52009DC0473

[pic] | COMMISSION OF THE EUROPEAN COMMUNITIES |

Brussels, 15.9.2009

COM(2009) 473 final

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

ON THE DEVELOPMENT OF THE VISA INFORMATION SYSTEM (VIS) IN 2008 (submitted in response to the obligation under Article 6 of Council Decision 2004/512/EC)

Report from the Commission to the European Parliament and the Council on the development of the Visa Information System (VIS)

Progress Report Janu ary – December 2008 (COM (2009)473)

TABLE OF CONTENTS

1. Introduction 3

2. Project status 3

2.1. Progress during the period under review 3

2.1.1. Legal framework for the VIS 4

2.1.2. Rescheduling the VIS 4

2.1.3. Development of the Central System - deliverables 5

2.1.4. Development of the Biometric Matching System (BMS) 5

2.1.5. Site Preparations and Network 6

2.1.6. Testing and related deliverables 6

2.1.7. National Planning and coordination 7

2.1.8. Friends of VIS 8

2.1.9. Roll-out to consular posts and border crossing points 8

2.2. Commission project management 8

2.2.1. Planning and budget 8

2.2.2. Risk management 9

2.2.3. Project management board (PMB) 9

2.3. SIS II Committee meetings 9

2.3.1. SISVIS Committee 9

2.3.2. Change Management Board (CMB) 10

2.3.3. Test Advisory Group (TAG) 10

2.3.4. VIS Mail Expert Group (VIS MEG) 10

3. Conclusions and Perspectives 10

1. INTRODUCTION

This is a report on the work carried out by the Commission in 2008 (January – December 2008) on the development of the Visa Information System (VIS). It is the fifth progress report[1] presented by the Commission to the Council and the European Parliament in accordance with Article 6 of Council Decision 2004/512/EC of 8 June 2004 establishing the Visa Information System (VIS)[2]. This decision provides that the Commission, assisted by the SIS II Committee[3], is responsible for developing the VIS, whereas the national systems shall be adapted and/or developed by the Member States. In 2007, the SISVIS Committee[4] was established to assist the Commission in the exercise of its implementing powers for matters relating to the operational phase of both the SIS II and VIS projects. The first meeting of the VIS formation of the SISVIS Committee took place in November 2008, following the entry into force of Regulation (EC) 767/2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation)[5] .

2. Project status

2.1. Progress during the period under review

Summary of main activities

At the end of the reporting period pre-Compliance Testing with several Member States was underway in the second phase, after successful completion of the Factory Acceptance Test (FAT).

A "Friends of VIS" group was established under the French Presidency to follow up national VIS projects and provide a link between ministerial and expert levels, ensuring that Member States' developments are also followed up closely.

The Change Management Board (CMB) was established in March 2008 to maintain stable specifications and to give advice about any change requests brought forward that impact the technical specifications of the VIS.

The Test Advisory Group (TAG) was also established for the purpose of discussing and agreeing all testing-related issues with Member States.

During the period under review, several changes to the VIS and Biometric Matching System (BMS) were requested for implementation before the Operational Systems Test (OST). It became clear that additional time would be necessary to implement these changes. On advice from the "Friends of VIS", COREPER agreed in December 2008 that the VIS project shall be rescheduled to take account of these final changes to the system, whilst ensuring that VIS retains a start of operations date in 2009[6].

2.1.1. Legal framework for the VIS

Although political agreement was achieved between the European Parliament and the JHA Council on the "VIS legislative package", consisting of the Regulation concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas[7] (VIS Regulation) and a third pillar Council Decision[8] in June 2007, the legal instruments were only formally adopted in June 2008, after two parliamentary reservations were lifted.

Regulation (EC) No 767/2008 defines the purpose and functionalities of the VIS and the responsibilities for this system. It also establishes conditions and procedures for the exchange of data between Member States on applications for short-stay visas and on the decisions taken in relation thereto. The data to be processed in the VIS include alphanumeric data, photographs and fingerprints of the visa applicant, in order to ensure reliable verification and identification of individuals.

Council Decision 2008/633/JHA concerns access for consultation of the Visa Information System (VIS) by designated authorities of Member States and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences.

Both legal instruments were published in the Official Journal on 13 August 2008 and entered into force on 2 September 2008.

The adoption of the aforementioned legal instruments meant that technical specifications could be finalised and the development, carried out on the basis of the politically agreed legal draft in 2007, could continue as planned according to the new schedule. Before the VIS can begin operations, however, the Common Consular Instructions[9] and Schengen Borders Code[10] must also be amended to take into account VIS operations at consular posts and border crossing points, respectively. Political agreement was reached on both amending legal instruments at the end of the reporting period. The proposal for a Visa Code[11] also continued to be discussed throughout the reporting period but has not yet been adopted.

