52009DC0133

EN

Brussels, 24.3.2009

COM(2009) 133 final

REPORT FROM THE COMMISSION TO THE COUNCIL AND THE EUROPEAN PARLIAMENT

on the Development of the Second Generation Schengen Information System (SIS II)

Progress Report

July 2008 – December 2008

TABLE OF CONTENTS

1. Introduction (...)3

2. Project Status (...)3

2.1. Progress during the period under review (...)3

2.1.1. Global SIS II Schedule (...)3

2.1.2. Preparations for Migration (...)3

2.1.2.1. Migration Legal Instruments (...)3

2.1.2.2. Converter Specification (...)4

2.1.3. Network Installation (...)4

2.1.4. Testing Central SIS II (...)4

2.1.5. Tests involving Member States and users (...)4

2.1.5.1. Connectivity Test (ICT) (...)4

2.1.5.2. Compliance Test (CT) (...)4

2.1.5.3. Operational Systems Test (OST) (...)5

2.1.6. Operational Management (...)6

3. Management (...)6

3.1. Scheduling (...)6

3.2. Financial Management (...)6

3.3. Project Management (...)6

3.3.1. Project Management Board (...)7

3.3.2. SIS II Committee (...)7

3.3.3. National Planning and Coordination (...)7

3.3.4. Council (...)8

4. Priorities for the Next Reporting Period (...)8

4.1. Setting up and implementing a repair plan to address the failure of the OST (...)8

4.2. Global project management approach (...)8

4.3. Testing (...)8

4.3.1. Towards a global testing approach (...)8

4.3.2. Provisional System Acceptance Test (PSAT) (...)9

4.3.3. Global Test Preparations (GT) (...)9

4.4. Migration Development (...)9

4.5. Operational Management (...)9

4.6. Security and Data Protection (...)9

5. Conclusions (...)9

1. Introduction

This progress report describes the work carried out by the Commission in the second semester of 2008 on the development of the second generation Schengen Information System (SIS II). It is presented to the Council and the European Parliament in accordance with Article 6 of Regulation (EC) No 2424/2001 of 6 December 2001 [1] on the development of the second generation Schengen Information System (SIS II). This report also constitutes a test status report as foreseen by Council Regulation (EC) No 189/2008 and Council Decision 2008/173/EC on the tests of the second generation Schengen Information System (SIS II).

The SIS II Project is divided into three phases. Phase 1 was concerned with system design and was completed prior to this reporting period. Phase 2 deals with development and testing of the central system which has been problematic during this reporting period. Phase 3 addresses final test and migration activities from the currently used SIS 1+ to SIS II. In order to provide a complete picture of the range of activities associated with the SIS II project, this report will describe real and potential risks and the actions taken or envisaged in each of the areas covered by the report. Additionally there are specific sections on financial, operational and project management.

2. Project Status

2.1. Progress during the period under review

2.1.1. Global SIS II Schedule

In the early months of 2008 the Commission, in very close cooperation with the Member States' and users’ experts and the 'Friends of SIS II' [2], focussed on revising the SIS II schedule. Unfortunately, despite all preventative measures taken by the Commission to ensure that the tests should be conducted as planned (with an end date of September 2009), the main development contractor for SIS II encountered significant problems in the central system.

The immediate consequence was the suspension of the Operational Systems Test (OST) on the 4 September 2008, placing the global schedule, endorsed by the Council of Ministers in June 2008, in question.

These and other issues were comprehensively discussed by the 'Friends of SIS II', in the competent preparatory bodies of the Council and at the Council Meetings.

2.1.2. Preparations for Migration

2.1.2.1. Migration Legal Instruments

In April 2008, the Commission presented the legal instruments governing the migration from SIS 1+ to SIS II - Council Regulation (EC) No 1104/2008 [3] and Council Decision 2008/839/JHA on migration from the Schengen Information System (SIS 1+) to the second generation Schengen Information System (SIS II) [4]. These instruments were adopted at the JHA Council on 24 October 2008. The relevant budget required to perform further development and migration-associated tasks in 2009 is estimated at a total of € 14 million for 2009. If necessary, the date (of migration) may be changed in accordance with the procedure defined in Article 17(2) of both instruments. Both instruments expire on the date to be fixed by the Council and in any case no later than on 30 June 2010.

