Explanatory Memorandum to COM(2017)352 - European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice

Please note

This page contains a limited version of this dossier in the EU Monitor.

1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

The establishing Regulation of the European Agency in charge of the operational management of large-scale IT systems in the area of freedom, security and justice, (referred to as eu-LISA) was adopted in 2011 (Regulation (EU) No 1077/2011) and amended in 2015 by Regulation (EU) 603/20131 . eu - LISA is currently responsi b le for the operational management at central level of the second generation Schengen Information System (SIS II), the Visa Information System (VIS) and Eurodac. eu-LISA may also be entrusted with the development and operational management of other large-scale IT systems in the area of freedom, security and justice if so provided by relevant legislative instruments.

eu-LISA took up its core tasks on 1 December 2012 and operates the VIS since 1 December 2012, SIS II since May 2013 and Eurodac since June 2013. The seat of the Agency is Tallinn and the systems are operated from the technical site in Strasbourg. The backup site is located in Sankt Johann im Pongau.

The aim of this proposal is to review the Agency establishing Regulation in order to adapt it to the recommendations for legislative amendments stemming from the evaluation, as well as to improve the functioning of the Agency and enhance and strengthen its role to ensure that its mandate meets current challenges at EU level in the area of freedom, security and justice. It also aims at inserting in the Regulation changes deriving from policy, legal or factual developments and in particular to reflect the fact that new systems will be entrusted to the Agency subject to agreement by the co - le g islators and that the Agency should be tasked with contributing to the development of interoperability between large-scale IT systems in the follow-up to the 6 April 2016 Commission Communication on Stronger and Smarter Information Systems for borders and security2, the final report of the High-level expert group on information systems and interoperability of 11 May 20173 and the Commission's Seventh progress report towards an effective and genuine Security Union of 16 May 201 7 . It also addresses the recommendations for amendments proposed by the Management Board of the Agency, and the possible need for eu-LISA to host and manage joint technical solutions for the national implementation of decentralized systems for interested Member States. Finally, the proposal aligns the Agency s founding act with the principles of the Joint State ment of the European Parliament, the Council and the European Commission on decentralised agencies of 19 July 2012 (hereinafter the Common Approach).

2.

In accordance with Article 31 of the establishing Regulation, the Commission carried out an evaluation, on the basis of an external evaluation , in close consultation with the eu-LISA


Regulation (EU No 603/2013 of the European Parliament and of the Council on the establishment of Eurodac for the comparison of fingerprints for the effective application of {Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member States responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person}, and on requests for the comparison with Eurodac data by Member States' law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (recast). OJ L 180, 9.6.2013.

Communication from the Commission to the European Parliament and the Council Stronger and Smarter Information Systems for Borders and Security. COM(2016) 205 final, 6.4.2016. ec.europa.eu/transparency/regexpert COM(2017) 261 final. bookshop.europa.eu/is-bin/INTERSHOP.enfinity/WFS-

2

Management Board, to examine the way and extent to which the Agency effectively contributes to the operational management of large-scale IT systems in the area of freedom, security and justice and fulfils its tasks laid down in the establishing Regulation. It also examined the need for revision or extension of the tasks entrusted to eu-LISA in the establishing Regulation. On the basis of that evaluation, the Commission, after consulting the Management Board, should issue recommendations regarding changes to the establishing Regulation and forward them, together with the opinion of the Management Board, as well as appropriate proposals to the European Parliament, the Council and the European Data Protection Supervisor. The recommendations have been included in the Report from the Commission to the European Parliament and the Council on the functioning of the European Agency for the operational management of large-scale IT systems in the area of freedom, security an d justice (eu-LISA)6 and in the accompanying Commission Staff Working Docu ment on eu-LISA evaluation which are foreseen to be adopted at the same time as this proposal .

This proposal is therefore linked to the evaluation of the Agency but also obeys to other legislative and policy developments and reflects on the recommendations referred to above, as well as the opinion of the Managem ent Board.

Addressing the recommendations of the external evaluation report of eu-LISA

Four years after the Agency took over its tasks in December 2012, the evaluation showed that the Agency has demonstrated its capacity to fulfil its tasks, as well as new tasks entrusted to it, notably DubliNet8, VISION9 and the execution of the Smart Borders Pilot10 in an effective and efficient manner. It also found that eu-LISA effectively contributed to the establishment of a coordinated, effective and coherent IT environment for the management of large-scale IT systems supporting the implementation of policies in the area of freedom, security and justice.

However, there are shortcomings to be remedied in order to improve the functioning of the Agency and enhance and strengthen its role, ensuring its mandate is adapted to meet current challenges at EU level in the area of migration and security. Most of the shortcomings identified in the evaluation can be addressed without legislative amendments. The non-legislative recommendations have been followed up by the Executive Director of eu-LISA; the Management Board adopted the re le v ant Action Plan on 21 March 2017.

The shortcomings which would require legislative amendments as identified in the evaluation are the following:

COM(2017) 346, 29.6.2017.

SWD(2017) 249, 29.6.2017.

3.

Certain operational and security tasks concerning DubliNet were transferred to eu-LISA by a service


level agreement dated of 31 July 2014 between the Agency and the Director General for Migration and

Home Affairs. The Commission retained responsibility for budget and contractual matters. DubliNet

shall be legally transferred to the Agency by a provision amending Regulation (EU) 1077/2011 of the

Eurodac recast proposal. COM(2016) 272 final, 4.5.2016.

4.

The functioning of VISION (the Schengen Consultation Network) was entrusted to eu-LISA by a


service level agreement signed between the Member States and Iceland, Liechtenstein and Norway

using VISION, represented by the Presidency of the Council of the European Union and the Agency on

27 May 2013.

5.

During the negotiations of the Smart Borders Package adopted by the Commission on 28 February 2013


a number of technical, operational and cost concerns emerged which were deemed to require further

investigation. On 4 February 2014 COREPER endorsed a proof of concept exercise consisting of a

Commission-led exercise and a test phase or Pilot to be conducted by eu-LISA. The pilot was entrusted

9

10

– the coherence of the management of the communication infrastructure should be

improved by transferring the Commission's related tasks (in particular the implementation of the budget, acquisition and renewal and contractual matters) to the Agency, through an amendment of the legislative instruments governing the establishment and operation of the systems operated by the Agency;

– the scope of cooperation with other agencies in the area of freedom, security and

justice should be clarified within the eu-LISA mandate;

– an interim report should be adopted by the Management Board by the end of August

each year on progress on the implementation of planned activities covering the first six months of that same year;

– the scope of pilot projects which eu-LISA may carry out is limited to those referred

to in Article 54(2)a of the Financial Regulation (i.e. without a basic act) and should be extended at least to pilot projects with an existing basic act.

