The EU agency eu-LISA continues its work on linking fingerprints and facial images. Following the establishment of a super-database, even more systems are now being connected. A new roadmap has been drawn up extending to 2030.

The “Interoperability Project” merges the major European databases. The agency responsible is the European Union Agency for the Operational Management of Large-Scale IT Systems (eu-LISA), headquartered in Tallinn, Estonia. Most of the related initiatives are scheduled for completion in 2026. The project covers the Schengen Information System (SIS II), used for law enforcement searches; Eurodac, which to date has primarily stored fingerprints of asylum seekers; the Visa Information System (VIS); and the soon-to-launch European Criminal Records Information System for Third-Country Nationals (ECRIS-TCN).

Also being connected is the new Entry/Exit System (EES), which is due to be fully operational across the entire Schengen Area from 10 April. All travellers holding short-stay visas – so-called Schengen visas – will then have their fingerprints, facial image, and personal data stored for three years each time they cross an EU external border. In autumn, the European Travel Information and Authorisation System (ETIAS) will go live. This will require even visa-exempt travellers to register their border crossing in advance by answering several questions online.

The linking of existing systems is being carried out in stages via a so-called interoperability architecture. At its core is a shared Biometric Matching Service (sBMS), which enables cross-system searches using biometric data. It is already operational and, according to eu-LISA, uses artificial intelligence to improve the speed and accuracy of matching.

The Interoperability Project also encompasses a Common Identity Repository (CIR), a European Search Portal (ESP), and a Multiple Identity Detector (MID). Together, these create a biometric super-database within the Schengen Area that ranks among the largest in the world: the EES alone will store the fingerprints and photographs of several hundred million travellers each year.

“Interoperability roadmap” for the coming years

At EU level, a roadmap for the coming years is currently under discussion; responsibility on the member states’ side lies with the Council working party on “Information Exchange in the JHA Area” (IXIM). eu-LISA set out further details in a strategy paper for the period 2026 to 2028, published in February. EU ministers are also discussing the matter at this week’s Justice and Home Affairs (JHA) Council meeting.

In November 2025, eu-LISA’s Management Board adopted an “Interoperability Roadmap”. This includes the expansion of SIS II and Eurodac with facial recognition capabilities. The regulation governing the Eurodac fingerprint system was already adopted in May 2024 as part of the EU’s new Pact on Migration and Asylum, with deployment planned for June 2026. The agency anticipates that this will make it easier to track when people seeking protection move irregularly between countries within the Schengen Area.

The Schengen Information System also stores data predominantly on migrants: the largest category of persons subject to alerts are those required to leave the country, for example following the rejection of their asylum application. Unlike the EES, this data is not held in Tallinn but at a technical centre in Strasbourg operated by eu-LISA. No timetable for activating the facial recognition function has yet been announced: eu-LISA has said it intends to draw up a corresponding roadmap during the current year.

Completely overhauled visa platform

All EU member states must also gradually bring the revised Visa Information System (R-VIS) into operation by the first quarter of 2030. This is set out in a “roadmap” approved by the JHA Council in December 2025. In addition to short-stay visas, long-stay visas and residence permits are also to be integrated. eu-LISA is furthermore developing a digital platform through which visa applications can in future be submitted online. This system, known as EU-VAP, is designed to automatically determine which member state is responsible for processing an application – including in cases involving travel to multiple countries.

Among the key elements of the new R-VIS is an automated procedure at the application stage. Upon entry, the data record is cross-checked against all other systems within the interoperability architecture – the EES, ETIAS, SIS, Eurodac, ECRIS-TCN, and the VIS itself – as well as additional databases such as the Europol Information System (EIS). In the event of a match, the state issuing the visa is responsible for a manual review, and also decides whether to grant or refuse it.

Europe-wide facial queries under Prüm II

The costs of the new surveillance infrastructure are considerable. The facial recognition system within the Interoperability Project alone was budgeted at €300 million. For the further development of Eurodac, just under €10.3 million has been earmarked for the current year, just under €6.8 million for 2027, and around €20.6 million for 2028. The interoperability components – which include the shared Biometric Matching Service – amount to a combined total of more than €168 million over the same period.

In addition, it is not only the jointly operated biometric systems that are being expanded. National police databases containing facial images are also being linked across the Schengen Area under the “Prüm II” Regulation. Queries will be possible via a so-called “hit/no-hit” principle: authorities will initially be informed only whether a data record exists. They can then request it through European mutual legal assistance procedures.

The network will operate via a new Prüm II central router, intended to consolidate the exchange of biometric data between European police authorities. Facial image queries within Prüm II are due to be activated from mid-2027, at which point the system will also be connected to the shared Biometric Matching Service.

Access for US authorities

Via “Prüm International”, third countries can also be connected to the Europe-wide query system. The first to make use of this option, following Brexit, was the United Kingdom; further partner countries may now follow. This will most likely be offered first to EU candidate countries, including Balkan states and Ukraine. According to “Politico”, the government in Kyiv has already sent Europol a list of 200,000 active or former Russian “combatants” so that individual member states can enter them into SIS II for the purpose of refusing entry.

One bitter pill the Schengen states are expected to swallow is the “Enhanced Border Security Partnership” (EBSP) – an agreement demanded by the United States that all participants in the Visa Waiver Programme must conclude in order to allow their citizens to continue travelling to the US without a visa. It provides for US authorities to receive automated, direct access to the national police databases of “partner” states – specifically to fingerprints and facial images.

Those affected would not only be travellers to the United States, but potentially all individuals whose data has been released for access by the relevant national authorities. In Germany, this would likely include the INPOL file maintained by the Federal Criminal Police Office (BKA), which holds records on 5.4 million people with nearly 8 million photographs – the majority of them asylum seekers or individuals required to leave the country. The brutal US deportation enforcement agency ICE could also make use of this data. Any country that does not sign the EBSP faces exclusion from the Visa Waiver Programme. The deadline is 31 December 2026; the European Commission is currently conducting confidential negotiations with the United States on a framework agreement.

Image: Released under a Commons-like licence via unsplash.com (Christelle Hayek).