05 / 05 / 2026

‘They protect the law while breaking it’: Inside Europol’s Shadow IT System

Europol is aiming to become a powerful police force with far-reaching surveillance powers. But in an attempt to deliver in the fight against serious cross-border crime, the agency appears to have gone rogue itself, this investigation reveals.

Europol, the European Union’s police agency, built and operated a parallel data analysis system containing vast amounts of sensitive personal data – using it for years beyond its lawful scope while keeping parts of it hidden, according to internal documents and whistleblower accounts.

Described by former officials as a “shadow IT environment,” the system functioned as a series of platforms that worked in parallel to the agency’s official databases. It allowed Europol staff to access and analyze highly sensitive data such as phone records, identity documents, financial and geolocation information, including that of individuals not suspected of a crime.

This investigation by Solomon, CORRECTIV, and Computer Weekly – based on leaked emails, internal reports obtained through freedom of information (FOI) requests, and testimonies from former officials – found that the system operated for years without basic security and data protection safeguards required under EU law.

In practice, it became the agency’s primary environment for large-scale crime analysis, despite lacking proper controls over who accessed or modified the data. Experts say this left innocent individuals vulnerable to being wrongfully linked to criminal activity, with potential consequences for their personal and family lives, freedom of movement, and careers.

For the first time in the agency’s history, several former high-ranking officials have come forward to reveal that elements of this shadow environment – including a clandestine intelligence tool known internally as the “Pressure Cooker” – appear to have been concealed for years from the EU’s top privacy watchdog, the European Data Protection Supervisor (EDPS). The system could still be in use today.

“They protect the law while breaking it”, one former senior official said. Like other former insiders, the source gave this investigation an interview on the condition of anonymity. Their identity has been verified by the reporting team.

The findings come at a pivotal moment: the European Commission is preparing to propose new legislation that would expand Europol’s mandate and double its annual budget, significantly increasing its ability to amass and process data across the bloc. At the same time, a new executive director will be appointed this year, following Catherine De Bolle, whose term ended on May 1.

Responding to this investigation, a Europol spokesperson said: “Europol has reported to the EDPS about its operational data processing systems and applications in a transparent manner. The allegation that Europol ‘kept hidden’ information about processing environments or systems is a misrepresentation of the facts.”

A ‘shadow IT environment’

At the center of the agency’s shady data practices was a system known as the Computer Forensic Network, or CFN: an environment holding vast amounts of sensitive personal information.

According to Europol, the system was established in 2012 to process complex operational data linked to investigations it supported. Its purpose was to provide a “secure, compartmentalised” environment for processing information that could not be handled in its existing systems, due to its volume, format, or potential security risks, including malware from digital devices.

By 2019, the CFN held at least two petabytes of data, almost 420 times larger than Europol’s official criminal databases at the time.

Under EU law, sensitive personal data – whether provided by member states, collected during cross-border investigations, or transferred by online platforms such as Facebook or Telegram – is subject to strict rules governing how it can be stored, accessed, and analyzed. But internal documents and witness accounts indicate that, in this case, those safeguards were absent.

Previously unseen evidence indicates that Europol analysts were granted access to data through this system, despite significant security and privacy flaws. The system did not properly log who accessed data or whether it had been modified or deleted. For years, it operated without adequate official scrutiny, even as it became central to the agency’s analytical work.   

The agency is designed to function as a central, AI-powered hub, analysing large volumes of personal and criminal data in near real time to identify patterns and leads. Based in The Hague, Europol’s more than 1,000 staff sit at the center of European policing. The agency pools and analyzes data from national law enforcement authorities across the EU, supporting investigations into terrorism, child sexual abuse, serious organized crime, and cybercrime.

Europol’s shadow IT system took shape in a moment of crisis.

