EES: A Gateway to Security or an Open Door to Disaster

On Sunday 12 October 2025, the EU Entry/Exit System (EES) came into force, marking the most significant change to EU border control in decades.

The new system impacts anyone entering (and exiting) the European Union’s Schengen zone with a non-EU passport (including those in who have a residence permit for an EU country) and will provide greater tracking of people who overstay their permitted time in the Schengen zone (a maximum of 90 days within a 180 day period). According to the EU, it will also help reduce passport fraud and the tracking of criminals.

However, the new system also brings with it all the usual complaints about data security, governmental overreach and extra time spent in queues at cross border travel terminals as the system beds in. At present, many of the complaints are coming from UK passport holders already frustrated by their post-Brexit inability to use the EU’s faster digital passport gates, forcing them to queue at passport control.

Firstly, the people of the UK really need to get used to what they voted for and decided. Secondly, for a nation currently embroiled in arguments about migrants (legal and “illegal”) coming from and through the EU, one would think that the people in the UK would celebrate the introduction of such border control technology. Thirdly, is it not widely known that people in the UK rigidly adhere to the concept of queuing?

The introduction of the EES will see the traditional activity of passport stamping become a thing of the past. Truth be told, adding some ink to a paper document in an effort to control migration was about as effective as trying to uncover an act of terrorism by asking passengers if they have packed any explosives in their luggage when checking in for a flight. The update to biometric tracking is long overdue and has been in the pipeline since 2013. Unsurprisingly, EU bureaucracy around technical and financial concerns had its hand in the delay and the legal framework was eventually finalised in 2017.

Originally due to be a single “big bang” implementation in November 2024, it soon became obvious to the EU as this date approached that this was not going to be technically feasible. The rollout was subsequently delayed until October this year and the implementation staggered through to April 2026 to ensure all participating countries (and their external territories) would have the necessary infrastructure and procedures in place.

Many, including myself, see the introduction of EES as an overall positive change. Yes, there will be delays caused as travellers utilise the system for the first time, and there will undoubtedly be technical and procedural teething problems given the scale of the project. To suggest otherwise would be foolish, especially as, according to the European Commission, approximately 822,000 non-EU nationals cross in and out of the Schengen zone on a daily basis. Thankfully, the overall process of entering and exiting via the EES should become quicker once each traveller has had their information recorded and the system is fully implemented in 2026.

My main worry are the implications around the use of what the EU refers to as “biometric data” (fingerprints and facial recognition). It is not technology which bothers me - many have used both of these technologies to secure and access digital devices for nearly a decade - but how data gathered via this technology will be stored, protected and utilised. At least with my digital device I had an in-depth list of terms and conditions I could choose to ignore before allowing my phone/laptop to store my biometric information. The fact that the information is stored locally on the device is what allows me to be blasé about skimming through the T&Cs. With the EES I have no idea how or where my information will be stored and I have no access to any terms and conditions about those details.

The EU authorities are, ordinarily, very protective of such data and very particular about what it can and cannot be used for, at least when it is held within the EU. However, the volumes of information which will now be gathered are considerably larger than before and data from each traveller will also be shared and stored across all countries in the Schengen area. Given that the majority of this data will relate almost exclusively to travellers from non-Schengen countries, what happens to their digital sovereignty when such critical biometric information is being shared by, to them, a multitude of foreign countries?

The EU has tried to allay fears regarding digital security by stating that the safeguards in place for the biometric data are government-grade and protected by the highest levels of data security. Similar protocols are also already in use in countries where biometric information is also collected at the border, such as the United States and Australia and these have, up to now, remained secure. But, much as in the EU, we have no idea how that information is being stored, maintained or shared internally in those countries and, yet again, there are no terms and conditions to check.

Digital data is stolen worldwide on a daily basis and the technology behind such data thefts advances on an equally daily basis. The digital encryption used to protect our data is also under increasing threat at all levels from advances in quantum computing and artificial intelligence. Today, we readily give away our dates of birth, contact and passport information in the name of digital security but biometric information takes this to another level, given how it can be used in conjunction with other data and technologies.

Right now, we can feel some sense of safety in believing that the technology required to successfully hack into the information stored on government-grade infrastructure at scale may not exist yet but when it does eventually arrive, the effects could be devastating. 

So devastating that it may make a simple stamp inside a paper passport seem like the safest option of all.