A proposal for two annexes to the Europol Regulation, published by the Council on 26 June 2026, specifies the list of crimes the agency can handle and the categories of individuals whose data it may process. The annexes, which will be discussed at a Council meeting on 9 July 2026, define Europol's competence for 33 forms of crime under Article 5(1), including terrorism, organised crime, drug trafficking, money laundering, migrant smuggling, trafficking in human beings, computer crime (including cyberattacks), corruption, environmental crime (including ship-source pollution), sexual abuse and exploitation, gender-based violence, genocide, crimes against humanity, war crimes, and violation of Union restrictive measures. Annex 2 defines six categories of data subjects under Article 32: persons suspected or convicted of a relevant criminal offence; persons believed likely to commit such offences; potential witnesses; victims or potential victims; contacts and associates (sporadic or regular contacts of persons in the first two categories, not falling into other categories); and persons who can provide information on the offences.
if analysis shows a person belongs to a different category, Europol may only process data permitted for that new category and must delete all other data. If a person fits two or more categories, Europol may process all data allowed under those categories. The annexes aim to clarify Europol's operational scope and data-processing boundaries, impacting law enforcement authorities, data protection regulators, and civil liberties groups.
The Council is expected to examine the proposal on 9 July 2026, with the European Parliament and Council to adopt the regulation in co-decision.