This document is an excerpt from the EUR-Lex website
Document 52010DC0588
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL ON THE DEVELOPMENT OF THE VISA INFORMATION SYSTEM (VIS) IN 2009 (submitted in response to the obligation under Article 6 of Council Decision 2004/512/EC)
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL ON THE DEVELOPMENT OF THE VISA INFORMATION SYSTEM (VIS) IN 2009 (submitted in response to the obligation under Article 6 of Council Decision 2004/512/EC)
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL ON THE DEVELOPMENT OF THE VISA INFORMATION SYSTEM (VIS) IN 2009 (submitted in response to the obligation under Article 6 of Council Decision 2004/512/EC)
/* COM/2010/0588 final */
REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL ON THE DEVELOPMENT OF THE VISA INFORMATION SYSTEM (VIS) IN 2009 (submitted in response to the obligation under Article 6 of Council Decision 2004/512/EC) /* COM/2010/0588 final */
[pic] | EUROPEAN COMMISSION | Brussels, 22.10.2010 COM(2010) 588 final REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL ON THE DEVELOPMENT OF THE VISA INFORMATION SYSTEM (VIS) IN 2009 (submitted in response to the obligation under Article 6 of Council Decision 2004/512/EC) Report from the Commission to the European Parliament and the Council on the development of the Visa Information System (VIS) Progress Report Janua ry – December 2009 (COM (2010) 588 final) TABLE OF CONTENTS 1. Introduction 3 2. Progress during the period under review 3 2.1. Development of the Central System – technical deliverables 3 2.2. Development of the Biometric Matching System (BMS) 4 2.3. Site Preparations and Network 4 2.4. Member States' National Planning 4 2.5. Rescheduling the VIS 5 2.6. Roll-out to consular posts and external border-crossing points 6 3. Project management 7 3.1. Legal framework for the VIS 7 3.2. Commission project management 8 3.2.1. Planning and budget 8 3.2.2. Risk management 8 3.2.3. Project management board (PMB) 9 3.3. Friends of the VIS 9 4. Conclusion 10 5. Annex: VIS working groups 11 5.1. SISVIS Committee 11 5.2. VIS National Project Managers (NPM) meetings 11 5.3. Change Management Board (CMB) 11 5.4. Test Advisory Group (TAG) 11 5.5. VIS Mail Expert Group (VIS MEG) 11 1. INTRODUCTION The Commission, in accordance with Article 6 of Council Decision 2004/512/EC of 8 June 2004 establishing the Visa Information System[1], presents to the Council and the European Parliament the sixth progress report on the development of the Visa Information System (VIS)[2]. The report covers the work carried out by the Commission between January and December 2009. As regards compliance testing with Member States and development of most national systems, the VIS project progressed smoothly. By the end of 2009, compliance testing had been completed with 22 out of 25 current Schengen Associated States at a 100% success rate. Compliance tests remain to be executed only by a few Member States before the final testing phase in 2010. However, the tests related to VIS at central level in 2009 proved to be challenging. The technical development of the VIS and Biometric Matching System (BMS) entered the second of four testing phases in April 2009 – the Systems Solutions Test (SST). The Main Development Contractor (MDC) failed to meet the exit criteria for the first attempt to carry out the test, which led to a second and third test campaign during the reporting period. The delay with the SST affected the start of the subsequent testing phases involving the Member States. In parallel, other factors also impacted the re-scheduling of the project, including a significant delay at national level for at least one Member State. The December 2009 target date for start of operations of the VIS could therefore no longer hold. After a presentation to the "Friends of the VIS" and Strategic Committee on Immigration, Frontiers and Asylum (SCIFA) in November 2009, the following new global schedule was presented to the JHA Council on 30 November 2009: - Start of Operational Systems Test (OST) - February 2010 - Provisional Systems Acceptance Test (PSAT) - September 2010 - Central system readiness test - October 2010 - Start of operations of VIS - December 2010. 2. Progress during the period under review 2.1. Development of the Central System – technical deliverables Based on the agreement obtained in December 2008 to implement four functional changes requested by Member States, both the Interface Control Document (ICD) and the Detailed Technical Specification (DTS) needed to be updated. The final version of the ICD 1.82 was accepted in March 2009. These are the technical specifications used by Member States to develop their own national systems to be able to connect to the VIS. The DTS has been finalised but can only be formally accepted after the pending security target issues are resolved, which is planned for mid-2010. The CD simulator was updated several times and most recently in September. 