27.7.2021 |
EN |
Official Journal of the European Union |
L 267/1 |
COMMISSION IMPLEMENTING REGULATION (EU) 2021/1217
of 26 July 2021
laying down the rules and conditions for verification queries by carriers, provisions for data protection and security for the carriers’ authentication scheme as well as fall-back procedures in case of technical impossibility
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (1), and in particular Article 45(2) and (3) and Article 46(4) thereof,
Whereas:
(1) |
Regulation (EU) 2018/1240 establishes the European Travel Information and Authorisation System (ETIAS) applicable to visa exempt third-country nationals seeking to enter the territory of the Member States. |
(2) |
The purpose of this Regulation is to lay down the rules and conditions for the verification query by carriers as well as to establish provisions for data protection and security for the carriers’ authentication scheme and fall-back procedures in case of technical impossibility. The obligations set out in this Regulation are applicable to air carriers, sea carriers and international carriers transporting groups overland by coach, coming into the territory of the Member States. |
(3) |
Pursuant to Article 45(1) of Regulation (EU) 2018/1240, air carriers, sea carriers and international carriers transporting groups overland by coach are to send a query to the European Travel Information and Authorisation System in order to verify whether travellers subject to travel authorisation requirement are in possession of a valid travel authorisation. Such a query is to be made by means of secure access to a carrier gateway. |
(4) |
Carriers should access the carrier interface by means of an authentication scheme. This Implementing Regulation should provide for data protection and security rules applicable to the authentication scheme pursuant to Article 45(3) of Regulation (EU) 2018/1240 in order to allow carriers exclusive access to the carrier gateway. |
(5) |
In order to fulfil their obligation, access to the carrier gateway should be provided to carriers operating and transporting passengers into the territory of the Member States. |
(6) |
Technical rules on the message format and authentication scheme should be laid down in order to enable carriers to connect and use the carrier gateway to be specified in the technical guidelines, which are part of the technical specifications referred to in Article 73 of Regulation (EU) 2018/1240, to be adopted by the European Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA). |
(7) |
Carriers should be able to indicate that the passengers fall outside the scope of the Regulation (EU) 2018/1240 and in such case carriers should receive an automatic ‘Not applicable’ reply from the carrier gateway, without querying the Read Only Database and without logging. |
(8) |
This Regulation should apply to air carriers, sea carriers and international carriers transporting groups overland by coach, coming into the territory of the Member States. Border checks for entry into the territory of the Member States may precede boarding. In such cases, carriers should be relieved of the obligation to verify the travel authorisation status of travellers. |
(9) |
In accordance with Article 83 of Regulation (EU) 2018/1240, during the transitional and the grace periods, rules applicable to carriers should be adapted to the specificities of these periods. Travellers should be allowed to enter without a travel authorisation during the transitional period as such authorisation should be optional. The transitional period is followed by a grace period, during which travellers should be allowed to enter the Schengen territory without a travel authorisation if it is their first entry during that grace period. |
(10) |
In order to ensure that the verification query is based on as up-to-date information as possible, queries should not be introduced earlier than 48 hours prior to the scheduled time of departure. |
(11) |
Passengers who are required to be in possession of a valid travel authorisation should be considered as being in possession of such an authorisation where carriers have queried the carrier interface within 48 hours prior to scheduled time of departure and received ‘OK’. There may be circumstances in which a carrier may not be able to proceed with a query referred to in Article 45(1) of Regulation (EU) 2018/1240 on account of a technical failure occurring within any part of the European Travel Information and Authorisation System. In order to limit possible adverse consequences resulting from such a failure, it is necessary to lay down the detailed rules for the fall-back procedures as provided for in Article 46 of Regulation (EU) 2018/1240. |
(12) |
To ensure that the data accessed by carriers is accurate and consistent with the data stored in the European Travel Information and Authorisation System, the read only database referred to in Article 45(4) of Regulation (EU) 2018/1240 should be updated as necessary. |
(13) |
The Commission, eu-LISA and the Member States should endeavour to inform all known carriers of how and when they can register. Upon successful completion of the registration procedure as well as, where relevant, the successful completion of testing, eu-LISA should connect the carrier to the carrier interface. |
(14) |
Carriers should have access to a web form on a public website allowing them to request assistance. When requesting assistance carriers should receive an acknowledgement of receipt containing a ticket number. eu-LISA or the ETIAS Central Unit may contact carriers that have received a ticket by any means necessary, including by phone, in order to provide an adequate response. |
