52017PC0352

EXPLANATORY MEMORANDUM

1.CONTEXT OF THE PROPOSAL

·Reasons for and objectives of the proposal

The establishing Regulation of the European Agency in charge of the operational management of large-scale IT systems in the area of freedom, security and justice, (referred to as eu-LISA) was adopted in 2011 (Regulation (EU) No 1077/2011) and amended in 2015 by Regulation (EU) 603/2013 1 . eu-LISA is currently responsible for the operational management at central level of the second generation Schengen Information System (SIS II), the Visa Information System (VIS) and Eurodac. eu-LISA may also be entrusted with the development and operational management of other large-scale IT systems in the area of freedom, security and justice if so provided by relevant legislative instruments.

eu-LISA took up its core tasks on 1 December 2012 and operates the VIS since 1 December 2012, SIS II since May 2013 and Eurodac since June 2013. The seat of the Agency is Tallinn and the systems are operated from the technical site in Strasbourg. The backup site is located in Sankt Johann im Pongau.

The aim of this proposal is to review the Agency establishing Regulation in order to adapt it to the recommendations for legislative amendments stemming from the evaluation, as well as to improve the functioning of the Agency and enhance and strengthen its role to ensure that its mandate meets current challenges at EU level in the area of freedom, security and justice. It also aims at inserting in the Regulation changes deriving from policy, legal or factual developments and in particular to reflect the fact that new systems will be entrusted to the Agency subject to agreement by the co-legislators and that the Agency should be tasked with contributing to the development of interoperability between large-scale IT systems in the follow-up to the 6 April 2016 Commission Communication on Stronger and Smarter Information Systems for borders and security 2 , the final report of the High-level expert group on information systems and interoperability of 11 May 2017 3 and the Commission's Seventh progress report towards an effective and genuine Security Union of 16 May 2017 4 . It also addresses the recommendations for amendments proposed by the Management Board of the Agency, and the possible need for eu-LISA to host and manage joint technical solutions for the national implementation of decentralized systems for interested Member States. Finally, the proposal aligns the Agency's founding act with the principles of the Joint Statement of the European Parliament, the Council and the European Commission on decentralised agencies of 19 July 2012 (hereinafter 'the Common Approach').

In accordance with Article 31 of the establishing Regulation, the Commission carried out an evaluation, on the basis of an external evaluation 5 , in close consultation with the eu-LISA Management Board, to examine the way and extent to which the Agency effectively contributes to the operational management of large-scale IT systems in the area of freedom, security and justice and fulfils its tasks laid down in the establishing Regulation. It also examined the need for revision or extension of the tasks entrusted to eu-LISA in the establishing Regulation. On the basis of that evaluation, the Commission, after consulting the Management Board, should issue recommendations regarding changes to the establishing Regulation and forward them, together with the opinion of the Management Board, as well as appropriate proposals to the European Parliament, the Council and the European Data Protection Supervisor. The recommendations have been included in the Report from the Commission to the European Parliament and the Council on the functioning of the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) 6 and in the accompanying Commission Staff Working Document on eu-LISA evaluation 7 which are foreseen to be adopted at the same time as this proposal.

This proposal is therefore linked to the evaluation of the Agency but also obeys to other legislative and policy developments and reflects on the recommendations referred to above, as well as the opinion of the Management Board.

·Addressing the recommendations of the external evaluation report of eu-LISA

Four years after the Agency took over its tasks in December 2012, the evaluation showed that the Agency has demonstrated its capacity to fulfil its tasks, as well as new tasks entrusted to it, notably DubliNet 8 , VISION 9 and the execution of the Smart Borders Pilot 10 in an effective and efficient manner. It also found that eu-LISA effectively contributed to the establishment of a coordinated, effective and coherent IT environment for the management of large-scale IT systems supporting the implementation of policies in the area of freedom, security and justice.

However, there are shortcomings to be remedied in order to improve the functioning of the Agency and enhance and strengthen its role, ensuring its mandate is adapted to meet current challenges at EU level in the area of migration and security. Most of the shortcomings identified in the evaluation can be addressed without legislative amendments. The non-legislative recommendations have been followed up by the Executive Director of eu-LISA; the Management Board adopted the relevant Action Plan on 21 March 2017.

The shortcomings which would require legislative amendments as identified in the evaluation are the following:

–the coherence of the management of the communication infrastructure should be improved by transferring the Commission's related tasks (in particular the implementation of the budget, acquisition and renewal and contractual matters) to the Agency, through an amendment of the legislative instruments governing the establishment and operation of the systems operated by the Agency;

–the scope of cooperation with other agencies in the area of freedom, security and justice should be clarified within the eu-LISA mandate;

–an interim report should be adopted by the Management Board by the end of August each year on progress on the implementation of planned activities covering the first six months of that same year;

–the scope of pilot projects which eu-LISA may carry out is limited to those referred to in Article 54(2)a of the Financial Regulation (i.e. without a basic act) and should be extended at least to pilot projects with an existing basic act.

The evaluation also recommended that a risk and ex-ante assessment should be prepared for projects over 500 000 EUR that are carried out by eu-LISA within its current mandate (i.e. not deriving from a legislative instrument entrusting it with a new system for which an impact assessment will be provided by the Commission). This is an important recommendation that shall be appropriately addressed by eu-LISA. However, it does not require a change of the Agency Regulation since Article 29(5) of the Commission delegated Regulation (EU) No 1271/2013 11 and of the Agency's Financial Regulation already require ex-ante and ex-post evaluations of programmes and activities which entail significant spending.

The evaluation also made other recommendations for amendments to the mandate of the Agency. These should be inserted in the systems' legislative instruments and, as regards the extended responsibility for eu-LISA with regard to statistics, would not require an amendment to the Agency's establishing Regulation:

–An extended responsibility for eu-LISA in generating/publishing the statistics for each system.

–A new task for eu-LISA to produce data quality and data analysis reports to improve the control of implementation of the systems' legal instruments.

The Report on the functioning of the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice adopted on the same date as this proposal presents the findings and recommendations of the evaluation. It also noted that the establishing Regulation defining the tasks of the Agency responds to the legal, political and economic environment in which the Agency was created. Recent policy and legislative developments call for further revision or extension of the tasks entrusted to eu-LISA in the establishing Regulation and other relevant legal instruments (i.e. the systems' legal instruments). In 2016 the Commission presented proposals to entrust new systems to the Agency: the Entry/Exit System (EES) 12 , the automated system for registration, monitoring and the allocation mechanism of applications for international protection 13 and the EU Travel Information and Authorisation System (ETIAS) 14 . If these initiatives are adopted by the co-legislators, they would require changes to the eu-LISA Regulation which should enter into force when those proposals will become applicable in order to reflect these new tasks in the eu-LISA Regulation in particular as regards the responsibilities of the Management Board and the Executive Director. The EES proposal includes amendments to Regulation (EU) 1077/2011. In the case of ETIAS and Eurodac recast proposals such amendments have been inserted by the Presidency in the course of discussions in the Council. However, since this proposal is presented before any of the three proposals entrusting new systems to the Agency is adopted, it is necessary to reflect the required amendments as well in this proposal in parenthesis, subject to their final acceptance into the text when the proposals are adopted by the co-legislators.

The Commission also adopted on 6 April 2016 a Communication on Stronger and Smarter Information Systems for Borders and Security 15 . eu-LISA should be given explicit mandate in the establishment Regulation to carry out the tasks entrusted to it as described in this Communication and in the Commission's Seventh progress report toward an effective and genuine Security Union adopted on 16 May 2017. This includes in particular providing support to the Commission and Member States to examine the technical feasibility of developments and actions towards interoperability of the systems including by way of studies and or testing activities.

The changes deriving from the evaluation of the SIS carried out in 2016 as reflected in the proposals revising the SIS legislative instruments 16 as well as from the Eurodac recast proposal 17 should also be inserted in the proposal.

Moreover, there are divergences between the establishing Regulation and the Common Approach annexed to the Joint Statement of the European Parliament, the Council of the EU and the European Commission on decentralised agencies of 19 July 2012 (hereinafter 'the Common Approach') and with the new Financial Regulation and framework Financial Regulation. These should be addressed in the legislative revision. An example is the possible extension of the mandate of the Executive Director for no more than five years instead of the maximum of three years currently foreseen. A second example is the requirement for evaluations of the Agency every five years instead of every four years as is currently foreseen.

The Regulation should also stipulate that eu-LISA may provide advice to the Member States on the national systems' connection to the central systems and ad hoc support/assistance to Member States (such as the support provided in the Greek hotspot in early 2016 during the refugee crisis).

It should also allow eu-LISA to provide assistance/support to the relevant Commission services on technical issues related to existing or new systems, where so requested.

·Addressing the Recommendations for amendments proposed by the Management Board of the Agency

The Management Board of the Agency was consulted on 25 November 2016 on the recommendations for amendments of the Agency establishing Regulation and adopted its opinion on 27 February 2017. The Board welcomed the recommendations for amendments and the intention of the Commission to enlarge the responsibilities of eu-LISA and put forward further recommendations for amendments. Out of these additional recommendations for amendments, the Commission has taken over the extension of the mandate on research, as well as the extension of the mandate of the Chair of the Advisory Groups. The Management Board proposed that the Agency should be able to establish additional technical sites after approval of the Board in addition to the existing ones in Strasbourg and Sankt Johann im Pongau (Austria). The Commission cannot accept this recommendation, as it is not supported by any relevant evidence of need, added value or efficiency gains. It is noted that the location of the central and backup systems for SIS II and VIS in Strasbourg (France) and Sankt Johann im Pongau (Austria) were already fixed by the co-legislators in the legislative instruments on SIS II (adopted in 2006 and 2007 respectively) and VIS (adopted in 2008). During the negotiations of the proposal for the Agency establishing Regulation it was decided by the co-legislators on the basis of a joint offer presented by Estonia and France to host the Agency, that the seat of the Agency would be Tallinn while the technical and backup sites would remain in Strasbourg and in Sankt Johann im Pongau. Moreover, no assessment has been provided by the Agency to justify the need for an additional site. However, in order to ensure further flexibility, this proposal provides for the possibility for the Agency to use the backup site of Sankt Johann im Pongau to operate the backup systems simultaneously in an active mode. This should allow for the processing of business transactions even during normal operation and not only during the failure of the systems.

·Addressing changes required to entrust eu-LISA with tasks referred to in the final report of the High Level Expert Group on information systems and interoperability of 11 May 2017 and the Commission's Seventh progress report towards an effective and genuine Security Union adopted on 16 May 2017.

These changes include:

(a)giving eu-LISA enhanced responsibilities with regard to data quality subject to the adoption of specific legislative amendments/proposals

The High Level Expert Group on information systems and interoperability considered the recommendation foreseen in the Communication on Stronger and Smarter Information Systems for Borders and Security for eu-LISA to develop a central monitoring capacity for data quality. The Expert Group considered that the automated quality, format and completeness checks imposed or suggested by the central systems should be improved or completed. Further analysis is required on the possible development of automated data quality control of the various data fields in SIS, VIS and Eurodac and in any new systems, such as EES. The goal of such a data quality control mechanism will be for the central systems to automatically identify apparently incorrect or inconsistent data submissions so that the originating Member State is able to verify the data and carry out any necessary remedial actions. This activity could be facilitated by a common data repository for producing statistical and data quality reports (data warehouse) containing anonymised data extracted from the systems. The Seventh progress report towards an effective and genuine Security Union noted that the Commission will take forward the Expert Group's recommendations on automated quality control, a 'data warehouse' capable of analysing anonymised data extracted from relevant information systems for statistical and reporting purposes, and training modules on data quality for staff responsible for providing input to the systems at national level.

This new task as well as the creation of a 'data warehouse' would require that specific detailed provisions on data quality be foreseen in the systems' instruments or in a specific legislative instrument.

(b)giving eu-LISA responsibility for the development of interoperability actions subject to the adoption of the relevant legislative proposals.

The Seventh progress report towards an effective and genuine Security Union adopted on 16 May 2017, noted that, in line with the April 2016 Communication, and confirmed by the findings and recommendations of the Expert Group, the Commission sets out a new approach to the management of data for borders and security, where all centralised EU information systems for security, border and migration management are interoperable in full respect of fundamental rights so that:

·the systems can be searched simultaneously using a European Search portal, in full compliance with purpose limitation and access rights, to make better use of existing information systems, possibly with more streamlined rules for law enforcement access;

·the systems use one shared biometric matching service to enable searches across different information systems holding biometric data, possibly with hit/no-hit flags indicating the connection with related biometric data found in another system;

·the systems share a common repository with alphanumeric identity data to detect if a person is registered under multiple identities in different databases.

This proposal aims to allow eu-LISA to carry out the tasks deriving from the Seventh progress report towards an effective and genuine Security Union adopted on 16 May 2017 18 as well as the development of a European Search Portal, a shared biometric matching service and a Common Identity Repository, subject to the adoption of the relevant legislative instrument on interoperability.

(c)addressing the possible need for eu-LISA to develop, manage and/or host joint technical solutions for the national implementation of technical aspects of obligations deriving from EU legislation on decentralised systems in the area of freedom, security and justice for interested Member States.

As recalled in the Seventh progress report towards an effective and genuine Security Union adopted on 16 May 2017, the final report of the High-level expert Group on IT systems and interoperability also highlighted the importance of fully implementing and applying existing information systems. It also looked at the decentralised Prüm framework for the exchange of data regarding DNA, fingerprints and vehicle registration 19 , recommending a feasibility study on moving towards a central routing component and possibly adding new functionalities. Concerning Advance Passenger Information (API), the Expert Group recommended that the Commission should undertake a feasibility study on a centralised mechanism for API including the need for a central router. The aim would be to enable interested Member States to have a one-stop-shop connectivity for airlines and providing API data both to national systems and to central systems (EES, ETIAS). Concerning the decentralised system established by the EU Passenger Name Record (PNR Directive) 20 , the Expert Group recommended a feasibility study on a central component for advance passenger information and passenger name record data as a technical support tool to facilitate the connectivity with air carriers. The aim would be to enable interested Member States to have a one-stop-shop connectivity for airlines and providing PNR data to national systems of Member States that implemented the PNR Directive. The Expert Group considered that this would strengthen the effectiveness of Passenger Information Units once Member States have implemented the EU PNR Directive.

This proposal therefore provides for the possibility that the Agency may also be tasked by a group of Member States to develop, manage and/or host a common IT system for them to jointly implement technical aspects of obligations deriving from EU legislation on decentralised systems in the area of freedom, security and justice subject to prior approval by the Commission and after a decision of the Management Board. This could be done by way of a delegation agreement between the Member States concerned and the Agency entrusting the latter with the above mentioned tasks and the corresponding budget. In such case the Agency shall charge Member States a contribution covering all relevant costs.

As was indicated in the Seventh progress report towards an effective and genuine Security Union the Commission has supported the work that at this stage a group of Member States undertakes to maintain e-CODEX, a system for cross border judicial cooperation and digital access to legal procedures. The Commission has taken note that these Member States consider that this is not a sustainable solution. At Council working group level, the Member States have examined different options and concluded that the best place to ensure maintenance and operability of the e-CODEX system would be eu-LISA. To explore the best solution, the Commission has launched an assessment of the impact of various options for the maintenance of e-CODEX. The result of this impact assessment will be available by autumn 2017.

·Addressing changes required by the adoption of the ECRIS-TCN proposal

Lastly, the proposal also reflects changes required by the adoption of the proposal for a Regulation of the European Parliament and of the Council establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (TCN) to supplement and support the European Criminal Records Information System (ECRIS-TCN system) 21 (hereinafter the ECRIS-TCN system).

As is the case for the other proposals entrusting new systems to the Agency, the ECRIS-TCN proposal will require changes to the eu-LISA Regulation. These changes need to be reflected both in the ECRIS-TCN proposal and in the Agency proposal. Should the ECRIS-TCN proposal be adopted before the Agency proposal the changes proposed in that text to the current eu-LISA Regulation will apply. Once the Agency proposal will be adopted those changes would be superseded by the ones contained in the Agency proposal. Dependent on the speed with which both proposals will be adopted they will be adapted during negotiations to ensure consistency between both texts when it comes to eu-LISA's tasks.

***

The new tasks/systems foreseen for eu-LISA will reinforce the confirmed added value of this Agency which has brought together three large-scale IT systems under one roof. This has enabled the pooling of expertise, harnessing of synergies and allowed a more flexible framework than was possible before the creation of the Agency when the systems were developed and managed by the Commission with certain tasks entrusted to public sector bodies in two Member States. The new tasks will also respond to the need for support by the Agency in order to assist Member States where required.

Whereas the initiative will have a direct impact on the Agency, its staff including the Executive Director, the Member States represented in the Management Board and Advisory Groups as well as the Commission services interacting with the Agency, it will - more broadly - benefit the Member States and the Agencies which are the end-users of the systems since the Agency will have an enhanced role with regard to future developments on IT systems in the area of freedom, security and justice and will provide support to Member States where required.

•Consistency with existing policy provisions in the policy area

This proposal builds on the existing eu-LISA Regulation which was subsequently amended in 2015 by Regulation (EU) 603/2013 22 in order to take into account the changes introduced by the Eurodac recast Regulation including access to Eurodac for law enforcement purposes. This proposal extends the mandate of the Agency to allow it to take over new tasks. The European Agendas on Security 23 and on Migration 24 set the direction for the development and implementation of EU policy to address the parallel challenges of migration management and the fight against terrorism and organised crime. The European Agenda on Migration highlighted the importance of the full use of the SIS, VIS and Eurodac large-scale IT systems which can bring benefits to border management as well as to enhance Europe's capacity to reduce irregular migration and return illegal migrants. It also noted that a new phase would come with the adoption of the proposal establishing an Entry/Exit System (EES) which would strengthen the fight against irregular migration by creating a record of cross-border movements of third-country nationals. The European Agenda on Security recalled that EU agencies play a crucial role in supporting operational cooperation. It encouraged Member States to make full use of the support of agencies to tackle crime through joint action and noted that increased cooperation between the agencies should also be promoted, within their respective mandates.

With this draft Regulation the Commission contributes to rendering border management more effective and secure and to reinforcing security and combatting and preventing crime by enhancing the role and responsibilities of eu-LISA with regard to existing and possible new large-scale IT systems on cooperation and information exchange in the area of freedom, security and justice and to support to Member States and to the Commission.

It also reflects and is fully consistent with the proposed amendments to the legislative instruments governing the development, establishment operation and use of the systems managed currently by eu-LISA and with the proposals entrusting it with future systems.

•Consistency with other Union policies

This proposal is closely linked and complements other Union policies, namely:

(a)Internal Security. As was underlined in the European Agenda on Security, common high standards of border management are essential to prevent cross-border crime and terrorism. This proposal further contributes to achieving a high-level of internal security by enabling eu-LISA to take on the development and operational management of possible new systems (EES, ETIAS and the ECRIS-TCN system) and related tasks which will effectively contribute to that end.

(b)The Common European Asylum System, insofar as the Agency operates Eurodac, DubliNet and will be entrusted with the development and operational management of the automated system for registration, monitoring and the allocation system of applications for international protection (Dublin recast proposal) as well as in terms of cooperation between the Agency and the [European Union Agency for Asylum].

(c)External border management and security insofar as the Agency operates the SIS and VIS systems which contribute to the efficient control of the external borders of the Union and will be entrusted with the EES and ETIAS.

(d)Data protection insofar as this proposal ensures the protection by the Agency of the security of data in the central systems and the communication infrastructure.

2.LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

·Legal basis

This legislative proposal is based on Article 74, Article 77(2)a) and b), Article 78(2)e), Article 79(2)c), Article 82(1)d), Article 85(1), Article 87(2)a) and Article 88(2) of the Treaty on the Functioning of the European Union which provide the legal basis for amending the eu-LISA establishing Regulation and the systems' legal instruments.

Article 74 of the TFEU provides for the adoption of appropriate measures to encourage and strengthen administrative cooperation between the relevant departments of Member States' administrations. This constitutes an appropriate legal basis since the Agency will facilitate the communication and cooperation between the relevant departments of the Member States' administrations in the areas mentioned above.

The operational management tasks entrusted to the Agency shall support the policy aspects underlying the SIS and VIS legislative instruments. In accordance with Articles 77(2)(b) and 79(2)(c) of the TFEU, which provide an appropriate legal basis for SIS II-related tasks of the Agency, the Agency shall technically cover matters related to checks on persons at external borders as well as measures in the area of illegal immigration and illegal residence, respectively. As for VIS matters, the Agency's activities shall technically support the procedures for issuing visas by Member States; it is therefore founded on Article 77(2)(a) of the TFEU.

Regarding EURODAC matters, the operational management tasks entrusted to the Agency shall technically support the determination of which Member State is responsible for considering an application for asylum submitted by a national of a third country in one of the Member States (78(2)(e) of the TFEU), the identification of illegally staying third-country nationals or stateless persons (Article 79(2)(c) of the TFEU), the collation, storage, processing, analysis and exchange of relevant information for law enforcement purposes (Article 87(2)(a) of the TFEU) and Europol's field of action and tasks with regard to Eurodac for law enforcement purposes (Article 88(2)(a) of the TFEU).

Article 82(1)(d) of the TFEU provides for the adoption of measures to facilitate cooperation between judicial or equivalent authorities of the Member States in relation to proceedings in criminal matters and the enforcement of decisions. In addition, Article 87(2)(a) of the TFEU provides that for the purpose of establishing police cooperation involving Member States competent authorities, measures concerning the collection, storage, processing, analysis and exchange of relevant information shall be adopted. These provisions constitute an appropriate legal basis for conferring upon the Agency tasks in this area.

Measures referred to in Articles 77(2)(a) and (b), 78(2)(e), 79(2)(c), 82(1)(d) and 87(2)(a) TFEU, shall be adopted in accordance with the ordinary legislative procedure. Therefore, the ordinary legislative procedure applies to the adoption of the Regulation as an integral whole.

· Variable geometry

As the legal basis for this proposal for a Regulation is to be found in Title V of the Treaty on the Functioning of the European Union, it is affected by the variable geometry arising from the Protocols on the positions of the United Kingdom, Ireland and Denmark. This proposal for a Regulation builds upon the Schengen acquis and the provisions of the Eurodac related measures. Therefore the following consequences in relation to the various protocols and association agreements have to be considered.

Denmark:

Under Protocol 22 on the position of Denmark, annexed to the TEU and the TFEU, Denmark does not take part in the adoption by the Council of the measures pursuant to Title V of the TFEU, with the exception of "measures determining the third countries whose nationals must be in possession of a visa when crossing the external borders of the Member States, or measures relating to a uniform format for visas". Given that this Regulation insofar as it relates to SIS and VIS, [EES] and [ETIAS] builds upon the Schengen acquis, Denmark shall, in accordance with Article 4 of that Protocol, decide within a period of six months of the date of adoption of this Regulation whether it will implement it in its national law. In accordance with the similar Article 5 of the predecessor Protocol on the position of Denmark, Denmark decided to implement Regulation (EC) No 1987/2006 and Regulation (EC) No 767/2008 in national law.