Pressure to deliver

In November 2015, coordinated attacks across Paris killed 130 people and injured hundreds more. Amid reports of police failures, pressure on Europol intensified. “We were really expected to step up at that point,” Europol’s then-director, Rob Wainwright, recalled in an interview two years ago. “That was the moment where we had to deliver.”

Europol set up Task Force Fraternité, and member states’ law enforcement authorities began sending huge volumes of data to the agency: phone records, intelligence reports, travel information. Much of it ended up in the CFN system. Among the data ingested, for example, were phone logs of individuals who happened to be in the vicinity of the Bataclan attacks.

The expectation was clear: Europol would turn this flood of information into actionable intelligence to help trace and prevent new terrorist plots – and quickly.

The shadow IT system did not originate with the attacks. But in their aftermath, its role expanded dramatically.

According to several former Europol officials, the agency’s European Cybercrime Centre (EC3) effectively hijacked the CFN. Typically, the IT department manages and controls such infrastructure. This system, however, went out of its reach.

The CFN, established in 2012, had originally been designed to store and initially process, or filter, the growing amounts of digital material and link it to specific investigations, under strict handling and data protection rules.

Within a few years, though, it evolved beyond its original purpose, becoming what one former senior official described as a “black hole” for unregulated data analysis by Europol’s cybercrime unit.

Large volumes of data could be stored and analyzed with fewer constraints than in the agency’s formal systems.

Former Europol officials interviewed by this investigation described how personnel within the Operations Directorate – responsible for criminal investigations – installed additional computing and storage capacity to the system outside of regular procedures. New data processing tools and applications were developed within this environment, without external oversight, the former officials said.

The threat of a ‘complete shutdown’

By early 2019, as the newly introduced General Data Protection Regulation (GDPR) made data protection a legal imperative, the scale of Europol’s noncompliant data practices had become impossible to ignore.

On February 15, a five-page report from Daniel Drewer, the agency’s internal data protection officer to this day, landed on the desks of the agency’s three deputy executives.

The message was blunt: 99 percent of Europol’s operational data was being stored and processed in the CFN, without basic data protection and security safeguards. In effect, a system designed to pre-process raw bulk data had become the agency’s main platform for crime analysis.

Europol analysts were able to sift through vast troves of personal data, including information they were not legally entitled to retain, and repurpose it for crime analysis.

“There are indications that the CFN is practically not only being used for actual forensic work but also for other forms of operational analysis,” Drewer wrote in the report, obtained via FOI. The volume and diversity of files in the system suggested that the “CFN has factually evolved into the environment of choice for all possible forms of crime analysis”.

The data, according to Europol, originated from member states’ law enforcement authorities and other operational partners, or was collected by the agency through open-source intelligence activities. At least one of the projects, “Focal Point Travellers,” also contained data provided by the U.S. Federal Bureau of Investigation (FBI).

Unless Europol overhauled the entire parallel data system, Drewer warned of a possible ban on the CFN, which “might factually come close to a complete shutdown of operational business at Europol”, while “severely affecting trust” by member states.

“Having a parallel processing environment where guardrails cease to exist is cheaper, faster, and more effective,” a former senior Europol official told this investigation. “But without these, anyone is at the mercy of the guy in front of the screen.”

When asked, Europol answered that this statement “is a misrepresentation of the facts”. The spokesperson did not answer questions on whether member states and the FBI are aware that data they provided ended up in this unregulated environment.

The massive scale of irregular practices unveiled by this investigation has remained unknown to the public as well as lawmakers until now.

Grasping the scale of the problem

On April 1, 2019, Europol’s then-executive director, Catherine De Bolle, formally notified the EU’s data protection authority, the EDPS, of Drewer’s findings, after intense internal deliberations over how to respond.

The disclosure triggered what became known as the “Big Data Challenge” – a years-long standoff between Europol and the external watchdog, culminating in an order from the EDPS that Europol delete data it kept in breach of EU law.

Publicly, the dispute came to focus on Europol unlawfully retaining data longer than permitted by law. But previously-unpublished internal documents reviewed by this investigation suggest the concerns ran deeper.