(15) |
This Regulation is without prejudice to the application of Directive 2004/38/EC of the European Parliament and the Council (2). |
(16) |
In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark did not take part in the adoption of Regulation (EU) 2018/1240 and is not bound by it or subject to its application. However, given that Regulation (EU) 2018/1240 builds upon the Schengen acquis, Denmark notified on 21 December 2018, in accordance with Article 4 of that Protocol, its decision to implement Regulation (EU) 2018/1240 in its national law. |
(17) |
This Regulation constitutes a development of the provisions of the Schengen acquis in which Ireland does not take part (3). Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application. |
(18) |
As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (4), which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC (5). |
(19) |
As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (6), which fall within the area referred to in Article 1, point A of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC (7). |
(20) |
As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (8) which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (9). |
(21) |
As regards Cyprus, Bulgaria and Romania and Croatia, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within, respectively, the meaning of Article 3(1) of the 2003 Act of Accession, Article 4(1) of the 2005 Act of Accession and Article 4(1) of the 2011 Act of Accession. |
(22) |
The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (10) and delivered an opinion on 30 April 2021. |
(23) |
The measures provided for in this Regulation are in accordance with the opinion of the Smart Borders Committee (ETIAS), |
HAS ADOPTED THIS REGULATION:
Article 1
Subject matter
This Regulation establishes:
(a) |
the detailed rules and conditions for the operation of the carrier gateway and the data protection and security rules applicable to the carrier gateway provided for in Article 45(2) of Regulation (EU) 2018/1240; |
(b) |
an authentication scheme for carriers to enable them to fulfil their obligations pursuant to Article 45(3) of Regulation (EU) 2018/1240 as well as detailed rules and conditions on registration of carriers in order to gain access to the authentication scheme; |
(c) |
details of the procedures to be followed where it is technically impossible for carriers to access the carrier gateway, in accordance with Article 46(4) of Regulation (EU) 2018/1240. |
Article 2
Definitions
For the purposes of this Regulation:
(1) |
‘carrier interface’ means the carrier gateway to be developed by eu-LISA in accordance with Article 73(3) of Regulation (EU) 2018/1240 and consisting of an IT interface connected to a read only database; |
(2) |
‘technical guidelines’ means the part of the technical specifications, referred to in Article 73(3) of Regulation (EU) 2018/1240, that is relevant for carriers for the implementation of the authentication scheme and the development of the message format of the Application Programming Interface referred to in Article 4(2)(a); |
(3) |
‘duly authorised staff’ means natural persons that are employees of or contractually engaged by the carrier or other legal or natural persons under that carrier’s direction or supervision, assigned with the tasks of verifying the status of travellers on behalf of the carrier, in accordance with Article 45(1) of Regulation (EU) 2018/1240. |
Article 3
Obligations of carriers
1. Carriers shall launch a query referred to in Article 45(1) of Regulation (EU) 2018/1240 (‘verification query’), through the carrier interface.
2. The verification query shall be introduced at the earliest 48 hours prior to the scheduled time of departure.
3. Carriers shall ensure that only duly authorised staff have access to the carrier interface. The carriers shall put in place at least the following mechanisms:
(a) |
physical and logical access control mechanisms to prevent unauthorised access to the infrastructure or the systems used by the carriers; |
(b) |
authentication; |
(c) |
logging to ensure access traceability; |
(d) |
a regular review of the access rights. |
Article 4
Connection and access to the carrier interface
1. Carriers shall connect to the carrier interface through one of the following:
(a) |
a dedicated network connection; |
(b) |
an internet connection. |
2. Carriers shall access the carrier interface through one of the following:
(a) |
a system to system interface (Application Programming Interface); |
(b) |
a web interface (browser); |
(c) |
an application for mobile devices. |
Article 5
Queries
1. In order to send the verification query, the carrier shall provide the following traveller data:
(a) |
surname (family name); first name or names (given names); |
(b) |
date of birth, sex and nationality; |
(c) |
the type and number of the travel document and the three letter code of the issuing country of the travel document; |
(d) |
the date of expiry of the validity of the travel document; |
(e) |
the scheduled day of arrival at the border of the Member State of entry; |
(f) |
one of the following:
|
(g) |
the details (local date and time of scheduled departure, identification number where available or other means to identify the transport) of the means of transportation used to access the territory of a Member State. |
2. For the purposes of providing the information referred to in paragraph 1, points (a) to (d), carriers may scan the machine-readable zone of the travel document.