2.2. Development of the Biometric Matching System (BMS) The BMS, which will provide fingerprint matching services to the VIS, was largely implemented according to the project plan during the reporting period, and the Systems Solutions Test (SST) for BMS was carried out successfully in March 2009. Since that point, the system has been supporting the VIS SST, while performing its own OST, without any issues until November when some operational problems were encountered. These included a delay in the BMS switchover procedure during VIS failover tests, issues with the Oracle database and BMS transaction performance. The root causes for each issue were identified and presented to Member States along with the solutions implemented. Member States also continued to use the software kits provided by the BMS contractor in their fingerprint capturing devices, as well as the BMS web portal for their national biometric implementation. Following discussions in the SISVIS Committee meeting (VIS formation) the Commission adopted in October 2009 a Decision[3] laying down specifications for the resolution and use of fingerprints for biometric identification and verification in the Visa Information System. 2. 3. Site Preparations and Network Throughout 2009, staff members at the Central Unit and Backup Central Unit in Strasbourg and Salzburg respectively were trained on the use and maintenance of the VIS equipment. The network remained to be installed in only two Member States during 2009. The main projects for 2009 concerning the network were to secure the operations of the "failover mechanism" from the primary site to the backup site and to set up the VIS Mail Relay. This mechanism is required in case the national system fails and the backup system takes over operations temporarily. The deployment of the network to one main site and three backup sites in Member States was completed between March and July. The "failover exercise" was successfully completed in five Member States by October. In nine other Member States the appropriate technical solution was still to be determined. The exercise will continue for those Member States that are interested in implementing this solution. 2. 4. Member States' National Planning Apart from the availability of the central VIS, the key dependency for the system becoming operational is the progress of national projects. The state of progress varies between the Member States, due to different circumstances at national level. Through the monthly reporting mechanism developed in the framework of the Friends of the VIS (see section 3.2.4.), most Member States consistently reported their progress as being on time to achieve the targeted milestones. In the reports it also became apparent that a number of Member States encountered difficulties with the development of their national systems. Nevertheless, the vast majority of Member States had successfully completed their compliance tests and were prepared for the start of OST and PSAT. By the end of the reporting period, 22[4] out of 25 current Member States and Schengen Associated Countries had completed their compliance tests as initially planned. In 2009, FRONTEX invited Member States' experts to Warsaw to participate in several VIS-related workshops. These workshops were attended by representatives of 26 Member States and Schengen Associated Countries and aimed to aid in the implementation of the VIS by fostering the sharing of experiences among Member States. The results of the workshops, presented at the Friends of the VIS meetings as well as at the last NPM meeting of the reporting period, showed that Member States are still at different stages of project development nationally and allowed for a number of issues to be identified and followed up. 2.5. Rescheduling the VIS The re-scheduling of the VIS project occurred due to delays at both central and national levels. Central level From a central level perspective, the MDC began the SST on 20 April 2009. In mid-June the assessment of the SST results indicated that the exit criteria were not met due to various technical issues, concerning functional and non-functional aspects of the system. It became clear that the SST would not be completed by the time OST was scheduled to start in July 2009. The SST phase was therefore extended to the end of September 2009. In their official SST report, the MDC claimed that exit criteria had been met contrary to the assessment by the Commission, the Quality Assurance contractor, as well as the Member State experts in the Test Advisory Group (TAG). In October, the MDC proposed to implement certain corrective measures in order to meet the performance requirements of the system as well as to lower the service-level agreement (SLA) on performance. Member States assessed the impact of these measures on their national systems and agreed at the end of the reporting period that the MDC shall implement these measures. At the same time, it was agreed to de-couple the corrective measures from the discussion on lowering the service-level agreement (SLA). Once corrective measures are implemented and tested, the MDC will re-submit a proposal for an SLA. By the end of the reporting period these corrective measures had not yet been fully implemented and tested. In the meantime and pending the acceptance of the corrective measures