it becomes operational, the EPPO will initially be tasked with prosecuting people who have misused EU funds. The Commission wants to extend the EPPO’s competences so it can also prosecute terrorists who have committed a crime in one member-state but have ties to another (because they come from or have fled there). This may be a good way to counter headlines accusing the EU of being unable to prevent cross-border terrorism, but it has very little chance of succeeding and even less of making a real difference. This is because there are no EU-wide laws on criminal procedures – and very little harmonisation on criminal law itself – and this will remain the case for years to come. Member-states are likely to oppose such a plan, in order to preserve their competence over the prosecution of terrorists.

Despite the EU’s best efforts to boost cross-border co-operation, intelligence sharing remains patchy. Sharing sensitive information with foreign authorities requires trust between countries. In recent years, problems with the rule of law in some member-states, as well as different approaches to the migration and eurozone crises, have diminished rather than increased mutual trust within the EU.38 While most EU leaders and officials agree that a ‘European FBI’ is neither desirable nor likely, they also recognise that there is a need for better co-ordination of intelligence work. The EU already has two fora where this can happen: its Intelligence and Situation Centre (SITCEN), which pools intelligence information from member-states; and Europol. Some governments complain that SITCEN mostly works for and with the Commission, as many countries are still reluctant to share critical information with all EU governments. And member-states are also still not convinced about pooling their intelligence resources under the supervision of Europol, as was supposed to happen. While there is good bilateral and sometimes multilateral intelligence co-operation between some member-states, a lack of co-ordination at the EU level can have disastrous effects for the Union’s passport-free Schengen area – as seen after the Paris shootings. The new Intelligence College in Europe, a French initiative outside the EU framework, tries to plug some of these gaps. The idea is to bring together intelligence officials from different European countries (including the UK) so they can learn how to work together, and, eventually, trust each other.

Finally, while the EU may have improved the links between internal and external security policies, it will need to find answers to new external security questions. Two will be particularly pressing for the next European administration: the first is the bloc’s relationship with China and its technology companies, at a time when disruptive technologies like AI, drones or quantum computing are changing the world; the second is how to deal with an increasingly assertive Africa, ready to use Europe’s migration woes as leverage for trade and other deals. The EU’s approach to China will also have important implications for transatlantic security co-operation: if the US decides to cut off information channels with European countries that allow Huawei to operate their 5G networks, intelligence sharing between America and Europe will suffer.

No EU internal security strategy will be sustainable in the long term without a plan that can adapt to the threats and opportunities of new technologies, from the use of drones in policing borders to the roll-out of the internet of things. And such a plan cannot ignore the fact that, in many of these areas, the EU will have to learn how to work with mostly foreign companies, many from China and the US. Equally, the EU stands little chance of finding effective migration policies if it ignores the fact that these will come with trade-offs – including having to be creative in its relationship with Africa, where most migrants to the EU come from and which will continue to be a source of legal and irregular migration for the decades to come. 

Looking ahead

As a title, the Security Union may not survive the Commission’s forthcoming reshuffle (or Brexit), but the name matters less than the quality and aims of the policies themselves. The migration crisis and the terrorist attacks of 2015 and 2016 have shown that the EU needs to be better prepared to deal with internal and external shocks to Schengen and, consequently, its area of freedom, security and justice.

The June European Council set the tone for Europe’s internal security plans, by providing strategic guidelines for the next European Commission, European Parliament and President of the European Council. The strategic agenda insists on the need to protect Europe’s external borders and improve data sharing, as well as the importance of upholding individual rights and the rule of law.39 The guidelines are understandably vague (after all, they are written by the outgoing EU administration at a time when there is little clarity of who will take over the reins of the EU institutions) and mostly in tune with the EU’s security priorities over the last three years.

This section tries to look ahead and offers some concrete suggestions for the EU’s future security strategy. 

The next big crisis

Nobody knows where the next big crisis is going to come from. But, with some strategic foresight, we could at least take some educated guesses. In the next few years, the EU will most probably need to deal with three major security questions, all of which have the potential to unlock a fresh crisis: migration; disruptive technologies; and China. The next European administration should make these issues the priority.

