1.   Only one JIT collaboration space may be created on the platform for each individual joint investigation team (JIT).

2.   The platform shall not allow for any interactions or cross-cutting functionalities between the individual JIT collaboration spaces.

3.   A JIT collaboration space may be created, or may function, only if JIT members representing at least two Member States are granted access to it.

1.   For every JIT collaboration space, each individual JITs collaboration platform user shall, in accordance with the rules laid down in paragraphs 2 to 6, be assigned only one of the following user profiles:

(a)	standard user;

(b)	limited access user, including access to the communication software;

(c)	limited access user, excluding access to the communication software;

(d)	communication software user;

(e)	JITs Network Secretariat support;

(f)	JITs Network Secretariat administrator;

(g)	Member State administrator;

(h)	EPPO administrator; or

(i)	eu-LISA technical administrator.

2.   The ‘standard user’, ‘limited access user, including access to the communication software’, ‘limited access user, excluding access to the communication software’, and the ‘communication software user’ profiles shall be assigned only to JIT members, Eurojust, Europol, OLAF and other competent Union bodies, offices and agencies, or representatives of an international judicial authority that participates in a JIT.

3.   The ‘JITs Network Secretariat support’ profile and the ‘JITs Network Secretariat administrator’ profile may be assigned to the same individual JITs collaboration platform user. Those user profiles shall be assigned only to representatives of the JITs Network Secretariat.

4.   The ‘Member State administrator’ profile shall be assigned only to JIT members who represent Member States bound by Regulation (EU) 2023/969.

5.   The ‘EPPO administrator’ profile shall be assigned only to EPPO JIT members.

6.   The ‘eu-LISA technical administrator’ profile shall be assigned only to representatives of eu-LISA.

7.   Unless explicitly restricted by this Decision, all functionalities of the platform shall be available to all user profiles.

1.   In the context of the technical support referred to in Article 13(3) of Regulation (EU) 2023/969, the eu-LISA technical administrator shall initiate the creation of a JIT collaboration space, provided that eu-LISA has received the respective JIT agreement, including any appendices, in accordance with Article 7(1), (2) and (3) of this Decision.

2.   Before a JIT collaboration space is created, the eu-LISA technical administrator shall assign the ‘Member State administrator’ or the ‘EPPO administrator’ profile, and shall grant access to that future space, to the JIT space administrators designated in the respective JIT agreement. Once the JIT collaboration space has been created, the eu-LISA technical administrator shall no longer be involved in the management of access rights for that particular JIT collaboration space, except in the cases referred to in paragraph 5 of this Article and in Article 8(4).

3.   Once a JIT collaboration space has been created, the Member State administrator or administrators, and the EPPO administrator or administrators, may grant representatives of the JITs Network Secretariat access to that space by assigning them the ‘JITs Network Secretariat administrator’ profile.

4.   Only the Member State administrator or administrators, the EPPO administrator or administrators, or the JITs Network Secretariat administrator or administrators may assign the ‘Member States administrator’, ‘EPPO administrator’, ‘JITs Network Secretariat administrator’, ‘standard user’, ‘limited access user, including access to the communication software’, ‘limited access user, excluding access to the communication software’, ‘communication software user’ and ‘JITs Network Secretariat support’ profiles to the individual JITs collaboration platform users and may grant them access to the relevant JIT collaboration space.

5.   If none of the Member State administrators can access a JIT collaboration space that has been created, the eu-LISA technical administrator may grant access to that space to a new Member State administrator or administrators, provided that eu-LISA receives an amended JIT agreement.

6.   Each JIT collaboration space shall have at least one Member State administrator at any given moment of its operation.

7.   There may be several Member State administrators from the same Member State in each JIT collaboration space.

8.   Each JITs collaboration platform user assigned the ‘Member State administrator’ or the ‘EPPO administrator’ profile shall have equal rights as regards managing the rights of the JITs collaboration platform users to access the relevant JIT collaboration space.

