Key data
| Regulation | Commission Implementing Decision (EU) 2026/1064, of 8 June 2026 |
|---|---|
| Publication | 10 June 2026 |
| Entry into force | Not specified in the regulation |
| Affected parties | Security forces and bodies, judicial authorities and police cooperation bodies of the EU |
| Category | European Regulation |
| Base regulation | Regulation (EU) 2024/982 of the European Parliament and of the Council |
| Technical system | Prüm II router |
| Types of biometric data | Fingerprints, DNA profiles, facial images |
European security forces and judicial authorities face a significant technical transformation: the Prüm II system, which allows automated cross-border exchange of biometric data between EU countries, is launching its final technical specifications. The Implementing Decision (EU) 2026/1064, published on 10 June 2026, develops the Regulation (EU) 2024/982 and sets the technical rules for cross-border police cooperation to function in an interoperable manner throughout the Union.
What was previously a general regulatory framework now has a name, format and protocol. Each Member State—and its competent bodies—knows exactly how to structure its queries, what communication standards it must comply with and under what conditions it can access biometric data from another country.
What does this regulation establish?
Implementing Decision 2026/1064 develops the implementing provisions of Regulation (EU) 2024/982 with regard to automated search and exchange of biometric data through the Prüm II router. Its central elements are:
| Regulated element | Specific content |
|---|---|
| Types of biometric data | Fingerprints, DNA profiles and facial images |
| Data format | Technical format specifications for exchange between Member States |
| Communication protocols | Communication standards that national systems must follow to connect to the Prüm II router |
| Access conditions | Requirements and conditions under which automated cross-border queries can be performed |
| Operational procedures | Internal processes that national authorities must follow to operate within the system |
| Data protection | Safeguards for citizens against automated processing of sensitive biometric information |
The stated objective of the regulation is to improve police and judicial cooperation in the EU, facilitating the identification of suspects or victims in criminal investigations through automated cross-checking of national biometric databases through a common connection point: the Prüm II router.
This Decision does not create the system from scratch: what it does is technically implement Regulation (EU) 2024/982, which already established the general legal framework. Now national bodies have the concrete instructions to connect and interoperate.
Economic and operational impact
The regulation does not set specific economic amounts, but its operational impact is significant for affected organizations. The practical implications are concentrated in three areas:
- Adaptation of IT systems: National bodies must review and, where necessary, modify their technological platforms to comply with the formats and communication protocols established. This may involve investment in software development, system integration and interoperability testing with the Prüm II router.
- Review of internal procedures: Beyond technology, internal operational procedures must be aligned with the new standards. This includes query protocols, access logging and management of automated search results.
- Data protection compliance: As these are biometric data—a particularly sensitive category under the General Data Protection Regulation (GDPR)—organizations must ensure that new cross-border data flows have the required safeguards. This may require updating impact assessments (DPIA) and records of processing activities.
- Staff training: Operators managing queries through the Prüm II router will need specific training on the new procedures and regulated access conditions.
Who does it affect?
The regulation has a very specific institutional scope. The directly affected bodies are:
- State security forces and bodies (in Spain: National Police, Civil Guard and regional police forces with competence in the matter)
- Judicial authorities with competence in cross-border criminal investigation
- EU police cooperation bodies participating in the Prüm II system
- Technical and IT units of security forces responsible for technological integration
- Data Protection Officers (DPO) of affected authorities, who must review implications regarding sensitive biometric data
- Technology providers that develop or maintain IT systems for competent authorities
Private companies are not directly obligated by this regulation. However, technology providers working with security forces or judicial authorities may be indirectly affected if they need to adapt their solutions to the new technical standards.
Practical example
Imagine that the Spanish National Police are investigating a crime committed in Spain by an unidentified individual. The investigators have fingerprints and a facial image obtained at the crime scene, but find no matches in national databases.
With the Prüm II system operational and the technical standards of Decision 2026/1064 implemented, the competent unit can launch an automated cross-border search against the databases of other Member States. The Prüm II router receives the query in the technical format established by this Decision, distributes it to connected national systems and returns the results of possible matches.
For this to work, the National Police's IT system must speak "the same technical language" as the router: same biometric data formats, same communication protocols, same access conditions. If systems are not adapted to the standards set by Decision 2026/1064, the query cannot be executed and cross-border cooperation is blocked.
This example illustrates why technical adaptation is not optional: without it, national authorities are excluded from a key mechanism of European police cooperation.
What should organizations do now?
- Identify affected systems: Map which internal technological platforms manage or could manage biometric data (fingerprints, DNA profiles, facial images) that could be queried or shared through the Prüm II router.
- Review technical compliance: Compare current data formats and communication protocols with the technical specifications set in Decision 2026/1064. Identify compliance gaps that require system development or adaptation.
- Update data protection impact assessments: Cross-border flows of biometric data are high-risk processing. Existing DPIAs must be reviewed to incorporate the new context of the Prüm II router and regulated access conditions.
- Review and update internal operational procedures: Document new query, access and results management procedures in accordance with established standards. Ensure that operational staff are aware of regulated access conditions.
- Coordinate with technology providers: If systems are developed or maintained by third parties, communicate the technical requirements of the Decision to them and establish timelines for adaptation.
- Train staff: Design specific training actions for operators who will use the Prüm II system, with special emphasis on access conditions and data protection safeguards.
Frequently asked questions
What types of biometric data does the Prüm II system regulate?
Decision 2026/1064 regulates the automated exchange of three categories of biometric data: fingerprints, DNA profiles and facial images. This data can be queried cross-border between EU Member States through the Prüm II router to identify suspects or victims in criminal investigations.
When does Implementing Decision 2026/1064 enter into force?
The regulation was published on 10 June 2026, but the specific date of entry into force is not specified in the available information. It is recommended to consult the full text in the EU Official Journal to verify the exact date and applicable transposition or adaptation deadlines.
What must security forces adapt to comply with Prüm II?
Police and judicial authorities must adapt two areas: (1) their IT systems, to comply with the data formats and communication protocols established in the Decision; and (2) their internal operational procedures, to align with regulated access conditions and query processes. Without this adaptation, they will not be able to participate in automated cross-border exchange.
Does the Prüm II system have data protection implications?
Yes, and they are relevant. Biometric data (fingerprints, DNA, facial images) are a particularly sensitive category under the GDPR. Decision 2026/1064 establishes safeguards for citizens against automated processing of their biometric information. Affected authorities must review their data protection impact assessments (DPIA) and ensure that new cross-border flows have the required safeguards.
Does this regulation affect private companies?
Directly, no. Decision 2026/1064 is directed exclusively at security forces and bodies, judicial authorities and police cooperation bodies of the EU. However, technology providers that develop or maintain IT systems for these authorities may be indirectly affected if they need to adapt their solutions to the new technical standards of the Prüm II router.
Official source
Consult full regulation in official source
Notice: This article is for informational purposes only and does not constitute legal advice. For specific decisions, consult a qualified professional. Source: https://eur-lex.europa.eu/./legal-content/AUTO/?uri=OJ:L_202601064