The EU’s response to its migration crisis has been successful in reducing the number of people reaching the continent. But it has failed to build a longer term strategy to deal with future migration problems. This makes sense as EU leaders were under pressure to deliver swift solutions to the large inflows of people coming from Libya, Syria and Afghanistan during 2015. But Europe’s next migration headache will probably come from elsewhere. While securing borders and making deals with third countries may help the EU to stop massive flows, they will not do much to ensure that the Union is ready to face emerging migration trends. To be sustainable, the EU’s migration plans should take into account not only security considerations but also economic, geopolitical, climate and demographic factors.

The next European administration should be less shy in bringing up the topic of legal migration. While an EU-wide legal migration scheme will be difficult to agree, member-states could co-ordinate their efforts better, by, for example, setting up co-operation programmes with countries of origin that could benefit both migrants and host societies. Most importantly, EU countries should realise that legal migration cannot be an afterthought. If governments continue to refuse even to consider legal routes to Europe until irregular migration levels are down to near-zero, they will miss out on the economic opportunities legal migration offers. And, perhaps counter-intuitively, they will also encourage irregular migration by failing to deal with pull factors such as labour shortages in some member-states.

The new European Commission should have a better understanding of the trade-offs involved in using foreign and development policies to manage migration. Some of the deals the EU has made with African and other countries depend on the goodwill of dubious security partners, and may end up being counter-productive in the long term. It is perfectly legitimate for the EU to use its soft power to encourage better border management in migrant-sending countries. But migration control cannot be the only criterion for striking deals with third countries. Some African governments have understood that migration is a bargaining chip in their relationship with Europe and are ready to use it as such. Other countries are experiencing economic growth and would like to be treated as serious trade partners. The EU will need to take account of Africa’s new reality if it is to find a mutually beneficial relationship with the continent.

The use of disruptive technologies will be a major challenge for the next European administration, particularly as these technologies are mostly being developed outside Europe. This reduces the control the EU can have in regulating their use. In some cases, like artificial intelligence, the EU aspires to be a global norm-setter, following the relative success the bloc has had at setting the world’s ‘gold standard’ for data protection via its revamped privacy regulations. But two things may trump the EU’s ambitions: the first is that, while the EU is good at technological research and development, it is not so good at the deployment of new technology in markets. This failure matters for things like the ethical use of algorithms – if they are written and marketed by non-European companies, it will become much harder to make them comply with EU non-binding standards.

The second, and more important problem for the EU is that it has not yet worked out how to regulate technology companies. This is not only a security question: technology companies, from the biggest Internet giant to the smallest start-up are now a major part of the day-to-day life of European citizens and the continent’s economy. Yet, some governments think that current EU competition rules fail to cover technology companies properly; their corporate tax arrangements in Europe are a subject of much debate; and their role in building Europe’s digital single market has sometimes been neglected. To adapt to the new realities, the EU will need a strategy that combines several policies, from competition to taxation to the single market.

Such a strategy should also include a coherent China policy. While the EU has been distracted with more pressing matters like migration, Brexit or the eurozone crisis, China has gone on with its technology development. The EU has only recently started to get to grips with the challenges Chinese technological dominance may pose. These are not only related to security: Chinese rivals are competing with European companies to build the world’s communications networks, often with the support of potentially market-distorting methods, such as government subsidies; and the US administration, waging a trade war against China, is pushing EU member-states to exclude Huawei from their 5G networks, and threatening to stop security and even commercial co-operation with those that do not. The EU seems to be the piggy in the middle between the increasingly hostile giants, but it has more at stake than may appear at first sight. EU providers Ericsson and Nokia control 60 per cent of the 5G market (for now, Huawei controls the other 40 per cent, while US tech company Qualcomm is involved in providing micro-chips to develop the technology but does not develop the networks themselves).40 It will be impossible for the EU, or its member-states, to avoid the China question. The next European administration will have to work on an all-encompassing China policy, which will need to answer difficult security, foreign policy and economic questions.

Getting the EU’s house in order

How the EU chooses to arrange its security departments may seem unimportant for the wider security discussion, but it is not. In the past, the EU has struggled to reconcile the views of its different institutions on important security matters, like transatlantic counter-terrorism co-operation or border controls. An inefficient distribution of tasks contributes to the erosion of mutual trust, both between EU governments and between the EU institutions. This, coupled with Europe’s volatile politics will make it more difficult to agree and apply security policy decisions in the EU.

