Regulation (EU) 2025/13 of the European Parliament and of the Council of 19 December 2024 on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818

Type: Regulation
Publication: 2024-12-19
State: In force
Department: Council of the European Union, European Parliament
Source: EUR-Lex

CHAPTER 1

GENERAL PROVISIONS

Article 1

Subject matter

For the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime, this Regulation lays down the rules on:

(a) the collection of advance passenger information (API) by air carriers on extra-EU flights and intra-EU flights;

(b) the transfer of API data and other PNR data by air carriers to the router;

(c) the transmission of API data and other PNR data from the router to the passenger information units (PIUs) on extra-EU flights and selected intra-EU flights.

This Regulation is without prejudice to Regulation (EU) 2016/679, Regulation (EU) 2018/1725 and Directive (EU) 2016/680.

Article 2

Scope

This Regulation applies to air carriers conducting:

(a) extra-EU flights;

(b) intra-EU flights that will depart from, arrive in or make a stop-over on the territory of at least one Member State that notified the Commission of its decision to apply Directive (EU) 2016/681 to intra-EU flights in accordance with Article 2(1) of that Directive.

Article 3

Definitions

For the purposes of this Regulation, the following definitions apply:

(1) ‘air carrier’ means an air carrier as defined in Article 3, point (1), of Directive (EU) 2016/681;

(2) ‘extra-EU flight’ means any extra-EU flight as defined in Article 3, point (2), of Directive (EU) 2016/681;

(3) ‘intra-EU flight’ means any intra-EU flight as defined in Article 3, point (3), of Directive (EU) 2016/681;

(4) ‘scheduled flight’ means a scheduled flight as defined in Article 3, point (5), of Regulation (EU) 2025/12;

(5) ‘non-scheduled flight’ means a non-scheduled flight as defined in Article 3, point (6), of Regulation (EU) 2025/12;

(6) ‘passenger’ means a passenger as defined in Article 3, point (4), of Directive (EU) 2016/681;

(7) ‘crew’ means any person on board of an aircraft during the flight, other than a passenger, who works on or operates the aircraft, including flight crew and cabin crew;

(8) ‘advance passenger information’ or ‘API data’ means the data and the flight information referred to in Article 4(2) and (3) respectively;

(9) ‘other passenger name record data’ or ‘other PNR data’ means the passenger name record as defined in Article 3, point (5), of Directive (EU) 2016/681, and as listed in Annex I to that Directive, with the exception of point 18 of that Annex;

(10) ‘passenger information unit’ or ‘PIU’ means the passenger information unit, as contained in the Member States’ notifications to the Commission and modifications thereof published by the Commission pursuant to Article 4(5) of Directive (EU) 2016/681;

(11) ‘terrorist offences’ means terrorist offences as referred to in Articles 3 to 12 of Directive (EU) 2017/541 of the European Parliament and the Council (1);

(12) ‘serious crime’ means serious crime as defined in Article 3, point (9), of Directive (EU) 2016/681;

(13) ‘the router’ means the router referred to in Article 9 of this Regulation and in Article 11 of Regulation (EU) 2025/12;

(14) ‘personal data’ means personal data as defined in Article 3, point (1), of Directive (EU) 2016/680, and Article 4, point 1, of Regulation (EU) 2016/679;

(15) ‘real-time flight traffic data’ means information on the inbound and outbound flight traffic of an airport covered by this Regulation.

CHAPTER 2

COLLECTION, TRANSFER, STORAGE AND DELETION OF API DATA

Article 4

Collection of API data by air carriers

The API data shall consist only of the following data relating to each passenger and crew member on the flight:

(a) the surname (family name), first name or names (given names);

(b) the date of birth, sex and nationality;

(c) the type and number of the travel document and the three-letter code of the issuing country of the travel document;

(d) the date of expiry of the validity of the travel document;

(e) the number identifying a passenger name record used by an air carrier to locate a passenger within its information system (PNR record locator);

(f) the seating information corresponding to the seat in the aircraft assigned to a passenger, where such information is available;

(g) the baggage tag number or numbers and the number and weight of checked bags, where such information is available;

(h) a code indicating the method used to capture and validate the data referred to in points (a) to (d).

The API data shall also consist only of the following flight information relating to the flight of each passenger and crew member:

(a) the flight identification number or, where the flight is code-shared between air carriers, the flight identification numbers, or, if no such number exists, other clear and suitable means to identify the flight;

(b) where applicable, the border crossing point of entry into the territory of the Member State;

(c) the code of the airport of arrival or, where the flight is planned to land in one or several airports within the territories of one or more Member States to which this Regulation applies, the codes of the airports of call on the territories of the Member States concerned;

(d) the code of the airport of departure of the flight;

(e) the code of the airport of the initial point of embarkation, where available;

(f) the local date and time of departure;

(g) the local date and time of arrival;

(h) the contact details of the air carrier;

(i) the format used for the transfer of API data.

