Out of the five Member States that have not joined the EPPO, Denmark and Ireland - both with an opt-out from the area of freedom, security and justice (AFSJ), Hungary and Poland stated that they did not intend to join. Sweden reported that it was committed to joining the EPPO as soon as possible.

Following the Commission’s recommendations, by the end of 2021, eleven 1 Member States had adopted a NAFS and transmitted it to the Commission (OLAF), although some still needed to be updated. Four 2 had adopted sectoral ones and one 3 Member State a regional NAFS – of these, Germany and Portugal were yet to transmit the documents to the Commission. In eleven 4 Member States no strategies were adopted to date, yet four 5 of these reported that they were in the process of drafting or close to adopting one.

While the overall number of NAFS has improved compared to last year, when fourteen Member States had adopted NAFS, the replies received from Member States show that there are variations in the coverage and content of these strategies. For example, some strategies still needed to be updated to cover the new financial framework, while at the other end of the spectrum several NAFS were already adapted to account for new risks such as COVID-19 or financial risks associated with the implementation of the Recovery and Resilience Facility (RRF). For example, Bulgaria, Greece, France, Italy, and Hungary reviewed their strategies in light of their COVID-19 experience and to account for the new significant risks associated with the implementation of RRF. Czechia noted that new risks would be reflected in the update it had foreseen for the end of 2022.

1.2.Revenue

EU Member States are invited to assess the risks and shortcomings of the national customs control strategies revealed through the COVID-19 pandemic, and to report lessons-learned and remedial measures taken in order to:

·improve flexibility for the type of customs checks;

·diminish the potential impact of unexpected future events;

·ensure the implementation of uniform controls within the EU.

Furthermore, Member States are invited to assess the financial risks that might not have been sufficiently addressed during 2020 and to establish catch-up plans for carrying out appropriate customs checks where due to confinement measures such customs checks had to be cancelled or postponed e.g. checks at operators’ premises and physical checks before releasing goods into free circulation.

EU and national customs policies made a significant contribution to the EU’s COVID-19 response in 2020 ensuring smooth trade flows for Europeans and protecting the EU’s financial interests. Some EU Member States were faster and more flexible in adjusting their control activities. The degree of divergence at national level and the differing length of confinement measures as well as country-specific challenges had an impact on EU Member States’ capacity to adapt to the harsh reality of 2020.

It is now essential to explore all avenues for ensuring that the customs union and EU Member States’ customs authorities operate optimally, remain flexible and resilient in times of crisis and better anticipate problems.

To this end, the responses received showed that sixteen 6 Member States fully implemented the Commission’s recommendation to assess the risks and shortcomings of their national customs measures, four 7 partially implemented, and six 8 did not implement the recommendation. Overall, the responses submitted showed that all Member States successfully adapted to the constraints imposed by the COVID-19 pandemic and implemented flexible arrangements to continue their work as effectively as possible.

Three commonalities between Member States became apparent when analysing their answers. Firstly, nearly all Member States prioritised the verification of COVID-19 related treatment and protective equipment and introduced measures to ensure these were swiftly processed and that no sub-standard goods entered the EU market. To this end Germany and the Netherlands, for example, introduced special codes in customs declaration to facilitate the quick recognition and processing of such equipment.

Secondly, and deriving from the above, all Member States showed flexibility in terms of conducting their controls by relying, except in critical cases, on the use of digital means to carry out their tasks. The introduction of telework, the increased use of documentary evidence, electronic checks, remote interviewing, and the use of IT platforms to prioritise controls were examples of measures introduced during the COVID-19 pandemic. For example, Germany relied on an electronic system to process customs declarations to minimise in-person operations. The Dutch customs authorities adjusted their ship inspection procedures and switched from physical checks to shore-based observation and enhanced surveillance when in-person verifications were not possible due to sanitary restrictions.

Finally, in connection with the identification of risks, Member States relied on risk profiling to prioritise and focus their limited capabilities on operations with a high financial risk, while postponing or at times simplifying controls for medium-low risk operations. Countries such as Latvia upgraded their national IT platforms to enable, for example, the selection of customs declarations for post-clearance inspections. The Netherlands developed a new system for sharing crisis information, to anticipate further similar events, while Poland suggested the use of automatic risk analysis to increase controls on customs declarations in specific risk areas.

Such changes in control practices could inevitably have affected the quality of verifications and could have led to inconsistencies in addressing financial risks. To this end, the Commission invited Member States to report on whether they had assessed the risks that may not have been addressed in 2020 and implemented remedial measures to address them. As a result, sixteen 9 Member States answered that they had fully implemented the recommendation, three 10 implemented it partially, and seven 11 did not implement it.

Most Member States relied on risk profiles or similar arrangements to prioritise their work and therefore assessed that they had properly addressed most financial risks arising in 2020 and did not have to take remedial measures. In certain cases, authorities reported that some high-risk operations were controlled a posteriori, such as in Slovenia, and that in instances where controls had to nevertheless be postponed they were resumed as soon as possible in the second half of 2021 or in the beginning of 2022. The Netherlands noted that in 2022 it would focus on verifying documents of origin, as companies had been allowed to provide only copies during the first period of the COVID-19 pandemic.

1.3.Expenditure

If not already done, EU Member States are invited to launch targeted risk management exercises linked to the impact of COVID-19 and the upcoming implementation of the Recovery and Resilience Facility.

The way in which underlying data, as well as those concerning detected irregularities and fraud, are collected and used, needs to be further improved. The Commission will further develop the Irregularity Management System.

National authorities will need to report quality data that is reliable.

All EU Member States should make use of the integrated and interoperable information and monitoring system that the Commission will make available for the Recovery and Resilience Facility and the EU budget.

Risks can only be mitigated if they have been identified. A lost opportunity in terms of risk identification weakens EU Member States and exposes them to the full extent of the risks both in terms of impact and likelihood. It is therefore critical in the current circumstances that EU Member States perform in-depth and targeted risk assessments. This will contribute to strengthening rules on internal control frameworks.

In this respect, transparency as regards the use of the public resources is key. It does not only constitute a deterrent element, but also involves civil society, contributing to improving taxpayers’ trust in how public authorities manage public money. Data analysis to identify and target suspicious transactions has become an essential part of the fight against fraud and its importance will continue to grow in the coming years.

Asked whether they had launched risk management exercises linked to the impact of COVID-19 and the implementation of the RRF, eleven 12 Member States reported that they had done so, fully implementing the recommendation, eleven 13 did so only partially, and four 14 did not implement the recommendation.

Those Member States who undertook these exercises mostly integrated these risks into their annual risk assessments, particularly for COVID-19, or occasionally conducted separate analyses, as in the case of the RRF. Most Member States that had not yet implemented the recommendation stated their intention to include such risk assessments in the future. A few countries, among which Germany, estimated that there was no need to reassess their risk management strategies in light of the COVID-19 pandemic, for example. Some exceptions existed, mostly in the case of the RRF, whereby authorities noted they were still in the incipient phases of implementation of the RRF and did not have sufficient information to conduct such analyses, as for example in the Netherlands.

When asked whether they had improved the manner in which they collected and used data, including on detected irregularities, fourteen 15 Member States reported that they fully implemented the recommendation, seven 16 did so partially, and five 17 did not implement it.

Those Member States that did not implement the recommendation assessed that the systems they had in place operated at optimal capacity and did not need improvements at the time. Most Member States reported that they had tailored their usage of IT systems such as IMS, Arachne, EDES, as well as a variety of national IT tools, to enhance the quality of the data they worked with. For example, for the management of the common agricultural policy in Croatia, the responsible authorities combined a variety of data sources to continuously monitor and evaluate implementation, including administrative IT resources, publicly available information, remote sensors, earth observation technology and space/satellite technology, mobile application, and geospatial data. Poland added three new IT applications to its system, which could be used to obtain data on entities from public registers, perform cross-checks to detect double financing of expenditure, or carry out electronic controls on projects.

Concerning the final recommendation for the use of the integrated and interoperable information and monitoring system that the Commission made available for both the RRF and the EU budget, nineteen 18 Member States reported they fully implemented it, four 19 partially implemented, and three 20 did not implement the recommendation.

Arachne was the most commonly mentioned IT tool in relation to the implementation of both EU funds and the RRF, as most Member States had either been using it already or were planning to do so in the near future; it was followed by IMS and EDES. While Member States had clear plans concerning the use of these IT tools for the general management of EU funds, they were less specific in relation to the system they planned to use for the implementation of the RRF. Most Member States, however, noted that it was still early in the implementation of the national plans to be able to ascertain which system would fit their needs best, while a few national plans had not been approved yet.

2.Follow-up by recommendation

Methodology and thematic analysis:

The following section provides a comprehensive overview of the state of implementation of each recommendation and summarises the replies received from each Member State. This section is divided in three sub-sections, following the recommendations related to cross-cutting aspects of the fight against fraud, and the revenue and expenditure sides of the budget respectively. Each recommendation is analysed by firstly providing an overview of the number of Member States that addressed each of the questions related to a recommendation and secondly, by providing a summary of the most important details provided by each Member State. For the reader's specific reference, the Member States' original replies are listed in Section 3 of this document, "Member States’ replies".

The analysis is based on 26 Member States’ replies collected during December 2021 – February 2022; Austria noted that they had no replies to the 2021 exercise.

1.4.Cross-cutting aspects of the fight against fraud

The Commission provided the following questionnaire to the Member States with regard to addressing the first recommendation:

Q.1 For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

If YES, can you provide some additional information on the state-of-play?

Q.2 Have you adopted a national anti-fraud strategy?

If YES, did you communicate it to OLAF? If you did not communicate it, why? Please transmit it without delay.

Has the NAFS been recently updated?

If YES (+ date of update), does the strategy/update cover the new significant risks linked to the COVID-19 crisis and the RRF? Can you share what risks the new strategy has taken into account? If the updated strategy doesn’t cover such risks, why is it so?

If NO (+ date of adoption of NAFS), is the update ongoing or are you considering updating it? Can you please indicate a timeline for the adoption of a new / updated anti-fraud strategy?

The table below represents the overall results of the implementation of each question corresponding to the Commission’s recommendations.

1.4.1.Joining the EPPO

Member States who had not joined the EPPO yet were asked whether they had plans to do so in the short-medium term.

Twenty-two 21 Member States had joined the EPPO at the time of reporting. Out of the five Member States that had not, Denmark and Ireland (both holding an opt-out from the area of freedom, security and justice), Hungary, and Poland stated that they did not intend to join. Sweden reported that it planned to join as soon as possible and that the government was working on a legislative proposal to this end that would be ready by the end of 2022.

1.4.2.Adopting a national anti-fraud strategy (NAFS)

In response to the question of whether they adopted a national anti-fraud strategy (NAFS), eleven 22 Member States replied that they adopted a NAFS, four 23 adopted a sectoral one, while eleven 24 were yet to adopt one. The replies showed a diverse picture in terms of the scope and content of the anti-fraud strategies adopted by the Member States, as reflected in the remainder of this section.

Belgium had not yet adopted a NAFS at the time of reporting. The AFCOS was under restructuring, to enable the exchange of information between the various national and regional authorities, and ultimately the establishment of a national anti-fraud strategy. In the interim, its anti-fraud strategy was based on the strategies developed by the competent authorities managing the funds at regional level (e.g. ESF, ERDF) and the strategy implemented by Customs.

Bulgaria adopted a NAFS in November 2020, covering the period 2021-2027, and communicated it to OLAF. It was developed by a working group of representatives of all authorities responsible for managing and controlling EU funds and those responsible for investigating fraud and took into account recommendations from the European Court of Auditors and Commission guidelines. The strategy reflects new significant risks, in particular in response to the outbreak of the COVID-19 pandemic and its economic and social consequences. It contains specific objectives for preventing and combating irregularities and fraud, responsibilities and a mechanism for monitoring the implementation of the measures.

Czechia adopted a NAFS in June 2008 and updated it latest in May 2020; the strategy was communicated to OLAF. It further noted than an updated NAFS reflecting new risks, environment, and programming period would be adopted by the end of 2022.

Denmark had not adopted a national antifraud strategy at the time of reporting, but several of the Danish AFCOS network-members had sectoral anti-fraud strategies, which also covered fraud with EU funds.

Germany reported that it had not adopted a NAFS, but that a sectoral one was in place at the level of ERDF Lower Saxony, complementing the current management and control system and as a proportionate measure to prevent fraud. The authority expected that the risk of fraud and corruption for the 2014-2020 funding period would be low, based on its assessment of Lower Saxony’s performance in the 2007–2013 programming period. The strategy was being updated as part of the reform of the management and control system for the 2021-2027 funding period. Moreover, the ERDF managing authorities in the Länder focused on their own anti-fraud strategies and regarded their own management and control systems as a proportionate measure to prevent fraud. The risk of fraud was reviewed frequently in the context of the COVID-19 pandemic.

Estonia updated its NAFS in February 2021, as the Anti-Corruption Action Plan 2021-2025, and a corresponding Action Report in January 2022. The Anti-Corruption webpage, which has been shared with the Commission, covers topics such as corruption or conflict of interests and consists of different guidelines, handbooks, e-courses.

The Greek National Anti-Fraud Strategy for Structural Actions was adopted in 2014 and updated in 2017, including a comprehensive overview of its associated Action Plan; it was also communicated to OLAF. Although the action plan was completed, the Member State reported that the NAFS continues to be systematically implemented. In the context of the COVID-19 crisis and the new significant risks, a technical meeting of the Internal Cooperation Network on Anti-Fraud Strategy in Structural Actions was held in July 2021 and resulted in the adaptation of the managing authorities’ Fraud Risk Assessment Tool to include risks and measures related to the COVID-19 crisis. In addition, the Management and Control System (MCS) of the Fisheries and Maritime Operational Programme (MCS) incorporated procedures and measures to prevent and combat fraud specifically in the fisheries sector, although no formal anti-fraud strategy document was drafted. Concerning RRF actions, the Special Recovery Fund Coordination Service (ERFA) in Greece reported that an anti-corruption and anti-fraud strategy was developed based on prevention, detection and effective response, which set targets and specified further actions where necessary.

Spain had not yet adopted a strategy but it reported that in 2020, the AFCOS prepared and presented to the Commission its project entitled “A national anti-fraud strategy for Spain”, related to financing within the framework of the Support Programme for Structural Reforms of the EU (SRSP – TSI). This project started in October 2021, with a duration of 19 months, and would serve to prepare a comprehensive NAFS, covering the four phases of the anti-fraud cycle (prevention, detection, investigation, and recovery/sanctions).

France adopted a new anti-fraud strategy in February 2022, developed by the Inter-ministerial Anti-Fraud Coordination Mission (MICAF), as AFCOS, in consultation with its partners, which it communicated to the Commission. The strategy covers significant new risks related to the RRF. The Member State set up a coordinating authority for the RRF - the Secretariat-General of the Recovery Plan (SGPR), under the authority of the Prime Minister and the Minister for the Economy, Finance and Recovery - which will centralise, among other data, any irregularities detected in the implementation of the RRF measures. Additionally, a working group of the various actors involved in the management of the new EU funds, led by MICAF, will work to identify fraud risks specifically linked to the allocation of these funds and exchange information in order to establish a typology of fraud in view of future risk mapping.

Croatia referred to its previous anti-fraud strategies, the latest for 2014-2016 and which was sent to OLAF at the time, and noted it had been fully implemented. As the AFCOS became operational and no major weaknesses were identified, it adopted no new anti-fraud strategies and did not update its existing ones. The AFCOS system has been constantly fine-tuned through softer measures (e.g. irregularity management guidelines, fraud risk assessment at the level of operational programmes). In addition, Croatia adopted in October 2021 a “Strategy for the Prevention of Corruption for the period 2021 – 2030”, which set strategic goals in the field of the fight against corruption for this period. One of the 95 measures elaborated in the Action Plans specifically referred to “Further strengthening of the framework for prevention of irregularities and fraud in the institutional framework for the implementation of ESI Funds”.

Italy’s NAFS was updated in November 2021 and communicated to OLAF in December 2021. The AFCOS collaborated with all the competent institutions to revise not only the strategy’s content, but its duration, by extending it to overlap with the resources available from the long-term EU budget and NGEU, and the evolution of the new potential risks of economic illegality (associated with the increasingly extensive use of specially developed IT tools). The Italian AFCOS circulated a questionnaire across all its affiliated institutions to ascertain what measures had been adopted, or were being implemented, to deal with the new risks of fraud linked to the pandemic and strengthen the prevention and fight against corruption, fraud, conflicts of interest, the risk of double funding, and the possible infiltration by organised crime. Measures included a greater collaboration between managing and control authorities, an increase in IT security, a better interoperability of the multiple existing databases, and a more effective use of technological tools.

Cyprus had not adopted a national anti-fraud strategy at the time of reporting. It noted however that it had put in place a national anti-corruption strategy and that its parliament had recently approved a law establishing an Independent Authority against Corruption.

Latvia’s NAFS was adopted in May 2020 to cover the period 2020-2022. It included mostly horizontal activities related to all the funds covered by the AFCOS Network – including the RRF - and all the new risks and circumstances could be taken into account when implementing these activities. An evaluation of the implementation of the strategy would take place in the beginning of 2023, based on which the scope and activities of the following NAFS would be decided.

Luxembourg reported that its NAFS had been drafted and was currently under internal review.

Hungary adopted a national anti-fraud strategy for 2021-2027, signed in August 2021 and transmitted to OLAF in February 2022. The strategy was complemented by a sectoral RRF Anti-Fraud Strategy, adopted by the Head of the National Authority. The COVID-19 crisis was assessed in Hungary’s annual fraud risk analysis.

Malta finalised the update of its 2008 NAFS, which it had communicated to OLAF, in 2021. It included 23 action points related to the strengthening of the fight against fraud and corruption, three of which were also included as milestones and targets under its RRP. It noted that the strategy would be reviewed at regular intervals to reflect new risks linked to the COVID-19 crisis and the RRF.

Portugal adopted a sectoral anti-fraud strategy for 2014-2020, drafted by the Inspectorate-General of Finance (IGF) in its capacity as audit authority and AFCOS for European funds. The strategy was currently under review, to account for the results of the audits conducted during this period and the new key fraud prevention requirements under the new EU regulatory framework 2021-2027. It would be communicated to OLAF as soon as the update was concluded. The IGF further noted that it carried out a targeted audit of the anti-fraud measures adopted by the managing authorities of cohesion policy funds, considered by the Commission to be a pioneering example of best practice, and the update was ongoing.

Romania planned to adopt a NAFS at the end of 2022.

The 'National Strategy for the Protection of the European Union’s Financial Interests in the Slovak Republic’, dating from 2015, was last updated in June 2019. The reporting authority noted that it was aware of the need for an update in order to address new challenges in the area of the protection of the EU’s financial interests, but that an exact timeline for the update had not been determined yet.

1.5.Revenue

The Commission provided the following questionnaire to the Member States with regard to addressing the second recommendation:

Q.3 Have you assessed the risks and shortcomings of the national customs control strategies revealed through the COVID-19 pandemic and reported lessons-learned and remedial measures taken in order to a) improve flexibility for the type of custom checks; b) diminish the potential impact of unexpected future events; and c) ensure the implementation uniform controls within the EU?

If you implemented fully the recommendation, can you share any specific findings of your assessment? Can you share examples of lessons-learned you have reported? Can you please indicate what remedial measures have you taken to a) improve flexibility for the type of custom checks; b) diminish the potential impact of unexpected future events; and c) ensure the implementation uniform controls within the EU? Can you specify any outcomes of the remedial measures you have implemented?

If you implemented partially the recommendation, could you please explain why you think it was a partial implementation and why a full implementation was not possible? Can you indicate at what stage you are currently in the implementation of this recommendation? Can you specify any outcomes of measures adopted so far? Can you indicate any future measures you will implement to achieve full implementation?

If you did not implement the recommendation, could you please explain why?

Q.4 Have you assessed the financial risks that might not have been sufficiently addressed during 2020 and have you established catch-up plans for carrying out appropriate customs checks where due to confinement measures such customs checks had to be cancelled or postponed e.g. checks at operators’ premises and physical checks before releasing goods into free circulation?

If you implemented fully the recommendation, can you please share any findings of your assessment? Which outstanding financial risks have you identified? What measures have you foreseen to address these risks? Can you please give examples of how you plan to catch-up on carrying out appropriate customs checks that had to be cancelled or postponed due to confinement measures? Have you already established a timeline for doing so? What types of checks have you foreseen? Have you anticipated the possibility of recurrent confinement measures and, if so, how have you addressed this in your plans?

If you did not implement the recommendation, could you please explain why?

The table below represents the overall results of the implementation of each question corresponding to the Commission’s recommendations.

1.5.1.Assessment of the national customs controls strategies

Member States were asked whether they had assessed the risks and shortcomings of the national customs control strategies revealed through the COVID-19 pandemic and reported lessons-learned and remedial measures taken in order to a) improve flexibility for the type of custom checks; b) diminish the potential impact of unexpected future events; and c) ensure the implementation uniform controls within the EU. In continuation, they were asked to share any specific examples of such measures or, where applicable, justify the lack of such measures.

Sixteen 25 Member states fully implemented the recommendation and assessed the risk and shortcomings of their national customs strategies, four 26 did so partially, and six 27 did not implement the recommendation.

In Belgium, FPS Finance (Customs and Excise) reported that during the COVID-19 restrictions it prioritised certain risk areas, as its audit capacity was limited. For example, in certain regions, it controlled primarily goods such as facemasks and other COVID-related items. Although, overall, its capacity to carry out documentary checks increased during the pandemic, owing to increased telework, modifications of the type of control were not always allowed and physical checks remained mandatory for certain risks/fraud mechanisms. FPS Finance concluded that a larger number of selections than normal remained unchecked.

Bulgaria referred to the Union Customs Code and the legal requirement that each Member State had to establish its own customs risk management procedures based on specific characteristics and available information. Consequently, customs authorities would have had to carry out risk management to differentiate the levels of risk associated with goods subject to customs control or supervision and to determine whether and where the goods would be subject to special customs controls.

Czechia reported that the Customs Administration did not have to cancel or postpone any post-release controls in connection with the COVID-19 pandemic. The only change was in terms of the manner in which controls were carried out, to account for restrictions to the freedom of movement of persons and limit contact with the persons inspected. Specifically, in-person meetings were often replaced by sending correspondence, such as summons and presentation of documents. Additionally, customs authorities extended the time limits set out in the documents accordingly. These modifications were reflected in a slight increase – in terms of days - in the average length of post-release controls.

Denmark specified that the Customs administration had to cancel only 14 controls during the COVID-19 pandemic, of which only two had a financial impact and were subsequently assessed as releasable without further control. The other 12 controls were either random or regarding hazardous, dangerous, or illegal goods.

Germany reported that the organisational measures and targeted resource management during the COVID-19 pandemic ensured that customs offices operated properly and efficiently. For example, a ‘cohort principle’ and telework were introduced to protect staff; electronic customs declarations were processed with the interoperable computerised clearance system “ATLAS”; and support staff were flexibly relocated to vulnerable areas. The focus during this period was on the speedy clearance of COVID-19 protective equipment, for example via the use of a special code in the customs declaration so that such goods were processed directly and as a priority.

Overall, Germany concluded that the protective measures instituted against COVID-19 affected the activity of the Auditing Service during 2020, in particular by increasing the time required to carry out audits. Consequently, audits mainly focussed on parties with high-risk potential and checks were performed remotely or at customs offices instead of the economic operators’ premises. This was facilitated by the recognition of digital documents and the exchange of documents as PDF/scan by e-mail where this was legally possible, with the subsequent transmission of the original documents as required. In addition, for a limited period of time, medium risk operations were suspended to reduce the number of controls that were not absolutely necessary and ensure a smooth flow of COVID-19 equipment.

Estonia reported that all controls were implemented as foreseen and that it had prioritised safety controls of COVID-19 personal protective equipment.

Ireland reported that the government had designated Customs an essential service and therefore its staff continued to work at ports, airports, and approved premises, which remained fully operational throughout the COVID-19 pandemic. Due to the reduction in passenger numbers additional resources could be directed toward clearance checks such that performance levels were not affected. Safety measures such as the use of PPE, social distancing, team bubbles, and remote working where possible were introduced to protect customs officers and traders and minimise the impact of a potential COVID-19 outbreak. Flexible controls allowed traders, for example, to submit scanned copies of documentation rather than the original for clearance checks, with the requirement that trade retain the originals.

Greece’s Independent Authority for Public Revenue (Directorate-General for Customs and Excise) reported that controls on COVID-19 related items were increased and staff were given appropriate instructions to protect themselves, and the customs services, against the risk of COVID-19 during checks. Continuous feedback from the “first line” services led to adjustments of the measures in order to achieve the necessary flexibility of customs controls.

In Spain, the Tax Agency, responsible for customs controls, noted that the recommendation was impossible to fully implement, because the diversity of effects of and responses to COVID-19 across Member States would make it impossible to adopt national measures to ensure uniform controls within the EU. The Tax Agency nevertheless indicated that the effects of the COVID-19 pandemic had not been significant for its customs control strategy. It noted that the containment measures adopted at EU level led to a radical reduction in international trade, which largely compensated for the difficulty/impossibility of carrying out certain controls. The Agency added that the main effect was in terms of physical customs controls and inspecting operators’ premises, but that overall the need for such controls had been much lower because of the reduction in imports.

France reported that because of the reduced number of in-person staff in favour of teleworking it had to adjust physical controls on traditional own resources (TOR) and that national targeting in this area focused on the EU requirements for handling mutual assistance cases linked to the protection of the EU’s financial interests. Local targeting focused on new operators and those who had changed their trading or supplies during the crisis. Priority was given to documentary checks.

With respect to future crisis management, France referred to the need to review business continuity plans to develop the capacity to redistribute missions to handle exceptional situations. In order to be able to conduct customs missions during new crises, it was important to strengthen the capacity for anticipation and response by defining crisis governance and crisis steers at central level and in devolved services. It was also considering possibilities to assert the role of customs vis-à-vis its external partners and to strengthen inter-ministerial and European partnership synergies.

Croatia reported that no changes had been made in terms of the flexibility of customs checks beyond additional protective equipment for customs officers. Where applicable, control checks were less frequent in order to minimise the exposure of customs officers to COVID-19. Nevertheless, custom authorities made no exceptions for financial risks and all controls were conducted during the release for free circulation, in line with the National Health Administration’s recommendations regarding the COVID-19 pandemic.

Italy noted that priorities for the control of financial risks had been defined more restrictively because of diminished organisational capacity and availability of human resources during the COVID-19 pandemic. In this context, the Customs and Monopolies Agency prioritised high-impact financial risks, as these could not have been managed properly in post clearance controls. This led to a focus on cases in which there was an elevated risk or a high probability of fiscal evasion, the possible disappearance of a subject, or on cases in which the inspection of goods constituted a crucial factor in mitigating the risk. Mid and low level financial risks were addressed with post clearance controls, submitting the declarations to a document review (without physical interaction with the economic operator).

Cyprus reported that the Department of Customs and Excise implemented a series of measures to counteract the impact of the COVID-19 pandemic on customs controls and to ensure the implementation of uniform controls within the EU, aligned with the guidelines prepared by DG TAXUD in collaboration with Member States. Specifically, economic operators in whose case controls showed no irregularities over a certain period of time were excluded from certain profiles and control officers had the leeway to decide not to pursue controls in duly justified circumstances, with the approval of the District Senior Customs Officer. Control officers also had the option to pursue physical controls in cases where they were dissatisfied with the documentary control of declarations that had been selected via the risk profiles included in the national systems. In addition, the national systems enabled some profiles to select a percentage of specific declarations for control.

The authorities reported that even though the shift to remote work was sudden the flexibility implemented, particularly in terms of staff adaptability and the use of technology to produce reliable analytical reports for controls, ensured that the quantity and quality of customs controls remained unaffected. To account for the effects of unexpected future events, the Department of Customs and Excise started to restructure its customs information systems to better monitor customs facilities and perform targeted controls through the collection of data in a user-friendly manner. A new integrated information system, which will enable authorities to communicate better with the customs departments of other Member States and organisations and contribute toward the uniformity of controls within the EU.

Latvia reported that no systematic changes were made to the implementation of control measures, which had taken into account international risk information, including the activities identified in OLAF's mutual assistance reports for each Member State. It mentioned that feedback on control results and risk assessment was always provided in response to OLAF reports. In respect of post-release checks, the authorities implemented an analytical solution in the SAP HANA platform, which was under development to enable the selection of customs declarations for post-clearance inspections. At the time, it had the capacity to assess the level of risk associated with declarations and commodities and select declarations with the highest possible financial risks for inspection.

Lithuania reported that the assessment of the risks and shortcomings of the national customs control strategies was taken into account when drawing up the annual plans for Post-Release Audits (PRAs) and other types of post-release controls. It observed that, during the COVID-19 pandemic, the number, scope, effectiveness, and results of PRAs and other types of post-release controls were similar to and even higher than in previous years. Inspections were more flexible and control methods were modified, while the lack of physical checks was largely offset by the increased use of analytical tools and methods.