As far as this proposal concerns Eurodac [and the automated system for registration, monitoring and the allocation mechanism for applications for international protection referred to in Article 44 of Regulation (EU) XX/20XX establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast)]. However, in accordance with Article 3 of the Agreement between the European Community and the Kingdom of Denmark on the criteria and mechanisms for establishing the state responsible for examining a request for asylum lodged in Denmark or any other Member State of the European Union and 'Eurodac' for the comparison of fingerprints for the effective application of the Dublin Convention 25 , Denmark is to notify the Commission whether it will implement the contents of this Regulation insofar as it relates to Eurodac [and the automated system for registration, monitoring and the allocation mechanism for applications for international protection referred to in Article 44 of Regulation (EU) XX/20XX establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast)]. Denmark applies the current Eurodac Regulation (EU) 603/2013 following a notification pursuant to this agreement.

[Insofar as it relates to the ECRIS-TCN system, in accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the TEU and the TFEU, Denmark does not take part in the adoption of this Regulation and is not bound by it nor subject to its application.]

United Kingdom and Ireland:

To the extent that its provisions relate to SIS II as governed by Regulation (EC) No 1987/2006 and VIS, and [EES] and [ETIAS] this proposal builds on the provisions of the Schengen acquis, in which the United Kingdom and Ireland do not participate, in accordance with Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen acquis and Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen acquis. Therefore, to the extent that its provisions relate to SIS II as governed by Regulation (EC) No 1987/2006 and VIS, [EES] and [ETIAS] the United Kingdom and Ireland are not bound by this proposed Regulation or subject to its application. The United Kingdom and Ireland may request to be authorised to take part in the adoption of this Regulation in accordance with Article 4 of the Protocol (No 19) on the Schengen acquis integrated into the framework of the European Union.

Insofar as its provisions relate to SIS II as governed by Decision 2007/533/JHA, the United Kingdom and Ireland are taking part in this Regulation in accordance with Article 5(1) of Protocol (No 19) on the Schengen acquis integrated into the framework of the European Union, annexed to the TEU and to the TFEU (Protocol on the Schengen acquis) and Article 8(2) of Council Decision 2000/365/EC of 20 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen acquis and Article 6(2) of Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen acquis.

Insofar as its provisions relate to Eurodac, [and the automated system for registration, monitoring and the allocation mechanism for applications for international protection referred to in Article 44 of Regulation (EU) XX/20XX establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast))]the United Kingdom and Ireland may notify to the President of the Council their wish to take part in the adoption and application of this Regulation in accordance with Article 3 of Protocol (No 21) on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice annexed to the TEU and to the TFEU. The United Kingdom and Ireland are bound by Regulation (EU) No 603/2013 following their notice of their wish to take part in the adoption and application of that Regulation based on the Protocol (No 21) on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice.

[Insofar as its provisions relate to the ECRIS-TCN system, in accordance with Articles 1 and 2 and Article 4a(1) of Protocol (No 21) on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and the TFEU, those Member States are not taking part in the adoption of this Regulation and are not bound or subject to its application. In accordance with Article 3 and Article 4a(1) of Protocol 21, those Member States may notify their wish to take part in the adoption of this Regulation.]

Since the United Kingdom notified on 29 March 2017 its intention to leave the Union, pursuant to Article 50 of the Treaty on European Union, the Treaties will cease to apply to the United Kingdom from the date of the entry into force of the withdrawal agreement or, failing that, two years after the notification, unless the European Council, in agreement with the United Kingdom, decides to extend that period. As a consequence, and without prejudice to any provisions of the withdrawal agreement, this above-mentioned description of the participation of the UK in this proposal only applies until the United Kingdom ceases to be a Member State.

Norway and Iceland:

As regards Norway and Iceland, this proposal constitutes, insofar as it relates to SIS II and VIS, [to EES] [and to ETIAS] a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis 26 .

In parallel to the association of four non-Member States to the Schengen acquis, the Union also concluded agreements associating those countries to the Dublin-related measures including Eurodac. The agreement associating Iceland and Norway was concluded in 2001 27 .

Switzerland:

As regards Switzerland, insofar as its provisions relate to SIS and VIS {EES} and {ETIAS} this proposal constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the European Union, the European Community and the Swiss Confederation on the latter's association with the implementation, application and development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation concerning the association of the Swiss Confederation with the implementation, application and development of the Schengen acquis 28 which fall within the area referred to in Article 1, points A, B and G of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/146/EC 29 .

As regards the Dublin-related measures, the agreement associating Switzerland was concluded on 28 February 2008 and is applicable as of 12 December 2008 30 .

Liechtenstein:

As regards Liechtenstein, insofar as its provisions relate to SIS and VIS {EES} and {ETIAS} this proposal constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis which falls within the area referred to in Article 1, point A, B and G of Council Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/261/EC 31 .

As regards the EURODAC {and Dublin} related measures, the agreement associating Liechtenstein was was concluded on 7 March 2011 32 .

Common provisions for the countries associated with the EURODAC {and Dublin} related measures:

In accordance with the three above-cited agreements, the associated countries shall accept the EURODAC {and Dublin} related measures and its development without exception. They do not take part in the adoption of any acts amending or building upon the EURODAC related measures (including therefore this proposal) but have to notify to the Commission within a given time-frame of their decision whether or not to accept the content of that act, once approved by the Council and the European Parliament.

In order to create rights and obligations between Denmark – which as explained above has been associated to the EURODAC {and Dublin} related measures via an international agreement – and the associated countries mentioned above, two other instruments have been concluded between the former Community (now the Union) and the associated countries. 33

•Subsidiarity

The proposal respects the principle of subsidiarity, as the objective of the proposed action, is to confirm the conferral of the operational management of Central SIS, Central VIS and the National Interfaces, Central Eurodac, their communication infrastructures, as well as other systems and to entrust new additional tasks on eu-LISA. These tasks cannot be achieved by the Member States individually and can be better accomplished by action at the level of the Union in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union.

•Proportionality

The draft Regulation is intended to respond both to the recommendations of the evaluation and to the developments stemming from new challenges and realities faced by the Union both as regards migration management and internal security. It therefore reflects the new tasks of the Agency as regards proposed new systems in the area of freedom, security and justice. It also gives the Agency limited new tasks subject, where required, to the adoption of relevant legislative instruments.

The Agency, financed from the EU budget, is given the competences to manage only the central parts of SIS II, central parts of VIS and the national interfaces, the central part of EURODAC, as well as the respective communication infrastructures, without having responsibility for the data entered in the systems. Member States are competent for their national systems even if the Agency will be now given extended tasks for advice and support to Member States in specific cases. Therefore, the Agency's competences are kept to the minimum necessary for supporting effective, secure and continuous data exchange between the Member States. Confirming the Agency's establishment as dedicated structure for the management of large-scale IT systems in the area of freedom, security and justice and extending its mandate and tasks to the extent proposed is considered proportionate to the legitimate interests of users and the high-security, high-availability and mission-critical nature of the systems.

•Choice of the instrument

Having regard to the fact that the Agency for the operational management of large-scale IT systems in the area of freedom, security and justice was established by means of a Regulation, the same legal instrument is also appropriate for this proposal.

3.RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

•Ex-post evaluations/fitness checks of existing legislation

In accordance with Regulation (EU) 1077/2011 within three years from 1 December 2012 the Commission, in close cooperation with the Management Board, performed an evaluation of the action of the Agency. The Commission evaluation was based on an external evaluation report carried out by Ernst & Young between March 2015 and March 2016 which covers the period from December 2012 to September 2015. The external evaluation report was published in March 2016 34 . The Commission's Report on the functioning of the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) 35 and the accompanying Commission Staff Working Document on eu-LISA evaluation are presented at the same time as this proposal. The results of the evaluation and its recommendations are summarised under point 1.

•Stakeholder consultations

The Commission proposal is based on the evaluation referred to above which builds on consultations with relevant stakeholders. This included EU Member States, in particular the representatives in the Management Board and Advisory Groups; Schengen and Dublin/Eurodac Associated Countries; European Parliament; Council of the European Union; European Data Protection Supervisor; European Court of Auditors; EU Agencies, in particular CEPOL, Frontex, EASO, Europol, Eurojust, FRA; and the eu-LISA contractors.

In addition, the Commission has consulted the Agency on their recommendations for possible amendments to the establishing Regulation which could derive from technical developments and requested it to carry out short impact assessments to justify such changes.

As foreseen by the Regulation, the Management Board of the Agency was consulted on the recommendations by the Commission to amend the Agency Regulation. As explained under point 1 the Commission has taken over to the extent possible the recommendations of the Board in particular to extend the mandate of the Agency as regards research, to extend the mandate of the Chairs of the Advisory Groups and to provide for the possibility to use the site of Sankt Johann im Pongau to operate the systems simultaneously in an active mode. The opinion of the Management Board on the recommendations of the Commission is annexed to the above mentioned Commission report.

•Collection and use of expertise

The independent external evaluation of the Agency was carried out by Ernst & Young which used its long-standing experience and expertise to carry out the evaluation of the Agency and did an extensive consultation of stakeholders. It also took into account eu-LISA reports on the technical functioning of SIS II and VIS and annual reports on the activities of the Central Unit of Eurodac and the Commission overall evaluation reports on VIS and SIS II.

•Impact assessment

The proposal is based to a large extent on the results and recommendations of the independent external evaluation report referred to under point 1.

No impact assessment was carried out since the evaluation concluded that the amendments are essentially technical in the sense that they are either required to improve the functioning and operational effectiveness of the Agency or because of other legislative and policy developments i.e. entrusting it with new systems or tasks. On the one hand, these amendments would extend the mandate of the Agency in a limited way and do not entail significant impacts. On the other, and with regard to those amendments which derive from legislative or policy developments, the Commission has no discretion on policy choices since the relevant changes are imposed by those same developments.

•Fundamental rights

This proposal respects the fundamental rights and observes the principles set out in the Charter of Fundamental Rights of the European Union. It enlarges the scope of tasks and responsibilities of the Agency, in particular by entrusting it with new large-scale IT systems in the area of freedom, security and justice. Its impact on fundamental rights is however limited as the Agency has proved to effectively ensure the operational management of SIS, VIS and Eurodac as well as the new tasks entrusted to it while respecting fundamental rights and in particular Article 8 on the protection of personal data. The new proposed systems that will be entrusted to the Agency will include in accordance with the relevant legislative instruments appropriate safeguards in terms of data protection that will have to be ensured by the Agency.

The proposal is thus in line with Articles 2 and 6 of the Treaty on European Union and with the Charter of Fundamental Rights of the European Union.

4.BUDGETARY IMPLICATIONS

The subsidy for the Agency for the operational management of large-scale IT systems in the area of freedom, security and justice already forms part of the Union's budget. The present proposal widens the scope of tasks of the Agency. Whilst any new system entrusted to it will be subject to a specific legislative act based on Title V TFEU which will also allocate the necessary budget for its development and operational management, other new tasks envisaged in this proposal require specific resources and budget as described more in detail in the legislative financial statement annexed to this proposal.

This is the case for the tasks concerning the communication infrastructure of the SIS which will be transferred to the Agency, the tasks deriving from the Communication on Stronger and Smarter Information Systems for Borders and Security of 6 April 2016 and the Commission's Seventh progress report towards an effective and genuine Security Union of 16 May 2017. Budget should also be foreseen to cover the Agency's new tasks to provide advice and ad-hoc support to Member States and to provide assistance to the Commission's services on technical issues related to existing or new systems, where required.

The extension of tasks concerning research as regards the implementation of the parts of the Framework Programme for Research and Innovation which relate to large- scale IT systems in the area of freedom, security and justice should be covered by the Union contribution foreseen in the relevant instrument of delegation from the Commission to the Agency.

The possibility for a group of Member States to entrust eu-LISA to develop, manage and/or host centralised solutions for the implementation of technical aspects of obligations deriving from EU law on decentralised systems should be fully financed by contributions to be paid by the relevant Member States covering all relevant costs.

For the Agency to adequately address its new tasks as foreseen in this proposal, from 2018 to 2020 an amount of EUR 78,354 million will need to be added to the Agency's Union subsidy and an additional 52 posts during the same period, will be necessary, including 23 establishment plan posts (temporary agents), 2 contract agents, 2 seconded national experts and 25 contract agents following the insourcing of interim staff. This amount does not include the budget required for the new systems which is foreseen under the relevant legislative proposals nor that required for the proposals amending existing systems. The detailed breakdown per year and per system is provided under section 3.2.2. of the legislative financial statement annexed to this proposal.

5.OTHER ELEMENTS

·Monitoring, evaluation and reporting arrangements

eu-LISA has a number of duties to report on its activities and to monitor its work. Most importantly the Agency must compile a consolidated annual activity report of the Agency's activities for the previous year comparing, in particular, the results achieved with the objectives of the annual work programme.

One of the tasks of the Executive Director is to establish and implement an effective system enabling regular monitoring and evaluations of large-scale IT systems and of the Agency, including the effective and efficient achievement of its objectives.

The Agency will have an enhanced role for the production of statistics related to the systems it operates. It is also responsible for the publication of system related statistics. The detailed provisions in this regard will be foreseen in the specific legislative instruments governing the different systems.

The Management Board will adopt every two years the reports on the technical functioning of SIS and VIS required by the legislative instruments governing these systems as well as the annual report on the activities of the Central System of Eurodac. It will also adopt the development reports and the reports on the technical functioning of the new systems entrusted to it.

The Commission must conduct an evaluation the Agency's work not later than five years from the entry into force of this Regulation and every five years thereafter. The Commission shall report to the European Parliament, the Council and the Management Board on the evaluation findings. The Executive Director will ensure adequate follow-up to the findings and recommendations stemming from the evaluation.

Furthermore, the European Parliament and the Council may also invite the Executive Director to report to those institutions as to the carrying out of his or her tasks and the Executive Director shall also be invited to make a statement before the European Parliament and answer questions from the competent Committee members before appointment and before the extension of his/her mandate.

The key role of the Agency for the operational management of large-scale IT systems in the area of freedom, security and justice is and should continue to be to ensure the operational management of existing large-IT systems in this policy area and to prepare, develop and manage new systems if so provided by relevant legislative instruments based on Articles 69 to 89 TFEU. In particular, the following systems will have to be developed in the short term by the Agency: the EES and the ETIAS systems subject to the adoption of the relevant legislative instruments. However, the first evaluation of the Agency showed that it is necessary to extend the mandate of the Agency. In order to take account of the recommendations of the evaluation as well as further legal, policy and factual developments as summarised in point 1 this proposal sets out the following elements reinforcing the role the Agency as compared to its mandate of the Agency under Regulation (EU) 1077/2011.

·Extending the mandate of eu-LISA

Article 1: This provision now lists the competencies of the Agency. In particular it provides that the Agency may be made responsible for the following new tasks:

–the preparation, development and operational management of the Entry/Exit System (EES) 36 , DubliNet 37 , the European Travel Authorisation System (ETIAS) 38 , the automated system for registration, monitoring and the allocation mechanism for applications for international protection 39 and the ECRIS-TCN system 40 (subject to the adoption of the relevant legislative instruments);

–ensuring data quality in accordance with Article 8;

–developing the necessary actions to enable interoperability in accordance with Article 9;

–providing support to Member States and the Commission in accordance with Article 12.

·Specific tasks for new systems (these tasks are subject to the adoption of the relevant legislative instruments)

Article 5a refers to the tasks relating to the Entry/Exit System which the Commission proposed on 6 April 2016 and is currently under negotiation by the co-legislators.

Article 5b refers to the tasks relating to the European Travel Information and Authorisation System. The ETIAS proposal adopted on 16 November 2016 is envisaged to be adopted in the autumn of 2017.

Article 5d refers to the tasks relating to the automated system for registration, monitoring and the allocation mechanism for applications for international protection (Dublin allocation system). The Dublin recast proposal adopted on 4 May 2016 is currently under negotiation by the co-legislators.

Article 5e refers to the tasks relating to a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (TCN) to support the European Criminal Records Information System (ECRIS) (ECRIS-TCN system). The ECRIS-TCN system proposal was adopted on 29 June 2017.

·Transfer of the Commission tasks related to the Communication infrastructure of SIS and VIS to the Agency

Article 7 is adapted to reflect the transfer to the Agency of the tasks of the Commission relating to the communication infrastructure between the central system and the Uniform National Interface in each Member State enabling the connection of the SIS and VIS central systems to the national infrastructures in Member States. It will also clarify that the transfer will not be done for those systems using the EuroDomain (currently only Eurodac) which is a secured telecommunications infrastructure provided by TESTA-ng (Trans-European Services for Telematics between Administrations) 41 operated and financed by the Commission and therefore no contractual tasks or budget will be transferred to eu-LISA in the near future.

·Ensuring Data Quality

Article 8 gives the Agency the task of establishing automated data quality control mechanisms and common data quality indicators and developing a central repository for reporting and statistics subject to specific legislative amendments to existing systems' instruments and/or to specific provisions in new instruments.

·Developing the necessary actions to enable interoperability

Article 9 gives the Agency the task of developing the necessary actions to enable interoperability of the systems, subject where required to the adoption of the relevant legislative instruments.

·Extension of the tasks of eu-LISA concerning research

Article 10 extends the scope of the mandate of the Agency with regard to research. In particular it gives eu-LISA the task of implementing the parts of the Framework Programme for Research and Innovation which relate to IT systems in the area of freedom, security and justice.

·Extension of the scope of pilot projects

Article 11 extends the scope of the pilot projects that can be entrusted to eu-LISA. The Agency may be entrusted by the Commission with budget implementation tasks for proofs of concept funded under the instrument for financial support for external borders and visa foreseen under Regulation (EU) No 515/2014 by way of a delegation agreement. The Agency may also plan and implement testing activities on matters covered by this Regulation and the legislative instruments governing the development, establishment, operation and use of all large-scale IT systems managed by the Agency, after a decision of the Management Board.

·Providing support to Member States and the Commission

Article 12 provides that the Agency may be requested to provide advice to Member States with regard to the national systems' connection to the central systems and ad-hoc support to Member States. The Agency may also be requested to provide advice and/or support to the Commission on technical issues related to existing or new systems including by way of studies and testing.

Article 12 further provides that the Agency may be tasked to develop, manage and/or host a common IT system by a group of at least six Member States opting on a voluntary basis for a centralised solution assisting them in implementing technical aspects of obligations deriving from EU legislation on decentralised IT systems in the area of freedom, security and justice, subject to prior approval by the Commission and after a decision of the Management Board. In such case the Member States will entrust the Agency with the abovementioned tasks by way of a delegation agreement including the conditions for the delegation and setting out the calculation of all relevant costs and the invoicing method.

·Extension of possible use of the backup site for active operation of systems

Article 13 provides for the possibility of using the backup site in Sankt Johann im Pongau simultaneously for active operation of the large-scale IT systems operated by the Agency provided that it is also capable of ensuring their operation in case of failure of the system. Any further specificities of the use of the backup for each system shall be foreseen in the specific systems' legislative instruments.

·Added tasks for the Management Board

Article 15 clarifies the tasks to be assigned to the Management Board, in order to reflect among other things on its responsibility to give the general orientations for the agency's activities. Article 15 is completed to align its provisions with the Common Approach annexed to the Joint Statement of the European Parliament, the Council of the European Union and the European Commission on decentralised agencies of 19 July 2012. It is also amended in order to insert a new obligation for the Management Board to adopt an interim report by the end of August each year on progress on the implementation of planned activities covering the first six months of that same year; to reflect developments related to the new Financial Regulation 42 and Framework Financial Regulation 43 and to reflect new tasks for the Management Board resulting from entrusting it with additional systems.

·Amendments with regard to the Management Board

Article 18 extends the mandate of the Chair of the Management Board from two to four years which may be renewed once in line with the Common Approach.

Article 19 has been completed by providing for the possibility for certain EU agencies to attend the meetings of the Management Board when a question concerning a new system to which they have access as end user under the relevant legislative instruments once adopted is on the agenda.

·Amendments with regard to the tasks and mandate of the Executive Director

Article 21 clarifies the tasks of the Executive Director in order to reflect her or his responsibility for the administrative management of the agency and for the implementation of the duties assigned to the agency. Article 21 is completed in line with the Common Approach and in order to take into account new tasks deriving from the adoption of legislative instruments entrusting new systems to the Agency. The obligation for the Executive Director to submit to the Management Board the draft for the terms of reference for the evaluation has been suppressed.

Article 22 provides that the mandate of the Executive Director may be extended for no more than five years in line with the Common Approach, instead of for up to three years as is currently the case.

·Amendments concerning the Advisory Groups (subject to adoption of relevant legislative instruments)

Article 23 provides for the establishment of Advisory Groups foreseen in relevant legislative proposals for EES, ETIAS and the ECRIS-TCN system.

·Requirement for prior approval by the Commission of security rules based on Commission legislative instruments

Article 33 introduces an obligation for the security rules of the Agency on the protection of classified information and non-classified sensitive information based on Commission rules to be adopted by the Management Board following approval by the Commission.

·Amendment to the Article on evaluation

Article 35 is amended to clarify that the Commission will assess the Agency's work and report to the European Parliament, the Council and the Management Board on the evaluation findings. The evaluation will take place every five years instead of every four years as is the case now to align with the Common Approach on decentralised agencies.

·Insertion of a provision on cooperation with Union institutions, bodies offices and agencies

Article 37 establishes the rules on cooperation with Union institutions, bodies, offices and agencies, in particular with those established in the area of freedom, security and justice.

·Alignment of the budget provisions to delegated Regulation (EU) No 1271/2013

Articles 39 to 42 are aligned to the provisions of Commission delegated Regulation (EU) No 1271/2013 on the framework financial regulation for the bodies referred to in Article 208 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council 44 , as reflected in the Agency's Financial rules.

·Insertion of a provision on prevention of conflicts of interest

Article 43 requires the Agency to adopt internal rules to avoid conflicts of interest.

·Chapter VI concerns amendments to other Union instruments

In Articles 46 and 47, amendments are proposed to the SIS II legal instruments in order to reflect the transfer of the Commission tasks related to the communication infrastructure of SIS to the Agency. This amendment is not necessary with regard to the VIS Regulation, since the EES proposal provides an amendment to Article 26(2) of the VIS Regulation in the sense that the Management Authority (the Agency) shall become responsible for the tasks of the Commission concerning the communication infrastructure six months after the entry into force of the EES Regulation. As regards Eurodac, no change is needed since the communication infrastructure of Eurodac is covered by EuroDomain, operated and financed by the Commission, and therefore no contractual tasks or budget will be transferred to eu-LISA in the near future. Provided the legislative instrument is adopted by the co-legislators, the ECRIS-TCN system will also use the EuroDomain infrastructure and therefore the Commission will be responsible for the implementation of the budget, the acquisition and renewal and contractual matters of the ECRIS-TCN communication infrastructure.

Following adoption of this proposal, the Memorandum of Understanding between the European Commission and the Agency for the operational management of large-scale IT systems in the area of freedom, security and justice 45 , should be amended by agreement between the Commission and eu-LISA to reflect the above mentioned changes to the systems' legislative instruments with regard to the communication infrastructure.

2017/0145 (COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, and amending Regulation (EC) 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) 1077/2011

The EUROPEAN PARLIAMENT and the COUNCIL,

Having regard to the Treaty on the Functioning of the European Union and in particular Article 74, Article 77(2)(a) and (b), Article 78(2)(e), Article 79(2)(c), Article 82(1)(d), Article 85(1), Article 87(2)(a) and Article 88(2) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure ( 46 ),

Whereas:

(1)The Schengen Information System (SIS) was established by Regulation (EC) No 1987/2006 of the European Parliament and of the Council 47 and by Council Decision 2007/533/JHA 48 . Regulation (EC) No 1987/2006 and Decision 2007/533/JHA provide that the Commission is to be responsible, during a transitional period, for the operational management of Central SIS II. After that transitional period, a Management Authority is to be responsible for the operational management of Central SIS II and certain aspects of the communication infrastructure.