2.1.2. Rescheduling the VIS

According to the revised schedule agreed in September 2007, taking into account all technical changes to be made to the central system resulting from the adoption of the legal basis, the Central VIS was due to be ready for operations in June 2009. Work towards this deadline continued throughout the reporting period and this schedule was strictly followed and nearly all milestones were achieved in accordance with the agreed plan. During discussions with Member States experts in the VIS National Project Managers and at the Change Management Board (see section 2.3), Member States submitted a number of requests for changes[12] that would impact the development of the VIS and BMS and require an update of technical specifications. In November, the CMB recommended implementing these changes before the VIS becomes operational and the SIS II Committee agreed this approach. Since the changes would impact the development of the VIS by six months as assessed by the Main Development Contractor, the recommendations of the CMB and SIS II Committee were forwarded to the "Friends of VIS" group for discussion and orientation. In their first meeting in December, the group confirmed the Member States' unanimous desire to implement these changes before VIS begins operations. During their last meeting in 2008, the COREPER asked the Commission to prepare a detailed updated schedule for the VIS, which would include the above-mentioned changes and move the date of operations to the end of 2009.

2.1.3. Development of the Central System - deliverables

Development of several iterations of main deliverables and many testing deliverables[13] continued throughout the reporting period. The full functional Detailed Technical Specifications were accepted in April along with the Interface Control Document (ICD),[14] and the functional and architectural specification baseline was frozen. As planned, the final version of the Detailed Technical Specifications (DTS) that comprised the functional specifications, architectural aspects as well as technical specifications was received at the end of September. Since the agreement was obtained during 2008 to implement the requested changes, the DTS and ICD will need to be updated to reflect these changes. The second release of the CD simulator based on ICD/XSD 1.76 was provided to Member States in October and contained corrections after the Factory Acceptance Test (FAT) campaign, which was conducted and completed successfully in September.

2.1.4. Development of the Biometric Matching System (BMS)

After political agreement was achieved between the Council and European Parliament on the VIS Regulation and the related Decision, the Main Development Contractor conducted an analysis of the system development work needed to ensure that VIS is fully compatible with the legal framework and that it can interface with the BMS. The suspension of the BMS contract[15] was lifted on 1 April, after which the BMS environment was connected to VIS in order to carry out the Factory Acceptance Test (FAT).

Software kits for biometric functionalities were also immediately delivered to Member States. During the year, Member States received software kits for use in their fingerprint capture devices and made use of the BMS web portal for their national biometric implementation. In 2008 several visits were made by a number of invited groups to the BMS Showcase/ Demonstrator which simulates the use of VIS at consular posts and at border-crossing points. Member States delegations, Members of the European Parliament and Commission Vice-President Barrot with members of his Cabinet were shown the practical aspects and workflow of biometric visa applications in a mock-up setting.

Draft implementing measures laying down the technical specifications for the resolution and use of fingerprints for biometric identification and verification complementing the minimum specifications set by Commission Decision 2006/648/EC were prepared in 2008. They are due to be discussed in the SISVIS Committee in 2009.

The first part of the BMS Systems Solutions Test was completed at the end of the reporting period, but accuracy and performance testing will continue in 2009. Preparations for subsequent testing and the development of tools continued. A guide to BMS fingerprints Best Practices was developed and distributed to Member States in the last VIS National Project Managers' meeting of 2008.

2.1.5. Site Preparations and Network

The VIS Central Unit and Backup Central Unit were installed at both sites in Strasbourg (France) and St. Johann im Pongau (Austria) in February. The connection between the Central Unit and Backup Central Unit was made on 1 April, ahead of the expected contractual deadline. Installation of the hardware at both sites started as planned and was finalised at the end of July.

Network installation was launched in January 2008 when a site survey questionnaire was sent to all Member States. All 48 site visits were completed by March and the delivery of circuits continued throughout the spring, although six sites were placed on hold at the request of MS until the end of the year. The network installation was fully completed by the end of June as planned for all Member States' sites except for four main sites and five backup sites, mostly due to the lack of room readiness.

The Commission Decision 2008/602/EC laying down the physical architecture and requirements of the National Interfaces and of the communication infrastructure between the Central VIS and the National Interfaces for the development phase was adopted by the Commission on 17 June 2008.