Furthermore, Lithuanian customs observed strict protective measures when carrying out controls of vehicles and passenger items and cargo vehicles, with minimal personal contact where possible. Nevertheless, standard physical inspections were maintained for cases with high risk of violations, as determined by risk analyses, and reinforced controls were introduced for goods used to combat the COVID-19 pandemic, especially personal protective equipment. Overall, the authorities noted the lessons learnt in terms of managing high cargo flows with limited human resources and developing techniques to react to and manage emerging threats.

Luxembourg reported that it had carried out a thorough analysis of the customs clearance controls performed during the period of COVID-19 restrictions (16/03/2020 – 24/05/2020). It found, as it had expected, that approx. 24% fewer physical controls were performed overall, approx. 22% fewer in the specific area of financial risks, and that more documentary controls were carried out overall compared to the same period in 2019. Luxembourg anticipated limitations concerning physical controls and focused on the risks of substandard, dangerous, or counterfeit goods related to COVID-19, such as protective or medical equipment. It emphasised, however, that no risk profiles were overlooked during this period. Overall, controls were conducted with the necessary flexibility, by relying on more documentary and post-clearance checks, and in line with EU guidelines, which also ensured the implementation of uniform controls. The lessons learnt would be incorporated into a risk mapping, which should serve as a crisis-management tool to support priority setting and diminish the impact of unforeseen events in the future.

Hungary reported that it instituted, beginning with March 2020, transitional measures to make the types of customs controls more flexible in view of the COVID-19 outbreak. The National Tax and Customs Administration (NTCA) reorganized its core tasks to ensure continued operation and the protection of staff, introducing telework and management rotation, and identified measures and controls that could be cancelled or postponed for the duration of the pandemic. Resources were first directed toward what the administration categorised as ‘primary tasks’, which ensured the continuous operation of the supply chain, economic security, and public safety, among which inspections for high-risk customs operations and for products subject to prohibitions and restrictions, export authorisations, and processing client request where physical presence was not needed. The remaining resources were then focused on ‘secondary tasks’, such as inspections in cases of medium-level risk, post-release and on-the-spot checks, and in-person interviews. Specific measures were implemented to increase the flexibility of post-release controls, primarily by relying on remote, digitally conducted audits whenever possible, to protect staff. On-the-spot checks were carried out only where strictly necessary, with strict sanitary protocols in place. The Hungarian authorities identified the digitalisation of controls and telework to ensure effective controls as strategies to reduce the potential adverse effects of future incidents.

Malta specified that customs control strategies during the pandemic did not have any particular impact on the Department’s operations at the border and physical controls were in line with pre-pandemic levels. Risk-profiles, based on information received, inter alia, through RIF Alert, were nevertheless updated regularly.

The Netherlands reported that it did not assess the shortcomings of its national control strategy explicitly, but that these aspects had been indirectly addressed in its handling of the COVID-19 crisis. It identified and prioritised to the extent possible several vital customs processes, such as physical surveillance activities at sea ports and airports and the processing of transactions to levy and collect import duties and excise duties, including providing information to businesses. Overall, the Dutch Customs scaled down the level of enforcement only to a limited extent, while risk-based checks were carried out fully throughout this period. Random checks and checks for risk detection were not carried out for a period of approximately three weeks, to prioritise the safety of staff.

‘COVID-19 protocols’ were implemented to ensure the continuity of controls. For example, for administrative checks, Dutch custom authorities agreed with companies to share documents electronically in a secure environment or by email and interviews were held via a conference call or via Webex. Additional substantive checks were also carried out entirely digitally. Specifically for ship inspections, shore-based observation and enhanced surveillance replaced physical controls on board in the beginning of the pandemic.

To anticipate future lockdown situations, the Dutch authorities drew up a protocol for the scaling-up and scaling-down of the level of enforcement of customs checks. Furthermore, they developed a new system for sharing crisis information – the National Crisis Management System – that includes all functionalities necessary in a crisis to swiftly collect and share information with internal and external parties.

Poland’s National Revenue Administration reported that the impact of the COVID-19 pandemic on the capacity to perform pre-release controls was low. Measures taken to increase the flexibility of customs controls included intensifying controls on security and safety risks and maintaining control levels on high-risk customs declarations, while temporarily reducing the levels of reservations in customs declaration acceptance systems for other risk areas. For post-release controls, the Revenue Administration ensured the continuity of tasks by implementing strict sanitary protocols and relying on documentary inspections that were carried out at the office’s premises instead of the operators’.

With respect to the possible impact of unexpected future events, the Polish authorities assessed that it would be possible to use automatic risk analysis to intensify checks on customs declarations in specific risk areas while lowering the levels of control in lower priority areas. To ensure the implementation of uniform controls within the EU, measures included the harmonisation of pre-release controls in the area of risk of undervaluation covered by the EU Reference Price System and the introduction of two-step checks in this area, whereby requests for post-release controls at importers’ premises could be requested where the results of pre-release controls were suspicious.

In terms of the results of the measures implemented during the pandemic, Poland referred to the Commission’s Customs Union Performance (CUP) draft report for 2020, which showed that the number of import declarations increased by 10 % and the control rates in standard declarations and the levels of effectiveness of these controls were close to or higher than the levels achieved in 2019.

Portugal reported that the Authority for Tax and Customs continuously monitored, supervised, and controlled the supply chain of COVID-19 related goods during the course of 2021, as it had been the case in 2020. It assessed that its activity helped facilitate the flow of legitimate and essential goods, protect the citizens against unsafe, unlicensed or substandard goods and at the same time, protect the financial interests of the EU and European companies. The authority implemented a series of risk profiles across entry, import, and control systems, which facilitated supervision, profiling, targeting, and control. Customs experts’ work included the responsibility to immediately share intelligence, risk information, alerts, and general knowledge throughout all regional and local customs offices.

In Romania, the Directorate for Customs Supervision and Inspection asked the regional customs directorates to carry out specific risk analyses and select, for post-clearance checks, customs declarations for the release into free circulation of goods intended to combat the effects of COVID-19 and likely to contain incorrect data. It accounted for the urgent need for customs formalities for goods related to the management of the COVID-19 pandemic and the introduction of measures to prevent and combat criminal activities. The National Agency for Fiscal Administration approved a customs action plan for medical devices, health supplies, and medicines for the prevention and treatment of conditions relating to COVID-19.

Slovenia referred to the Customs Action Plan, which ensured uniform controls within the EU and defined priorities for 2022-2023, and reported that due to the particular circumstances around the COVID-19 pandemic some associated actions could not be finalised within the schedule. As a result, actions from the current action plan that would not be concluded until the end of June 2022 and needed to be continued would be transferred into the 11th LEWP Custom Action Plan.

Slovakia noted that the period during which physical checks could not be carried out was relatively short and all cases during that time were submitted to post-release checks.

Finland noted that they had not observed any special risks that affected controls. The checks at operators’ premises were replaced with documentary controls and video conferences and, in its assessment, the change of control type did not affect the results.

Sweden reported that, due to existing contingency plans in the form of steering and supporting documents, Swedish Customs were able to react rapidly and adapt their organisation when the flow of goods changed as a result of the COVID-19 pandemic. It noted that Swedish Customs work in accordance with EU recommendations concerning customs controls.

1.5.2.Assessment of the financial risks insufficiently addressed during 2020

Member States were asked to report whether they had assessed the financial risks that might not have been sufficiently addressed during 2020 and if they had established catch-up plans for carrying out appropriate customs checks where due to confinement measures such customs checks had to be cancelled or postponed e.g. checks at operators’ premises and physical checks before releasing goods into free circulation.

Sixteen 28 Member States answered that they had fully implemented the recommendation, three 29 partially implemented, and seven 30 did not implement; they also provided details concerning the types of risks they had identified and compensatory measures for checks that had to be cancelled, some of which are summarised in this section.

Belgium reported that declarations with a high potential financial impact, which could not be checked in 2020, were analysed a posteriori and the riskiest ones were controlled post-release. It mentioned that it was not, however, possible to include all selected but unaudited declarations for a posteriori control due to the limited capacity in the second line (post - release). The General Administration of Customs and Excise was considered an essential service during the crisis and critical controls continued to be carried out subject to some operational adjustments.

Bulgaria reported that customs authorities assessed the newly emerging risks and updated their actions to control risky goods, operators or events in the context of the introduction of COVID-19 containment measures. They put in place risk profiles that identified risky goods that may not have met established standards — masks, protective clothing, disinfectants, tests - and risky companies entering the EU with substandard goods. The flexibility of customs controls was improved by introducing additional controls to identify financial risk events. It noted that improving customs controls, mitigating possible negative consequences of unforeseeable events, and ensuring consistency in the application of customs legislation was a constant priority for the administration.

Germany considered that all financial risks were sufficiently addressed, as the appropriate measures had already been taken in 2020.

Estonia reported no changes in custom control practices due to the COVID-19 pandemic and assessed that all controls were implemented as foreseen.

Ireland referred to its multi-faceted risk focussed Customs annual compliance program that underpinned compliance with EU and national Customs legislation. The program combines frontier controls at clearance, both physical and documentary, with a post-clearance program ranging from single aspect checks to Customs audits. It identifies cases for both pre-clearance and post-clearance using sophisticated electronic risk assessment, including risks identified during both pre and post-clearance checks, and risk profiling tools. Ireland further reported that clearance checks were temporarily suspended for approximately three months in the beginning of the pandemic, but that no specific risks associated with the pandemic were identified in either pre or post clearance checks. Consequently, no controls targeting pandemic issues were pending. It noted however that the overall customs control and monitoring framework was dynamic and the national compliance program would be adapted to ensure it addressed any potential new risks.

The Greek Independent Authority for Public Revenue (Directorate-General for Customs and Excise) reported that it identified no fiscal risks that had not been sufficiently addressed. Customs authorities prioritised controls according to established risk profiles drawn from the risk analysis system.

The Spanish Tax Agency referred to its annual tax and customs controls plan, which covered all companies to be controlled and complemented the controls prior to customs clearance. The plan covered the risks related to the difficulties of carrying out controls under the restrictions imposed by COVID-19 sanitary measures. It noted that physical inspections during pre-clearance customs controls were maintained in areas in which such control was essential.

France reported that during the COVID-19 crisis inspections associated with traditional own resources were maintained where mandatory, in particular as a result of mutual assistance cases or where they could only be carried out in the form of a documentary check. In addition, authorities requested that ex-post controls take into account the difficulties faced by companies in the context of the lockdown. To this end, the scope of requests for disclosure of documents had to be clearly defined. As part of the three-phase recovery plan, the documentary checks at the time of clearance were intended to prepare for ex-post controls. A specific inspection campaign was put in place to verify compliance with the obligations relating to exemption entitlements.

Croatia reported that there had been no exceptions in addressing financial risks, as all of the detected ones were checked during the release of goods into free circulation.

Italy’s Customs and Monopolies Agency reported that financial risks faced during 2020 had been managed adequately by the Italian system of risk management. There were no control activities leading to invalidation. Post-clearance controls (ex officio or at the economic operator’s request) were based on documentary evidence requested from economic operators. In addition, ex-post inspections were carried out to ensure that EU measures of exemption from import customs duties had been correctly applied for goods aimed at fighting the effects of the COVID-19 pandemic.

The Department of Customs and Excise in Cyprus assessed that it was able to carry out all necessary checks during the period of confinement triggered by COVID-19, but noted that it had prioritised controls related to security and safety risks linked to it. In this respect, the department reported that the high demand for personal protective equipment during the pandemic led to an increase in IPR infringements for these types of products and the production of non-compliant goods.

The Latvian Customs Administration developed a risk management policy and produced annual reports on the effectiveness of its customs risk management system, accompanied by plans for risk mitigation measures for the coming year. This included setting levels of specific financial risks based on potential impact and probability, and planning appropriate control measures. It concluded that the risk mitigation measures in 2020 were implemented in accordance with the prepared plans, set priorities, and international risk information and guidelines, and therefore no compensatory measures were required.

Lithuania reported that the number, scope, effectiveness, and financial results of post-release audits (PRAs) and other kinds of post-release controls during the COVID-19 pandemic years were similar to and even higher than in previous years. There were no cases when, due to confinement measures, PRAs or other customs controls were cancelled or postponed for an unacceptable period and therefore there was no need to develop catch-up plans.

Luxembourg referred to the results of its analysis of the customs clearance controls performed during the period of COVID-19 confinement (16/03/2020 – 24/05/2020) and noted that the report allowed the identification of customs declarations selected for control at clearance stage by electronic risk profiles, including financial risk profiles. The analysis showed that all financial risks had been addressed, at least by documentary control. By indicating amongst other elements the type of control, i.e. physical or documentary, as well as control results, the report served as a basis for the planning and focusing of post-clearance controls. A “safety-net” for any shortcomings in terms of customs controls would become part of the risk mapping mentioned under Q3.

Hungary reported that it did not need to establish any catch-up plans since the customs authorities did not have to cancel or postpone checks because of COVID-19. Inspections of the premises of economic operators took place where necessary, in consultation with them and respecting sanitary conditions. It noted, however, that the post-clearance verification of the conditions for the exemption from customs duty for protective equipment related to the virus represented an additional burden for the directorates concerned.

Malta reported that all planned controls and checks were conducted on time, prior to release into free circulation, which therefore eliminated the emergence of possible financial risks due to lack of planned customs controls.

The Netherlands reported that it did not scale down at all the level of enforcement with respect to financial risks. Random checks and checks for risk detection were only scaled down for a short period of approximately three weeks. In terms of financial risks, it underlined that in 2022 administrative checks would focus on the original documents of origin, as companies were allowed to provide copies of these documents during the initial phase of the crisis. In addition, authorities continuously prioritised COVID-19 protective equipment with the exemption code C26.

Poland noted that no physical checks carried out before goods were released into free circulation had to be cancelled or postponed due to restrictions on movement. Similarly, no checks at the premises of operators had to be cancelled or postponed for post-release controls. Consequently, it was not necessary to establish supplementary plans for carrying out the checks in question.

Portugal referred to specific methodologies that were designed and implemented for audits and other controls when checks on site (at economic operators’ premises) cold not take place. Level one checks were carried out by relying on the information available on the tax and customs authority’s systems - concerning accounts, movements of goods, stocks in warehouses, internal sales/purchases, intracommunity information on sales and acquisition of goods and services - as well as open sources, to prepare for future checks at economic operators’ premises. It noted, however, that services at border and customs offices were always delivered physically, even during the hardest times of the pandemic.

Romania reported that during 2020 the authorities controlled companies that released into free circulation goods necessary to combat the effects of the COVID-19 pandemic and that benefited from relief from customs duties and from import VAT exemption. Related risk analyses were carried out at regional and local level, including the selection of customs import declarations.

Slovenia specified that in the first half of 2020, a number of post-release controls were postponed due to the lower availability of taxpayers due to the COVID-19 epidemic and no checks were carried out at the headquarters of companies. However, these postponed controls were resumed in the second half of 2020 and an appropriate number of ex-post controls were carried out on an annual basis.

Slovakia reported that physical inspections of goods were carried out, in full compliance with COVID-19 hygiene measures, as soon as checks were possible again. It noted a lower number of reported irregularities (fraudulent and non-fraudulent) compared to previous years, due to the overall decrease in the import volume caused by the COVID-19 pandemic.

Finland noted that the number of controls before releasing goods into free circulation was the same as in the previous year and did not have to be replaced with post-clearance controls. Audits and post-clearance controls were carried out according to the audit plan. Auditors inspected documents or electronic material in their offices and had video conferences with companies; they visited premises only if necessary.

Sweden reported that the pandemic did not affect, from an operational perspective, the Swedish Customs’ capabilities in terms of profiling, risk-assessment and intelligence operations. The organisation was never in lockdown, staff absenteeism was not critical, and the adaptation to telework was quick and not affected by the circumstances.

1.6.Expenditure

The Commission provided the following questionnaire to the Member States with regard to addressing the third recommendation:

Q.5 Have you launched targeted risk management exercises linked to the impact of COVID-19 and the upcoming implementation of the Recovery and Resilience Facility?

If you implemented fully the recommendation, can you please describe what type of exercises have you launched? Can you share any specific findings of such exercises?

If you implemented partially the recommendation, could you please explain why you think it was a partial implementation and why a full implementation was not possible?

If you did not implement the recommendation, could you please explain why?

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

If you implemented fully the recommendation, can you indicate how this was achieved? Could you indicate which new data collection methods you have introduced and/or how you have improved existing ones? Could you indicate which measures you have implemented to improve the usage of data? Could you specify how these measures strengthen the existing framework for data collection and usage? What measures have you put in place to ensure the quality and reliability of data? Can you share any specific findings in relation to these measures? Has the quality and reliability of data, including those concerning detected irregularities, increased or remained stable overall?

If you implemented partially the recommendation, could you please explain why you think it was a partial implementation and why a full implementation was not possible? What was the outcome of the procedures you have introduced so far?

If you did not implement the recommendation, could you please explain why? Could you explain how your current framework already ensures high quality and reliability of data?

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

If you implemented fully the recommendation, can you indicate whether it is already fully or partially operational? By when will it be fully operational? Add any useful detail to explain the state of play.

If you implemented partially the recommendation, could you please explain why you think it was a partial implementation and why a full implementation was not possible? To what extent will the use of the system cover the RRF and the programmes for the programming period 2021-2027?

If you did not implement the recommendation, could you please explain why?

The table below represents the overall results of the implementation of each question corresponding to the Commission’s recommendations.

1.6.1. Targeted risk management exercises linked to COVID-19 and the RRF

In response to the Commission’s recommendation that Member States launch risk management exercises linked to the impact of COVID-19 and the implementation of the RRF, eleven 31 Member states reported that they had fully implemented it, eleven 32 partially implemented, and four 33 did not implement the recommendation.

In Belgium, the Brussels-Capital Region ERDF Programme Management Authority set up a targeted risk management exercise for the implementation of the RRF, fully implementing the recommendation. It deployed a system for detecting, preventing, and sanctioning serious irregularities (fraud, corruption and conflicts of interest) among the projects selected. Project managers participated in collective and individual trainings on the specifics of their projects in terms of irregularities. Project fiches were drawn up for each project containing all the information project managers are required to send periodically to ensure there are no irregularities. It therefore assessed it fully implemented the recommendation.

In addition, Belgium’s ERDF Wallonia authority reported partial implementation. It noted that the main COVID-related risks concerning ERDF expenditure were covered by the existing control systems and subject to the same requirements. Specifically for the RRF, the authority would carry out risk management exercises in the very near future and would audit the management and control system before the first payment request to the Commission. Notably, an inter-federal monitoring committee was set up to coordinate the work of the various RRF stakeholders, including in terms of anti-fraud strategy.

Bulgaria carried out an assessment of the risks related to the COVID-19 pandemic, including the lack of sufficient time for verifications, less rigorous controls by managing authorities in general and reduction of on-the-spot checks, poor communication during teleworking, and pressure for speedy payments for measures financed in response to the COVID-19 crisis. As a result, the audit methodology for project verification and contractor selection procedures were adapted, as well as the methodology for verifying compliance with state aid rules.

In relation to the risk management of the implementation of the RRF, in 2021 the Bulgarian National Fund Directorate - the RRF central coordinating unit – circulated a questionnaire to help the structures responsible for the implementation, monitoring, and reporting of the Recovery and Resilience Plan (RRP) assess their internal financial management and control systems, including administrative capacity, in order to identify areas that needed to be strengthened. Additionally, the draft management and control system for the facility required the National Fund Directorate and each monitoring and reporting structure to conduct a fraud risk assessment to identify effective and proportionate anti-fraud measures concerning the investments it monitors. It covered risks and restrictive controls in three key areas — selection of proposals to implement investments, implementation of investments and public procurement – and would be implemented after the launch of the RRP and the implementation of its management and control activities.

Czechia reported full implementation concerning COVID-19 and partial in reference to RRF. The National Coordination Authority (NCA) identified several risks in connection with the impact of the COVID-19 pandemic, including the non-eligibility of expenses, delays in supply and suspension of some activities financed from ESI funds due to force majeure, and not meeting project objectives. In response, the NCA in cooperation with the Ministry of Finance prepared methodological instructions on the eligibility of expenditure and preventive measures due to force majeure, which the managing authorities implemented by, for example, adjusting the implementation time schedule or the range of project activities. The managing authority of national programmes in the area of home affairs (i.e. ISF and AMIF) continued its standard yearly risk analysis, which included risks linked to the impact of COVID-19, both on the level of programmes and supported projects. As a result, it adopted measures to mitigate such risks and provide more flexibility to beneficiaries (e.g. providing remote services) to successfully complete these projects, while focusing on the audit trail.

In relation to the implementation of the RRF, the NCA categorised component owners into one of three ‘readiness’ groups – most, medium, and least prepared - based on an assessment of the opportunities and risks/uncertainties of implementation that included its management and control system. The least prepared groups took action to address existing deficiencies. Among the most common risks identified were the setup of the information system for data collection or project intake and staff capacity. The NCA noted that the assessment only reflected initial risks and expected that these would continuously change as implementation progressed (e.g. unavailability of certain materials, extending delivery times).

Denmark reported that the different bodies that were executing the projects under the RRF were included in an assessment regarding project-specific risks and resulting controls. Furthermore, auditing would be based upon an overall risk assessment for every project conducted by the responsible bodies.

Germany reported that no new targeted risk management was to be introduced with regard to the impact of COVID-19 on the federal ESF programme. However, the ESF managing authority was planning to examine and include possible new risks arising from the COVID-19 pandemic in its next self-assessment.

ERDF Berlin concluded that there was no need to reassess, in the context of the COVID-19 pandemic, the risk of fraud related to measures under the ERDF operational programme for Berlin. Its review considered, in particular, the relaxations introduced as part of the adjustment of the legal framework in connection with the Corona Response Investment Initiative (CRII and CRII+), the temporary framework for state aid and simplifications in public procurement. Similarly, the Bremen ERDF Management Authority did not implement any additional targeted risk management exercises. However, one of the intermediate bodies, the Bremer Aufbau Bank (BAB), launched control mechanisms for COVID-19 financial aid. ERDF Lower Saxony relied on its own systems, which it considered sufficient. ERDF Rhineland-Palatinate reported that it was not directly affected by the implementation of the RRF in the ERDF, but that it had coordinated the new ERDF OP with the Federal Government’s recovery and resilience plans (DARP) and, as part of the ERDF approval process, carried out crosschecks with the beneficiaries of special COVID-19 aid.

Estonia reported that in the autumn of 2020, at the start of its annual risk assessment exercise, the ESIF Managing Authority (State Shared Service Centre) held a workshop focused on the potential impact of the COVID-19 crisis, both in terms of finances and action indicators; it aimed to map, assess, and identify possible risks. Managing authorities used risk assessments in their day-to-day controls to inspect the costs of COVID-19 (e.g., procurement of medical supplies and vaccines, vaccination costs), in conformity with the required two-level checks of procurements. Concerning measures for the reimbursement of vaccination costs, the managing authority validated the control procedures of the beneficiary (Estonian Health Insurance Fund) to guarantee the effectiveness of their controls and performed additional random checks.

When implementing the RRF the respective ministry, as the developer of the measure, was obliged to assess possible risks in the project implementation in the following categories: double funding; target group risks, including fraud and conflict of interest; state aid, and ensuring competition. In addition, an annual assessment of cross-administrative risks was carried out in the context of all external instruments implemented – for example, in 2021 Estonia assessed the RRF risks, the 2014-2020 period, the 2021+ period, and the Norwegian / EEA risks together.

Ireland noted that its current focus was on implementing the projects in the National Recovery and Resilience Plan in compliance with the RRF regulation.

The Greek Financial and Economic Crime Unit reported that it increased controls of undertakings marketing critical products for the management of the COVID-19 pandemic, such as antiseptic solutions and surgical masks, to ensure that products that did not meet the necessary specification and posed a threat to public health did not enter the market. The Financial Audit Committee (Audit Authority) noted that the operations/sub-projects addressing the consequences of the COVID-19 outbreak constituted a separate stratum per fund in its audit strategy, because the risk associated with these operations was different from the other operations. In addition, it drew up specific instructions concerning the audit of these operations/subprojects, aimed at risks related to, among others, the eligibility of expenditure, on-the-spot verifications, and public procurement procedures.

Concerning the National Recovery and Resilience Plan (NNRP), the Greek Audit Authority reported that it adopted an initial audit strategy in October 2021, focused on aspects such as specificity, value, materiality and retroactivity of NRRP actions. The authority noted that the strategy would be updated and more specific planning based on risk analysis for audits related to the RRF would be reflected in its 2022 report.

Spain referred to the Recovery, Transformation, and Resilience Plan Management System, which introduced the obligation that the entities responsible for the implementation of the Recovery, Transformation, and Resilience Plan carry out fraud risk assessments of the activities they undertook. However, given the date of the approval of the plan and the progress with its implementation, these evaluations were still under development. Concerning other EU funds, periodic evaluations of the risk of fraud were carried out, but included those associated with the COVID-19 pandemic only for certain programmes.

France’s ANCT, as coordinating authority, communicated to the managing authorities in March 2021 the European Commission’s recommendations concerning COVID-19 impact risk assessments, in a letter titled “Necessity to update fraud risk assessments and to adapt anti-fraud measures by the managing authority in the context of CRII/CRII + and REACT-EU measures”. These elements were clarified in a working group addressed to the internal control correspondents of the French managing authorities in May 2021.

Croatia reported that the risks associated with the COVID-19 pandemic were taken into account in the annual risk assessment of the Operational Programme Competitiveness and Cohesion 2014-2020, to which all bodies in the management and control system of the ESI funds participate. The findings showed an increased risk in relation to the extension of the deadlines for the submission of documentation by the beneficiaries and those for the grant award procedure. In addition, it identified the risk of an increased number of requests for contract changes in the implementation phase due to the circumstances caused by the COVID-19 pandemic. No information was yet available regarding risks associated with the implementation of the RRF.

Italy’s Agency for Territorial Cohesion reported that in 2020 it modified several operational projects in order to maximise the opportunities offered by EU structural funds that targeted needs arising, directly or indirectly, from COVID-19 emergencies. The Ministry for Sustainable Infrastructures and Mobility analysed, in December 2021, the impact of COVID-19 and related measures put in place to reduce the risk of fraud and concluded that the operational project it managed was exposed to a tolerable risk. The Ministry of Economy and Finance – DRGS IGRUE and the Agency for Territorial Cohesion issued "Operational guidelines for the Management Authorities and Audit Authorities for the execution of the verifications of their respective competence on the operations implemented to deal with the health emergency ". The document provided indications on the methods of controls in the new simplified regulatory context, in order to guarantee the legality and regularity of the operations in any case. In particular, it advised audit authorities to examine the composition of the population in order to obtain an appropriate sampling method and recommended the use of the stratification of expenses related to the COVID-19 health emergency.

Cyprus reported that it conducted separate fraud risk assessments concerning the implementation of the RRF and COVID-19 schemes, which accounted for all relevant risks associated with several key pillars: selection, implementation, verification, certification, payment, and procurement. All potential risks were identified and described, and controls were designed in order to mitigate the risks associated with each pillar. A specific action plan was put together to eliminate any material impact of any remaining risks resulting from potentially ineffective controls.

Additionally, it designed several other procedures to be implemented from 2022 onward. The Treasury of the Republic of Cyprus and the Directorate General Growth developed a circular to align national and EU measures for public procurement and ensure the prevention, detection, and correction of any possible suspicions of fraud or conflict of interest. Additionally, all procurement and grant schemes selection procedures above specific thresholds would be controlled for conflicts of interest, facilitated by the use of the Arachne tool and the Ultimate Beneficial Owner (UBO) national register. A modification of the applicable national regulation granted all European level audit and control bodies (OLAF, EPPO, ECA, EC) access to the UBO registers.

Several of Latvia’s ministries reported that they had carried out risk assessments concerning both the impact of the COVID-19 pandemic and the RRF. The Ministry of Finance informed that the risks of the Recovery and Resilience Facility (RRF) were evaluated and approved during a risk management group meeting held in 2021, during which it also assessed the impact of COVID-19 on human resources and capacity. At the end of 2020 the Ministry of Agriculture, which performs yearly updates of its risk register, assessed that the probability of manipulation of cost demands and delivery of non-compliant products had increased. In order to prevent possible fraud, the Rural Support Service performed remote controls and in suspicious cases carried out enhanced controls and, as far as possible, suspended the approval of payment claims until the situation improved. The Ministry of Environmental Protection and Regional Development identified the risk of increased supplies of non-compliant goods or unjustified changes to contracts and took corrective measures. It performed remote controls and, where there were doubts about the projects, carried out on-the-spot inspections when COVID restrictions were lifted. Finally, the Ministry of Welfare and the Ministry of the Interior informed that risk assessments included the impact of COVID-19 risk and that mitigation measures were identified accordingly.