(2)The Visa Information System (VIS) was established by Council Decision 2004/512/EC 49 . Regulation (EC) No 767/2008 of the European Parliament and of the Council 50 provides that the Commission is to be responsible, during a transitional period, for the operational management of the VIS. After that transitional period, a Management Authority is to be responsible for the operational management of the Central VIS and of the national interfaces and for certain aspects of the communication infrastructure.

(3)Eurodac was established by Council Regulation (EC) No 2725/2000 51 . Council Regulation (EC) No 407/2002 52 laid down necessary implementing rules. These instruments were repealed and replaced by Regulation (EU) No 603/2013 of the European Parliament and of the Council 53 with effect from 20 July 2015.

(4)The European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice was established by Regulation (EU) No 1077/2011 of the European Parliament and of the Council 54 in order to ensure the operational management of SIS, VIS and Eurodac and of certain aspects of their communication infrastructures, and potentially that of other large-scale information technology (IT) systems in the area of freedom, security and justice, subject to the adoption of separate legislative instruments. Regulation (EU) 1077/2011 was amended by Regulation (EU) No 603/2013 in order to reflect the changes introduced to Eurodac.

(5)Since the Management Authority required legal, administrative and financial autonomy, it was established in the form of a regulatory agency (Agency) having legal personality. As was agreed, the seat of the Agency was established in Tallinn (Estonia). However, since the tasks relating to technical development and the preparation for the operational management of SIS and VIS were already being carried out in Strasbourg (France) and a backup site for those IT systems had been installed in Sankt Johann im Pongau (Austria) in line also with the locations of the SIS and VIS systems decided under the relevant legislative instruments, this should continue to be the case. Those two sites should also continue to be the locations, respectively, where the tasks relating to operational management of Eurodac should be carried out and where a backup site for Eurodac should be established. Those two sites should also be the locations, respectively, for the technical development and operational management of other large-scale IT systems in the area of freedom, security and justice, and, if so provided in the relevant legislative instrument, for a backup site capable of ensuring the operation of a large-scale IT system in the event of failure of that system. In order to maximise the possible use of the backup site, this site should also be able to operate systems simultaneously in an active mode provided that it remains capable of ensuring their operation in case of failure of the systems.

Since taking up its responsibilities on 1 December 2012, the Agency took over the tasks conferred on the Management Authority in relation to VIS by Regulation (EC) No 767/2008 and Council Decision 2008/633/JHA 55 . It took over the tasks conferred to the Management Authority in relation to SIS II by Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA in April 2013 following the system's go-live and it took up the tasks conferred on the Commission in relation to Eurodac in accordance with Regulations (EC) No 2725/2000 and (EC) 407/2002 in June 2013. The first evaluation of the Agency's work based on an independent external evaluation and carried out in 2015-2016, concluded that eu-LISA effectively ensures the operational management of the large-scale IT systems and other tasks entrusted to it but also that a number of changes to the establishing Regulation are necessary such as the transfer to the Agency of the communication infrastructure tasks retained by the Commission. Building on the external evaluation, the Commission took into account policy, legal and factual developments and proposed in particular in its Report on the functioning of the European Agency on the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) 56 that the mandate of the Agency should be extended to carry out the tasks derived from the adoption by the co-legislators of proposals entrusting new systems to the Agency, the tasks referred to in the Commission's Communication on Stronger and Smarter Information Systems for Borders and Security of 6 April 2016, the High Level Expert Group's final report of 11 May 2017 and in the Commission's Seventh progress report towards an effective and genuine Security Union of 16 May 2017, subject where required to the adoption of the relevant legislative instruments. In particular, the Agency should be tasked with the development of a European Search Portal, a shared biometric matching service and a Common Identity Repository, subject to the adoption of the relevant legislative instrument on interoperability. Where relevant, any actions carried out on interoperability should have to be guided by the Commission Communication on the European Interoperability Framework – Implementation Strategy. 57

(6)The above mentioned Commission report also concluded that the Agency's mandate should be extended to provide advice to Member States with regard to the national systems' connection to the central systems and for ad-hoc assistance/support where required as well as to provide assistance/support to the Commission services on technical issues related to new systems.

(7)[The Agency should therefore be entrusted with the preparation, development and operational management of the Entry/Exit system, established by Regulation XX/XX of XX [establishing an Entry/Exit system (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of Member States of the European Union and determining the conditions for access to the EES for law enforcement purposes and amending Regulation (EC) No 767/2008 and Regulation (EU) No 1077/2011].]

(8){[It should be entrusted with the operational management of DubliNet, a separate secure electronic channel set up under Article 18 of Commission Regulation (EC) No 1560/2003 58 , in accordance with Regulation XX/XX of XX on the establishment of 'Eurodac' for the comparison of fingerprints for the effective application of [Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person, for identifying an illegally staying third country national or stateless person and on requests for the comparison with Eurodac data by Member States' law enforcement and Europol for law enforcement purposes (recast)].

(9)[It should be entrusted with the preparation, development and operational management of the European Travel Authorisation System (ETIAS) established by Regulation XX/XX [of XX establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 515/2014, (EU) 2016/399, (EU) 2016/794 and (EU) 2016/1624].]

(10)[It should be entrusted with the preparation, development and operational management of the automated system for registration, monitoring and the allocation mechanism for applications for international protection referred to in Article 44 of Regulation (EU) XX/20XX [establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast)].

(11)[It should also be entrusted with the preparation, development and operational management of the centralised system for the identification of Member States holding criminal information on third-country nationals and stateless persons established by Regulation XX/XX [of XX establishing a centralised system for the identification of Member States holding criminal information on third-country nationals and stateless persons (TCN) to supplement and support the European Criminal Records Information System (ECRIS) and amending Regulation (EU) No 1077/2011 (ECRIS-TCN system), and the maintenance of the ECRIS reference implementation referred to in that Regulation.].

(12)The Agency should remain the same legal person, with full continuity of all its activities and procedures.

(13)The core function of the Agency should continue to be to fulfil the operational management tasks for SIS, VIS and Eurodac, [EES], [DubliNet], [ETIAS], [the automated system for registration, monitoring and the allocation mechanism for applications for international protection] and [the ECRIS-TCN system] and, if so decided, other large-scale IT systems in the area of freedom, security and justice. The Agency should also be responsible for technical measures required by the tasks entrusted to it, which are not of a normative nature. Those responsibilities should be without prejudice to the normative tasks reserved to the Commission alone or to the Commission assisted by a Committee in the respective legislative instruments governing the systems operationally managed by the Agency. It is no longer justified for the Commission to retain certain tasks related to the communication infrastructure of the systems and therefore these tasks should be transferred to the Agency in order to improve the coherence of its management. However, for those systems which use EuroDomain, a secured communications infrastructure provided by TESTA-ng (Trans-European Services for Telematics between Administrations-new generation) which is a project in the form of a network service on the basis of Article 3 of Decision No 922/2009/EC of the European Parliament and of the Council 59 , the tasks of the implementation of the budget, acquisition and renewal and contractual matters should be retained by the Commission.

(14)In addition, the Agency should continue to perform tasks relating to training on the technical use of SIS, VIS and Eurodac and other large-scale IT systems entrusted to it in the future.

(15)Furthermore, the Agency could also be made responsible for the preparation, development and operational management of additional large-scale IT systems in application of Articles 67 to 89 of the Treaty on the Functioning of the European Union (TFEU). The Agency should be entrusted with such tasks only by means of subsequent and separate legislative instruments, preceded by an impact assessment.

(16)The mandate of the Agency with regard to research should be extended in order to increase its ability to be more proactive suggesting relevant and necessary technical changes in the IT systems under its responsibility. The Agency might not only monitor but also contribute to the implementation of research activities relevant to the operational management of the systems it manages. It should send information on such monitoring to the European Parliament, the Council and the European Data Protection Supervisor regularly.

(17)The Agency should be responsible for carrying out pilot projects, in accordance with Article 54(2)(a) of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council 60 . The Agency may in addition be entrusted by the Commission with budget implementation tasks for proofs of concept funded under the instrument for financial support for external borders and visa provided for in Regulation (EU) No 515/2014 of the European Parliament and of the Council 61 in accordance with Article 58(1)(c) of Regulation (EU, Euratom) No 966/2012. The Agency may also plan and implement testing activities on matters strictly covered by this Regulation and the legislative instruments governing the development, establishment, operation and use of the large-scale IT systems managed by the Agency. When tasked with carrying out a pilot project, the Agency should pay particular attention to the European Union Information Management Strategy.

(18)The Agency should provide advice to Member States with regard to the national systems' connection to the central systems.

(19)The Agency should also provide ad-hoc support to Member States where required by security or migratory extraordinary needs. In particular, where a Member State faces specific and disproportionate migratory challenges at particular areas of its external borders characterised by large inward migratory flows, the Member States should be able to rely on technical and operational reinforcements. This should be provided in hotspot areas by migration management support teams composed of experts from relevant Union agencies. Where the support of eu-LISA would be required in this context with regard to issues related to the large-scale IT systems it manages, the request for support should be sent to the Agency by the Commission.

(20)The Agency should also support the Commission services on technical issues related to existing or new systems, when required, in particular for the preparation of new proposals on large-scale IT systems to be entrusted to the Agency.

(21)It should also be possible that the Agency is tasked with developing, managing and/or hosting a common IT system for a group of Member States opting on a voluntary basis for a centralised solution assisting them to implement technical aspects of obligations deriving from Union legislation on decentralised large-scale IT systems in the area of freedom, security and justice. This should require prior approval by the Commission and a decision of the Management Board and should be reflected in a delegation agreement between the Member States concerned and the Agency and financed by way of a contribution charged to the relevant Member States to cover all the costs.

(22)Entrusting the Agency with the operational management of large-scale IT systems in the area of freedom, security and justice should not affect the specific rules applicable to those systems. In particular, the specific rules governing the purpose, access rights, security measures and further data protection requirements for each large-scale IT system the operational management of which the Agency is entrusted with, are fully applicable.

(23)The Member States and the Commission should be represented on a Management Board, in order to control the functions of the Agency effectively. The Management Board should be entrusted with the necessary functions, in particular to adopt the annual work programme, carry out its functions relating to the Agency’s budget, adopt the financial rules applicable to the Agency, appoint an Executive Director and establish procedures for taking decisions relating to the operational tasks of the Agency by the Executive Director. The Agency should be governed and operated taking into account the principles of the Common approach on Union decentralised agencies adopted on 19 July 2012 by the European Parliament, the Council and the Commission.

(24)As regards SIS II, the European Police Office (Europol) and the European Judicial Cooperation Unit (Eurojust), both having the right to access and search directly data entered into SIS II in application of Decision 2007/533/JHA [or Regulation XX of XX on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation in criminal matters, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1986/2006, Council Decision 2007/533/JHA and Commission Decision 2010/261/EU},], should have observer status at the meetings of the Management Board when a question in relation to the application of Decision 2007/533/JHA is on the agenda. The European Border and Coast Guard which has the right to access and search SIS in application of Regulation (EU) 2016/1624 of the European Parliament and of the Council 62 and of Regulation XXX [on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters] 63 should have observer status in the Management Board when a question in relation to the application of Regulation (EU) 2016/1624 or of Regulation XXX of XXX [on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters] is on the agenda. Europol, Eurojust and the European Border and Coast Guard should each be able to appoint a representative to the SIS Advisory Group established under this Regulation.

(25)As regards VIS, Europol should have observer status at the meetings of the Management Board, when a question in relation to the application of Council Decision 2008/633/JHA is on the agenda. Europol should be able to appoint a representative to the VIS Advisory Group established under this Regulation.

(26)As regards Eurodac, Europol should have observer status at the meetings of the Management Board, when a question in relation with the application of Regulation (EU) No 603/2013 [or Regulation XX of XX on the establishment of 'Eurodac' for the comparison of fingerprints for the effective application of Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person}]for identifying an illegally staying third country national or stateless person and on requests for the comparison with Eurodac data by Member States' law enforcement and Europol for law enforcement purposes (recast)} is on the agenda; Europol should be able to appoint a representative to the Eurodac Advisory Group.

(27)[As regards EES, Europol should have observer status at the meetings of the Management Board when a question concerning Regulation XX/XXXX [establishing the EES] is on the agenda.]

(28)[As regards ETIAS, Europol should have observer status at the meetings of the Management Board when a question concerning Regulation XX/XXXX [establishing ETIAS] is on the agenda. The European Border and Coast Guard should also have observer status at the meetings of the Management Board when a question concerning ETIAS in relation with the application of Regulation XX/XX establishing ETIAS is on the agenda. Europol and the European Border and Coast Guard should be able to appoint a representative to the [EES-[ETIAS] Advisory Group.

(29)[As regards the automated system for registration, monitoring and the allocation mechanism for applications for international protection referred to in Article 44 of Regulation (EU) …/… [establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person] EASO should have observer status in the meetings of the Management Board when a question concerning this system is on the agenda.]

(30)[As regards the ECRIS-TCN system, Eurojust, Europol [and the European Public Prosecutor's Office] should have observer status in the meetings of the Management Board when a question concerning Regulation XX/XXXX [establishing the ECRIS-TCN system] is on the agenda}. Eurojust, Europol and [the European Public Prosecutor's Office] should be able to appoint a representative to the ECRIS-TCN system Advisory Group].

(31)Member States should have voting rights on the Management Board of the Agency concerning a large-scale IT system, if they are bound under Union law by any legislative instrument governing the development, establishment, operation and use of that particular system. Denmark should also have voting rights concerning a large-scale IT system, if it decides under Article 4 of the Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union (TEU) and the TFEU, to implement the legislative instrument governing the development, establishment, operation and use of that particular system in its national law.

(32)Member States should appoint a Member to the Advisory Group concerning a large-scale IT system, if they are bound under Union law by any legislative instrument governing the development, establishment, operation and use of that particular system. Denmark should, in addition, appoint a Member to the Advisory Group concerning a large-scale IT system, if it decides under Article 4 of the Protocol No 22 on the position of Denmark to implement the legislative instrument governing the development, establishment, operation and use of that particular system in its national law.

(33)In order to guarantee its full autonomy and independence, the Agency should be granted an autonomous budget with revenue from the general budget of the European Union. The financing of the Agency should be subject to an agreement by the budgetary authority as set out in point 47 of the Interinstitutional Agreement of 17 May 2006 between the European Parliament, the Council and the Commission on budgetary discipline and sound financial management 64 . The Union budgetary and discharge procedures should be applicable. The auditing of accounts and of the legality and regularity of the underlying transactions should be undertaken by the Court of Auditors.

(34)For the purpose of fulfilling its mission and to the extent required for the accomplishment of its tasks, the Agency should be allowed to cooperate with Union institutions, bodies, offices and agencies, in particular those established in the area of freedom, security and justice, in matters covered by this Regulation and the legislative instruments governing the development, establishment, operation and use large-scale IT systems managed by the Agency in the framework of working arrangements concluded in accordance with Union law and policy and within the framework of their respective competences. Those working arrangements should receive the Commission's prior approval. The Agency should also consult and follow up the recommendations of the European Network and Information Security Agency regarding network security, where appropriate.

(35)When ensuring the development and the operational management of large-scale IT systems, the Agency should follow European and international standards taking into account the highest professional requirements, in particular the European Union Information Management Strategy.

(36)Regulation (EC) No 45/2001 65 [or Regulation XX/2018 of the European Parliament and of the Councilon the protection of personal data for Union institutions and bodies] should apply to the processing of personal data by the Agency. The European Data Protection Supervisor should be able to obtain from the Agency access to all information necessary for his or her enquiries. In accordance with Article 28 of Regulation (EC) No 45/2001, the Commission consulted the European Data Protection Supervisor, who delivered his opinion on XX XX.

(37)In order to ensure the transparent operation of the Agency, Regulation (EC) No 1049/2001 of the European Parliament and of the Council 66 should apply to the Agency. The Agency should be as transparent as possible about its activities, without jeopardising the attainment of the objective of its operations. It should make public information on all of its activities. It should likewise ensure that the public and any interested party are rapidly given information with regard to its work.

(38)The activities of the Agency should be subject to the scrutiny of the European Ombudsman in accordance with Article 228 TFEU.

(39)Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council 67 should apply to the Agency, which should accede to the Inter-institutional Agreement of 25 May 1999 between the European Parliament, the Council of the European Union and the Commission of the European Communities concerning internal investigations by the European Anti-Fraud Office (OLAF) 68 .

(40)In order to ensure open and transparent employment conditions and equal treatment of staff, the Staff Regulations of Officials of the European Union ('Staff Regulations') and the Conditions of Employment of Other Servants of the European Union ('Conditions of Employment of other Servants'), laid down in Regulation (EEC, Euratom, ECSC) No 259/68 69 (together referred to as the ‘Staff Regulations’), should apply to the staff (including the Executive Director of the Agency), including the rules of professional secrecy or other equivalent duties of confidentiality.

(41)The Agency is a body set up by the Union in the sense of Article 208 of Regulation (EU, Euratom) No 966/2012 and should adopt its financial rules accordingly.

(42)Commission Delegated Regulation (EU) No 1271/2013 70 on the framework financial regulation for the bodies referred to in Article 208 of Regulation (EU, Euratom) No 966/2012 should apply to the Agency.

(43)Since the objectives of this Regulation, namely the establishment of an Agency at Union level responsible for the operational management and where appropriate the development of large-scale IT systems in the area of freedom, security and justice cannot be sufficiently achieved by the Member States and can therefore, by reason of the scale and effects of the action, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary to achieve those objectives.

(44)In accordance with Articles 1 and 2 of Protocol No 22 on the Position of Denmark, annexed to the Treaty on European Union and to the Treaty on the functioning of European Union, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application. Given that this Regulation, insofar as it relates to SIS II and VIS, [EES] [and ETIAS] builds upon the Schengen acquis, Denmark shall, in accordance with Article 4 of that Protocol, decide within a period of six months after the adoption of this Regulation whether it will implement it in its national law. In accordance with Article 3 of the Agreement between the European Community and the Kingdom of Denmark on the criteria and mechanisms for establishing the State responsible for examining a request for asylum lodged in Denmark or any other Member State of the European Union and ‘Eurodac’ for the comparison of fingerprints for the effective application of the Dublin Convention 71 , Denmark is to notify the Commission whether it will implement the contents of this Regulation, insofar as it relates to Eurodac. [and the automated system for registration, monitoring and the allocation mechanism for applications for international protection referred to in Article 44 of Regulation (EU) XX/XX establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast)]. [Insofar as it relates to the ECRIS-TCN system, in accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the TEU and the TFEU, Denmark does not take part in the adoption of this Regulation and is not bound by it nor subject to its application.]

(45)Insofar as its provisions relate to SIS as governed by Decision 2007/533/JHA, the United Kingdom is taking part in this Regulation, in accordance with Article 5(1) of Protocol No 19 on the Schengen acquis integrated into the framework of the European Union, annexed to the Treaty on European Union and to the Treaty on the functioning of the European Union (Protocol on the Schengen acquis) and Article 8(2) of Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen acquis 72 .

Insofar as its provisions relate to SIS as governed by Regulation (EC) No 1987/2006 and to VIS, [to EES] [and to ETIAS] which constitute developments of provisions of the Schengen acquis in which the United Kingdom does not take part in accordance with Decision 2000/365/EC, the United Kingdom may request to the President of the Council, to be authorised to take part in the adoption of this Regulation, in accordance with Article 4 of the Protocol on the Schengen acquis. Furthermore, insofar as its provisions relate to Eurodac, [and the automated system for registration, monitoring and the allocation mechanism for applications for international protection referred to in Article 44 of Regulation (EU) XX/XX establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast)] the United Kingdom may notify to the President of the Council, its wish to take part in the adoption and application of this Regulation, in accordance with Article 3 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and to the TFEU (Protocol on the position of the United Kingdom and Ireland). Insofar as its provisions relate to the ECRIS-TCN system, in accordance with Articles 1 and 2 and Article 4a(1) of Protocol 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and the TFEU the United Kingdom is not taking part in the adoption of this Regulation and is not bound or subject to its application. In accordance with Article 3 and Article 4a(1) of Protocol 21, the United Kingdom may notify its wish to take part in the adoption of this Regulation.

Since the United Kingdom notified on 29 March 2017 its intention to leave the Union, pursuant to Article 50 of the Treaty on European Union, the Treaties will cease to apply to the United Kingdom from the date of the entry into force of the withdrawal agreement or, failing that, two years after the notification, unless the European Council, in agreement with the United Kingdom, decides to extend that period. As a consequence, and without prejudice to any provisions of the withdrawal agreement, this above-mentioned description of the participation of the UK in proposal only applies until the United Kingdom ceases to be a Member State.

(46)Insofar as its provisions relate to SIS II as governed by Decision 2007/533/JHA, Ireland is taking part in this Regulation, in accordance with Article 5(1) of Protocol No 19 on the Schengen acquis integrated into the framework of the European Union, annexed to the Treaty on European Union and to the Treaty on the functioning of the European Union (Protocol on the Schengen acquis), and Article 6(2) of Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen acquis 73 .

Insofar as its provisions relate to SIS as governed by Regulation (EC) No 1987/2006 and to VIS, [to EES] [and to ETIAS] this Regulation constitutes a development of provisions of the Schengen acquis in which Ireland does not take part, in accordance with Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions in some of the provisions the Schengen acquis 74 . Ireland may request to the President of the Council to be authorised to take part in the adoption of this Regulation, in accordance with Article 4 on the Protocol on the Schengen acquis.

Furthermore, insofar as its provisions relate to Eurodac [and the automated system for registration, monitoring and the allocation mechanism for applications for international protection referred to in Article 44 of Regulation (EU) XX/XX establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast)], Ireland may notify to the President of the Council, its wish to take part in the adoption and application of this Regulation, in accordance with Article 3 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the Treaty on European Union and to the Treaty on the functioning of the European Union (Protocol on the position of the United Kingdom and Ireland). Insofar as its provisions relate to the ECRIS-TCN system, in accordance with Articles 1 and 2 and Article 4a(1) of Protocol 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and the TFEU Ireland is not taking part in the adoption of this Regulation and are not bound or subject to its application. In accordance with Article 3 and Article 4a(1) of Protocol 21, Ireland may notify its wish to take part in the adoption of this Regulation.

(47)As regards Iceland and Norway, this Regulation constitutes, insofar as it relates to SIS II and VIS, [to EES] [and to ETIAS] a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis 75 which fall within the area referred to in Article 1, points A, B and G of Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of that Agreement 76 . As regards Eurodac [and the automated system for registration, monitoring and the allocation mechanism for applications for international protection referred to in Article 44 of Regulation (EU) XX/XX establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast)], this Regulation constitutes a new measure within the meaning of the Agreement between the European Community and the Republic of Iceland and the Kingdom of Norway concerning the criteria and mechanisms for establishing the State responsible for examining a request for asylum lodged in a Member State or in Iceland or Norway 77 . Consequently, subject to their decision to implement it in their internal legal order, delegations of the Republic of Iceland and the Kingdom of Norway should participate in the Management Board of the Agency. In order to determine further detailed rules allowing for the participation of the Republic of Iceland and the Kingdom of Norway in the activities of the Agency, a further arrangement should be concluded between the Union and these States.