The evaluation also recommended that a risk and ex-ante assessment should be prepared for projects over 500 000 EUR that are carried out by eu-LISA within its current mandate (i.e. not deriving from a legislative instrument entrusting it with a new system for which an impact assessment will be provided by the Commission). This is an important recommendation that shall be appropriately addressed by eu-LISA. However, it does not require a change of the Agency Regulation since Article 29(5) of the Commission delegated Regulation (EU) No 1271/201311 and of the Agency's Financial Regulation already require ex-ante and ex-post evaluations of programmes and activities which entail significant spending.

The evaluation also made other recommendations for amendments to the mandate of the Agency. These should be inserted in the systems' legislative instruments and, as regards the extended responsibility for eu-LISA with regard to statistics, would not require an amendment to the Agency's establishing Regulation:

– An extended responsibility for eu-LISA in generating/publishing the statistics for

each system.

– A new task for eu-LISA to produce data quality and data analysis reports to improve

the control of implementation of the systems' legal instruments.

The Report on the functioning of the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice adopted on the same date as this proposal presents the findings and recommendations of the evaluation. It also noted that the establishing Regulation defining the tasks of the Agency responds to the legal, political and economic environment in which the Agency was created. Recent policy and legislative developments call for further revision or extension of the tasks entrusted to eu-LISA in the establishing Regulation and other relevant legal instruments (i.e. the systems' legal instruments). In 2016 the Commission presented proposals to entrust new systems to the Agency: the Entry/Exit System (EES)12, the automated system for registration, monitoring

Commission delegated Regulation (EU) No 1271/2013 of 30 September 2013 on the framework financial regulation for the bodies referred to in Article 208 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council, OJ L 328, 7.12.2013, p. 42.

Proposal for a Regulation of the European Parliament and of the Council establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States of the European Union and determining the conditions for access to the EES for law enforcement purposes and amending Regulation (EC) No 767/2008 and

11

12

and the allocation mechanism of applications for international protection13 and the EU Travel Information and Authorisation System (ETIAS)14. If these initiatives are adopted by the co-legislators, they would require changes to the eu-LISA Regulation which should enter into force when those proposals will become applicable in order to reflect these new tasks in the eu-LISA Regulation in particular as regards the responsibilities of the Management Board and the Executive Director. The EES proposal includes amendments to Regulation (EU) 1077/2011. In the case of ETIAS and Eurodac recast proposals such amendments have been inserted by the Presidency in the course of discussions in the Council. However, since this proposal is presented before any of the three proposals entrusting new systems to the Agency is adopted, it is necessary to reflect the required amendments as well in this proposal in parenthesis, subject to their final acceptance into the text when the proposals are adopted by the co-legislators.

The Commission also adopted on 6 April 2016 a Communication on Stronger and Smarter Information Systems for Borders and Security15. eu-LISA should be given explicit mandate in the establishment Regulation to carry out the tasks entrusted to it as described in this Communication and in the Commission's Seventh progress report toward an effective and genuine Security Union adopted on 16 May 2017. This includes in particular providing support to the Commission and Member States to examine the technical feasibility of developments and actions towards interoperability of the systems including by way of studies and or testing activities.

The changes deriving from the evaluation of the SIS carried out in 2016 as reflected in the proposals revising the SIS legislative instruments16 as well as from the Eurodac recast proposal17 should also be inserted in the proposal.

Moreover, there are divergences between the establishing Regulation and the Common Approach annexed to the Joint Statement of the European Parliament, the Council of the EU and the European Commission on decentralised agencies of 19 July 2012 (hereinafter the Common Approach) and with the new Financial Regulation and framework Financial

Proposal for a Regulation of the European Parliament and of the Council establishing the criteria and mechanisms for determining the Member State responsible for examining the application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast) COM(2016) 270 final, 4.5.2016.

Proposal for a Regulation of the European Parliament and of the Council establishing a European Travel Information and Authorisation Information System and amending Regulations (EU) No 515/2014, (EU) 2016/794 and (EU) 2016/1624. COM(2016) 731 final, 16.11.2016.

Communication from the Commission to the European Parliament and the Council Stronger and Smarter Information Systems for Borders and Security. COM(2016) 205 final, 6.4.2016.

Proposal for a Regulation of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1987/2006. COM(2016) 882 final.21.12.2016; Proposal for a Regulation of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1986/2006, Council Decision 2007/533/JHA and Commission Decision 2016/261/EU. COM(2016) 883 final, 21.12.2016.

Proposal for a Regulation of the European Parliament and of the Council on the establishment of Eurodac for the comparison of fingerprints for the effective application of {Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member States responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person}, for identifying an illegally staying third-country national or stateless person and on requests for the comparison with Eurodac data by Member States' law enforcement authorities and Europol for law enforcement purposes (recast). COM(2016) 272 final,

3

4

5

6

17

Regulation. These should be addressed in the legislative revision. An example is the possible extension of the mandate of the Executive Director for no more than five years instead of the maximum of three years currently foreseen. A second example is the requirement for evaluations of the Agency every five years instead of every four years as is currently foreseen.

The Regulation should also stipulate that eu-LISA may provide advice to the Member States on the national systems connection to the central systems and ad hoc support/assistance to Member States (such as the support provided in the Greek hotspot in early 2016 during the refugee crisis).

It should also allow eu-LISA to provide assistance/support to the relevant Commission services on technical issues related to existing or new systems, where so requested.

Addressing the Recommendations for amendments proposed by the Management Board of the Agency

The Management Board of the Agency was consulted on 25 November 2016 on the recommendations for amendments of the Agency establishing Regulation and adopted its opinion on 27 February 2017. The Board welcomed the recommendations for amendments and the intention of the Commission to enlarge the responsibilities of eu-LISA and put forward further recommendations for amendments. Out of these additional recommendations for amendments, the Commission has ta ken over the extension of the mandate on research, as well as the extension of the mandate of the Chair of the Advisory Groups. The Management Board proposed that the Agency should be able to establish additional technical sites after approval of the Board in addition to the existing ones in Strasbourg and Sankt Johann im Pongau (Austria). The Commission cannot accept this recommendation, as it is not supported by any relevant evidence of need, added value or efficiency gains. It is noted that the location of the central and bac ku p system s for SIS II and VIS in Strasbourg (France) and San kt Johann im Pongau (Austria) were already fixed by the co- le g isl ators in the legislative instruments on SIS II (adopted in 2006 and 2007 respectively) and VIS (adopted in 2008). During the negotiations of the proposal for the Agency establishing Regulation it was decided by the co-legislators on the basis of a joint offer presented by Estonia and France to host the Agency, that the seat of the Agency would be Tallinn while the technical and backup sites would remain in Strasbourg and in Sankt Johann im Pongau. Moreover, no assessment has been provided by the Agency to justify the need for an additional site. However, in order to ensure further flexibility, this proposal provides for the possibility for the Agency to use the backup site of Sankt Johann im Pongau to operate the backup systems simultaneously in an active mode. This should allow for the processing of business transactions even during normal operation and not only during the failure of the systems.

Addressing changes required to entrust eu-LISA with tasks referred to in the final report of the High Level Expert Group on information systems and interoperability of 11 May 2017 and the Commission's Seventh progress report towards an effective and genuine Security Union adopted on 16 May 2017.