Luxembourg informed that its Recovery and Resilience Plan contained an assessment of all relevant risks related to control systems and outlined the different actions to be taken to implement an adequate system that managed these risks. However, it noted that the plan included only a small number of projects, mainly linked to the digital and green transition, which were not specifically vulnerable to the impact of COVID-19 related risks and concluded that the specific risks related to COVID-19 were limited.

Hungary reported that its national legislation had to be amended as a consequence of the emergency measures associated with the COVID-19 pandemic, but that these measures were provisional. The impact of the COVID-19 crisis was included in the yearly fraud risk analysis and managing authorities would continue to address these risks at first level controls. The authorities identified no increased risk in the area of public procurement, as the derogations related to the state of emergency triggered by COVID-19 were not applicable in the case of EU development funds.

Concerning the RRF, it recalled that negotiations on Hungary’s Recovery and Resilience Plan (RRP) were still ongoing. It specified that Chapter 3 of the Plan would set out in detail all the planned control and audit activities to ensure that implementation risks would be mitigated and that funds would be used properly.

Malta reported that work on its risk register linked to the Recovery and Resilience Plan was in its final stages under the responsibility of the Planning and Priorities Coordination Division (PPCD). It specified that the foreseen measures would strengthen the internal control system by putting in place mitigation measures for the prevention, detection and correction of cases of irregularities, conflict of interest, corruption, fraud and double funding.

The Netherlands noted that the modalities for the implementation of the RRF were not sufficiently clear yet to complete a full risk management exercise, but that risk assessments would nevertheless be included during implementation. In respect of shared management funds, it reported that its assessments of COVID-19 related risks concluded that since only a few additional activities were undertaken, there had been few additional risks that the money were used improperly.

In the context of the COVID-19 outbreak, Poland set up several mechanisms to ensure that the spending, accounting, and control of EU funds continued to be properly monitored, based on the so-called ‘special fund law’ that was extended until 31 December 2023 34 . The law introduced measures such as extensions of the deadlines for submitting applications for funding in individual competitions; conducting extraordinary calls for projects; extending/suspending deadlines in administrative proceeding; and allowing controls and audits to be suspended in exceptional circumstances (provided they would be supplemented subsequently, where justified by the risks involved) or, if possible, carrying them out remotely or using electronic means of communication. The application of part of the ‘Guidelines for monitoring the implementation of 2014-2020 operational programmes’ was suspended to ensure that controls continued to be carried out efficiently. Specific measures included carrying out on-the-spot checks remotely, based on the documentation provided/available and planning to carry out monitoring visits to project sites to confirming the initial verifications once the pandemic restrictions were lifted. Furthermore, two specific IT applications developed by Poland, SKANER (for the verification of entities based on data from public registers) and Cross-Checks (correlated invoices which could be used to detect double financing of expenditure), assisted in both the implementation of the RRF and with measures associated with the impact of COVID-19.

Portugal reported that it had collected information to identify risks of fraud, including those related to the impact of COVID-19 and the implementation of the National Recovery and Resilience Plan (NRRP), as part of the update to its NAFS but that it had no definitive results that could be shared yet. The Institute for the Financing of Agriculture and Fisheries (IFAP) explained that they systematically weighed risk analysis in several of their areas of activity, namely administrative checks, on-the-spot checks and audits, including related to the impact of COVID-19 and the RRP. The Agency for Development and Cohesion (IP - AD&C) stated that under the RRP, there had been systemic analyses of double funding from cohesion policy funds and RRP financing.

Romania’s Ministry of Investments and European Projects — Managing Authority for the Operational Programme ‘Technical Assistance’ (AM-POAT) reported that, in the context of the COVID-19 pandemic, most training activities, conferences, and seminars planned for 2021 as part of technical assistance programmes were held online where possible or were postponed to 2022. A series of programmes were consequently modified to account for the changes in the implementation of the corresponding activities. AM-POAT also identified two main risks linked to the impact of COVID-19, in relation to the emergency procurement procedure and management verifications. It noted that management verifications were carried out at the same high level as in previous years and that there were no specific findings resulting from these checks. As in previous years, the number and amount of irregularities remained at the lowest level. No emergency procurement had been submitted to AM-POAT for ex-post verification by January 2022.

The Ministry of European Investment and Projects — Managing Authority for Competitiveness Operational Programme (AM-COP) finalised the fraud risk assessment based on the need to adapt anti-fraud measures in the context of the CRII/CRII + and REACT-EU objectives. The Ministry of Investment and European Projects — Directorate-General for Management of Recovery and Resilience Mechanism (MIPE — DGMMRR) noted that it had already defined a set of risks identified for all components/reforms and investments in the preparation phase of the RRP. Concerning the implementation phase of the RRP, it was in the process of defining risks in terms of both impact and probability.

The Office of the Republic of Slovenia for Recovery and Resilience was established in August 2021 and had only started the implementation system of its RRP. It committed to include targeted risk management exercises in the documents it would prepare.

Slovakia reported variation in how the AFCOS network partners addressed risk management in the context of COVID-19 and the implementation of the RRF. The Ministry of Environment, the Ministry of Health, the Ministry of Agriculture and Rural Development and the Agricultural Paying Agency, in their capacity as managing authorities for various operational programmes, all evaluated the impact of COVID-19 on individual risks within the framework of their regular risk analysis and assessments.

The Ministry of Investments, Regional Development and Informatisation (MIRDI) also noted that it used all IT tools, such as Arachne, to protect the EU's financial interests. In 2021, however, it identified no specific risks associated with the COVID-19 pandemic, as the Interreg programs did not introduce simplified expenditure control rules, but would consider risks in preparation for the following programming period. It had already planned several risk mitigation measures, including avoiding double financing; the interoperability of IT systems for the Cohesion Policy and the Recovery and Resilience Mechanism; and ensuring a fully electronic data exchange between bodies involved in the implementation of EU funds, including setting up a framework for online meetings and control of activities.

The Supreme Audit Office of the Slovak Republic (SAO SR) changed the goals and focus of its planned audits due to the pandemic. In 2021, based on its risk analyses, it planned two audits related to COVID-19 for 2022 and it will present the results in individual reports. Overall, drawing on its activities during the pandemic, the office underlined the need for the increased digitalisation of public administration processes. Representatives of SAO SR were also participating in regular exchange of views, via the international working group for the RRP, to discuss specific issues related to the oversight of the RRF and national RRPs.

Concerning the RRF, the Government Office of the Slovak Republic, acting as the National Implementation and Coordination Authority (NICA) responsible for the implementation, monitoring and overall coordination of the RRP, reported that it had launched the process of risk management concerning its upcoming implementation. It had planned to create a risk database, which would monitor thematic and horizontal risks – e.g. public procurement, Strategic Environmental Assessment (SEA), and Environmental Impact Assessment, political risks - as a tool for detailed monitoring of risks at the level of milestones and targets. Furthermore, NICA imposed an obligation on the executors of the RRP to perform fraud risk self-assessments, before 31 March 2022, which would be centralised into a catalogue/list of risks.

Finland noted that the preparations for the implementation of the RRF were still ongoing, yet it had paid particular attention to the organisation of internal controls to mitigate the risk of fraud, corruption, conflicts of interest, and double funding. The implementation of the RRF would be based on the regular national budget management system, but the latter would need to be supplemented in order to meet EU level requirements related to controls and collection of data.

Sweden noted that the government advocated a risk-based approach when it came to the management of EU-funds and the implementation of the RRF and ensured system-level capacity for an appropriate management through the framework for internal management and control. The managing agencies and the auditing agency were responsible for risk management exercises and had considerable freedom in their daily operational work.

1.6.2. Improved data collection and usage

When asked whether they had improved the manner in which they collected and used data, included on detected irregularities, fourteen 35 Member States reported that they fully implemented the recommendation, seven 36 partially implemented it, and five 37 did not implement it.

In Belgium, the Managing Authority for the ERDF Programme of the Brussels-Capital Region reported partial implementation. It described that it adapted to the new logic of milestones and targets inherent in the RRF and consequently extended the focus of its risk analysis from concentrating exclusively on the regularity of expenditure to analysing projects as a whole. To this end, it had for example asked project managers to communicate the mechanisms for detecting irregularities that were already in place within their organisations, to ensure that these constituted an effective first barrier. The Authority would also collect more systematically the information provided for in Article 22(2)(d) of the RRF Regulation, to optimise its use of the Arachne tool.

The Belgian ERDF Wallonia authority reported that improvements to the data collection system had already been done in 2020, following the Audit Authority’s conclusion that the system was reliable. A new and improved system was currently under design and would be operational in the second quarter of 2022, which is why it assessed it had not yet implemented the recommendation. The system would integrate 2021-2027 ERDF programming period expenses and indicators as well as RRF expenses.

Bulgaria referred to the whistleblowing systems that were set up in the structures administering funds, instruments and programmes co-financed by the EU budget. It explained that the competent bodies established whistleblowing/irregularity files in which all relevant documents would be attached. Overall, the analyses of the procedures for the management of irregularities showed a significant improvement in the mechanisms for reporting irregularities to the European Commission, via the Management and Monitoring Information System 2020 (UMIS 2020) and IMS. Annual analyses of the results and activity reports of the bodies administering funds, instruments and programmes co-financed by the EU budget showed an improvement in the internal financial management and control systems, as well as the reinforcement of anti-fraud measures. The Central Coordination Unit Directorate of the Administration of the Council of Ministers in Bulgaria, the national coordinator of the Arachne system and manager of access profiles, reported that 510 user accounts had been created by the end of 2020. Increasing the number of users helped to identify and assess projects with a high risk of fraud, conflict of interest and irregularities at an early stage.

Czechia noted that while several managing authorities concluded that it was not necessary to improve the manner in which underlying data, as well as those concerning detected irregularities, were collected and used, others focused mainly on improving the quality of collected data concerning the identification of interconnected irregularities. Their aim was to find and identify links between reported cases of irregularities in order to report the irregularity in IMS, even if the currently solved separate irregularity did not exceed the 10000 EUR limit and thus would not require a division of irregularities. This measure aimed to strengthen the relevance and use of the collected data. It added that the existing framework and procedures already provided for close cooperation between beneficiaries and managing authorities, thus enabling lasting and optimal data mining/extraction. Czech authorities assessed that no additional measures were needed since there were no sources of new data linked to the impact of COVID-19 and the functioning of the system so far had proven capable to guarantee high quality and reliability of the data.

Denmark outlined an approach to assess underlying data in collaboration with the relevant bodies, but noted it had not begun the process of including these bodies in examining specific data and identifying what type of data they could deliver.

Germany assessed that, with respect to the federal ESF programme, the established reporting procedures for collecting and reporting information on detected irregularities and fraud at all levels of ESF implementation already provided reliable, high-quality data. Regional authorities provided similar assessments, concluding that the systems in place ensured the high quality and reliability of data. ERDF Bremen pointed to the Transparency Register as an example of good practice, while ERDF Bavaria referred to a database system (FIPS2014) for reporting and monitoring that was also used for programme management. ERDF Rhineland-Palatinate did not consider that any improvements were necessary. ERDF Lower Saxony concluded that the risk of fraud and corruption in Lower Saxony remained low.

Estonia planned for all detected irregularities (ESIF, EGF, Norway/EEA, and in the future RRF) to be entered into a single national database, with no threshold for the irregular amount. This database would allow authorities to analyse irregularities across all funds and, if necessary, plan solutions or additional controls. To ensure high-quality information in the database regular checks were carried out, as a result of which feedback on deficiencies was provided, all mistakes were submitted for corrections, and if needed, training courses or personal consultation could be provided.

Ireland reported that the implementation of the National Recovery and Resilience Plan was underway and it would review the manner in which underlying data, as well as those concerning detected irregularities, were collected and used in the context of implementation.

Greece’s Financial Audit Committee (Audit Authority) reported that the COVID-19 operations co-financed by the ERDF and ESF for 2014-2020 were marked separately in the MIS NSRF, which facilitated the way relevant data were collected and used. Moreover, due to their special labelling, they could be separated and included in a separate stratum per fund for the purposes of sampling by the Audit Authority. The quality and reliability of the relevant data, including those related to irregularities detected in COVID-19 operations, was ensured by the current framework of the Management and Control System procedures governing and the remaining co-financed operations.

Spain reported that some management authorities implemented alert systems, but noted that this was a process of continuous improvement and progress. The ERDF Management Authority highlighted its review of the consistency of the data on contracts entered in the IT tool for fund management "Fondos 2020”. The EMFF Management Authority indicated that, as a measure to better detect irregularities, new mandatory fields were incorporated in the EMFF management monitoring application “ApliFEMP”, corresponding to the identification of the beneficiary as contracting authority. The Management Authority of the European Territorial Cooperation programs implemented an alert system that would identify relevant signs of fraud.

France referred to the various communications from the coordinating authority, which materialised into four dedicated working groups bringing together the anti-fraud control officers of the managing authorities of EU funds. In this context, the Delegation of the European Public Prosecutor’s Office in France gave a presentation of its tasks and the arrangements for communicating reports issued to it by the managing authorities in December 2021 and to the Europe Directors of the French Managing Authorities on 24 March 2022.

In Croatia, irregularity reporting was centralised at the level of the AFCOS service, which checked for technical errors and omissions before sending the data to OLAF. The service kept records of common errors and omissions in irregularity reports, which it used as training material. The AFCOS noted that the quality of 2014-2020 irregularity reports was much higher than of those for the programming period 2007-2013. In addition, the quality of irregularity reports created by experienced users was higher. For example, for the common agricultural policy, the responsible authorities combined a variety of data sources to continuously monitor and evaluate implementation, including administrative IT resources, publicly available information, remote sensors, earth observation technology and space/satellite technology, mobile application, and geospatial data. The Croatia Paying Agency also collected and processed data through the Integrated Administrative Control system (IACS), which was subject to annual quality controls, and would further develop its capabilities with satellite data obtained via the Area Monitoring System that would become obligatory as of January 2023. Croatia had been using Arachne as part of a pilot project launched in 2018, to check if additional controls were needed for suspicious projects.

The Italian Agency for Territorial Cohesion developed "Guidelines for the effective performance of first level controls", which encouraged the use of a "check list for the administrative verification of the main types of operations” and aimed to verify, during the first level control step, compliance with the legal and administrative expenditure procedures in place. It encouraged the detection of irregularities, including fraud, which could result in reporting to the managing authority for the programme for the data entry of records in IMS.

The Italian Ministry of Sustainable Infrastructures and Mobility reported programme-specific measures, whereby it had created a dedicated section in its information system SIPONIER to collect and consult data on detected irregularities. It concluded that this framework already ensured high quality and reliability of data. It also used AFIS-Irregularity Management System (IMS) to communicate irregularities/fraud to the EC. Additionally, the anti-fraud manager participated to a training course in collaboration by the Italian Guardia di Finanza related to the new Anti-fraud National Platform (PIAF-IT). The platform aggregated data from national and European sources, with the overall goal to make available to all national administrations involved in the management of EU funds, a technological tool capable of intensifying the exchange of information and maximizing the "anti-fraud prevention" phase. The Ministry of Economy and Finance - DRGS – IGRUE noted that audit authorities always reported in the annual control report (ARC) on the types of errors found, which the Ministry used for the periodic review of the audit strategy.

Cyprus reported that a new dedicated Management Information System (MIS) was developed for the RRF, to monitor all information regarding measures financed through Cyprus’ RRP and document all detected irregularities. The system would be interconnected with the central government and the cohesion policy systems, which would further improve the manner in which the underlying data will be collected and used. The National control and audit co-ordinator (Treasury of the Republic) was made responsible for collecting and reporting all detected irregularities in the MIS.

Latvia confirmed that the authorities responsible for EU funds paid increased attention to the quality of IMS data and various controls were in place to ensure correct data entry (e.g. four-eye principle, oversight, trainings, as well as opportunities for future development). The authorities also pointed out that although the large amount of data required to be entered in IMS could pose a risk of gaps, the comparative reports received by the institutions from OLAF showed that the data were correct and reliable.

Luxembourg reported that the managing authority of the European Regional Development Fund (FEDER), the Ministry of Economics, the managing authority of the European Social Fund (ESF), the Ministry of Labour, as well as the INTERREG programme, managed by the Ministry for Spatial Planning, all implemented the Arachne tool. Additionally, INTERREG used a Risk Assessment Tool in the framework of the establishment of their management control system and it elaborated more tools to report on fraud, such as a form to notify first level controllers. The Inspectorate General of Finances, which was also ESF’s Audit Authority, could access ESF’s IMS and ESF’s internet platform, used for the daily management of the ESF and its projects to obtain all the available information needed for their second level control.

Hungary reported that staff participated in training to use the Hungarian Monitoring and Information System (EUPR) and the AFCOS provided regular briefings to improve practical knowledge of the use of the IMS system and the recording of reports. The Coordinating Body, in cooperation with the managing authorities and the AFCOS, prepared a compendium of “cases of irregularity and cases classified as “suspected fraud” for the 2014-2020 programming period” which, in addition to the presentation of individual cases, included the experience and good practices of the managing authority, illustrating practical examples of each offence.

Malta informed that the Management Information System for the RRF included additional collection of data, such as UBO data.

The Netherlands emphasised that the way in which underlying data, as well as those concerning detected irregularities and fraud, were collected and used, needed to be further improved. It noted that the Commission would further develop the IMS.

Poland improved the way in which the underlying data on cohesion policy were collected by building a system of micro-services to facilitate the process of evaluating grant applications, monitoring the implementation of contracts, carrying out controls and audits, and settling projects. These tools included the applications SKANER (data on entities from public registers, including their personal and capital links, their projects co-financed by EU funds, beneficial ownership information); Cross-Checks (a bot that combined accounting documents in groups of correlated invoices which could be used to detect double financing of expenditure); and e-Controls (an application to carry out controls on projects, including audit trail collection).

In addition, a system of mutual flagging and exchange of information on potentially risky entities and other risks identified was implemented for operating programmes under the cohesion funds in Poland. In the area of agricultural funds, the Paying Agency had access to dedicated databases that made it possible to record information on irregularities and fraud detected, to update them and to monitor individual cases of irregularities and fraud. These databases were subject to periodic modifications to address new needs for reporting irregularities and analytical activities.

Portugal’s Inspectorate-General of Finance (IGP) audit authority carried out data consistency tests on open cases and made the necessary updates, also following OLAF/Team IMS alerts, which showed that the quality of the data had improved. The Institute for the Financing of Agriculture and Fisheries (IFAP) stated that it had reliable information systems that pooled all the information on the calculation and recording of the amounts to be recovered from the beneficiaries (aid unduly paid) when processing and reporting irregularities. It also provided a platform for that information to be periodically transmitted to the Commission, notably via IMS (OLAF) or as part of the annual submission of accounts (DG AGRI).

The Portuguese Agency for Development and Cohesion (AD&C) pointed out that the completion of the ‘reporting of irregularities’ module in SI Audit 2020 would enable data on irregularities to be filled in and processed automatically. Furthermore, for audits of operations, the IT system in use (SICA) contained a specific field for flagging suspected fraud in relation to each of the transactions audited. When the ‘reporting of irregularities’ module would become operational, this data would be transmitted by SI Audit 2020 automatically. In addition, the Agency developed a debt management system (SPTD), which received data from the managing authorities and enabled faster and more reliable detection of non-compliance.

The Romanian Anti-Fraud Department - Information Management Directorate and the responsible authorities within the Ministry of Investments and European Projects all reported that they improved the way underlying data and data on detected irregularities were collected and used. Specifically, the Managing Authorities for the Operational Programmes ‘Technical Assistance’ (AM-POAT) and ‘Competitivity’ (AM-POC) both described that they implemented several levels of checks to prevent and address irregularities. These included the introduction of internal operational procedures for irregularity management and for fraud risk assessment, and additionally for major risk assessment in the case of AM-POC, and inter-institutional cooperation protocols and agreements. To identify risky projects, contractors, and beneficiaries, both AM-POAT and AM-POC had access to the Commission’s risk-scoring tool Arachne, while AM-POAT also used the ONRC and REGAS systems.

The Managing Authority for the Operational Programme ‘Human Capital’ (AM-POCU) emphasised the importance of applying clear procedures to ensure a uniform approach across all entities involved in the monitoring and implementation of projects. Since the 2014-2020 programming period, the task of identifying suspected irregularities was carried out exclusively by the Managing Authority, through the entity responsible for irregularity management, and the intermediate bodies and entities within the Managing Authority submitted irregularity alerts. The operational procedure for irregularity management was updated to ensure that information concerning suspicions of irregularities was communicated in real time. The use of a digitalised system in the context of the COVID-19 pandemic, whereby beneficiaries submitted their documents through the IT system SMIS 2014+, ensured a more reliable system, faster communication and a safer working environment. Consequently, there were fewer cases of discrepancies between the documents at the level of the beneficiary/partners and those submitted to the Managing Authority/intermediate bodies, which made it easier to identify possible irregularities.

The Directorate-General for Management of the Recovery and Resilience Facility (MIPE-DGMMRR) reported that it was in the process of developing the legislative and procedural framework, as well as the IT system for the implementation of the NRRP, which would include appropriate measures for data collection and the use of information to detect irregularities.

Slovenia reported that the Office for Recovery and Resilience was only established on 2 August 2021 and it was in the initial phase of launching the implementation system of the RRF. Consequently, it had not collected and used, so far, the basic data and those related to detected irregularities, but would include these in the documents they were preparing.

In Slovakia, all but one of the concerned authorities reported they had fully implemented the recommendation. The Supreme Audit Office (SAO SR) reported partial implementation because it lacked access to the Arachne system. The entity described that it collected background data via a multitude of channels, including systematic analyses and other analyses of data from public administration information systems and other sources; analyses of the development of the economic environment, budget revenue and expenditure, fiscal, budgetary and structural policies; and monitoring and analyses of audit findings that may affect the state budget. In 2021 it launched an audit into irregularities related to the 2014-2020 programming period within the Ministry of the Environment and the Ministry of Transport and Construction, due to be published in 2022. It was based on a sample of irregularities extracted from the national monitoring system ITMS2014+.

The various managing authorities for operational programmes within the Ministry of Environment and the Ministry of Investments, Regional Development and Informatisation in Slovakia relied, during the programming period 2014-2020, on the national IT monitoring system ITMS2014+, which ensured the transparent collection and processing of data on irregularities, as well as Arachne, EDES, and other databases/lists of irregularities. The Ministry of Investments added that it intended to use Archne and EDES for the programming period 2021-2027, and furthermore that it would make all data extracted from the system that can be legally disclosed available to the public to increase the transparency of the implementation of EU funds. Similarly, the Ministry of Agriculture and Rural Development and the Agricultural Paying Agency (APA) used Arachne as a risk assessment tool. At the same time, APA used an application that served as a support tool for fraud detection, where information was collected from all available sources, including the detection of direct links to other business entities.

The Ministry of Health of the Slovak Republic relied on proposals for preventive anti-fraud measures submitted by the officer in charge of fraud risk assessment, following an analysis based on data on irregularities and audit findings collected in collaboration with the coordinator of audits and certification verifications. These proposals were discussed at meetings of the Risk Management Working Group, which usually met once a year. Finally, the Ministry of Finance assessed that it did not have to introduce significant improvements for collecting data concerning detected irregularities, except minor modifications to the user interface in 2021, as the existing procedures for the programming period 2014-2020 had ensured the quality and reliability of data.

Finland reported that the preparations for the implementation of the RRF included a project for the development of a new information system, aimed to improve the availability and coverage of the data. The system would collect data from different national authorities’ information systems linked to the RRF and all authorities responsible for audits and controls would be able to use the data. The quality of the data would be reviewed through audit and control measures.

Sweden noted that the managing agencies were responsible for ensuring that the relevant data was collected and used in an appropriate manner and that these processes were continuously revised and improved. To facilitate this, the government created the Swedish Council for the Protection of the EU’s Financial Interests (the SEFI Council), responsible among others for competence development for the agencies and for reporting to the government on the protection of the EU’s financial interests in Sweden. The Council’s role in the implementation of the RRF was strengthened and formalised within the framework of the Swedish Recovery Plan.

1.6.3.Integrated and interoperable information and monitoring system

Concerning the final recommendation for the use of the integrated and interoperable information and monitoring system that the Commission made available for both the RRF and the EU budget, nineteen 38 Member States reported they fully implemented it, four 39 partially implemented, and three 40 did not implement the recommendation. Member States included clarifications as to the systems they chose and details on analytical capabilities, as below.

In Belgium, ERDF Wallonia reported that it already used Arachne with regard to ERDF 2014-2020 and planned on using it also for ERDF 2021-2027 and RRF as soon as technically possible. ERDF Brussels-Capital Region committed to analyse in depth the new system proposed by the EC, once it would receive detailed information from the Commission, and to assess whether it would be appropriate to incorporate it fully or partially into the current system.

As Bulgaria’s Recovery and Resilience Plan was still pending EU approval, the national central coordinating unit for RRF only had access to the test version of the information system for monitoring the facility. The structures responsible under the facility would be ready to implement it as soon as the RRP was approved.

In the framework of the RRF, Czechia used the FENIX system for monitoring vis-à-vis the EC, which enabled the storage and monitoring of data on the achievement of milestones and targets, common indicators, etc. To report irregularities in the RRF, it used IMS. For monitoring of EU funds within the programming period 2021-2027, it used standard national monitoring systems.

Denmark planned to use Arachne as a supplement to controls regarding the RRF, particularly with respect to double funding, but it could not indicate the exact time frame or exact form of implementation. It added that it planned to reach out to the Commission in the near future regarding its implementation.

In Germany, all concerned ERDF authorities - Bremen, Lower Saxony, Rhineland-Palatinate, and Bavaria – noted that they already had adequate national registers in place, which ensured high quality and reliability of data, and therefore did not intend to use any other systems. ERDF Rhineland-Palatinate noted that the last upgrade of its system took place in 2021.

Estonia stated that it would not use the integrated and interoperable information and monitoring system that the Commission made available. It explained that risk management was carried out via the use of a national system that ensured the necessary functionalities and interfaces with other existing systems. In case the authorities needed additional information, they could also consult the EU commercial register or request information from the Tax and Customs Board, with whom they planned further develop cooperation.

Ireland reported it was currently developing an Information System for the NRRP and it was considering the use of Arachne in this context.

Greece’s Financial Audit Committee (Audit Authority) noted that until the Irregularity Management System (IMS) for the needs of the RRF was fully operational, it would inform the EU via the management declaration accompanying each payment request and information would be sent to OLAF by e-mail. Similarly, the Recovery Fund Coordination Agency informed that it planned to implement and make full use of the integrated and interoperable information and monitoring system made available by the Commission once it became fully operational and in the meantime would follow the same procedure as the Audit Authority.

Spain reported that the authority responsible for the RRF, the different Ministerial Departments that participate as executing entities in the RRP, and the Management Authorities of the shared management funds had all expressed their intention to use, as far as possible, some functionalities of the system provided by the Commission. However, the implementation of the system was still under development and it needed further work in order to be operational for certain funds such as EAFG and EAFRD.

France noted that managing authorities used Arachne in connection with funds from the EU budget.

The Croatian agricultural authorities considered the Arachne system that the Commission made available for Member States (although not obligatory) appropriate and efficient in order to enhance the quality and interoperability of the data on beneficiaries and final recipients of support from EU agricultural funds. They noted that, when setting up the national control system for the implementation of RRF and agricultural funds (EAFRD and EAGF), Arachne could be used to strengthen the capacity to detect, report and follow-up on irregularities. The full implementation of Arachne had however not been possible yet because some functionalities need to be improved to tailor it for controls of EAGF beneficiaries (especially those of direct payments). No specific information on the RRF was available to date.

Italy’s Ministry of Sustainable Infrastructures and Mobility stated that they would use the integrated and interoperable information and monitoring system once the Commission made it available. The Guardia di Finanza announced that starting from mid-2022 it would be granted access to the national monitoring system on the RRF plan, named ReGIS, which would also be made available to the other national institutions involved and the EC, OLAF, ECA, and, where appropriate, the EPPO in compliance with the provisions of Article 22(2)(e) of the RRF Regulation. The Ministry of Economy and Finance - DRGS – IGRUE referred to the irregularity monitoring system, where managing authorities submit data for the verification of audit authorities.

Cyprus reported that its authorities will fully use Arachne, the integrated and interoperable information and monitoring system developed by the Commission, for both the Cyprus RRP and cohesion policy programmes. Authorised personnel from the National Co-ordinating Authority and other relevant authorities have been granted access and a training plan has been designed for staff.

Latvia reported that the CFCA used Arachne at the project selection stage, for information on related companies and individuals, and during the project risk assessment, procurement ex-ante checks, procurement checks, payment claims checks and in particular in cases of suspected fraud. The Procurement Monitoring Bureau had also started using it for ex-ante checks related to major EU funds procurements. The Audit Authority used Arachne mainly during audit planning to identify risks that need to be included in the audit plan.

Luxembourg committed, in its Recovery and Resilience Plan, which contained a detailed description of the underlying control and management system, to use the Arachne risk-scoring tool.