2.1.2.2. Converter Specification

Regular monthly "SIS II Migration" workshops took place with Member States and users and the main development contractor in order to define the requirements and specifications for a converter as well as the SIS II migration procedures. The converter is a technical tool to allow consistent and reliable communication between the central systems of SIS 1+ and SIS II during the migration.

In parallel, a new specific contract was negotiated with the main development contractor to cover the activities related to the development of this converter.

The SIS II converter requirements have been prepared by the Commission in close cooperation with Member States' and users' experts and the main development contractor is proceeding with its development.

2.1.3. Network Installation

The SIS II project includes the provision of a wide area communications network, meeting the requirements of availability, security, geographical coverage and level of service, to enable the national and central systems to communicate [5]. On 1 July 2008 a solution was found to a configuration error at the Strasbourg site which had caused a network outage of two days. Corrective measures have been taken to prevent such incidents in the future.

2.1.4. Testing Central SIS II

The System Solution Test (SST) was designed to verify that the Central SIS II on the central site is compliant with the technical specification. These tests, conducted without national systems, were completed in December 2007, and accepted in early 2008.

2.1.5. Tests involving Member States and users

There are currently three types of testing being undertaken with the participation of Member States and users.

2.1.5.1. Connectivity Test (ICT)

The Connectivity Test (ICT) checks the ability of the SIS II national systems to connect to the SIS II central system.

As of 31 December 2008, the following twenty seven Member States and users had completed the Informal Connectivity Test: Austria, Germany, Portugal, Luxembourg, Greece, Italy, Slovenia, Slovakia, Iceland, Finland, Norway, Hungary, The Netherlands, The Czech Republic, Lithuania, Denmark, Spain, Cyprus, Sweden, Belgium, Poland, Estonia, Malta, Latvia, France, Switzerland, Eurojust.

The following three Member States and users were in the process of conducting the Connectivity Test: Ireland, United Kingdom, Europol.

2.1.5.2. Compliance Test (CT)

The Compliance Test checks the interactions between the SIS II national systems and the SIS II central system for each national system separately, based on a set of pre-defined test cases agreed with the Member States and users. The national systems in each Member State may have different features (e.g. use of national copy, handling of biometrics); therefore the set of pre-defined test cases varies according to each Member State profile.

The following twenty six Member States and users have participated in the formal Compliance Test: Austria, Germany, Portugal, Luxembourg, Greece, Italy, Slovenia, Slovakia, Iceland, Finland, Norway, Hungary, The Netherlands, The Czech Republic, Lithuania, Denmark, Spain, Cyprus, Sweden, Belgium, Poland, Estonia, Malta, Latvia, France, Switzerland.

Significant improvement on both SIS II central and national systems sides has been made since the first semester of 2008. However, no Member State has yet been able to run a full set of pre-defined test cases. Therefore, no Member State has yet been able to demonstrate its full compliance. Whilst this is due partly to SIS II central system issues, almost all Member States and users also encountered issues with their national systems. In view of this outcome Member States and users will re-run formal Compliance Tests after the next SIS II central system software version has been installed.

2.1.5.3. Operational Systems Test (OST)

The Operational System Test (OST) verifies that the central system can operate with a set of connected national systems. This stage of testing involves actual Member States and users, instead of simulators. The Operational Systems Test was suspended on the 4th September 2008 because of a series of major issues affecting the central system. These related inter alia to:

· certain tests verifying data consistency between the data stored in the central system and the national systems, were inconclusive;

· problems have arisen in the transmission of messages between the central system and the national systems: some messages went missing whilst others were duplicated;

· the generation and loading, within the central systems or within the national systems, of the large amounts of data necessary for performance tests proved impossible within the timescale which had been anticipated.

The Commission immediately escalated these matters to the highest level with the company leading the main development contract. In line with the contract, the contractor was allotted a period of twenty days to resolve the problems which had come to light.

On 7 October, the contractor reported on the results of this remediation period. The contractor reported significant progress and affirmed its confidence in the stability and performance of the system for the completion of the OST. However, both the Commission and Member States' and users' experts considered that there still existed too much uncertainty and several unresolved problems. Accordingly, the contractor was allotted the month of October for the purpose of fixing all outstanding issues with the support of those Member States and users who volunteered to test the error corrections.

