In the wake of 9/11 attacks EU has introduced legislative acts that enshrine regulatory solutions of the security type, justified by the prevention and repression of terrorism. This sword function of European criminal law includes, eg, the Council Framework Decision of 13.06.02 on combating terrorism and the Data Retention Directive (2006/24). Progressively, however, the CJEU, in its capacity as a guardian of fundamental rights, has taken an active role in assessing the compatibility of these acts with the CFR. A paradigmatic example is the jurisprudential line initiated with the Digital Rights Ireland judgment, in which the invalidity of the Directive 2006/24 was declared. We will analyse the reasoning behind this decision, the path the CJEU has taken since then, including the Tele2 Sverige and Prokuratuur cases, and their implications in the national legal systems of the Member States (e.g. Decision of 25th February 2022 of the French Conseil Constitutionnel).