They pointed to massive security vulnerabilities embedded in the system itself.

Inside the agency, staff were working to grasp the scale of the problem.

A comprehensive security assessment, triggered by Drewer’s findings and conducted in early 2019, found that CFN lacked “baseline security controls”. Addressing the issues would require Europol to abandon the system “as it stands today and implement a new set up” – from scratch.

Dozens of grave security vulnerabilities within the CFN system, listed in reports obtained via FOI, reveal a pattern of systemic failures:

  • “ineffective assignment of security roles and responsibilities”
  • “insufficient management of privileged access rights”
  • “unrestricted software installation”
  • “incompliance with the Europol security rules”
  • “lack of password management”
  • “lack of administrative usage logs”
  • “insufficient protection of log information”
  • “insufficient event logging and monitoring”
  • “insufficient network access control”

Taken together, these failures meant that access to sensitive data could not be reliably tracked, controlled, audited, or safeguarded. At the same time, access to the system appears to have expanded significantly over time.

Among the most concerning gaps are access controls and audit logs. Experts say these are not technical formalities, but fundamental security and accountability safeguards, required under EU law.

“The alleged existence of large numbers of administrator accounts is very concerning and an obvious breach of the integrity and confidentiality requirements,” said Peter Sommer, an independent digital forensics expert. He explained that administrators can access, modify, or delete any data – including system logs – making it difficult to trace activity, and increasing the risk of abuse and external attacks.

“Unnecessary multiplication of administrator facilities makes it easy for rogue employees to cause harm, but also is a strongly favoured gateway for external hackers,” Sommer said. 

In response to this investigation, Europol said system access was “limited to authorised staff working for Europol.” It said that a “Use and Management Policy” had been in place since 2012. The policy, it added, “contained dedicated user access and audit logging provisions with respect to the CFN” and “was still in force in 2019 and known to all relevant stakeholders.”

Too big to abandon

By the time the scale of the problem became clear, the CFN system had become deeply embedded in Europol’s operations.

After a project expected to deliver an alternative setup in partnership with the U.S. tech company Palantir Technologies collapsed in 2017, abandoning the CFN platform was no longer a realistic option.

Instead, Europol sought to bring it into compliance by restricting access and implementing security and data protection mitigation measures – a process that would take years of negotiation with the EDPS.

In a written response, Europol said it had disclosed the system in 2019 “in the interest of full transparency”, describing it as a necessary environment for processing complex operational data, particularly large or technically challenging datasets. The agency said reforms had been underway since 2019 to replace the CFN with a new forensic environment and align practices with data protection requirements.

A spokesperson added: “Europol provided the EDPS in a proactive manner information about the required improvements of the CFN back in 2019, hence Europol addressed its identified improvement needs in full transparency towards its data protection supervisor”.

The EDPS continued to monitor the system in the years that followed. But key problems persisted.

As of late 2023, the watchdog found that it was still not always possible to determine whether specific personal data had been accessed or modified. A spokesperson for the EDPS told this investigation that limitations in the logging system meant that investigators could only “infer” that data had been “accessed” or “modified.”

In February 2026, the EDPS informed the Joint Parliamentary Scrutiny Group – an oversight committee of European and national parliamentarians – that it would close its monitoring of the CFN – even though 15 out of 150 recommendations had not been implemented.

Those outstanding issues, the watchdog noted, concerned “issues of particular importance,” including core security safeguards.

The Pressure Cooker 

Over the years, even as Europol’s leadership changed and efforts to address concerns with the EDPS continued, parts of its data analysis ecosystem appear to have remained beyond formal oversight.

One such system is known internally as the “Pressure Cooker.” 

According to former insiders, it was understood within parts of the agency as a space where operational data could be stored and rapidly analyzed without the constraints of EU law. 