One way to remove that risk would be to organise the EU’s new security departments by work streams. Because security issues cut across so many areas of activity the next EU administration could, for instance, distribute the Security Union’s current priorities among different departments under the common umbrella of a Vice President in charge of the Security Union. This Vice President would oversee the work of several departments, including new ones. It is unlikely that the current distribution of files will remain unchanged. For example, the next European administration will probably give a more prominent role to the rule of law by separating it from justice and consumer matters, as is currently the case. Similarly, DG HOME (or its successor) will probably not retain sole control over migration matters.

For Europe’s security plans to be effective, the Commission could, for example, have a single department in charge of security and technology, bringing together some of the staff working on matters like artificial intelligence, cyber security, data sharing and 5G. These officials are currently scattered amongst several Commission departments, like DG CONNECT, DG HOME and even DG GROW. Likewise, for the EU to strengthen Schengen, the link between rights (no border controls, for instance) and obligations (a functioning external migration policy) should be made clearer. A specifically-devoted department (DG) with a visible head to it (a sort of Mr, or, preferably, Ms Schengen) could help. In any case, the Commission will need to make sure that its security staff remain in close touch with both the European Parliament and the EEAS. 

Europeans doing things

Finally, most officials agree that implementation is one of the Security Union´s biggest problems. In some cases, member-states have not had time to apply EU law domestically, because of the large number of measures the EU has passed since 2015. But in other cases, member-states simply feel the EU is encroaching on their national responsibilities by over-legislating on security matters. While the Juncker Commission has vowed to be stricter in respecting the EU’s subsidiarity principle, whereby the EU only intervenes where it can be more efficient than member-states alone, this does not seem to apply to headline-grabbing security issues like border controls or counter-terrorism measures. The next European administration will need to come back to the question of subsidiarity if it wants to break the implementation gridlock: it will have to decide whether there are more areas where the EU can support member-states with non-binding measures instead of laws. A good way to achieve this would be to maintain the Security Union’s ‘fluid’ policy model: the EU institutions could suggest clusters of policy goals and some measures to achieve them, instead of a prescribing a list of laws to pass, as used to be the case before. 


2015 and 2016 were not good years for the EU. A myriad of crises threatened the Schengen area and the unity of the member-states. But, as the saying goes, in every crisis lies an opportunity. The EU’s struggles changed the way the Union went about security. The Security Union has made the bloc more proactive and far-sighted than it used to be. It has also brought some problems, which the next European administration will need to meet head-on. The most acute is how to protect civil rights in times of populism. The Security Union has allowed the EU to react to problems quickly. This has had the paradoxical effect of fencing off EU critics and emboldening the populists at the same time. By shifting towards harder positions on things like borders and policing, the EU has managed to avoid the collapse of Schengen and regained a general sense of control. But it has also helped the populists’ agenda, by implicitly accepting that Europe is in a state of emergency that requires tougher laws.

The European elections delivered a less cohesive Parliament with more eurosceptic members. And unstable national politics mean that the Council of Ministers is also more divided. With the contest for the top EU jobs in full swing, European leaders would do well to think what sort of EU they want for the next five years. If they want the Union to be a credible security provider and a champion of civil rights, they should think their security policies through and avoid knee-jerk reactions. The Security Union’s successes and failures offer some lessons for the next set of European leaders, from heads of government to the new Commission president and the EU’s incoming foreign policy boss. They would be wise to learn from them.