(48)As regards Switzerland, this Regulation constitutes, insofar as it relates to SIS II and VIS, [to EES] [and to ETIAS] a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation concerning the association of the Swiss Confederation with the implementation, application and development of the Schengen acquis 78 which fall within the area referred to in Article 1, points A, B and G of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/146/EC 79 . As regards Eurodac [and the automated system for registration, monitoring and the allocation mechanism for applications for international protection referred to in Article 44 of Regulation (EU) XX/XX establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast)], this Regulation constitutes a new measure related to Eurodac within the meaning of the Agreement between the European Community and the Swiss Confederation concerning the criteria and mechanisms for establishing the State responsible for examining a request for asylum lodged in a Member State or in Switzerland 80 . Consequently, subject to its decision to implement it in their internal legal order, the delegation of the Swiss Confederation should participate in the Management Board of the Agency. In order to determine further detailed rules allowing for the participation of the Swiss Confederation in the activities of the Agency, a further arrangement should be concluded between the Union and the Swiss Confederation.

(49)As regards Liechtenstein, this Regulation constitutes, insofar as it relates to SIS II and VIS, [to EES] [and to ETIAS] a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis 81 which fall within the area referred to in Article 1, points A, B and G of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU 82 . As regards Eurodac, [and the automated system for registration, monitoring and the allocation mechanism for applications for international protection referred to in Article 44 of Regulation (EU) XX/XX establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast)] this Regulation constitutes a new measure within the meaning of the Protocol between the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Community and the Swiss Confederation concerning the criteria and mechanisms for establishing the State responsible for examining a request for asylum lodged in a Member State or in Switzerland 83 . Consequently, the delegation of the Principality of Liechtenstein should participate in the Management Board of the Agency. In order to determine further detailed rules allowing for the participation of the Principality of Liechtenstein in the activities of the Agency, a further arrangement should be concluded between the Union and the Principality of Liechtenstein,

HAVE ADOPTED THIS REGULATION:

CHAPTER I
SUBJECT MATTER

Article 1
Subject matter

1.This Regulation concerns the European Union agency for the operational management of large-scale IT systems in the area of freedom, security and justice (the Agency) which was established by Regulation (EU) No 1077/2011.

2.The Agency shall be responsible for the operational management of the Schengen Information System (SIS) the Visa Information System (VIS) and Eurodac.

3.[The Agency shall be responsible for the preparation, development and/ the operational management of [the Entry/Exit System (EES)] 84 , [DubliNet] 85 , [the European Travel Authorisation System (ETIAS] 86 , [the automated system for registration, monitoring and the allocation mechanism for applications for international protection] 87 and [the ECRIS-TCN system and the ECRIS reference implementation 88 ].

4.The Agency may be made responsible for the preparation, development and/or the operational management of large-scale IT systems in the area of freedom, security and justice other than those referred to in paragraphs 2 and 3 including existing systems, only if so provided by relevant legislative instruments, based on Articles 67 to 89 TFEU, taking into account, where appropriate, the developments in research referred to in Article 10 of this Regulation and the results of pilot projects and proofs of concept referred to in Article 11 of this Regulation.

5.Operational management shall consist of all the tasks necessary to keep large-scale IT systems functioning in accordance with the specific provisions applicable to each of them, including responsibility for the communication infrastructure used by them. Those large-scale systems shall not exchange data or enable sharing of information or knowledge, unless so provided in a specific legal basis.

6.The Agency shall also be responsible for the following tasks:

–ensuring data quality in accordance with Article 8;

–developing the necessary actions to enable interoperability in accordance with Article 9;

–carrying out research activities in accordance with Article 10;

–carrying out pilot projects, proofs of concept and testing activities in accordance with Article 11, and

–providing support to Member States and the Commission in accordance with Article 12.

Article 2
Objectives

Without prejudice to the respective responsibilities of the Commission and of the Member States under the legislative instruments governing large-scale IT systems, the Agency shall ensure:

(a)the development of large-scale scale IT systems using an adequate project management structure for efficiently developing large-scale IT systems;

(b)effective, secure and continuous operation of large-scale IT systems;

(c)the efficient and financially accountable management of large-scale IT systems;

(d)an adequately high quality of service for users of large-scale IT systems;

(e)continuity and uninterrupted service;

(f)a high level of data protection, in accordance with the applicable rules, including specific provisions for each large-scale IT system;

(g)an appropriate level of data and physical security, in accordance with the applicable rules, including specific provisions for each large-scale IT system.

CHAPTER II
TASKS OF THE AGENCY

Article 3
Tasks relating to SIS

In relation to SIS II, the Agency shall perform:

(a)the tasks conferred on the Management Authority by Regulation (EC) No 1987/2006 and Decision 2007/533/JHA [or by Regulation XX of XX of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1987/2006; by Regulation XX of XX of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation in criminal matters, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1986/2006, Council Decision 2007/533/JHA and Commission Decision 2010/261/EU and by Regulation XX of XX of the European Parliament and of the Council on the use of the Schengen Information System for the return of illegally staying third-country nationals];

(b)tasks relating to training on the technical use of SIS II, in particular for SIRENE-staff (SIRENE — Supplementary Information Request at the National Entries) and training of experts on the technical aspects of SIS II in the framework of Schengen evaluation.

Article 4
Tasks relating to VIS

In relation to VIS, the Agency shall perform:

(a)the tasks conferred on the Management Authority by Regulation (EC) No 767/2008 and Decision 2008/633/JHA;

(b)tasks relating to training on the technical use of VIS.

Article 5
Tasks relating to Eurodac

In relation to Eurodac, the Agency shall perform:

(a)the tasks conferred on it by Regulation (EU) No 603/2013 [or by Regulation XX of XX on the establishment of 'Eurodac' for the comparison of fingerprints for the effective application of [Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person], for identifying an illegally staying third country national or stateless person and on requests for the comparison with Eurodac data by Member States' law enforcement and Europol for law enforcement purposes (recast)];

(b)tasks relating to training on the technical use of Eurodac.

[Article 5a
Tasks relating to EES

In relation to EES the Agency shall perform:

(a) the tasks conferred on it by Regulation (EU) XXX/20XX of the European Parliament and of the Council [of X.X.X establishing an Entry/Exit System to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States of the European Union and determining the conditions for access to the EES for law enforcement purposes and amending Regulation (EC) No 767/2008 and Regulation (EU) No 1077/2011 (COM(2016) 194 final – 2016/0106 COD)];

(b) tasks relating to training on the technical use of EES.]

[Article 5b
Tasks relating to ETIAS

In relation to ETIAS, the Agency shall perform:

(a) the tasks conferred on it by [Regulation (EU) XXX/20XX of the European Parliament and of the Council establishing the European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 515/2014, (EU) 2016/399, (EU) 2016/794 and (EU) 2016/1624 (COM(2016) 731 final -2016/0357 (COD)];

(b) tasks relating to training on the technical use of the ETIAS.]

[Article 5c
Tasks relating to DubliNet

In relation to DubliNet, the Agency shall perform:

(a) the tasks conferred on it by [Regulation (EU) No Regulation XX of XX on the establishment of 'Eurodac' for the comparison of fingerprints for the effective application of [Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person], for identifying an illegally staying third-country national or stateless person and on requests for the comparison with Eurodac data by Member States' law enforcement and Europol for law enforcement purposes (recast) (COM(2016) 272 final – 2016/0132 (COD)];

(b) tasks relating to training on the technical use of DubliNet.]

[Article 5d
Tasks relating to the automated system for registration, monitoring and the allocation mechanism for applications for international protection

In relation to the automated system for registration, monitoring and the allocation mechanism for applications for international protection referred to in Article 44 of Regulation (EU) XX/20XX [establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast) COM(2016) 270 final -2016/0133(COD)], the Agency shall perform:

(a) the tasks conferred on it by that Regulation [establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast) COM(2016) 270 final -2016/0133(COD)];

(b) tasks relating to training on the technical use of the automated system for registration, monitoring and the allocation mechanism for applications for international protection.]

[Article 5e
Tasks related to the ECRIS-TCN system

In relation to the ECRIS-TCN system, the Agency shall perform:

(a) the tasks conferred on it by Regulation XX/XXX [establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (TCN) to supplement and support the European Records Information System (ECRIS) and amending Regulation (EU) No 1077/2011 (ECRIS TCN-system), including the further development and maintenance of the ECRIS reference implementation.];

(b) tasks relating to training on the technical use of the ECRIS-TCN system and the ECRIS reference implementation.]

Article 6
Tasks relating to the preparation, development and operational
management of other large-scale-IT systems

When entrusted with the preparation, development or operational management of other large- scale IT systems referred to in Article 1(4), the Agency shall perform the tasks conferred on it pursuant to the legislative instrument governing the relevant system, as well as tasks relating to training on the technical use of those systems, as appropriate.

Article 7
Tasks relating to the communication infrastructure

1.The Agency shall carry out all the tasks relating to the communication infrastructures of the systems operated by the Agency conferred on it by the legislative instruments governing the large-scale IT systems operated by the Agency, with the exception of those systems making use of the EuroDomain for their communication infrastructure for which the Commission shall be responsible for the tasks of implementation of the budget, acquisition and renewal and contractual matters. According to the legislative instruments governing the systems using the EuroDomain 89 , the tasks regarding the communication infrastructure (including the operational management and security) are divided between the Agency and the Commission. In order to ensure coherence between the exercise of their respective responsibilities, operational working arrangements have been made between the Agency and the Commission and reflected in a Memorandum of Understanding.

2.The communication infrastructure shall be adequately managed and controlled in such a way as to protect it from threats, and to ensure its security and that of large-scale IT systems for which the Agency is responsible, including that of data exchanged through the communication infrastructure.

3.Appropriate measures including security plans shall be adopted by the Agency inter alia, to prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or transport of data media, in particular by means of appropriate encryption techniques. All system-related operational information circulating in the communication infrastructure shall be encrypted.

4.Tasks relating to the operational management of the communication infrastructure may be entrusted to external private-sector entities or bodies in accordance with Regulation (EU, Euratom) No 966/2012. In such a case, the network provider shall be bound by the security measures referred to in paragraph 3 and shall have no access to SIS II, VIS, Eurodac, [EES], [ETIAS], [the automated system for registration, monitoring and the allocation mechanism for applications for international protection] [or the ECRIS-TCN system] operational data, or to the SIS II-related SIRENE exchange, by any means.

5.Without prejudice to the existing contracts on the communication infrastructures of SIS II, VIS and Eurodac, the management of the encryption keys shall remain within the competence of the Agency and shall not be outsourced to any external private-sector entity.

Article 8
Data quality

The Agency, together with the Commission, shall work towards establishing for all systems under the Agency's operational responsibility, automated data quality control mechanisms and common data quality indicators and towards developing a central repository for reporting and statistics, subject to specific legislative amendments to the existing systems' instruments and/or to specific provisions in new instruments.

Article 9
Interoperability

The Agency shall also develop the necessary actions to enable interoperability of the systems, subject, where required, to the adoption of the relevant legislative instruments.

Article 10
Monitoring of Research

1.The Agency shall monitor the developments in research relevant for the operational management of SIS II, VIS, Eurodac, [EES], [ETIAS], [the automated system for registration, monitoring and the allocation mechanism for applications for international protection], the [ECRIS-TCN system] and other large-scale IT systems as referred to in Article 1(4).

2.The Agency may contribute to the implementation of the parts of the Framework Programme for Research and Innovation which relate to large-scale IT systems in the area of freedom, security and justice. For that purpose, and where the Commission has delegated the relevant powers to it the Agency shall have the following tasks:

(a)managing some stages of programme implementation and some phases in the lifetime of specific projects on the basis of the relevant work programmes adopted by the Commission;

(b)adopting the instruments of budget execution and for revenue and expenditure and carrying out all the operations necessary for the management of the programme;

(c)providing support in programme implementation.

3.The Agency shall on a regular basis keep the European Parliament, the Council, the Commission, and, where data protection issues are concerned, the European Data Protection Supervisor informed on the developments referred to in paragraph 1.

Article 11
Pilot projects, proofs of concept and testing activities

1.Upon the specific and precise request of the Commission, which shall have informed the European Parliament and the Council at least 3 months in advance, and after a decision by the Management Board, the Agency may, in accordance with Article 15(1)(u)) of this Regulation, carry out pilot projects as referred to in Article 54(2)(a) of Regulation (EU, Euratom) No 966/2012, for the development or the operational management of large-scale IT systems, in the application of Articles 67 to 89 TFEU, in accordance with Article 58(1)(c) of Regulation (EU, Euratom) No 966/2012, by way of a delegation agreement.

The Agency shall on a regular basis keep the European Parliament, the Council and, where data protection issues are concerned, the European Data Protection Supervisor, informed of the evolution of the pilot projects referred to in the first subparagraph.

2.Financial appropriations for pilot projects as referred to in Article 54(2)(a) of Regulation (EU, Euratom) No 966/2012 requested by the Commission shall be entered in the budget for no more than two consecutive financial years.

3.At the request of the Commission or the Council and after a decision of the Management Board the Agency may be entrusted with budget implementation tasks for proofs of concept funded under the instrument for financial support for external borders and visa provided for in Regulation (EU) No 515/2014 in accordance with Article 58(1)(c) of Regulation (EU, Euratom) No 966/2012, by way of a delegation agreement.

4.The Agency may plan and implement testing activities on matters covered by this Regulation and the legislative instruments governing the development, establishment, operation and use of all large-scale IT systems managed by the Agency after a decision of the Management Board.

Article 12
Support to Member States and the Commission

1.The Agency may be requested to provide advice to Member States with regard to the national systems' connection to the central systems and ad-hoc support to Member States. The requests for ad-hoc support shall be submitted to the Commission which shall transmit them to the Agency. It may also be requested to provide advice or support to the Commission on technical issues related to existing or new systems including by way of studies and testing.

2.The Agency may also be tasked to develop, manage and/or host a common IT system by a group of at least six Member States opting on a voluntary basis for a centralised solution assisting them in implementing technical aspects of obligations deriving from Union legislation on decentralised systems in the area of freedom, security and justice, subject to prior approval by the Commission and after a decision of the Management Board. In such case the Member States concerned shall entrust the Agency with those tasks by way of a delegation agreement including the conditions for the delegation and setting out the calculation of all relevant costs and the invoicing method.

CHAPTER III
STRUCTURE AND ORGANISATION

Article 13
Legal status and location

1.The Agency shall be a body of the Union and shall have legal personality.

2.In each of the Member States, the Agency shall enjoy the most extensive legal capacity accorded to legal persons under national law. It may, in particular, acquire or dispose of movable and immovable property and may be a party to legal proceedings.

3.The Agency shall be represented by its Executive Director.

4.The seat of the Agency shall be Tallinn, Estonia.

The tasks relating to development and operational management referred to in Article 1(3) and (4) and Articles 3, 4, 5, [5a], [5b], [5c], [5d], [5e], 6 and 7 shall be carried out in Strasbourg, France.

Where a backup site or a second technical site is provided for in the legislative instruments governing the development, establishment, operation and use of each of the systems, this site shall be installed in Sankt Johann im Pongau, Austria.

5.Both technical sites may be used simultaneously for active operation of the large- scale IT systems provided that the second site remains capable of ensuring their operation in case of failure of one or more of the systems. No further technical sites can be established without an amendment to this Regulation.

Article 14
Structure

1.The Agency’s administrative and management structure shall comprise:

(a)a Management Board;

(b)an Executive Director;

(c)Advisory Groups.

2.The Agency's structure shall include:

(a)a Data Protection Officer;

(b)a Security Officer;

(c)an Accounting Officer.

Article 15
Functions of the Management Board

1.The Management Board shall:

(a)give the general orientations for the Agency's activities;

(b)adopt, by a majority of two-thirds of members entitled to vote, the annual budget of the Agency and exercise other functions in respect of the Agency's budget pursuant to Chapter V;

(c)appoint, the Executive Director, and where relevant extend his/her term of office or remove him or her from office, in accordance with Article 22;

(d)exercise disciplinary authority over the Executive Director and oversee his performance including the implementation of the Management Board’s decisions;

(e)take all decisions on the establishment of the Agency’s organisational structure and where necessary their modification taking into consideration the Agency's activity needs and having regard to sound budgetary management;

(f)adopt the Agency's Staff Policy;

(g)establish its the rules of procedure of the Agency;

(h)adopt an anti-fraud strategy, proportionate to the risk of fraud, taking into account the costs and benefits of the measures to be implemented;

(i)adopt rules for the prevention and management of conflicts of interest in respect of its members;

(j)authorise the conclusion of working arrangements in accordance with Article 37;

(k)approve, following a proposal by the Executive Director, the Headquarters Agreement concerning the seat of the Agency and Agreements concerning the technical and backup sites, set up in accordance with Article 13(4) to be signed by the Executive Director with the host Member States;

(l)in accordance with paragraph 2, exercise, with respect to the staff of the Agency, the powers conferred by the Staff Regulations on the Appointing Authority and by the Conditions of Employment of Other Servants on the Authority Empowered to Conclude a Contract of Employment ("the appointing authority powers");

(m)in agreement with the Commission, adopt the necessary implementing rules for giving effect to the Staff Regulations and the Conditions of Employment of other Servants in accordance with Article 110 of the Staff Regulations;

(n)adopt the necessary rules on the secondment of national experts to the Agency;

(o)adopt a draft estimate of the Agency's revenue and expenditure, including the provisional establishment plan and submit them by 31 January each year to the Commission;

(p)adopt the draft single programming document containing the Agency's multiannual programming and its work programme for the following year and a provisional draft estimate of the Agency's revenue and expenditure, including the provisional establishment plan and submit it by 31 January each year to the European Parliament, the Council and the Commission as well as any updated version of that document;

(q)Before 30 November each year, adopt by a two-thirds majority of its members with the right to vote, and in accordance with the annual budgetary procedure, the single programming document taking into account the opinion of the Commission and ensure that the definitive version of this single programming document is transmitted to the European Parliament, the Council and the Commission and published;

(r)adopt an interim report by the end of August of each year on progress on the implementation of planned activities of the current year and submit it to the Commission;

(s)assess and adopt the consolidated annual activity report of the Agency's activities for the previous year comparing, in particular, the results achieved with the objectives of the annual work programme and send both the report and its assessment, by 1 July of each year to the European Parliament, the Council, the Commission and the Court of Auditors; the annual activity report shall be published;

(t)carry out its functions relating to the Agency’s budget, including the implementation of pilot projects and proofs of concept as referred to in Article 11;

(u)adopt the financial rules applicable to the Agency in accordance with Article 44;

(v)appoint an Accounting Officer, who may be the Commission's Accounting Officer, subject to the Staff Regulations and the Conditions of Employment, who shall be totally independent in the performance of his or her duties;

(w)ensure adequate follow-up to the findings and recommendations stemming from the various internal or external audit reports and evaluations as well as from investigations of the European Antifraud Office (OLAF);

(x)adopt the communication and dissemination plans referred to in Article 30(4) and regularly update them;

(y)adopt the necessary security measures, including a security plan and a business continuity and disaster recovery plan, taking into account the possible recommendations of the security experts present in the Advisory Groups;

(``)adopt the security rules on the protection of classified information and non-classified sensitive information following approval by the Commission;

(aa)appoint a Security Officer;

(bb)appoint a Data Protection Officer in accordance with Regulation (EC) No 45/2001;

(cc)adopt the detailed rules for implementing Regulation (EC) No 1049/2001;

(dd)[adopt the reports on the development of the EES pursuant to Article 64(2) of Regulation (EU) XX/XX of XXX establishing the EES] [adopt the reports on the development of ETIAS pursuant to Article 81(2) of Regulation (EU) XX/XX of XXX establishing the ETIAS];

(ee)[adopt the reports on the development of the ECRIS/TCN system pursuant to Article 34(3) of Regulation (EU)XX/XXX establishing the ECRIS/TCN system.];

(ff)adopt the reports on the technical functioning of SIS II pursuant to Article 50(4) of Regulation (EC) No 1987/2006 and Article 66(4) of Decision 2007/533/JHA respectively [or Article 54(7) of Regulation XX of XX of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1987/2006 and Article 71(7) of Regulation XX of XX of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation in criminal matters, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1986/2006, Council Decision 2007/533/JHA and Commission Decision 2010/261/EU]and of VIS pursuant to Article 50(3) of Regulation (EC) No 767/2008 and Article 17(3) of Decision 2008/633/JHA, [of EES pursuant to Article 64(4) of Regulation (EU) XX/XX of XXX and of ETIAS pursuant to Article 81(4) of Regulation (EU) XX/XX of XXX, and of the ECRIS-TCN system and the ECRIS reference implementation pursuant to Article 34(4) of Regulation (EU) XX/XXX;

(gg)adopt the annual report on the activities of the Central System of Eurodac pursuant to Article 40(1) of Regulation (EU) No 603/2013 [or to Article 42 of Regulation XX of XX on the establishment of 'Eurodac' for the comparison of fingerprints for the effective application of [Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person], for identifying an illegally staying third-country national or stateless person and on requests for the comparison with Eurodac data by Member States' law enforcement and Europol for law enforcement purposes (recast)];

(hh)adopt formal comments on the European Data Protection Supervisor's reports on the audits pursuant to Article 45(2) of Regulation (EC) No 1987/2006, Article 42(2) of Regulation (EC) No 767/2008 and Article 31(2) of Regulation (EU) No 603/2013, [Article 50(2) of Regulation (EU) XX/XX of XXX (establishing the EES)] and [Article 57 of Regulation (EU) XX/XX of XXX (establishing the ETIAS)] and to [Article 27(2) of Regulation (EU) XX/XXXX(establishing the ECRIS-TCN system)] and ensure appropriate follow-up of those audits;

(ii)publish statistics related to SIS II pursuant to Article 50(3) of Regulation (EC) No 1987/2006 and Article 66(3) of Decision 2007/533/JHA respectively;

(jj)compile and publish statistics on the work of the Central System of Eurodac pursuant to Article 8(2) of Regulation (EU) No 603/2013 [or to Article 9(2) of Regulation XX of XX on the establishment of 'Eurodac' for the comparison of fingerprints for the effective application of [Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person ], for identifying an illegally staying third-country national or stateless person and on requests for the comparison with Eurodac data by Member States' law enforcement and Europol for law enforcement purposes (recast)];

(kk)[publish statistics related to the EES pursuant to Article 57 of Regulation (EU) XXX/XX establishing the EES;]

(ll)[publish statistics related to the ETIAS pursuant to Article 73 of Regulation (EU) XX/XXX establishing the ETIAS;]

(mm)[Publish statistics related to the ECRIS-TCN system and to the ECRIS reference implementation pursuant to Article 30 of Regulation XXXX/XX;]

(nn)ensure annual publication of the list of competent authorities authorised to search directly the data contained in SIS II pursuant to Article 31(8) of Regulation (EC) No 1987/2006 and Article 46(8) of Decision 2007/533/JHA, together with the list of Offices of the national systems of SIS II (N.SIS II) and SIRENE Bureaux as referred to in Article 7(3) of Regulation (EC) No 1987/2006 and Article 7(3) of Decision 2007/533/JHA respectively [or by Article 36(8) of Regulation XX of XX of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1987/2006 and by Article 53(8) of Regulation XX of XX of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation in criminal matters, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1986/2006, Council Decision 2007/533/JHA and Commission Decision 2010/261/EU together with the list of Offices of the national systems of SIS II (N.SIS II) and SIRENE Bureaux as referred to in Article 7(3) of Regulation XX of XX of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks and Article 7(3) of Regulation XX of XX of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation in criminal matters respectively; [as well as the list of competent authorities pursuant to Article 8(2) of Regulation (EU) XX/XXXX establishing the EES]; [the list of competent authorities pursuant to Article 11 of Regulation (EU) XX/XXXX establishing the ETIAS] and [the list of competent authorities pursuant to Article 32 of Regulation XX/XXX establishing ECRIS-TCN};]

(oo)ensure annual publication of the list of units pursuant to Article 27(2) of Regulation (EU) No 603/2013;

(pp)ensure that all decisions and actions of the Agency affecting European scale IT systems in the area of freedom security and justice respect the principle of independence of the judiciary;

(qq)perform any other tasks conferred on it in accordance with this Regulation.