1.   The centralised information system shall have the following functionalities, in particular:

(a)	management of the JITs collaboration platform;

(b)	management of the JIT collaboration space;

(c)	management of the personal information and settings of the JITs collaboration platform users’;

(d)	a JIT collaboration space dashboard;

(e)	email and in-platform notifications;

(f)

search;

(g)	upload and download of operational data, individually or in batches;

(h)	upload and download of non-operational data, individually or in batches;

(i)	evidence traceability;

(j)	management of files;

(k)	calendar and management of tasks;

(l)	an information board;

(m)	JIT funding information referred to in Article 6(4);

(n)	administrative reporting;

(o)	machine translation of non-operational data;

(p)	evaluation of a JIT;

(q)	technical and business support;

(r)	training courses and user manuals; and

(s)	statistics.

2.   eu-LISA, in consultation with the Advisory Group referred to in Article 12 of Regulation (EU) 2023/969 (‘JITs CP Advisory Group’), shall set out the business and technical specifications of the functionalities referred to in paragraph 1, in accordance with the requirements set out in this Decision.

3.   The ‘management of the JITs collaboration platform’ functionality shall be available only to the ‘eu-LISA technical administrator’ profile.

4.   The ‘management of the JIT collaboration space’ functionality shall be available only to the ‘Member State administrator’, ‘EPPO administrator’ and ‘JITs Network Secretariat administrator’ profiles.

5.   The functionality of uploading and downloading operational data shall be available only to the ‘Member State administrator’, ‘EPPO administrator’ and ‘standard user’ profiles.

6.   The ‘evidence traceability’ functionality shall be available only to the ‘Member State administrator’, ‘EPPO administrator’ and ‘standard user’ profiles, except for the standard users who are not JIT members.

7.   All other functionalities of the centralised information system shall be available only to the ‘Member State administrator’, ‘EPPO administrator’, ‘JITs Network Secretariat administrator’, ‘standard user’, ‘limited access user, including access to the communication software’, ‘limited access user, excluding access to the communication software’ and ‘JITs Network Secretariat support’ profiles, except for the technical and business support functionality, as well as the notifications functionality, which shall also be available to the ‘communication software user’.

8.   The functionality of uploading and downloading operational data to and from the centralised information system shall enable the JITs collaboration platform users to transmit files in all formats and up to a set size limit, and to exchange harmful files under stringent security conditions and appropriate operating procedures. The technical specifications of the size limit shall be set by eu-LISA in consultation with the JITs CP Advisory Group, taking into account the needs of JIT members and the issue of evidence admissibility. The operating procedures for exchanging harmful files shall be set out by eu-LISA.

9.   In order to upload or download extraordinarily large volumes of operational data, the JITs collaboration platform users shall make use of a dedicated IT tool provided by eu-LISA. The technical specifications of that tool, as well as the size threshold above which the tool shall be used when uploading or downloading operational data, shall be set by eu-LISA in consultation with the JITs CP Advisory Group.

10.   When uploading operational data, each JITs collaboration platform user shall indicate one or more data recipients and set a deadline for downloading the data, which shall not exceed the period referred to in Article 21(1) of Regulation (EU) 2023/969. As soon as the process of downloading has been completed by all recipients or, at the latest, upon expiry of the deadline, the uploaded data shall be automatically and permanently erased from the centralised information system.

11.   The functionality of uploading and downloading non-operational data shall enable the JITs collaboration platform users to exchange files only in predefined formats and up to a set size limit. The technical specifications of these aspects shall be set out by eu-LISA in consultation with the JITs CP Advisory Group.

12.   It shall be optional for each JITs collaboration platform user to make use of the ‘evidence traceability’ functionality, which may be enabled only before the user’s first access to a given JIT collaboration space. The evidence traceability log shall contain only the data uploaded to or downloaded from a given JIT collaboration space by that user.

13.   The ‘machine translation of non-operational data’ functionality may be used in the context of the following functionalities:

(a)	management of files;

(b)	evaluation of a JIT; and

(c)	technical and business support.

14.   If the ‘machine translation of non-operational data’ functionality uses artificial intelligence, eu-LISA shall inform the JITs collaboration platform users of the use of such technology and of the accuracy of the results.