3. Where the passenger is exempt from the scope of Regulation (EU) 2018/1240 in accordance with Article 2 of that Regulation or is in airport transit, the carrier shall be able to specify it in the verification query.
4. Carriers shall be able to send a verification query for one or more passengers. The carrier interface shall include the reply referred to in Article 6 for each passenger included in the query.
Article 6
Reply
1. Where the passenger is exempt from the scope of Regulation (EU) 2018/1240 in accordance with Article 2 of that Regulation or is in airport transit, the reply shall be ‘Not applicable’. In all other cases, the reply shall be ‘OK’ or ‘Not OK’.
Where a verification query returns a ‘Not OK’ reply, the reply shall specify that the response is coming from the European Travel Information and Authorisation System.
2. During the transitional period referred to in Article 83(1) of Regulation (EU) 2018/1240, replies to the verification queries shall be determined in accordance with the following rules:
(a) |
if the third country national has a valid travel authorisation for the date of entry: OK; |
(b) |
if the third country national has no valid travel authorisation for the date of entry: OK; |
(c) |
if the third country national has no valid travel authorisation for the date of entry but the carrier confirms in the verification query that one of the conditions referred to in the first sentence of paragraph 1 are fulfilled: Not applicable; |
(d) |
if the third country national has a valid travel authorisation for the date of entry with Limited Territorial Validity (‘LTV’) and the Member State of entry corresponds to the Member State of the LTV: OK; |
(e) |
if the third country national has a valid travel authorisation for the date of entry with LTV and the Member State of entry does not correspond to the Member State of the LTV: OK. |
3. During the grace period referred to in Article 83(3) of Regulation (EU) 2018/1240 replies to the queries shall be determined in accordance with the following rules:
(a) |
if the third country national has a valid travel authorisation for the date of entry: OK; |
(b) |
if the third country national has no valid travel authorisation for the date of entry and it is the first time since the end of the transitional period the third country national is entering the territory of a Member State operating the Entry/Exit System (EES): OK; |
(c) |
if the third country national has a valid travel authorisation for the date of entry with LTV, it is the first time since the end of the transitional period the third country national is entering the territory of a Member State operating the Entry/Exit System and the Member State of entry corresponds to the Member State of the LTV: OK; |
(d) |
if the third country national has a valid travel authorisation for the date of entry with LTV, it is the second or more time since the end of the transitional period the third country national is entering the territory of a Member State operating the Entry/Exit System and the Member State of entry corresponds to the Member State of the LTV: OK; |
(e) |
if the third country national has no valid travel authorisation for the date of entry and it is the second or more time since the end of the transitional period that the third country national is entering the territory of a Member State operating the Entry/Exit System: Not OK; |
(f) |
if the third country national has no valid travel authorisation for the date of entry but the carrier confirms in the verification query that one of the conditions referred to in the first sentence of paragraph 1 are fulfilled: Not applicable; |
(g) |
if the third country national has a valid travel authorisation for the date of entry with LTV, it is the first time since the end of the transitional period the third country national is entering the territory of a Member State operating the Entry/Exit System and the Member State of entry does not correspond to the Member State of the LTV: OK; |
(h) |
if the third country national has a valid travel authorisation for the date of entry with LTV and it is the second or more time since the end of the transitional period the third country national is entering the territory of a Member State operating the EES and the Member State of entry does not correspond to the Member State of the LTV: Not OK.; |
(i) |
if the third country national has no valid travel authorisation for the date of entry and is entering the territory of a Member State not operating the Entry/Exit System: Not OK. |
4. After the expiry of the grace period referred to in Article 83(3) of Regulation (EU) 2018/1240 replies to the queries shall be determined in accordance with the following rules:
(a) |
if the third country national has a valid travel authorisation for the date of entry: OK; |
(b) |
if the third country national has no valid travel authorisation for the date of entry: Not OK; |
(c) |
if the third country national has no valid travel authorisation for the date of entry but the carrier confirms in the verification query that one of the conditions referred to in the first sentence of paragraph 1 are fulfilled: Not applicable; |