1: Communication from the European Commission to the European Parliament, the European Council and the Council, ‘Delivering on the European Agenda on Security to fight against terrorism and pave the way towards an effective and genuine Security Union’, COM(2016) 230 final, Brussels, April 2016.
2: Jean-Claude Juncker, ‘State of the Union address 2016: towards a better Europe – a Europe that protects, empowers and defends’, Strasbourg, September 2016. Emmanuel Macron, ‘Dear Europe, Brexit is a lesson for all of us: it’s time for renewal’, op-ed in The Guardian, El País, Die Welt, Corriere della Sera etc, March 4th 2019.
3: Communication ‘Delivering on the European Agenda on Security to fight against terrorism and pave the way towards an effective and genuine Security Union.’
4: European Commission, ‘The European Agenda on Security’, Strasbourg, April 2015; Council of the European Union, ‘The Stockholm Programme – An open and secure Europe serving and protecting the citizens’, Brussels, December 2009; European Commission, ‘The EU Internal Security Strategy in Action: Five steps towards a more secure Europe’, Brussels, November 2010.
5: Hans Nilsson and Julian Siegl, ‘The Council in the Area of Freedom, Security and Justice’, in Jorg Monar (ed.), ‘The institutional dimension of the EU’s area of freedom, security and justice’, College of Europe Studies, P.I.E. Peter Lang, Brussels, 2010.
6: For a detailed account of the EU’s JHA databases, see Camino Mortera-Martinez, ‘Plugging in the British: Justice and home affairs’ in Sophia Besch, Ian Bond and Camino Mortera-Martinez, ‘Plugging in the British: Completing the circuit’, CER report, June 2018.
7: Regulation (EU) 2019/817 of the European Parliament and of the Council, on establishing a framework for interoperability between EU information systems in the field of borders and visa; and Regulation (EU) 2019/818 of the European Parliament and of the Council, on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration.
8: Camino Mortera-Martinez and Beth Oppenheim: ‘Why Europe needs legal migration and how to sell it’, CER policy brief, December 2018.
9: Luigi Scazzieri: ‘Tearing at Europe’s core: Why France and Italy are at loggerheads’, CER insight, February 2019.
10: Europol, ‘European Migrant Smuggling Centre’, third annual activity report, 2018.
11: Directive (EU) 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime; Regulation of the European Parliament and of the Council on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement. Not yet published in the EU’s Official Journal.
12: Directive (EU) 2018/843 amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing; Communication from the Commission to the European Parliament, the European Council, the Council, the European Central Bank, the Economic and Social Committee and the Committee of the Regions, ‘Strengthening the Union framework for prudential and anti-money laundering supervision for financial institutions’, COM(2018) 645 final.
13: Directive of the European Parliament and the Council laying down rules facilitating the use of financial and other information for the prevention, detection, investigation or prosecution of certain criminal offences, COM(2018) 213 final. Not yet published in the EU’s Official Journal.
14: Directive (EU) 2017/853 amending Council Directive 91/477/EEC on control of the acquisition and possession of weapons; Regulation of the European Parliament and the Council on the marketing and use of explosives precursors. Not yet published in the EU’s Official Journal.
15: Chris Sonderby, ‘Update on New Zealand’, Facebook, March 18th 2019.
16: Proposal for a regulation of the European Parliament and of the Council on preventing the dissemination of terrorist content online, COM(2018) 640 final.
17: ‘Christchurch shootings: Ardern vows never to say gunman’s name’, BBC News, March 19th 2019.
18: Proposal for a regulation of the European Parliament and of the Council on European Production and Preservation Orders for electronic evidence in criminal matters COM(2018) 225 final; Proposal for a directive of the European Parliament and the Council laying down harmonised rules on the appointment of legal representatives for the purpose of gathering evidence in criminal proceedings, COM(2018) 226 final; Communication from the Commission to the European Parliament and the European Council, ‘A Europe that protects: An initiative to extend the competences of the European Public Prosecutor’s Office to cross-border terrorist crimes’, COM(2018) 641 final.
19: Camino Mortera-Martinez: ‘Game Over: Europe’s cyber problem’, CER policy brief, July 2019.
20: Camino Mortera-Martinez: ‘What is Europe doing to fight disinformation?’, CER bulletin article, November 2019.
21: Commission recommendation on election co-operation networks, online transparency, protection against cybersecurity incidents and fighting disinformation campaigns in the context of elections to the European Parliament. A contribution from the European Commission to the Leaders’ meeting in Salzburg on 19-20 September 2018, COM(2018) 5949 final. Brussels, September 12th 2018.