These changes include:

(a) giving eu-LISA enhanced responsibilities with regard to data quality subject to the

adoption of specific legislative amendments/proposals

The High Level Expert Group on information systems and interoperability considered the recommendation foreseen in the Communication on Stronger and Smarter Information Systems for Borders and Security for eu-LISA to develop a central monitoring capacity for data quality. The Expert Group considered that the automated quality, format and completeness checks imposed or suggested by the central systems should be improved or

completed. Further analysis is required on the possible development of automated data quality control of the various data fields in SIS, VIS and Eurodac and in any new systems, such as EES. The goal of such a data quality control mechanism will be for the central systems to automatically identify apparently incorrect or inconsistent data submissions so that the originating Member State is able to verify the data and carry out any necessary remedial actions. This activity could be facilitated by a common data repository for producing statistical and data quality reports (data warehouse) containing anonymised data extracted from the systems. The Seventh progress report towards an effective and genuine Security Union noted that the Commission will take forward the Expert Groups recommendations on automated quality control, a data warehouse capable of analysing anonymised data extracted from relevant information systems for statistical and reporting purposes, and training modules on data quality for staff responsible for providing input to the systems at national level.

This new task as well as the creation of a data warehouse would require that specific detailed provisions on data quality be foreseen in the systems instruments or in a specific legislative instrum ent.

(b) giving eu- LISA responsibility for the development of interoperability actions subject

to the adoption of the relevant legislative proposals.

The Seventh progress report towards an effective and genuine Security Union adopted on 16 May 2017, noted that, in line with the April 2016 Communication, and confirmed by the findings and recommendations of the Expert Group, the Commission sets out a new approach to the management of data for borders and security, where all centralised EU information systems for security, border and migration management are interoperable in full respect of fundamental rights so that:

the systems can be searched simultaneously using a European Search portal, in full compliance with purpose limitation and access rights, to make better use of existing information systems, possibly with more streamlined rules for law enforcement access;

the systems use one shared biometric matching service to enable searches across different information systems holding biometric data, possibly with hit/no-hit flags indicating the connection with related biometric data found in another system;

the systems share a common repository with alphanumeric identity data to detect if a person is registered under multiple identities in different databases.

6.

This proposal aims to allow eu - LIS A to carry out the tasks deriving from the Seventh progress report towards an effective and genuine Security Union adopted on 16 May 2017 as well as


The Seventh progress report towards an effective and genuine Security Union invited the European Parliament and the Council to hold a joint discussion on the way forward on interoperability as set out in communication. To this end the Commission will present and discuss these ideas with the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) on 26 May 2017 and with the Member States at the 9 June 2017 Justice and Home Affairs Council. Building on those discussions, it is expected that the three institutions hold tripartite technical level meetings in autumn 2017 further to discuss the way forward on interoperability as set out in this Communication including the operational needs for borders and security and how to ensure proportionality and full compliance with fundamental rights. The goal is to reach as soon as possible, and at the latest before the end of 2017, a common understanding on the way forward and on the necessary steps to be taken to achieve interoperability of information systems by 2020. On the basis of such common understanding the Commission will present in early spring 2018 a legislative proposal on interoperability. In parallel to the joint discussions between the three institutions, and without anticipating its outcome, the Commission and eu-LISA will need to conduct further technical analysis on the proposed solutions for interoperability in the course of

8

the development of a European Search Portal, a shared biometric matching service and a Common Identity Repository, subject to the adoption of the relevant legislative instrument on interoperability.

(c) addressing the possible need for eu-LISA to develop, manage and/or host joint

technical solutions for the national implementation of technical aspects of obligations deriving from EU legislation on decentralised systems in the area of freedom, security and justice for interested Member States.

As recalled in the Seventh progress report towards an effective and genuine Security Union adopted on 16 May 2017, the final report of the High-level expert Group on IT systems and interoperability also highlighted the importance of fully implementing and applying existing information systems. It also looked at the decentralised Prüm framework for the exchange of data regarding DNA, fingerprints and vehicle registration19, recommending a feasibility study on moving towards a central routing component and possibly adding new functionalities. Concerning Advance Passenger Information (API), the Expert Group recommended that the Commission should undertake a feasibility study on a centralised mechanism for API including the need for a central router. The aim would be to enable interested Member States to have a one-stop-shop connectivity for airlines and providing API data both to national systems and to central systems (EES, ETIAS). Concerning the decentralised system established by the EU Passenger Name Record (PNR Directive)20, the Expert Group recommended a feasibility study on a central component for advance passenger information and passenger name record data as a technical support tool to facilitate the connectivity with air carriers. The aim would be to enable interested Member States to have a one-stop-shop connectivity for airlines and providing PNR data to national systems of Member States that implemented the PNR Directive. The Expert Group considered that this would strengthen the effectiveness of Passenger Information Units once Member States have implemented the EU PNR Directive.

This proposal therefore provides for the possibility that the Agency may also be tasked by a group of Member States to develop, manage and/or host a common IT system for them to jointly implement technical aspects of obligations deriving from EU legislation on decentralised systems in the area of freedom, security and justice subject to prior approval by the Commission and after a decision of the Management Board. This could be done by way of a delegation agreement between the Member States concerned and the Agency entrusting the latter with the above mentioned tasks and the corresponding budget. In such case the Agency shall charge Member States a contribution covering all relevant costs.

As was indicated in the Seventh progress report towards an effective and genuine Security Union the Commission has supported the work that at this stage a group of Member States undertakes to maintain e-CODEX, a system for cross border judicial cooperation and digital access to legal procedures. The Commission has taken note that these Member States consider that this is not a sustainable solution. At Council working group level, the Member States have examined different options and concluded that the best place to ensure maintenance and operability of the e-CODEX system would be eu-LISA. To explore the best solution, the Commission has launched an assessment of the impact of various options for the maintenance of e-CODEX. The result of this impact assessment will be available by autumn 2017.

the European Parliament and the Council on progress made in this technical analysis. Taking advantage of the exchanges with the European Parliament and the Council the Commission is working intensively to present, as soon as possible, a legislative proposal on interoperability. 19 Council Decision 2008/615/JHA (23.6.2008).

20

Addressing changes required by the adoption of the ECRIS- TCN proposal

Lastly, the proposal also reflects changes required by the adoption of the proposal for a Regulation of the European Parliament and of the Council establishing a centralised system for the identification of Member States holding conviction information on third - country nationals and stateless persons (T CN) to supplement and support the European Criminal Records Information System (ECRIS-TCN system)21 (he reinafter the ECRIS-TCN system).

As is the case for the other proposals entrusting new systems to the Agency, the ECRIS- TCN proposal will require changes to the eu - LISA Regulation. These changes need to be reflected both in the ECRIS-TCN proposal and in the Agency proposal. Should the ECRIS-TCN proposal be adopted before the Agency proposal the changes proposed in that text to the current eu - LISA Regulation will apply. Once the Agency proposal will be adopted those changes would be superseded by the ones contained in the Agency proposal. Dependent on the speed with which both proposals will be adopted they will be adapted during negotiations to ensure consistency between both texts when it comes to eu - LISA s tasks.