by Member State experts, the MDC continued its efforts to remedy the blocking technical issues and subsequently submitted a new report on the SST in November. Although results had improved, they were still not satisfactory especially as regards performance aspects. Consequently, by the end of the reporting period the exit criteria for the SST were still not met. As a result, contractual penalties were applied. National level From a national perspective, in 2009, the Commission also learned that one Member State experienced major contractual setbacks with the development of its national system, and would not be ready to connect to the VIS until the end of 2010. This particular Member State has not yet confirmed its slot for compliance testing. Two other Member States experienced some delays of a less significant nature with the development of their national system. In order to start operations, all Member States need to be connected to the VIS. Therefore, the delay of one Member State immediately affects the starting date of operations of the VIS. All of these issues together impacted the planned date for the start of operations of the VIS and a new schedule needed to be prepared. The main elements of the new VIS Master Project Schedule were presented in SCIFA and at the JHA Council in November and December and the Council took note of the new schedule, which declares central system readiness in October 2010 after the acceptance of the PSAT. Due to the significant delay in one Member State, and to the delays caused by the MDC regarding the SST, however, VIS will not be able to start operations before December 2010. 2.6. Roll-out to consular posts and external border-crossing points According to the adopted Visa Code, Member States shall collect biometric identifiers comprising the facial image and ten fingerprints from visa applicants at their consular posts. In preparation for the rollout in consular posts, several Member States have continued to test the capturing of biometrics for visa applications at a number of consular posts. The pilot project for the capture, storage and verification of biometric data from visa applicants (BIODEV II) ran until the second quarter of 2009 and a few of the participating Member States continued to test capturing procedures throughout the course of 2009 aiming to improve the quality of the captured fingerprints. Results have shown that obtaining good quality fingerprints from visa applicants requires extensive training of operators and possible re-capturing in order to reduce failure to enrol rates. Most Member States have already equipped their consular posts in North Africa to be able to capture fingerprints and photographs of visa applicants, and are preparing to equip the subsequent regions. Intense discussion on the determination of the first regions was held in the SISVIS Committee meetings throughout 2009. In accordance with Article 48 of the VIS Regulation,[5] the Commission shall determine the sequence of the regions for the VIS consular deployment, on the basis of three criteria: the risk of illegal immigration, the threats to the internal security of the Member States and the feasibility of collecting biometrics from all locations in that particular region. After several months of discussion, the Commission Decision[6] determining the first regions for the start of operations of the VIS was adopted on 30 November 2009. The first region will be North Africa, followed by the Near East and the Gulf Region. Subsequent regions for the rollout of the VIS will be determined by separate Decisions after another evaluation has taken place in accordance with the above criteria. As concerns visas issued at the external border, external border-crossing points are considered to constitute a separate region. Therefore, the collection and transmission of data to the VIS from borders will begin as soon as Member States notify the Commission that they have made the necessary technical and legal arrangements to collect and transmit data to the VIS on all visa applications handled at their own external border-crossing points. 3. PROJECT MANAGEMENT 3.1. Legal framework for the VIS In 2009, the legal instruments required before the VIS begins operations, namely the amendments to the Schengen Borders Code[7] and the Common Consular Instructions[8], were adopted and published in February and May 2009, respectively. The amendment to the Schengen Borders Code provides that the use of the VIS for entry checks at the external borders will be compulsory from twenty days after the start of operations in the first region. The use of the VIS should entail a systematic search in the VIS using the visa sticker number in combination with a verification of fingerprints. However, during a three-year transition period, it should be possible for Member States to use the VIS without verification of the fingerprints. The amendment of the Common Consular Instructions was necessary in order to establish a legal framework for the collection of biometric identifiers, including provisions on the organisation of the reception and processing of visa applications. These provisions are