15.   The ‘evaluation of a JIT’ functionality may be used even if the platform was not used in the operational phase of the JIT. It shall provide for two distinct processes, namely collaborative and user-by-user evaluations.

16.   Operational data transmitted from and to the centralised information system and stored therein shall not be backed up by the platform and shall be end-to-end encrypted in transit and at rest.

17.   Non-operational data transmitted from and to the centralised information system and stored therien shall be regularly backed up by the platform and shall be end-to-end encrypted in transit.

18.   For each JIT collaboration space, the centralised information system shall allow only the ‘Member State administrator’, ‘EPPO administrator’ and ‘standard user’ profiles to view the respective JIT agreement.

19.   With the exception of the languages of the Member States not bound by this Decision, the interface of the centralised information system shall be available in all official languages of the Union.

1.   The communication software shall have the following functionalities, in particular:

(a)	instant messaging (bilateral or multilateral);

(b)	audio- and video- conferencing;

(c)	exchange of files; and

(d)	notifications.

2.   eu-LISA, in consultation with the JITs CP Advisory Group, shall set out the business and technical specifications of the functionalities referred to in paragraph 1 in accordance with the requirements set out in this Decision.

3.   The ‘exchange of files’ functionality shall enable the JITs collaboration platform users to transmit files only in predefined formats and within a set size limit. The technical specifications of those aspects shall be set out by eu-LISA in consultation with the JITs CP Advisory Group.

4.   The communication software’s functionalities shall be available only to the ‘Member State administrator’, ‘EPPO administrator’, ‘standard user’, ‘limited access user, including access to the communication software’ and ‘communication software user’ profiles.

5.   The retention period for data in the communication software shall automatically be four weeks from the date of entry of those data in the communication software. However, the users of the communication software, to the extent necessary for the performance of their tasks, may set a different retention period for the storage of such data in the communication software in accordance with their national law, transposing the Directive (EU) 2016/680 of the European Parliament and of the Council (2), which provides for appropriate time limits or for a periodic review of the need for the storage.

6.   Upon expiry of the retention period referred to in paragraph 5, the data shall be automatically and permanently erased from the communication software.

7.   Access to the communication software and operations carried out therein shall not be traceable.

8.   The data exchanged through the communication software shall not be backed up by the platform and shall be end-to-end encrypted in transit.

9.   With the exception of the languages of the Member States not bound by this Decision, the interface of the communication software shall be available in all official languages of the Union.

1.   The centralised information system shall be connected with the following IT tools hosted externally and managed by the JITs Network Secretariat:

(a)	the JITs system; and

(b)	the JITs restricted area.

2.   The business and technical specifications of the connections referred to in paragraph 1 shall be set out by eu-LISA in consultation with the JITs CP Advisory Group.

3.   The connection with the JITs restricted area shall allow the ‘Member State administrator’, ‘EPPO administrator’, ‘JITs Network Secretariat administrator’, ‘standard user’, ‘limited access user, including access to the communication software’, ‘limited access user, excluding access to the communication software’ and ‘JITs Network Secretariat support’ profiles, to access the JITs restricted area via a link integrated in the respective JIT collaboration space, without needing to re-enter their credentials for the purpose of authentication.

4.   The connection with the JITs system shall enable the JITs collaboration platform users to automatically retrieve and consume certain data on JIT funding from that IT tool, provided that no personal data are included. Those data shall be transmitted through an interface to the centralised information system in either a synchronous or asynchronous way.

5.   The JITs collaboration platform users shall not be able to modify the data retrieved from the JITs system and included in the centralised information system.

6.   The platform shall not retrieve any data from the JITs restricted area.

1.   Upon receipt of the relevant JIT agreement from a Member State which is bound by Regulation (EU) 2023/969, and which is a party to that JIT agreement, eu-LISA shall initiate the process of creating a JIT collaboration space. To that end, eu-LISA shall verify whether the JIT agreement provides for the use of the platform in accordance with Regulation (EU) 2023/969.

2.   To ensure the authenticity of the JIT agreement, each JIT agreement shall be signed electronically with a qualified electronic signature that complies with Regulation (EU) No 910/2014 of the European Parliament and of the Council (3), for the purpose of its transmission to eu-LISA.