The OST was resumed on 5 November and ended on 17 December. The evaluation of this test campaign was ongoing at the end of the reporting period. A preliminary analysis indicates that despite the significant improvements achieved during the autumn, the exit criteria for the OST (i.e. zero blocking issues and zero major bugs) have not been reached.

2.1.6. Operational Management

The negotiations with France covering the activities to be undertaken to prepare for the entry into operation of the system, and for the provision and training of staff for the joint management of SIS II, VIS and BMS, took place during the period of this report. Amendments to existing contracts will be signed in early 2009. The French authorities have encountered some difficulties in recruiting suitably qualified staff.

3. Management

3.1. Scheduling

The necessity to discontinue the OST in September, the subsequent delays related to the remediation period of twenty days and the additional testing period have led to the exhaustion of all existing margins in the project plan, thereby implying that a rescheduling of the project is necessary. Such re-scheduling should however be deferred until the completion of the analysis of OST results. In September, the Member States and users outlined a number of pre-requisites to achieve a realistic plan:

(i) a guarantee of a stable central system;

(ii) a sequential approach to testing;

(iii) greater clarity on operational and global tests.

It was also evident that Member States' and users’ financial and legal constraints need to be factored into any revised schedule.

3.2. Financial Management

The total appropriations for SIS II activities provided for in the 2008 General Budget amount to € 29,216,484. A financing decision with a total budget of € 19,000,000 for SIS II (operating expenditure of the Schengen Information System and other operating expenditure which may result from this incorporation) and € 7,620,000 for SIS 1+ (installation of a communication infrastructure for SIS 1+ and operation and management of a communication infrastructure for SIS 1+) was adopted by the Commission on 21 December 2007.

As the budget of € 7,620,000 for SIS 1+ will not be used for this activity, which was taken over by the Council at the beginning of 2008, the amount has been transferred to SIS II for additional activities requested by the Council.

The other main components of SIS II expenditure during 2008 were preparations for operational management, training and tools, network, handover preparation of source code knowledge, contracts with France and Austria (operational management), external assistance for development and quality control, changes to SIS II, studies, legal consultancy services, information campaign, installation, operation and management of a communication infrastructure for the SIS environment. Near the end of the reporting period (early December 2008) 76,1% of the total SIS II appropriations had been committed and payments corresponding to 57,33% of payment appropriations had been made.

3.3. Project Management

Given that the SIS II project entails the development of and communication between a SIS II central system and SIS II national systems, regular meetings between the Commission and the Member States and users as well as transparent bilateral reporting mechanisms are fundamental constituents for effective project management.

3.3.1. Project Management Board

In addition to Commission services and the project contractors, representatives of the Presidencies as well as a representative of the SIS 1+ Centre of the Schengen Information System (C.SIS) are invited to participate in the Project Management Board. This group addresses contract issues and monitors project deliverables and milestones. This board met five times during the period covered by this report.

3.3.2. SIS II Committee

The Commission is assisted in the development of SIS II by the SIS II Committee. There were five meetings of the SIS II Committee in the period July – December 2008.

In addition to regular SIS II Committee meetings, sub-groups of the Committee, involving Member States' and users’ experts, are organised to discuss detailed technical issues. These meetings generally focus on issues arising from specific project deliverables.

– The "Test Advisory Group" (TAG), provides the SIS II Committee with an opinion on issues relating to the organisation, implementation and interpretation of tests. This group held twenty meetings in this reporting period.

– The "Change Management Board" (CMB), provides advice on classification, qualification and the potential impact of correction of reported issues. This working group, which also reports to the SIS II Committee, met four times during the reporting period.

– The SIS II Migration Workshops have been held since the delivery of the conclusions of the Migration Group, to advise the SIS II Committee and pursue activity on this critical topic.

3.3.3. National Planning and Coordination

A working group composed of the Member States' and users’ national project managers (NPM) is organised within the framework of the SIS II Committee. The purpose of these NPM meetings is to deal with detailed planning issues, risks and activities both at the central and national project levels. During this reporting period five NPM meetings have taken place.

Member States and users have been asked to submit monthly reports to the NPM meetings, with a view to providing a detailed update on their state of development.