Hungary noted that it did not have any information related to the system and kindly requested to be informed when it would be made available by the Commission to the Member State.

Malta noted that the system was not yet in place but that it intended to implement it once it would be.

The Netherlands did not recognise the system described, but mentioned it would consider using it. It added that it already used Arachne for ESI funds, which would be extended to implementation of the RRF.

Poland reported that it would use the scheme in accordance with the obligation under Article 22(4) of the RRF Regulation.

In Portugal, the Institute for the Financing of Agriculture and Fisheries noted that it had already used a system for monitoring under the EAGF/EAFRD in 2021, compulsory under the new CAP reform. It consisted of a satellite-image-based automatic control process enabling checks on all parcels declared to detect and correct non-compliant declarations in a timely manner. Concerning Arachne and EDES, the Agency for Development and Cohesion mentioned that it was conducting consultations, specifically with regard to the scope of audit activities and the follow-up of irregularities and other requirements.

Romania’s Anti-Fraud Department (Information Management Directorate), the Ministry of Investments and European Projects (Managing Authority for the Operational Programme ‘Competitivity’ (AM-POC)), and the Ministry of Investments and European Projects (Directorate-General for Management of the RRF) all stated that they would use the Commission’s system. The latter was currently developing the legislative and procedural framework as well as the IT system for the NRRP. When the IT system would become fully operational, it would provide integrated data that could be used in the monitoring system provided by the Commission.

Slovenia reported that it intended to check the possibilities of using the integrated and interoperable information and monitoring system made available by the Commission for both the RRF and the EU budget.

Slovakia noted that it did not have any exact information about the new integrated and interoperable system and it was not aware that the Commission had made it available for Member States already. It added that it would consider using it if it had more details about the system (e.g. about conditions of its usage) and mentioned several other systems set up by the Commission, which were commonly used in Slovakia, such as SFC, IMS, Arachne, EDES.

Finland reported that the options of using the Commission’s data-mining and risk-scoring tool and to link it with the new national RRF information system were being examined during the preparation phase for the implementation of the RRF, which was still ongoing.

Sweden noted that, in line with the traditional division of responsibilities and practices, each individual managing agency was to decide on whether it would use the system made available by the Commission for the purposed of the RRF and the EU budget.

3.Member States’ replies

1.7.Belgium

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

Belgium is not directly concerned by this issue as it has joined the EPPO. Coordination between EPPO and AFCOS has been initiated. The Belgian Delegated Prosecutors and the Belgian Prosecutor participated in an AFCOS meeting in 2021.

Q.2 Have you adopted a national anti-fraud strategy?

☒NO (AFCOS BE)

Has the NAFS been recently updated?

☒NO (+ date of adoption of NAFS). Is the update ongoing or are you considering updating it? Can you please indicate a timeline for the adoption of a new / updated anti-fraud strategy?

The AFCOS is currently being restructured in order, in particular, to allow the exchange of information between the different national and regional authorities for establishing a national anti-fraud strategy. In the meantime, the anti-fraud strategy is based on strategies developed by the competent authorities that manage the funds at the regional level (ESF, ERDF, etc.) and the strategy implemented by Customs.

Q.3 Have you assessed the risks and shortcomings of the national customs control strategies revealed through the Covid-19 pandemic and reported lessons-learned and remedial measures taken in order to a) improve flexibility for the type of custom checks; b) diminish the potential impact of unexpected future events; and c) ensure the implementation uniform controls within the EU?

☒YES, partly implementing the recommendation FPS Finance (Customs and Excise)

FPS Finance (Customs and Excise)

Risk management:

Since the control capacity was limited, we worked on the basis of priority areas.

In certain regions, the control capacity was mostly deployed to check face masks and other COVID related items.

During the pandemic, there was more capacity to perform documentary checks (owing to increased telework during the pandemic), however, for certain risks/fraud mechanisms a physical control is necessary; so changing the type of control was not always permitted. Ultimately, a greater than usual number of selections could not be checked. See Question 4 also on this point.

☒YES, partly implementing the recommendation FPS Finance (Customs and Excise)

FPS Finance (Customs and Excise)

Risk management:

Since for selections that could not be checked, there were declarations with a significant potential financial impact, it was decided to analyse these further and subject the most high-risk ones to second-line control (post-release, ex post check). It was not possible to record all the selected but not checked declarations in the ex post check range due to the limited second-line (post release) capacity.

Operations:

During the crisis, the General Customs and Excise Administration was considered an essential service by the Government. Consequently, it was possible to continue to perform essential checks, albeit with a few operational adjustments such as working in ‘bubbles’ or carrying out on-site company audits that were strictly necessary.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, fully implementing the recommendation (ERDF Brussels Capital Region)

☒YES, partly implementing the recommendation (ERDF Wallonia)

If you implemented fully the recommendation, can you please describe what type of exercises have you launched? Can you share any specific findings of such exercises?

Brussels Capital Region ERDF

The ERDF Programme Management Authority of the Brussels Capital Region has set up a targeted risk management exercise regarding the implementation of the RFF (Recovery and Resilience Facility).

The ERDF Programme Management Authority of the Brussels Capital Region has set up a system to detect, prevent and punish serious irregularities (fraud, corruption and conflicts of interests) among the projects selected. This system is detailed, among others, in a handbook validated by the Brussels Government and communicated to each project owner.

The content of this handbook was explained to project owners at several joint briefings.

We were later able to have at least one individual steering committee with each project owner, during which we set out in detail the specifics their project presented in terms of irregularities (fraud, corruption and conflicts of interests).

A project fiche was drawn up for each project and communicated to the respective SPOCS. The fiche contained all the information that the project owners would need to communicate to us either once or on a regular basis in order to demonstrate to us that there were no irregularities. The information to be communicated to us regarded the following points in particular:

·For projects where the object was to award grants, the project owner would submit a note detailing the eligibility conditions for the grants and the procedures and controls making it possible to demonstrate there was no fraud, corruption or embezzlement;

·Communicating the list of public procurement contracts considered (or already awarded) during the whole project, both in terms of the project owner and the subsidised contracting authorities if applicable (beneficiaries). The note must also detail the estimated budget and how it will be spent (public procurement, subsidies, operating costs, etc.) and distributed where applicable between the project owner and other beneficiaries;

·Projects where grants or subsidies are to be awarded to third parties must provide all the information and documents to make it possible to demonstrate that the final beneficiaries were chosen in full compliance, on the basis of objective, clear and transparent criteria, and in order to guarantee that there is no fraud, corruption or conflicts of interests;

·Communication of a note detailing the internal mechanisms that will enable it to detect, prevent, and if necessary, punish cases of fraud, conflicts of interests and corruption. The note must include four key elements, i.e. prevention, detection, correction and prosecution;

·Communication of a list identifying all staff members and any consultants working on the project. This list will be used to check that there are no conflict of interests and will be updated if necessary for the half-yearly reports;

·Each half-yearly report will be accompanied by a sworn statement that there is no conflict of interests, fraud or corruption;

·‘In accordance with Article 22(2)(d) of the Regulation, project owners undertake to collect the following standardised data and to provide access to them:

i) name of the final recipient of funds;

ii) name of the contractor and sub-contractor, where the final recipient of the funds is a contracting authority in accordance with Union or national law on public procurement;

iii) first name(s), last name(s) and date of birth of beneficial owner(s) of the recipient of the funds or of the contractor, as defined in Article 3(6) of Directive (EU) 2015/849 of the European Parliament and of the Council’

Since the first payment request under the RRF is scheduled for the first semester of 2022, the ERDF Programme Management Authority of the Brussels Capital Region will collect the information requested at the beginning of 2022 and will then analyse it.

If you implemented partially the recommendation, could you please explain why you think it was a partial implementation and why a full implementation was not possible?

The main Covid-related risks are covered by the current control system insofar as Wallonia controls 100% of ERDF expenditure with the same (high) level of requirement.

All public contracts with an estimated value of over €30,000 and all changes to contracts after award are subject to a legality control. The tender FEDER Wallonia specifications and the award decisions are part of this control. In the same way, the possible use of a simplified procedure or the invocation of force majeure are checked with regard to the regulations in force. The funds are released only when the contracts or modifications in question have received a positive opinion from the administration in charge.

As for RRF, risk management exercises will be carried out in the coming weeks, the management and control system (as well as risk management strategy as it is part of it) will be audited before the first payment request to the Commission, as foreseen by the regulation.

It should be noted that an inter-federal monitoring committee has been set up to coordinate the work of the various “RRF” stakeholders, including in terms of anti-fraud strategy.

A full implementation was not possible in 2021 due to the timeline of adoption of Wallonia’s plan but work in well underway.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, partly implementing the recommendation (ERDF Brussels Capital Region)

☒NO (ERDF Wallonia)

Brussels Capital Region ERDF

As part of the implementation of the RRF, the ERDF Programme Management Authority of the Brussels Capital Region adopted a new approach in collecting and using the underlying data: it is a fund that involves a new philosophy, one that has moved from an expenditure-control based logic to one of achieving milestones and targets.

With that in mind, the ERDF Programme Management Authority of the Brussels Capital Region has had to innovate to move the risk analysis focus in order to no longer solely concentrate on the regularity of the expenditure but to widen that analysis to the project as a whole.

The ERDF Programme Management Authority of the Brussels Capital Region has therefore, for example, asked the project owners to communicate the mechanisms to detect irregularities that are already in place in their organisations, in order to ensure that they constitute an effective first safeguard.

Furthermore, the ERDF Programme Management Authority of the Brussels Capital Region will collect more systematically the information referred to in Article 22(2)(d) of the RRF Regulation, which will enable it to make better use of the Arachne tool.

If you did not implement the recommendation, could you please explain why? Could you explain how your current framework already ensures high quality and reliability of data?

ERDF Wallonia

The key requirement 6: “Reliable system for collecting, recording and storing data for monitoring, evaluation, financial management, verification and audit purposes, including links with electronic data exchange systems with beneficiaries” has been audited by the audit authority which has concluded to a good reliability of the system in place. Following the audit, improvements have already been made to the system in 2020.

It should be noted that a new and improved system is currently being designed, which should be up and running in the second quarter of 2022. This new system will integrate 2021-2027 ERDF programming period expenses and indicators as well as RRF expenses.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, fully implementing the recommendation (ERDF Wallonia)

☒YES, partly implementing the recommendation (ERDF RBC)

ERDF Wallonia:

Wallonia currently already uses ARACHNE with regard to ERDF 2014-2020 and plans on using it also for ERDF 2021-2027 period and RRF as soon as technically possible.

Brussels Capital Region ERDF:

The ERDF Programme Management Authority of the Brussels Capital Region has not yet received any practical information from the Commission as to the functionalities of the new system. It is therefore unable at this stage to take a firm and definitive position regarding any implementation. However, once more detailed information has been received, the ERDF Programme Management Authority of the Brussels Capital Region commits to carrying out an in-depth analysis of the new system proposed by the Commission, and, on that basis, to assess whether or not to deploy it in full or in part in the current system.

1.8.Bulgaria

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

☒YES

In accordance with Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office, Bulgaria is a member of the EPPO.

For the European Public Prosecutor’s Office to operate at national level, it is planned to appoint 10 European Delegated Prosecutors located in Bulgaria. To date, nine European Delegated Prosecutors have been appointed.

In order to ensure the smooth and efficient operation of the European Public Prosecutor’s Office in Bulgaria, the Prosecutor’s Office of the Republic of Bulgaria and the Prosecutors’ College of the Supreme Judicial Council have taken all necessary measures as quickly as possible to ensure the technical and administrative capacity of the office of the European Delegated Prosecutors in Sofia, subject to the conditions and procedures laid down in Bulgarian law.

The Judiciary Act and the Code of Criminal Procedure have been amended in connection with the start of operations of the European Public Prosecutor’s Office and the European Delegated Prosecutors. In view of the amendments to the statutes and procedural law, the structure of the Supreme Prosecutor’s Office of Cassation had to be optimised by setting up a separate unit with functional competence in matters relating to the work of the European Public Prosecutor’s Office and offences affecting the financial interests of the EU.

In order to organise and ensure the interaction between the Supreme Prosecutor’s Office of Cassation and the European Public Prosecutor’s Office, Unit 08 ‘Crimes against the financial interests of the EU and interaction with the European Public Prosecutor’s Office’ was established by Order No RD-04-57 of 18 February 2021 of the Prosecutor General with effect from 15 March 2021. In the newly created Unit 08 of the Supreme Prosecutor’s Office of Cassation, the operational duties of prosecutors are exercised in criminal files and cases concerning: embezzlement, document fraud where the funds belong to or are made available by the EU to the Bulgarian State, submission of false information in order to obtain funds belonging to or made available by the EU, misuse of funds belonging to or made available by the EU; ‘money laundering’ where the proceeds result from crimes detrimental to the EU’s financial interests; cross-border VAT fraud, etc.

Q.2 Have you adopted a national anti-fraud strategy?

☒YES

If YES, did you communicate it to OLAF? If you did not communicate it, why? Please transmit it without delay.

By Decision No 833 of 12 November 2020 the Council of Ministers of the Republic of Bulgaria adopted the National Strategy for Preventing and Combating Irregularities and Fraud affecting the EU’s financial interests for the period 2021-2027.

The national strategy was developed by a working group of representatives of all authorities responsible for managing and controlling EU funds in Bulgaria and the competent authorities responsible for investigating fraud. The strategy contains specific objectives for preventing and combating irregularities and fraud, responsibilities and a mechanism for monitoring the implementation of the measures.

The new significant risks are reflected in the strategy, in particular in response to the outbreak of the COVID-19 pandemic and its economic and social consequences.

The national anti-fraud strategy was the subject of public consultation and all stakeholders had the opportunity to submit comments and suggestions.

The preparation of the strategy took into account Audit Recommendation No 1 of the European Court of Auditors’ recommendations in Special Report No 6/2019, as well as Recommendation No 2 of the 2018 report pursuant to Article 325 of the Treaty on the Functioning of the European Union on the protection of the European Union’s financial interests. The strategy is also in line with the European Commission’s Guidelines for National Anti-Fraud Strategies for European Structural and Investment Funds, the European Commission’s Practical steps towards the drafting of a National Anti-Fraud Strategy and the European Commission’s Guidelines on National Anti-Fraud Strategies.

The national strategy was translated into English and sent to OLAF on 1 December 2020.

Has the NAFS been recently updated?

☒NO (+ date of adoption of NAFS). Is the update ongoing or are you considering updating it? Can you please indicate a timeline for the adoption of a new / updated anti-fraud strategy?

The strategy was adopted on 12 November 2020, reflecting the significant risks resulting from the outbreak of the COVID-19 pandemic and its economic and social consequences.

☒YES, fully implementing the recommendation

The Union Customs Code (Regulation (EU) No 952/2013 of the European Parliament and of the Council of 9 October 2013), which entered into force in May 2016, introduced the uniform application of customs controls as a legal requirement and each Member State had to establish its own customs risk management procedures based on specific characteristics and depending on various data.

Customs authorities also undertake risk management to differentiate between the levels of risk associated with goods subject to customs control or supervision and to determine whether the goods will be subject to specific customs controls, and if so, where.

When identifying emerging risk events, the customs authorities are required to take the necessary measures to minimise the risk.

☒YES, partly implementing the recommendation

Taking into account Recommendation 2 and in the context of the introduction of containment measures, customs authorities have assessed the newly emerging risk (COVID-19 pandemic) and updated their actions to control risky goods, operators or events, namely:

• Risk profiles are in place to identify risky goods in terms of their admission to the EU market — masks, protective clothing, disinfectants, tests that may not meet established standards;

• Risk profiles are in place to identify risky companies that introduce substandard goods into the EU;

• Control activities are also carried out on the above-mentioned goods that infringe intellectual property rights;

• The flexibility of customs controls has been improved by introducing additional controls to identify financial risk events;

• The customs administration ensures that uniform controls are applied within the EU by:

immediately taking the necessary action when receiving risk information from other Member States — information from CRMS and OLAF, investigation АМ/2020/015, national supervisory authorities (the Consumer Protection Commission, the Bulgarian Drug Agency, etc.); and

·immediately taking the necessary action to notify Member States when receiving risk information or identifying such risk on the basis of its own analysis or controls.

Improving customs controls, mitigating possible negative consequences of unforeseeable events and consistency in the application of customs legislation are ongoing priorities for the administration.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, partly implementing the recommendation

The European Commission has sent Draft reflection note: COVID-19 and ‘Recovery plan for Europe’ instruments: risks for the legality and regularity of expenditure and mitigating measures reflecting the common understanding of the EC and Member States’ audit authorities on EU financial instruments to address the crisis, specific risks in spending and auditing of funds, and measures to minimise them.

In line with the recommendations made in the document, an assessment of the risks related to the COVID pandemic was carried out, including the lack of sufficient time for verification, reduction of the depth of controls by Managing Authorities in general and reduction of on-the-spot checks, poor communication during teleworking, a push for speedy payments for measures financed in response to the COVID crisis, etc. The evaluation resulted in the adaptation of the audit methodology for project verification and contractor selection procedures, taking into account the ‘Guidance from the European Commission on using the public procurement framework in the emergency situation related to the COVID-19 crisis’.

The methodology for verifying compliance with State aid rules has also been adapted in line with the Communication from the Commission ‘Temporary framework for State aid measures to support the economy in the current COVID-19 outbreak’.

In order to minimise risks and maintain a high level of assurance within the system audits of all OPs, key requirement 2 ‘Appropriate selection of operations’, including selection procedures for operations with measures to address the consequences of the COVID-19 pandemic, were checked and the recommendations were communicated to the Managing Authorities.

The recovery and resilience plan (RRP) of the Republic of Bulgaria was submitted to the European Commission on 15 October 2021 and its approval is pending. In relation to the preparation and implementation of the management and control system of the Recovery and Resilience Facility at national level, the minimisation of omissions and omission risk management, the following actions have been taken:

1. In 2021, the body designated as the central coordinating unit at national level for issues related to Bulgaria’s participation in the Facility took operational action by developing and sending a questionnaire in order to assist the final recipients and the monitoring and reporting bodies under the Facility in carrying out a self-assessment of their own capacity to implement the RRP activities. The main objective of this assessment tool is to help the bodies involved in the implementation, monitoring and reporting of the RRP to make their own judgement on their internal financial management and control systems, including administrative capacity, in order to identify areas that need to be strengthened, as well as to identify other potential shortcomings. The substantial resources made available under the Facility require that public administrations have sufficient capacity to effectively coordinate and monitor the overall implementation of the RRP and to put in place robust mechanisms for implementation, monitoring, reporting, control and audit.

The questionnaire contained pre-defined criteria for analysis and self-assessment:

• Criterion 1: Clear definition, allocation and separation of functions within the organisation;

• Criterion 2: Acquired qualifications and experience;

• Criterion 3: Level of knowledge of the defined obligations and responsibilities for the provision of funding, including the legal framework relating to the prevention and correction of irregularities, fraud, conflict of interest, double funding;

• Criterion 4: Adequate audit trail.

The summarised information resulting from the replies received indicates the following classification:

• For criterion 1, the assessment is: “Works partially. Essential improvements are needed”;

• For criterion 2, the assessment is: ‘Works well. Only insignificant improvements are needed’;

• For criterion 3, the assessment is: ‘Works well. Only insignificant improvements are needed’;

• For criterion 4, the assessment is: “Works well. Only insignificant improvements are needed”.

In order to strengthen and reinforce the administrative capacity of the bodies involved, the study carried out has helped to identify, in addition to bottlenecks in the project management cycle and weaknesses in available capacity, training needs and timely action by the coordinating unit prior to the actual provision of financial support under the RRP.

2. The draft management and control system for the Facility as an activity to prevent fraud, corruption and conflict of interest provides for the coordinating unit at national level (the National Fund Directorate) and each monitoring and reporting body to carry out a fraud risk assessment in order to identify effective and proportionate anti-fraud measures within the area of investment and implementing investments it monitors. The process involves identifying risks, assessing the effectiveness of the control measures in place and, if necessary, introducing additional measures until the level of risk perceived as acceptable is reached. The instrument includes risks and restrictive control measures in the three key areas — selection of proposals to implement investments, implementation of investments and public procurement. In view of assessing the effectiveness of existing control measures and, where necessary, introducing additional measures, the instrument should be implemented after the launch of the recovery and resilience plan and the implementation of its management and control activities.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, fully implementing the recommendation

Whistleblowing and irregularities administration systems have been set up and operate in the bodies administering funds, instruments and programmes co-financed under the EU budget. The procedures for the administration of irregularities are implemented in accordance with the established rules. The competent bodies establish irregularity report files/irregularity dossiers in which all relevant documents are kept.

Analyses of the procedures for the administration of irregularities in the Republic of Bulgaria show that there has been a significant improvement in the mechanisms for reporting irregularities to the European Commission. Information on irregularities is entered in the information system for management and monitoring of funds 2020 (UMIS 2020) and IMS electronic systems. The necessary timely corrective actions are undertaken to recover irregular expenditure.

The AFCOS Directorate supports the bodies administering European funds, instruments and programmes by providing methodological guidance and/or opinions on the legal and correct application of procedures for the administration of irregularities.

Annual analyses of the results and activity reports of the bodies administering funds, instruments and programmes co-financed under the EU budget show an improvement in the internal financial management and control systems as well as the reinforcement of anti-fraud measures.

Some of the bodies administering European funds, instruments and programmes in Bulgaria use the ARACHNE risk assessment tool. Data collection and analysis serve to systematically monitor and review information from internal and external sources regarding projects, beneficiaries, contracts and contractors. The tool uses information from UMIS and UMIS 2020. Data are analysed and checks focused on highest risk projects. A web-based version of the ARACHNE system has been in place since the end of 2019, allowing for flexible use of the tool, regardless of the specific computer station used by the user. The ‘Central Coordination Unit’ Directorate at the Administration of the Council of Ministers is the national coordinator of the ARACHNE system, managing access profiles. By the end of 2020, 510 ARACHNE user accounts had been created. Increasing the number of users enables projects with a high risk of fraud, conflict of interest and irregularities to be identified and assessed at an early stage.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, fully implementing the recommendation

Currently (January 2022), Bulgaria’s recovery and resilience plan is being assessed by the European Commission and its approval is pending. In this context, the body designated as the central coordination unit at national level for issues related to Bulgaria’s participation in the Recovery and Resilience Facility has access to the test version of the information system for monitoring the Facility developed by the European Commission. The bodies responsible under the Facility are ready to implement the recovery and resilience plan as soon as it is approved.

1.9.Czechia

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

Not relevant

Q.2 Have you adopted a national anti-fraud strategy?

☒YES

If YES, did you communicate it to OLAF? If you did not communicate it, why? Please transmit it without delay. Yes

Has the NAFS been recently updated?

☒NO (adopted 06/2008, updated 09/2017 and 05/2020). Is the update ongoing or are you considering updating it? Can you please indicate a timeline for the adoption of a new / updated anti-fraud strategy?

An updated NAFS reflecting new risks, environment and programming period shall be adopted by the end of 2022.

☒YES, fully implementing the recommendation

Within the Customs Administration of the Czech Republic, in view of and in connection with the Covid-19 pandemic, there has been no cancellation or postponement of post-release controls. There were no restrictions on post-release controls’ activities. Only the way in which the controls are carried out has been modified. It was recommended that, in view of the Covid-19 pandemic and possible restrictions on the movement of persons, contact with the persons inspected should be limited. Post-release controls have been carried out more by correspondence over the past period, i.e. oral meetings have often been replaced by sending correspondence – summons and presentation of documents. In addition, based on a methodological recommendation, customs authorities extended the time limits set out in the documents accordingly. This was reflected in a slight increase in the average length of post-release controls, within units of days.

☒YES, fully implementing the recommendation

See the reply to Q.3

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, fully implementing the recommendation

☒YES, partly implementing the recommendation

If you implemented fully the recommendation, can you please describe what type of exercises have you launched? Can you share any specific findings of such exercises?

Covid-19:

The National Coordination Authority (NCA) identified the risk of non-eligibility of expenses, delay in supply and suspension of some activities due to force majeure - proliferation of Covid-19 in connection with pandemic’s impacts on eligibility of expenditure on various activities financed from ESI Funds, not meeting the objectives of projects or non-compliance with the n+3 rule. The following measure was set for this risk: the NCA in cooperation with the Ministry of Finance prepared methodological instructions on the eligibility of expenditures and preventive measures due to force majeure. Disputable points were communicated with the EC. The above mentioned horizontal institutions prepared all related methodological documents. Then the MAs took all possible steps to eliminate the risks of non-compliance by beneficiaries, for example by adjusting the implementation time schedule or the range of project activities.

The Covid-19 pandemic was reflected in the risk management system on the national level also in other risk areas. For example, NCA recommended optimal drawing limits as a tool for successful drawing of total ESI Funds allocation. The limits, which were to be fulfilled by managing authorities, were revised and lowered due to the pandemic. The Ministry of Regional Development has also provided education and methodological support in the area of public procurement. The whole support system from ESI funds was successfully transformed to online form, so that it could provide continual support in constant quality.

The managing authority of national programmes in the area of home affairs (i.e. ISF and AMIF) continues performing a standard risk analysis on a yearly basis taking into account also risks linked to the impact of Covid-19, both on the level of programmes and supported projects. The managing authority has adopted certain measures to mitigate such risks and provide more flexibility to beneficiaries (e.g. distant forms of service provision) in order to facilitate a successful completion of projects, while keeping an emphasis on the audit trail.

If you implemented partially the recommendation, could you please explain why you think it was a partial implementation and why a full implementation was not possible?

RRF:

In the course of setting up the components of the National Recovery Plan (NPO), all component owners were approached to assess the opportunities and risks/uncertainties of implementation. This gathering of information took place in Q1/2021 and was partially reflected in the wording of each component. The aim was that the component owners themselves, who proposed the measures, would reflect the implementation area when drafting the texts.

A questionnaire survey among component owners was then conducted in 6-7/2021. By that time, the design of the individual milestones and targets in the NPO was almost finalised. The questionnaire contained about 70 questions from all areas of the RRF, implementation, information system, management and control system, etc. The questionnaire survey was conducted among all component owners and the subsequent evaluation of the questionnaires was carried out by the NPO Coordination Department - Delivery Unit. The purpose was then to divide the component owners in terms of readiness into 3 groups - most/medium/least prepared. Component owners who ended up in the 3rd least prepared group were then worked with intensively to address any deficiencies.

The questionnaire survey highlighted a number of common themes that component owners perceived as risks. In general, component owners saw the greatest risks in the setup of the information system for data collection or project intake. Risks related to staff capacity were also identified. Component owners very often face manpower constraints. given the fact that the NPO is a one-off time-bound project with a very short implementation period, it is necessary to use existing experts in the ministries of the individual component owners for implementation. This is often not possible well enough, as many of the experts working with EU funds are paid by technical assistance programmes. A further outcome of this risk assessment was the need to secure additional funding from the state budget for technical support to programme administrators and to cover other costs associated with implementation. This is an issue that has been critical in setting up implementation and is becoming even more important in the context of price increases, the energy crisis, etc.

It should be noted, however, that this analysis assessed the risks that existed at a certain point in time. Now that the implementation has progressed, some of the identified risks (e.g. the information system) have become irrelevant and, on the contrary, both the component owners and the Delivery Unit are identifying new risks associated with the implementation. Typical examples are the unavailability of certain materials, extending delivery times for deliveries, etc.

The area of RRF implementation in the risk management context is verified within the risk setting distinction between cohesion policy, new facilities and funds. In this area, the NCA monitors sufficient setting of support from RRF for individual areas in order to connect RRF support with other resources interventions without overlaps.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, fully implementing the recommendation

☒NO

Some managing authorities focused mainly on improving the quality of collected data concerning irregularities in the area of identifying interconnected irregularities. The aim is to find and identify links between reported cases of irregularities in order to report the irregularity to IMS, even if the currently solved separate irregularity does not exceed the limit set, i.e. 10 000 EUR, and thus no division of irregularities should occur. For project managers, this obligation to identify interconnected irregularities (and highlight this identification in the national management system (MS2014+)) was set out in the management documentation of OPs. This measure should strengthen the relevance and use of the collected data.

If you did not implement the recommendation, could you please explain why? Could you explain how your current framework already ensures high quality and reliability of data?

Several managing authorities concluded that it was not necessary to improve the manner in which underlying data, as well as those concerning detected irregularities, are collected and used.

As for one of the OPs, no additional or extraordinary measures were implemented as regards the improvement of the manner in which underlying data are collected and used, even those concerning detected irregularities.

The current framework and procedures in place were implemented right from the start, already accounting for entities involved as beneficiaries in the concerned operational programme. Those entities are in majority SMEs and were from the start contractually bound by a very close cooperation with the managing authority, thus allowing for a lasting and optimal data mining/extraction. As there are no additional sources of new data linked to Covid-19 impact (to the existing ones), no additional measures were found to be needed. Additionally, given the proven quality of the OP and continuous close supervision of the OP by various independent entities and bodies (no significant findings), only implies, there is a structural and consistent ability to adapt procedures as needed/required, thus guarantee high quality and reliability of data used.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, partly implementing the recommendation

In the frame of the RRF, the Czech Republic uses the FENIX system for monitoring vis-à-vis the EC, which has been made available to Member States for keeping and monitoring data on the achievement of milestones and targets, common indicators, etc. For the reporting of irregularities in the RRF, IMS is used.