2.1.6. Testing and related deliverables

Major preparations for testing Central VIS and for tests with Member States that will start in early 2009 took place during the reporting period. Member States designated testing managers in April. Six Member States were identified who will be the first to carry out Compliance Tests and will participate in the Operational Systems Tests (OST)[16]. Another nine will also be needed to carry out the Provisional System Acceptance Test (PSAT)[17]. The Member States who will participate in OST were ready with their network connections in June and some had completed their national system development in late September, when pre-compliance testing began on the VIS Playground. Since early October, the testing environment includes all BMS functionalities. At the end of the reporting period, the six OST countries had basic connectivity and were preparing to perform application connectivity tests. Three OST MSs had successfully completed their Compliance Tests by the end of 2008. In parallel, the functional tests of the SST had begun, followed by performance tests. Following the approval of the change requests, some of the testing phases will be rescheduled. A second iteration of the System Solution Tests (SST) will be carried out after the requested changes have been implemented, followed immediately by the OST and concluding with the PSAT, with a view to declaring the VIS ready for operations in late December 2009.

The first version of the Factory Acceptance Test (FAT) Test Design Description (TDD) was received and sent to Member States in January 2008. Member States provided functional test cases to be included in the FAT TDD later in the year. The FAT itself began on 6 August and was carried out in four campaign cycles until 29 September. The final version of the FAT TDD (2.0) delivered in October incorporated the corrections performed during the FAT tests and was used as the basis for preparing the functional SST.

The Compliance Test Protocol (CTP) was updated according to the politically-agreed legal framework and integration with the BMS, and a new version was delivered in March. The final version (2.10) was made available to Member States in April. The CTP is used as a reference document to specify the compliance tests and to develop the Test Design Description for the Compliance Tests (CT TDD). The CT TDD describes in detail all the tests related to Member States' Compliance Testing, following the FAT TDD, and was delivered in October. The Test Plan version 2.30 was accepted in July.

The first draft of the SST non-functional TDD was received in April. This deliverable was extensively commented by Commission services and Member States in a formal review period lasting several months. A few intermediate versions were submitted but version 1.00 of the SST TDD was made available to Member States in September. Non-functional and functional versions were reviewed throughout the second part of the year, and the SST functional tests began in December. Test cases will be re-executed wherever there is any discrepancy found with the TDD.

2.1.7. National Planning and coordination

During the reporting period, ten Working Group meetings for the Member States’ National Project Managers (NPM) were organised by Commission services in the framework of the SIS II Committee, in order to discuss planning issues, risks and activities at central and national project levels. A separate Test Advisory Group (TAG) was also established to support the work of the SIS II Committee, in addition to the Change Management Board (CMB) and VIS Mail expert group. The latter groups were established to discuss specific aspects concerning testing, changes to the system specifications, and the development of the VIS Mail communication mechanism, respectively.

Apart from the availability of the central VIS, the key dependency for the system becoming operational is the progress of national projects. The state of progress varies between the Member States, due to different circumstances at national level. The monthly reporting by Member States for these meetings has enhanced the quality, consistency and usefulness of the information available on their national projects. In 2008, progress was reported by Member States in their monthly progress report according to their status as OST countries, PSAT countries and other Member States. Progress was reported against six different milestones, including readiness to connect to the network and playground, to carry out compliance tests, prepare consular posts in North Africa and to carry out testing with VIS Mail. Commission services also received information on progress at national level in countries that will fully apply the Schengen acquis at a later stage. Most Member States consistently reported their progress as being on time to achieve these milestones, but it is apparent that a number of Member States are encountering difficulties with the development of their national systems. Due to the varying degrees of preparation among Member States, there is a risk that some Member States may not be ready with their national systems to carry out testing activities and connect to the central system in line with the agreed schedule.

2.1.8. Friends of VIS

At the SCIFA meeting of September 2008 a group comprising Member States' senior officials nominated by the relevant Minister was mandated to follow the national VIS projects until the VIS begins operations, ensuring that inter alia Member States make the necessary arrangements to ensure that their visa authorities (or another Member State on their behalf) collect and transmit the visa application data to the VIS, according to the regional rollout.

The first meeting of the group took place in December in Paris under the French Presidency. At this meeting, the group discussed the four change requests to be implemented before the OST, in addition to consular cooperation, regional deployment, project organisation and support to the Member States. The group gave advice to COREPER to approve the changes requested by the Member States, provided that there are no further requests until VIS goes live. This will impact the VIS implementation schedule by six months. The Friends of VIS will also help to coordinate the regional rollout of VIS, the business processes and workflow organisation at consular posts and border crossing points, public relations (all stakeholders) and statistics and reports. In cooperation with the Commission, the group will also develop and follow up a checklist of Member States' activities related to all technical, consular and border preparations.