3.   Each JIT agreement destined for eu-LISA shall be uploaded by the designated representatives of the Member States bound by Regulation (EU) 2023/969 to a secure online space, external to the platform, determined by eu-LISA (‘JIT agreements space’). Only eu-LISA shall be able to preview and download the JIT agreements uploaded to the JIT agreements space. The representatives of the Member States bound by Regulation (EU) 2023/969 shall be designated via their counterparts in the JITs CP Advisory Group.

4.   JIT agreements shall be stored in the JIT agreements space for a maximum of four weeks.

5.   eu-LISA shall set up and maintain the JIT agreements space, as well as manage its access rights.

1.   Access to the platform shall be safeguarded by means of the European Commission’s authentication service (‘EU Login’) or its equivalent. A two-factor authentication that uses an individual email address and one other authentication factor shall be required to access the platform.

2.   Access to the platform shall be granted only to those individual JITs collaboration platform users who have authenticated themselves using an email address that uses a domain name registered in the list of permitted JITs collaboration platform domain names. That list shall be created and maintained by eu-LISA based on the information provided in writing individually by any Member State, third country, Union body, office or agency, or international judicial authority, seeking to use the platform.

3.   eu-LISA shall not have access to the email addresses of the JITs collaboration platform users, apart from those JITs collaboration platform users who have been assigned the ‘Member State administrator’ or the ‘EPPO administrator’ profile.

4.   Where the conduct of an individual JITs collaboration platform user arouses suspicion, such as in the form of abnormal access patterns, or any other activity that may give rise to concern that an attack or data breach may have taken place, the eu-LISA technical administrator shall immediately block that user’s access to the platform and shall notify all Member State administrators of the JIT collaboration spaces affected by the suspicious activity.

5.   Any event that has or may have an impact on the security of the platform, and may cause damage to or loss of data stored in the platform, shall be considered to be a security incident, in particular where unauthorised access to data may have occurred or where the availability, integrity or confidentiality of data has or may have been compromised.

6.   eu-LISA shall respond promptly and effectively to any security incident that may affect the components of the platform under their control. To that end, eu-LISA shall implement a security monitoring mechanism to detect the activities referred to in paragraph 4.

7.   Where a security incident constitutes a personal data breach within the meaning of Regulation (EU) 2018/1725 of the European Parliament and of the Council (4), eu-LISA shall notify the affected individual JITs collaboration platform user without undue delay and, in any case, no later than 48 hours after becoming aware of it.

8.   All security incidents, and the responses to those incidents, shall be communicated by eu-LISA to the JITs CP Advisory Group.

1.   The JITs collaboration platform logs, namely infrastructure logs referred to in paragraph 6 of this Article and technical logs referred to in Article 25 of Regulation (EU) 2023/969, shall be securely stored and monitored in the centralised log repository of the JITs collaboration platform.

2.   The centralised log repository of the JITs collaboration platform shall be accessible only by eu-LISA.

3.   The logs shall be regularly backed up by the platform.

4.   The logs shall be stored in a format enabling their analysis, correlation and further processing.

5.   Upon expiry of the retention periods referred to in Article 25(2), second subparagraph, of Regulation (EU) 2023/969 and paragraph 8 of this Article, all logs, including the backups, shall be automatically and permanently erased.

6.   The infrastructure logs shall concern the centralised information system and the communication software, and shall include all logs that make it possible to monitor the infrastructure, performance and security of the platform.

7.   Appropriate technical measures shall be put in place to protect infrastructure logs from modification and unauthorised access.

8.   The infrastructure logs shall be kept for one year or for such longer period as required to complete ongoing monitoring procedures.

9.   eu-LISA shall be responsible for:

(a)	creating a list of staff authorised to access the centralised log repository of the JITs collaboration platform;

(b)	specifying logging standards, practices and procedures, including the specific format of the logs and the procedure for sharing them;

(c)	inspecting the logs in response to incidents, in a proactive manner, where possible;

(d)	carrying out log management tasks such as safe storage, backing up, traceability of log access and protection against unauthorised access; and

(e)	erasing the logs.