As a matter of precaution, the Commission and the Member States and users agreed on the desirability of starting to reflect on the work and procedures required should the OST, re-started on 5 November, not be conclusive. This process encompasses a technical diagnosis of the issues encountered in the development of SIS II, as well as the identification of the outline of possible contingency scenarios. To this end, seven expert meetings and three workshops took place between mid-November and mid-December under the auspices of the NPM working group to analyse outstanding technical issues in the IT development and broadly describe strategies to overcome them. Furthermore, the Commission contracted two major IT consultancy companies to provide their expertise for this exercise. Notwithstanding some nuances in their technical assessment, both contractors’ reports agree on the conclusion that the outstanding issues can be solved without major re-design of the SIS II application, and that some repairs and improvements are required, independent of the outcome of the OST. They also recommended revisiting the test methodology and implementing a set of organisational changes with a view to establishing a global programme management approach.

3.3.4. Council

The Commission takes part in the meetings of the Council working parties and each Council of Ministers responsible for the Schengen Information System, presenting them with an oral report on the progress of the SIS II project and the associated risks (the Commission routinely provides a monthly written report to the SIS II Committee on the SIS II project covering progress with the project and risks).

The SIS II Migration Legal Instruments (Council Regulation (EC) No 1104/2008 and Council Decision 2008/839/JHA on migration from the Schengen Information System (SIS 1+) to the second generation Schengen Information System (SIS II)) were adopted at the JHA Council of 24 October 2008. The state of play of the SIS II project was presented at all meetings of the Article 36 Committee.

4. Priorities for the Next Reporting Period

4.1. Setting up and implementing an analysis and repair plan to address the failure of the OST

In order to accurately identify the underlying causes of remaining problems affecting the system, the Commission will complete an in-depth analysis of SIS II (root cause analysis), building on the work already carried out in the final months of 2008 on contingency and mitigation options.

On this basis, a specific "repair" action plan will be set up and implemented. Its declared objective will be to steer the overall system to a level of stability and performance which is at least equivalent to the level required for successfully passing the OST.

This 'bug-fixing' period should also be employed to align national systems by performing systematic, problem-driven testing with the view to identifying and addressing outstanding implementation discrepancies.

4.2. Global programme management approach

In order to ensure the necessary consistency between the development of the central system and national systems, the Commission will implement a global programme management structure encompassing central and national developments, bringing together Member States and users and Commission project managers as well as the contractors. This structure will be responsible for taking forward the SIS II system through the remaining stages of the project, from the repair period, the global testing phase, the migration and up to the system’s entry into operation. One of the very first tasks of this structure will be to work on a new SIS II global schedule without prejudice to the respective competences of the Commission and the Member States.

4.3. Testing

4.3.1. Towards a global testing approach

The tests run since April 2008 have highlighted some shortcomings in the current test plan. In particular, some issues related to understanding the system specifications have only been discovered at a very late stage once systems were connected together.

To address this problem, the Commission will design, together with Member States' and users' experts, a new test plan based on a global approach to testing, which would guarantee a full involvement of Member States and users. This directly reflects the desired new management approach for the project as a whole. This global test team should be directly established on the central system site in Strasbourg to facilitate communication between Commission and Member States' and users’ test experts, the contractors, as well as the future SIS II operators undergoing training at C.SIS. Such a global approach is expected to both enhance the relevance of the tests and to speed up the test phases.

4.3.2. Provisional System Acceptance Test (PSAT)

The Provisional System Acceptance Test (PSAT) campaign (which should provide operationally realistic test scenarios ideally involving all Member States and users) has been delayed due to the problems encountered during the OST. The necessary preparatory steps for this test phase took place in close co-operation with the Member States and users. Although the preparations for the PSAT had formally started in the previous reporting period, these had to be stopped due to the OST problems.

4.3.3. Global Test Preparations (GT)

The aim of the Global Test (GT) is to demonstrate that the central SIS II, the communication infrastructure and the interactions between central SIS II and the national systems (N.SIS II) work in accordance with the technical and functional requirements set out in the SIS II legal instruments. The tests will also demonstrate that the central SIS II, the communication infrastructure and the interactions between the central SIS II and the national systems (N.SIS II) can work in accordance with non-functional requirements such as robustness, availability and performance. Technical discussions are under way as to how the test results can best be evaluated.

