Europe’s uncertain plans for rolling out the automated border system ETIAS
22 April 2026
The European Travel Information and Authorisation system (ETIAS) is due to launch at the end of this year, yet faces criticism from civil society and European institutions. Even Frontex, the EU border agency known for its own poor data practices, has highlighted concerns about the system's compliance with data protection laws. The European Commission’s failure to release legal guidance on compliance and a pending judgment of the Court of Justice of the European Union (CJEU) adds to the uncertainty surrounding the planned system's start.
Support our work: become a Friend of Statewatch from as little as £1/€1 per month.
ETIAS is a critical part of the EU’s plan to fully digitalise border control. The smart border package, first proposed in 2013, comprises several regulations including the Entry/Exit System, which completed its roll out on 10 April 2026. Due to its highly technical nature, criticism throughout the legislative process has remained restricted to a small group of experts.
Smart borders were presented as a means to “simplify life for foreigners frequently travelling to the EU and to better monitor third-country nationals crossing the EU’s external borders.” However, the system’s rollout has so far been severely contested. This includes airports and airlines calling for the European Commission “to fully suspend the EES when waiting times become excessive.” Airlines Europe, a leading advocacy group representing airlines in Europe, has called the delays in the rollout a “systemic failure”.
The ETIAS regulation, adopted in 2018, aims to implement an automated system that will triage people from visa-exempt countries and identify individuals who pose a “security, migration or health” risk. Individuals posing a supposed risk will be identified by consulting European watchlists and through an automated profiling system, in which data from an individual’s application form will be compared against a series of ‘risk indicators’.
The European Border and Coast Guard agency (Frontex) has been given a key role in operating the ETIAS central unit:
“the primary objective of which is to process travel authorisations and to define the “specific risk indicators” that will be used for the profiling of travel authorisation and visa applicants. When a traveller submits an application for a visa or travel authorisation, the application will be sent to the Central Unit and automatically cross-checked against a variety of databases, run through a profiling tool and checked against a ‘watchlist’ of persons of interest. Any “hits” must be manually reviewed by a member state ETIAS National Unit for approval or refusal.”
The regulation provides that risk indicators must be targeted and proportionate and not based on characteristics. A fundamental rights guidance board has been tasked with providing guidance to Frontex on the system screening rules. In its guidance note on the risk for discrimination, the board cites examples of prohibited risk indicators including “nationality” and “country and city of residence” because they may act as proxies for a person’s colour, race, ethnic origin. The guidance board used the example of a person from Detroit, Michigan in the United States, where 80% of the population are Afro-American, could be at risk of facing increased racial bias whether or not their race is known.
Uncertainty and possible delay
On 31 March 2026, Frontex published a “report to the European Parliament and the Council on the state of preparation of ETIAS”, covering the period from April to September 2025. In it, they describe the agency’s role in developing the system and ensuring its timely deployment.
The document notes: “The likelihood and impact of the compliance risk of not having developed the ETIAS Data Protection Impact Assessment and other data protection documentation, including the data protection guidelines and the privacy notices, has increased since the previous reporting periods.”
It calls out the Commission for “the persistence of legal uncertainty on a significant number of data protection issues” as a consequence of its failure to issue legal guidance due in 2024. When asked by Statewatch whether it had delivered its legal guidance or had a reason for the delay, the Commission did not reply.
For years, academic experts and Statewatch have warned that ETIAS appears to violate data protection rights. This became a more pressing issue when EU Lisa, the agency in charge of maintaining and developing the European information systems’ technical infrastructure, announced that the use of AI would be permitted in the ETIAS system.
While there is still some uncertainty about how AI will be used , academic Niovi Vavoula has warned that “all options are open”. Furthermore, the AI Act exempts any EU information system in operation prior to 2 August 2027 from complying with regulation monitoring and oversight, until at least 31 December 2030.
According to the EU Lisa report, a decision citing an individual as a risk could be processed entirely through the use of AI tools. This will undoubtedly pose some serious compliance issues with existing rulings on data protection and fundamental rights protection, such as the decision of the CJEU on PNR. This decision precludes the use of AI in the identification of “risk criteria” because the lack of transparency could impede an individual’s right to an effective remedy (paragraph 194-195, CJEU C-817/19, 2022).
A legal challenge risks further delays
Since the period reviewed in the report, a new legal challenge to the ETIAS regulation has been brought which could result in further delays to the rollout of the system.
The case, brought by the Belgian NGO La Ligue Des Droits Humains, contests the implementation of the ETIAS regulation in Belgium. The CJEU has been called on to respond to the question of whether the Regulation complies with a core principle of data protection law.
The litigation challenges Belgium's broad definition of risk to security, which includes threats to public order, internal security, or the international relations of one member state. The preliminary question before the CJEU asks whether the Belgian implementation law is contrary to the principle of purpose limitation, which requires data to be processed for specified, explicit, and legitimate purposes.
The lawyer litigating the case, Catherine Forget, said in an interview with Parliament magazine, “This notion of ‘risk’ for public security is very badly defined” and that it “is about crimmigration, not only about the fight against serious crime, but also immigration more broadly.”
Our work is only possible with your support.
Become a Friend of Statewatch from as little as £1/€1 per month.
Further reading
EU member states want to expand police surveillance of travel
In the name of fighting crime and terrorism, EU law requires mandatory police surveillance of international air travel. Governments are now considering surveillance of all other modes of transport, in particular maritime travel. They also want to use data for new purposes, such as immigration control. A working group has been set up to consider new legal proposals.
Risk screening and watchlists: Europol and Frontex reports on development of the “permission to travel” system
Reports circulated by Europol and Frontex to member states last October show that the development of the European Travel Information and Authorisation System (ETIAS) was – at least at the time – still plagued by delays, which both agencies blame on eu-Lisa, the EU’s database agency. Frontex’s report says the delays were causing problems for the “assessment functionality for the risk screening of the ETIAS applications,” through which travellers will be profiled. Meanwhile, Europol continues to develop its new “watchlist” of potential terrorists and criminals, and is seeking permission to use data supplied by non-EU states in the assessment of travel applications.
Spotted an error? If you've spotted a problem with this page, just click once to let us know.