2.1.9. Roll-out to consular posts and border crossing points

According to the draft amendment of the Common Consular Instructions, Member States shall collect biometric identifiers comprising the facial image and ten fingerprints from visa applicants at their consular posts. In preparation for rollout to consular posts, the pilot project for the capture, storage and verification of biometric data from visa applicants (BIODEV II) has continued to run throughout the reporting period and has in fact been extended until the end of March 2009. The project extension comprises half of the original BIODEV II participants (France, Belgium, Germany and Austria). Results so far have shown that obtaining good quality fingerprints from visa applicants requires extensive training of operators and possible re-capture of sets several times in order to reduce failure to enrol rates.

According to the amended Schengen Borders Code, Member States should be ready to use the VIS at all external border crossing points for verifications against the VIS of all visa holders twenty days after VIS goes live in the first consular region. Council Conclusions under the UK Presidency defined that the first consular region shall be North Africa and that VIS rollout thereafter should be completed over the course of two years in determined regions, the order of which is to be determined in comitology.

2.2. Commission project management

2.2.1. Planning and budget

The total commitment appropriations in the 2008 general budget amounted to € 20 million, of which €2,000,000 were put into the reserve. The main components of expenditure during 2008 were the preparation of additional features for biometrics, external assistance for project management and quality assurance, exploitation costs for the development phase, and changes to the VIS (due to developments with the legal texts and Member State change requests). 88.21% of the total VIS appropriations were committed and 95.13% of payment appropriations had been paid by the end of the reporting period. The budget line for the VIS is 18.02.05.

Commitment and Payment appropriations 2008

Available commitment appropriations | Consumed | Total % | Available payment appropriations | Consumed | Total % |

€18,745,376.30 | €16,535,020.04 | 88.21 % | 14,657,396.30 | 13,943,795.81 | 95.13 % |

2.2.2. Risk management

In accordance with best practice, the project risks are identified, assessed and monitored on an ongoing basis within three risk logs. The Main Development Contractor assesses risks for activities within the scope of its contract (development of the central system, provision of support and training). The Member States monitor risks relating to their national projects. Commission services also assess the global project risks, comprising e.g. the tasks of the main development contractor, the national projects, preparation of the operational sites and adoption of the legal instruments. The risks are divided into high, medium and low exposure risk levels. The Commission discusses risks with the Member States on a regular basis during the NPM meetings and also in the Project Management Board (PMB).

During the reporting period, the most critical risk identified was the risk of the Main Development Contractor not being in a position to present their deliverables with the required level of quality within the timeframe of the agreed schedule. Another critical risk was that of the additional change requests and delays with national systems. A third major risk was the chance that functional changes to the VIS would be caused by the amendment of the Common Consular Instructions. Other risks on the contractor's side include synchronisation during testing phases and release management between VIS and BMS. A risk linked to the Member States concerns readiness for the test phases. The Commission and the Main Development Contractor work closely together to mitigate these risks and their impact on the project.

2.2. 3. Project management board (PMB)

In 2008, the PMB met ten times to discuss project management issues and risks with project stakeholders, the main development contractor and the quality assurance contractor, in addition to the previous and forthcoming Member State Presidencies.

2.3. SIS II Committee meetings

There were seven meetings of the SIS II Committee in 2008 during which progress with the development of the VIS was discussed.

In addition to regular SIS II Committee meetings, VIS working groups composed of Member States’ experts and project managers (NPM) are organised by Commission services to discuss detailed technical issues and to provide a state-of-play on the central project (see Section 2.1.7).

2.3.1. SISVIS Committee

In 2008, the SISVIS Committee[18] was established to assist the Commission in the exercise of its implementing powers for matters relating to the operational phase of both the SIS II and VIS projects. Unlike the SIS II Committee, both projects are not included on one agenda, but Member State experts meet in different formations. Once the VIS Regulation entered into force, the first meeting of the SISVIS Committee in VIS formation could be convened. This took place in November and discussed the rules of procedure and the draft VIS Mail specifications. It will remain responsible for taking comitology decisions related to implementing rules throughout 2009.

2.3.2. Change Management Board (CMB)

The CMB was established during the reporting period as an advisory working group of the SISVIS Committee (VIS formation). It makes recommendations on the configuration management of VIS during the development phase, including testing, for subsequent discussion in the VIS NPM meeting and will report to the SISVIS Committee (VIS formation).