Where air carriers provide an online check-in process, they shall enable passengers to provide the API data referred to in paragraph 2, points (a) to (d), by automated means during that online check-in process. For passengers that do not check in online, air carriers shall enable those passengers to provide those API data by automated means during check-in at the airport with the assistance of a self-service kiosk or of air-carriers’ staff at the counter.

Where the use of automated means is not technically possible, air carriers shall exceptionally collect the API data referred to in paragraph 2, points (a) to (d), manually, either as part of the online check-in or as part of the check-in at the airport, in such a manner as to ensure compliance with paragraph 4.

Article 5

Obligations for air carriers regarding transfers of API data and other PNR data

Air carriers shall transfer the API data:

(a) for passengers: (i) per passenger at the moment of check-in, but not earlier than 48 hours prior to the scheduled flight departure time; and (ii) for all boarded passengers immediately after flight closure, namely once the passengers have boarded the aircraft in preparation for departure and it is no longer possible for passengers to board or to leave the aircraft;

(b) for all members of the crew immediately after flight closure, namely once the crew is on board the aircraft in preparation for departure and it is no longer possible for them to leave the aircraft.

Article 6

Storage period and deletion of API data

Air carriers shall store, for a period of 48 hours from the moment of receipt by the router of the API data transferred to it in accordance with Article 5(3), point (a)(ii) and point (b), the API data relating to all passengers and crew that they collected pursuant to Article 4. They shall immediately and permanently delete such API data after the expiry of that period, without prejudice to the possibility for air carriers to retain and use the data where necessary for the normal course of their business in compliance with applicable law, and to Article 16(1) and (3).

Article 7

Correcting, completing and updating API data

Article 8

Fundamental rights

CHAPTER 3

PROVISIONS RELATING TO THE ROUTER

Article 9

The router

The router shall be composed of:

(a) a central infrastructure, including a set of technical components enabling the reception and transmission of encrypted API data and other PNR data;

(b) a secure communication channel between the central infrastructure and the PIUs, and a secure communication channel between the central infrastructure and the air carriers, for the transfer and transmission of API data and other PNR data and for any communications relating thereto, and for the insertion by the Member States of selected flights as referred to in Article 12(4) into the router and any related updates;

(c) a secure channel to receive real-time flight traffic data.

eu-LISA shall design the router, to the extent technically and operationally possible, in a way that is coherent and consistent with the obligations for air carriers set out in Regulations (EC) No 767/2008, (EU) 2017/2226 and (EU) 2018/1240.

Article 10

Exclusive use of the router

For the purposes of this Regulation, the router shall be used only:

(a) by air carriers to transfer encrypted API data and other PNR data in accordance with this Regulation;

(b) by PIUs to receive encrypted API data and other PNR data in accordance with this Regulation;

(c) on the basis of international agreements enabling the transfer of PNR data via the router, concluded by the Union with third countries that have concluded an agreement providing for their association with the implementation, application and development of the Schengen acquis.

This Article is without prejudice to Article 12 of Regulation (EU) 2025/12.

Article 11

Data format and transfer verifications

Article 12

Transmission of API data and other PNR data from the router to the PIUs

For the purposes of such transmission, eu-LISA shall establish and keep up to date a table of correspondence between the different airports of origin and destination and the countries to which they belong.

However, for intra-EU flights, the router shall transmit only API data and other PNR data of the flights included in the list referred to in paragraph 4 to the relevant PIUs.

Member States shall, by the relevant date of application of this Regulation referred to in Article 45, second paragraph, insert the selected flights or routes into the router, by automated means through the secure communication channel referred to in Article 9(2)(b), and thereafter provide the router with any updates thereof.

Article 13

Selection of intra-EU flights

The assessment referred to in paragraph 3 shall:

(a) be carried out in an objective, duly reasoned and non-discriminatory way in accordance with Article 2 of Directive (EU) 2016/681;

(b) take into account only criteria which are relevant for the prevention, detection, investigation and prosecution of terrorist offences and serious crime having an objective link, including an indirect link, with the carriage of passengers by air, and not be purely based on the grounds as listed in Article 21 of the Charter of any passengers or groups of passengers;

(c) use only information that can support an objective, duly reasoned and non-discriminatory assessment.

Article 14

Deletion of API data and other PNR data from the router

API data and other PNR data, transferred to the router pursuant to this Regulation shall be stored on the router only insofar as necessary to complete the transmission to the relevant PIUs in accordance with this Regulation and shall be deleted from the router, immediately, permanently and in an automated manner, in both of the following situations:

(a) where it is confirmed, in accordance with Article 12(3), that the transmission of the API data and other PNR data to the relevant PIUs has been completed;

(b) where the API data or other PNR data relate to intra-EU flights other than those included in the lists referred to in Article 12(4).

The router shall automatically inform eu-LISA and the PIUs of the immediate deletion of intra-EU flights as referred to in point (b).

