On 8 January 2025, the new legal EU framework on the collection and transfer of advance passenger information (API) for border control and law enforcement purposes was published in the EU's Official Journal. The legislative package consists of two regulations:

• Regulation (EU) 2025/12 of the European Parliament and of the Council of 19 December 2024 on the collection and transfer of advance passenger information for enhancing and facilitating external border checks, amending Regulations (EU) 2018/1726 and (EU) 2019/817, and repealing Council Directive 2004/82/EC, OJ L, 2025/12;
• Regulation (EU) 2025/13 of the European Parliament and of the Council of 19 December 2024 on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818, OJ L, 2025/13.

The new legal framework was proposed by the Commission in December 2022 (COM(2022) 729 final and COM(2022) 731 final). The need for two different legal instruments is due to the different legal basis: Arts. 77(2) and 79 TFEU for border management and migration; Arts. 82(1)(d) and 87(2) TFEU for judicial cooperation in criminal matters and law enforcement cooperation. Both regulations will replace Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data. The Commission found divergences at the national level in the application of the Directive. In addition, the Commission identified security gaps since the Directive primarily focuses on facilitating border checks at the EU's external borders and on combating illegal immigration. Even though the Directive allowed Member States to use API data for law enforcement purposes, it did not further specify the scope, conditions, and safeguards for the processing of API data for these purposes. Since Directive 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (PNR Directive) allows for the joint processing of API data and PNR data, clearer, more harmonised and more effective rules on API data were held necessary, so that law enforcement authorities can benefit from combining the two data sets. API refers to data collected by air carriers at check-in and sent to competent authorities in the country of destination prior to take-off. PNR refers to data from air travellers' ticket reservations.

The Regulations will cover flights within, into and from the EU. However, as regards intra-EU flights, Regulation 2025/13 includes specific provisions that align the new legal framework with the PNR Directive and the CJEU's case law. In its 2022 judgement on the validity of the PNR Directive (→eucrim 2/2022, 113-115), the CJEU set strict limits to the processing of PNR data and ruled that PNR data cannot be processed automatically for all intra-EU flights. Such processing was only allowed when a Member State is "confronted with a terrorist threat which is shown to be genuine and present or foreseeable."

As a consequence, Member States can decide, in accordance with Art. 2 of Directive 2016/681, to apply that Directive and consequently Regulation 2025/13 to intra-EU flights, but they must select such intra-EU flights before API data can be transmitted to the national passenger information units (PIUs). Regulation 2025/13 specifies the elements of the assessment needed for selecting the intra-EU flights. This selection would have to be limited to what is strictly necessary.

Furthermore, the Regulation includes the following:

• Setting of a mandatory list of API data to be collected by air carriers from passengers;
• In order to increase the quality of the data, obligation for air carriers to collect data from passengers (family and first name, date of birth, nationality, etc.) using automated means, with manual insertions of the data in exceptional cases;
• Mandatory transfer of data to the Member States which will reduce time spent for border controls;
• Establishment of a single router via which API and PNR data are transferred from the air carriers to the PIUs. The router system will replace the current system of multiple connections between air carriers and national authorities. The router is developed and managed by eu-LISA and will include a secure channel to receive real-time flight traffic information. The measures to be taken in case of technical impossibility to use the router are specified.
• Data protection responsibilities: Air carriers will be controllers for the processing of API data constituting personal data in relation to their collection of that data and their transfer thereof to the router under the Regulation. Each Member State will designate a competent authority as data controller. Air carriers will provide passengers, on flights covered by the Regulation, with information on the purpose of the collection of their personal data, the type of personal data collected, the recipients of the personal data and the means to exercise their rights as data subjects.
• Governance structure for the transfer of API data consisting of the Programme Management Board, the API-PNR Advisory Group, the API-PNR Contact Group, and the API Expert Group.
• Sanctions: Member States will ensure that a recurrent failure to transfer API data is subject to proportionate financial penalties of up to 2% of the air carrier's global turnover for the preceding financial year. Failure to comply with other obligations set out in the Regulation will be subject to proportionate penalties, including financial penalties.

Regulation 2025/12 and Regulation 2025/13 entered into force on 28 January 2025. They will apply after the router is put into service. A longer transitional period is foreseen for the transmission of PNR data via the router.