A strengthened Schengen Information System
Regulation (EU) 2018/1860 on the use of the Schengen Information System (SIS) for the return of illegally staying third-country nationals
Regulation (EU) 2018/1861 on the establishment, operation and use of the SIS in the field of border checks, and amending the Convention implementing the Schengen Agreement
Regulation (EU) 2018/1862 on the establishment, operation and use of the SIS in the field of police cooperation and judicial cooperation in criminal matters
WHAT IS THE AIM OF THESE REGULATIONS?
The Schengen Information System (SIS), created in 1995 following the abolition of internal border controls in the EU, is a large-scale database supporting external border control and law enforcement cooperation between member countries of the Schengen Agreement.
The 3 regulations are designed to strengthen the existing measures in SIS II — established in 2006 and operational from 2013 — particularly in light of the new migration and security challenges. They will replace the current legislation laid down in Regulations (EC) No 1986/2006 and (EC) No 1987/2006, and Decision 2007/533/JHA.
This summary describes how the SIS will operate once the 3 new regulations are fully in force.
SIS consists of:
a central system (Central SIS) with
- a technical support function (CS-SIS), containing a database (SIS database) performing technical supervision and administrative tasks, and a backup CS-SIS;
- a uniform national interface (NI-SIS) in each country which members use to enter, update, delete and search SIS data;
- a national system (N.SIS) in each country to communicate with Central SIS, including at least one national or shared backup N.SIS. It is not possible to search data files in another N.SIS, unless the countries concerned have agreed to share the file;
a communication infrastructure between CS-SIS, backup CS-SIS and NI-SIS provides an encrypted virtual network for SIS data and their exchange between SIRENE bureaux.
The European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA):
implements technical solutions to strengthen the uninterrupted availability of SIS;
in exceptional circumstances, may develop an additional copy of the SIS database;
must present a report no later than 28 December 2019 on options for technical solutions, containing an independent impact assessment and cost-benefit analysis;
publishes a list of the N.SIS offices and SIRENE Bureaux.
Procedural rules state:
alerts* should remain in SIS only as long as required for their specific purpose and be deleted when they achieve their purpose;
alerts must be reviewed within defined periods. The member country may then decide to prolong them, otherwise they are automatically deleted. The review periods are
- 5 years: persons wanted for arrest for surrender or extradition purposes and missing persons who may, or may not, need to be placed under protection
- 3 years: people sought to assist with a judicial procedure and unknown wanted persons
- 1 year: children at risk, vulnerable persons who need to be protected from travelling and persons for discreet, inquiry or specific checks
- 10 years: objects for discreet inquiry or specific checks or for seizure or use as evidence in criminal proceedings;
categories of data to be entered into the system. These are designed to help end-users take decisions quickly. They include minimum requirements (surname, date of birth, reason for the alert and action to be taken) and other data, such as type of offence, photographic and dactyloscopic* information, if available;
use of biometric and dactyloscopic data must respect EU law and fundamental rights, and meet minimum quality standards and technical specifications;
a case must be adequate, relevant and sufficiently important to warrant an SIS alert, for example, an alert linked to a terrorist offence meets these criteria;
only the issuing member country may modify, add to, correct, update or delete data in SIS;
a country which considers acting on an alert would be incompatible with its national law, international obligations or essential interests may attach a flag* to the alert. This indicates it will not take any action on its territory.
the EU budget covers the operational, maintenance and development costs of Central SIS and the communication infrastructure;
Schengen member countries cover the operational, maintenance and development costs of their own N.SIS.
Alert categories per regulation
Regulation (EU) 2018/1860 strengthens enforcement of the EU’s return policy and reduces incentives for illegal immigration into the EU:
it lays down common conditions and procedures for entering and processing alerts and exchanging supplementary information on non-EU nationals subject to return decisions*;
it requires national authorities to enter alerts as soon as a return decision is taken;
it establishes harmonised procedures on
- categories of data to be included in the alert
- verification if a return decision has been complied with and, if not, the follow-up between the relevant authorities
- retention and deletion of alerts to ensure there is no delay between the departure of a non-EU national and the activation of an entry ban
- compulsory consultation between national authorities before
- granting or extending a residence permit or long-stay visa for a non-EU national who may be the subject of a return alert in another EU country
- entering an alert on a return decision if the person is legally staying elsewhere in the EU.