1.   Based on the logs referred to in Article 9, the platform shall automatically produce at least the following statistics:

(a)

regarding the JITs collaboration platform usage indicators: (1) peak usage times of the centralised information system and the communication software; (2) frequency of access and use of the centralised information system and the communication software per individual JITs collaboration platform user; (3) number of open JIT collaboration spaces; (4) number of JIT collaboration spaces created; (5) number of closed JIT collaboration spaces; (6) average duration of the JIT collaboration spaces; (7) number of the individual JITs collaboration platform users, including a breakdown by user profile; (8) number of Member State administrators, EPPO administrators and JITs Network Secretariat administrators per JIT collaboration space; (9) number of JIT collaboration spaces to which Eurojust, Europol, OLAF and other competent Union bodies, offices and agencies or representatives of an international judicial authority that participates in a JIT, are granted access; (10) number of open JIT collaboration spaces pertaining to JITs that have retrieved funding data from the JITs system; (11) number of JIT collaboration spaces not used in the operational phase of a JIT;

(b)

regarding the specific functionality indicators: (1) number of events created in the calendars; (2) number of tasks created; (3) number of tasks assigned to other individual JITs collaboration platform users; (4) number of messages published on the information board; (5) number of invitations to audio- and video- conferencing calls; (6) number of user redirects from the platform to the JITs restricted area; (7) number of administrative reports generated; (8) number of evidence traceability reports generated; (9) number of collaborative JIT evaluations started and finalised; (10) number of user-by-user JIT evaluations started and finalised; (11) number of technical and business support requests submitted; (12) number of downloads of the communication software;

(c)

regarding operational data indicators: (1) number of files uploaded to the centralised information system; (2) number of files downloaded from the centralised information system; (3) total size of files uploaded to the centralised information system; (4) total size of files downloaded from the centralised information system; (5) average deadline within which the uploaded operational data may be downloaded; (6) average period for storing operational data in the centralised information system; (7) number of files uploaded to the centralised information system by the competent authorities of third countries and representatives of international judicial authorities; (8) total size of files uploaded to the centralised information system by the competent authorities of third countries and representatives of international judicial authorities; (9) number of files rejected by the controller of the data uploaded by third countries and representatives of international judicial authorities; (10) total size of files rejected by the controller of the data uploaded by third countries and representatives of international judicial authorities;

(d)

regarding non-operational data indicators: (1) number of files uploaded to the centralised information system; (2) number of files downloaded from the centralised information system; (3) total size of files uploaded to the centralised information system; (4) total size of files downloaded from the centralised information system;

(e)

regarding technical indicators: (1) number of concurrent users of the centralised information system and the communication software; (2) average disk space used by the JIT collaboration spaces to store data in the centralised information system; (3) number of email and in-platform notifications sent by the centralised information system; (4) number of machine translation requests sent, per functionalities referred to in Article 4(13)(a), (b) and (c); (5) average response time of the machine translation service;

(f)	regarding quality of service indicators: (1) response time for every operation carried out in the platform; (2) the period of uptime and downtime of the centralised information system and the communication software; (3) technical success/failure ratio of each operation carried out in the platform;

(g)

regarding other indicators: (1) information about the types of device used by the JITs collaboration platform users to access the centralised information system and the communication software; (2) information about the operating systems used by the JITs collaboration platform users to access the centralised information system and the communication software; (3) information about the web browsers used by the JITs collaboration platform users to access the centralised information system.

2.   The statistics referred to in paragraph 1 shall be produced daily, shall not contain any personal data, and shall not directly or indirectly reveal the identity of individual JITs collaboration platform users or the data exchanged by them.

3.   The statistics referred to in paragraph 1, points (a) and (e), (f) and (g), shall not reveal the identity of individual JIT collaboration spaces or JITs.