(d) |
if the third country national has a valid travel authorisation for the date of entry with LTV and the Member State of entry corresponds to the Member State of the LTV: OK; |
(e) |
if the third country national has a valid travel authorisation for the date of entry with LTV and the Member State of entry does not correspond to the Member State of the LTV: Not OK. |
Article 7
Message format
eu-LISA shall specify the data formats and structure of messages to be used for transmitting verification queries and replies to those queries through the carrier interface in the technical guidelines. eu-LISA shall include at least the following data formats:
(a) |
UN/EDIFACT; |
(b) |
PAXLST/CUSRES; |
(c) |
XML; |
(d) |
JSON. |
Article 8
Data extraction requirements for the carrier interface and data quality
1. Data on issued, annulled and revoked travel authorisations shall be regularly and automatically extracted from the European Travel Information and Authorisation System and transmitted to the read-only database.
2. All extractions of data into the read-only database pursuant to paragraph 1 shall be logged.
3. eu-LISA shall be responsible for the security of the carrier interface, for the security of the personal data it contains and for the process of extracting from the European Travel Information and Authorisation System and transmitting the data referred to in paragraph 1 to the read-only database.
4. It shall not be possible to transmit data from the read-only database to the European Travel Information and Authorisation System.
Article 9
Authentication scheme
1. eu-LISA shall develop an authentication scheme, taking into account information on security risk management and the principles of data protection by design and default and allowing to trace the initiator of the verification query.
2. The details of the authentication scheme shall be set out in the technical guidelines.
3. The authentication scheme shall be tested in accordance with Article 12.
4. Where carriers access the carrier interface using the Application Programming Interface referred to in Article 4(2), point (a), the authentication scheme shall be implemented by means of mutual authentication.
Article 10
Registration for the authentication scheme
1. Carriers referred to in Article 45(1) of Regulation (EU) 2018/1240 operating and transporting passengers into the territory of the Member States shall be required to register prior to gaining access to the authentication scheme.
2. eu-LISA shall make available a registration form on a public website to be completed online. Submission of the registration form shall only be possible where all the fields have been correctly completed.
3. The registration form shall include fields requiring carriers to provide the following information:
(a) |
the legal name of the carrier as well as its contact details (email address, telephone number and postal address); |
(b) |
the contact details of the legal representative of the company requesting the registration and of back-up points of contact (names, telephone numbers, email and postal addresses) as well as the functional email address and other means of communication that the carrier intends to use for the purposes of Articles 13 and 14; |
(c) |
the Member State or third country that issued the official company registration referred to in paragraph 6 and the registration number, where available; |
(d) |
where the carrier has attached, in accordance with paragraph 6, an official company registration issued by a third country, the Member States in which the carrier operates or intends to operate within the next year. |
4. The registration form shall inform the carriers of the minimum security requirements, which shall ensure compliance with the following objectives:
(a) |
identifying and managing security risks related to the connection to the carrier interface; |
(b) |
protecting the environments and the devices connected to the carrier interface; |
(c) |
detecting, analysing, responding to and recovering from cyber security incidents. |
5. The registration form shall require carriers to declare:
(a) |
that they operate and transport passengers into the territory of the Member States or intend to do so within the next six months; |
(b) |
that they will access and make use of the carrier interface in accordance with the minimum security requirements set out in the registration form, in accordance with paragraph 4; |
(c) |
that only duly authorised staff will have access to the carrier interface. |
6. The registration form shall require carriers to attach an electronic copy of their instruments of constitution, including statutes, as well as an electronic copy of an extract of their official company registration from either at least one Member State, where applicable, or from a third country in, or officially translated into, one of the official Union or one of the Schengen Associated Countries languages. An electronic copy of an authorisation to operate in one or more Member States, such as an Air Operator Certificate, can substitute the official company registration.