***

The new tasks/systems foreseen for eu - LISA will reinforce the confirmed added value of this Agency which has brought together three large-scale IT systems under one roof. This has enabled the pooling of expertise, harnessing of synergies and allowed a more flexible framework than was possible before the creation of the Agency when the systems were developed and managed by the Commission with certain tasks entrusted to public sector bodies in two Member States. The new tasks will also respond to the need for support by the Agency in order to ass ist Mem ber States where requi re d.

Whereas the initiative will have a direct impact on the Agency, its staff including the Executive Director, the Member States represented in the Management Board and Advisory Groups as well as the Commission services interacting with the Agency, it will - more broadly - benefit the Member States and the Agencies which are the end-users of the systems since the Agency will have an enhanced role with regard to future developments on IT systems in the area of freedom, security and justice and will provide support to Member States where required.

Consistency

with existing policy provisions in the policy area

This proposal builds on the existing eu-LISA Regulation which was subsequently amended in 2015 by Regulation (EU) 603/201322 in order to take into account the changes introduced by the Eurodac recast Regulation including access to Eurodac for law enforcement purposes. This proposal extends the mandate of the Agency to allow it to take over new tasks. The European Agendas on Security23 and on Migration24 set the direction for the development and

22

Proposal for a Regulation of the European Parliament and of the Council establishing a centralised mechanism for the identification of Member States holding conviction information on third-country nationals and stateless persons (TCN) to supplement and support the European Criminal Records Information System (ECRIS), and amending Regulation (EU) 1077/2011 (ECRIS-TCN system). COM(2017) 344, 29.6.2017.

Regulation (EU No 603/2013 of the European Parliament and of the Council on the establishment of Eurodac for the comparison of fingerprints for the effective application of {Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member States responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person}, and on requests for the comparison with Eurodac data by Member States' law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (recast). OJ L 180, 9.6.2013.


21

23

implementation of EU policy to address the parallel challenges of migration management and the fight against terrorism and organised crime. The European Agenda on Migration highlighted the importance of the full use of the SIS, VIS and Eurodac large-scale IT systems which can bring benefits to border management as well as to enhance Europes capacity to reduce irregular migration and return illegal migrants. It also noted that a new phase would come with the adoption of the proposal establishing an Entry/Exi t System (EES) which would strengthen the fight against irregular migration by creating a record of cross-border movements of thi rd - cou ntry nationals. The European Agenda on Security recalled that EU agencies play a crucial role in supporting operational cooperation. It encouraged Member States to make full use of the support of agencies to tackle crime through joint action and noted that increased cooperation between the agencies should also be promoted, within their respective mandates.

With this draft Regulation the Commission contributes to rendering border management more effective and secure and to reinforcing security and combatting and preventing crime by enhancing the role and responsibilities of eu - LISA with regard to existing and possible new large-scale IT systems on cooperation and information exchange in the area of freedom, security and justice and to support to Member States and to the Commission.

It also reflects and is fully consistent with the proposed amendments to the legislative instruments governing the development, establishment operation and use of the systems managed currently by eu-LISA and with the proposals entrusting it with future systems.

Consistency with other Union policies

This proposal is closely linked and complements other Union policies, namely:

(a) Internal Security. As was underlined in the European Agenda on Security, common high standards of border manage ment are essential to prevent cross-border crime and terrorism. This proposal further contributes to achieving a high-level of internal security by enabling eu-LISA to take on the development and operational management of possible new systems (EES, ETIAS and the ECRIS-TCN system) and related tasks which will effectively contribute to that end.

(b) The Common European Asylum System, insofar as the Agency operates Eurodac, DubliNet and will be entrusted with the development and operational management of the automated system for registration, monitoring and the allocation system of applications for international protection (Dublin recast proposal) as well as in terms of cooperation between the Agency and the [European Union Agency for Asylum] .

(c) External border management and security insofar as the Agency operates the SIS and VIS systems which contribute to the efficient control of the external borders of the Union and will be entrusted with the EES and ET IAS.

(d) Data protection insofar as this proposal ensures the protection by the Agency of the security of data in the central systems and the communication infrastructure.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis


24

This legislative proposal is based on Article 74, Article 77(2)a) and b), Article 78(2)e), Article 79(2)c), Article 82(1)d), Article 85(1), Article 87(2)a) and Article 88(2) of the Treaty on the Functioning of the European Union which provide the legal basis for amending the e u - LISA establishing Regulation and the systems legal instruments.

Article 74 of the TFEU provides for the adoption of appropriate measures to encourage and strengthen administrative cooperation between the relevant departments of Member States administrations. This constitutes an appropriate legal basis since the Agency will facilitate the communication and cooperation between the relevant departments of the Member States administrations in the areas mentioned above.

The operational management tasks entrusted to the Agency shall support the policy aspects underlying the SIS and VIS legislative instruments. In accordance with Articles 77(2)(b) and 79(2)(c) of the TFEU, which provide an appropriate legal basis for SIS II -related tasks of the Agency, the Agency shall technically cover matters related to checks on persons at external borders as well as measures in the area of illegal immigration and illegal residence, respectively. As for VIS matters, the Agency s activities shall technically support the procedures for issuing visas by Member States; it is therefore founded on Article 77(2)(a) of

the TFEU.

Regarding EURODAC matters, the operational management tasks entrusted to the Agency shall technically support the determination of which Member State is responsible for considering an application for asylum subm itted by a national of a third country in one of the Member States (78(2)(e) of the TFEU), the identification of illegally staying third - country nationals or stateless persons (Article 79(2)(c) of the TFEU), the collation, storage, processing, analysis and exchange of relevant information for law enforcement purposes (Article 87(2)(a) of the TFEU) and Europol's field of action and tasks with regard to Eurodac for law enforcement purposes (Article 88(2)(a) of the TFEU).

Article 82(1)(d) of the TFEU provides for the adoption of measures to facilitate cooperation between judicial or equivalent authorities of the Member States in relation to proceedings in criminal matters and the enforcement of decisions. In addition, Article 87(2)(a) of the TFEU provides that for the purpose of establishing police cooperation involving Member States competent authorities, measures concerning the collection, storage, processing, analysis and exchange of relevant information shall be adopted. These provisions constitute an appropriate legal basis for conferring upon the Agency tasks in this area.

Measures referred to in Articles 77(2)(a) and (b), 78(2)(e), 79(2)(c), 82(1)(d) and 87(2)(a) TFEU, shall be adopted in accordance with the ordinary legislative procedure. Therefore, the ordinary legislative procedure applies to the adoption of the Regulation as an integral whole.

Variable geometry

As the legal basis for this proposal for a Regulation is to be found in Title V of the Treaty on the Functioning of the European Union, it is affected by the variable geometry arising from the Protocols on the positions of the United Kingdom, Ireland and Denmark. This proposal for a Regulation builds upon the Schengen acquis and the provisions of the Eurodac related measures. Therefore the following consequences in relation to the various protocols and association agreements have to be considered.