incorporated in the Visa Code[9], adopted in July, which repeals the Common Consular Instructions and will be applicable from 5 April 2010. Several Commission Decisions related to the VIS were adopted under the comitology procedure during the reporting period. The Commission Decision on the VIS Mail specifications[10], which will replace the VISION consultation mechanism, was adopted in May 2009. The second biometrics Decision[11] relating to the resolution and use of fingerprints for identification and verification in the VIS and Biometric Matching System (BMS) was adopted in October 2009. A Commission Decision[12] determining the first regions for the start of operations of the VIS was adopted on 30 November 2009, at the same time as the Decision on technical implementing measures[13] setting out various data processing operations in the VIS. One outstanding legislative instrument concerning security in the VIS remains to be adopted in 2010. 3.2. Commission project management 3.2.1. Planning and budget The total available commitment appropriations for the VIS in 2009 amounted to € 38.3 million. The main components of expenditure during 2009 were the preparation of additional features for biometrics, external assistance for project management and quality assurance, exploitation costs for the development and testing phases, and changes to the VIS (due mostly to Member State change requests). 74.65% of the total VIS appropriations were committed and 76.53% of payment appropriations had been paid by the end of the reporting period. The budget line for the VIS is 18.02.05. VIS Commitment and Payment appropriations 2009 Available commitment appropriations | Consumed[14] | Total % | Available payment appropriations | Consumed | Total % | €38.315.328,00 | €28.601.077,00 | 74,65% | €27.216.095,14 | €20.828.088,00 | 76,53% | The Commission notified the MDC of the launch of penalties, as from 15 June 2009, due to the incapacity of this contractor to run the SST successfully, on time, and within contractual obligations. The total amount of the penalties is to date € 7.6 million. [15] 3.2.2. Risk management The methodology for managing risks in the project changed somewhat during the reporting period as there were only three VIS Project Management Board meetings held in 2009. This forum was initially used to discuss risks with the Member States and MDC. The three separate risk logs approach was changed in the second quarter of the reporting period and instead each month the Commission identified the most important risks in the project and presented them to Member States at the monthly National Project Managers' meetings. Furthermore, in the context of the Friends of the VIS, the Swedish Presidency proposed the creation of a consolidated risk list; the Commission worked together with the Presidency to determine the main risks and to categorise them according to their impact on the project. Risks are adjusted each month in accordance with any changes to the severity of their impact. Actions are identified for each risk in order to mitigate them. These risks and corresponding actions are then presented by the Presidency to the Member States in the Friends of the VIS meetings, where they are discussed openly and transparently. The Commission also maintains a high-level register and follows up the implementation of actions. At the end of 2009, the most critical risks identified were the following: (i) failure to deliver VIS in time for technical, legal or contractual reasons and the possible reputational impact, (ii) difficulties in resource and financial planning at central and national levels due to additional delays to the VIS start of operations, (iii) the risk of not achieving the original performance requirements, and (iv) finally the contractual impact of SIS II on the VIS. The first three risks remain stable while the severity of the fourth one was decreased at the end of the reporting period. For all risks, mitigation actions are identified and the Commission, Member States, and MDC work closely together to limit the impact of these risks on the project. Despite the mitigation actions taken by the Commission, it was evident that the originally agreed performance level requirements would not be achieved by the MDC; therefore, it was expected that the problems related to the Systems Solutions System would continue into 2010. 3.2.3. Project management board (PMB) In 2009, the PMB met twice in the beginning of the year to discuss VIS project management issues and risks with project stakeholders, the MDC and the quality assurance contractor, in addition to the previous and forthcoming Member State Presidencies. A third PMB was held in December between the MDC and the Commission in order to discuss the SST state of play, the change request on corrective measures, the future change request on lowering the Service Level Agreement (SLA) and the amendment of the contract in order to include Operational Management preparatory activities. 