There are three related reasons for this:
1. Each EU member state has a different legal framework and so a Regulation (which has direct effect, meaning it applies as-is and does not have to be "transposed" into national law) would not be appropriate when dealing with criminal investigations;
2. The EU can only act in areas where it has been given "competence" to do so under the Treaty on the European Union and Treaty on the Functioning of the European Union. Member states are reluctant to give the EU broad competence to establish criminal offences or to regulate the investigation and prosecution of offences;
3. The treaties explicitly exclude almost all activities related to national security because that is a fundamental feature of being sovereign, which EU member states are and the EU is not.
Due to points 1 and 2, the EU passed the Law Enforcement Directive (2016/680/EC) which regulates processing of personal data in a law enforcement context. Being a Directive (and not a Regulation) means that each member state has latitude to adapt it to their respective legal frameworks when transposing it into national law.
Incidentally, point 3 will cause huge problems for the UK when we eventually leave the EU. The Court of Justice of the European Union - the EU's highest court - cannot take in to account laws of a member state relating to national security (insofar as they _only_ relate to national security) due to their exclusion by the treaties, but they can take in to account laws of a third country.
