Endless Change Requests: How European LEAs Can Stop Renting Capabilities and Start Owning Their Mission

Introduction: Why Modernization Isn’t Enough

Across Europe, Law Enforcement Agencies are modernising their intelligence environments. Legacy data silos are being consolidated into unified enterprise intelligence platforms for law enforcement. Knowledge graphs, entity resolution engines and digital forensics integration layers are becoming standard. Air-gapped infrastructures are being upgraded to handle digital-era investigative workloads. On paper, this transformation signals progress. In practice, many agencies discover that consolidation does not eliminate friction. It relocates it.

The investigative environment has fundamentally changed. Europol’s EU Serious and Organised Crime Threat Assessment 2025 (1) describes a “fundamental shift in the blueprint of serious and organised crime,” highlighting that criminal activity is increasingly nurtured online, accelerated by AI and embedded in digital infrastructure. ENISA’s Threat Landscape (2) reports similarly describe the rapid expansion of cyber-enabled crime, the industrialisation of fraud, and the growing complexity of digital attack surfaces. These are not abstract assessments; they reflect the daily operational experience of investigative teams managing larger volumes of digital evidence, more varied data formats and faster-moving criminal typologies.

The pressure is not simply one of scale. It is the compound effect of volume, velocity and variety. Mobile device extractions produce gigabytes of data per case. Financial crime investigations span jurisdictions and regulatory regimes. Encrypted communications fragment evidentiary chains across platforms. Cross-border cooperation introduces incompatible schemas and reporting standards. If systems cannot adapt quickly, investigators fall behind. And when investigators fall behind, cases slow down. Suspects disappear. Evidence grows cold. Fraud continues. Threats escalate. Criminal networks adapt faster than the systems meant to stop them.

Many intelligence platforms make this worse because changing the system requires formal change requests and outside engineers. When every new data source or investigative need takes weeks to process, speed is lost. In today’s environment, losing speed means losing control.

The “Consultant Tax” in Enterprise Intelligence Platforms

In the law enforcement and national security software market, platforms are frequently delivered through service-heavy models. During deployment, vendor engineering teams construct ontologies, customize ingestion pipelines and encode analytical workflows. While service-heavy models provide a 'fast start,' they create a permanent gatekeeper. The agency’s analytical logic may effectively be held hostage by the vendor’s engineering backlog.

Over time, this produces what practitioners informally describe as a “consultant tax.” Routine adjustments (such as ingesting a new data source, modifying an entity relationship or adapting to a revised forensic export format) require vendor intervention. The agency submits a statement of work, engineering resources are allocated and timelines extend. The agency pays for a license but rents the intelligence. Without a vendor engineer in the room, the system is static.

This dynamic mirrors patterns observed more broadly in public sector IT. The European Court of Auditors and national audit offices, including the UK National Audit Office, have repeatedly highlighted the risks of over-customised, service-dependent IT programmes that struggle with cost overruns and long-term vendor reliance. The issue is not vendor competence; it is architectural dependency. When institutional knowledge about system evolution resides primarily outside the organisation, autonomy diminishes.

Why Change Requests Undermine Investigative Tempo

Investigations are driven by a combination of events and intelligence. Intelligence loses value as time passes. Europol’s SOCTA emphasises that criminal networks are increasingly adaptive, leveraging AI, encrypted communications and online infrastructure to scale and mutate operations rapidly. Fraud schemes evolve in weeks. Communication channels shift overnight. Criminal collaboration transcends borders with minimal friction.

In this environment, investigative systems must absorb change quickly. If ingesting a new partner dataset or correlating an updated digital forensics format requires weeks of engineering backlog, operational tempo is misaligned with threat tempo. The bottleneck no longer sits in fragmented databases but in contractual processes.

Enterprise IT research reinforces this point. Gartner has consistently warned of “technical debt” and vendor lock-in in heavily customised enterprise systems, noting that organisations often underestimate the long-term cost and agility impact of tightly coupled architectures. While Gartner’s research is commercial, the underlying principle is widely accepted: systems that require specialist intervention for routine evolution slow organisational responsiveness.

For LEAs confronting AI-accelerated crime and networks operating through digital channels, responsiveness is not a convenience. It is a strategic requirement.

Data Sovereignty Beyond Data Residency

European policy discourse increasingly emphasises digital sovereignty. Regulatory frameworks such as the Digital Services Act and broader EU data governance initiatives focus on jurisdiction, control and accountability.

In law enforcement contexts, sovereignty is often interpreted as ensuring that infrastructure resides within EU boundaries. However, operational sovereignty extends further. It includes control over how systems are configured, evolved and governed. If ontology structures, ingestion mappings or analytical applications can only be modified through external vendor access, sovereignty is incomplete in practice, even if data is stored locally.

This distinction is particularly relevant in air-gapped or restricted environments. Agencies operating national security systems frequently impose strict access controls. If routine system evolution depends on external engineering teams (especially those operating outside EU jurisdiction) governance complexity increases and institutional resilience decreases.

True sovereignty implies that vetted internal personnel can evolve the system independently. Ownership of infrastructure must be matched by ownership of configuration.

Air-Gapped Environments and Forward Deployed Engineers

Many service-heavy platforms rely on embedded or “forward deployed” engineers to build and maintain analytical logic. This model can deliver depth and customisation but often embeds ongoing vendor reliance. In air-gapped contexts, where connectivity is limited and access tightly controlled, reliance on external engineering becomes operationally cumbersome.