3 .3. Friends of the VIS The Friends of the VIS met nine times during the reporting period – four times under the Czech Presidency (2009/I) and five times under the Swedish Presidency (2009/II). The high-level informal meetings provided a forum in which discussions could be held transparently on all VIS-related matters. The agenda was set by the Presidency in coordination with the Commission and the General Secretariat of the Council. The topics generally included an update by the Commission on the VIS state of play, the new reporting mechanism on national progress, the rollout to consular posts in the first regions, the possibility of developing a centralised information campaign, risk management and the VIS-related workshops hosted by FRONTEX. In the Friends of the VIS group, a new reporting mechanism in the form of a questionnaire was created as a tool for following progress in Member States in relation to their technical, consular and border preparations. This tool replaced the monthly progress reports that were customarily completed by VIS National Project Managers and the questionnaire was split into static and time-related questions towards the end of the reporting period. The questions cover general technical preparation concerning the development of their national system, consular preparations for rollout in the first regions and border preparations in relation to checking biometrics against the VIS. More specific questions on training and other milestones are also included in the questionnaire. Several Member States did not provide clear dates for achieving the specific milestones, which did not allow the Commission to have a complete picture of progress in all Member States. A consolidated Risk List is prepared each month by the Presidency and the Commission prior to the meeting and the current top ten risks to the project are categorised according to the severity of their impact. The organisation of a centralised information campaign was discussed in the Friends of the VIS meetings during the first semester of 2009. However, the discussion was postponed given the delay in the initial planning for the start of operations and the Commission's legal obligations of providing information to visa applicants as laid down in the Visa Code. Intensive discussion was held on the determination of the sequence of the first regions for the consular rollout of the VIS. The reflections of the group were input into the various drafts of the relevant decision before this received a positive opinion by the SISVIS Committee. 4. CONCLUSION During the reporting period (January – December 2009) four implementing measures for VIS were adopted by the Commission, including the Decision determining the first regions for the start of operations of the VIS. The year was characterised by intensive testing, during which the vast majority of Member States successfully completed their compliance tests, a precondition for entering the final test phase before VIS enters into operations. At central level, the technical development of the VIS entered the second of four testing phases in April 2009, the Systems Solutions Test. At this stage the Main Development Contractor encountered a series of technical problems, both functional and non-functional, which relate to the performance of the system. At national level, one Member State has reported significant contractual problems with the development of their national system. These problems will not allow this Member State to connect to the VIS before December 2010. A new global schedule was presented to the JHA Council in November 2009, which would lead to a planned go-live of the VIS in December 2010. All stakeholders in the project have reaffirmed their commitment to working closely together towards the entry into operation of VIS. In parallel, the Commission has informed the LIBE Committee of the European Parliament on a regular basis regarding the development and state of play of the VIS project and will continue to do so in the future. 5. ANNEX: VIS WORKING GROUPS 5 .1. SISVIS Committee There were five meetings of the SISVIS Committee in the VIS formation[16] in 2009, during which four draft Commission Decisions were discussed. Specifically, the draft Commission Decisions concerning the VIS Mail specifications, the first regions for rollout of the VIS, the specifications for the resolution and use of fingerprints for biometric identification and verification in the VIS, and the technical implementing measures were all discussed and voted on during these meetings, all with a positive opinion. The Committee will remain responsible for taking any outstanding VIS-related comitology decisions in 2010. 5.2. VIS National Project Managers (NPM) meetings During the reporting period, eleven expert group meetings for the Member States’ National Project Managers (NPM) were organised by Commission services in order to discuss the status of the VIS project at central level, detailed technical issues, planning issues, risks and activities at central and national project levels. 5.3. Change Management Board (CMB) The CMB, an advisory working group of the SISVIS Committee (VIS formation) met only in January and March during 2009. The CMB made recommendations on the configuration management of VIS during the development phase, including testing and discussed as well change requests. 