🇪🇺 EUR-Lex ·

EU sets technical rules for automated cross-border police-records exchange via EPRIS

Member State police authorities and Europol must build and configure EPRIS to the Decision's technical, security and logging specifications to exchange police records

Data Privacy Cybersecurity Criminal Justice
Save
Change
On 8 June 2026, the European Commission adopted Implementing Decision (EU) 2026/1065, setting the technical rules for automated cross-border exchange of police records via EPRIS under the Prüm II Regulation (EU) 2024/982; participating Member States and Europol must deploy and operate national indexes and services to the specified standards. It enters into force 20 days after its 10 June 2026 publication.
Why it matters
The Decision establishes the binding technical and operational framework for EPRIS, the system for automated cross-border exchange of police records under Prüm II. Each participating Member State must deploy a national police record index and query/search micro-services, update the index at least every 24 hours, and apply the specified transaction workflow, pseudonymisation, mTLS encryption, logging and statistics requirements; Europol operates the central routing infrastructure as a trusted intermediary that cannot read the encrypted data payload. The Annex fixes entity codes, search concepts (strict and tolerant), a 100-match technical cap, high-availability/redundancy obligations, configuration-data management and access controls. Denmark is not bound; Ireland is.
Implications
  • Participating Member States' law-enforcement IT authorities must deploy and operate at least one national police record index plus query and search micro-services, update the index at least every 24 hours, and conform to the specified transaction workflow, pseudonymisation and mTLS encryption, or be unable to participate in EPRIS exchanges.
  • Europol must build and run the EPRIS central routing infrastructure as a high-availability, fully redundant system that routes encrypted, pseudonymised queries without reading the data payload, and operate the centralised statistics platform, in line with the Decision's specifications.
  • Member State and Europol data-protection and security functions must implement individual-user access controls, structured logging of the specified fields, and regular rotation of pseudonymisation parameters, since these are binding conditions of EPRIS operation under the Decision and Regulation (EU) 2024/982.

See full brief

Use 1 free preview to unlock implications, who’s affected, what to watch, and Clarify for this brief.

2 free previews left this month · Resets 1 Jul

Source
EUR-Lex
View on EUR-Lex
Clarify with AI

Unlock this brief free to ask your question.

Decision prompts

Clarify with AI — Pro only

You asked:

Clarify turns any brief into answers specific to your role and exposure.

Pro includes

Implications — what this change may force you to review
Who is affected — which people, workflows, or obligations are touched
What to watch — dates, deadlines, and triggers that matter next
Real-time alerts — delivered when a decision-forcing change is published
Clarify with AI — ask what this change means for you

$29/month · Founding rate, locked for life. Cancel anytime.

Start your trial to clarify this brief

You asked:

Clarify is part of Pro. Start a 14-day trial for full access to every brief, unlimited Clarify questions, and real-time alerts.

Pro includes

Implications — what this change may force you to review
Who is affected — which people, workflows, or obligations are touched
What to watch — dates, deadlines, and triggers that matter next
Real-time alerts — delivered when a decision-forcing change is published
Clarify with AI — ask what this change means for you

$29/month after trial. No credit card required. Cancel anytime.

Start 14-day trial Sign in

Unlock this brief to clarify it

Use 1 free preview to unlock the full brief — implications, who’s affected, what to watch, and Clarify for this brief.

2 free previews left this month · Resets 1 Jul