Public sector digital transformation literature, including OECD reports on digital government, repeatedly stresses the importance of internal capability development and knowledge retention. Systems that cannot be maintained and evolved internally introduce long-term fragility. If contractual relationships change or geopolitical conditions shift, agencies must retain the ability to operate autonomously. In restricted environments, every required vendor 'touch' is a security vulnerability and a procurement delay. True sovereignty requires a system that is secure by autonomy, not just by location.

In intelligence environments, this autonomy is not optional. Analytical logic (the ontology, relationship models and ingestion mappings) forms part of institutional memory. When that logic resides primarily with external teams, agencies risk outsourcing their analytical core.

COTS Intelligence Software and Architectural Autonomy

Commercial-Off-The-Shelf (COTS) intelligence platforms offer a structurally different approach. Rather than conflating software and services, COTS-first architectures are designed so that, after deployment, ingestion configuration, ontology evolution and application logic can be managed internally.

This does not eliminate professional services. It redefines their purpose. Instead of building a bespoke system that remains engineer-dependent, services focus on Internal skill building. Internal teams are trained to configure and extend the platform themselves.

DataWalk moves the configuration from the backend code to the analyst’s workspace. If you can see the connection, you should be able to codify it in the ontology without writing a line of Python or opening a ticket.

Architecturally, this requires user-configurable ingestion tools, visual ontology management and computation models that operate close to the data rather than through rigid transformation pipelines. The objective is not merely flexibility but institutional control.

In practical terms, this becomes visible during digital forensics integration. Modern investigations frequently involve large volumes of UFDR or similar mobile extraction reports. In internally configurable platforms, trained analysts can ingest new exports, map relationships and correlate data without external intervention. The elapsed time between receipt and insight shortens significantly.

The distinction between these models is not ideological. It has a large operational impact. The difference is measured in weeks: the time it takes to submit a Change Request versus the minutes it takes an internal analyst to map a new UFDR export.

From Renting Capability to Owning the Mission

The strategic decision facing European LEAs is not solely about vendor selection. It concerns the long-term control model of their intelligence infrastructure. Service-heavy deployments may deliver advanced capability but embed recurring dependency.

COTS-first platforms built around internal configurability and competency transfer shift authority inward. Over time, this affects cost stability, investigative tempo and governance resilience. Agencies that retain configuration control reduce exposure to vendor lock-in in law enforcement, shorten adaptation cycles and align platform evolution with operational demand.

DataWalk positions itself within this second category, emphasising internal skill development and architectural autonomy. Its argument is not that services are unnecessary, but that services should enable ownership rather than entrench vendor reliance.

The broader lesson extends beyond any single vendor. In an environment defined by AI-accelerated crime, encrypted communications and cross-border data complexity, investigative platforms must evolve at the speed of the threat. Systems that depend on recurring change requests introduce friction at precisely the point where agility is required.

What Agencies Can Do Now

• Measure the average time required to ingest and operationalise a new dataset, and compare that timeframe to investigative urgency.
• Ontology Access Audit: Verify if internal Tier-1 analysts can add a new object type (e.g., "Crypto-Wallet") and link it to an "Identity" in under 10 minutes without backend access.
• The Engineering-to-License Ratio: If your annual spend on "Professional Services" for system maintenance exceeds 30% of your licensing cost, you are paying a "Consultant Tax."
• The "Unseen Data" Test: Attempt to ingest a new, previously unmapped forensic export (e.g., a new version of Cellebrite/GrayKey). If it requires a vendor ticket, you do not own your mission.
• Review air-gapped deployments to ensure full internal configurability and governance control.
• Incorporate configuration autonomy and competency transfer requirements into future procurement processes.
• Invest in developing internal analytical expertise capable of maintaining and extending the system independently.

If these steps are not executed, agencies operate blind to structural dependency. Bottlenecks remain hidden, engineering reliance compounds, air-gapped control is assumed rather than verified, and procurement repeats past mistakes.

The result is unmanaged risk - where investigative tempo, cost stability and sovereignty erode without leadership visibility.

Conclusion

European law enforcement is not constrained by lack of data. It is constrained by friction in adapting to it. The change request bottleneck is not a technical inconvenience; it is a structural vulnerability. Every manual mediation layer - every engineering ticket, every schema rewrite, every delayed ingestion - introduces waste. And waste compounds.

Digital transformation, and the current wave of AI adoption, are ultimately about reducing unnecessary human intervention in repeatable processes. When ontology-driven knowledge graphs automate relationship modelling and ingestion logic, they eliminate vast amounts of manual metadata handling and data rework. The time saved at the point of use is not incremental; it is multiplicative.

Ending the change request bottleneck is not about eliminating vendors, but about selecting architectures that minimise structural waste and preserve internal control. Finally, agencies that outsource the evolution of their logic eventually outsource the success of their mission.

Sources:

1) Europol, The Changing DNA of Serious and Organised Crime: European Union Serious and Organised Crime Threat Assessment 2025 – Executive Summary, Publications Office of the European Union, 2025. DOI: 10.2813/8524220.
2) European Union Agency for Cybersecurity (ENISA), ENISA Threat Landscape 2023, 2023.
3) Gartner, “Avoid Vendor Lock-In When Modernizing Enterprise Applications,” Gartner Research Note, various editions; see also Gartner, “Manage Technical Debt to Improve Agility,” Research Insights.
4) European Parliament and Council of the European Union, Regulation (EU) 2022/2065 on a Single Market for Digital Services (Digital Services Act), Official Journal of the European Union, 2022.
5) OECD, Digital Government Review of the European Union, OECD Publishing, 2023.