For monitoring of EU funds within the programming period 2021-2027, standard national monitoring systems are being used.

1.10.Denmark

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

☒NO

Q.2 Have you adopted a national anti-fraud strategy?

☒YES, but sectoral

Has the NAFS been recently updated?

☒NO (+ date of adoption of NAFS). Is the update ongoing or are you considering updating it? Can you please indicate a timeline for the adoption of a new / updated anti-fraud strategy?

No, as there is not Danish NAFS. However, several of the Danish AFCOS network- members have sectoral antifraud strategies, which also cover fraud with EU-funds.

☒NO

If you did not implement the recommendation, could you please explain why?

The Danish Customs Administration has during the Covid-19 pandemic only had to cancel 14 controls – only a fraction (2) of these had financial impact; and both of those have subsequently been found releasable without further control The other 12 controls are either random (7) or regarding hazardous, dangerous or illegal goods (5).

☒NO

If you did not implement the recommendation, could you please explain why?

See the answer above.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, fully implementing the recommendation

If you implemented fully the recommendation, can you please describe what type of exercises have you launched? Can you share any specific findings of such exercises?

The different bodies, that are executing the projects under the RRF have been included in an assessment regarding which risks are at place in different projects and the resulting controls etc. Furthermore, the responsible bodies will perform an overall risk assessment for every project, which the auditing is to be based upon.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, partly implementing the recommendation

An approach to how to assess underlying data in collaboration with the relevant bodies has been outlined. However, the implementation is only partial, as the process for including the relevant bodies in examining specific data and what types of data they can deliver has not been begun yet.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, partly implementing the recommendation

Denmark foresees the use ARACHNE as a supplement to controls regarding the Recovery and Resilience Facility. It will especially be used to examine double funding. It is at this point not possible to indicate the exact time frame or exact form of the implementation of this, hence why we only indicated a partial implementation of this recommendation. However, Denmark plans to reach out to the Commission in the near future regarding the implementation of ARACHNE with regards to the Recovery and Resilience Facility.

1.11.Germany

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

N/A

Q.2 Have you adopted a national anti-fraud strategy?

☒YES, but sectoral

☒NO

If YES, did you communicate it to OLAF? If you did not communicate it, why? Please transmit it without delay.

NO: NAFS

YES, but sectoral: ERDF Lower Saxony:

In general, the following points should be added regarding the Lower Saxony anti-fraud strategy.

Under Article 72(h) of the ESI Regulation, management and control systems also include the prevention, detection and correction of irregularities, including fraud.

Under Article 125(4)(c) of the ESI Regulation, managing authorities must put in place effective and proportionate anti-fraud measures taking into account the risks identified (see also Annex XIII, point 3(vi) of the Regulation).

To assess the risk of fraud and corruption in Lower Saxony’s 2014-2020 multi-fund programme, we used the 2013 index of the anti-corruption organisation Transparency International, the Commission’s anti-fraud report and corruption report and the figures for irregularities and fraud cases in the 2007-2013 funding period.

After analysis of the reports and the figures for the 2007-2013 funding period, it was established that the risk of fraud and corruption in implementation of the Lower Saxony multi-fund programme was low. There are also a number of national and Land regulations that must be observed in implementing a multi-fund programme. A low risk of fraud and corruption was also confirmed for the 2014-2020 funding period.

The Lower Saxony anti-fraud strategy can therefore be regarded as complementing the current management and control system and as a proportionate measure to prevent fraud.

Where necessary, the Lower Saxony anti-fraud strategy will also be deployed in the 2021-2027 funding period.

The strategy is being updated as part of the reform of the management and control system for the 2021-2027 funding period.

Moreover, the ERDF managing authorities in the Länder focus on their own anti-fraud strategies and regard their own management and control systems as a proportionate measure to prevent fraud. The risk of fraud and corruption for the 2014-2020 and 2021-2027 funding periods is considered low. The risk of fraud is reviewed frequently in the context of the Covid-19 pandemic.

☒YES, partly implementing the recommendation

Even during COVID-19 the efficient handling of goods is a high priority for the German customs administration. Thus far, organisational measures and targeted resource management have maintained the proper operation of customs offices. Examples include the introduction of the so-called cohort principle, which has reduced the risk of infection among customs officers. In order to further reduce the risk of infection more and more use has been made of the possibility to carry out activities which do not necessarily have to be carried out at the customs offices by working from home.
An example for this is the processing of electronic customs declarations with the computerised clearance system “ATLAS”.

The presence of customs staff is still necessary for paper clearance and physical inspections.

In addition, a pool of staff has been set up to flexibly support customs offices with an increased clearance volume or increased staff losses due to COVID-19-related operations for all electronically practicable activities. These measures continued to ensure an adequate control regime at customs offices.

The customs offices are particularly focused on the speedy clearance of goods needed to fight the pandemic. For example, importers can enter a special code in the customs declaration for those goods which are then processed directly and as a priority by the customs offices to ensure fast availability to the consignees and to prevent an interruption of the supply chain.

COVID-19 made an impact on the Auditing Service and has led to an impairment in the performance of tasks in 2020. In particular, the necessary protective measures increased the time required for the performance of the audits.

In order to make the most efficient use of the personnel with a view to securing revenue, the audits mainly focussed on parties with high risk potential.

Additionally, the audit activities were partly transferred from the economic operator to the customs office or were performed by working from home.

Therefore, the recognition of digital documents and the transmission of documents as PDF/scan by e-mail was promoted, where this was legally possible. In appropriate cases the subsequent production of the original documents was accepted.

In addition, interfaces between the German customs clearance system ATLAS and the IT systems of cooperation authorities have already been developed independently of the pandemic for submission of documents as electronic datasets (e.g. electronic license).

For a certain period of time some risk profiles with medium risks were suspended in order to reduce the number of controls which were not absolutely necessary and to ensure free flow of Covid 19 protective equipment (e.g. face masks).

☒NO

If you did not implement the recommendation, could you please explain why?

We do not agree on the assessment of not having sufficiently addressed risk. The appropriate measures have been taken already in 2020 (see above answer to Q.3).

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒NO

If you did not implement the recommendation, could you please explain why?

Federal ESF programme: No new targeted risk management is currently being introduced with regard to the impact of Covid-19 on the federal ESF programme. However, for the next self-assessment, the ESF managing authority is planning to examine and include possible new risks arising from the Covid-19 pandemic.

ERDF Berlin: Against the background of the Covid-19 pandemic, the need to reassess the risk of fraud in measures under the ERDF operational programme for Berlin was reviewed, in cooperation between the intermediate bodies and the ERDF managing authority. Special attention was paid to the relaxations introduced as part of the adjustment of the legal framework in connection with the Corona Response Investment Initiative (CRII and CRII+), the temporary framework for State aid and simplifications in public procurement. The conclusion was that no re-assessment of the fraud risk was necessary.

ERDF Bremen: The ERDF Management Authority in Bremen did not implement any additional targeted risk management exercises. One of the Intermediate Bodies, the Bremer Aufbau Bank (BAB) has launched control mechanisms regarding to financial aids relating Covid-19.

ERDF Lower Saxony: Lower Saxony has its own systems, which are sufficient.

ERDF Rhineland-Palatinate: For Rhineland-Palatinate, the answer to question 5 is NO, as it is not directly affected by the implementation of the Recovery and Resilience Facility in the ERDF. However, Rhineland-Palatinate has coordinated the new ERDF OP with the Federal Government’s recovery and resilience plans (DARP). Otherwise, as part of the ERDF approval process, cross-checks are also carried out with the beneficiaries of special coronavirus aid.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒NO

If you did not implement the recommendation, could you please explain why? Could you explain how your current framework already ensures high quality and reliability of data?

Federal ESF programme: For the Federal ESF programme, there are currently established reporting procedures for collecting and reporting information on detected irregularities and fraud at all levels of ESF implementation. These procedures are described in the ‘Guide to the management of irregularities and the assessment of fraud and corruption risks for the European Social Fund in the Federal Republic of Germany in the 2014-2020 funding period’. The procedures already provide reliable, high-quality data.

ERDF Bremen: There are adequate registers in Germany, which already ensure high quality and the reliability of data, e.g. Transparency Register.

ERDF Bavaria: There is already an established procedure for detection, reporting and monitoring of the relevant data in general and especially for data concerning irregularities. For the reporting and monitoring exists a database system (FIPS2014) which is used for the programme management as well. An improvement is not necessary.

ERDF Lower Saxony: The risk of fraud and corruption in Lower Saxony remains low.

ERDF Rhineland-Palatinate: For Rhineland-Palatinate the answer to question 6 is also NO, as it already records all irregularities under the existing EU regulations and analyses the underlying reasons for the irregularities in order to assess whether they constitute systematic errors or fraud.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒NO

If you did not implement the recommendation, could you please explain why?

ERDF Bremen: There are adequate registers in Germany, which already ensure high quality and the reliability of data, e.g. Transparency Register.

ERDF Lower Saxony: Lower Saxony still has an adequate anti-fraud system.

ERDF Rhineland-Palatinate: Rhineland-Palatinate’s answer to question 7 is NO, as the ERDF does not wish to use Arachne. The IT systems used by Rhineland-Palatinate – ‘Self-assessment of fraud risk in the ERDF programmes in Rhineland-Palatinate’ – are reviewed and adapted every 2 years. The last adaptation took place in 2021.

ERDF Bavaria: Bavaria uses its own system via North Data.

1.12.Estonia

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

Estonia has already joined the EPPO.

Q.2 Have you adopted a national anti-fraud strategy?

☒YES

If YES, did you communicate it to OLAF?

Yes, we sent the link to Estonia’s webpage www.korruptsioon.ee last year.

Has the NAFS been recently updated?

☒YES (+ date of update). Does the strategy/update cover the new significant risks linked to the COVID-19 crisis and the RRF? Can you share what risks the new strategy has taken into account?

The Anti-Corruption Action Plan 2021-2025 was approved on 11.02.2021 and the 2021 Action Report was published on 18.01.2022 https://www.korruptsioon.ee/et/tegevuskava-aruanne-2021 . The Anti-Corruption webpage covers the topics such as corruption or conflict of interests and consists of different guidelines, handbooks, e-courses, and information about surveys and statistics.

☒YES, fully implementing the recommendation

The controls were implemented as foreseen. Product safety controls of personal protective equipment (e.g., masks, gloves, etc.) were set as priority.

Q.4 Have you assessed the financial risks that might not have been sufficiently addressed during 2020 and have you established catch-up plans for carrying out appropriate customs checks where due to confinement measures such customs checks had to be cancelled or postponed e.g., checks at operators’ premises and physical checks before releasing goods into free circulation?

☒YES, fully implementing the recommendation

The controls were implemented as foreseen and there were no changes in the customs control practice due to the Covid-19 pandemic.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, fully implementing the recommendation

If you implemented fully the recommendation, can you please describe what type of exercises have you launched? Can you share any specific findings of such exercises?

In the autumn of 2020, when the ESIF Managing Authority (State Shared Service Centre) started the annual risk assessment of the administration, we held a workshop “OP systemic risk assessment based on the impact of COVID-19” at the opening meeting. The representatives of the ministries, Implementing Agencies, Managing Authority itself, and the Audit Authority participated in it. The focus was on whether and how the crisis may have an impact on the implementation of the OP, both in terms of finances and action indicators, and the aim was to map, assess, and identify possible risks.

While performing the day-to-day inspections, the MA uses risk assessments to inspect the costs of COVID-19 (e.g., procurement of medical supplies and vaccines, vaccination costs). Their principles of inspection are supported by the required two-level checks of procurements. During the first crisis year in 2020, Level I officials checked procurement before deciding whether to claim support for these costs at all. When procurement errors or deficiencies were identified, the costs were excluded. Later, already in the implementing phase, the procurements were also checked by Level II to guarantee the correctness of the deal.

In the measure for reimbursement of vaccination costs, the MA has validated the control procedures of the beneficiary (Estonian Health Insurance Fund) to guarantee the effectiveness of their controls. In addition, the MA performs additional random checks too.

When implementing the RRF, the developer of the measure (the ministry) is obliged to assess possible risks in the project implementation in the following categories:

o double funding

o target group risks, including fraud and conflict of interest

o state aid, and

o ensuring competition.

To assess the risks, the MA has prepared a separate risk table with an assessment model. The completed risk assessment together with the mitigating activities is an important input in coordinating the conditions for granting support / contract conditions.

In addition, an annual assessment of cross-administrative risks is carried out in the context of all external instruments implemented. E.g., in 2021 we assessed the RRF risks, the 2014-2020 period, the 2021+ period, and the Norwegian / EEA risks together.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒NO

If you did not implement the recommendation, could you please explain why? Could you explain how your current framework already ensures high quality and reliability of data?

All detected irregularities (ESIF, EGF, Norway/EEA, and in the future RRF) will be entered into a single national database, with no threshold for the irregular amount. This database enables us to analyse the irregularities across the funds and, if necessary, plan solutions or additional controls. To ensure high-quality information in the database regular checks are carried out – feedback on deficiencies is provided, all mistakes are requested to be corrected, and if needed, training courses or personal consultation are available.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒NO

If you did not implement the recommendation, could you please explain why?

Estonia will not use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget.

Risk management is carried out in a national system that ensures the necessary functionalities and interfaces with other existing systems. If necessary, we make inquiries into the EU commercial register. We also have the right to receive tax information from the Tax and Customs Board, and we plan to further develop cooperation with them.

1.13.Ireland

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

☒NO

Q.2 Have you adopted a national anti-fraud strategy?

☒NO

☒YES, fully implementing the recommendation

Customs was designated an essential service by Government and Customs staff continued to work at the ports, airports, and approved premises. Accordingly, Customs operations at Ireland's ports and airports were fully operational throughout COVID. The reduction in passenger numbers travelling through Irish ports and airports meant that additional resources could assigned to undertaking clearance checks such that our performance levels continued as normal during COVID.

Some changes were introduced to ensure the safety of Customs officers and traders. For those working on site, safety measures including the use of PPE, social distancing and team bubbles were introduced to minimise the impact of a COVID outbreak among Customs Officers. Certain functions also lent themselves to remote working and this helped to mitigate the potential impact of COVID outbreaks.

Some flexibilities were introduced to alleviate the impact of COVID for traders including the acceptance of scanned copies of documentation rather than the original for clearance checks with the requirement that trade retain the originals. The notice to trade that issued is available at https://www.revenue.ie/en/customs-traders-and-agents/customs-electronic-systems/aep/ecustoms-notifications/2020/aep-notification-005-2020.pdf

The key issues for Ireland were, the designation of customs as an essential service, the opportunity to reassign staff having regard to the reduction in passenger numbers, our ability and agility to respond to and support trade by putting in place necessary safeguard measures to protect our staff and trade and the implementation of administrative changes/flexibilities that didn’t compromise the proper oversight of the customs control regime but did alleviate the operational challenge for business.

☒YES, fully implementing the recommendation

Ireland has a multi-faceted risk focussed Customs annual compliance program to underpin compliance with EU and national Customs legislation. This program is a combination of frontier controls at clearance including both physical and documentary controls together with a post-clearance program ranging from single aspect checks to Customs audits. Cases for both pre-clearance and post-clearance are identified using sophisticated electronic risk assessment and risk profiling tools. This risk assessment includes risks identified during pre and post clearance checks.

While post clearance checks were temporarily halted at the beginning of the pandemic, they resumed approximately three months later. No change was detected in the compliance profile of Irish traders following this resumption and no specific risks associated with the pandemic were identified in post clearance checks. No risks associated with the pandemic were detected as a result of pre-clearance checks either. Because of this, there are no checks currently targeting pandemic issues. However, our overall customs control and monitoring framework is dynamic and if risks emerge the national compliance program will be adapted to ensure we engage with these risks.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒NO

If you did not implement the recommendation, could you please explain why?

Ireland’s current focus is on implementing the projects in the National Recovery and Resilience Plan in compliance with the RRF regulation.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒NO

If you did not implement the recommendation, could you please explain why? Could you explain how your current framework already ensures high quality and reliability of data?

Implementation of the National Recovery and Resilience Plan is underway and we will review in the context of implementation.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒NO

If you did not implement the recommendation, could you please explain why?

Ireland is currently developing an Information System for the NRRP, the use of ARACHNE is been considered in this context.

1.14.Greece

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

Greece has joined the European Public Prosecutor’s Office.

Q.2 Have you adopted a national anti-fraud strategy?

☒YES, but sectoral

Has the NAFS been recently updated?

☒YES (+ date of update). Does the strategy/update cover the new significant risks linked to the COVID-19 crisis and the RRF? Can you share what risks the new strategy has taken into account? If the updated strategy doesn’t cover such risks, why is it so?

Special Service for Institutional Support

National Coordination Authority

Secretariat-General for Public Investment and the Partnership Agreement for Development Framework

Ministry of Development and Investment:

The Greek National Anti-Fraud Strategy for Structural Actions was drawn up in 2014 by the Secretariat-General for Public Investment and the Partnership Agreement for the Development Framework of the Ministry of Economic Affairs and Development, through the Special Service for Institutional Support, which reports to the National Coordination Authority. The Strategy, and an Action Plan which is an integral part of it, were initially submitted formally to OLAF in 2014. They were resubmitted to OLAF in 2017, as part of an update and comprehensive overview of the Action Plan.

Although the Action Plan has been completed, the National Anti-Fraud Strategy for Structural Actions is still being implemented systematically. The Fraud Management System has been fully incorporated into the Management and Control System (MCS) of the operational programmes under the 2014-2020 Partnership Agreement for the Development Framework (investment for growth and jobs goal), systematically ensuring the prevention and combating of fraud through the:

üapplication of the relevant MSC procedures;

üoperation of the Internal Cooperation Network for the Anti-Fraud Strategy for Structural Actions;

üongoing awareness-raising and training of stakeholders;

üongoing constructive cooperation with the competent national bodies and EU anti-fraud departments.

In this context, and given the new significant risks related to the COVID-19 crisis, the 4th Technical Meeting of the Internal Cooperation Network for the Anti-Fraud Strategy for Structural Actions was held on 5 July 2021. The new risks were discussed at the meeting, on the basis of the relevant texts from the European Commission, as were the measures taken to mitigate them. The aim was to make it easier for the Managing Authorities to adapt their Fraud Risk Assessment Tool to reflect the new risks and the measures taken to address them. As a result of this cooperation in the Internal Network, the Managing Authorities that have implemented the tool since the meeting have included risks and measures related to the COVID-19 crisis.

The above also applies to the fisheries sector, as the Special Management Service of the Fisheries and Maritime Operational Programme participates in the Internal Cooperation Network for the Anti-Fraud Strategy and implements the Fraud Risk Assessment Tool, which includes the risks and measures in question.

As regards the fisheries sector in particular, please note that although an official Anti-Fraud Strategy has not been drawn up and submitted to OLAF, procedures and measures to prevent and combat fraud similar to those incorporated into the Management and Control System (MCS) for the operational programmes under the ERDF, ESF and CF have been incorporated into the MCS of the Fisheries and Maritime Operational Programme, under the investment for growth and jobs goal.

Finally, please note that this Anti-Fraud Strategy, the Management and Control Systems referred to and the Internal Cooperation Network for the Anti-Fraud Strategy do not concern the Recovery and Resilience Fund.

Recovery and Resilience Facility Coordination Agency: A Strategy to combat fraud and corruption when implementing actions under the Recovery and Resilience Fund has been prepared and approved by Decision No 139614 ΕΞ 2021/10.11.2021 of the Director of the Recovery and Resilience Facility Coordination Agency. The main pillars of the Strategy are prevention, detection and effective response. The Strategy also sets targets and is more specifically defined by means of further actions where necessary.

☒YES, fully implementing the recommendation

Independent Authority for Public Revenue (Directorate-General for Customs and Excise): The recommendation was implemented fully. Checks on COVID-19 protective equipment were increased and appropriate instructions were issued to staff to protect themselves during the checks. Instructions were also given on protecting facilities and customs offices against the risk of spreading COVID-19. There was constant feedback from ‘frontline’ services, and measures were adjusted to achieve the necessary flexibility of customs checks.

☒YES, fully implementing the recommendation

Independent Authority for Public Revenue (Directorate-General for Customs and Excise): The recommendation was implemented fully and no financial risks were identified. The customs authorities were kept constantly informed and checks were prioritised. Measures were taken through the creation of appropriate risk profiles from the risk analysis system in the form of guidelines.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, fully implementing the recommendation

If you implemented fully the recommendation, can you please describe what type of exercises have you launched? Can you share any specific findings of such exercises?

Financial and Economic Crime Unit: Taking account of the particular market conditions that have resulted from the COVID-19 outbreak, the Directorate-General for the Financial and Economic Crime Unit has stepped up its controls on undertakings marketing products whose demand has increased sharply during this period, such as sanitisers and surgical masks, in order to check for cases of profiteering and prevent products that do not meet the requisite specifications and pose a risk to public health from being placed on the market.

More specifically, following the appropriate use of information, staff of the Operational Directorate of the Attica Financial and Economic Crime Unit carried out checks on personal protection and personal care undertakings and seized the following:

• 2 308 surgical masks from Turkey and China for which there were no documents proving legal acquisition;

• over 8 000 litres of sanitiser that did not have the required authorisation from the National Organisation for Medicines (EOF). Samples of the above seized items have been sent to the EOF and the test results are pending;

• significant quantities of materials for packaging sanitisers (bottles, caps, packaging labels).

In addition, as regards the obligation of the undertakings checked to comply with the provisions of Article 2 of the Legislative Act of 14 March 2020 (Government Gazette, Series I, No 64/14.3.2020) on recording the stocks of surgical masks and sanitisers, missing or incorrect inventories were found. Finally, the Directorate-General for the Financial and Economic Crime Unit has already written to the Secretariat-General of the Ministry of Development, which is the department responsible for implementing the provisions of the Legislative Act of 14 March 2020 on recording the stocks of surgical masks and sanitisers, to inform them of the actions it has taken, as required by law, with regard to the seized items. The officials of the Directorate-General for the Financial and Economic Crime Unit are fully aware of the critical circumstances in Greece and will continue to make every effort to protect public health and stamp out profiteering at the expense of the general public.

Financial Audit Committee (Audit Authority): The Audit Authority would like to inform you that the operations/subprojects included to address the consequences of the COVID-19 outbreak constitute a separate stratum per Fund in the Audit Strategy for the seventh financial year. This was done because the risk associated with these operations is different from that associated with other operations. The Audit Authority has also drawn up specific instructions concerning the audit of the above operations/subprojects, taking account of the relevant adaptations of the EU institutional framework, the EU guidelines and the national legislation and regulations, with the aim of focusing on issues (risks) related to:

• adapting the data to the COVID-19 pandemic response when revising operational programmes;

• marking COVID-19 operations in the Partnership Agreement for the Development Framework MIS;

• declaring beneficiaries’ actions and expenses;

• COVID-19 specific indicators and their monitoring;

• public procurement procedures;

• implementing the physical object;

• eligibility of expenditure;

• on-the-spot verifications;

• implementing the Temporary Framework for State aid measures to support the economy in the current COVID-19 outbreak.

Reply/comments concerning the Recovery and Resilience Facility (RRF):

The Audit Authority would like to inform you that the National Recovery and Resilience Plan (NRRP) was adopted in July 2021. Given the short period between the adoption of the NRRP by the Council of the EU and the first payment request, the initial Audit Strategy was adopted in October 2021. In order to obtain audit assurance on the satisfactory achievement of the first milestones included in the first payment request, the Strategy took account of factors such as the specificity, value, materiality and retroactivity of NRRP actions.

Please note that the above Audit Strategy will be updated, and the more specific planning issues based on risk analysis for audits related to the RRF will be set out in the 2022 report.

The Recovery and Resilience Facility Coordination Agency, as the competent coordinating body, would like to inform you that the National Recovery and Resilience Plan (NRRP) was adopted in the second half of 2021 (July 2021), while the first payment request was submitted to the Commission in December 2021. A key feature of that request was the limited scope of the expenses incurred and the fact that they concerned only NRRP actions with retroactive effect.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, fully implementing the recommendation

Financial Audit Committee (Audit Authority): The COVID-19 operations co-financed by the ERDF and ESF under the operational programmes of the 2014-2020 Partnership Agreement for the Development Framework are marked separately in the Partnership Agreement for the Development Framework MIS, making it easier to collect and use the relevant data. In addition, thanks to this special marking, they can be separated and included in a separate stratum per Fund for the purposes of sampling by the Audit Authority.

The quality and reliability of the data concerned, including data relating to irregularities detected in COVID-19 operations, are ensured by the current procedures of the Management and Control System that also governs the other co-financed operations.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, fully implementing the recommendation

Financial Audit Committee (Audit Authority): In accordance with the Manual of Procedures of the Management and Control System for the Recovery Fund, the European Commission will be kept informed via the management declaration accompanying each payment request until the Irregularity Management System (AFIS/IMS) is fully operational for the needs of the Recovery and Resilience Fund. OLAF will also be kept informed by email ( OLAF-FMB-SPE@ec.europa.eu ).

The Recovery and Resilience Facility Coordination Agency is pleased to inform you that it will implement and make full use of the comprehensive and interoperable information and monitoring system made available by the Commission for the Recovery and Resilience Facility and the EU budget once it becomes fully operational for the needs of the Facility and relevant information and training is provided. In full compliance with the guidance given by the Commission in reply to Member States, and in accordance with the Manual of Procedures of the Management and Control System for the Recovery Fund, the Agency will keep the European Commission informed via the management declaration accompanying each payment request until the Irregularity Management System (AFIS/IMS) is fully operational for the needs of the Recovery and Resilience Fund. It will also keep OLAF informed by email ( OLAF-FMB-SPE@ec.europa.eu ).

1.15.Spain

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

NOTE: Spain has joined the EPPO

Q.2 Have you adopted a national anti-fraud strategy?

☒NO

NOTE: During the year 2020, the AFCOS-Spain prepared and presented to the European Commission the project "A National Anti -Fraud Strategy for Spain”, for financing within the framework of the Support Program for Structural Reforms of the European Union (SRSP Technical Support Instrument -TSI-). This project aims to prepare a National Anti-Fraud Strategy that comprehensively includes the four phases of the anti-fraud cycle (prevention, detection, investigation and recovery/sanction). On January 4, 2021, the project was pre-selected for financing by the DG REFOM of the European Commission, and approved by the Commission Implementing Decision on the financing of the Technical Support Instrument and adoption of the work programme for 2021 of 2 March 2021. The project, whose kick-off meeting took place on 22 October 2021, is currently ongoing with the technical assistance of the OECD. It has an execution period of 19 months.

☒YES, partly implementing the recommendation

The Spanish Tax Agency, which is the competent body for customs control, in its answer to this question, indicates that, in its opinion, it is impossible the fully implementation of a recommendation like this. In particular, the effects of situations such as the one arising from COVID 19 are different in each Member State, as well as the measures adopted by each of them. It is therefore impossible to arbitrate measures at national level to uniform controls within the EU.

Notwithstanding the foregoing, the experience in the context of the COVID 19 pandemic has shown that its effect has not been so significant for customs control strategy. This is because the containment measures adopted in the EU have led to a radical reduction in international trade, which largely compensates for the limitations inherent in the impossibility or difficulty of carrying out some controls.

The main effect on the control strategy is in the field of physical controls in customs areas and in operators' premises, although the need for such controls is in turn much lower due to the reduction in imports.

☒YES, fully implementing the recommendation

According to the response of the Spanish Tax Agency, there is an annual tax and customs control plan in which the companies to be controlled are selected. This plan complements the controls prior to customs clearance. Within the framework of this plan, it has been possible to cover the risks affected by difficulties in carrying out the controls because of the sanitary measures.

In any case, the relaxation of controls did never meant to eliminate controls prior to the customs clearance even through physical inspection, in those areas in which such prior control is essential to guarantee its effectiveness.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, partly implementing the recommendation

If you implemented partially the recommendation, could you please explain why you think it was a partial implementation and why a full implementation was not possible?

In accordance with the response provided by the Responsible Authority of the Recovery, Transformation and Resilience Plan in Spain, the entities in charge of implementation of the Recovery and Resilience Plan will carry out fraud risk assessments of the activity they carry out for the implementation of the Plan's measures. This obligation has been established by Ministerial Order (HFP/1030/2021) establishing the Recovery, Transformation and Resilience Plan Management System.

However, the measure is considered partially implemented within the scope of the Recovery and Resilience Facility, since, taking into account the date of approval of the plan and the degree of progress in its execution, these evaluations are under development.