4.4. Migration Development

The development of the converter for migration will continue during the next reporting period. Some test activities should also start during this next period. The availability of the SIS 1+ testing environment and Member States' and users' support are crucial for successful migration testing phases.

4.5. Operational Management

Negotiations on the second contract with Austria, dealing with training and other services before go-live, and the completion of the job profile for the Backup Central Unit Administrator in Salzburg by France, will be discussed between the Commission, France and Austria.

Member States' and users’ experts will be consulted on the level of service they expect to be provided in order for the Commission to finalise arrangements well in advance of the go-live date.

4.6. Security and Data Protection

Bilateral meetings between European Data Protection Supervisor staff and the Commission services take place on a regular basis to discuss issues related to SIS II. In the EDPS document "Inventory 2009" it is reported that preparations are taking place for the entry into force of SIS II, which includes the supervisory role of the EDPS.

5. Conclusions

The Operational System Test demonstrates that the number of bugs in the central SIS II reduced between November and December 2008 and that the SIS II functionalities work.

However, during this phase, a number of problems have persisted, and need to be resolved in the area of data consistency (a mechanism to ensure the equivalence of data between the national systems and the central system), performance and robustness of the system.

The facts that some of the bugs are still present and that more time is needed for their resolution show that the date for migration from SIS 1+ to SIS II, set for September 2009, is no longer realistic.

In this situation, it is appropriate to implement immediately a working method that ensures a global approach to the project, including the concepts of thorough analysis, effective test methodology management and monitoring. These elements are covered in the repair plan, comprehensive project management and global testing approach initiatives implemented by the Commission with the support of the Council.

Annex I

SIS II Committee and Working Group Meetings

a) Meetings held during the reporting period

JULY 2008 |

2 | 'National Project Managers' Meeting |

3 | SIS II Committee |

8 | Change Management Board |

9 | Project Management Board |

SEPTEMBER 2008 |

10 | Project Management Board |

17 | 'National Project Managers' Meeting |

18 | SIS II Committee / Change Management Board / Migration Workshop |

23 | SISVIS Committee (SIS II technical) |

24 | Change Management Board |

OCTOBER 2008 |

8 | Project Management Board |

14 | 'National Project Managers' Meeting |

15 | SIS II Committee |

17 | Migration Workshop |

23 | Change Management Board |

NOVEMBER 2008 |

13 | Project Management Board / Migration Workshop |

17 | 'National Project Managers' Meeting |

19 | SIS II Committee |

26 | Change Management Board |

DECEMBER 2008 |

1 | SISVIS Committee (SIRENE) |

10 | Project Management Board |

17 | 'National Project Managers' Meeting / SIS II Committee |

b) Meetings already scheduled for the forthcoming reporting period

JANUARY 2009 |

12 | SIS II Global Project Management Board |

14 | Change Management Board / Migration Workshop |

19 | 'National Project Managers' Meeting |

20 | SISVIS Committee (SIS II technical) |

FEBRUARY 2009 |

2 | SIS II Global Project Management Board |

10 | SIS II Global Project Management Board |

16 | SIS II Global Project Management Board |

18 | Change Management Board |

20 | SISVIS Committee (SIRENE) |

24 | SIS II Global Project Management Board |

25 | 'National Project Managers' Meeting |

26 | SISVIS Committee (SIS II technical) |

MARCH 2009 |

3 | SIS II Global Project Management Board |

9 | SIS II Global Project Management Board |

17 | SIS II Global Project Management Board |

23 | 'National Project Managers' Meeting |

24 | SISVIS Committee (SIS II technical) |

APRIL 2009 |

21 | 'National Project Managers' Meeting |

22 | SISVIS Committee (SIS II technical) |

[1] OJ L 328, 13 December 2001, modified by Council Regulation N° 1988/2006, OJ L 411/1 of 30.12.2006 (the modifications in the 2006 regulation do not concern Article 6).

[2] The Council established in February 2008 the Group 'Friends of SIS II' mainly to follow the implementation of SIS II in the Member States and users and users.

[3] OJ L 299, 8.11.2008, p. 1.

[4] OJ L 299, 8.11.2008, p. 43

[5] The necessary arrangements for the use of the encryption box for SIS II have to be completed.

--------------------------------------------------