2.The Management Board shall adopt in accordance with Article 110 of the Staff Regulations, a decision based on Article 2(1) of the Staff Regulations and on Article 6 of the Conditions of Employment of Other Servants, delegating relevant appointing authority powers to the Executive Director and defining the conditions under which this delegation of powers can be suspended. The Executive Director shall be authorised to sub-delegate those powers.

Where exceptional circumstances so require, the Management Board may by way of a decision temporarily suspend the delegation of the appointing authority powers to the Executive Director and those sub-delegated by the latter and exercise them itself or delegate them to one of its members or to a staff member other than the Executive Director.

3.The Management Board may advise the Executive Director on any matter strictly related to the development or operational management of large-scale IT systems and on activities related to research, pilot projects, proofs of concept and testing activities.

Article 17
Composition of the Management Board

1.The Management Board shall be composed of one representative from each Member State and two representatives of the Commission all with a right to vote, in accordance with Article 20.

2.Each Member of the Management Board shall have an alternate. The alternate shall represent the member in his/her absence. The members of the Management Board and their alternates shall be appointed on the basis of the high level of their relevant experience and expertise in the field of large-scale IT systems in the area of freedom, security and justice, knowledge in data protection taking into account their relevant managerial, administrative and budgetary skills. All parties represented in the Management Board shall make efforts to limit the turnover of their representatives, in order to ensure continuity of the board's work. All parties shall aim to achieve a balanced representation between men and women on the Management Board.

3.The term of office of the members and their alternates shall be four years, extendable. Upon expiry of their term of office or in the event of their resignation, members shall remain in office until their appointments are renewed or until they are replaced.

4.Countries associated with the implementation, application and development of the Schengen acquis and Eurodac-related measures shall participate in the activities of the Agency. They shall each appoint one representative and an alternate to the Management Board.

Article 18
Chairperson of the Management Board

1.The Management Board shall elect a Chairperson and a deputy Chairperson from among those members of the Management Board who are appointed by Member States which are fully bound under Union law by the legislative instruments governing the development, establishment, operation and use of all large-scale IT systems managed by the Agency. The Chairperson and the Deputy Chairperson shall be elected by a majority of two thirds of the members of the Management Board with voting rights.

The Deputy Chairperson shall automatically replace the Chairperson if he/she is prevented from attending to his/her duties.

2.The term of office of the Chairperson and the deputy Chairperson shall be four years. Their term of office may be renewed once. If, however, their membership of the Management Board ends at any time during their term of office, their term of office shall automatically expire on that date.

Article 19
Meetings of the Management Board

1.The Chairperson shall convene the meetings of the Management Board.

2.The Executive Director shall take part in the deliberations, without the right to vote.

3.The Management Board shall hold at least two ordinary meetings a year. In addition, it shall meet on the initiative of its Chairperson, at the request of the Commission, or at the request of at least one third of its members.

4.Europol and Eurojust may attend the meetings of the Management Board as observers when a question concerning SIS II, in relation to the application of Decision 2007/533/JHA, is on the agenda. [The European Border and Coast Guard may attend the meetings of the Management Board as observers when a question concerning SIS in relation to the application of Regulation (EU) 2016/1624 or of Regulation XXX of XXX 90 is on the agenda]. Europol may also attend the meetings of the Management Board as observer when a question concerning VIS, in relation to the application of Decision 2008/633/JHA, or a question concerning Eurodac, in relation to the application of Regulation (EU) No 603/2013, is on the agenda. [Europol may also attend the meetings of the Management Board as an observer when a question concerning EES in relation to the application of Regulation XX/XXXX (establishing the EES) is on the agenda or when a question concerning ETIAS in relation to Regulation XX/XXXX (establishing ETIAS) is on the agenda. The European Border and Coast Guard may also attend the meetings of the Management Board when a question concerning ETIAS in relation with the application of Regulation XX/XX of XXX is on the agenda.] [EASO may also attend the meetings of the Management Board as an observer when a question concerning the automated system for registration, monitoring and the allocation mechanism for applications for international protection referred to in Article 44 of Regulation (EU) establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast) COM(2016) 270 final-2016/0133(COD), is on the agenda.] [Eurojust, Europol [the European Public Prosecutor's Office] may also attend the meetings of the Management Board as observers when a question concerning Regulation XX/XXXX (establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (TCN) to supplement and support the European Criminal Records Information System (ECRIS), and amending Regulation (EU) No 1077/2011 (ECRIS-TCN system) is on the agenda.] The Management Board may invite any other person whose opinion may be of interest, to attend its meetings as an observer.

5.The members of the Management Board and their alternates may, subject to its Rules of Procedure, be assisted by advisers or experts who are members of the Advisory Groups.

6.The Agency shall provide the secretariat for the Management Board.

Article 20
Voting rules of the Management Board

1.Without prejudice to paragraph 5 of this Article, and to Article 15(1)( b) and Article 22(1) and (8), decisions of the Management Board shall be taken by a majority of all its members with voting rights.

2.Without prejudice to paragraph 3, each member in the Management Board shall have one vote. In the absence of a member with the right to vote, his/her alternate shall be entitled to exercise his/her right to vote.

3.Each member appointed by a Member State which is bound under Union law by any legislative instrument governing the development, establishment, operation and use of a large-scale IT system managed by the Agency may vote on a question which concerns that large-scale IT system.

Denmark may vote on a question which concerns such a large-scale IT system, if it decides under Article 4 of the Protocol No 22 on the position of Denmark to implement the legislative instrument governing the development, establishment, operation and use of such a large-scale IT system in its national law.

4.In the case of a disagreement among members about whether a specific large- scale IT system is affected by a vote, any decision that it is not so affected shall be taken by a two-thirds majority of the members of the Management Board.

5.The Chairperson shall take part in the voting.

6.The Executive Director shall not take part in the voting.

7.The Management Board's rules of procedure shall establish more detailed voting arrangements, in particular the conditions under which a member may act on behalf of another member as well as any quorum requirements, where appropriate.

Article 21
Responsibilities of the Executive Director

1.The Executive Director shall manage the Agency. The Executive Director shall assist and be accountable to the Management Board. The Executive Director shall report to the European Parliament on the performance of his or her duties when invited to do so. The Council may invite the Executive Director to report on the performance of his/her duties.

2.The Executive Director shall be the legal representative of the Agency.

3.The Executive Director shall be responsible for the implementation of tasks assigned to the Agency by this Regulation. In particular, the Executive Director shall be responsible for:

(a)the day-to-day administration of the Agency;

(b)the Agency’s operation in accordance with this Regulation;

(c)preparing and implementing the procedures, decisions, strategies, programmes and activities adopted by the Management Board, within the limits set out by this Regulation, its implementing rules and the applicable law;

(d)preparing the single programming document and submitting it to the Management Board after consulting the Commission;

(e)implementing the single programming document and reporting to the Management Board on its implementation;

(f)preparing the consolidated annual report of the Agency's activities and presenting it to the Management Board for assessment and adoption;

(g)preparing an action plan following up on the conclusions of internal or external audit reports and evaluations, as well as investigations by the European Anti-fraud Office (OLAF) and reporting on progress twice a year to the Commission and regularly to the Management Board;

(h)protecting the financial interests of the Union by applying preventing measures against fraud, corruption and any other illegal activities, without prejudicing the investigative competence of OLAF, by effective checks and, if irregularities are detected, by recovering amounts wrongly paid and, where appropriate, by imposing effective, proportionate and dissuasive administrative including financial penalties;

(i)preparing an anti-fraud strategy for the Agency and submitting it to the Management Board for approval;

(j)preparing draft financial rules applicable to the Agency and submitting them to the Management Board for adoption after consulting the Commission;

(k)preparing the draft budget for the following year, established on the basis of activity-based budgeting;

(l)preparing the Agency's draft statement of estimates of revenue and expenditure;

(m)implementing its budget;

(n)establishing and implementing an effective system enabling regular monitoring and evaluations of:

(i) large- scale IT systems, including statistics; and

(ii) the Agency, including the effective and efficient achievement of its objectives;

(o)without prejudice to Article 17 of the Staff Regulations, establishing confidentiality requirements in order to comply with Article 17 of Regulation (EC) No 1987/2006, Article 17 of Decision 2007/533/JHA, Article 26(9) of Regulation (EC) No 767/2008 Article 4(4) of Regulation (EU) No 603/2013; [Article 34(4) of Regulation XX/XXXX (establishing the EES), [Article 64(2) of Regulation XX/XXXX (establishing the ETIAS)] and [Article 11(16) of Regulation XX/XXX (establishing the ECRIS-TCN system).];

(p)negotiating and, after approval by the Management Board, signing a Headquarters Agreement concerning the seat of the Agency and Agreements concerning technical and backup sites with the Governments of the host Member States;

(q)preparing the practical arrangements for implementing Regulation (EC) No 1049/2001 and submitting them to the Management Board for adoption;

(r)preparing the necessary security measures including a security plan, and a business continuity and disaster recovery plan and submitting them to the Management Board for adoption;

(s)preparing the reports on the technical functioning of each large-scale IT system referred to in Article 15(1)(ff) and the annual report on the activities of the Central System of Eurodac referred to in Article 15(1)(gg), on the basis of the results of monitoring and evaluation and submitting them to the Management Board for adoption;

(t)[preparing the reports on the development of EES referred to in Article 64(2) of Regulation XX/XXX [establishing the EES] and on the development of ETIAS referred to in Article 81(2) of Regulation XX/XXXX [establishing ETIAS], the report on the development of the ECRIS-TCN system referred to in Article 34(3) of Regulation XX/XXXX [establishing the ECRIS-TCN system] and submitting them to the Management Board for adoption;]

(u)preparing the annual list, for publication, of competent authorities authorised to search directly the data contained in SIS II, including the list of N.SIS II Offices and SIRENE Bureaux [and the list of competent authorities authorised to search directly the data contained in the EES, the ETIAS and the ECRIS-TCN system] referred to in Article 15(1)(nn) and the lists of units referred to in Article 15(1)(oo) and submitting them to the Management Board for adoption.

4.The Executive Director shall perform any other tasks in accordance with this Regulation.

5. The Executive Director shall decide whether it is necessary to locate one or more staff in one or more Member States for the purpose of carrying out the Agency's tasks in an efficient and effective manner. Before deciding to establish a local office the Executive Director shall obtain the prior consent of the Commission, the Management Board and the Member State(s) concerned. The decision shall specify the scope of the activities to be carried out at the local office in a manner that avoids unnecessary costs and duplication of administrative functions of the Agency. Activities carried out in technical sites may not be carried out in a local office.

Article 22
Appointment of the Executive Director

1.The Management Board shall appoint the Executive Director from a list of candidates proposed by the Commission following an open and transparent selection procedure. The selection procedure shall provide for publication in the Official Journal of the European Union and elsewhere of a call for expressions of interest. The Management Board shall appoint the Executive Director on the basis of personal merit, experience in the field of large-scale IT systems and administrative, financial and management skills as well as knowledge in data protection. The Management Board shall take its decision to appoint the Executive Director by a two-thirds majority of all its members with a right to vote.

2.Before appointment, the candidate selected by the Management Board shall be invited to make a statement before the competent committee(s) of the European Parliament and answer questions from the committee members. After the statement, the European Parliament shall adopt an opinion setting out its view of the selected candidate and send it to the Management Board. The Management Board shall inform the European Parliament of the manner in which that opinion has been taken into account. The opinion shall be treated as personal and confidential until the appointment of the candidate.

3.The term of office of the Executive Director shall be five years. By the end of that period, the Commission shall undertake an assessment that takes into account an evaluation of the Executive Director's performance and the Agency's future tasks and challenges.

4.The Management Board, acting on a proposal from the Commission that takes into account the assessment referred to in paragraph 3 may extend the term of office of the Executive Director once for no more than five years.

5.The Management Board shall inform the European Parliament if it intends to extend the Executive Director’s term of office. Within one month before any such extension, the Executive Director shall be invited to make a statement before the competent committee(s) of the European Parliament and answer questions from the committee members.

6.An Executive Director whose term of office has been extended may not participate in another selection procedure for the same post at the end of the overall period.

7.The Executive Director may be removed from office only upon a decision of the Management Board, acting on a proposal from the Commission.

8.The Management Board shall reach decisions on appointment, extension of the term of office or removal from office of the Executive Director on the basis of a two thirds majority of votes of its members with the right to vote.

9.For the purpose of concluding the contract with the Management Board, the Agency shall be represented by the Chairperson of the Management Board. The Executive Director shall be engaged as a temporary agent of the Agency under Article 2(a) of the Conditions of Employment of other Servants.

Article 23
Advisory Groups

1.The following Advisory Groups shall provide the Management Board with expertise relating to large-scale IT systems and, in particular, in the context of the preparation of the annual work program and the annual activity report:

(a)SIS II Advisory Group;

(b)VIS Advisory Group;

(c)Eurodac Advisory Group;

(d)[EES-][ETIAS] Advisory Group];

(e)[ECRIS-TCN system Advisory Group];

(f)any other Advisory Group relating to a large-scale IT system when so provided in the relevant legislative instrument governing the development, establishment, operation and use of that large-scale IT system.

2.Each Member State which is bound under Union law by any legislative instrument governing the development, establishment, operation and use of a particular large-scale IT system, as well as the Commission, shall appoint one member to the Advisory Group relating to that large-scale IT system, for a four-year term, which may be renewed once.

Denmark shall also appoint a member to an Advisory Group relating to a large-scale IT system, if it decides under Article 4 of the Protocol No 22 on the position of Denmark to implement the legislative instrument governing the development, establishment, operation and use of that particular large-scale IT system in its national law.

Each country associated with the implementation, application and development of the Schengen acquis, Eurodac-related measures and the measures related to other large-scale IT systems which participates in a particular large-scale IT system shall appoint a member to the Advisory Group relating to that large- scale IT system.

3.Europol and Eurojust [and the European Border and Coast Guard] may each appoint a representative to the SIS II Advisory Group. Europol may also appoint a representative to the VIS and Eurodac [and EES/ETIAS] Advisory Groups. [The European Border and Coast Guard may also appoint a representative to the EES-ETIAS Advisory Group.] [Eurojust, Europol, [and the European Public Prosecutors Office] may also appoint a representative to the ECRIS-TCN system Advisory Group.]

4.Members of the Management Board and their alternates shall not be members of any of the Advisory Groups. The Executive Director or the Executive Director’s representative shall be entitled to attend all the meetings of the Advisory Groups as observers.

5.The procedures for the operation and cooperation of the Advisory Groups shall be laid down in the Agency’s rules of procedure.

6.When preparing an opinion, the members of each Advisory Group shall do their best to reach a consensus. If such a consensus is not reached, the opinion shall consist of the reasoned position of the majority of members. The minority reasoned position(s) shall also be recorded. Article 20(3) and (4) shall apply accordingly. The members representing the countries associated with the implementation, application and development of the Schengen acquis and Eurodac-related measures shall be allowed to express opinions on issues on which they are not entitled to vote.

7.Each Member State and each country associated with the implementation, application and development of the Schengen acquis and Eurodac-related measures shall facilitate the activities of the Advisory Groups.

8.For the chairmanship of the Advisory Groups, Article 18 shall apply mutatis mutandis.

CHAPTER IV
GENERAL PROVISIONS

Article 24
Staff

1.The Staff Regulations and the Conditions of Employment of Other Servants and the rules adopted by agreement between the institutions of the Union for giving effect to the Staff Regulations and the Conditions of Employment of Other Servants shall apply to the staff of the Agency, including the Executive Director.

2.For the purpose of implementing the Staff Regulations, the Agency shall be considered an agency within the meaning of Article 1a(2) of the Staff Regulations.

3.The staff of the Agency shall consist of officials, temporary staff or contract staff. The Management Board shall give its consent on an annual basis where the contracts that the Executive Director plans to renew would become indefinite pursuant to the Conditions of Employment.

4.The Agency shall not recruit interim staff to perform what are deemed to be sensitive financial duties.

5.The Commission and the Member States may second officials or national experts to the Agency on a temporary basis. The Management Board shall adopt a decision laying down rules on the secondment of national experts to the Agency.

6.Without prejudice to Article 17 of the Staff Regulations of Officials, the Agency shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality.

7.The Management Board shall, in agreement with the Commission, adopt the necessary implementing measures referred to in Article 110 of the Staff Regulations.

Article 25
Public interest

The members of the Management Board, the Executive Director and the members of the Advisory Groups shall undertake to act in the public interest. For that purpose they shall issue an annual, written, public statement of commitment.

The list of members of the Management Board shall be published on the Agency’s Internet site.

Article 26
Headquarters Agreement and Agreements concerning the technical
sites

1. The necessary arrangements concerning the accommodation to be provided for the Agency in the host Member States and the facilities to be made available by those Member States, together with the specific rules applicable in the host Member States to the Executive Director, the members of the Management Board, staff of the Agency and members of their families shall be laid down in a Headquarters Agreement concerning the seat of the Agency and in Agreements concerning the technical sites, concluded between the Agency and the host Member States after obtaining the approval of the Management Board.

2. The Agency's host Member States shall provide the best possible conditions to ensure the proper functioning of the Agency, including multilingual, European-oriented schooling and appropriate transport connections.

Article 27
Privileges and immunities

The Protocol on the Privileges and Immunities of the European Union shall apply to the Agency.

Article 28
Liability

1.The contractual liability of the Agency shall be governed by the law applicable to the contract in question.

2.The Court of Justice of the European Union shall have jurisdiction to give judgment pursuant to any arbitration clause contained in a contract concluded by the Agency.

3.In the case of non-contractual liability, the Agency shall, in accordance with the general principles common to the laws of the Member States, make good any damage caused by its departments or by its staff in the performance of their duties.

4.The Court of Justice of the European Union shall have jurisdiction in disputes over compensation for the damage referred to in paragraph 3.

5.The personal liability of its staff towards the Agency shall be governed by the provisions laid down in the Staff Regulations or Conditions of Employment of Other Agents applicable to them.

Article 29
Language arrangements

1.The provisions of Regulation No 1 91 shall apply to the Agency.

2.Without prejudice to decisions taken pursuant to Article 342 TFEU, the single programming document and the annual activity report referred to in Article 15(1) (r) and (s) of this Regulation, shall be produced in all official languages of the institutions of the Union.

3.The Management Board may adopt a decision on working languages without prejudice to the obligations set out in paragraphs 1 and 2.

4.The translation services necessary for the activities of the Agency shall be provided by the Translation Centre for the Bodies of the European Union.

Article 30
Transparency and communication

1.Regulation (EC) 1049/2001 shall apply to documents held by the Agency.

2.The Management Board shall adopt the detailed rules for applying Regulation (EC) No 1049/2001On the basis of a proposal by the Executive Director the Management Board shall adopt rules concerning access to the Agency’s documents, in accordance with Regulation (EC) No 1049/2001.

3.Decisions taken by the Agency pursuant to Article 8 of Regulation (EC) No 1049/2001 may form the subject of a complaint to the European Ombudsman or of an action before the Court of Justice of the European Union, under the conditions laid down in Articles 228 and 263 TFEU respectively.

4.The Agency shall communicate in accordance with the legislative instruments governing the development, establishment, operation and use of large-scale IT-systems and may engage in communication activities on its own initiative within its field of competence. It shall ensure in particular that in addition to the publications specified in Article 15(1)(r), (s), (ii), (jj), [(kk)], [(ll)], [(mm)] and Article 42(9), the public and any interested party are rapidly given objective, accurate, reliable comprehensive and easily understandable information with regard to its work. The allocation of resources to communication activities shall not be detrimental to the effective exercise of the Agency's tasks as referred to in Articles 3 to 12. Communication activities shall be carried out in accordance with relevant communication and dissemination plans adopted by the Management Board.

5.Any natural or legal person shall be entitled to address written correspondence to the Agency in any of the official languages of the Union. He or she shall have the right to receive an answer in the same language.

Article 31
Data protection

1.Without prejudice to the provisions on data protection laid down in the legislative instruments governing the development, establishment, operation and use of large-scale IT systems, the processing of personal data by the Agency shall be subject to Regulation (EC) No 45/2001 [Regulation (EU) XX/2018 on protection of personal data for Union institutions and bodies].

2.The Management Board shall establish measures for the application of Regulation (EC) No 45/2001 [Regulation (EU) XX/2018 on protection of personal data for Union institutions and bodies] by the Agency, including those concerning the Data Protection Officer. Those measures shall be established after consultation of the European Data Protection Supervisor.

Article 32
Purposes of processing personal data

1.The Agency may process personal data only for the following purposes:

(a)performing its tasks related to the operational management of large-scale IT systems entrusted to it by Union law;

(b)administrative tasks.

2.Where the Agency processes personal data for the purpose referred to paragraph 1(a), the specific provisions concerning data protection and data security of the respective legislative instruments governing the development, establishment, operation and use of the large-scale IT systems managed by the Agency shall apply.

Article 33
Security rules on the protection of classified information and sensitive non-classified information

1.The Agency shall adopt its own security rules based on the principles and rules laid down in Commission's security rules for protecting European Union Classified Information (EUCI) and sensitive non-classified information including inter alia provisions for the exchange , processing and storage of such information as set out in Commission Decisions (EU, Euratom) 2015/443 92 and 2015/444 93 . Any exchange of classified information with the relevant authorities of a third State shall have received the Commission's prior approval.

2.The security rules shall be adopted by the Management Board following approval by the Commission. The Agency may take all necessary measures to facilitate the exchange of information relevant to its tasks with the Commission and the Member States and where appropriate, the relevant Union agencies. It shall develop and operate an information system capable of exchanging classified information with those actors in accordance with Council Decision 2013/488/EU and Commission Decision (EU, Euratom) 2015/444. The Management Board shall, pursuant to Article 2 and Article 15(1)(y) of this Regulation, decide on the Agency’s internal structure necessary to fulfil the appropriate security principles.

Article 34
Security of the Agency

1.The Agency shall be responsible for the security and the maintenance of order within the buildings, premises and land used by it. The Agency shall apply the security principles and relevant provisions of the legislative instruments governing the development, establishment, operation and use of large-scale IT systems.

2.The host Member States shall take all effective and adequate measures to maintain order and security in the immediate vicinity of the buildings, premises and land used by the Agency and shall provide to the Agency the appropriate protection, in accordance with the relevant Headquarters Agreement concerning the seat of the Agency and the Agreements concerning the technical and backup sites, whilst guaranteeing free access to these buildings, premises and land to persons authorised by the Agency.

Article 35
Evaluation

1.No later than five years from the entry into force of this Regulation, and every five years thereafter, the Commission shall assess the Agency's performance in relation to its objectives, mandate, tasks and locations in accordance with the Commission's guidelines. The evaluation shall also assess the contribution of the Agency to the establishment of a coordinated, cost-effective and coherent IT environment at Union level for the management of large scale IT systems supporting the implementation of Justice and Home Affairs (JHA) policies. The evaluation shall in particular assess the possible need to modify the mandate of the Agency and the financial implications of any such modification.