7. The registration form shall notify carriers:
(a) |
that they are required to inform eu-LISA of any changes regarding the information referred to in paragraphs 3, 4 and 5 or in case of technical changes affecting their ‘system to system’ connection to the carrier interface that may require additional testing in accordance with Article 12 through specified contact details of eu-LISA to be used for this purpose; |
(b) |
that they will be automatically deregistered from the authentication scheme if the logs show that the carrier has not used the carrier interface during a period of one year; |
(c) |
that they may be deregistered from the authentication scheme in case of a breach of the provisions of this Regulation, the security requirements referred to in paragraph 4 or the technical guidelines, including in case of abuse of the carrier interface; |
(d) |
that they are obliged to inform eu-LISA of any personal data breach that may occur and regularly review the access rights of their dedicated staff. |
8. Where the registration form has been submitted correctly, eu-LISA shall register the carrier and notify the carrier that it has been registered. Where the registration form has not been submitted correctly, eu-LISA shall refuse registration and notify the carrier of the reasons.
Article 11
Deregistration from the authentication scheme
1. Where the carrier informs eu-LISA that it no longer operates or transports passengers into the territory of the Member States, eu-LISA shall deregister the carrier.
2. Where the logs show that the carrier has not used the carrier interface during a period of one year, it shall be automatically deregistered.
3. Where a carrier no longer fulfils the conditions referred to in Article 10(5), or has otherwise breached the provisions of this Regulation, the security requirements referred to in Article 10(4) or the technical guidelines, including in case of abuse of the carrier interface, eu-LISA may deregister the carrier.
4. eu-LISA shall inform the carrier of its intention to deregister the carrier pursuant to paragraphs 1, 2 or 3, together with the reason for the deregistration, one month before deregistration. Before deregistration, eu-LISA shall give the carrier the opportunity to provide written comments.
5. In case of urgent IT security concerns, including where the carrier is not complying with the security requirements referred to in Article 10(4), or with the technical guidelines, eu-LISA may immediately disconnect a carrier. eu-LISA shall inform the carrier of the disconnection, together with the reason for the disconnection.
6. To the extent appropriate, eu-LISA shall assist carriers that have received a notice of deregistration or disconnection to remedy the deficiencies that gave rise to the notice and, where possible, for a limited time and under strict conditions, provide the opportunity for disconnected carriers to send verification queries by other means than those referred to in Article 4.
7. Disconnected carriers may again be connected to the carrier interface following successful removal of the security concerns that gave rise to the disconnection. Deregistered carriers may submit a new request for registration.
8. eu-LISA shall maintain an up to date register of registered carriers. Personal data contained in the registration of carriers shall be deleted at the latest one year after the carrier has been deregistered.
9. At any time following the registration of carriers pursuant to Article 10, eu-LISA may, in particular where there is reasoned suspicion that one or more carriers are abusing the carrier interface or do not fulfil the conditions referred to in Article 10(4), make inquiries with Member States or third countries.
10. Where the registration form referred to in Article 10(2) is not available for a prolonged period of time, eu-LISA shall ensure that registration in accordance with that Article is possible via other means.
Article 12
Development, testing and connection of the carrier interface
1. eu-LISA shall make available the technical guidelines to carriers in order to enable them to develop and test their carrier interface.
2. Where carriers choose to connect through the Application Programming Interface referred to in Article 4(2), point (a), the implementation of the message format referred to in Article 7 and of the authentication scheme referred to in Article 9 shall be tested.
3. Where carriers choose to connect through the web interface (browser) or application for mobile devices, they shall notify eu-LISA that they have successfully tested their connection to the carrier interface and that their duly authorised staff has been successfully trained in using the carrier interface.
