Cooperation with online service providers in counter-terrorism: a snapshot of the Spanish National Unit for the Removal of Illegal Content (UNECI)

Silhouette of a young man looking at a mobile phone screen in a minimalist-style indoor space. The black-and-white image shows a stark contrast between the illuminated walls and the shadows.
A young man looks at his phone in an indoor setting. Photo: Warren Wong (@wflwong).
Isabella Pirlogea
Isabella Pirlogea
Posted on 01 Jun 2026 //
International Security

Key messages

  • The detection and identification of terrorist content online in Spain is carried out by specialised analyst and translation teams in the National Unit for the Removal of Illegal Content (UNECI). The latter is integrated into the Counter-Terrorism Division of the intelligence Centre against Terrorism and Organised Crime (CITCO). Its main function is the monitoring of open sources (OSINT) to detect, analyse and act against threats related to terrorism and violent extremism in the digital environment.
  • The UNECI has a preventative approach based on the generation of strategic intelligence and early risk management in the digital environment. The removal of content is therefore developed as a preventive activity of an administrative, not judicial, nature. Cooperation between the UNECI and online hosting providers aims to promote the self-protection of Internet platforms to reduce the dissemination of harmful, illegal and terrorist content before it generates consequences for society at large.
  • Communication and cooperation with online hosting providers is following the principle of co-responsibility promoted at the level of the EU between law enforcement and private companies. The UNECI works with platforms and online providers mainly through private-public partnerships involving voluntary cooperation.

Analysis

The Internet has become an indispensable tool for terrorist and violent extremist groups. In the EU the legislative response to violent extremist and terrorism on digital platforms has shifted, over the past decade, from voluntary industry self-regulation towards a co-responsibility framework. Online service and hosting providers offering services in the EU must actively take measures to prevent, block and remove terrorist content present on their platforms and services. For the purposes of this paper, online service providers are intermediaries that enable users to access and exchange content, while hosting providers are those that store and make that content technically available on their infrastructure.

Towards this goal, in 2021 the European Commission adopted the Terrorist Content Online Regulation (TCO) (EU 2021/784), which entered into force in June 2022. The TCO Regulation compels hosting providers to remove terrorist content within one hour of receiving a removal order from a national competent authority, and establishes a range of obligations concerning proactive detection, data preservation and notification. Part of the same agenda that strives for a coherent legal framework in digital governance, the Digital Services Act (DSA) (EU 2022/2065), applicable from February 2024 onwards, establishes a comprehensive framework for accountability, transparency and content moderation for digital services across the EU while setting up rules to override industry self-regulation. It updates the Electronic Commerce Directive of 2009 by aiming to harmonise rules for digital services, reduce fragmentation of national laws, and ensure a safe and predictable online environment. Aside from terrorist content, platforms must address illegal content, disinformation and societal risk, making the DSA a more comprehensive regulatory framework than the rest.

Large service and hosting providers and law-enforcement agencies in EU Member States have already established working relationships and public-private cooperation standards for terrorism content removal and prevention. However, cooperation varies from place to place in the Union. In Spain, the work of the Intelligence Centre against Terrorism and Organised Crime (CITCO) and its National Unit for The Removal of Illegal Content are prime examples of how the principle of co-responsibility in the field of security works to include online platforms.

The CITCO’s role and responsibilities in the removal of terrorist content

Spain’s engagement with the governance of terrorist content online has been shaped largely by the CITCO, which has built a distinctive institutional role in the field over the past decade. Appointed as Spain’s representative to the EU Internet Forum and national contact point for Europol’s IRU in 2015, the CITCO progressively expanded its mandate. In 2019 it became Spain’s contact point for the voluntary EU Crisis Protocol, and in 2021 it was formally designated as Spain’s competent national authority under the TCO Regulation, in force since June 2022. To discharge its mandate, the CITCO promoted the creation of the National Unit for The Removal of Illegal Content, formally constituted by Royal Decree 207/2024. In practice, the issue of removal orders, coordination with police forces and cooperation with Europol had been operational functions since early 2021.

The Spanish National Unit for the Removal of Illegal Content (UNECI)

The UNECI operates as an integrated unit within the CITCO’s Counter-Terrorism Division, with a mandate built around the open-source monitoring (OSINT) of the digital environment for terrorist and violent extremist content. The National Unit serves two complimentary purposes: (a) intelligence generation, whereby detected online content feeds into the CITCO’s broader strategic assessment of the terrorist threat; and (b) content removal, where the UNECI acts against illegal material linked to terrorism or radicalisation processes by developing available legal instruments, including voluntary referrals and binding removal orders in coordination with national police forces and international partners such as Europol.

In the spirit of the co-responsibility principle, UNECI works directly with specialised private-sector providers who support (p. 13) the Unit in monitoring, analysing and tracking terrorism and illegal content online.

Three modes of cooperation with service providers

In practice, the UNECI’s cooperation with digital platforms takes three distinct forms, ranging from day-to-day, trust-based interaction to emergency response mechanisms. Each modality reflects a different level of legal obligation and operational urgency, together forming a tiered model that privileges prevention and cooperation over coercive regulatory enforcement.

Ongoing monitoring and referrals

The most routine dimension of the UNECI’s work involves continuous monitoring of online platforms for terrorist and violent extremist content. The UNECI engages with online hosting providers through a tiered model that prioritises voluntary cooperation over formal compulsion. In the first instance, the UNECI sends referrals relying on voluntary cooperation rather than legal obligation. These referrals are often conducted collectively through Europol-coordinated Referral Action Days, in which multiple Member States and platforms jointly review large volumes of content. Removal orders are administrative, not judicial, in nature.