2.Where the Commission considers that the continuation of the Agency is no longer justified with regard to its assigned objectives, mandate and tasks, it may propose that this Regulation be amended accordingly or repealed.

3.The Commission shall report to the European Parliament, the Council, and the Management Board on the evaluation findings. The findings of the evaluation shall be made public.

Article 36
Administrative enquiries

The activities of the Agency shall be subject to the enquiries of the European Ombudsman in accordance with Article 228 of the Treaty.

Article 37
Cooperation with Union institutions, bodies, offices and agencies

1.The Agency shall cooperate with the Commission, with other Union institutions and with other Union bodies, offices and agencies in particular those established in the area of freedom, security and justice, and in particular the European Agency for Fundamental Rights, in matters covered by this Regulation.

2.The Agency shall cooperate with the Commission within the framework of a working arrangement laying down operational working methods.

3.The Agency shall consult and follow the recommendations of the European Network and Information Security Agency regarding network security, where appropriate.

4.Cooperation with Union bodies, offices and agencies shall take place within the framework of working arrangements. Such arrangements shall have received the Commission's prior approval. Such arrangements may provide for the sharing of services between agencies where appropriate either by proximity of locations or by policy area within the limits of the respective mandates and without prejudice to their core tasks.

5.The Union institutions, bodies, offices and agencies referred to in paragraph 1, shall use information received from the Agency only within the limits of their competences and insofar as they respect fundamental rights, including data protection requirements. Onward transmission of other communication of personal data processed by the Agency to Union institutions, bodies, offices or agencies shall be subject to specific working arrangements regarding the exchange of personal data and subject to the prior approval of the European Data Protection Supervisor. Any transfer of personal data by the Agency shall be in line with the data protection provisions laid down in Articles 31 and 32. As regards the handling of classified information, those arrangements shall provide that the Union institution, body, office or agency concerned shall comply with security rules and standards equivalent to those applied by the Agency.

Article 38
Participation by countries associated with the implementation,
application and development of the Schengen acquis and Eurodac-
related measures

1.The Agency shall be open to the participation of third countries that have entered into association agreements with the Union to this effect.

2.Under the relevant provisions of the association agreements referred to in paragraph 1, arrangements shall be made specifying, in particular, the nature, extent and manner of, and the detailed rules for, the participation by countries associated with the implementation, application and development of the Schengen acquis and Eurodac-related measures in the work of the Agency, including provisions on financial contributions, staff and voting rights.

CHAPTER V
ESTABLISHMENT AND STRUCTURE OF THE BUDGET

SECTION 1
SINGLE PROGRAMMING DOCUMENT

Article 39
Single programming document

1.Each year the Executive Director shall draw up a draft single programming document containing multiannual and annual programming for the following year, as set out in Article 32 of Delegated Regulation (EU) No 1271/2013 and of the Agency's financial rules referred to in Article 44 and taking into account guidelines set by the Commission.

The single programming document shall contain a multiannual programme, an annual work programme as well as its budget and information on its resources, as set out in detail in the Agency's financial rules referred to in Article 44.

2.The Management Board shall adopt the draft single programming document after consulting the Advisory Groups and shall send it to the European Parliament, the Council and the Commission no later than 31 January each year as well as any updated version of that document.

3.Before 30 November each year, the Management Board shall adopt, by a two-thirds majority of its members with the right to vote, and in accordance with the annual budgetary procedure and the Union's, the single programming document, taking into account the opinion of the Commission. The Management Board shall ensure that the definitive version of this single programming document is transmitted to the European Parliament, the Council and the Commission and is published. Before 30 November each year, and taking into account the opinion of the Commission, the Management Board shall adopt by a two-thirds majority of its members with the right to vote, and in accordance with the annual budgetary procedure and the Union legislative programme in areas under Articles 67 to 89 TFEU, the single programming document for the following years and ensure that the adopted programming document is transmitted to the European Parliament, the Council and the Commission and published.

4.The single programming document shall become definitive after final adoption of the general budget of the Union and if necessary shall be adjusted accordingly. The adopted single programming document shall then be transmitted to the European Parliament, the Council and the Commission and be published.

5.The annual work programme for the following year shall comprise detailed objectives and expected results including performance indicators. It shall also contain a description of the actions to be financed and an indication of financial and human resources allocated to each action, in accordance with the principles of activity-based budgeting and management. The annual work programme shall be coherent with the multiannual work programme referred to in paragraph 6. It shall clearly indicate tasks that have been added, changed or deleted in comparison with the previous financial year. The Management Board shall amend the adopted annual work programme when a new task is given to the Agency. Any substantial amendment to the annual work programme shall be adopted by the same procedure as the initial annual work programme. The Management Board may delegate the power to make non-substantial amendments to the annual work programme to the Executive Director.

6.The multi-annual programme shall set out the overall strategic programming including objectives, expected results and performance indicators. It shall also set out resource programming including multi-annual budget and staff. The resource programming shall be updated annually. The strategic programming shall be updated where appropriate and in particular to address the outcome of the evaluation referred to in Article 35.

Article 40
Establishment of the Budget

1.Each year the Executive Director shall draw up, taking into account the activities carried out by the Agency, a draft statement of estimates of the Agency’s revenue and expenditure for the following financial year, including an establishment plan, and shall send it to the Management Board.

2.The Management Board shall, on the basis of the draft statement of estimates drawn up by the Executive Director, adopt a draft estimate of the revenue and expenditure of the Agency for the following financial year, including the draft establishment plan. The Management Board shall send them to the Commission and to the countries associated with the implementation, application and development of the Schengen acquis and Eurodac-related measures, as a part of the single programming document, by 31 January each year.

3.The Commission shall send the draft estimate to the European Parliament and the Council ("the budgetary authority") together with the preliminary draft general budget of the European Union.

4.On the basis of the draft estimate, the Commission shall enter in the draft general budget of the European Union the estimates it deems necessary for the establishment plan and the amount of the subsidy to be charged to the general budget, which it shall place before the budgetary authority in accordance with Articles 313 and 314 TFEU.

5.The budgetary authority shall authorise the appropriations for the contribution to the Agency.

6.The budgetary authority shall adopt the establishment plan for the Agency.

7.The Management Board shall adopt the Agency’s budget. It shall become final following the final adoption of the general budget of the European Union. Where appropriate, it shall be adjusted accordingly.

8.Any modification to the budget, including the establishment plan, shall follow the same procedure.

9.The Management Board shall, as soon as possible, notify the budgetary authority of its intention to implement any project, which may have significant financial implications for the funding of its budget, in particular any projects relating to property such as the rental or purchase of buildings. It shall inform the Commission thereof. If either branch of the budgetary authority intends to issue an opinion, it shall, within 2 weeks after receipt of the information on the project, notify the Management Board of its intention to issue such an opinion. In the absence of a reply, the Agency may proceed with the planned operation. For any building project likely to have any significant implications for the budget of the Agency the provisions of Delegated Regulation (EU) No 1271/2013 shall apply.

SECTION 2
PRESENTATION, IMPLEMENTATION AND CONTROL OF THE BUDGET

Article 41
Structure of the budget

1.Estimates of all revenue and expenditure for the Agency shall be prepared each financial year, corresponding to the calendar year, and shall be shown in the Agency's budget.

2.The Agency's revenue shall be balanced in terms of revenue and of expenditure.

3.Without prejudice to other types of income, the revenue of the Agency shall consist of:

(a)a contribution from the Union entered in the general budget of the European Union (Commission section);

(b)a contribution from the countries associated with the implementation, application and development of the Schengen acquis and Eurodac-related measures, participating in the work of the Agency as established in the respective association agreements and in the arrangement referred to in Article 38 that specify their financial contribution;

(c)Union funding in the form of delegation agreements in accordance with the Agency's financial rules referred in Article 44 and with the provisions of the relevant instruments supporting the policies of the Union;

(d)contributions paid by Member States for the services provided to them in accordance with the delegation agreement referred to in Article 12;

(e)any voluntary financial contribution from the Member States.

4.The expenditure of the Agency shall include staff remuneration, administrative and infrastructure expenses and operational expenditure.

Article 42
Implementation and control of the budget

1.The Executive Director shall implement the Agency’s budget.

2.Each year the Executive Director shall forward to the budgetary authority all information relevant to the findings of evaluation procedures.

3.By 1 March of a financial year N+1, the Agency’s Accounting Officer shall communicate the provisional accounts for financial year N to the Commission’s Accounting Officer and the Court of Auditors The Commission’s Accounting Officer shall consolidate the provisional accounts of the institutions and decentralised bodies in accordance with Article 147 of Regulation (EU, Euratom) No 966/2012.

4.The Agency shall send a report on the budgetary and financial management for year N to the European Parliament, the Council, the Court of Auditors and the Commission by 31 March of year N+1.

5.The Commission's Accounting Officer shall send the Agency's provisional accounts for year N, consolidated with the Commission's accounts, to the Court of Auditors by 31 March of year N+1.

6.On receipt of the Court of Auditors’ observations on the Agency’s provisional accounts, pursuant to Article 148 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council, the Executive Director shall draw up the Agency’s final accounts under his own responsibility and forward them to the Management Board for an opinion.

7.The Management Board shall deliver an opinion on the Agency’s final accounts for year N.

8.By 1 July of year N+1, the Executive Director shall send the final accounts, together with the opinion of the Management Board, to the European Parliament, to the Council, to the Commission and to the Court of Auditors as well as to the countries associated with the implementation, application and development of the Schengen acquis and Eurodac-related measures.

9.The final accounts for year N shall be published in the Official Journal of the European Union by 15 November of year N+1.

10.The Executive Director shall send the Court of Auditors a reply to its observations by 30 September of year N+1. The Executive Director shall also send that reply to the Management Board.

11.The Executive Director shall submit to the European Parliament at its request, any information required for the smooth application of the discharge procedure for the year N, in accordance with Article 165(3) of Regulation (EU, Euratom) No 966/2012.

12.On a recommendation from the Council acting by a qualified majority, the European Parliament shall, before 15 May of year N+2, give a discharge to the Executive Director in respect of the implementation of the budget for year N.

Article 43
Prevention of conflicts of interest

The Agency shall adopt internal rules requiring the members of its bodies and its staff members to avoid any situation liable to give rise to a conflict of interest during their employment or term of office and to report such situations.

Article 44
Financial rules

The financial rules applicable to the Agency shall be adopted by the Management Board after consulting the Commission. They shall not depart from Delegated Regulation (EU) No 1271/2013 unless such departure is specifically required for the Agency’s operation and the Commission has given its prior consent.

Article 45
Combating fraud

1.In order to combat fraud, corruption and other unlawful activities, Regulation (EU, Euratom) No 883/2013 shall apply.

2.The Agency shall accede to the Inter-institutional Agreement of 25 May 1999 concerning internal investigations by the European Anti-fraud Office (OLAF) and shall adopt, without delay, the appropriate provisions applicable to all the employees of the Agency using the template set out in the Annex to that Agreement.

The Court of Auditors shall have the power of audit, on the basis of documents and of on-the-spot inspections, over all grant beneficiaries, contractors and subcontractors who have received Union funds from the Agency.

3.OLAF may carry out investigations including on-the-spot checks and inspections with a view to establishing whether there has been fraud, corruption or any other illegal activity affecting the financial interests of the Union in connection with a grant or a contract funded by the Agency, in accordance with the provisions and procedures laid down in Regulation (EU, Euratom) No 883/2013 and Council Regulation (Euratom, EC) No 2185/96 94 .

4.Without prejudice to paragraphs 1, 2 and 3, contracts, grant agreements and grant decisions of the Agency shall contain provisions expressly empowering the Court of Auditors and OLAF to conduct such audits and investigations, according to their respective competences.

CHAPTER VI
AMENDMENTS TO OTHER UNION INSTRUMENTS

Article 46

Amendment to Regulation (EC) No 1987/2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II) [or to Regulation XX of XX on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) 1987/2006]

In Regulation (EC) No 1987/2006 [or in Regulation XX of XX on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) 1987/2006], Article 15(2) and (3) are replaced by the following:

"(2) The Management Authority shall be responsible for all tasks relating to the communication infrastructure, in particular:

(a) supervision;

(b) security;

(d) tasks relating to implementation of the budget;

(e) acquisition and renewal, and

(f) contractual matters."

Article 47

Amendment to Council Decision 2007/533/JHA on the establishment, operation and use of the second generation Schengen Information System (SIS II) [or to Regulation XX of XX of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation in criminal matters, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1986/2006, Council Decision 2007/533/JHA and Commission Decision 2010/261/EU]

In Council Decision 2007/533/JHA [or, in Regulation XX of XX of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation in criminal matters, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1986/2006, Council Decision 2007/533/JHA and Commission Decision 2010/261/EU], Article 15(2) and (3) are replaced by the following:

"2. The Management Authority shall also be responsible for all tasks relating to the communication infrastructure, in particular:

(a) supervision;

(b) security;

(d) tasks relating to implementation of the budget;

(e) acquisition and renewal, and

(f) contractual matters."

CHAPTER VII
TRANSITIONAL PROVISIONS

Article 48
Transitional arrangements concerning the Executive Director

The Executive Director of eu-LISA appointed on the basis of Article 18 of Regulation (EU) No 1077/2011 shall, for the remaining term of his office, be assigned to the responsibilities of the Executive Director, as provided for in Article 21 of this Regulation.

CHAPTER VIII
FINAL PROVISIONS

Article 49 Repeal

Regulation (EU) No 1077/2011 is repealed.

References to the repealed Regulation shall be construed as references to this Regulation.

Article 50
Entry into force and applicability

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.

Done at Brussels,

For the European Parliament For the Council

The President The President

LEGISLATIVE FINANCIAL STATEMENT

1.FRAMEWORK OF THE PROPOSAL/INITIATIVE

1.1.Title of the proposal/initiative

1.2.Policy area(s) concerned in the ABM/ABB structure

1.3.Nature of the proposal/initiative

1.4.Objective(s)

1.5.Grounds for the proposal/initiative

1.6.Duration and financial impact

1.7.Management mode(s) planned

2.MANAGEMENT MEASURES

2.1.Monitoring and reporting rules

2.2.Management and control system

2.3.Measures to prevent fraud and irregularities

3.ESTIMATED FINANCIAL IMPACT OF THE PROPOSAL/INITIATIVE

3.1.Heading(s) of the multiannual financial framework and expenditure budget line(s) affected

3.2.Estimated impact on expenditure

3.2.1.Summary of estimated impact on expenditure

3.2.2.Estimated impact on operational appropriations

3.2.3.Estimated impact on appropriations of an administrative nature

3.2.4.Compatibility with the current multiannual financial framework

3.2.5.Third-party contributions

3.3.Estimated impact on revenue

LEGISLATIVE FINANCIAL STATEMENT

1.FRAMEWORK OF THE PROPOSAL/INITIATIVE

1.1.Title of the proposal/initiative

Regulation of the European Parliament and of the Council on the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice repealing Regulation (EU) 1077/2011 and amending Regulation (EC) 1987/2006 and Council Decision 2007/533/JHA.

1.2.Policy area(s) concerned in the ABM/ABB structure 95

Policy area: Migration and Home Affairs (title 18)

Activity: Internal Security (chapter 18.02)

1.3.Nature of the proposal/initiative

◻ The proposal/initiative relates to a new action

◻ The proposal/initiative relates to a new action following a pilot project/preparatory action 96

⌧ The proposal/initiative relates to the extension of an existing action

◻ The proposal/initiative relates to an action redirected towards a new action

1.4.Objective(s)

1.4.1.The Commission's multiannual strategic objective(s) targeted by the proposal/initiative

Specific Objective 1.2 Border management: Save lives and secure EU external borders

- Use of IT systems and technologies for Smart Borders to better ensure internal security and facilitate the border crossing of bona fide travellers.

Managing our borders more efficiently also implies making better use of the opportunities offered by IT systems and technologies. The EU today has three large-scale IT systems under responsibility of DG HOME, dealing with the administration of asylum (Eurodac), visa applications (the Visa Information System – VIS) and the sharing of information about persons or objects for which an alert has been created by the competent authorities (Schengen Information System – SIS II). The Agency shall continue to be given a responsibility for these three large-scale IT systems.

DG HOME presented a proposal on 6 April 2016 on the establishment of the EU Entry Exit System which should be developed by eu-LISA with a view of ensuring entry into operations by 2020. The implementation of an EU wide Entry/Exit System will result, amongst other things, in the automation of certain tasks and activities related to border controls. This automation will ensure a homogeneous and systematic control of the authorised period of stay of third-country nationals. The system will register the name, type of travel document and biometrics and the date and place of entry and exit. This will facilitate the border crossing of bona fide travellers, detect over-stayers and identify undocumented persons in the Schengen area. By doing so, the EU Entry/Exit System will be instrumental in the effective implementation of the visa policy and in maximising the positive economic impact of attracting more tourists and other visitors travelling on personal or professional grounds while minimising the irregular migration and security risks.

In addition, subject to the adoption of the relevant legislative instruments, eu-LISA will be entrusted with the development of other large-scale IT systems, such as the automated system for registration, monitoring and for the allocation system of applications for international protection and the European Travel Information and Authorisation System (ETIAS), a central EU system for assessing in advance of their actual arrival at the border the eligibility of visa-exempt third-country nationals to enter the Schengen area and, in particular, whether their presence in the Schengen area would represent a security threat. ETIAS will introduce an additional layer of systematic control compared to the current situation (without ETIAS) by allowing for early checks against relevant databases and assessment of the security, irregular migration and public health risk. The process applied in ETIAS involves Member State authorities in risk assessment for the most complex or problematic cases.

Eu-LISA will be also entrusted with the ECRIS-TCN 97 a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (TCN) to supplement and support the European criminal Records Information System (ECRIS).

Specific objective(s) and ABM/ABB activity(ies) concerned:

Specific objective No 1.2

Border management: Save lives and secure EU external borders.

ABM/ABB activity(ies) concerned

Related to spending programme ISF Borders and Visa, Horizon 2020.

1.4.2.Expected result(s) and impact

Specify the effects which the proposal/initiative should have on the beneficiaries/groups targeted.

Allow the Agency to continue to ensure:

- the efficient development of large-scale IT systems using an adequate project management structure for efficiently developing large-scale IT systems;

- the effective, secure and continuous operation of large-scale IT systems;

- the efficient and financially accountable management of large-scale IT systems;

- an adequately high quality of service for users of large-scale IT systems;

- continuity and uninterrupted service;

- a high level of data protection, in accordance with the applicable rules, including specific provisions for each large-scale IT system;

- an appropriate level of data and physical security, in accordance with the applicable rules, including specific provisions for each large-scale IT system.

1.4.3.- Indicators of results and impact

Specify the indicators for monitoring implementation of the proposal/initiative.

The Programming Document of eu-LISA for the following year shall comprise detailed objectives and expected results including performance indicators (KPIs and SLAs). It shall also contain a description of the actions to be financed and an indication of financial and human resources allocated to each action, in accordance with the principles of activity-based budgeting and management. It shall clearly indicate tasks that have been added, changed or deleted in comparison with the previous financial year. The annual report on the Agency's activities should report on the achievements against those indicators.

Every five years as from 2017, the Commission shall commission an independent external evaluation of the action of the Agency. The evaluation shall examine the Agency's performance in relation to its objectives, mandate, tasks and location. The evaluation shall also assess the contribution of the Agency to a coordinated, cost-effective and coherent IT environment at Union level for the management of large-scale IT systems supporting the implementation of Justice and Home Affairs (JHA) policies. The evaluation shall in particular assess the possible need to modify the mandate of the Agency (and the financial implications of any such modification).

1.5.Grounds for the proposal/initiative

1.5.1.Requirement(s) to be met in the short or long term

The first evaluation of the Agency's work based on an independent external evaluation and carried out in 2015-2016, concluded that eu-LISA effectively ensures the operational management of the large-scale IT systems and other tasks entrusted to it but also that a number of changes to the establishing Regulation are necessary such as the transfer to the Agency of the communication infrastructure tasks retained by the Commission. Building on the external evaluation, the Commission took into account policy, legal and factual developments and proposed in particular that the mandate of the Agency should be expanded to carry out the tasks derived from the adoption by the co-legislators of proposals entrusting new systems to the Agency, the tasks referred to in the Commission's Communication on Stronger and Smarter Information Systems for Borders and Security of 6 April 2016, in the final report of the High-level expert group on Systems and Interoperability of 11 May 2017 and the Commission's Seventh progress report towards an effective and genuine Security Union adopted on 16 May 2017. The Agency's mandate should also be extended to provide advice to Member States with regard to the national systems' connection to the central systems and for ad-hoc assistance/support where required as well as to provide assistance/support to the Commission services on technical issues related to new systems. The Agency should contribute to developments in research relevant to the operational management of the systems it manages. It should disseminate information on such developments to the European Parliament, the Council and the European Data Protection Supervisor.

The mandate of the Agency should also be extended to develop, operate, maintain and/or host joint technical solutions for the national implementation of obligations deriving from EU legislation on decentralised large-scale systems in the area of freedom, security and justice for interested Member States. This could be done by way of a delegation agreement between the Member States concerned and the Agency entrusting the latter with the above mentioned tasks and the corresponding budget.

The core function of the Agency should continue to be to fulfil the operational management tasks for SIS II, VIS and Eurodac and, if so decided by the co-legislators, other large-scale IT systems in the area of freedom, security and justice. In addition, the Agency should perform tasks relating to training on the technical use of IT systems entrusted to it. Furthermore, the Agency could also be made responsible for the preparation, development and operational management of additional large-scale IT systems in application of Articles 67 to 89 of the Treaty on the Functioning of the European Union (TFEU). The Agency should be entrusted with such tasks only by means of subsequent and separate legislative instruments, preceded by an impact assessment.

1.5.2.Added value of EU involvement

The objective of the proposed action is to confirm the conferral of the operational management of Central SIS, Central VIS and the National Interfaces, Central Eurodac, their communication infrastructures, as well as other systems and to entrust new additional tasks to eu-LISA. These tasks cannot be achieved by the Member States individually and can be better accomplished by action at the level of the Union.

The European Agenda on Migration identifies "border management" as one of the "four pillars to manage migration better". Securing external borders and managing them more efficiently implies making better use of the opportunities offered by IT systems and technologies.

This proposal will continue to provide a long term solution for managing SIS II, VIS, EURODAC and other large-scale IT systems in the area of freedom, security and justice, optimising synergies and ensuring economies of scale.

1.5.3.Lessons learned from similar experiences in the past

The initiative is based inter alia on a thorough analysis of the experience gained from the application of Regulation (EU) 1077/2011 including the evaluation of the action of the Agency conducted under Article 31 of that Regulation.

1.5.4.Compatibility and possible synergy with other appropriate instruments

This proposal builds on the existing eu-LISA Regulation which was subsequently amended in 2015 by Regulation (EU) 603/2013 98 in order to take into account the changes introduced by the Eurodac recast Regulation including access to Eurodac for law enforcement purposes. This proposal extends the mandate of the Agency to allow it to take over new tasks. The European Agendas on Security 99 and on Migration 100 set the direction for the development and implementation of EU policy to address the parallel challenges of migration management and the fight against terrorism and organised crime. The European Agenda on Migration highlighted the importance of the full use of the SIS, VIS and Eurodac large-scale IT systems which can bring benefits to border management as well as to enhance Europe's capacity to reduce irregular migration and return illegal migrants. It also noted that a new phase would come with the adoption of the proposal establishing an Entry/Exit System (EES) which would strengthen the fight against irregular migration by creating a record of cross-border movements of third-country nationals. The European Agenda on Security recalled that EU agencies play a crucial role in supporting operational cooperation. It encouraged Member States to make full use of the support of agencies to tackle crime through joint action and noted that increased cooperation between the agencies should also be promoted, within their respective mandates.