4. For the purpose of paragraph 2, eu-LISA shall develop and make available a testing plan, a test environment and a simulator allowing eu-LISA and carriers to test the carriers’ connection to the carrier interface. For the purpose of paragraph 3, eu-LISA shall develop and make available a test environment allowing carriers to train their staff.
5. Upon successful completion of the registration procedure referred to in Article 10 as well as the successful completion of the testing referred to in paragraph 2 of this Article or reception of the notification referred to in paragraph 3 of this Article, eu-LISA shall connect the carrier to the carrier interface.
Article 13
Technical impossibility
1. Where it is technically impossible to send a verification query because a component of the European Travel Information and Authorisation System failed, the following shall apply:
(a) |
where the failure is detected by a carrier, as soon as it becomes aware of it, it shall notify the ETIAS Central Unit through the means referred to in Article 14. |
(b) |
where the failure is detected or confirmed by eu-LISA, the ETIAS Central Unit shall inform carriers of such failure by email or other means of communication, as soon as they become aware of it, and of the end of the failure when the issue has been solved; |
2. Where it is technically impossible to send a verification query for other reasons than a failure of any component of the ETIAS Information System, the carrier shall notify the ETIAS Central Unit through the means referred to in Article 14.
3. The carrier shall inform the ETIAS Central Unit, through the means referred to in Article 14, as soon as the issue has been solved.
4. For the purpose of this Article and Article 14, eu-LISA shall make available to the ETIAS Central Unit a ticketing tool. That tool shall offer access to the register of carriers.
5. The ETIAS Central Unit shall acknowledge receipt of the notifications referred to in paragraphs 1 and 2.
Article 14
Assistance to carriers
1. A web form as part of the ticketing tool shall be made available to carriers on a public website in order to allow carriers to request assistance.
The web form shall enable the carriers to provide at least the following information:
(a) |
the identification details of the carrier; |
(b) |
a summary of the request; |
(c) |
whether the request is of a technical nature and, in such case, the date and time of the start of the technical issue. |
2. Carriers shall receive an acknowledgement of receipt of the request by the ETIAS Central Unit. This receipt shall contain a ticket number.
3. Where the request for assistance is of a technical nature, the ETIAS Central Unit shall send the request to eu-LISA. eu-LISA shall be responsible for providing technical assistance to carriers.
4. Where the request for assistance is not of a technical nature, the ETIAS Central Unit shall assist carriers by directing them to relevant information.
5. Where it is technically impossible to request assistance in accordance with paragraph 1 using the web form, the carrier shall be able to use an emergency phone line connected to the ETIAS Central Unit or eu-LISA.
6. The assistance provided by the ETIAS Central Unit and eu-LISA shall be available 24/7 and provided in English.
7. The ETIAS Central Unit shall make available online a list of frequent questions and answers relevant for carriers. This list shall be available in all official languages of the Union. It shall be separate from the questions and answers relevant for travellers.
Article 15
Entry into force and applicability
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.
Done at Brussels, 26 July 2021.
For the Commission
The President
Ursula VON DER LEYEN
(1) OJ L 236, 19.9.2018, p. 1.
(2) Directive 2004/38/EC of the European Parliament and of the Council of 29 April 2004 on the right of citizens of the Union and their family members to move and reside freely within the territory of the Member States amending Regulation (EEC) No 1612/68 and repealing Directives 64/221/EEC, 68/360/EEC, 72/194/EEC, 73/148/EEC, 75/34/EEC, 75/35/EEC, 90/364/EEC, 90/365/EEC and 93/96/EEC (OJ L 158, 30.4.2004, p. 77).
(3) This Regulation falls outside the scope of the measures provided for in Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen acquis (OJ L 64, 7.3.2002, p. 20).
(4) OJ L 176, 10.7.1999, p. 36.
(5) Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (OJ L 176, 10.7.1999, p. 31).
(6) OJ L 53, 27.2.2008, p. 52.
(7) Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (OJ L 53, 27.2.2008, p. 1).
(8) OJ L 160, 18.6.2011, p. 21.
(9) Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis, relating to the abolition of checks at internal borders and movement of persons (OJ L 160, 18.6.2011, p. 19).
(10) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).