22: Communication from the Commission to the European Parliament, the European Council and the Council: 17th Progress Report towards an effective and genuine Security Union, COM(2018) 845 final, Strasbourg, December 11th, 2018.
23: EU Code of Practice on Disinformation, October 2018.
24: Communication from the Commission to the European Parliament, the European Council, the Council, the European Economic and Social Committee and the Committee of the Regions, ‘Artificial intelligence for Europe’, COM(2018) 237 final.
25: Independent high-level expert group on artificial intelligence set up by the European Commission, ‘Ethics guidelines for trustworthy AI’, Brussels, April 8th 2019.
26: The European Commission and the High Representative of the Union for Foreign Affairs and Security Policy, Joint Communication to the European Parliament, the European Council and the Council, ‘EU-China – A strategic outlook’, JOIN(2019) 5 final, Strasbourg, March 12th 2019. For more on EU-China relations, see Ian Bond, ‘China and Europe: Buying hearts and minds?’, CER bulletin article, November 29th 2018; and ‘Huawei, my way or the highway: Which way should the EU turn?’, CER insight, June 18th 2019.
27: European Commission, ‘Cybersecurity of 5G networks’, Brussels, March 26th 2019.
28: In Niger, for example, analysts fear that border control databases storing biometrical information may be used to map security risks and threats in the region – Giacomo Zandonini, ‘Biometrics: The new frontier of EU migration policy in Niger’, The New Humanitarian, June 6th 2019.
29: See ‘Plugging in the British: Completing the circuit’, CER report, June 2018.
30: “Better protecting the security of our citizens” is the first of the EU’s legislative priorities for 2018-2019.
31: According to the Eurobarometer poll, crime and terrorism were ranked 7th and 8th respectively as citizens’ main concerns. (Terrorism fell to number 13th in November that year).
32: Some civil society organisations regret that the sense of political urgency sometimes trumps other considerations when designing EU policies. Most draft EU laws need to attach a so-called ‘impact assessment’, which looks in detail at the possible impact the law may have on, amongst other things, the EU budget and human rights. But some recent security and migration policy proposals, like the directive regulating returns of migrants to their home or transit countries, failed to undergo such an analysis. 
33: Valsamis Mitsilegas in ‘Constitutionalising the Security Union: Effectiveness, rule of law and rights in countering terrorism and crime’, Centre for European Policy Studies, 2017.
34: According to the Commission’s 18th progress report on the Security Union, these are: Belgium, Bulgaria, Czechia, Germany, Estonia, Ireland, Greece, Spain, Cyprus, Latvia, Lithuania, Luxembourg, Hungary, the Netherlands, Poland, Portugal, Romania, Slovenia, Slovakia, Finland, Sweden and the United Kingdom (state of play as of March 11th 2019).
35: Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data. According to the Commission’s 18th progress report, these are: Belgium, Bulgaria, Czechia, Estonia, Greece, Spain, France, Croatia, Cyprus, Latvia, Lithuania, Luxembourg, Hungary, the Netherlands, Poland, Portugal, Romania, Slovenia and Finland. The Commission is receiving replies by Member States, including notifications of the legislation concerned, which are currently being analysed (state of play as of March 11th 2019). Procedures against six member-states (Belgium, France, Croatia, Lithuania, Luxembourg, Hungary) have now been closed.
36: Joined Cases C‑293/12 and C‑594/12, ‘Digital Rights Ireland’, April 8th 2014.
37: For more on the link between the EU’s foreign and migration policies, see Camino Mortera-Martinez and Beth Oppenheim: ‘Why Europe needs legal migration and how to sell it’, CER policy brief, December 2018.
38: Camino Mortera-Martinez; ‘Catch me if you can: The European Arrest Warrant and the end of mutual trust’, CER, April 1st 2019.
39: European Council, ‘A new strategic agenda 2019-2024’, Brussels, June 20th 2019.
40: The recent escalation of US president Donald Trump’s ‘tech war’ against China will probably change these market shares in the medium term. Google’s decision to stop updating its Android operating system on Huawei devices has hit the Chinese company’s global sales. Countries that do not wish to risk being entangled in Sino-American tensions may turn to non-European competitors, like Samsung – whose market share is steadily increasing. 

Camino Mortera-Martinez, Senior research fellow, Centre for European Reform, June 2019

View press release

This paper is part of a series on the future of Europe's migration and security policies supported by the Open Society European Policy Institute.  

Copyright is held by the Centre for European Reform. You may not copy, reproduce, republish or circulate in any way the content from this publication except for your own personal and non-commercial use. Any other use requires the prior written permission of the Centre for European Reform.