With this initiative the Commission contributes to rendering border management more effective and secure and to reinforcing security and combatting and preventing crime by enhancing the role and responsibilities of eu-LISA with regard not only to existing and new large-scale IT systems on cooperation and information exchange in the area of freedom, security and justice but also to support to Member States and to the Commission.

It also reflects and is fully consistent with the proposed amendments to the legislative instruments governing the development, establishment, operation and use of the systems managed currently by eu-LISA and with the proposals entrusting it with future systems.

This proposal should be seen in conjunction with the actions contained in the Communication of 6 April 2016 on 'Stronger and Smarter Information Systems for Borders and Security' 101 which highlights the need for the EU to strengthen and improve its IT systems, data architecture and information exchange in the area of border management, law enforcement and counter-terrorism.

1.6.Duration and financial impact

◻ Proposal/initiative of limited duration

–◻ Proposal/initiative in effect from [DD/MM]YYYY to [DD/MM]YYYY

–◻ Financial impact from YYYY to YYYY

⌧ Proposal/initiative of unlimited duration

–Implementation with a start-up period from YYYY to YYYY,

–followed by full-scale operation.

1.7.Management mode(s) planned 102

◻ Direct management by the Commission through

–◻ executive agencies

◻ Shared management with the Member States

⌧ Indirect management by entrusting budget implementation tasks to:

◻ international organisations and their agencies (to be specified);

◻the EIB and the European Investment Fund;

⌧ bodies referred to in Articles 208 and 209;

◻ public law bodies;

◻ bodies governed by private law with a public service mission to the extent that they provide adequate financial guarantees;

◻ bodies governed by the private law of a Member State that are entrusted with the implementation of a public-private partnership and that provide adequate financial guarantees;

◻ persons entrusted with the implementation of specific actions in the CFSP pursuant to Title V of the TEU, and identified in the relevant basic act.

Comments

2.MANAGEMENT MEASURES

2.1.Monitoring and reporting rules

Specify frequency and conditions.

Ample mechanisms for monitoring and evaluation of the Agency's action already exist and can be used; in particular the programming document constitutes an effective tool for this purpose. The effectiveness of the action of the Agency on the basis of the proposed measure, once adopted, will be subject to a mandatory evaluation every five years, whilst under the current Regulation the evaluations are carried out every four years.

The annual reporting obligations of the Agency include the preparation of the consolidated annual activity report and the preparation of final accounts.

2.2.Management and control system

2.2.1.Risk(s) identified

The main risk for the short term is whether eu-LISA has the capacity to cope with all the new tasks that are entrusted to it together with possible difficulties that could arise with the technical development of the systems risking putting at stake their timely development. An adequate level of resources is foreseen in this instrument to allow eu-LISA to carry out the expected tasks, however the lack of a proper Activity Based management could render eu-LISA's task more difficult. The COM invited on several occasions eu-LISA to swiftly implement such a monitoring.

2.2.2.Control method(s) envisaged

As a Union Agency eu-LISA applies the applicable control methods of decentralised agencies which have already been laid down in Regulation (EU) 1077/2011.

The eu-LISA Financial Regulation which is based on the Framework Financial Regulation for agencies sets out the appointment of an internal auditor and internal audit requirements.

2.3.Measures to prevent fraud and irregularities

Specify existing or envisaged prevention and protection measures.

Article 45 of the proposed Regulation concerns combatting fraud. It renders Regulation (EU, Euratom) No 883/2013 on investigations conducted by OLAF applicable to eu-LISA and empowers OLAF and the Court of Auditors to conduct further audits and investigations. The article corresponds to the model text for decentralised agencies.

Furthermore, eu-LISA adopted an Anti-fraud Strategy and an Action Plan to the Anti-fraud Strategy on 18 November 2015.

3.ESTIMATED FINANCIAL IMPACT OF THE PROPOSAL/INITIATIVE

3.1.Heading(s) of the multiannual financial framework and expenditure budget line(s) affected

·Existing budget lines

In order of multiannual financial framework headings and budget lines.

Heading of multiannual financial framework	Budget line	Type of expenditure	Contribution
	Heading 3 - Security and Citizenship	Diff./Non-diff. 103	from EFTA countries 104	from candidate countries 105	from third countries	within the meaning of Article 21(2)(b) of the Financial Regulation
3	18.0207 – European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice ('eu-LISA')	Diff.	YES	NO	NO	YES/NO

·New budget lines requested

In order of multiannual financial framework headings and budget lines.

Heading of multiannual financial framework

Budget line

Type of
expenditure

Contribution

Number
[Heading………………………………………]

Diff./non-diff.

from EFTA countries

from candidate countries

from third countries

within the meaning of Article 21(2)(b) of the Financial Regulation

[…]

[XX.YY.YY.YY]

[…]

YES/NO

3.2.Estimated impact on expenditure

3.2.1.Summary of estimated impact on expenditure

EUR million (to three decimal places)

Heading of multiannual financial
framework

Security and citizenship

eu-LISA		Year 2018	Year 2019	Year 2020	Years N+4 and later	TOTAL
Title 1
Baseline as per eu-LISA PD 2018-2020 106	Commitments / Payments	16,326	14,196	14,839		45,361
New instruments
. EES	Commitments / Payments	1,876	1,876	4,221		7,973
. ETIAS	Commitments / Payments	1,638	1,813	2,684		6,135
. SIS II borders	Commitments / Payments	0,210	0,210	0,210		0,630
. SIS II return	Commitments / Payments	0,070	0,070	0,070		0,210
. Eurodac Plus	Commitments / Payments	0,268	0,268	0,268		0,804
. ECRIS	Commitments / Payments	0,263	0,350	0,350		0,963
Additional staff revision 107	Commitments / Payments	2,902	3,178	3,454		9,534
CA cost – insourcing some external services	Commitments / Payments	1,520	1,520	1,520		4,560
Total Title 1	Commitments / Payments	25,073	23,481	27,616		76,170
Title 2:
Baseline	Commitments	10,455	0,125	9,832		20,412
New instruments
. ETIAS	Commitments	1,658	1,395	1,395		4,448
Additional budget revision 108	Commitments
CA cost – insourcing some external services	Commitments	-1,157	-1,157	-1,157		-3,470
Total Title 2	Commitments	10,957	0,363	10,070		21,391
Title 3:
Baseline	Commitments	58,918	73,093	64,492		196,503
New instruments
. EES	Commitments	57,513	144,325	21,605		223,443
. ETIAS	Commitments	23,467	11,023	55,800		90,290
. SIS II borders	Commitments	12,893	2,051	1,982		16,926
. SIS II return	Commitments	2,520	0,447	0,447		3,414
. Eurodac plus	Commitments	11,870	5,600	0		17,470
. Dublin	Commitments	0,983	0,135	0,735		1,853
. ECRIS	Commitments	3,766	3,766	3,766		11,298
Additional budget revision	Commitments	22,577	22,576	22,577		67,730
. CA cost – insourcing some external services	Commitments	-0,644	-0,644	-0,644		-1,933
. Transfer of the communication infrastructure from DG HOME to eu-LISA 109	Commitments	19,221	19,221	19,221		57,663
. Studies / Consultancy	Commitments	4,000	4,000	4,000		12,000
Total Title 3	Commitments	194,507	263,017	171,403		628,927

Title 1, 2, 3 baseline COM(2013)519	Commitments		85,700	87,414	89,163	262,277
	Payments		85,700	87,414	89,163	262,277
Title 1, 2, 3 new instruments
. EES	Commitments		59,389	146,201	25,826	231,416
	Payments		42,135	102,904	19,345	164,384
. ETIAS	Commitments		26,763	14,231	59,879	100,873
	Payments		26,763	14,231	59,879	100,873
. SIS II borders	Commitments		13,103	2,261	2,192	17,556
	Payments		2,710	8,103	4,861	15,674
. SIS II return	Commitments		2,590	0,517	0,517	3,624
	Payments		1,078	2,029	0,517	3,624
. Eurodac plus	Commitments		12,138	5,868	0,268	18,274
	Payments		8,577	4,188	8,908	21,673
. Dublin	Commitments		0,983	0,135	0,735	1,853
	Payments		0,983	0,135	0,735	1,853
. ECRIS	Commitments		4,029	4,116	4,116	12,261
	Payments		2,146	4,116	4,116	10,378
Title 1, 2, 3 Additional budget revision	Commitments / Payments		25,842	26,118	26,394	78,354
TOTAL appropriations for eu-LISA	Commitments	=1+1a +3a	230,537	286,861	209,090	726,488
	Payments	=2+2a +3b	199,380	274,408	216,812	690,600

Heading of multiannual financial
framework

‘Administrative expenditure’

EUR million (to three decimal places)

		Year 2018		Year 2019	Year 2020	Enter as many years as necessary to show the duration of the impact (see point 1.6)	TOTAL
DG: HOME
• Human Resources			2,001	2,001	2,001		6,003
• Other administrative expenditure			0,340	0,340	0,340		1,020
TOTAL DG HOME	Appropriations		2,341	2,341	2,341		7,023

TOTAL appropriations
under HEADING 5
of the multiannual financial framework

(Total commitments = Total payments)

2,341

7,023

EUR million (to three decimal places)

Year
2018

Year
2019

Year
2020

Enter as many years as necessary to show the duration of the impact (see point 1.6)

TOTAL

TOTAL appropriations
under HEADINGS 1 to 5
of the multiannual financial framework

Commitments

232,878

289,202

211,431

733,511

Payments

201,721

276,749

219,153

697,623

3.2.2.Estimated impact on eu-LISA's appropriations

–◻ The proposal/initiative does not require the use of operational appropriations

–⌧ The proposal/initiative requires the use of operational appropriations, as explained below:

Commitment appropriations in EUR million (to three decimal places)

Indicate objectives and outputs ⇩					Year 2018		Year 2019		Year 2020		Enter as many years as necessary to show the duration of the impact (see point 1.6)						TOTAL
	OUTPUTS
	Type 110	Average cost	No	Cost	No	Cost	No	Cost	No	Cost	No	Cost	No	Cost	No	Cost	Total No	Total cost
SPECIFIC OBJECTIVE No 1 operations existing systems 111 …
- Shared System Infrastructure						15,767		8,851		6,666								31,284
- SIS II						15,575		19,740		12,300								47,615
- VIS/BMS						20,053		38,578		39,602								98,233
- Eurodac						2,550		2,825		2,825								8,200
- External Support 112 - Meetings/Missions/Training						5,501		3,626		3,626								12,753

Subtotal for specific objective No 1						59,446		73,620		65,019								198,085
SPECIFIC OBJECTIVE No 2 – Development new systems
- Entry-Exit System						57,513		144,325		21,605								223,443
- ETIAS						23,467		11,023		55,800								90,290
- ECRIS						3,766		3,766		3,766								11,298
- Dublin allocation system						0,983		0,135		0,735								1,853
Subtotal for specific objective No 2						85,729		159,249		81,906
SPECIFIC OBJECTIVE No 3 – review existing systems
- SIS II borders						12,893		2,051		1,982								16,926
- SIS II return						2,520		0,447		0,447								3,414
Eurodac						11,870		5,600		0								17,470

Subtotal for specific objective No 3						27,283		8,099		2,429
SPECIFIC OBJECTIVE No 4 – additional tasks
- CA cost – Insourcing external services						-1,171		-1,171		-1,171								-3,515
- transfer network 113						19,221		19,221		19,221								57,663
-studies/consultancy						4,000		4,000		4,000								12,000
Subtotal for specific objective No 4						22,049		22,049		22,049								66,148
TOTAL COST						194,507		263,017		171,403								628,927

3.2.3.Estimated impact on eu-LISA's human resources

3.2.3.1.Summary

–◻ The proposal/initiative does not require the use of appropriations of an administrative nature

–⌧ The proposal/initiative requires the use of appropriations of an administrative nature, as explained below:

EUR million (to three decimal places)

Year
2018

Year
2019

Year
2020

COM(2013)519 baseline	113	113	113
Seconded National Experts in place	9	9	9
Contract Agents in place	30	30	30
Temporary Agents for development Entry-Exit System COM(2016)194 subject to the adoption of the legal instrument	14	14	14 114
Temporary Agents for development ETIAS COM(2016)731 subject to the adoption of the legal instrument	7	7	7
Contract Agents for development ETIAS COM(2016)731 subject to the adoption of the legal instrument	10	12.5	25
Contract Agents for SIS II recast border /police /return COM(2016) 881, 882 and 883 subject to the adoption of the legal instrument	4	4	4
Temporary Agents for Eurodac recast COM(2016) 272 subject to the adoption of the legal instrument	2	2	2
Contract Agents for development ECRIS	5	5	5
Total temporary Agents in place including EES, ETIAS, Eurodac proposals	136	136	136
Total contract Agents in place including ETIAS, SIS II recast, ECRIS proposals	49	51.5	64
Total Seconded National Experts in place including EES, ETIAS, SIS II recast, Eurodac, ECRIS proposals	9	9	9
TOTAL temporary Agents, Contract Agents and Seconded National Experts including EES, ETIAS, SIS II recast, Eurodac, ECRIS proposals	194	196.5	209
Add’l Contract Agents (insourcing 25 interim staff + 2 Contract Agents (to reinforce the legal and internal audit team))	27	27	27
Add’l Seconded National Experts to support the implementation of the new activities that would need Member States expertise to provide the required business expertise	2	2	2
Add'l Temporary Agents for the Technical Support Office: 18 AD (progressive intake), Ref. Articles 9, 10, 11, 12). (The Technical Support Office will have the following tasks: (a) provide technical support to the rolling-out of the interoperability agenda, (b) help Member States better aligning national infrastructures to EU systems, (c) develop common centralised IT solutions to help (groups of) Member States implementing decentralised IT systems, and (d) monitor and implement relevant research activities). Required job profiles: - 2 project managers (2 AD) - 2 general analysts / business experts, responsible for technical impact asssessments and technical ex-ante evaluations (2 AD) - 2 systems architects, responsible for designing IT solutions to identified challenges (2 AD) - 1 IT expert, responsible for costs assessment (1 AD) - 1 data analyst, responsible for analysing and ensuring data consistency between systems (1 AD) - 2 test experts, responsible for conducting pilots, proofs of concept, prototyping and testing activities (2AD) - 5 security, biometric and network specialists, for the assessment, design and implementation of IT solutions (5 AD) - 3 research officers, for the monitoring and implementation of relevant research activities (2 AD + 1 AST)	14	16	18
Add'l Temporary Agents for other activities (2 AD) - Finance and administration:1 procurement/contractual officer (1 AD) - Network (following the shift of contractual responsibilities for the communication infrastructure (allowing the exchange of information of the VIS and SIS) from COM to eu-LISA) (1 AD)	2	2	2
Add’l Temporary Agents for additional managerial resources (1 AD Head of Department and 2 AD Head of units) to supervise the new Technical Support Office	3	3	3
Total additional Temporary Agents	19	21	23
TOTAL additional Temporary Agents, Contract Agents and Seconded National Experts	48	50	52
OVERALL TOTAL (including staff subject to the adoption of the legal instruments EES, ETIAS, SIS II, Eurodac recast and ECRIS)	242	246.5	261

Estimated impact on the establishment plan 115

A – Additional Temporary Agents

The following additional staff is necessary in order to be able to cope with the new tasks as defined in articles 9, 10, 11 and 12 of this Regulation. These new tasks cannot be carried out within the staff and financial resources profile foreseen in the original programming for the Agency and the reinforcements included in the LFS adopted in 2016 that were solely covering the needs for the setting up of EES, ETIAS and Eurodac Recast.

In order to implement the new tasks entrusted to it the Agency shall set up a permanent and stable dedicated team, aware of the business and technical context of the relevant information systems, both in eu-LISA and in the Member States. This 'Technical Support Office' will have the following tasks:

(a)provide technical support to the rolling-out of the interoperablity agenda

As stipulated in Articles 9 and 11 the Agency will be responsible for further actions to enable interoperability of information systems for borders and security. Tasks will include – inter alia – the undertaking of technical studies and the conducting of pilots, proofs of concept, prototyping and testing activities. These tasks cannot be carried out by the existing resources that are assigned to the operation of existing systems and the development of future systems, without risking to jeopardize the proper functionning/development of these systems.

(b)help Member States better aligning national infrastructures to EU systems

Article 12 entrusts eu-LISA with the task of providing ad hoc support to Member States on issues related to connections to central systems. Tasks would involve emergency responses similar to those carried out during the migration crisis at the hotspots, where eu-LISA was requested to carry out technical assesments and provide recommendations as regards possible alignments of the national infrastructures in relation to EU systems, or to work on the setting up of mobile solutions. In addition eu-LISA would also support the Commission on technical issues related to existing or new systems.

(c)develop common centralised IT solutions to help (groups of) Member States implementing decentralised IT systems

Article 12 allows eu-LISA to respond to requests from (a group of) Member States regarding the development, maintenance and hosting of common centralised IT solutions, responding to obligations that are deriving from Union legislation on decentralised large scale IT systems. eu LISA's intervention is required to respond to a need where an EU added value is clearly identified, and that cannot be provided by commercial IT service providers.

Eu-LISA would carry out a preliminary study to assess the impact of such requests and in particular their financial dimension. Once concrete projects are identified and agreed with the requesting Member States (via a delegation agreement including the Member States' contributions to be recovered) they should be included in the regular programming cycle of eu-LISA. Here again a permanent team, aware of the business and technical context, both in eu-LISA and in the Member states, is needed to carry out the preparatory activities and to accompany the developments. Should these activities increase, and several projects to be carried out in parrallel, the level of resources would have to be adapted accordingly. Examples of such activities are possible developments of common technical platforms to communicate with the air carriers in the context of API/PNR. A progressive intake is foreseen since concrete projects will be gradually identified and implemented.

(d)monitor and implement relevant research activities

Article 10 tasks eu-LISA with some responsibilities in the area of research. The Agency will monitor developments in research that are relevant for the operational management of its sytems. In addition it may contribute to the implementation of relevant parts of the Framework Programme for Research. As a highly specialised body in the field of IT and biometrics eu-LISA can add value to this programme. It is best placed to follow-up projects in these fields since neither the Commission nor the Research Executive Agency have comparable expertise.

In addition to the temporary agents for implementing the new tasks of the 'Technical Support Office' further temporary agents will be necessary for:

–Finance and administration (reinforcement of administrative support linked to the increase of budget managed by the Agency). The external evaluation identified as critical the need for the Agency to set up a proper activity based management system. This is becoming even more important having regard to the high budgetary responsibilities that are entrusted to the Agency.

–The network (the communication infrastructure allowing for the exchange of information of the VIS and SIS), where responsibilities will be shifted from COM to eu-LISA, ref Article 7).

–Management of the Agency: By 2020 the overall number of staff of the Agency is expected to almost double compared to the present situation. As a result the Agency will have to revise its organizational structure, and will need to create new management positions in particular for the supervision of the new Technical Support Office. The external evaluation has clearly identified this need, regardless of the identification of the additional tasks described above (which further add to the need to strengthen the management of the Agency).

In total, 23 additional Temporary Agents are needed in the establishment plan to implemement the above tasks.

Function group	Year 2018	Year 2019	Year 2020
Additional ADs	18	20	22
Additional ASTs	1	1	1
GRAND TOTAL	19	21	23

B – Replacement of existing interim staff by contract agents

There is an identified need to internalise a number of interim staff, in order to adress operational needs in the current fragile security environment, staffing gaps identified at the external evaluation of the Agency, and needs in relation to business continuity and statutory compliance. Where external staff still fits better e.g. for short term replacements or specialists for limited projects the agency intends to keep them. However, in many other cases externalisation is seen as ineffective and inefficient. External interim staff are not equivalent to regular staff of the agency in many respects (turnover rate is very high - poor motivation due to non-existing long-term perspectives and growth possibilities; high skills/knowledge is generally unavailable; no disciplinary accountability, security limitations with regard to access to information and corporate resources (especially relevant to eu-LISA due to its mandate and operational reality); difficult integration: limited access to corporate infrastructure (e.g. financial software, document management system, human resources). For all these reasons it is in the joint interest of all that eu-LISA decreases its dependency on external providers.

The 25 FTE to be insourced as Contract Agents are foreseen to ensure:

·satisfying growing operational needs: The external evaluation underlined that the growing number of IT systems managed by eu LISA, together with their increase in size and capacity (recent upgrades of EURODAC, implementation of the SIS AFIS, capacity upgrade of the VIS…) and increased complexity of their operations require the setting up of a very strict operational framework materialised notably by the implementation of ITSM (IT Service Management). For this system development and management the agency needs motivated, long-term and security-sensitive staff which can efficiently build on continuous experience. In addition the evaluation also recommended setting up an Evaluation and Project management Office (EPMO) to develop further its internal project governance model. Setting up ITSM and EPMO were identified as critical.

·Security: important and sensitive posts like project management, planning and security–related posts should be filled by integrated, accountable and security-sensitive and long-term staff. The evaluation has highlighted as critical the need to strengthen the security management competencies and to segregate some of the duties in the field of security.

·Business continuity: the systems operated by eu-LISA are critical for the functioning of the Schengen area and Europe's security. Business continuity is vital and legally mandatory for them. It should not be compromised by unaccountable, poorly motivated and security-risk carrying external staff.

·Procurement/financial activities: The external evaluation identified as critical the need for the Agency to set up a proper activity based management system. This is becoming even more important having regard to the high budgetary responsibilities that are entrusted to the Agency in order to implement the existing and new tasks and activities. eu-LISA will need additional staff for skilful, correct and efficient procurement and financial management. Again, motivated, responsible and accountable staff that knows the agency and its needs is needed for these tasks that cannot be handled by interim staff.

In addition the Commission identified that two Contract Agents are needed to:

–Reinforce the legal team of eu-LISA (1 Contract Agent) this with a view to improve the quality of all legal production but also to allow eu LISA building an internal legal capacity allowing them to assess the legal impact of their envisaged actions.

–Reinforce the Internal audit team to ensure the implementation of the annual internal audit plan (1 Contract Agent) and to build up an internal capacity to carry out all the necessary ex ante evaluations that are lacking today.

Two Seconded National Experts are needed to provide the necessary business expertise on the national IT environments. This is needed to provide the appropriate technical answers when designing IT solutions and the existing Seconded National Experts pool must be reinforced in light of the new tasks.

In the current security environment where IT systems and interoperability are playing a key role in the envisaged solutions to reinforce security at European level, eu-LISA is a key contributor. Member States and the Commission need the agency to manage reliable IT systems for borders and security, to close security gaps in the IT systems infrastructure and to develop interoperability.

In this context, allowing eu-LISA to count on a pool of stable resources is a key success factor and the envisaged internalisation of staff is needed as soon as possible.

Contract agents		Year 2018	Year 2019	Year 2020
Total		27	27	27

Seconded National Experts		Year 2018	Year 2019	Year 2020
Total		2	2	2

Recruitments will be made in the first semester of each financial year.

3.2.3.2.Estimated requirements of human resources for the parent DG

–◻ The proposal/initiative does not require the use of human resources.