Denmark:

Under Protocol 22 on the position of Denmark, annexed to the TEU and the TFEU, Denmark does not take part in the adoption by the Council of the measures pursuant to T itle V of the TFEU, with the exception of measures determining the third countries whose nationals must be in possession of a visa when crossing the external borders of the Member States, or

measures relating to a uniform format for visas". Given that this Regulation insofar as it relates to SIS and VIS, [EES] and [ETIAS] builds upon the Schengen acquis, Denmark shall, in accordance with Article 4 of that Protocol, decide within a period of six months of the date of adoption of this Regulation whether it will implement it in its national law. In accordance with the similar Article 5 of the predecessor Protocol on the position of Denmark, Denmark decided to implement Regulation (EC) No 1987/2006 and Regulation (EC) No 767/2008 in national law.

As far as this proposal concerns Eurodac [and the automated system for registration, monitoring and the allocation mechanism for applications for international protection referred to in Article 44 of Regulation (EU) XX/20XX establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast)]. However, in accordance with Article 3 of the Agreement between the European Community and the Kingdom of Denmark on the criteria and mechanisms for establishing the state responsible for examining a request for asylum lodged in Denmark or any other Member State of the European Union and Eurodac for the comparison of fingerprints for the effective application of the Dublin Convention25, Denmark is to notify the Commission whether it will implement the contents of this Regulation insofar as it relates to Eurodac [and the automated system for registration, monitoring and the allocation mechanism for applications for international protection referred to in Article 44 of Regulation (EU) XX/20XX establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast)]. Denmark applies the current Eurodac Regulation (EU) 603/2013 following a notification pursuant to this agreement.

[Insofar as it relates to the ECRIS-TCN system, in accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the TEU and the TFEU, Denmark does not take part in the adoption of this Regulation and is not bound by it nor subject to its application.]

United Kingdom and Ireland:

To the extent that its provisions relate to SIS II as governed by Regulation (EC) No 1987/2006 and VIS, and [EES] and [ETIAS] this proposal builds on the provisions of the Schengen acquis, in which the United Kingdom and Ireland do not participate, in accordance with Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen acquis and Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen acquis. Therefore, to the extent that its provisions relate to SIS II as governed by Regulation (EC) No 1987/2006 and VIS, [EES] and [ETIAS] the United Kingdom and Ireland are not bound by this proposed Regulation or subject to its application. The United Kingdom and Ireland may request to be authorised to take part in the adoption of this Regulation in accordance with Article 4 of the Protocol (No 19) on the Schengen acquis integrated into the framework of the European Union.

Insofar as its provisions relate to SIS II as governed by Decision 2007/533/JHA, the United Kingdom and Ireland are taking part in this Regulation in accordance with Article 5(1) of Protocol (No 19) on the Schengen acquis integrated into the framework of the European Union, annexed to the TEU and to the TFEU (Protocol on the Schengen acquis) and Article 8(2) of Council Decision 2000/365/EC of 20 May 2000 concerning the request of the United


25

Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen acquis and Article 6(2) of Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen acquis.

Insofar as its provisions relate to Eurodac, [and the automated system for registration, monitoring and the allocation mechanism for applications for international protection referred to in Article 44 of Regulation (EU) XX/20XX establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast))]the United Kingdom and Ireland may notify to the President of the Council their wish to take part in the adoption and application of this Regulation in accordance with Article 3 of Protocol (No 21) on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice annexed to the TEU and to the TFEU. The United Kingdom and Ireland are bound by Regulation (EU) No 603/2013 following their notice of their wish to take part in the adoption and application of that Regulation based on the Protocol (No 21) on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice.

[Insofar as its provisions relate to the ECRIS-TCN system, in accordance with Articles 1 and 2 and Article 4a(1) of Protocol (No 21) on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and the TFEU, those Member States are not taking part in the adoption of this Regulation and are not bound or subject to its application. In accordance with Article 3 and Article 4a(1) of Protocol 21, those Member States may notify their wish to take part in the adoption of this Regulation.]

Since the United Kingdom notified on 29 March 2017 its intention to leave the Union, pursuant to Article 50 of the Treaty on European Union, the Treaties will cease to apply to the United Kingdom from the date of the entry into force of the withdrawal agreement or, failing that, two years after the notification, unless the European Council, in agreement with the United Kingdom, decides to extend that period. As a consequence, and without prejudice to any provisions of the withdrawal agreement, this above-mentioned description of the participation of the UK in this proposal only applies until the United Kingdom ceases to be a Member State.

Norway and Iceland:

As regards Norway and Iceland, this proposal constitutes, insofar as it relates to SIS II and VIS, [to EES] [and to ETIAS] a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis26.

In parallel to the association of four non-Member States to the Schengen acquis, the Union also concluded agreements associating those countries to the Dublin-related measures including Eurodac. The agreement associating Iceland and Norway was concluded in 200127.

Switzerland:

As regards Switzerland, insofar as its provisions relate to SIS and VIS {EES} and {ETIAS} this proposal constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the European Union, the European Community and

26 OJ L 176, 10.7.1999, p. 36.

27 Agreement between the European Community and the Republic of Iceland and the Kingdom of Norway

7.

concerning the criteria and mechanisms for establishing the State responsible for examining a request


the Swiss Confederation on the latter's association with the implementation, application and development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation concerning the association of the Swiss Confederation with the implementation, application and development of the Schengen acquis28 which fall within the area referred to in Article 1, points A, B and G of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/146/EC29.

As regards the Dublin-related measures, the agreement associating Switzerland was concluded on 28 February 2008 and is applicable as of 12 December 200830.

Liechtenstein:

As regards Liechtenstein, insofar as its provisions relate to SIS and VIS {EES} and {ETIAS} this proposal constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis which falls within the area referred to in Article 1, point A, B and G of Council Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/261/EC31.

As regards the EURODAC {and Dublin} related measures, the agreement associating Liechtenstein was was concluded on 7 March 201132.

Common provisions for the countries associated with the EURODAC {and Dublin} related measures:

In accordance with the three above-cited agreements, the associated countries shall accept the EURODAC {and Dublin} related measures and its development without exception. They do not take part in the adoption of any acts amending or building upon the EURODAC related measures (including therefore this proposal) but have to notify to the Commission within a given time-frame of their decision whether or not to accept the content of that act, once approved by the Council and the European Parliament.

In order to create rights and obligations between Denmark – which as explained above has been associated to the EURODAC {and Dublin} related measures via an international agreement – and the associated countries mentioned above, two other instruments have been concluded between the former Community (now the Union) and the associated countries.33

8.

28 29 30


9.

31 32


OJ L 53, 27.2.2008, p. 52.

OJ L 53, 27.2.2008, p. 1.

10.

Council Decision of 28 January 2008 on the conclusion on behalf of the European Community of the


Agreement between the European Community and the Swiss Confederation concerning the criteria and

mechanisms for establishing the State responsible for examining a request for asylum lodged in a

Member State or in Switzerland, OJ L 53, 27.2.2008, p. 3.

