A report published by the European Parliament on 8 June 2026 proposes significant amendments to a Council regulation granting the European Public Prosecutor's Office (EPPO) and the European Anti-Fraud Office (OLAF) access to EU VAT information systems. The report, drafted by a single unidentified political group, aims to strengthen cross-border VAT fraud investigations by broadening the scope of accessible data, introducing proactive data transmission, and tightening procedural safeguards.
The report, designated A-10-2026-0159, responds to the Commission's original proposal and introduces 47 amendments. While there is broad support for granting access, the most contested aspects are data protection and proportionality. Many amendments focus on preventing untargeted searches, ensuring strict necessity and proportionality, and mandating robust logging, traceability, and annual reporting. Cost allocation for new IT infrastructure is also a point of contention, with one amendment deleting the provision that costs be borne solely by the EPPO.
Expanded data scope and proactive transmission
Key amendments expand the definition of accessible information. Amendment 18 replaces a narrow reference to customs procedure 42/63 with a comprehensive list covering all importations where a VAT exemption, deferral, or special accounting scheme is claimed, including the Import One-Stop Shop (IOSS). Amendment 13 explicitly lists the main data categories to be accessed: VIES, Surveillance System, and CESOP. Amendment 24 ensures access includes any additional data elements stored under the new broader definition.
A new Article 13a, proposed in Amendments 10 and 17, obliges Member States' customs authorities to spontaneously transmit to Eurofisc, EPPO, and OLAF any data indicating potential VAT fraud. This shifts from a purely reactive, request-based system to a proactive one. Amendment 10 stresses the need for national coordination between customs and VAT authorities to make this work.
Strict safeguards and proportionality
Amendments 25, 26, 27, 29, 31, 34, and 35 introduce strict safeguards. A new Article 49a(1a) explicitly limits EPPO access to active investigations of criminal offences, prohibiting untargeted searches. Amendments require full traceability, logging of all searches, and secure communication channels. OLAF's access is also explicitly limited to what is necessary for the exercise of its mandate. A new Article 49a(5d) sets specific data processing rules for spontaneously transmitted data, including deletion if no investigation is opened.
Cost allocation and interoperability
Amendment 30 deletes the provision that the EPPO alone bears the costs of the new IT infrastructure. Amendments 32 and 33 call for full interoperability of systems and a Commission assessment of the need for additional EU funding to support development and specialised staff.
Follow-up on penalties and annual reporting
Amendment 16 inserts a new Article 2a requiring the Commission to bring forward a proposal on the minimum harmonisation of penalties for VAT fraud within 18 months of the regulation's entry into force, linking this to the post-2027 MFF anti-fraud package. Amendment 28 requires the EPPO to publish annual statistics on its use of the centralised access, including the number of inquiries, investigations advanced, and instances of irrelevant data being deleted.
Impact on stakeholders
The amendments balance enforcement efficiency with data protection. For EPPO and OLAF, the expanded data scope and proactive transmission enhance their ability to detect cross-border VAT fraud, but the strict safeguards and logging requirements may increase administrative burden. For Member States' customs and tax authorities, the new spontaneous transmission obligation requires coordination and IT adjustments, potentially increasing costs. For businesses, especially those using IOSS or claiming VAT exemptions, the broader data access may raise compliance concerns, but the safeguards aim to prevent misuse. For EU taxpayers, the measures could reduce VAT fraud losses, but the cost of new IT infrastructure may ultimately be borne by the EU budget.
Institutional follow-up
The report will now be considered by the Council, which must adopt the regulation. Trilogue negotiations are expected, with the Parliament pushing for stronger safeguards and expanded data access. The Commission will also need to assess additional EU funding and prepare a proposal on minimum harmonisation of penalties within 18 months of the regulation's entry into force.