2.3.3. Test Advisory Group (TAG)

The TAG was established during the reporting period as an advisory working group of the SISVIS Committee (VIS formation). The TAG ensures that a structured process is used to address and resolve testing-related issues and advises on the completion of VIS testing campaigns. It makes recommendations on the testing of VIS during all test phases especially where Member States participate directly.

2.3.4. VIS Mail Expert Group (VIS MEG)

To support the implementation of the VIS communication mechanism (VIS Mail), which will use the VIS infrastructure and will be composed of a central mail relay and the national mail servers and applications, the informal VIS Mail Expert Group (VIS MEG) was established in February within the framework of the VIS NPM meeting.

The VIS MEG meets monthly and at least ten Member States participate. After agreeing a high level plan and strategy for the VIS Mail implementation at the VIS NPM in April 2008, the VIS Mail Specifications were drafted. The final version of the draft was informally supported by the VIS NPM in October. The draft Decision on the VIS Mail Specifications was submitted to the SISVIS Committee (VIS formation), which will be asked to deliver an opinion on the Decision in early 2009.

In parallel to preparing the VIS Mail specifications, the group discussed the detailed plan for system implementation. The documentation needed by Member States for testing is partially delivered by the Central Mail Relay contractor (VIS Network Contractor) and partially prepared by the VIS MEG. The work of the Commission and the Member States, in cooperation with the Network Contractor, is supported by the Support and Quality Assistance Contractor.

3. Conclusions and Perspectives

2008 was characterised by the implementation of the new schedule based on the analysis of the adopted legal framework and performance of the work needed to incorporate the BMS into the VIS. Finalising the technical specifications of the system and preparation of the testing deliverables comprised the bulk of the effort during the reporting period. The Factory Acceptance Tests were carried out and accepted and preparations for compliance testing with Member States were underway. Cooperation with Member States at political level was strengthened further through the establishment of the Friends of VIS. The schedule for the VIS approved in 2007 was maintained at central level and could have been achieved if the unanimous request by Member States for the implementation of four changes had not emerged towards the end of the year. These changes have required an extension of the deadline for operations by six months. All stakeholders are closely working together towards achieving this goal in 2009.

[1] For the fourth report, see the Report from the Commission to the Council and European Parliament on the development of the Visa Information System (VIS) in 2007, COM(2008) 714 final of 10.11.2008.

[2] OJ L 213 of 15.6.2004, p. 5.

[3] The Comitology framework for both the SIS II and VIS projects in the development phase, set up by virtue of Article 5 (1) of Regulation No 2424/2001 (OJ L 328, 13.12.2001, p. 4).

[4] Set up by Article 51(1) of Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II).

[5] Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) – OJ L 218 of 13.08.2008, p.60

[6] See section 2.1.2 for more details.

[7] Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) – OJ L 218 of 13.08.2008, p.60

[8] Council Decision 2008/633/JHA of 23 June 2008 concerning access for the consultation of the Visa Information System (VIS) by designated authorities of Member States and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences (VIS Decision) – Council document 11077/07

[9] Draft Regulation of the European Parliament and of the Council amending the Common Consular Instructions on visas for diplomatic missions and consular posts in relation to the introduction of biometrics including provisions on the organisation of the reception and processing of visa applications – Interinstitutional file: 2006/0088 (COD)

[10] Regulation (EC) No 562/2006 of the European Parliament and of the Council of 15 March 2006 establishing a Community Code on the rules governing the movement of persons across borders (Schengen Borders Code) OJ L 105, 13.4.2006, p. 1.

[11] Draft proposal for a Regulation of the European Parliament and of the Council establishing a Community Code on Visas, COM (2006) 403 final

[12] The change requests concerned the implementation of biometrics in the VIS, namely to include the possibility to perform verifications using fewer than four fingers and to avoid indicating the exact finger(s) used for the verification to the system. Two other change requests concerned updating the end-user role matrix for VIS and to extend the access rights of 3rd pillar authorities in accordance with Council Decision 2008/633/JHA of 23 June 2008.

[13] See Section 2.1.6.

[14] DTS version 1.22 and ICD version 1.72

[15] Suspended in 2007 due to the late adoption of the VIS legal basis and its impact on the overall schedule

[16] By the end of the year the six OST countries were Estonia, Germany, Italy, Norway, Slovenia, and Sweden

[17] The PSAT countries are subject to change depending on the status of their national preparations, but at time of writing they have been identified as Austria, Czech Republic, France, Hungary, Latvia, Lithuania, Portugal, Slovakia and Spain.

[18] Set up by Article 51(1) of Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II).