Regulation (EU) 2018/1861 covers the use of SIS for entry bans and border checks:
it establishes the conditions and procedures for entering and processing alerts and exchange of supplementary information* on non-EU nationals refused entry or the right to stay in the EU;
it introduces harmonised procedures on
- categories of data to be included in the alert
- compulsory entry of an alert when a non-EU national is refused entry or the right to stay because they pose a security threat or are subject to a restrictive order preventing entry into, or transit through, an EU country
- non-EU nationals with the right of free movement within the EU
- mandatory consultation between national authorities before granting or extending a residence permit or long-stay visa to a non-EU national refused the right of entry or stay in another EU country;
it guarantees non-EU nationals the right to be informed in writing if they are the subject of an alert.
Regulation 2018/1862 improves and extends the use of SIS for cooperation between police and judicial authorities:
it establishes the conditions and procedures for entering and processing alerts in the SIS on people and objects, and for exchanging supplementary information and data in police and judicial cooperation on criminal matters;
it covers procedures on alerts on:
- people wanted for arrest, for surrender or extradition purposes;
- missing persons;
- vulnerable persons who need to be prevented from travelling, either for their own protection or to prevent a threat to public order or security;
- children at risk, notably of abduction, trafficking or becoming involved in terrorism;
- individuals being sought to assist with a judicial procedure as witnesses or because they have been summoned in connection with criminal proceedings;
- unknown wanted persons whose identity is being sought;
- discreet or specific checks and inquiries to prevent, detect, investigate or prosecute criminal offences, execute a criminal sentence or prevent threats to public security;
- items to be seized or used as evidence in criminal proceedings, especially readily identifiable objects such as cars, boats, aircraft, firearms, identity documents and banknotes.
Individuals have the right to:
know whether or not their personal data are being processed, for what purposes and under what conditions;
lodge a complaint with a supervisory authority;
correction of inaccurate personal data without undue delay;
erasure of personal data if their use is no longer necessary or these have been unlawfully processed;
take action to access, rectify, erase, obtain information or compensation for an alert that concerns them;
compensation from a member country for any material or non-material damage they suffer from unlawful processing of their personal data.
SIS member governments:
are committed to enforcing rulings on data protection rights;
report annually to the European Data Protection Board on the number of requests they receive to access data and correct inaccuracies, and the volume of court cases and their outcome.
Independent supervisory authorities monitor the legality of national processing of personal data in SIS; the European Data Protection Supervisor set up under Regulation (EU) 2018/1725 performs the same role for eu-LISA. The two cooperate to ensure coordinated supervision of SIS.
Data processed in SIS and related supplementary information may not be transferred or made available to non-EU countries or international organisations.
Regulation (EU) 2018/1725 applies to personal data processed by eu-LISA, the European Border and Coast Guard Agency and Eurojust.
Regulation (EU) 2016/679 and Directive (EU) 2016/680 apply to personal data processed by national competent authorities and services.
The following have access to data in SIS:
National authorities responsible for
- border control, police and customs checks;
- prevention, detection, investigation or prosecution of terrorist acts or other serious criminal offences;
- decisions, including on residence permits and long-stay visas, on the entry, stay and return of non-EU nationals;
- security checks on non-EU nationals applying for international protection;
- naturalisation decisions;
- public prosecutions in criminal proceedings and judicial inquiries;
- issuing registration certificates for vehicles, boats, aircraft and firearms;
the EU agencies below have the right to access and search for the data in SIS they require to carry out their responsibilities. They inform the issuing member country when a search reveals the existence of an alert. They may not connect parts of SIS or transfer any of its data to their own system
- Europol: may access all data, not just some as previously. SIS member countries must inform the law enforcement agency of any hits or alerts relating to terrorist offences;
- Eurojust, which handles judicial cooperation of criminal matters;
- European Border and Coast Guard, teams involved in return-related tasks and migration management support teams.
The European Commission evaluates every 5 years the use these agencies make of SIS.
Each SIS member country:
ensures the data are accurate, up-to-date and entered and stored in SIS lawfully, and respect general data processing rules;
sets up, operates, maintains and develops its N.SIS, according to common standards, protocols and technical procedures, and connects it to NI-SIS;
ensures the uninterrupted availability of SIS data to end-users;
transmits its alerts through its N.SIS;
designates an N.SIS Office with central responsibility to ensure the smooth operation and security of its N.SIS, access of the competent authorities to the SIS, overall compliance with the regulation and appropriate availability of the SIS for all end-users;
appoints a national authority (the SIRENE Bureau) as a single contact point operational 24/7 for the exchange and availability of all supplementary information on alerts and to facilitate follow-up action;
adopts security, business continuity and disaster recovery plans to protect data and prevent unauthorised access;
applies professional secrecy and confidentiality rules, including close monitoring of external contractors. Private companies and organisations are banned from operational management of the N.SIS;
keeps electronic logs, normally deleted after 3 years, on alerts, access and exchange of personal data to check whether the search was lawful and ensure data integrity and security;
operates a national SIS training programme for staff with access to SIS on data security, fundamental rights, including data protection, and data processing rules and regulations.