In relation to the rest of the European Funds, once the different Management Authorities have been consulted, the conclusion that can be drawn based on their answers is also a partial implementation of the measure. They carry out periodic evaluations of the risk of fraud in which, for certain programs, the new risks associated with the pandemic have been taken into account, when necessary, and also in the quality checks of the systems of certain Intermediate Bodies.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, partly implementing the recommendation

According to the information received from the Management Authorities, some of them are implementing alert systems. The measure is considered partially implemented, since it is a process of continuous improvement and progress.

We highlight some responses regarding measures adopted:

- The ERDF Management Authority highlights the review of the consistency of the data on contracts entered by the Intermediate Bodies in the IT tool for fund management "Fondos 2020”.

- The EMFF Management Authority indicates that, as a measure to better detect irregularities, new mandatory fields have been incorporated in the EMFF management monitoring application “ApliFEMP”, corresponding to the identification of the beneficiary as contracting authority. All beneficiaries that are contracting authorities must comply with the contract´s checklists in the certifications they carry out.

- The Management Authority of the European Territorial Cooperation programs is implementing an alert system that allows those relevant signs of fraud to be incorporated into the management.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, partly implementing the recommendation

Regarding this question, the Responsible Authority of the RRF in Spain, the different Ministerial Departments that participate as executing entities in the Recovery and Resilience Plan approved for Spain, and also the Management Authorities of the Shared Management Funds have been consulted.

The conclusion that could be drawn from the responses received is that, regarding to the execution of the RRF, there is a majority intention on the part of the Executing Entities at the state level to use, as far as possible, some functionalities of the System. In fact, most of the responses received refer to the fact that the Anti-Fraud Measures Plans drawn up by these entities contemplate the use of the System.

The Responsible Authority of the RRF indicates that this system will be used in the form and with the scope that was established for all Member States, taking into account that the European Commission announced the forthcoming publication of a guide for its use.

In the same way, regarding other shared management funds, the Management Authorities indicate that they will use some of the System's functionalities.

However, the implementation of the system is still under development and it needs further work in order to be operational for certain funds such as EAFG and EAFRD.

Certain Authorities highlight the need for more information and training on the management of the System.

1.16.France

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

No answer.

Q.2 Have you adopted a national anti-fraud strategy?

☒YES

If YES, did you communicate it to OLAF? If you did not communicate it, why? Please transmit it without delay.

Has the NAFS been recently updated?

The French authorities have adopted a new anti-fraud strategy. As the Anti-fraud Coordination Service (AFCOS), the Mission de coordination interministérielle antifraude (MICAF, the inter-ministerial anti-fraud coordination office) has drawn up, in consultation with its partners, a national anti-fraud strategy.

The national anti-fraud strategy was adopted on 4 February 2022 and forwarded to the European Commission on 8 February 2022.

The national anti-fraud strategy covers the new significant risks linked to the Recovery and Resilience Facility (RRF).

France has established a coordination authority for the RRF, the Secrétariat Général du plan de relance (SGPR, the recovery plan secretariat-general), reporting to the Prime Minister and the Minister for Economic Affairs, Finance and Recovery. It centralises the data on implementation of the RRF measures by public authorities and issues, where necessary, warnings on the risks of targets and milestones not being met, insufficient supporting documentation being provided and any irregularities brought to light.

In addition, monitoring for new types of fraud will be put into place by the various parties engaged in administering the new funds made available by the European Union (EU). The aim of this working group, led by the MICAF, will be to allow the regular exchange of information between the national bodies responsible for the funds in order to identify the risks of fraud specifically related to the allocation of these funds, and to exchange information in order to define types of fraud with a view to making it easier to discover them. These exchanges could be drawn upon, if required, to map risk, which would be helpful in the rollout of mechanisms to detect and investigate fraud.

As for France’s specialist judicial investigation bodies, they will take part in the framework operations launched by the European authorities (Europol, OLAF, Eurojust, the European Public Prosecutor’s Office), inter alia in Operation Sentinel, launched on 15 October 2021, which aims to prevent fraud linked to the RRF.

☒YES, partly implementing the recommendation

Over the crisis, the French authorities were able to note the continued commitment of staff, their responsiveness, technical mastery of the subjects covered, wealth of operational experience and the extent of the customs administration’s scope of action as a border goods administration. The analysis of the implementation of the business continuity plans should allow useful lessons to be learnt on crisis management.

Given the limited number of staff physically present and the significant extent of distance working required under the health instructions, physical checks on traditional own resources (TOR) were adapted and the national focus was put on Community requirements for processing mutual assistance cases related to the protection of financial interests. The local focus was on targeting new traders and those which changed traffic or supplies during the crisis.

Documentary checks were the preferred method.

A review must be carried out to develop the capacity to redistribute attributions in order to deal with exceptional circumstances (skills pool and volunteers willing to accept changes in their attributions in the event of a crisis).

In order to have the capacity to carry out customs assignments during future crises, it is important to boost the capacity to anticipate and respond through a definition of crisis management and by determining those in charge at the central level and in the decentralised departments. A review is also under way to assert the role of the customs administration in relation to its outside partners and to enhance synergy from interministerial and European partnerships.

☒YES, fully implementing the recommendation

During the COVID crisis TOR checks were maintained where they were mandatory, inter alia where relating to a case of mutual assistance or where they could be carried out by a documentary check alone.

For post-clearance checks, staff were asked to bear in mind the difficulty of undertakings in complying in lockdown conditions. They were thus asked to define precisely the documents to be submitted. Within the context of the three-phase resumption of activity, documentary checks at the time of customs clearance were aimed at preparing post-clearance checks. A campaign of specific checks was carried out to verify whether clearance obligations relating to import duty relief had been met.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, partly implementing the recommendation

If you implemented partially the recommendation, could you please explain why you think it was a partial implementation and why a full implementation was not possible?

The Agence national de la cohésion des territoires (ANCT, national agency for territorial cohesion), as the coordination authority, has forwarded to the management authorities the European Commission’s specific recommendation for consideration during risk assessment linked to the impact of COVID19, as laid down in the letter to management authorities of 31 March ‘Necessity to update fraud risk assessments and to adapt anti-fraud measures by the managing authority in the context of CRII/CRII+ and REACT EU measures’. This information was provided during a working group meeting for French managing authorities’ internal audit contact people on 27 May 2021.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, partly implementing the recommendation

The coordination authority has launched a number of communications initiatives. In this respect, four dedicated working groups bringing together internal audit-anti-fraud officers of the management authorities of the European funds have been set up, including a meeting held on 9 December 2021, at which a presentation was given by the delegation of the European Public Prosecutor’s Office in France on its attributions and practical details of how management authorities could submit notifications to it. A similar presentation was given by the delegation of the European Public Prosecutor’s Office in France to the Europe Directors of the French management authorities on 24 March 2022.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, partly implementing the recommendation

If you implemented partially the recommendation, could you please explain why you think it was a partial implementation and why a full implementation was not possible? To what extent the use of the system will cover the RRF and the programmes for the programming period 2021-2027?

If the question refers to ARCHNE [sic], it is used by the management authorities in relation to funds from the EU budget.

1.17.Croatia

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

No answer.

Q.2 Have you adopted a national anti-fraud strategy?

☒YES

If YES, did you communicate it to OLAF? If you did not communicate it, why? Please transmit it without delay.

Has the NAFS been recently updated?

☒NO (+ date of adoption of NAFS). Is the update ongoing or are you considering updating it? Can you please indicate a timeline for the adoption of a new / updated anti-fraud strategy?

The Republic of Croatia has adopted two anti-fraud strategies so far and they were both communicated to OLAF. One covered the period 2010-2012 (adopted 14/01/2010) while the other covered the period 2014-2016 (adopted 23/01/2014), and both strategies were fully implemented.

Considering that the Anti-Fraud Coordination System in the Republic of Croatia has been established, fully operational, and no major weaknesses were identified, there were no new anti-fraud strategies aimed at protection of financial interests of the EU adopted, neither updates of the existing ones have been made. Yet, AFCOS system in the Republic of Croatia has been constantly fine-tuned through softer measures (e.g. Irregularity management guidelines, fraud risk assessments at the level of operational programmes, etc.).

In addition, the Strategy for the Prevention of Corruption for the period 2021 - 2030 (Official Gazette 120/21) was adopted in October 2021, which is the fifth strategic document in this field since 2001. The Strategy sets strategic goals in the field of the fight against corruption for this period and is focused exclusively on the prevention of corruption. Each of the envisaged strategic objectives is accompanied by a series of measures related to various priority sectoral areas such as public administration, political system, judiciary, economy, public finance, health, science, etc. The strategy envisages 95 measures elaborated in the Action Plans and one of the measures is “Further strengthening of the framework for prevention of irregularities and fraud in the institutional framework for the implementation of ESI Funds”.

The strategy is divided into five basic specific objectives:

1. Strengthening the institutional and normative framework for the fight against corruption;

2. Increasing the transparency and openness of the work of public authorities;

3. Improving the system of integrity and conflict of interest management;

4. Strengthening anti-corruption potentials in the public procurement system;

5. Raising public awareness of the harmfulness of corruption, the need to report irregularities and strengthen transparency.

☒NO

If you did not implement the recommendation, could you please explain why?

The implemented customs checks cannot be further improved in the area of flexibility, except that additional protective equipment for customs officers when doing control checks has been introduced. Where applicable, control checks were less frequent in order to minimize the exposure of customs officers to COVID-19. However, for financial risks, no exceptions were made, and all the controls were conducted during the release for free circulation. To conclude, all measures that were implemented for control checks were in line with the recommendations of the National Health Administration regarding COVID-19 pandemic.

☒NO

If you did not implement the recommendation, could you please explain why?

The recommendation was not implemented because there were no exceptions in addressing of financial risks. All the detected financial risks were checked during the release of goods for free circulation.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, partly implementing the recommendation

If you implemented partially the recommendation, could you please explain why you think it was a partial implementation and why a full implementation was not possible?

In relation to risk assessment in the Operational Programme Competitiveness and Cohesion 2014-2020 all bodies in the management and control system of the ESI funds identify and assess risks on an annual basis using the following forms: Process Risk Map, Risk Catalogue, Risk Registry, Risk Mitigation Action Plan, Assessment of exposure to specific risks of fraud, and a Tool for self-assessment of risk exposure to ineffective and inefficient irregularity management. The risks associated with the Covid-19 pandemic are also taken into account in risk assessment.

The findings of the risk assessment showed an increased risk in relation to the extension of the deadlines for the submission of documentation by the beneficiaries and extension of the deadlines for the grant award procedure. In addition, in implementation phase due to the circumstances caused by the COVID-19 pandemic, the risk of increasing the number of requests for contract changes has been identified.

Regarding RRF, by the time the questionnaire was filled out, we hadn't received any information related to this question from the competent authorities.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, fully implementing the recommendation

In the Republic of Croatia, irregularity reporting is centralised. Namely, reporting bodies send irregularity reports to the AFCOS-service where irregularity reports are being checked against technical errors and omissions. If irregularity reports are correct, they are being sent to OLAF. On the other hand, if errors and/or omissions are identified, they are being sent to their creators along with instructions for corrections.

AFCOS-service keeps record of the most common errors and omissions in irregularity reports and presents them to participants of educational activities related to irregularity reporting (e.g. trainings on the use of Irregularity Reporting System, IMS). Moreover, each new IMS user attends initial IMS training where IMS functionalities and its use are being introduced to him/her.

Once the quarterly reporting period ends, the AFCOS-service conducts statistical analysis of cases reported through the IMS.

The AFCOS-service has noted that the quality of 2014-2020 irregularity reports is much higher than the quality of irregularity reports that relate to the programming period 2007-2013. In addition, the quality of irregularity reports created by experienced users is higher.

Regarding Common agricultural policy, Croatian authorities in agriculture collect and use diverse and numerous data sources to monitor implementation of measures and intervention within Common agricultural policy. They use continuously the analytical processing of large amounts of data for the purpose of monitoring and evaluating agricultural policy. Data sources and data types which Croatian authorities already use or expect to collect and use (in programming period 2023.—2027.) to monitor implementation (or evaluation) of agricultural policy are, among others, as follows:

§administrative IT resources (reports, etc.)

§publicly available information (ie. internet sites and other public data)

§remote sensors

§Earth observation technology and space/satellite technology (satellite data collection program Copernicus Sentinel)

§mobile applications

§Geospatial data (data with geographical or location component-GSA)

Croatian Paying agency, in accordance with the obligations stipulated by EU legislation, also collects and processes data relevant to analyses of agricultural policy which are obtained through system IACS (Integrated Administrative and control system). This system is subject to quality control of the collected data on a regular basis (annually).

Croatian authorities (Ministry of Agriculture and Paying Agency) continuously undertake necessary measures to reduce lack of financial resources for equipment and lack of staff with relevant knowledge and skills for usage of those equipment and tools.

According to legal requirements for the programming period 2023.-2027., Croatian Paying Agency plans to further develop system of Checks by Monitoring given the fact that usage of satellite data obtained through Area Monitoring System becomes obligatory from January 1st 2023.

Beside this, ARACHNE system is used in Croatia (among only nine other member states) within pilot project launched in year 2018 as a basis for indication of the need to carry out additional controls in some doubtful projects.

However, further improvements of PA’s IT systems and staff’s competences are needed.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, partly implementing the recommendation

Croatian agricultural authorities consider ARACHNE system, that Commission made available for member states (although not obligatory), appropriate and efficient in order to enhance the quality and interoperability of the data on beneficiaries and final recipients of support from EU agricultural funds. When setting up national control system for implementation of RRF and agricultural funds (EAFRD and EAGF), such a system as ARACHNE can be used to strengthen the capacity to detect, report and follow-up on irregularities.

At this moment, Croatian Paying Agency makes use of this system in some specific measures/operations of rural development, not as a basis for decision making but as a tool that indicates that certain circumstances and facts need to be further verified and possibly determined or confirmed on the basis of relevant documents, reports, registers…etc.

By this moment, full implementation of ARACHNE system is not possible due to the fact that some functionalities have to be improved to make this system suitable also for controls of EAGF beneficiaries (especially beneficiaries of direct payments)

For that reason, we consider this recommendation partly implemented. To make this system fully operational, after improvements are made, it will be needed to provide detailed and thorough education for effective and correct usage of this tool (especially for Paying Agency’s employees that will carry out checks).

Regarding RRF, by the time the questionnaire was filled out, we hadn't received any information related to this question from the competent authorities.

1.18.Italy

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

No answer.

Q.2 Have you adopted a national anti-fraud strategy?

☒YES

If YES, did you communicate it to OLAF? (10 December 2021)

Has the NAFS been recently updated?

☒YES (30 November 2021). Does the strategy/update cover the new significant risks linked to the COVID-19 crisis and the RRF? Can you share what risks the new strategy has taken into account? If the updated strategy doesn’t cover such risks, why is it so?

Contribution of the Italian AFCOS (Technical Secretariat):

The Italian AFCOS, among its various tasks, is to ensure the drafting of the National Anti-Fraud Strategy (NAFS) on the theme of the fight against irregularities and fraud against the European Union budget, contained in the Annual Report presented to the national Parliament, pursuant to art. 54 of Law 234/2012.

In this perspective, the Italian AFCOS has updated, in collaboration with all the competent institutions, the National Anti-Fraud Strategy (NAFS), according to the main priorities at national and European level in the fight against fraud, corruption or other illegal activities.

In order to develop the new fundamental strategic guidelines to follow in the future in the anti-fraud sector, the NAFS has been adapted its content but also, as regards the reference time horizon, which will be extended in response to the resources available from the long-term EU budget and NGEU and the evolution of the new potential risks of economic illegality (through the increasingly extensive use of specially developed IT tools).

Therefore, in line with the new significant news linked to the COVID-19 crisis and to the RRF, the need was felt to collect, by means of a specific questionnaire addressed to all the Institutions belonging to the Italian AFCOS, detailed information regarding the management of the emergency and the methods of utilization of the financial resources allocated.

Specifically, an attempt was made to find out what measures have been adopted, or are being implemented, to deal with the new risks of fraud linked to the pandemic crisis and strengthen the prevention and fight against corruption, fraud, as well as conflicts of interest and the risk of double funding and possible infiltration by organized crime, through a greater collaboration between managing and control authorities, an increase in IT security, a better interoperability of the multiple existing databases and a more effective use of technological tools.

Consequently, the main innovations and further objectives to be achieved were therefore identified:

-in strengthening national and international cooperation, as regards the exchange of information and the development of European projects and partnerships with the European institutions, other Member States, pre-accession countries (candidates and potential) and countries interested in the European Neighbourhood Policy;

-in the development of innovative projects and strategic actions in partnership that will have positive repercussions in the overall framework of the anti-fraud action and greater interoperability of IT systems for a more efficient and effective risk analysis aimed at prevention, identification of irregularities / fraud to the detriment of the EU budget and the effective recovery of amounts unduly paid to the beneficiary of an EU subsidy;

-in the implementation, also according to the new rules of the National Recovery and Resilience Plan / NRRP (which is part of the “Next Generation EU” programme and which has the Recovery and Resilience Facility / RRF as its main component), of a renewed communication and training strategy aimed, in particular, at:

Øexperts from the management and audit authorities, on issues related to the development of the most innovative technologies for contrasting and identifying potential risks of fraud and double funding;

Øuniversity or post-graduate students, with the aim of preparing ad hoc training and laboratory activities on the protection of the EU's financial interests.

☒YES, fully implementing the recommendation

Contribution of the Customs and Monopolies Agency:

Given the exceptional circumstances that customs services had to face because of the COVID emergency, in particular the reduction of the organizational ability and the availability of human resources, priorities for the control of financial risks have been defined more restrictively.

In line with EC Decision (2018) 3293 on the financial risk criteria, financial risks of greater impact (under billing, antidumping duties) have been approached with priority as they cannot be managed properly in post clearance controls, leading to a focus on cases in which there is an elevated risk or an high probability of fiscal evasion or disappearing of the obligated subject, or on cases in which the inspection of goods constitutes a crucial factor in mitigating the risk.

Middle-low level financial risks, for which it was possible to evaluate the possibility of managing in a later phase, have been dealt with post clearance controls, submitting the declarations to a document review (without physical interaction with the economic operator).

☒YES, fully implementing the recommendation

Contribution of the Customs and Monopolies Agency:

All the financial risks faced during 2020 have been adequately managed by the Italian system of risk management which chooses the Customs Declaration crossing different risk indicators and defining, consequently, the associated risk level (low, medium, high) and the right kind of control to carry out. There have been no control activities that have led to invalidation.

The post clearance controls (ex officio or on the economic operator’s request) have been made with documental check through the request to the economic operators of the documentation necessary for the definition of the inspection.

Ex post inspections have been carried out also for assuring that EU measures of exemption from import customs duties have been correctly applied (EU Decision n.491 of 3 April 2020) for goods aimed at fighting the effects of the COVID-19 pandemic.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, fully implementing the recommendation

If you implemented fully the recommendation, can you please describe what type of exercises have you launched? Can you share any specific findings of such exercises?

Contribution of the Agency for Territorial Cohesion

During 2020, in order to maximize the opportunities offered by the EU initiatives on structural funds with anti-crisis function following the COVID-19 emergency (called “Coronavirus Response Investment Initiative (CRII)" and "Coronavirus Response Investment Initiative plus (CRII+)) and in compliance with the modifications to the EU Regulations introduced by Reg. (EU) 2020/460 of the European Parliament and of the Council of 30/03/2020 and by Reg. (EU) 2020/558 of the European Parliament and of the Council of 23/04/2020, the reprogramming was carried out respectively:

-for the PON METRO 2014-2020_ Version 6.0 approved with the Commission Implementing Decision C(2020) 6170 of 07/09/2020 and Version 7.0 approved with the Commission Implementing Decision (2020) 8496 of 27/11/2020,

-for the PON Governance and Institutional Capacity 2014-2020: Version 6.0 approved with the Commission Implementing Decision C(2020) 8044 final of 17/11/2020, aimed at introducing within the Operative Programs new objectives/actions and/or modifications of the existing actions in order to cope with the new needs arising, directly or indirectly, from the COVID-19 emergency.

Contribution of the Ministry of Sustainable Infrastructures and Mobility

As part of the National Operational Programme “Infrastructures and Networks” 2014-2020, the Administration conducts the periodic assessment of the risk of fraud in relation to the Programme.

The Evaluation Group in charge of the risk assessment, which met on the 10th of December 2021, has analyzed the impact of Covid-19 and related measures put in place by the Administration to reduce the risk of fraud, and has agreed that the Programme is exposed to a tolerable risk.

Contribution of the Ministry of Economy and Finance - DRGS - IGRUE

On April 29, 2021, the Ministry of Economy and Finance - DRGS - IGRUE and the Agency for Territorial Cohesion issued the "Operational guidelines for the Management Authorities and Audit Authorities for the execution of the verifications of their respective competence on the operations implemented to deal with the health emergency ". In general, indications were provided on the methods of controls in the new simplified regulatory context, in order to guarantee the legality and regularity of the operations in any case. In particular, it was indicated, as far as it was concerned, to Audit Authorities to examine the composition of the population in order to obtain the appropriate sampling method, recommending the use of the stratification of expenses related to the Covid-19 health emergency. In this way the provisions of the document “Recovery plan for Europe” instruments: risks for the legality and regularity of expenditure and mitigating measures (EUROPEAN COMMISSION DIRECTORATE-GENERAL REGIONAL AND URBAN POLICY Audit Coordination, Relations with the Court of Auditors and OLAF)” have been implemented.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, fully implementing the recommendation

Contribution of the Agency for Territorial Cohesion

"Guidelines for the effective performance of first level controls" have been developed, aimed at encouraging preliminarily "check list for the administrative verification of the main types of operations" and to check subsequently, during the first level control step, compliance with the whole legal, Community and national, the administrative expenditure procedures put in place, encouraging the detection of irregularities, including fraud, which may result in reporting to the Managing Authority of the Programme, for the data entry of the records on IMS system.

During 2020, data recorded on the IMS system made it possible to report cases of irregularities in both Operational Programmes owned by the Agency.

Contribution of the Ministry of Sustainable Infrastructures and Mobility

In relation to the NOP "Infrastructures and Networks" 2014-2020, the Administration has created a dedicated section in its information system SIPONIER to collect and consult data on detected irregularities. This framework in place already ensures high quality and reliability of data. Furthermore, in line with Art. 122, paragraph 2 of Regulation (EU) no. 1303/2013, the Administration uses the European application AFIS-Irregularity Management System (IMS) to communicate irregularities / frauds to the European Commission.

Additionally, the anti-fraud manager has participated to a training course in collaboration by the Italian “Guardia di Finanza” related to the new Anti-fraud National Platform (PIAF-IT). The platform aggregates data from national and European sources, with the overall goal to make available to all national Administrations involved in the management of EU funds, a technological tool capable of intensifying the exchange of information and maximizing the "anti-fraud prevention" phase.

Contribution of the Ministry of Economy and Finance - DRGS – IGRUE

Audit Authorities always report in the annual control report (ARC) the table on the types of errors found as foreseen in the Guideline on ACR EGESIF_15-0002-04 of 19 December 2018 (Annex 5) and use the analysis of the data reported therein for the periodic review of the audit strategy.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, fully implementing the recommendation

Contribution of the Ministry of Sustainable Infrastructures and Mobility

Yes, we will use the integrated and interoperable information and monitoring system once the Commission will make it available to the Administration.

Contribution of the Guardia di Finanza

Starting from mid-2022, to The Guardia di Finanza will be granted the access to the national monitoring system on RRF plan, named ReGIS. It will be also made available to the other national institutions involved, as well as to the European Commission, OLAF, the Court of Auditors and, where appropriate, the EPPO in compliance with the provisions of Article 22, paragraph 2, letter e) of Regulation (EU) 2021/241.

Contribution of the Ministry of Economy and Finance - DRGS – IGRUE

If reference is made to the irregularity monitoring system, the Managing Authority feeds it and Audit Authorities verify this fulfillment.

1.19.Cyprus

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

N/A – Cyprus is a member of EPPO

Q.2 Have you adopted a national anti-fraud strategy?

☒NO

Cyprus, only has established a national anti-corruption strategy. Additionally, the House of Parliament has recently approved the Law concerning the Establishment and Operation of the Independent Authority against Corruption.

☒YES, fully implementing the recommendation

The Department of Customs & Excise has implemented the guidelines referred in document C (2020) 3891 which was prepared by DG TAXUD in cooperation with MS in order to prioritise the risks for customs controls and manage the impact of the common risk criteria, ensuring at the same time the uniform controls within the EU, during pandemic. Although the level of impact from COVID 19 was low, for the Department of Customs & Excise, the following measures have been implemented in line with FRC Decision C (2018)3293 of 31/05/2018.

Economic operators controlled several times over a period of time with no irregularity, were excluded from some profiles.

The control officer could decide for no control in duly justified circumstances, with the approval from the District Senior Customs Officer.

Many risk profiles created in our national systems, are set to select declarations for documentary control and if the control officers are not satisfied then they can proceed with physical control. Also, some profiles select a percentage of specific declarations for control.

The implementation of crisis management at EU level proved to be effective in such cases and help to ensure the implementation of uniform controls throughout EU.

Due to the Covid 19 pandemic, many of our employees had to work remotely. Even though this shift was sudden, the flexibility given to our employees made this transition easier.

Given the constraints associated with working remotely, the customs controls were not affected in terms of quantity and quality.

The level of flexibility through the use of technology in creating analytical reports enabled us with utilizing quality data and performing the necessary targeted customs controls.

Despite the fact that our department adopted new technological methods in the pandemic era, there is always room for improvement in ensuring the effects of any unexpected future events are taken into consideration.

The development of new customs information systems which are based on the restructuring and improvement of the existing ones is under way given the Union Customs Code (i.e. new Import system).

Almost all of the current customs information systems are going through restructuring in a way that will allow us to better monitor the customs facilities as well as perform targeted controls through the collection of quality data in a user-friendly manner.

As mentioned above the Customs department is developing new integrated information system. It is worth noting that the development is taking under consideration certain templates as well as data inputs in a way that will allow us to better communicate with the customs departments of other EU member states and organizations.

Based on our experience in sharing and receiving information from other organizations, the new information systems that are being developed are taking into consideration the uniformity of controls within the EU at the highest possible extend.

☒YES, fully implementing the recommendation

The Department of Customs and Excise was able to carry out the whole range of checks as the level of impact (due to confinement) was low, but priority was given to controls for security and safety related to Covid-19 risks.

The high demand in personal protective equipment led to an increase of IPR infringements of this kind of products. Due to the pandemic, there was a high demand in personal protective equipment which led to either the increase of IPR infringements of this kind of products or increase of production of such products which eventually do not meet the requirements of EU Regulation 425/2016 for personal protective equipment.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, fully implementing the recommendation

If you implemented fully the recommendation, can you please describe what type of exercises have you launched? Can you share any specific findings of such exercises?

Separate Fraud Risk Assessments have been performed concerning the implementation of RRF and Covid-19 Schemes. The Assessment takes into account all relevant risks associated with the following key pillars; selection, implementation, verification, certification, payment and procurement. All potential risks have been identified and described. Controls have been designed in order to mitigate the risks associated to each pillar. The design and implementation of the defined controls has been assessed in terms of effectiveness and efficiency. Any remaining risk derived from any potential ineffectiveness of these controls has been further examined and a specific action plan is set in order to eliminate any material impact of such remaining risk.

Additionally, within 2021 several other procedures have been designed and the implementation of these measures has effect from 2022 onwards.

Specifically, an enhanced circular concerning the application of measures for the comparability with National and Union policies for Public Procurement and safeguarding the prevention, detection and correction of any possible suspicion of Fraud or Conflict of Interest, has been developed by the Treasury of the Republic of Cyprus and the Directorate General Growth.

Additionally, targeted conflict of Interest controls in terms of all procurement and grant schemes selection procedures exceeding certain thresholds will be performed. Controls will be performed through access to Arachne (E.C suggested tool) and the Ultimate Beneficial Owner (OBO) National Register. Access to relevant electronic tools (such as electronic search to the Registrar of Companies platform and to the Ultimate Beneficiaries Register) will be granted to authorized personnel of the Treasury of the Republic.

The access to competent authorities to UBO Register to perform such controls was granted through modification of the National Regulation (ΚΔΠ 116/2022, ΚΔΠ 180/2022). These modifications ensured the granting of access to the UBO Registers to all European level audit and control bodies (OLAF, EPPO, ECA, EC)

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, fully implementing the recommendation

In relation to RRF, a new dedicated MIS has been developed to monitor all information regarding measures financed through Cyprus RRP. Relevant interface has been foreseen between the under development new ERP for the central Government and the RRP MIS as well as the Cohesion Policy MIS. The interconnection between the three systems will further improve the manner which the underline data will be collected and used. All detected irregularities will be documented in the two respective MIS. The National control and audit co-ordinator (Treasury of the Republic) has been granted the responsibility through the Council Ministry Decision to collect and report all detected irregularities in the MIS.