4.   The statistics referred to in paragraph 1 (b), (c) and (d), shall be produced separately for each JIT collaboration space, and separately for each Member State, third country, the EPPO, Eurojust, Europol, OLAF and other competent Union bodies, offices and agencies or representatives of an international judicial authority that participates in a JIT. Those statistics shall be made available in the centralised information system for all JIT members of a given JIT collaboration space from the Member States bound by Regulation (EU) 2023/969. Each JIT member from the Member States bound by Regulation (EU) 2023/969 shall be able to consult the statistics pertaining to that Member State, as well as to third countries, Eurojust, Europol, OLAF and other competent Union bodies, offices and agencies or representatives of an international judicial authority that participates in a JIT.

5.   For monitoring purposes and for the reporting referred to in Article 26(6), first subparagraph, point (a), and second subparagraph, of Regulation (EU) 2023/969, eu-LISA shall have access to the statistics referred to in paragraph 1. That access shall not reveal the identity of individual JIT collaboration spaces or JITs.

6.   Every week after the date of the start of operations of the platform, eu-LISA shall provide the Commission and the JITs Network Secretariat with the aggregated weekly statistics referred to in paragraph 1. Those statistics shall not reveal the identity of individual JIT collaboration spaces or JITs.

7.   For the purpose of the reporting referred to in Article 26(4) of Regulation (EU) 2023/969, at the request of eu-LISA, the competent authorities of the Member States bound by Regulation (EU) 2023/969, Eurojust, Europol, the EPPO, OLAF and other competent Union bodies, offices and agencies, shall provide eu-LISA with information on their assessment of the development process, the scope and the security of the platform.

8.   For the purpose of the evaluation and subsequent reporting referred to in Article 26(6), first subparagraph, point (b), and third subparagraph, of Regulation (EU) 2023/969, at the request of the Commission, eu-LISA, the competent authorities of the Member States bound by Regulation (EU) 2023/969, Eurojust, Europol, the EPPO, OLAF and other competent Union bodies, offices and agencies, shall provide the Commission with information on their usage of the platform, specifically on the platform’s scope, usability, quality of service, performance and security.

9.   For the purpose of the reporting referred to in Article 26(8), second sentence of Regulation (EU) 2023/969, at the request of the JITs Network Secretariat, the competent authorities of the Member States bound by Regulation (EU) 2023/969, Eurojust, Europol, the EPPO, OLAF and other competent Union bodies, offices and agencies, shall provide the JITs Network Secretariat with information on potential improvements to and new functionalities of the platform.

1.   The centralised information system and the communication software shall have an availability ratio of at least 97,6 %, calculated over a calendar year. The planned maintenance shall take place outside the office hours of the technical sites of eu-LISA.

2.   The performance requirements for the platform shall be better than or equal to the values set out in the Annex.

3.   The response times referred to in the Annex shall be measured without taking into account the network latency of the JITs collaboration platform users.

4.   The operations of the platform shall be maintained in case of any potential disruptive event or adverse situation in accordance with the recovery time objective values approved by eu-LISA, in consultation with the JITs CP Advisory Group, in the context of the business continuity and disaster recovery plan.

5.   eu-LISA shall ensure that data included in the centralised information system can be restored in the event of any potential disruptive event or adverse situation, in accordance with the recovery point objective values approved by eu-LISA, in consultation with the JITs CP Advisory Group, in the context of the business continuity and disaster recovery plan.

1.   The ‘technical and business support’ functionality shall allow the JITs collaboration platform users to request the respective support service.

2.   Support service requests shall be submitted through the centralised information system. The follow-up to such requests may take place outside of the platform.

3.   Whereas business support shall be understood as functional assistance on the use of the platform, technical support shall relate to technical incidents experienced by the JITs collaboration platform users.

4.   eu-LISA shall provide the technical support service to the JITs collaboration platform users, as referred to in Article 7(8) of Regulation (EU) 2023/969, including the competent authorities of third countries and representatives of international judicial authorities.

5.   The JITs Network Secretariat shall provide the business support service to the JITs collaboration platform users.

6.   The detailed arrangements of the technical and business support services, including operational hours, incident levels, response times and support procedures, shall be set out in the operator manuals, which shall be designed, in consultation with the JITs CP Advisory Group, by eu-LISA and the JITs Network Secretariat respectively.