Where voluntary notifications are disregarded, the UNECI escalates to a binding removal order under the TCO Regulation, which platforms must comply with within one hour. The compliance is transmitted via Europol’s PERCI tool and in practice occurs within minutes. Removal orders trigger a mandatory data preservation obligation of six months, extendable upon request by the competent authorities. The channel through which these orders are processed varies according to the size of the platform and whether it has a legal presence in the EU. With large platforms that have a legal representative in the EU, the UNECI maintains a permanent direct contact. These platforms are required to designate a contact point or legal representative accessible to the competent national authorities, through whom they receive removal orders electronically, including via Europol’s PERCI tool. The latter serves as a secure, centralised channel to avoid duplication of orders between different Member States. For smaller or more specialised platforms that lack a legal representative in the EU, particularly in the gaming sector, the UNECI turns to the Sirius Project. This is the joint Europol-Eurojust platform that provides guidelines, contact databases and standardised forms for requesting the preservation and disclosure of data from service providers in cross-border contexts.

Imminent threats to life

Within the operational arm of content removal, there are specific circumstances in which the UNECI also handles data which can be later used as electronic evidence in a terrorism investigation. That is the case of Article 14 (5) of the TCO Regulation, whereby online hosting providers are obliged to proactively notify competent authorities in EU Member States when they detect content posing an imminent threat to life. In such cases the platform is legally required to preserve that data for six months, extendable by a further six months if a police investigation is formally opened.

The EU Crisis Protocol

When a terrorist attack occurs, the CITCO has the authority to trigger the EU Crisis Protocol. The latter is a voluntary framework under which major online service and hosting providers, including Meta, Google and Microsoft, have committed to coordinated action. Within a window of typically 72 hours, the CITCO works with platforms through a Europol-managed Crisis Coordination Team to identify and remove content glorifying the attack, propagandising for the perpetrating organisation or offensive to victims, while preserving data for potential judicial use. Platform cooperation rests on established trust rather than legal compulsion, and the CITCO’s role stops entirely short of criminal investigations, which remain the exclusive responsibility of the judicial and police authorities of the country concerned.

Voluntary cooperation as the modus operandi

Spain’s track record under the TCO Regulation shows that voluntary cooperation outperforms legal compulsion. Since the TCO Regulation entered into force, the UNECI has issued more than 100 removal orders, yet the majority if its platform engagement takes the form of voluntary referrals. This preference has become obvious over time. For instance, in 2024 UNECI for the first time issued more autonomous referrals than those conducted through Europol-coordinated Referral Action Days, reflecting the growing bilateral confidence with platforms. Platforms themselves proactively remove over 60% of terrorist content on their own initiative, a capacity the UNECI actively cultivates by sharing intelligence and analytical expertise with the platforms’ moderation teams.

Formal removal orders, of which Spain issued more than 60 in 2023, accounting for nearly 60% of all EU orders that year, remain the secondary choice for when cooperative channels have been exhausted. The broader trend points towards a deepening institutionalisation of this relationship, with the UNECI and platforms increasingly functioning as partners in early risk detection rather than simply as regulator and regulated.

Electronic evidence, content removal and counter-terrorism

The European Commission’s February 2024 TCO implementation report acknowledged that content removal is functioning but noted that data preserved through that process is rarely leveraged systematically for criminal proceedings. Data retention by service and hosting providers in the EU has been the subject of a long debate and extensive case law at the Court of Justice of the EU (CJEU). The Court has progressively narrowed the conditions under which service providers can be required to retain traffic and location data, even for counter-terrorism purposes. This has sparked criticism from law enforcement bodies across the Union who find it hard to conduct an investigation without clear rules on the retention and preservation of data.

In light of this, a new legislative framework was adopted in 2023 to harmonise the evidence preservation and transfer from hosting providers in EU criminal matters. The e-Evidence Regulation applies from 18 August 2026 and introduces two new instruments, the European Production Order and the European Preservation Order, which allow law enforcement bodies to request electronic evidence directly from service providers across borders, entirely bypassing the Mutual Legal Assistance channels. The accompanying Directive, which required Member States to adapt their national procedural law, had a transposition deadline of 18 February 2026.

Whether Spain has transposed the E-Evidence Directive on time is uncertain. The country has a documented history of delayed transposition in the justice and home affairs domain, having previously been fined €15 million by the CJEU in 2021 for failing to transpose Directive 2016/680 on law enforcement data protection, and is currently facing infringement proceedings for the late transposition of the NIS2 Directive. It remains to be seen whether prosecutors will have a new EU instrument available from August 2026 with no national framework through which to use it.

Conclusion

Spain has built one of the most operationally active counter-terrorism frameworks for online content in the EU. Yet the environment in which that cooperation takes place is changing. The platforms Spain relies on are now subject to an expanding and overlapping set of EU regulatory obligations, from the GDPR, DSA, DMA, AI Act, to NIS2, which all are reshaping how private actors engage with public authorities across the board. The E-Evidence Regulation enters into force in August 2026, the EU Crisis Protocol is being placed on a binding legal footing and data retention rules remain unsettled. Counter-terrorism online is no longer a purely technical or operational challenge, but a legal and institutional one as well. How Spain navigates the next phase will say as much about its legislative capacity as about its counter-terrorism expertise.