–⌧ The proposal/initiative requires the use of human resources, as explained below:

Estimate to be expressed in full amounts (or at most to one decimal place)

		Year 2018	Year 2019	Year 2020	Enter as many years as necessary to show the duration of the impact (see point 1.6)
·Establishment plan posts (officials and temporary staff)
18 01 01 01 (Headquarters and Commission’s Representation Offices)		14.5	14.5	14.5
XX 01 01 02 (Delegations)
XX 01 05 01 (Indirect research)
10 01 05 01 (Direct research)

• External staff (in Full Time Equivalent unit: FTE) 116
XX 01 02 01 (AC, END, INT from the ‘global envelope’)
XX 01 02 02 (AC, AL, END, INT and JED in the Delegations)
XX 01 04 yy 117	- at Headquarters 118
	- in Delegations
XX 01 05 02 (AC, END, INT – Indirect research)
10 01 05 02 (AC, END, INT – Direct research)
Other budget lines (specify)
TOTAL		14.5	14.5	14.5

Additional human resources are required in DG HOME to allow following up the new activities of the Agency. New Advisory groups will be created for the new systems requesting COM attendance and preparatory works. In addition all the new tasks entrusted to the Agency will lead to the production of technical reports, the organisation of pilots and proof of concepts that Commission services will need to revise and follow. In that respect the very limited technical team of DG HOME must be reinforced. In addition to that, 1.5 FTE are added to cover the involvement of DG JUST with the development of ECRIS-TCN, as well as the preparation of the necessary implementing acts concerning the specifications of the system. 9.5 additional posts are needed on top of the existing baseline of 6.5 in DG HOME and DG JUST.

Description of tasks to be carried out:

Officials and temporary staff	Coordination and follow-up of the Agency by the Commission: In addition to the 5 existing FTEs there is a need for 1 biometric expert, 2 general IT experts, 1 security expert, 1 finance officer and 3 policy officers for Management Board / Advisory Group follow-up and Impact Assessment / ex-ante evaluations for DG HOME and 1.5 FTEs for DG JUST.
External staff

Description of the calculation of cost for FTE units should be included in the Annex V, section 3.

3.2.4.Compatibility with the current multiannual financial framework

–⌧ The proposal/initiative is compatible the current multiannual financial framework.

–◻ The proposal/initiative will entail reprogramming of the relevant heading in the multiannual financial framework.

Explain what reprogramming is required, specifying the budget lines concerned and the corresponding amounts.

[…]

–◻ The proposal/initiative requires application of the flexibility instrument or revision of the multiannual financial framework 119 .

Explain what is required, specifying the headings and budget lines concerned and the corresponding amounts.

[…]

3.2.5.Third-party contributions

–The proposal/initiative does not provide for co-financing by third parties.

–The proposal/initiative provides for the co-financing estimated below:

EUR million (to three decimal places)

	Year N	Year N+1	Year N+2	Year N+3	Enter as many years as necessary to show the duration of the impact (see point 1.6)	Total
Specify the co-financing body
TOTAL appropriations co-financed

3.3.Estimated impact on revenue

–◻ The proposal/initiative has no financial impact on revenue.

–⌧ The proposal/initiative has the following financial impact:

on own resources

on miscellaneous revenue

EUR million (to three decimal places)

Budget revenue line:

Appropriations available for the current financial year

Impact of the proposal/initiative 120

Year
2018

Year
2019

Year
2020

Enter as many years as necessary to show the duration of the impact (see point 1.6)

Article 6313

Contribution Schengen associated countries (CH, NO, LI, IS)

p.m.

For miscellaneous ‘assigned’ revenue, specify the budget expenditure line(s) affected.

18.0207 eu-LISA

Specify the method for calculating the impact on revenue.

The budget shall include a contribution from countries associated with the implementation, application and development of the Schengen acquis and the Eurodac related measures as laid down in the respective agreements.

(1) Regulation (EU No 603/2013 of the European Parliament and of the Council on the establishment of 'Eurodac' for the comparison of fingerprints for the effective application of {Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member States responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person}, and on requests for the comparison with Eurodac data by Member States' law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (recast). OJ L 180, 9.6.2013.

(2) Communication from the Commission to the European Parliament and the Council Stronger and Smarter Information Systems for Borders and Security. COM(2016) 205 final, 6.4.2016.

(3) http://ec.europa.eu/transparency/regexpert/index.cfm?do=groupDetail.groupDetailDoc&id=32600&no=1

(4) COM(2017) 261 final.

(5) http://bookshop.europa.eu/is-bin/INTERSHOP.enfinity/WFS/EU-Bookshop-Site/en_GB/-/EUR/ViewPublication-Start?PublicationKey=DR0116464

(6) COM(2017) 346, 29.6.2017.

(7) SWD(2017) 249, 29.6.2017.

(8) Certain operational and security tasks concerning DubliNet were transferred to eu-LISA by a service level agreement dated of 31 July 2014 between the Agency and the Director General for Migration and Home Affairs. The Commission retained responsibility for budget and contractual matters. DubliNet shall be legally transferred to the Agency by a provision amending Regulation (EU) 1077/2011 of the Eurodac recast proposal. COM(2016) 272 final, 4.5.2016.

(9) The functioning of VISION (the Schengen Consultation Network) was entrusted to eu-LISA by a service level agreement signed between the Member States and Iceland, Liechtenstein and Norway using VISION, represented by the Presidency of the Council of the European Union and the Agency on 27 May 2013.

(10) During the negotiations of the Smart Borders Package adopted by the Commission on 28 February 2013 a number of technical, operational and cost concerns emerged which were deemed to require further investigation. On 4 February 2014 COREPER endorsed a proof of concept exercise consisting of a Commission-led exercise and a test phase or Pilot to be conducted by eu-LISA. The pilot was entrusted to eu-LISA by way of a delegation agreement and successfully carried out in 2015.

(11) Commission delegated Regulation (EU) No 1271/2013 of 30 September 2013 on the framework financial regulation for the bodies referred to in Article 208 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council, OJ L 328, 7.12.2013, p. 42.

(12) Proposal for a Regulation of the European Parliament and of the Council establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States of the European Union and determining the conditions for access to the EES for law enforcement purposes and amending Regulation (EC) No 767/2008 and Regulation (EU) 1077/2011 COM(2016 194 final, 6.4.2016.

(13) Proposal for a Regulation of the European Parliament and of the Council establishing the criteria and mechanisms for determining the Member State responsible for examining the application for international protection lodged in one of the Member States by a third-country national or a stateless person (recast) COM(2016) 270 final, 4.5.2016.

(14) Proposal for a Regulation of the European Parliament and of the Council establishing a European Travel Information and Authorisation Information System and amending Regulations (EU) No 515/2014, (EU) 2016/794 and (EU) 2016/1624. COM(2016) 731 final, 16.11.2016.

(15) Communication from the Commission to the European Parliament and the Council Stronger and Smarter Information Systems for Borders and Security. COM(2016) 205 final, 6.4.2016.

(16) Proposal for a Regulation of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1987/2006. COM(2016) 882 final.21.12.2016; Proposal for a Regulation of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) No 1986/2006, Council Decision 2007/533/JHA and Commission Decision 2016/261/EU. COM(2016) 883 final, 21.12.2016.

(17) Proposal for a Regulation of the European Parliament and of the Council on the establishment of 'Eurodac' for the comparison of fingerprints for the effective application of {Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member States responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person}, for identifying an illegally staying third-country national or stateless person and on requests for the comparison with Eurodac data by Member States' law enforcement authorities and Europol for law enforcement purposes (recast). COM(2016) 272 final, 4.5.2016.

(18) The Seventh progress report towards an effective and genuine Security Union invited the European Parliament and the Council to hold a joint discussion on the way forward on interoperability as set out in communication. To this end the Commission will present and discuss these ideas with the European Parliament's Committee on Civil Liberties, Justice and Home Affairs (LIBE) on 26 May 2017 and with the Member States at the 9 June 2017 Justice and Home Affairs Council. Building on those discussions, it is expected that the three institutions hold tripartite technical level meetings in autumn 2017 further to discuss the way forward on interoperability as set out in this Communication including the operational needs for borders and security and how to ensure proportionality and full compliance with fundamental rights. The goal is to reach as soon as possible, and at the latest before the end of 2017, a common understanding on the way forward and on the necessary steps to be taken to achieve interoperability of information systems by 2020. On the basis of such common understanding the Commission will present in early spring 2018 a legislative proposal on interoperability. In parallel to the joint discussions between the three institutions, and without anticipating its outcome, the Commission and eu-LISA will need to conduct further technical analysis on the proposed solutions for interoperability in the course of 2017, through a series of technical studies and proofs of concept. The Commission will regularly update the European Parliament and the Council on progress made in this technical analysis. Taking advantage of the exchanges with the European Parliament and the Council the Commission is working intensively to present, as soon as possible, a legislative proposal on interoperability.

(19) Council Decision 2008/615/JHA (23.6.2008).

(20) Directive (EU) 2016/681 (27.4.2016).

(21) Proposal for a Regulation of the European Parliament and of the Council establishing a centralised mechanism for the identification of Member States holding conviction information on third-country nationals and stateless persons (TCN) to supplement and support the European Criminal Records Information System (ECRIS), and amending Regulation (EU) 1077/2011 (ECRIS-TCN system). COM(2017) 344, 29.6.2017.

(22) Regulation (EU No 603/2013 of the European Parliament and of the Council on the establishment of 'Eurodac' for the comparison of fingerprints for the effective application of {Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member States responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person}, and on requests for the comparison with Eurodac data by Member States' law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (recast). OJ L 180, 9.6.2013.

(23) COM(2015) 185 final, 28.4.2015.

(24) COM(2015) 240 final, 13.5.2015.

(25) O.J. L66,8.3.2006,p. 38.

(26) OJ L 176, 10.7.1999, p. 36.

(27) Agreement between the European Community and the Republic of Iceland and the Kingdom of Norway concerning the criteria and mechanisms for establishing the State responsible for examining a request for asylum lodged in a Member State or in Iceland or Norway, OJ L 93, 3.4.2001, p. 40-47.

(28) OJ L 53, 27.2.2008, p. 52.

(29) OJ L 53, 27.2.2008, p. 1.

(30) Council Decision of 28 January 2008 on the conclusion on behalf of the European Community of the Agreement between the European Community and the Swiss Confederation concerning the criteria and mechanisms for establishing the State responsible for examining a request for asylum lodged in a Member State or in Switzerland, OJ L 53, 27.2.2008, p. 3.

(31) OJ L 83, 26.3.2008, p. 3.

(32) Protocol between the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Community and the Swiss Confederation concerning the criteria and mechanisms for establishing the State responsible for examining a request for asylum lodged in a the Member State or in Switzerland, OJ L 160, 18.6.2011.

(33) Protocol between the European Community, the Swiss Confederation and the Principality of Liechtenstein to the Agreement between the European Community and the Swiss Confederation concerning the criteria and mechanisms for establishing the State responsible for examining a request for asylum lodged in a Member State or in Switzerland OJ L 161,24.6.2009, p.6 and Protocol to the Agreement between the European Community, the Republic of Iceland and the Kingdom of Norway concerning the criteria and mechanisms for establishing the State responsible for examining a request for asylum lodged in a Member State or in Iceland or Norway OJ L 57, 28.2.2006, p.16.

(34) http://bookshop.europa.eu/is-bin/INTERSHOP.enfinity/WFS/EU-Bookshop-Site/en_GB/-/EUR/ViewPublication-Start?PublicationKey=DR0116464

(35) COM(2017) 346, 29.6.2017.

(36) The amendments concerning EES have been foreseen in the EES proposal. They might be subject to amendments in the process of finalisation of negotiations with the EP and Council.

(37) The amendments to the eu-LISA Regulation concerning DubliNet have been foreseen in the Eurodac recast proposal and are subject to the adoption of that proposal. The operation of DubliNet was already entrusted to the Agency by way of a service level agreement between the Directorate General Home Affairs and eu-LISA on 31.7.2014.

(38) The amendments to the eu-LISA Regulation on ETIAS have not been foreseen in the ETIAS proposal but could be inserted during the negotiations of the text. In any event they are subject to adoption of that proposal.

(39) The amendments to the eu-LISA Regulation have not been inserted in the Dublin recast proposal and in any event will be subject to adoption of that proposal.

(40) The amendments to the eu-LISA Regulation have been inserted in the ECRIS-TCN proposals and are subject to the adoption of that proposal.

(41) TESTA-ng is a project developed in the form of a network service on the basis of Article 3 of Decision No 922/2009/EC of the European Parliament and of the Council of 16 September 2009 on interoperability solutions for European Public Administrations, OJ L 260, 3.10.2009, p.20.

(42) Regulation (EU, Euratom) No 966/2012 on the financial rules applicable to the general budget of the Union and repealing Council Regulation (EC, Euratom) No 1605/2002, L 298, 26.10.2012, p. 1.

(43) Commission Delegated Regulation (EU) No 1271/2013 of 30 September 2013 on the framework financial regulation for the bodies referred to in Article 208 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council OJ L 328, 7.12.2013, p. 42.

(44) OJ L 328, 7.12.2013, p. 42.

(45) Commission Decision of 11.6.2014 on the adoption of a Memorandum of Understanding between the European Commission and the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, C(2014) 3486 final. The MoU entered into force on 18 June 2014.

(46) Position of the European Parliament of 5 July 2011 (not yet published in the Official Journal) and Decision of the Council of 12 September 2011.

(47) Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (OJ L 381, 28.12.2006, p. 4).

(48) Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (OJ L 205, 7.8.2007, p. 63).

(49) Council Decision 2004/512/EC of 8 June 2004 establishing the Visa Information System (VIS) (OJ L 213, 15.6.2004, p. 5).

(50) Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (OJ L 218, 13.8.2008, p. 60).

(51) Council Regulation (EC) No 2725/2000 of 11 December 2000 concerning the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of the Dublin Convention (OJ L 316, 15.12.2000, p. 1).

(52) Council Regulation (EC) No 407/2002 of 28 February 2002 laying down certain rules to implement Regulation (EC) No 2725/2000 concerning the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of the Dublin Convention (OJ L 62, 5.3.2002, p. 1).

(53) Regulation (EU) No 603/2013 of the European Parliament and of the Council of 26 June 2013 on the establishment of 'Eurodac' for the comparison of fingerprints for the effective application of Regulation (EU) 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person and on requests for the comparison with Eurodac data by Member States' law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) of the European Parliament and of the Council No 1077/2011 of 25 October 2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (OJ L 180, 29.6.2013, p. 1).

(54) Regulation (EU) 1077/2011 of the European Parliament and of the Council of 25 October 2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (OJ L 286, 1.11.2011, p. 1).

(55) Council Decision 2008/633/JHA of 23 June 2008 concerning access for consultation of the Visa Information System (VIS) by designated authorities of Member States and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences (OJ L 218, 13.8.2008, p. 129).

(56) COM(2017) 346, 29.6.2017.

(57) COM(2017) 134, 23.3.2017. Annex 2 of this Communication provides the general guidelines, recommendations and best practices for achieving interoperability or at least for creating the environment to achieve better interoperability when designing, implementing and managing European public services.

(58) Commission Regulation (EC) No 1560/2003 of 2 September 2003 laying down detailed rules for the application of Council Regulation (EC) No 343/2003 establishing the criteria and mechanisms for determining the Member State responsible for examining an asylum application lodged in one of the Member States by a third-country national (OJ L 222, 5.9.2003, p.3).

(59) Decision No 922/2009/EC of the European Parliament and of the Council of 16 September 2009 on interoperability solutions for European Public Administrations (ISA), OJ L 280, 3.10.2009, p. 20.

(60) Regulation (EU, Euratom ) No 966/2012 of the European Parliament and of the Council of 25 October 2012 on the financial rules applicable to the general budget of the Union and repealing Council Regulation (EC, Euratom) No 1605/2002 (OJ L 298, 26.10.2012, p. 1).

(61) Regulation (EU) No 515/2014 of the European Parliament and of the Council of 16 April 2014 establishing, as part of the Internal Security Fund, the instrument for financial support for external borders and visa and repealing Decision No 574/2007/EC (OJ L 150, 20.5.2014, p. 143).

(62) Regulation (EU) 2016/1624 of the European Parliament and of the Council of 14 September 2016 on the European Border and Coast Guard and amending Regulation (EU) 2016/399 of the European Parliament and of the Council and repealing Regulation (EC) No 863/2007 of the European Parliament and of the Council, Council Regulation (EC) No 2007/2004 and Council Decision 2005/267/EC (OJ L 251, 16.9.2016, p. 1).

(63) Proposal for a Regulation of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) 1986/2006, Council Decision 2007/533/JHA and Commission Decision 2010/261/EU. COM(2016)883 final.

(64) OJ C 139, 14.6.2006, p. 1.

(65) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).

(66) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).

(67) Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of the Council and Council Regulation (Euratom) No 1074/1999 (OJ L 248, 18.9.2013, p. 1).

(68) OJ L 136, 31.5.1999, p. 15.

(69) OJ L 56, 4.3.1968, p. 1.

(70) Commission Delegated Regulation (EU) No 1271/2013 of 30 September 2013 on the framework financial regulation for the bodies referred to in Article 208 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council (OJ L 328, 7.12.2013, p. 42).

(71) OJ L 66, 8.3.2006, p. 38.

(72) OJ L 131, 1.6.2000, p. 43.

(73) OJ L 64, 7.3.2002, p. 20.

(74)

OJ L 131, 1.6.2000, p. 43.

(75) OJ L 176, 10.7.1999, p. 36.

(76) OJ L 176, 10.7.1999, p. 31.

(77) OJ L 93, 3.4.2001, p. 40.

(78) OJ L 53, 27.2.2008, p. 52.

(79) OJ L 53, 27.2.2008, p. 1.

(80) OJ L 53, 27.2.2008, p. 5.

(81) OJ L 160, 18.6.2011, p. 21.

(82) OJ L 160, 18.6.2011, p. 19.

(83) OJ L 160, 18.6.2011, p. 39.

(84) The amendments concerning EES have been foreseen in the EES proposal. They might be subject to amendments in the process of finalisation of negotiations with the EP and Council.

(85) The amendments to the eu-LISA Regulation concerning DubliNet have been foreseen in the Eurodac recast proposal and are subject to the adoption of that proposal.

(86) The amendments to the eu-LISA Regulation on ETIAS have not been foreseen in the ETIAS proposal but could be inserted during the negotiations of the text. In any event they are subject to adoption of that proposal.

(87) The amendments to the eu-LISA Regulation have not been inserted in the Dublin recast proposal and in any event will be subject to adoption of that proposal.

(88) The amendments to the eu-LISA Regulation have been inserted in the ECRIS-TCN proposals and are subject to the adoption of that proposal.

(89) This is currently only the case of Eurodac but the ECRIS-TCN system will also use the EuroDomain.

(90) Proposal for a Regulation of the European Parliament and of the Council on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending Regulation (EU) No 515/2014 and repealing Regulation (EC) 1986/2006, Council Decision 2007/533/JHA and Commission Decision 2010/261/EU. COM(2016)883 final.

(91) Regulation No 1 of 15 April 1958 determining the languages to be used by the European Economic Community, OJ P 17, 6.10.1958, p. 385

(92) Commission Decision (EU, Euratom) 2015/443 of 13 March 2015 on Security in the Commission (OJ L 72, 17.3.2015, p. 4).

(93) Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information (OJ L 72, 17.3.2015, p. 53).

(94) Council Regulation (Euratom, EC) No 2185/96 of 11 November 1996 concerning on-the-spot checks and inspections carried out by the Commission in order to protect the European Communities' financial interests against fraud and other irregularities (OJ L 292, 15.11.1996, p. 2).

(95) ABM: activity-based management; ABB: activity-based budgeting.

(96) As referred to in Article 54(2)(a) or (b) of the Financial Regulation.

(97) The development of ECRIS-TCN will be financed from the Justice programme and will be budget neutral for the heading 3.

(98) Regulation (EU No 603/2013 of the European Parliament and of the Council on the establishment of 'Eurodac' for the comparison of fingerprints for the effective application of {Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member States responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person}, and on requests for the comparison with Eurodac data by Member States' law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (recast). OJ L 180, 9.6.2013.

(99) COM(2015) 185 final, 28.4.2015.

(100) COM(2015) 240 final, 13.5.2015.

(101) COM(2016) 205 final, 6.4.2016.

(102) Details of management modes and references to the Financial Regulation may be found on the BudgWeb site: https://myintracomm.ec.europa.eu/budgweb/EN/man/budgmanag/Pages/budgmanag.aspx .

(103) Diff. = Differentiated appropriations / Non-diff. = Non-differentiated appropriations.

(104) EFTA: European Free Trade Association.

(105) Candidate countries and, where applicable, potential candidates from the Western Balkans.

(106) The baseline does not contain additional contractual agents in 2018.

(107) The additional budget covers 23 temporary agents, 2 contractual agents and 2 seconded national experts as explained in section 3.2.3.

(108) A substantial provision for building expenditure might be needed for the extension of the Strasbourg site to expand the hosting capacity needed for the development of further systems. Eu LISA is currently assessing its needs. If such a need is confirmed eu LISA will follow the building procedure with the European Parliament and the Council and the necessary budgetary provisions would be introduced via the Draft Budget Procedure (DB 2019).

(109) The transfer of the communication infrastructure will take place on the one hand for the VIS already in 2018 as per Article 19a (9) of the EES Regulation to be adopted in 2017 and after adoption of the revised eu-LISA Regulation for the SIS (see also footnote 19).

(110) Outputs are products and services to be supplied (e.g.: number of student exchanges financed, number of km of roads built, etc.).

(111) As described in point 1.4.2. ‘Specific objective(s)…’.

(112) The in-sourcing of staff has been deducted as outlined in the memorandum of eu-LISA on draft budget 2018.

(113) The future EES Regulation, once adopted, will amend Article 26 of the VIS Regulation (EC) No 767/2008 of 9 July 2008 stating that six months after the entry into force of the Regulation establishing the EES, the Management Authority shall be responsible for the VIS administrative tasks related to the communication infrastructure managed until now by the Commission. This provision in the future EES regulation will serve as a legal base for the transfer of the related budget (roughly 50% of the 19,221 Mio EUR for VIS and SIS combined) to the Agency even if the new eu-LISA Regulation to which this legislative financial statement is attached would not yet be adopted by then.

(114) 14 posts are added for the development of the Entry Exit System to the establishment plan of eu-LISA. The number of posts for 2020 and the subsequent years will be re-assessed in the course of the preparation of the draft EU budget for 2020, taking into consideration the specific needs for the operation of the system 24 hours a day and 7 days a week.

(115) The additional staff referred to in the tables below does not include the Temporary Agents / Contract Agents that are subject to the adoption of the legal instruments EES, ETIAS, SIS II and Eurodac recast.

(116) AC = Contract Staff; AL = Local Staff; END = Seconded National Expert; INT = agency staff; JED = Junior Experts in Delegations.

(117) Sub-ceiling for external staff covered by operational appropriations (former ‘BA’ lines).

(118) Mainly for the Structural Funds, the European Agricultural Fund for Rural Development (EAFRD) and the European Fisheries Fund (EFF).

(119) See Articles 11 and 17 of Council Regulation (EU, Euratom) No 1311/2013 laying down the multiannual financial framework for the years 2014-2020.

(120) As regards traditional own resources (customs duties, sugar levies), the amounts indicated must be net amounts, i.e. gross amounts after deduction of 25 % for collection costs.