OJ L 83, 26.3.2008, p. 3.

11.

Protocol between the European Community, the Swiss Confederation and the Principality of


Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the

European Community and the Swiss Confederation concerning the criteria and mechanisms for

establishing the State responsible for examining a request for asylum lodged in a the Member State or in

Switzerland, OJ L 160, 18.6.2011.

12.

Protocol between the European Community, the Swiss Confederation and the Principality of


Liechtenstein to the Agreement between the European Community and the Swiss Confederation

concerning the criteria and mechanisms for establishing the State responsible for examining a request

33

Subsidiarity

The proposal respects the principle of subsidiarity, as the objective of the proposed action, is to confirm the conferral of the operational management of Central SIS, Central VIS and the National Interfaces, Central Eurodac, their communication infrastructures, as well as other systems and to entrust new additional tasks on eu-LISA. These tasks cannot be achieved by the Member States individually and can be better accomplished by action at the level of the Union in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union.

Proportionality

The draft Regulation is intended to respond both to the recommendations of the evaluation and to the developments stemming from new challenges and realities faced by the Union both as regards migration management and internal security. It therefore reflects the new tasks of the Agency as regards proposed new systems in the area of freedom, security and justice. It also gives the Agency limited new tasks subject, where required, to the adoption of relevant legislative instruments.

The Agency, financed from the EU budget, is given the competences to manage only the central parts of SIS II, central parts of VIS and the national interfaces, the central part of EURODAC, as well as the respective communication infrastructures, without having responsibility for the data entered in the systems. Member States are competent for their national systems even if the Agency will be now given extended tasks for advice and support to Member States in specific cases. Therefore, the Agency's competences are kept to the minimum necessary for supporting effective, secure and continuous data exchange between the Member States. Confirming the Agency's establishment as dedicated structure for the management of large-scale IT systems in the area of freedom, security and justice and extending its mandate and tasks to the extent proposed is considered proportionate to the legitimate interests of users and the high-security, high-availability and mission-critical nature of the systems.

Choice of the instrument

Having regard to the fact that the Agency for the operational management of large-scale IT systems in the area of freedom, security and justice was established by means of a Regulation, the same legal instrument is also appropriate for this proposal.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER

Contents

1.

CONSULTATIONS


ANDIMPACTASSESSMENTS


Ex-post evaluations/fitness checks of existing legislation

In accordance with Regulation (EU) 1077/2011 within three years from 1 December 2012 the Commission, in close cooperation with the Management Board, performed an evaluation of the action of the Agency. The Commission evaluation was based on an external evaluation report carried out by Ernst & Young between March 2015 and March 2016 which covers the period from December 2012 to September 2015. The external evaluation report was published in March 201634. The Commission's Report on the functioning of the European Agency for

Agreement between the European Community, the Republic of Iceland and the Kingdom of Norway concerning the criteria and mechanisms for establishing the State responsible for examining a request for asylum lodged in a Member State or in Iceland or Norway OJ L 57, 28.2.2006, p.16. bookshop.europa.eu/is-bin/INTERSHOP.enfinity/WFS-

34

the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA)35 and the accompanying Commission Staff Working Document on eu-LISA evaluation are presented at the same time as this proposal. The results of the evaluation and its recommendations are summarised under point 1.

Stakeholder consultations

The Commission proposal is based on the evaluation referred to above which builds on consultations with relevant stakeholders. This included EU Member States, in particular the representatives in the Management Board and Advisory Groups; Schengen and Dublin/Eurodac Associated Countries; European Parliament; Council of the European Union; European Data Protection Supervisor; European Court of Auditors; EU Agencies, in particular CEPOL, Frontex, EASO, Europol, Eurojust, FRA; and the eu-LISA contractors.

In addition, the Commission has consulted the Agency on their recommendations for possible amendments to the establishing Regulation which could derive from technical developments and requested it to carry out short impact assessments to justify such changes.

As foreseen by the Regulation, the Management Board of the Agency was consulted on the recommendations by the Commission to amend the Agency Regulation. As explained under point 1 the Commission has taken over to the extent possible the recommendations of the Board in particular to extend the mandate of the Agency as regards research, to extend the mandate of the Chairs of the Advisory Groups and to provide for the possibility to use the site of Sankt Johann im Pongau to operate the systems simultaneously in an active mode. The opinion of the Management Board on the recommendations of the Commission is annexed to the above mentioned Commission report.

Collection and use of expertise

The independent external evaluation of the Agency was carried out by Ernst & Young which used its long-standing experience and expertise to carry out the evaluation of the Agency and did an extensive consultation of stakeholders. It also took into account eu-LISA reports on the technical functioning of SIS II and VIS and annual reports on the activities of the Central Unit of Eurodac and the Commission overall evaluation reports on VIS and SIS II.

Impact assessment

The proposal is based to a large extent on the results and recommendations of the independent external evaluation report referred to under point 1.

No impact assessment was carried out since the evaluation concluded that the amendments are essentially technical in the sense that they are either required to improve the functioning and operational effectiveness of the Agency or because of other legislative and policy developments i.e. entrusting it with new systems or tasks. On the one hand, these amendments would extend the mandate of the Agency in a limited way and do not entail significant impacts. On the other, and with regard to those amendments which derive from legislative or policy developments, the Commission has no discretion on policy choices since the relevant changes are imposed by those same developments.

Fundamental rights

This proposal respects the fundamental rights and observes the principles set out in the Charter of Fundamental Rights of the European Union. It enlarges the scope of tasks and responsibilities of the Agency, in particular by entrusting it with new large-scale IT systems in


35

the area of freedom, security and justice. Its impact on fundamental rights is however limited as the Agency has proved to effectively ensure the operational management of SIS, VIS and Eurodac as well as the new tasks entrusted to it while respecting fundamental rights and in particular Article 8 on the protection of personal data. The new proposed systems that will be entrusted to the Agency will include in accordance with the relevant legislative instruments appropriate safeguards in terms of data protection that will have to be ensured by the Agency.

The proposal is thus in line with Articles 2 and 6 of the Treaty on European Union and with the Charter of Fundamental Rights of the European Union.

4. BUDGETARY IMPLICATIONS

The subsidy for the Agency for the operational management of large-scale IT systems in the area of freedom, security and justice already forms part of the Union s budget. The present proposal widens the scope of tasks of the Agency. Whilst any new system entrusted to it will be subject to a specific legislative act based on Title V TFEU which will also allocate the necessary budget for its development and operational manage ment, other new tasks envisaged in this proposal require specific resources and budget as described more in detail in the legislative financial statement annexed to this proposal.

This is the case for the tasks concerning the communication infrastructure of the SIS which will be transferred to the Agency, the tasks deriving from the Communication on Stronger and Smarter Information Systems for Borders and Security of 6 April 2016 and the Com missi on's Seventh progress re po rt towards an effective and genuine Security Union of 16 May 2017. Budget should also be foreseen to cover the Agency s new tasks to provide advice and ad-hoc support to Member States and to provide assistance to the Commission s services on technical issues related to existing or new systems, where required.