5.4. Test Advisory Group (TAG) The TAG, an advisory working group of the SISVIS Committee (VIS formation) met quite frequently or held conference calls during the reporting period due to the intensive testing period. The TAG ensures that a structured process is used to address and resolve testing-related issues and advises on the completion of VIS testing campaigns. It makes recommendations on the testing of VIS during all test phases especially where Member States participate directly. 5.5. VIS Mail Expert Group (VIS MEG) The group met on a monthly basis throughout the reporting period with the aim to support the implementation of the VIS communication mechanism (VIS Mail). Significant progress was achieved throughout 2009 with the testing and connection of Member States to the communications mechanism. The Central Mail Relay solution was implemented during this reporting period and VIS MEG participants agreed that it had been sufficiently tested and proved to be operational in accordance with basic requirements. For the national implementation, all 25 participating Member States were preparing to complete VIS Mail Phase 1, in order to start together with the VIS. The draft Commission Decision[17] on the VIS Mail Specifications was submitted to the SISVIS Committee (VIS formation) in January 2009, and the Committee delivered a positive opinion on the Decision at this meeting. The Decision was adopted by the Commission on 5 May 2009. The work of the Commission and the Member States on VIS Mail is performed in cooperation with the Network Contractor and is supported by the Support and Quality Assistance Contractor. [1] OJ L 213 of 15.6.2004, p. 5. [2] For the fifth report, see the Report from the Commission to the Council and European Parliament on the development of the Visa Information System (VIS) in 2008, COM(2009) 473 final of 15.09.2009. [3] Commission Decision of 9 October 2009 laying down specifications for the resolution and use of fingerprints for biometric identification and verification in the Visa Information System (OJ L 270 of 15 October 2009) [4] Liechtenstein had also completed its compliance tests technically, but it does not yet apply the Schengen acquis [5] Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) – OJ L 218 of 13.08.2008, p.60 [6] Commission Decision of 30 November 2009 determining the first regions for the start of operations of the Visa Information System (OJ L 23 of 27 January 2010, p. 62). [7] Regulation (EC) No 81/2009 of the European Parliament and of the Council of 14 January 2009 amending Regulation (EC) No 562/2006 as regards the use of the Visa Information System (VIS) under the Schengen Borders Code (OJ L 35 of 4 February 2009, p. 56); [8] Regulation (EC) No 390/2009 of the European Parliament and of the Council of 23 April 2009 amending the Common Consular Instructions on visas for diplomatic missions and consular posts in relation to the introduction of biometric including provisions on the organisation of the reception and processing of visa applications (OJ L 131 of 28 May 2009, p. 1); [9] Regulation (EC) No 810/2009 of the European parliament and of the Council of 13 July 2009 establishing a Community Code on Visas (Visa Code) (OJ L 243 of 15 September 2008, p. 1). [10] Commission Decision 2009/377/EC of 5 May 2009 adopting implementing measures for the consultation mechanism and the other procedures referred to in Article 16 of Regulation (EC) No 767/2008 of the European Parliament and of the Council concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (OJ L 117 of 12 May 2009); [11] Commission Decision of 9 October 2009 laying down specifications for the resolution and use of fingerprints for biometric identification and verification in the Visa Information System (OJ L 270 of 15 October 2009) [12] Commission Decision of 30 November 2009 determining the first regions for the start of operations of the Visa Information System (OJ L 23 of 27 January 2010, p. 62). [13] Commission Decision of 30 November 2009 adopting technical implementing measures for entering the data and linking applications, for accessing the data, for amending, deleting and advance deleting of data and for keeping and accessing the records of data processing operations in the Visa Information System (OJ L 315 of 2 December 2009, p.30) [14] The Draft Budget 2011 adopted by the Commission on 27 April 2010 specifies the consumed amount of commitment appropriations to be ¬ 37,601,077 fors to be €37,601,077 for 2009. Due to the shift of dates of some project activities originally planned for 2009, the amount of €9,000,000 had to be pre-committed for consumption in 2010. [15] The recovery order for the exact amount of penalties (€ 7,635,000) was issued on 30 March 2010. [16] Set up by Article 51(1) of Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II). [17] Commission Decision of 5 May 2009 adopting implementing measures for the consultation mechanism and other procedures referred to in Article 16 of Regulation (EC) No 767/2008 of the European Parliament and of the Council concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation)