On 24 June 2025, the European Commission published its “roadmap” for ensuring lawful and effective access to data by law enforcement (“Roadmap”). The Roadmap forms a key part of the Commission’s internal security strategy, which was announced in April, and follows on from the November 2024 recommendations of the High-Level Group on Access to Data for Effective Law Enforcement.

Of most immediate relevance to electronic communications service (“ECS”) providers, the Commission intends to propose new data retention requirements, is considering changes to better enable cross-border live interception of communications, and will support the development of tools enabling law enforcement authorities (“LEAs”) to access encrypted data. We describe these proposals, and other elements of the Roadmap, in more detail below.

The Roadmap first sets out the Commission’s view that “[l]aw enforcement and the judiciary have been losing ground to criminals over the past decade as criminals use tools and products from service providers that have put in place measures preventing cooperation with lawful requests.” It then identifies the factors that the Commission believes have prevented LEAs from obtaining access to data, and the steps the Commission intends to take to address those concerns.

1. Providers often delete data in accordance with data protection obligations before they receive demands to disclose it. To address this challenge, the Roadmap states that in 2025, the Commission will prepare an impact assessment “with a view to updating EU rules on data retention as appropriate.” This follows the conclusion of the Commission’s recent consultation on data retention requirements, and it appears likely that the Commission will propose new EU-level data retention legislation to replace the 2006 Data Retention Directive, which the CJEU held in 2014 was incompatible with EU law. A key challenge for the Commission will be to ensure that any new legislation complies with the long line of CJEU judgments holding that data retention obligations must be limited to what is “strictly necessary” for the purpose of fighting “serious crime,” and that “general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication” is not permitted under EU law (see an earlier post on one of these cases here).
   
   In addition, the Roadmap states that the Commission will encourage Europol and Eurojust to work with communications service providers to: (a) streamline cooperation with LEAs; and (b) develop a catalogue of the data communications service providers process, so that LEAs know what information may be available.
2. Conflicts of law can hold up the process of LEAs obtaining access to data. While the forthcoming e-evidence package (described here) will give LEAs in one Member State tools to obtain stored content and metadata from organizations in other Member States, it does not provide powers for LEAs to carry out real-time interception of communications. The Roadmap commits the Commission to, by 2027, propose measures to improve the process for cross-border requests for real-time interception, which may involve changes to the European Investigation Order process. It will also look at ways of encouraging uncooperative providers to comply with real-time interception requests, and take steps to support any secure information-sharing capacity between Member State LEAs and Europol.
3. Encryption prevents law enforcement agencies from reading data. The Roadmap notes that encrypted communications have become widespread, and that this affects the ability of LEAs to investigate and prosecute crimes, because LEAs have limited ability to access the content of the communications in the clear. The Commission does not indicate that it will propose legislation requiring the breaking of encryption. Instead, the Roadmap focuses on developing technical tools allowing LEAs to access this content. In particular, it states that the Commission will create an expert group to prepare a “technology roadmap” on encryption, which will identify and assess tools that enable decryption while safeguarding security and fundamental rights. This roadmap will be completed in Q2 2026, and the Commission will support research and development to give Europol “next-generation decryption capabilities” from 2030.
4. LEAs do not always have access to tools enabling them to retrieve data from devices they obtain, or analyze large quantities of data that they obtain. As set out in the internal security strategy mentioned above, the Commission plans to update Europol’s mandate, which will likely require new legislation. In the interim, the Roadmap calls upon Europol—starting in 2026—to become a center of excellence for digital forensics, coordinate knowledge among Member State LEAs in this area, and facilitate cooperation.
   
   The Roadmap also states that, to help LEAs retrieve data from devices, the Commission will: (a) support Member State LEAs by conducting a gap and needs analysis relating to tools used for digital forensics of devices; (b) support Europol in developing its existing “tool repository,” which provides LEAs with access to investigative tooling; (c) support LEAs and procurement authorities to make joint purchases of licenses for digital forensics tools; and (d) support the creation of new training materials and resources for digital forensics. Given the increased use of encryption for the content of devices, it is possible that this work will overlap with the work described in point 3. above.
   
   In addition, to help LEAs to analyze large quantities of evidence effectively, the Roadmap states that the Commission will work with Europol to develop standardized processes and data formats for LEA access to data, and foster the creation and use of AI tools for analyzing digital evidence. The Commission will also support the creation of guidelines for the use of AI by LEAs.