The extension of tasks concerning research as regards the implementation of the parts of the Framework Programme for Research and I nnovation which relate to large- scale IT systems in the area of freedom, security and justice should be covered by the Union contribution foreseen in the relevant i nstrument of delegation from the Commission to the Agency.

The possibility for a group of Member States to entrust eu - LISA to develop, manage and/or host centralised solutions for the implementation of technical aspects of obligations deriving from EU law on decentralised systems should be fully financed by contributions to be paid by the relevant Member States covering all relevant costs.

For the Agency to adequately address its new tasks as foreseen in this proposal, from 2018 to 2020 an amount of EUR 78,354 million will need to be added to the Agency s Union subsidy and an additional 52 posts during the same period, will be necessary, including 23 establishment plan posts (temporary agents), 2 contract agents, 2 seconded national experts and 25 contract agents following the insourcing of interim staff. This amount does not include the budget required for the new systems which is foreseen under the relevant legislative proposals nor that required for the proposals amending existing systems. The detailed breakdown per year and per system is provided under section 3.2.2. of the legislative financial statement annexed to this proposal.

5. OTHERELEMENTS

Monitoring, evaluation and reporting arrangements

eu-LISA has a number of duties to report on its activities and to monitor its work. Most im portantly the Agency must compile a consolidated annual activity report of the Agency s activities for the previous year comparing, in particular, the results achieved with the objectives of the annual work programme.

One of the tasks of the Executive Director is to establish and implement an effective system enabling regular monitoring and evaluations of large-scale IT systems and of the Agency, including the effective and efficient achievement of its objectives.

The Agency will have an enhanced role for the production of statistics related to the systems it operates. It is also responsible for the publication of system related statistics. The detailed provisions in this regard will be foreseen in the specific legislative instruments governing the different systems.

The Management Board will adopt every two years the reports on the technical functioning of SIS and VIS required by the legislative instruments governing these systems as well as the annual report on the activities of the Central System of Eurodac. It will also adopt the development reports and the reports on the technical functioning of the new systems entrusted to it.

The Commission must conduct an evaluation the Agency s work not later than five years from the entry into force of this Regulation and every five years thereafter. The Commission shall report to the European Parliament, the Council and the Management Board on the evaluation findings. The Executive Director will ensure adequate follow-up to the findings and recommendations stemming from the evaluation.

Furthermore, the European Parliament and the Council may also invite the Executive Director to report to those institutions as to the carrying out of his or her tasks and the Executive Director shall also be invited to make a statement before the European Parliament and answer questions from the competent Committee members before appointment and before the extension of his/her mandate.

The key role of the Agency for the operational management of large-scale IT systems in the area of freedom, security and justice is and should continue to be to ensure the operational management of existing large-IT systems in this policy area and to prepare, develop and manage new systems if so provided by relevant legislative instruments based on Articles 69 to 89 TFEU. In particular, the following systems will have to be developed in the short term by the Agency: the EES and the ETIAS syste ms subject to the adoption of the relevant legislative instruments. However, the first evaluation of the Agency showed that it is necessary to extend the mandate of the Agency. In order to take account of the recommendations of the evaluation as well as further legal, policy and factual developments as summarised in point 1 this proposal sets out the following elements reinforcing the role the Agency as compared to its mandate of the Agency under Regulation (EU) 1077/2011.

Extending the mandate of eu-LISA

Article 1: T his provision now li sts the com petencies of the Agency. In particular it provides that the Agency may be made responsible for the following new tasks:

the preparation, development and operational management of the Entry/Exit System

(EES)36, DubliNet37, the European Travel Authorisation System (ETIAS)38, the

13.

The amendments concerning EES have been foreseen in the EES proposal. They might be subject to


36

automated system for registration, monitoring and the allocation mechanism for applications for international protection39 and the ECRIS-TCN system40 (subject to the adoption of the relevant legislative instruments);

14.

ensuring data quality in accordance


with Article 8;

developing the necessary actions to enable interoperability in accordance with

Article 9;

providing support to Member States and the Commission in accordance with Article 12.

Specific tasks for new systems (these tasks are subject to the adoption of the relevant legislative instruments)

Article 5a refers to the tasks relating to the Entry/Exit System which the Commission proposed on 6 April 201 6 and is currently under negotiation by the co-legislators.

Article 5b refers to the tasks relating to the European Travel Information and Authorisation System. The ETIAS proposal adopted on 16 November 2016 is envisaged to be adopted in the autum n of 2017.

Article 5d refers to the tasks relating to the automated system for registration, monitoring and the allocation mechanism for applications for international protection (Dublin allocation system). The Dublin recast proposal adopted on 4 May 2016 is currently under negotiation by the co-legislators.

Article 5e refers to the tasks relating to a centralised system for the identification of Member States holding conviction information on th ir d - c ountry nationals and stateless persons (TCN) to support the European Criminal Records Information System (ECRIS) (ECRIS-TCN system). The ECR IS-TCN syste m proposal was adopted on 29 June 2017.

Transfer of the Commission tasks related to the Communication infrastructure of SIS and VIS to the Agency

Article 7 is adapted to reflect the transfer to the Agency of the tasks of the Commission relating to the communication infrastructure between the central system and the Uniform National Interface in each Member State enabling the connection of the SIS and VIS central systems to the national infrastructures in Member States. It will also clarify that the transfer will not be done for those systems using the EuroDomain (currently only Eurodac) which is a secured telecommunications infrastructure provided by TESTA-ng (Trans- Europea n Services

38

15.

The amendments to the eu-LISA Regulation concerning DubliNet have been foreseen in the Eurodac


recast proposal and are subject to the adoption of that proposal. The operation of DubliNet was already

entrusted to the Agency by way of a service level agreement between the Directorate General Home

Affairs and eu-LISA on 31.7.2014.

16.

The amendments to the eu-LISA Regulation on ETIAS have not been foreseen in the ETIAS proposal


but could be inserted during the negotiations of the text. In any event they are subject to adoption of that

proposal.

17.

The amendments to the eu-LISA Regulation have not been inserted in the Dublin recast proposal and in


any event will be subject to adoption of that proposal.

18.

The amendments to the eu-LISA Regulation have been inserted in the ECRIS-TCN proposals and are


37

39

40

for Telematics between Administrations)41 operated and financed by the Commission and therefore no contractual tasks or budget will be transferred to eu-LISA in the near future.

Ensuring Data Quality

Article 8 gives the Agency the task of establ ishing automated data quality control mechanisms and common data quality indicators and developing a central repository for reporting and statistics subject to specific legislative amendments to existing systems instruments and/or to specific provisions in new instruments.

Developing the necessary actions to enable interoperability

Article 9 gives the Agency the task of developing the necessary actions to enable interoperability of the systems, subject where required to the adoption of the relevant legislative instruments.