adopts implementing and delegated acts on technical aspects of SIS and updates these as necessary;
under Regulation (EU) No 1053/2013, has an overall coordinating role for the evaluation and monitoring mechanism it implements with EU governments to ensure Schengen rules are fully applied nationally. This includes evaluation of the SIS;
will submit a report to the European Parliament and EU governments by 28 December 2019, and every year thereafter, until decides on the date for SIS operations to start, on the state of play of preparations for full implementation of the updated SIS regulation 2018/1862;
carries out an overall evaluation of Central SIS, the supplementary information exchange between national authorities, including an assessment of the automated fingerprint identification system (AFIS) and the SIS information campaigns 3 years after the regulation comes into force and every 4 years thereafter.
eu-LISA is responsible for:
Central SIS: its operational management, including quality checks on the data it contains, and all the tasks necessary to ensure it functions 24/7 every day of the year;
communication infrastructure: key aspects, notably supervision, security, coordination between member countries and providers, and budgetary and contractual issues;
SIRENE Bureaux: coordinating, managing and supporting testing activities, maintaining and updating technical specifications on supplementary information exchange between the Bureaux and the communication infrastructure, and managing technical change;
adopting the necessary measures to protect data and prevent unauthorised access or use, including security, business continuity and disaster recovery plans for Central SIS and the communication infrastructure;
applying professional secrecy and confidentiality rules, and maintenance of electronic logs on the same conditions as national authorities;
making publicly available via the EU’s Official Journal a list of national authorities authorised to search for data in SIS;
producing daily, monthly and annual statistics on the number of records per category of alerts, omitting any personal data. Its reports are made public.
The Commission, in cooperation with supervisory authorities and the European Data Protection Supervisor, runs the campaign. This is launched when the legislation comes into force and is repeated at regular intervals, to inform the public on:
- the aims of SIS;
- the data it holds;
- the authorities with access to it;
- individuals’ data rights.
The Commission maintains a publicly available website with all relevant information on SIS.
EU countries, working with their supervisory authorities, must inform the public about SIS.
FROM WHEN DO THE REGULATIONS APPLY?
They shall apply gradually and in entirety they shall be fully operational byno later than 28 December 2021. The date is to be decided by the Commission after the verification that the following conditions have been met:
implementing acts have been adopted;
national authorities have made the necessary arrangements to process SIS data and the exchange of supplementary information;
eu-LISA has successfully completed all its testing requirements.
Alert: a set of data enabling authorities to identify a person or object and act accordingly.
Dactyloscopic data: data on palm and fingerprints.
Flag: suspension of the validity of an alert at national level.
Return decisions: judicial or administrative decision on a non-EU national considered to be staying illegally who should return to their home country.
Supplementary information: information not forming part of the alert data in SIS, but connected to it.
Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals(OJ L 312, 7.12.2018, pp. 1-13)
Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 (OJ L 312, 7.12.2018, pp. 14-55)
Successive amendments to Regulation (EU) 2018/1861 have been incorporated into the original document. This consolidated version is of documentary value only.
Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, pp. 56-106)
See consolidated version.
Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (OJ L 295, 21.11.2018, pp. 99-137)
Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, pp. 6-21)
Regulation (EU) 2016/1624 of the European Parliament and of the Council of 14 September 2016 on the European Border and Coast Guard and amending Regulation (EU) 2016/399 of the European Parliament and of the Council and repealing Regulation (EC) No 863/2007 of the European Parliament and of the Council, Council Regulation (EC) No 2007/2004 and Council Decision 2005/267/EC (OJ L 251, 16.9.2016, pp. 1-76)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, pp. 1-88)
See consolidated version.
Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016 on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code) (OJ L 77, 23.3.2016, pp. 1-52)
See consolidated version.
Council Regulation (EU) No 1053/2013 of 7 October 2013 establishing an evaluation and monitoring mechanism to verify the application of the Schengen acquis and repealing the Decision of the Executive Committee of 16 September 1998 setting up a Standing Committee on the evaluation and implementation of Schengen (OJ L 295, 6.11.2013, pp. 27-37)
Directive 2008/115/EC of the European Parliament and of the Council of 16 December 2008 on common standards and procedures in Member States for returning illegally staying third-country nationals (OJ L 348, 24.12.2008, pp. 98-107)
The Schengen acquis as referred to in Article 1(2) of Council Decision 1999/435/EC of 20 May 1999 (OJ L 239, 22.9.2000, pp. 1-473)
last update 04.05.2020