On 1st April 2025, the Commission launched ProtectEU[1], a European Internal Security Strategy to bolster the EU’s ability to keep its citizens safe and to better counter future threats through a sharper legal toolbox, enhanced cooperation between Member States and EU agencies as well as increased information sharing.
Complementing the ReArm Europe Plan[2] and the Preparedness Union Strategy[3], the Proposal finds its rationale in the need to review the EU’s approach to internal security in light of an evolving geopolitical landscape characterized by proliferating organised crime networks, hybrid threats by hostile foreign states and state-sponsored actors as well as terrorists increasingly operating online. Despite, in the last decade, the EU improved its collective mechanisms for action areas such as, amongst the others, law enforcement, judicial cooperation, border security and counter-terrorism, indeed, the nature of the nowadays threats requires a step further. The Strategy, therefore, provides a comprehensive response aimed at promoting a cohesive approach to security, which should enhance the EU’s ability to prevent, detect and respond to upcoming threats.
First, the Strategy highlights the importance for the EU to rely on a comprehensive and up-to-date situational awareness and threat analysis. Building on the risk and threat assessments produced at EU level and for specific sectors, therefore, the Commission will prepare regular EU internal security threat analyses to identify the main security challenges and to enable targeted policy interventions in a timely manner. In this regard, the Commission will revise its corporate security governance framework and establish an Integrated Security Operations Centre (ISOC) to protect people and businesses.
Second, in order to develop new law enforcement tools as well as better means to ensure secure data exchange and lawful access, the Commission will, on the one hand, propose to reinforce Europol’s mandate to bolster its technological expertise and capacity to support national law enforcement agencies and, on the other hand, create a European Critical Communication System (EUCCS) based on operational mobility, strong resilience and strategic autonomy to link Member States’ next generation critical communication systems. Moreover, the Schengen Information System (SIS)[4] will be enhanced in 2026 to enable Member States to enter alerts about third-country nationals involved in terrorism and other serious crimes, based on data shared by third countries with Europol.
Third, Member States should strengthen their resilience against threats to critical infrastructures by timely transposing and implementing the CER[5] and NIS2[6] Directives as well as exchanging good practices on national strategies and on risk assessments as regards essential services. The Commission, on its part, will focus on the security and resilience of ICT supply chains and infrastructure in the ongoing revision of the Cybersecurity Act[7] and introduce new measures to secure cloud and telecom services.
Fourth, the Strategy emphasizes the need for stronger rules in the fight against organised crime networks. In this regard, the EU institutions are working on an anti-corruption framework and on a strategy to strengthen coordination among all relevant authorities and stakeholders in this area, and a legislative proposal for modernized rules on organised crime is expected to be proposed in 2026. Moreover, the Commission will introduce a renewed EU Strategy on combatting trafficking in human beings covering all stages from prevention to prosecution, with a focus on victim support at both EU and international level.
Finally, Member States need to ensure that the EU is well equipped to anticipate threats, to prevent radicalization and to protect citizens and public spaces from terrorist attacks. Therefore, a new Agenda on preventing and countering terrorism and violent extremism will be presented in 2025, with the EU Knowledge Hub on Prevention of Radicalization[8] stepping up its support to practitioners and policymakers with a new prevention toolbox to allow for early identification and interventions focusing on vulnerable individuals.
[1] Com. Comm. COM(2025) 148 final of 01.04.2025, Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions on ProtectEU: a European Internal Security Strategy.
[2] For further information see our previous article, available at the following LINK.
[3] For further information see our previous article, available at the following LINK.
[4] For further information see the following LINK.
[5] Directive (EU) 2022/2557 of the European Parliament and of the Council, of 14 December 2022, on the resilience of critical entities and repealing Council Directive 2008/114/EC, OJ L 333 of 27.12.2022.
[6] Directive (EU) 2022/2555 of the European Parliament and of the Council, of 14 December 2022, on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148, OJ L 333 of 27.12.2022.
[7] Regulation (EU) 2019/881 of the European Parliament and of the Council, of 17 April 2019, on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013, OJ L 151 of 07.06.2019.