Extension of the tasks of eu- LISA concerning research

Article 10 extends the scope of the mandate of the Agency with regard to research. In particular it gives eu- LISA the task of implementing the parts of the Framework Programme for Research and Innovation which relate to IT systems in the area of freedom, security and justice.

Extension of the scope of pilot projects

Article 11 extends the scope of the pilot projects that can be entrusted to eu-LISA. The Agency may be entrusted by the Commission with budget implementation tasks for proofs of concept funded under the instrument for financial support for external borders and visa foreseen under Regulation (EU) No 515/2014 by way of a delegation agreement. The Agency may also plan and im pl em ent testi n g activities on matters covered by this Regulation and the legislative instruments governing the development, establishment, operation and use of all large-scale IT systems managed by the Agency, after a decision of the Management Board.

Providing support to Me mber States and the Com m iss ion

Article 12 provides that the Agency may be requested to provide advice to Member States with regard to the national systems connection to the central systems and ad-hoc support to Member States. The Agency may also be requested to provide advice and/or support to the Commission on technical issues related to existing or new systems including by way of studies and testing.

Article 12 further provides that the Agency may be tasked to develop, manage and/or host a common IT system by a group of at least six Member States opting on a voluntary basis for a centralised solution assisting them in implementing technical aspects of obligations deriving from EU legislation on decentralised IT systems in the area of freedom, security and justice, subject to prior approval by the Commission and after a decision of the Management Board. In such case the Member States will entrust the Agency with the abov em entione d tasks by way of a delegation agreement including the conditions for the delegation and setting out the calculation of all relevant costs and the invoicing method.

Extension of

19.

possible use of the backup site for active operation of systems


TESTA-ng is a project developed in the form of a network service on the basis of Article 3 of Decision No 922/2009/EC of the European Parliament and of the Council of 16 September 2009 on

4

Article 13 provides for the possibility of using the backup site in Sankt Johann im Pongau simultaneously for active operation of the large-scale IT systems operated by the Agency provided that it is also capable of ensuring their operation in case of failure of the system. Any further specificities of the use of the backup for each system shall be foreseen in the specific systems legislative instruments.

Added tasks for the Management Board

Article 15 clarifies the tasks to be assigned to the Management Board, in order to reflect among other things on its responsibility to give the general orientations for the agency s activities. Article 15 is completed to align its provisions with the Common Approach annexed to the Joint Statement of the European Parliam ent, the Counc il of the European Union and the European Commission on decentralised agencies of 19 July 2012. It is also amended in order to insert a new obligation for the Management Board to adopt an interim report by the end of August each year on progress on the implementation of planned activities covering the first six months of that same year; to reflect developments related to the new Financial Regulation42 and Framework Financial Regulation43 and to reflect new tasks for the Management Board resulting from entrusting it with additional systems.

Amendments with regard to the Management Board

Article 18 extends the mandate of the Chair of the Management Board from two to four years which may be renewed once in line with the Common Approach.

Article 19 has been completed by providing for the possibility for certain EU agencies to attend the meetings of the Management Board when a question concerning a new system to which they have access as end user under the relevant legislative instruments once adopted is on the agenda.

Amendments with re ga rd to the tasks and mandate of the Executive Director

Article 21 clarifies the tasks of the Executive Director in order to reflect her or his responsibility for the admini strativ e management of the agency and for the implementation of the duties assigned to the agency. Article 21 is com pleted in line with the Common Approach and in order to take into account new tasks deriving from the adoption of legislative instruments entrusting new systems to the Agency. The obligation for the Executive Director to submit to the Management Board the draft for the terms of reference for the evaluation has been suppressed.

Article 22 provides that the mandate of the Executive Director may be extended for no more than five years in line with the Common Approach, instead of for up to three years as is currently the case.

Amendments concerning the Advisory Groups (subject to adoption of relevant legislative instruments)

Article 23 provides for the establishment of Advisory Groups foreseen in relevant legislative proposals for EES, ETIAS and the ECRIS-TCN system.

Regulation (EU, Euratom) No 966/2012 on the financial rules applicable to the general budget of the Union and repealing Council Regulation (EC, Euratom) No 1605/2002, L 298, 26.10.2012, p. 1. Commission Delegated Regulation (EU) No 1271/2013 of 30 September 2013 on the framework financial regulation for the bodies referred to in Article 208 of Regulation (EU, Euratom) No 966/2012

42

43

Requirement for prior approval by the Commission of security rules based on Commission legislative instruments

Article 33 introduces an obligation for the security rules of the Agency on the protection of classified information and non - c lass ified sensitive information based on Commission rules to be adopted by the Management Board following approval by the Commission.

Amendment to the Article on evaluation

Article 35 is amended to clarify that the Commission will assess the Agency s work and report to the European Parliament, the Council and the Management Board on the evaluation findings. The evaluation will take place every five years instead of every four years as is the case now to align with the Common Approach on decentralised agencies.

Insertion of a provision on cooperation with Union institutions, bodies offices and agencies

Article 37 establishes the rules on cooperation with Union institutions, bodies, offices and agencies, in particular with those established in the area of freedom, security and justice.

Alignment of the budget provisions to delegated Regulation (EU) No 1271/2013

Articles 39 to 42 are aligned to the provi sions of Co mm iss ion delegated Regulation (EU) No 1271/2013 on the framework financial regulation for the bodies referred to in Article 208 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council44, as reflected in the Agency's Financial rules.

Insertion of a provision on prevention of confli cts of inter est

Article 43 requires the Agency to adopt internal rules to avoid conflicts of interest.

Chapter VI concerns amendments to other Union instruments

In Articles 46 and 47, amendments are proposed to the SIS II legal instruments in order to reflect the transfer of the Commission tasks related to the communication infrastructure of SIS to the Agency. This amendment is not necessary with regard to the VIS Regulation, since the EES proposal provides an amendment to Article 26(2) of the VIS Regulation in the sense that the Management Authority (the Agency) shall become responsible for the tasks of the Commission concerning the communication infrastructure six months after the entry into force of the EES Regulation. As regards Eurodac, no change is needed since the communication infrastructure of Eurodac is covered by EuroDomain, operated and financed by the Commission, and therefore no contractual tasks or budget will be transferred to eu-LISA in the near future. Provided the legislative instrument is adopted by the co - le g isl ators, the ECRIS-TCN system will also use the EuroDomain infrastructure and therefore the Commission will be responsible for the implementation of the budget, the acquisition and renewal and contractual m atters of the ECRIS-TCN communication infrastructure.

Following adoption of this proposal, the Memorandum of Understanding between the European Commission and the Agency for the operational management of large-scale IT systems in the area of freedom, security and justice , should be amended by agreement

20.

44 45


OJ L 328, 7.12.2013, p. 42.

Commission Decision of 11.6.2014 on the adoption of a Memorandum of Understanding between the European Commission and the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, C(2014) 3486 final. The MoU entered into force on

between the Commission and eu-LISA to reflect the above mentioned changes to the systems' legislative instruments with regard to the communication infrastructure.