In response to questions, Europol said the system referred to internally as the Pressure Cooker is in fact its Internet Facing Operational Environment (IFOE), a platform used to collect and triage data from publicly available sources – including material related to terrorist online activity – before it is entered into the agency’s operational systems.

But internal documents and accounts from former senior officials point to something else: a separate, undisclosed system operating alongside it.

Shielded from scrutiny?

As early as 2019, officials described the Pressure Cooker as an “environment prepared in emergency mode,” distinct from the formal IFOE project, according to emails leaked to this investigation.

According to a top former senior official, the EDPS was made aware of the term in 2022, as its dealings with Europol began to threaten to expose the Pressure Cooker. By then, the system had already been “running for years,” the former official said.

Europol presented the term as shorthand for the IFOE. While its name was mentioned, the Pressure Cooker itself was not presented for review, even during relevant inquiries, the former official claimed. 

During a 2022 investigation into the processing of a Dutch activist’s data – which the official said had been processed through the Pressure Cooker – the EDPS examined Europol’s formal databases, but not the Pressure Cooker. 

Documents reviewed for this investigation indicate internal unease within parts of the agency around that period.

On October 5, 2022, a Europol staff member sent an email marked “Importance: High” to senior officials, warning that regulators might soon become aware of “irregular situation with the Pressure Cooker and IFOE”.

“We (ICT) flagged multiple times the importance of eliminating the Pressure Cooker and transforming it into [a system] with proper designs, controls, etc,” the staffer wrote. “However, it was usually de-scoped as other projects were prioritized by the business”, the email ends.

A former senior Europol official offered a blunt explanation for how such a system could have escaped scrutiny during the EDPS inspections. “When we say inspection,” he said, “we don’t mean a raid with IT experts monitoring systems and confiscating servers. We are talking about a polite conversation.”

Problems with what was disclosed 

Now, Europol appears to be moving to formalize the system. In October 2025, it consulted the EDPS on a tool called “IFOE – Quick Response Area,” presenting it as a future development.

However, according to a former high-ranking Europol official, what was presented to the EDPS is not a new tool at all, but an attempt to formalize the Pressure Cooker.

Europol claims that it consults the EDPS in line with the Europol Regulation on the developments of the IFOE and did not keep information about processing systems hidden. But this only appears to apply to the official system, not the parallel IT infrastructure.

Still, even what was disclosed was enough to alarm the watchdog. 

The EDPS warned that the system it reviewed risked becoming “a full-fledged parallel environment to Europol’s regular operational environment”. 

Asked by our team, the EDPS said it sees a risk of Europol staff going on “fishing expeditions” involving personal data of individuals without links to any criminal activity. 

“The allegation of Europol seeking to collect information without relevance to criminal investigations outside the scope of its tasks under the Europol Regulation is a misrepresentation of the facts”, a Europol spokesperson said.

The new warning by the EDPS points to a broader concern: Even as Europol moves to formalize some parts of its parallel infrastructure, there’s a risk that the issues of limited oversight reappear in new forms.

While at least one email concerning the Pressure Cooker reached deputy directors, it remains unclear to what extent the systems described in internal documents were known to the agency’s then-executive director, Rob Wainwright, and, after 2018, Catherine De Bolle.

When asked, Wainwright answered that he does “not recall any specific discussions on this matter during my time.” He added that he did recall “working very closely” with Europol’s data protection officer, Daniel Drewer, and that the establishment and promotion of a strong data protection framework “was an essential part of Europol’s mission and a core strategic priority.”

An expanding mandate

Europol is entering a new phase of expansion. 

The European Commission is expected to propose new legislation that would double the agency’s budget and staff as part of a broader effort to turn Europol into a “truly operational police agency”.

The proposed changes would significantly expand the agency’s powers. But they would do so against a backdrop of unresolved questions about how those powers have already been exercised – and what remains hidden.

Executive Director De Bolle, who left Europol at the end of her term on May 1, declined to be interviewed for this investigation.