Q.6 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, fully implementing the recommendation

Cyprus Authorities will make full use of integrated and interoperable information and monitoring system which has been developed by the Commission (Arachne) for both Cyprus RRP and Cohesion Policy Programs. Authorised personnel from the National Co-Ordinating Authority and other relevant Authorities have been granted access to such systems and a training plan has been designed in order to educate staff in the use of such tools in an effective and efficient manner.

1.20.Latvia

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

NA, Latvia has already joined the EPPO.

Q.2 Have you adopted a national anti-fraud strategy?

☒YES

If YES, did you communicate it to OLAF? If you did not communicate it, why? Please transmit it without delay.

NAFS has been communicated to OLAF on 19.01.2021.

Has the NAFS been recently updated?

☒NO (+ date of adoption of NAFS is 29.05.2020.). Is the update ongoing or are you considering updating it? Can you please indicate a timeline for the adoption of a new / updated anti-fraud strategy?

The necessity to update NAFS was assessed and it was concluded that NAFS includes mostly horizontal activities which relates to all the Funds covered by the AFCOS Network and also all the new risks and circumstances can be taken into account when implementing these activities. In addition the representative from the RRF is included in the AFCOS Network, as well as representative from the EPPO.

NAFS is approved for the period 2020-2022, it is foreseen that in the beginning of the 2023 the evaluation of the implementation of NAFS will take place and decision on the scope and activities of the new NAFS will be taken.

☒YES, fully implementing the recommendation

In the Customs Administration of the State Revenue Service, financial risks are analysed and control measures are organized both at the time of customs clearance and at the post-clearance stage. As a result of the COVID-19 restrictions, no systematic changes were made to the implementation of control measures.

Control measures take into account international risk information, including the activities identified in OLAF's mutual assistance reports for each Member State. Feedback on control results and risk assessment in Latvia is always provided in response to OLAF reports.

Controls during customs clearance are mainly organized in accordance with the European Commission's guidelines on the implementation of Commission implementing decision (2018) 3293f of 31 May 2018 laying down measures for the uniform application of customs controls by establishing common financial risk criteria and standards (FRC).

An analytical solution in the SAP HANA platform has been implemented and is being developed to select customs declarations for post-clearance inspections. At present, a solution has been developed for assessing the level of risk at the level of declarations and commodities and selecting declarations with the highest possible financial risks for inspection. Work is underway to implement a solution for the analysis of customs clients (merchants).

☒YES, fully implementing the recommendation

The Customs Administration has developed a risk management policy. Within this policy an annual report on the effectiveness of the customs risk management system is prepared and a plan for risk mitigation measures for the coming year is set out. This includes setting levels of specific financial risks based on potential impact and probability and planning appropriate control measures. To an equal extent, financial risks are analysed and control measures are planned during the COVID-19 pandemic, including in 2020. In the opinion of the Customs Administration, the risk mitigation measures in 2020 have been implemented in accordance with the prepared plans, set priorities and international risk information and guidelines, therefore no compensatory measures are required.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, fully implementing the recommendation

If you implemented fully the recommendation, can you please describe what type of exercises have you launched? Can you share any specific findings of such exercises?

The competent authorities in Latvia responsible for implementation of the EU Funds are:

1.Ministry of Finance (in cooperation with the Central Finance and Contracting Agency) responsible for implementation of ESF, ERDF, CF and RRF;

2.Ministry of Agriculture (in cooperation with the Rural Support Service) responsible for implementation of EMFF, EAFRD and EAGF;

3.Ministry of Environmental Protection and Regional Development responsible for implementation of ETC;

4.Ministry of Interior responsible for implementation of ISF and AMIF;

5.Ministry of Welfare responsible for implementation of FEAD.

The Ministry of Finance informed that the risks of the Recovery and Resilience Facility (RRF) have been evaluated and approved during Risk management group meeting held in 2021, as well as the impact of COVID-19 on human resources and capacity has been assessed during same Risk management group meeting.

The Ministry of Agriculture informed that the risk register is reviewed every year and at the end of the year 2020 probability of occurrence of 2 risks (manipulation of cost demand and delivery of non-compliant products) was increased. In order to prevent possible fraud, the Rural Support Service carried out remote controls, in case of doubt enhanced controls have been carried out and, as far as possible, the approval of payment claims is suspended until the situation improves.

The Ministry of Environmental Protection and Regional Development informed that this risk has been assessed and remote controls are being performed. Where there were doubts about the projects, an inspection was carried out in the summer when it was possible to carry out on the spot visits. The Ministry has observed an increase in the number of deliveries of non-compliant goods or unjustified changes to contracts and has taken corrective action accordingly.

The Ministry of Welfare informed that in 2020 the impact of COVID-19 was included in the risk assessment and risk mitigation measures were identified, during 2021 these risks and measures were reviewed and re-evaluated.

The Ministry of the Interior informed that this risk has been assessed and there have been cases when the term of performance of the contract has been extended, which is mainly for foreign deliveries, when the borders were closed.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, fully implementing the recommendation

The competent authorities of the EU funds (Ministry of Finance / CFCA, Ministry of Agriculture / RSS, Ministry of Environmental Protection and Regional Development) confirmed that the quality of IMS data is receiving increased attention and various controls are in place to ensure correct data entry (e.g. 4-eye principle, oversight, trainings, as well as opportunities for future development are being sought). The competent authorities also pointed out that the large amount of data required to be entered in the IMS could pose a risk of gaps, but the comparative reports received by the institutions from OLAF show that the data are correct and reliable. Representatives of the Ministry of Welfare and the Ministry of the Interior informed that no cases have yet been identified that should be reported in the IMS system.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, fully implementing the recommendation

The Arachne tool is used by the CFCA:

-at the project selection stage, information on related companies and individuals is used, especially those registered outside Latvia.

-during the project risk assessment, procurement ex-ante checks, procurement checks, payment claim checks, and especially in cases of suspected fraud.

The use of Arachne tools has also started in the Procurement Monitoring Bureau and it is used during procurement ex-ante checks on major EU funds procurements.

The Audit Authority uses Arachne tool is mainly during audit planning to identify risks that need to be included in the audit plan. In addition tool is also used when information is needed about foreign companies directly or indirectly involved in the project. Special attention is also paid to possible cases of conflict of interest.

1.21.Lithuania

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

☒YES

Q.2 Have you adopted a national anti-fraud strategy?

☒YES

☒YES, fully implementing the recommendation

Yes, we have assessed the risks and shortcomings of the national customs control strategies. This was taken into account when drawing up the annual plans for Post-Release Audits (PRA) and other kinds of post-release controls. Analysis of data for the previous three years, affecting the number of planned PCA and other kinds of post-release controls and their execution, is carried out when drawing up these plans. The number, scope, effectiveness and results of PRA and other kinds of post-release controls through the COVID-19 pandemic years were similar to and even higher than in previous years. The flexibility of PCA and other post-release inspections has been improved, some PCA and inspection methods have been changed (e.g., the delivery of company documents to customs and verification of the delivered documents and other type of information in various forms at customs premises have been changed when executing checks at operators' premises). The lack of physical checks in PRA and other kinds of post-release controls has been largely offset by increased use of analytical tools and methods.

During the COVID-19 pandemic, the Lithuanian Customs carried out customs controls of vehicles and passenger items in accordance to general procedures. It has to be noted that during the pandemic the movement of passengers among different countries was banned (later, the possibility of movement was subject to valid vaccination certificates). This ban resulted in reduced passenger traffic. The movement of cargo vehicles was subject to regular procedures and customs officers followed all established safety requirements and guidelines during inspections.

Physical inspection of cargo vehicles during the period of COVID-19 pandemic was carried out using all protective measures and with minimal contacts with the person. Special rules were introduced to ensure minimal contact inspections where possible. However, based on risks analysis, in cases of great risk of violations, standard physical inspections were carried out. In addition, strengthened customs control was introduced with respect to goods used to combat the COVID-19 pandemic, especially personal protective equipment.

The following recommendation was followed during customs clearance of goods under the red channel of control: the inspection of the goods referred to in the order (marking of packages, labelling information, etc.), which only required a visual inspection of vehicles, the goods and their packaging, was carried out on the basis of photographs provided by declarants by electronic means. The application of this measure has ensured greater effectiveness of customs controls.

As a result of this situation, i.e. the COVID-19 pandemic, the Lithuanian Customs learnt how to manage the cargo flows at periods with limited human resources at customs offices. In addition, there was a possibility to develop techniques on how to react promptly to emerging threats and manage the situation in an emergency.

☒YES, fully implementing the recommendation

Yes, we have assessed the financial risks. The number, scope, effectiveness and financial results of PRA and other kinds of post-release controls through the Covid-19 pandemic years were similar to and even higher than in previous years. There were no cases when, due to confinement measures, PCA or other customs controls were cancelled or postponed for an unacceptable period. Therefore, there was no need to develop catch-up plans. Currently there are no restrictions applied to PRA and other kinds of post-release controls.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒NO

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒NO

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, partly implementing the recommendation

1.22.Luxembourg

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

Luxembourg already joined the EPPO

Q.2 Have you adopted a national anti-fraud strategy?

☒NO

Has the NAFS been recently updated?

Luxembourg NAFS has been drafted and is currently under internal review

☒ YES, fully implementing the recommendation

Luxembourg has carried out a thorough analysis of the customs controls performed at customs clearance stage during the period of the Covid-19 pandemic with the highest impact on controls due to the sanitary measures including confinement and contact restrictions (16/03/2020 – 24/05/2020). As expected, the main findings of this report is that, compared to the same period in 2019, up to 24 % less physical controls where carried out in general. In the specific area of financial risks, the difference is slightly lower at 22 %. On the other hand, overall, more documentary controls have been carried out during the reference period in 2020 compared to 2019.

Indeed, from the outset, Luxembourg expected that during the above-mentioned period, due the special circumstances i.e. reduced capacities, physical controls could not be performed at a usual frequency. According to the motto “safety first”, the focus was set on the risks of substandard, dangerous or counterfeit goods related to Covid-19 items such as personal protective equipment or medical equipment for example‎. Although physical controls had to be downgraded to documentary checks for some part, it has to be noted that no risk profiles were deactivated during the concerned period. The controls were accordingly carried out with the necessary flexibility, i.e. more documentary and post-clearance controls. This approach was also underpinned by the Guidelines from the Commission on prioritising risks for customs controls and managing the impact of the common risk criteria and standards (C(2020)3091 Final from 12 May 2020).

The experience gained, combined with and in accordance to relevant provisions from existing EU guidance in this context will be incorporated into a risk mapping, which Luxembourg is about to create. In terms of crisis management, this risk mapping should serve as a tool to support the setting of priorities and at the same time diminish the impact of unexpected future events.

In order to ensure the implementation of uniform controls within the EU‎, Luxembourg is applying the relevant provisions provided under the above-mentioned guidelines as well as the Commission implementing decisions (& their corresponding guidance documents) laying down measures for the uniform application of customs controls by establishing common risk ‎criteria and standards‎ in the actually specified areas (cash control, financial as well as safety and security risks).

☒YES, fully implementing the recommendation

The report mentioned under Q3 section 1 allowed the identification of the customs declarations selected for control at clearance stage by electronic risk profiles including financial risk profiles. From this report, it emerges that the financial risks have all been dealt with, at least by documentary control. By indicating amongst other elements the type of control, i.e. physical or documentary as well as control results, this report usefully served as a basis for the planning and focusing of post-clearance controls.

A “safety-net” for any shortcomings in terms of customs controls will be part of the risk mapping mentioned under Q3 section 3.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, fully implementing the recommendation

If you implemented fully the recommendation, can you please describe what type of exercises have you launched? Can you share any specific findings of such exercises?

On 18 June 2021, the European Commission published a positive assessment of Luxembourg’s Recovery and Resilience Plan and awarded an “A” rating for the control system. Following the Commission’s assessment, the plan was adopted by the Council. The plan contains an assessment of all relevant risks related to control system and outlines the different actions to be taken to implement an adequate system that manages these risks.

In the case of Luxembourg, the specific risks related to COVID-19 are limited. The economic impact of the health crisis remained below initial estimations and resulted in a decrease in GDP of only 1.8% in 2020, followed by an estimated rebound of 7% in 2021. Turning to the labour market, the unemployment rate is already at pre-crisis levels and employment levels remained positive throughout the crisis.

Further to this, the national RRP does only include a small number of projects, which are mainly linked to the digital and green transition and are not specifically vulnerable to the impact of COVID-19 related risks.

In conclusion, the risks linked to the COVID-19 pandemic and the implementation of the national Recovery and Resilience Plan are considered to be limited.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, fully implementing the recommendation

The managing authority of the European Regional Development Fund (FEDER), the Ministry of Economics, the managing authority of the European Social Fund (ESF), the Ministry of Labour, as well as the INTERREG programme, managed by the Ministry for Spatial Planning, all implemented the Arachne tool. This was done in tight collaboration with the Commission's services. The latter helped them to enhance management of their internet platforms, used by promoters to upload information regarding, inter alia, expenses. The managing authorities use the internet platform as a management control tool for their projects as all the information is centralised on it. Collected information is exported in Arachne.

INTERREG uses in addition a Risk Assessment Tool in the framework of the establishment of their management control system. Its procedures are adapted based on the results from the Risk Assessment Tool. In addition, INTERREG programme elaborated more tools to report on fraud, like a formulary to notify first level controllers.

The Inspectorate General of Finances, which is also ESF’s Audit Authority, can access ESF’s IMS and ESF’s internet platform. The latter is used for the daily management of the ESF and its projects. The application has a back office for the managing authority and a front office for the project owners. Most of the common tasks are done through or with the support of the platform: deposit of new projects, reporting of data (i.e. payment claims, follow-up of indicators, monitoring of, first level control,…). All available data on ESF projects is centralised on this platform and it ensures transparency and a possible audit trail. When accessing it, the Inspectorate General of Finances can get all the available information needed for their second level control.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, fully implementing the recommendation

Luxembourg’s Recovery and Resilience Plan contains a detailed description of the underlying control and management system. In this document, which was endorsed by the European Commission, the managing authority has included a commitment to use the ARACHNE risk-scoring tool.

1.23.Hungary

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

☒NO

Q.2 Have you adopted a national anti-fraud strategy?

☒YES

If YES, did you communicate it to OLAF? If you did not communicate it, why? Please transmit it without delay.

A copy of the updated NAFS was attached to our response of February 1, 2022.

Has the NAFS been recently updated?

In addition to the 2014–2020 Commission Anti-Fraud Strategy, the Member State adopted its own national strategy for 2021–2027 (signed on 31 August 2021), which is complemented by the RFF Anti-Fraud Strategy as a sectoral strategy adopted by the Head of the National Authority. The COVID-19 crisis was covered in the annual fraud risk analysis.

☒YES, fully implementing the recommendation

a) Improve flexibility for the types of customs checks

a.1 General corrective measures to improve the flexibility for the types of customs checks

In view of the COVID-19 pandemic, the National Tax and Customs Administration (NTCA) issued circular No 5021/2020/VEZ of 6 March 2020 to ensure the continued functioning of the NTCA, and to identify and prevent effects that might jeopardise the operation. In addition to other provisions to ensure functioning and to protect staff, the circular drew up an action plan which required an assessment of the monitoring and customer service tasks of each field, and the measures and controls that need not be performed or could be postponed during the pandemic. The circular was in effect until 30 September 2021.

In view of the state of emergency declared by the Hungarian Government in Government Decree No 40/2020 of 11 March 2020 for the whole territory of Hungary, and the above-mentioned circular, the Head of the NAV laid down transitional measures concerning the performance of the NTCA’s tasks on 18 March 2020 in circular No 5023/2020/VEZ. The circular was in effect until 8 June 2020. It provided for the reorganisation of the performance of the NTCA’s core activities, the introduction of teleworking and rotating management, the general rules relating to work during the pandemic, and the derogation from the provisions of legal instruments. The circular also defined the primary and secondary tasks to be carried out by the NTCA in certain areas (including customs), and the tasks that need not be performed in some areas during the pandemic.

In the field of customs, the core tasks were defined to ensure the continuous functioning of the supply chain, and to maintain economic security and public safety, both being fundamental interests of the State. These were:

1. checks related to Commission Implementing Regulation (EU) 2020/402 making the exportation of certain products subject to the production of an export authorisation;

2. electronic and paper-based customs procedures (for export, import and transit);

3. processing client requests for a licence, refund or modification that do not require the client’s personal presence;

4. the inspection of high-risk goods;

5. the inspection of goods if security/safety risks occur;

6. conducting checks for products subject to prohibitions and restrictions (e.g. drugs, protected plants, animals and goods made from animals, cultural goods, military equipment, dual-use goods, weapons, intellectual property rights, product safety etc.).

The customs department used the resources remaining after the core tasks have been fully performed to focus on secondary tasks.

1. the inspection of medium-risk goods;

2. inspection for export refunds;

3. the introduction of a sampling procedure;

4. in the VAT refund claim process for a foreign traveller, the physical inspection of the product, if it is to leave the territory of the EU;

5. on-the-spot checks for post-release inspection;

6. conducting in-person interviews with clients (but allowing them to put their case in writing wherever possible);

7. On-the-spot checks during the authorisation process for authorised economic operators (AEOs);

8. AEO monitoring activities for low risk profiles;

9. official checks related to the trade in precious metals and to hallmarking;

10. ex post verification of compliance with the legislation on drug precursors;

11. destruction of non-EU goods;

12. inspection of tax / customs warehouse and temporary storage facilities;

13. inspection of the means of transport;

14. on-the-spot-checks of exporters;

15. the inspection of low-risk goods.

The range of tasks that could be foregone in the field of customs was not defined.

In circular No 5002/2020/VSZF, the Director General for Customs laid down further details of the measures introduced in the fields of customs, finance and law enforcement as a response to the coronavirus, in accordance with Commission Recommendation EU/CRC001/2020. Until 8 June 2020, the circular governed the implementation of road and border control tasks and the procedures for the inspection of goods and documents as part of customs activities.

a.2 specific corrective measures taken in the field of post-release checks to improve flexibility for the type of customs checks

As a result of exploiting the benefits of the digital age, the post-release checks department has been conducting ‘desk audits’ wherever possible, which greatly contributed to the protection of audit staff. On-the-spot checks were carried out only where absolutely necessary, with the utmost respect for precautions to control the pandemic.

b) diminish the potential impact of unexpected future events

One effective way to reduce the potential adverse effects of unforeseen events is to protect the audit staff. In addition to exploiting the benefits of the digital age, teleworking is another option, especially for procedures which do not require much physical presence. These protection measures together ensured the efficiency of desk audits.

c) ensure the implementation of uniform controls within the EU

In our view it is necessary to comply with EU legislation and other standards to ensure the uniform implementation of controls. However, uniformity across the EU goes beyond the reach of any single Member State.

If this question concerns the findings of the European Court of Auditors’ special report on controls, we believe that ensuring uniform implementation falls within the responsibility of the Commission, and the recommendations set out in the special report of the Court of Auditors are addressed to the Commission.

☒YES, fully implementing the recommendation

It can be stated that the Hungarian Customs Authority did not cancel or postpone customs checks due to confinement measures. Following consultation with economic operators, checks were also carried out at their premises where necessary, and their input was taken into account as much as possible.

Consequently, there was no need to make up for checks cancelled, or to create or implement remedial plans.

However, the post-clearance verification of conditions for the exemption from customs duty for protective equipment related to the pandemic created an additional burden for the directorates concerned. Nevertheless, these checks will be carried out.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, partly implementing the recommendation

If you implemented fully the recommendation, can you please describe what type of exercises have you launched? Can you share any specific findings of such exercises?

The COVID-19 emergency made it necessary to amend the Hungarian legislation. Rules other than those laid down in Government Decree No 272/2014 of 5 November 2014 were set out in Government Decrees. However, these rules are transitional. The risks posed by the emergency continue to be addressed by first-level checks, which are carried out with due diligence by the managing authorities. The annual fraud risk analysis has been complemented to reflect the COVID-19 crisis.

We have also exercised due diligence in changing the implementing rules for public procurement, since as a rule EU funds are not subject to the exceptions set out in the emergency measures. In Hungary, Government Decree No 48/2020 of 19 March 2020 laid down the rules for procurement related to the efforts to contain the coronavirus. However, that decree clearly stated that those procedures were not applicable for EU development funds. So, there is no increased risk for public procurements either.

If you implemented partially the recommendation, could you please explain why you think it was a partial implementation and why a full implementation was not possible?

Negotiations on Hungary’s Recovery and Resilience Plan (RRP) are still ongoing.Chapter 3 of the Plan details the rules for implementation and the planned control and audit activities designed to reduce the implementation risks and to ensure that funds are used in a proper manner.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, fully implementing the recommendation

To raise awareness of fraud, staff receive training on the relevant legislation, fraud indicators and best practices. The coordination body at the Prime Minister’s Office headed by the minister responsible for the use of EU funds and AFCOS organise courses entitled ‘Preventing Fraud in EU Development Policy’ several times per year. In the induction training for new colleagues, there is a module on irregularities and fraud.

The coordination body, in cooperation with the managing authorities and AFCOS, has prepared a compendium of ‘irregularity cases classified as “suspected fraud” in the 2014–2020 programming period’ which, in addition to presenting individual cases, includes the experience and best practices of the managing authority, providing practical examples to illustrate the individual offences.

Staff undergo training to be able to use and to have access to the local monitoring and information system (EUPR).

AFCOS holds regular presentations to deepen their knowledge on how to use the IMS system and how to file reports.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

We have no information about the system referred to in Q7. Please inform us when the Commission is planning to make this system available to Hungary.

1.24.Malta

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

N/A. Malta has joined the EPPO in August 2018.

Q.2 Have you adopted a national anti-fraud strategy?

☒YES

If YES, did you communicate it to OLAF? If you did not communicate it, why? Please transmit it without delay.

The 2008 Maltese NAFCS was communicated to OLAF.

Has the NAFS been recently updated?

In 2021, Malta finalized the update to the 2008 NAFCS. The updated NAFCS was tabled in Parliament in the second half of H1-2021.

The update to the 2008 NAFCS was carried out given the changes that took place over the years, including regulatory and institutional changes as well as international obligations. The aim of the updated NAFCS is to continue to provide for a normative, institutional and operational framework for the effective and efficient fight against fraud and corruption. The action plan, spanning over three years, with specific time frames for the implementation of each action point, aims to enhance the strategic objectives of the NAFCS, namely:

1. Capacity building;

2. Communication strategy;

3. Maximization of national co-operation; and

4. Maximization of EU and international co-operation.

Malta included the update to the 2008 NAFCS as one of the reforms under the Recovery and Resilience Plan (RRP), namely ‘Reform C6-R3: Reinforcing the institutional framework capacity to fight against corruption - Implementation of the National Anti-Fraud and Corruption Strategy’. The objective of this reform is to increase the capacity, authority and public accountability of the State institutions entrusted with regulatory and control functions in relation to the management of public resources.

The updated NAFCS includes twenty-three action points related to the strengthening of the fight against fraud and corruption. Three of the actions identified by the strategy were also included as milestones and targets under the RRP.

The updated NAFCS which was tabled in Parliament in the second half of H1- 2021 is a dynamic and living document and may evolve through updates, as required, including with respect to new risks linked to the Covid-19 crisis and the RRF. In this respect, it shall be reviewed at regular intervals in order to be kept up-to date and reflect new issues to achieve its objectives.

☒NO

If you did not implement the recommendation, could you please explain why?

Customs control strategies during the pandemic did not have any particular impact on the Department’s operations at the border. Resources were quite sufficient to cover the workload requiring physical controls in line with pre-pandemic levels. To ensure the facilitation of legitimate trade, while maintaining controls concerning safety, also in view of covid related commodities, risk-profiles were regularly updated. Risk Profiles were based on information received, inter alia through RIF Alerts.

☒NO

If you did not implement the recommendation, could you please explain why?

As explained in Q3, Customs operations were not impacted. All planned controls and checks were conducted prior to release for free circulation. Since Officials were available to conduct checks on time, the emergence of possible financial risks due to lack of planned Customs controls was eliminated.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, fully implementing the recommendation

If you implemented fully the recommendation, can you please describe what type of exercises have you launched? Can you share any specific findings of such exercises?

Work is being carried out, by the respective Unit within the Planning and Priorities Coordination Division (PPCD) and is in its final stages in relation to having in place the risk register linked to the Recovery and Resilience Plans (RRP) in line with the Office of the Prime Minister (OPM) Circular Number 1/2016. This will strengthen the internal control system by putting in place the mitigation measures appropriate in dealing with the prevention, detection and correction of cases of irregularities, conflict of interest, corruption, fraud and double funding.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, fully implementing the recommendation

The Management Information System catering for the Recovery and Resilience Facility includes additional collection of data, such as UBO data.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

The system is not yet in place. Once in place, it is the Managing Authority’s intention to implement it.

1.25.Netherlands

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

No answer

Q.2 Have you adopted a national anti-fraud strategy?

☒NO

If you did not implement the recommendation, could you please explain why?

The Netherlands has not explicitly assessed the shortcomings of its national control strategy, but it directly included the aspects covered by points a), b) and c) in its tackling of the crisis. The crisis organisation was immediately activated at the start of the COVID-19 crisis. At the beginning, a number of vital customs processes which should take place as far as possible were identified. First, physical surveillance activities at sea ports and airports throughout the country, and at the Central Notification Centre of the Customs [Centrale Meldkamer Douane]. Secondly, the processing of transactions to and from companies to levy and collect import duties and excise duties, including providing information to businesses: the work contributing to Europe’s security and the core task of taxation were given top priority. During the COVID-19 period, Dutch Customs scaled down the level of enforcement only to a limited extent, strictly complying with the guidelines set out in the guidance document TAXUD A3-007-2022 final. Risk-based checks were not scaled down at all: they were fully carried out. Random checks and checks for risk detection were not carried out for a period of around 3 weeks, as we initially decided to prioritise the safety of staff.

For each customs process, ‘COVID-19 protocols’ were drawn up for staff to ensure that the work was carried out safely. For some processes, this (temporarily) led to a different implementation of controls.

In order to make it possible to carry out administrative checks for example, it was agreed with companies to share documents electronically in a secure environment or by email. On the basis of set guidelines, interviews were conducted over the telephone, for example via a conference call or via Webex. As the documents were requested via digital means and also received digitally, large parts of the checks could still be carried out. As a result, requesting information on and assessing the set-up, existence and functioning of companies’ administrative organisation or internal controls was largely possible. The additional substantive checks could also often be carried out entirely digitally.

At the beginning of the crisis, a different method was used for ship inspections. Shore-based observation and enhanced surveillance were used instead of physical controls on board. A protocol was subsequently developed to re-establish the regular control methods as far as possible and to ensure that checks could be carried out safely on board. These on-board checks are now carried out with medical face masks or plastic masks and, when a cabin is searched, the cabin is aired before the staff member enters it.

Customs requested an external evaluation of the functioning of the crisis organisation. The overall conclusion was that Customs’ crisis organisation of had worked well. This is partly due to the preparations already undertaken in the context of Brexit. But it is also thanks to our staff’s strong commitment and readiness to act. However, it is recommended that our plans take greater account of the possibility of long-lasting crises such as COVID-19. To that end, it is important to educate and train enough people to take up duties in the crisis organisation. This makes it possible to rotate members of staff if crisis situations persist for a longer period of time.

To prepare for a possible period of recurrent lockdowns in the future, a protocol has been drawn up for the scaling-up and scaling-down of our level of enforcement, setting out step by step how this should be done. It can also be used where decisions have to be taken on checks or priorities if large numbers of Customs staff are on sick leave at the same time. There has not yet been a need to use it.

A new system for sharing crisis information has been developed: the National Crisis Management System [Landelijk Crisismanagement Systeem]. This is a system used, inter alia, by our national crisis structure. The National Crisis Management System includes all functionalities needed in a crisis situation to quickly and clearly collect and share information with both internal and external parties.

☒NO

If you did not implement the recommendation, could you please explain why?

As mentioned in the answer to the previous question, as regards the risk-based financial risks, the Netherlands did not scale down the level of enforcement at all. Random checks and checks for risk detection were scaled down only for a short period of around 3 weeks.

In 2022, there will be more emphasis on the original documents of origin during the administrative checks, as companies were allowed to provide copies during the initial phase of the crisis. In addition, COVID-19 protective equipment with the exemption code C26 has been continuously given additional priority. Beyond the above issues, there were no additional financial risks during the COVID-19 period.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, partly implementing the recommendation

If you implemented partially the recommendation, could you please explain why you think it was a partial implementation and why a full implementation was not possible?

How the Recovery and Resilience Facility is implemented in the Netherlands is not yet sufficiently clear to fully completed a risk management exercise. However, risk assessments are included in the implementation of this facility. For the existing funds in shared management, exercises for Covid-related risks have been completed, where it has been concluded that few additional activities have been undertaken, which means that few additional risks of improper use arise.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, fully implementing the recommendation

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒NO

If you did not implement the recommendation, could you please explain why?

The system as described is not recognised. Is it a new system or is it already in use? If it’s new, the Netherlands will certainly considered. We do use Arachne for the ESI funds and the implementation of the RRF will also include the use the already existing systems.