Article 15

Processing of API data and other PNR data by PIUs

API data and other PNR data transmitted to PIUs in accordance with this Regulation shall subsequently be processed by the PIUs in accordance with Directive (EU) 2016/681, in particular as regards the rules on the processing of API data and other PNR data by PIUs, including those set out in Articles 6, 10, 12 and 13 of that Directive, and solely for the purposes of the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

The PIUs or other competent authorities shall under no circumstances process API data and other PNR data for the purposes of profiling, as referred to in Article 11(3) of Directive (EU) 2016/680.

Article 16

Actions where it is technically impossible to use the router

During the period of time between those notifications, Article 5(1) shall not apply, insofar as the technical impossibility prevents the transfer of API data or other PNR data to the router. Air carriers shall store the API data or other PNR data until the technical impossibility has been successfully addressed. As soon as the technical impossibility has been successfully addressed, air carriers shall transfer the data to the router in accordance with Article 5(1).

Where it is technically impossible to use the router and in exceptional cases related to the objectives of this Regulation that make it necessary for PIUs to immediately receive API data or other PNR data during the technical impossibility to use the router, PIUs may request air carriers to use any other appropriate means, ensuring the necessary level of data security, data quality and data protection, to transfer the API data or other PNR data directly to the PIUs. The PIUs shall process the API data or other PNR data received through any other appropriate means in accordance with the rules and safeguards set out in Directive (EU) 2016/681.

Following the notification from eu-LISA that the technical impossibility has been successfully addressed, and where it is confirmed in accordance with Article 12(3) that the transmission of the API data or other PNR data through the router to the relevant PIU has been completed, the PIU shall immediately delete the API data or other PNR data received by any other appropriate means.

Where it is technically impossible to use the router and in exceptional cases related to the objectives of this Regulation that make it necessary for PIUs to immediately receive API data or other PNR data during the technical impossibility to use the router, PIUs may request air carriers to use any other appropriate means, ensuring the necessary level of data security, data quality and data protection to transfer the API data or other PNR data directly to the PIUs. The PIUs shall process the API data or other PNR data received through any other appropriate means in accordance with the rules and safeguards set out in Directive (EU) 2016/681.

Following the notification from eu-LISA that the technical impossibility has been successfully addressed, and where it is confirmed in accordance with Article 12(3) that the transmission of the API data or other PNR data through the router to the relevant PIU has been completed, the PIU shall immediately delete the API data or other PNR data received by any other appropriate means.

During the period of time between those notifications, Article 5(1) shall not apply, insofar as the technical impossibility prevents the transfer of API data or other PNR data to the router. Air carriers shall store the API data or other PNR data until the technical impossibility has been successfully addressed. As soon as the technical impossibility has been successfully addressed, air carriers shall transfer the data to the router in accordance with Article 5(1).

Where it is technically impossible to use the router and in exceptional cases related to the objectives of this Regulation that make it necessary for PIUs to immediately receive API data or other PNR data during the technical impossibility to use the router, PIUs may request air carriers to use any other appropriate means, ensuring the necessary level of data security, data quality and data protection, to transfer the API data or other PNR data directly to the PIUs. The PIUs shall process the API data or other PNR data received through any other appropriate means in accordance with the rules and safeguards set out in Directive (EU) 2016/681.

Following the notification from eu-LISA that the technical impossibility has been successfully addressed, and where it is confirmed in accordance with Article 12(3) that the transmission of the API data or other PNR data through the router to the relevant PIU has been completed, the PIU shall immediately delete the API data or other PNR data received by any other appropriate means.

When the technical impossibility has been successfully addressed, the air carrier concerned shall, without delay, submit to the national API supervision authority referred to in Article 37 a report containing all necessary details on the technical impossibility, including the reasons for the technical impossibility, its extent and consequences as well as the measures taken to address it.

CHAPTER 4

SPECIFIC PROVISIONS ON THE PROTECTION OF PERSONAL DATA AND SECURITY

Article 17

Keeping of logs

eu-LISA shall keep logs of all processing operations relating to the transfer and transmission of API data and other PNR data through the router under this Regulation. Those logs shall cover the following:

(a) the air carrier that transferred the API data and other PNR data to the router;

(b) the air carrier that transferred other PNR data to the router;

(c) the PIUs to which the API data were transmitted through the router;

(d) the PIUs to which other PNR data were transmitted through the router;

(e) the date and time of the transfer or transmission referred to in points (a) to (d), and the place of that transfer or transmission;

(f) any access by the staff of eu-LISA necessary for the maintenance of the router, as referred to in Article 26(3);

(g) any other information relating to those processing operations necessary to monitor the security and integrity of the API data and other PNR data and the lawfulness of those processing operations.

Those logs shall not include any personal data, other than the information necessary to identify the relevant member of the staff of eu-LISA, referred to in point (f) of the first subparagraph.

However, if those logs are needed for procedures for monitoring or ensuring the security and integrity of the API data or the lawfulness of the processing operations, as referred to in paragraph 3, and those procedures have already begun at the moment of the expiry of the time period referred to in the first subparagraph of this paragraph, air carriers and eu-LISA shall keep those logs for as long as necessary for those procedures. In that case, they shall immediately delete those logs when they are no longer necessary for those procedures.

Article 18