1.26.Poland

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

☒ NO

Q.2 Have you adopted a national anti-fraud strategy?

☒NO

☒YES, fully implementing the recommendation

We have assessed the risks and shortcomings of the national customs control strategies revealed through the COVID-19 pandemic. The National Revenue Administration determined that, for pre-release controls, the COVID-19 pandemic should be assumed to have a low impact on Poland’s capabilities.

As for remedial measures aimed at:

a)improving flexibility in terms of types of customs controls – the following ad hoc measures have been taken:

·stepping up controls in the area of security and safety threats while at the same time temporarily restricting warning levels concerning other risk areas in the customs declaration processing systems;

·maintaining the levels for controls on high-risk customs declarations, including the risk of customs undervaluation of goods covered by the EU reference price system,

b)limiting the potential impact of unexpected future events – depending on the type of future event, it is possible to use automatic risk analysis to step up controls on customs declarations in specific risk areas while simultaneously lowering check levels in lower-priority areas,

c)ensuring the implementation of uniform controls within the EU – in the risk area of customs undervaluation covered by the EU reference price system, pre-release controls have been standardised and refer to uniform EU reference prices. Moreover, there is a two-step control in this area. The results of the pre-release controls are analysed and, in the event of doubt, requests for post-release controls at operators’ premises are sent. Uniform controls are also in place where the European Commission has recommended the use of standardised control activities, for example by using the appropriate risk profiles in customs declaration processing systems.

As for the results achieved following the introduction of existing remedial measures, the results of the customs controls are sent to the European Commission as part of the Customs Union Performance (CUP) system. With respect to Poland, the Commission’s draft CUP report for 2020 states, on page 23, that the number of import declarations increased by 10%. The annex to the draft CUP report (Country Fiches 2020) states, on page 53, that the levels of controls in standard declarations and the effectiveness levels for those controls for Poland are close to or higher than the levels achieved in 2019.

When it comes to post-release controls, in the light of the COVID-19 outbreak in Poland, rules of procedure for the National Revenue Administration bodies were introduced concerning customs controls, among other things, in order to ensure business continuity. Controls were carried out subject to health measures, whereby the National Revenue Administration bodies used the option of analysing the operators’ accounting documents on their own premises instead of on the operators’ premises.

☒YES, fully implementing the recommendation

As regards physical controls before releasing goods for free circulation, we did not find it necessary to cancel or postpone them because of confinement measures. Therefore, there was no need to establish catch-up plans for carrying out such controls.

As for post-release controls, we did not find it necessary to cancel the controls at operators’ premises or postpone them because of confinement measures. Therefore, there was no need to establish catch-up plans for carrying out such controls.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, fully implementing the recommendation

If you implemented fully the recommendation, can you please describe what type of exercises have you launched? Can you share any specific findings of such exercises?

In the context of the COVID-19 pandemic, Poland has put in place a number of mechanisms to ensure that the spending of, accounting for and control of EU funds continue to be properly monitored. This was done on the basis of the ‘Special Fund Act’. In view of the development of the pandemic, the validity of the act was extended until 31 December 2023 by means of an amendment (Act of 3 April 2020 on special arrangements to support the implementation of operational programmes following the COVID-19 outbreak (Journal of Laws 2021, item 986)).

The act contains a basic package of arrangements making it easier to implement and account for projects co-financed by the EU. The options available include: extending the deadlines for submitting funding applications in individual competitions; conducting extraordinary calls for projects; extending deadlines in administrative procedures or suspending them and ceasing to carry out administrative decisions relating to the implementation of projects; suspending application of the guidelines issued by the Minister for Regional Development; the possibility of discontinuing controls and audits in exceptional situations (provided that they are supplemented later where justified by the risk present) or, where feasible, performing controls and audits remotely or using electronic means of communication.

Application of some of the ‘Guidelines on controls on the implementation of operational programmes for 2014-2020’ has been suspended. This ensured continuity in the smooth operation of controls, including system controls, and in the verification of project expenses by control authorities despite the limitations caused by the epidemiological emergency.

The Managing Authorities use the permitted arrangements to send to the Partnership Agreement Coordinating Authority information on how to use the available facilitation measures. In most cases, the authorities carry out on-the-spot checks remotely, on the basis of the documentation provided/available. When the health emergency is over, they plan to carry out on-site monitoring visits at project sites to confirm the previous verifications.

Actions aimed at implementing the National Recovery Plan are:

·legislative (developing legal and procedural acts)

·organisational (regular meetings of working groups discussing the various areas of implementation of the National Recovery Plan),

·administrative (allocation of tasks and responsibilities).

Support in the implementation of both actions described in question 5 is also provided by the IT tool designed by Poland, especially the SKANER application used to verify entities and persons (information from public registers and from the Ministry of Funds and Regional Policy’s IT system) and the Cross-Check application which, as part of cohesion policy projects (including EU-REACT), combines expenses into correlated invoice groups in order to check for double financing of expenses.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, fully implementing the recommendation

Poland improved the method for collecting the underlying data in the area of cohesion policy by setting up a system of IT microservices. These microservices serve to facilitate the process of evaluating funding applications, monitoring the implementation of agreements, performing controls and audits and project accounting. The tools include the following applications:

- SKANER (information on: entities from public registers, including their personal and capital links; on those entities’ projects co-financed by the EU; information on beneficial ownership),

- Cross-Checks (a bot combining into correlated invoice groups accounting documents which could be used to check for double financing of expenses),

- e-Controls (an app to perform project controls, including tracing the audit trail).

Moreover, in line with the allocation of competences under Article 125(4)(c) of the Common Provisions Regulation, Managing Authorities provide for procedures to combat financial irregularities and fraud as part of their operational programmes, and are responsible for updating them.

In line with the ‘Guidelines on controls on the implementation of operation programmes for 2014-2020’, the Managing Authority must draft a document on the prevention of and contingency plans for corruption and fraud, including conflict of interest in an operational programme. The Guidelines also regulate the minimum scope of this document, and recommendations on taking into account the current requirements in the relevant EU documents. Once this document is drafted, and every time it is updated, it is transmitted electronically to the Coordinating Authority using a dedicated email address. All of the Managing Authorities in Poland have drafted such documents and take care to keep them updated.

Moreover, cohesion policy operational programme institutions use a system for mutual signalling and exchange of information about potentially risky entities and other identified risks.

In the area of agricultural funds, it is the Paying Agency that is responsible for collecting data on the financial irregularities and fraud detected. As part of the procedures in force since 2009, there are dedicated databases at the Paying Agency, which make it possible to record and update information on the financial irregularities and fraud detected and to monitor individual cases of financial irregularities and fraud. The databases are operated by all of the Paying Agency’s organisational units and by entities carrying out delegated tasks, involved in the process of detecting financial irregularities and fraud. The databases are subject to periodic modification based on new needs as required for reporting irregularities and for analytical activities.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, fully implementing the recommendation

Poland will use the system in line with the obligation under Article 22(4) of Regulation (EU) 2021/241 of the European Parliament and of the Council of 12 February 2021 establishing the Recovery and Resilience Facility.

1.27.Portugal

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

No answer

Q.2 Have you adopted a national anti-fraud strategy?

☒YES, but sectoral

If YES, did you communicate it to OLAF? If you did not communicate it, why? Please transmit it without delay.

The role of the Inspeção-Geral de Finanças (Inspectorate-General of Finance - IGF) as audit authority and AFCOS for European funds is obviously confined to this narrow (i.e. sectoral) scope and should not be mistaken for any broader ‘national anti-fraud strategy’ covering all economic and financial policy areas in Portugal, which would never fall within the IGF's remit as audit authority.

That said, the ‘National Anti-Fraud Strategy’ drawn up by the IGF for the 2014-2020 programming period was circulated by all managing authorities and certifying authorities of European funds in Portugal pursuant to all the regulatory requirements (e.g. Key requirement 7: Effective implementation of proportionate anti-fraud measures - Articles 72(h), 122(2) and 125(4)(c) of the CPR), and has also been made available to the Commission’s audit services at different points in time during the current programming period of 2014-2020.

This Strategy is currently under review (new text needs to be added, specifically the results of the audits conducted in this area in the meantime, and the new key requirements in the field of fraud prevention under the new EU regulatory framework for 2021-2027). Therefore it has not been possible to finalise it and formally communicate it to OLAF yet.

As soon as these requirements are known, an updated version of the National Anti-Fraud Strategy for European funds will be finalised straightaway and circulated to the Commission and the national authorities once again.

We would also point out, as explicitly stated in the report on protection of the European Union’s financial interests (page 30), that the IGF/Portuguese audit authority carried out a targeted audit of the anti-fraud measures adopted by the managing authorities of cohesion policy funds, considered by the Commission to be a pioneering example of best practice.

Has the NAFS been recently updated?

☒NO (+ date of adoption of NAFS). Is the update ongoing or are you considering updating it?

The update is ongoing.

Can you please indicate a timeline for the adoption of a new / updated anti-fraud strategy? 31/12/2022

☒YES, fully implementing the recommendation

During 2021 (as it was also the case for 2020) PT Authority for Tax and Customs monitored, supervised and control, permanently, the supply chain of COVID 19 related goods. That total understanding of the movement helped facilitate the flow of legitimate and essential goods, protect the citizens against unsafe, unlicensed or substandard goods and at the same time, protect the financial interests of the Union and the European companies.

The supervision, profiling, targeting and control were induced via a series of risk profiles implemented over entry, import and controls systems. The evaluation of the performance was crucial for fine tuning of the risk measures implemented.

In 2021, as in 2020, a dedicated team of customs experts were responsible for this work, including the immediate share of intelligence, risk information, alerts and general knowledge of the phenomena, throughout all regional and local customs offices.

☒YES, fully implementing the recommendation

Specific methodologies were designed and implemented for audits and other controls, during the pandemic period when checks on site (on economic operators’ premises) were not taken place.

During that time, layer 1 checks were performed, by assessing all information available on AT systems and open sources, with a view to prepare future action on EO premises. It is important to refer that AT (tax and customs) have access by system to the relevant information in terms of accounts, movement of goods, stocks in warehouses, internal sales/purchases, intracommunity information on sales and acquisition of goods and services, so basically, the only thing missing were the physical contact with goods, under depot.

Also, Customs services, at border and customs offices, never stop working physically, not even during the hardest times of the pandemic.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, fully implementing the recommendation

If you implemented fully the recommendation, can you please describe what type of exercises have you launched? Can you share any specific findings of such exercises?

As part of the update to the National Anti-Fraud Strategy, information was collected for the purpose of identifying risks of fraud, including those related to the impact of COVID-19 and the implementation of the national recovery and resilience plan (RRP). There are, however, no definitive results that can be shared as yet.

The Instituto de Financiamento da Agricultura e Pescas I.P. (Institute for the Financing of Agriculture and Fisheries - IFAP) explained that weighting of risk analysis is applied systematically in several of their areas of activity, namely administrative checks, on-the-spot checks and audits, which therefore covers issues relating to the impact of COVID-19 and the National Recovery and Resilience Plan.

For its part, the Agência para o Desenvolvimento e Coesão, I.P. (Agency for Development and Cohesion, IP - AD&C) stated that under the RRP, there had been systemic analysis of double funding from cohesion policy funds under PT2020 and RRP financing.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, fully implementing the recommendation

The IGP audit authority has carried out some data consistency tests (on open cases) and made the necessary updates. It has also made updates following OLAF/Team IMS alerts. The fact that a smaller number of cases of incomplete data or discrepancies have been detected in these notifications shows how the quality of the data has improved. In its most recent letter of 16 December 2021, OLAF pointed out five Portuguese cases which have been reviewed.

IFAP stated that it has reliable information systems which, when processing and reporting irregularities, pool all the information on the calculation and recording of the amounts to be recovered from the beneficiaries (aid unduly paid) and provide a platform for that information to be periodically transmitted to the Commission, notably via the IMS (OLAF) or as part of the annual submission of accounts (Annexes II and III to Regulation 908/2014 (DG AGRI)).

AD&C pointed out that completion of the ‘reporting of irregularities’ module in SI Audit 2020 will enable data on irregularities to be filled in and processed automatically. Furthermore, for audits of operations, the IT system in use (SICA) contains a specific field for flagging suspected fraud in relation to each of the transactions audited. When the ‘reporting of irregularities’ module comes on stream, this data will be transmitted by SI Audit 2020 automatically. In addition to the above, the Agency has developed a debt management system (SPTD), which receives data from the managing authorities and enables faster and more reliable detection of non-compliances.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, fully implementing the recommendation

IFAP pointed out that it had already been used for monitoring under the EAGF/EAFRD in 2021. It consisted of a satellite-image-based automatic control process enabling checks on all parcels declared so that non-compliant declarations could be detected and corrected in a timely manner, this being compulsory under the new CAP reform.

In relation to the ARACHNE risk scoring tool and EDES-DB, OLAF's early detection and exclusion system database, AD&C mentioned that it was undertaking consultations, specifically with regard to the scope of audit activities and the follow-up of irregularities and other requirements.

1.28.Romania

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

No answer

Q.2 Have you adopted a national anti-fraud strategy?

☒NO

Has the NAFS been recently updated?

☒NO (+ date of adoption of NAFS). Is the update ongoing or are you considering updating it? Can you please indicate a timeline for the adoption of a new / updated anti-fraud strategy?

End of year 2022

☒YES, fully implementing the recommendation

The Directorate for Customs Supervision and Inspection asked the regional customs directorates to carry out specific risk analyses and select, for post-clearance checks, customs declarations for release for free circulation of goods intended to combat the effects of Covid-19 and likely to contain incorrect data, taking into account:

- a growing demand for medical devices, health supplies and medicines for the prevention and treatment of conditions relating to COVID-19 and the urgent need for customs import formalities for such goods;

- the introduction of measures to prevent and combat criminal activities;

- in addition, a customs entity action plan for medical devices, health supplies and medicines for the prevention and treatment of conditions relating to COVID-19 (‘Plan’) No 7411/30.03.2020, approved by the management of the National Agency for Fiscal Administration, was submitted for implementation;

- transmission, for analysis and information, of the documents sent by the customs offices to the Risk Analysis Group referred to in point 5 of the Plan, to the Directorate-General for Combating Tax Fraud (DGAF) and to the Economic Crime Investigation Directorate (DICE) of the General Inspectorate of the Romanian Police.

☒YES, fully implementing the recommendation

Checks were performed on companies that released for free circulation goods necessary to combat the effects of the COVID-19 pandemic during 2020 and benefited from relief from customs duties and from import VAT exemption, in accordance with Decision (EU) 2020/491.

Related risk analyses have been carried out at regional and local level, comprising at least the following two stages:

a) selection of customs import declarations with the following information:

- box 31 – subdivision ‘VAT regime’ - code V2V (referred to as ‘VAT exemption’, Decision (EU) 2020/491);

and/or

- box 37 – subdivision 2 ‘COM’ – code C26 (‘Goods imported to help disaster victims’),

b) verification of compliance with:

- the conditions laid down in points (1) and (2) of Article 1 of Decision (EU) 2020/491.

The checks carried out between January and May 2021 on a total of 17 economic operators did not reveal significant deviations.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, partly implementing the recommendation

If you implemented partially the recommendation, could you please explain why you think it was a partial implementation and why a full implementation was not possible?

Ministry of Investments and European Projects — Managing Authority for the Operational Programme ‘Technical Assistance’ (AM-POAT)

During the COVID-19 pandemic, most of the training activities, conferences, seminars, etc. planned for 2021 as part of technical assistance projects either took place online (where possible) or were postponed to 2022. Several projects were therefore amended in view of the need to adapt to the changing conditions ensuring that activities take place.

Also in the context of the COVID-19 pandemic, the fraud risk assessment took place at the AM-POAT and two main risks were identified in connection with the emergency purchase and management verification procedure. Management verifications were performed at the same high level as in previous years. As for specific findings at Managing Authority level, these verifications did not result in any findings. Just like in previous years, irregularities continued to be very few in number and very low in amount. No emergency purchases were submitted to the AM-POAT for ex-post verification until January 2022.

Ministry of Investments and European Projects - Managing Authority for the Operational Programme ‘Competitiveness ’ (AM-POC)

The AM-POC completed the fraud risk assessment in view of the need to adapt anti-fraud measures to the CRII/CRII+ and REACT-EU objectives.

The most recent assessment took place last year at DG REGIO’s request (letter ref. Ares(2021)2231198 – 31.03.2021) according to which:

‘An updated risk assessment is therefore considered to be necessary both for the current programming period, and also in view of the programmes to be negotiated for 2021-2027. The 2021-2027 operational programmes will in particular have to take into account that additional funding is made available to your Member State under the NextGenerationEU and the Recovery and Resilience Facility (RRF). The risk of double funding will in particular need to be closely monitored and mitigating measures taken, as Cohesion policy and RRF will co-finance investments in a complementary way.’

Ministry of Investments and European Projects – Directorate-General for Management of the Recovery and Resilience Facility (MIPE-DGMMRR)

- The European Commission issued a positive verdict on Romania’s Recovery and Resilience Plan on 27 September 2021, meaning that most of the requests made to the Ministry of Investment and European Projects do not apply to the Directorate-General for Management of the Recovery and Resilience Mechanism;

-We are currently drawing up the legislative and procedural framework for implementing the National Recovery and Resilience Plan.

-A set of risks was already defined back at the preparation stage of the National Recovery and Resilience Plan, and those risks have been identified for all components/reforms and investments.

-Turning to the implementation stage of the National Recovery and Resilience Plan, the MIPE-DGMMRR is currently defining the risks in terms of both impact and probability.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, partly implementing the recommendation

Anti-Fraud Department — Information Management Directorate

Yes, we have improved the way underlying data and data on detected irregularities are collected and used.

Ministry of Investments and European Projects — Managing Authority for the Operational Programme ‘Technical Assistance’ (AM-POAT)

The Managing Authority makes good use of the data collected to prevent and deal with irregularities.

To this end, AM-POAT has implemented several levels of checks, such as the use of:

- internal operational procedures (OP for Irregularity Management and OP for Fraud Risk Assessment),

- inter-institutional cooperation protocols and agreements,

- the ARACHNE, ONRC and REGAS information systems.

Ministry of Investments and European Projects - Managing Authority for the Operational Programme ‘Competitivity’ (AM-POC)

Fraudulent and non-fraudulent irregularities are closely monitored until debts are recovered. In order to correctly address the problem, in particular as regards suspicions of irregularity and the way they are followed up, the Managing Authority has implemented several levels of checks, such as: use of internal operational procedures (OP for Irregularity Management, OP for Major Risk Assessment and OP for Fraud Risk Assessment). They all describe in depth the activities that are mandatory for the sole purpose of successfully identifying, sanctioning and monitoring all cases of irregularities.

In addition to the procedures mentioned above, the Managing Authority also has access to ARACHNE. It is a risk-scoring tool developed by the Commission that aims to support the Managing Authority’s efforts to effectively and efficiently identify the riskiest projects, contractors and beneficiaries, as required for the management verification under Article 125(4)(c) of Common Regulation (EU) No 1303/2013.

Ministry of Investments and European Projects - Managing Authority for the Operational Programme ‘Human Capital’ (AM-POCU)

The way the Managing Authority collects information on detected irregularities has been improved.

Another important aspect in preventing irregularities is the application by the Managing Authority and intermediate bodies of clear procedures to ensure a uniform approach across all entities involved in the monitoring and implementation of projects.

As regards monitoring the reporting of irregularities, this is done on a continuous basis through actions aimed at verifying the status of the investigation of irregularities and updating the initial reports with the latest information communicated (e.g.: recovery, administrative appeal, court action).

Furthermore, since the 2014-2020 programming period, the activity of identifying suspected irregularities has been carried out exclusively by the Managing Authority, through the entity responsible for irregularity management. Intermediate bodies and entities within the Managing Authority submit irregularity alerts.

While some steps have been taken, we consider that it is mandatory for the process to continue, as the prevention and monitoring of irregularities are ongoing actions, and project implementation is a dynamic process influenced by a multitude of factors.

Owing to the Covid situation and the use of a digitalised system, information is transmitted through electronic tools (IT system) to ensure a more reliable system, faster communication and a safer working environment. Beneficiaries submit their documents through the IT system (SMIS 2014 +). Consequently, there are fewer cases where there is a difference between the documents at the level of the beneficiary/partners and the documents submitted to the Managing Authority/intermediate bodies. This has made it easier to identify possible irregularities.

All these actions, together with the support given to beneficiaries, have led to a decrease in the number of irregularities.

The operational procedure for irregularity management has been updated, taking into account the new challenges, and it is specified that suspicions of irregularity are communicated not only to the intermediate body but also to the entities responsible for monitoring the project within the Managing Authority. Where the matter has been referred to the competent bodies (e.g.: DLAF/DNA/ANI), all relevant entities are informed, as is done for status updates regarding the conduct of investigations. Thus the information is communicated in real time.

Ministry of Investments and European Projects – Directorate-General for Management of the Recovery and Resilience Facility (MIPE-DGMMRR)

At this stage, the MIPE-DGMMRR is developing the legislative and procedural framework and also the IT system for the implementation of the National Recovery and Resilience Plan.

As part of this work, the MIPE-DGMMRR will provide for appropriate measures for data collection and the use of information to detect irregularities.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, partly implementing the recommendation

Anti-Fraud Department — Information Management Directorate

Yes, we will use the Commission’s integrated and interoperable information and monitoring system.

Ministry of Investments and European Projects - Managing Authority for the Operational Programme ‘Competitivity’ (AM-POC)

The Managing Authority will use the integrated and interoperable information and monitoring system where necessary, as suggested by the Commission.

Ministry of Investments and European Projects – Directorate-General for Management of the Recovery and Resilience Facility

The recommendation is partially implemented through the actions described in the reply to the previous question, i.e. the MIPE-DGMMRR is developing the legislative and procedural framework as well as the IT system for the National Recovery and Resilience Plan.

When the IT system is fully operational, it will provide integrated data that can be used in the monitoring system provided by the Commission.

1.29.Slovenia

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

No answer

Q.2 Have you adopted a national anti-fraud strategy?

☒NO

☒YES, fully implementing the recommendation

SI Answer (Financial Administration of the Republic of Slovenia): Perfect example about this not only on national level but also on EU level is customs action plan which ensures the implementation uniform controls within the EU.

Customs action plans are a well-established way of delivering jointly agreed activities. They are built on customs priorities resulting from situational awareness analysis. Drafting and adopting the 11th action plan was one of the most important jobs for the Slovenian Presidency in the second part of 2021. The action plan defines activities for the next two years: 2022 and 2023.

Due to special the particular circumstances in relation to the COVID-19 pandemic, some actions from the previous 10th CCWP Action plan could not be finalised in a foreseen timeline accordance with the schedule. Actions from the 10th CCWP Action plan which, according to the action leaders’ assessment, could not be concluded until by 30 June 2022 and merit to be continued in the 11th LEWP Custom Action Plan but were worth continuing were transferred to the 11th LEWP Custom Action plan. Some of the transferred actions were pooled together and merged with other similar Actions proposed under 11th Action Plan.

The customs action plan is taking into account flexibility for the type of custom checks and diminish the potential impact of unexpected future events. And the most important ensure the implementation uniform controls within the EU.

The important part of the customs action plan are Joint customs operations (‘JCOs’) which are targeted actions limited in time that aim to combat fraud and the smuggling of sensitive goods in specific areas at risk and/or on identified trade routes.

☒YES, fully implementing the recommendation

SI Answer (Financial Administration of the Republic of Slovenia): Under question 3 is given the example of customs action plan. The action plan and the Situational Awareness Paper (SAP) include identified financial risks, moreover the measures to address these risks are identified in the customs action plan.

The 11th LEWP customs action plan, drafted and approved under the Slovenian Presidency, is based on the SAP prepared by the Portuguese Presidency. Member States presented the most relevant crime and threat areas for customs that and these were collected set out in the SAP. In the action plan also, the financial risks have been identified.

The Slovenian Presidency took full account of relevant SAP findings, performed further prioritisation of the SAP results and prepared the consultation questionnaire, in which Member States indicated their interest in undertaking joint actions. Through the consultation process, the indications given by Member States and other stakeholders (DG HOME, DG TAXUD, OLAF, Europol and Frontex) for proposed actions under the new Action Plan have been collected, coordinated and mapped out in the 11th Action Plan, which was approved on 13 December 2021 at the last LEWP Customs meeting under the Slovenian Presidency.

In the first half of 2020, due to the COVID-19 epidemic, a number of post-release controls were postponed due to the lower availability of taxpayers (waiting to work, sick leave). During this time, no controls were carried out at the headquarters of the companies due to the epidemic. However, these postponed controls were carried out in the second half of 2020 and an appropriate number of ex-post controls were carried out on an annual basis.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒NO

If you did not implement the recommendation, could you please explain why?

Response - Recovery and Resilience Office of the Republic of Slovenia:

The Office of the Republic of Slovenia for Recovery and Resilience was established on 2 August 2021. So far, we have not dealt with this topic in more detail, as we are just establishing the implementation system of the Recovery and Resilience Plan in Slovenia, and we will include this in the documents we are preparing and relating to risk management.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒NO

If you did not implement the recommendation, could you please explain why? Could you explain how your current framework already ensures high quality and reliability of data?

Response - Recovery and Resilience Office of the Republic of Slovenia:

The Office of the Republic of Slovenia for Recovery and Resilience was established on 2 August 2021. So far, we have not collected and used the basic data, as well as those related to the detected irregularities, as we are only in the initial phase of establishing the implementation system of the Recovery and Resilience Plan. However, we will include this in the documents we are preparing, which relate to the collection and use of basic data, as well as to detected irregularities.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, fully implementing the recommendation

If you did not implement the recommendation, could you please explain why?

Response - Recovery and Resilience Office of the Republic of Slovenia:

When establishing the implementation system of the Recovery and Resilience Plan we will also check the possibilities of use of the integrated and interoperable information and monitoring system made available by the Commission for both the Recovery and Resilience Facility and the EU budget.

1.30.Slovakia

The Government Office of the Slovak republic via its organisational unit National Office for OLAF, which is responsible for ensuring and coordinating the protection of the EU´s financial interests in the Slovak Republic, provided replies to questions related to cross-cutting aspects of the fight against fraud (EPPO and NAFS).

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

N/A. Slovakia participates in EPPO.

Q.2 Have you adopted a national anti-fraud strategy?

☒YES

If YES, did you communicate it to OLAF? If you did not communicate it, why? Please transmit it without delay.

Yes. The Slovak National Anti-Fraud Strategy (NAFS) was communicated to OLAF (as well as its update).

Has the NAFS been recently updated?

☒NO (+ date of adoption of NAFS). Is the update ongoing or are you considering updating it? Can you please indicate a timeline for the adoption of a new / updated anti-fraud strategy?

The National Strategy for the Protection of the European Union’s Financial Interests in the Slovak Republic (adopted in 2015) was updated in June 2019. We are aware of the need for the update of the current NAFS in order to address new challenges in the area of the protection of the EU’s financial interests and we are considering updating it in the upcoming period, but the exact timeline has not been determined yet.

The Government Office of the Slovak republic via its organisational unit National Office for OLAF contacted the Financial Directorate of the Slovak republic, which is the AFCOS network partner responsible for the protection of the revenue side of the EU budget. The Finance Directorate of the Slovak republic provided the information for the revenue part of the questionnaire below.

☒NO

If you did not implement the recommendation, could you please explain why?

The time period during which the physical checks could not be carried out was relatively short and the post-release checks were ordered for the cases falling under the aforementioned period.

☒NO

If you did not implement the recommendation, could you please explain why?

In the subsequent period, the physical inspection of goods was already fully ensured in compliance with hygiene standards in order to ensure the safety and security of the Financial Administration officers against COVID-19.

The lower number of reported irregularities (fraud and non-fraud) compared to previous years was also caused due to the overall decrease in the import volume caused by the COVID-19 pandemic as well.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, partly implementing the recommendation

If you implemented partially the recommendation, could you please explain why you think it was a partial implementation and why a full implementation was not possible?

We have contacted AFCOS network partners (national authorities, including managing authorities, certifying authority, control bodies etc.) in order to provide relevant information with respect to this question. Some of the partners fully implemented the recommendation, e.g. several managing authorities updated their risks matrixes following Commission´s recommendations to managing authorities. Other partners have partly implemented the recommendation, as they are in the process of setting up their risk management procedures (this relates mainly to the implementation of the new programming period 2021 – 2027, start of RRF implementation and improving of the APA processes).

Below please find detailed replies as provided by AFCOS partners:

In 2021, the Working Group for Risk/Fraud Risk Management of the OP EQ took into account the guidance/letter of 31. 03. 2021 for managing authorities in relation to COVID-19 titled Necessity to update fraud risk assessments and to adapt anti-fraud measures by the managing authority in the context of CRII / CRII + and REACT-EU measures and its annexes titled COVID-19 and „Recovery plan for Europe“ instruments: risks for the legality and regularity of expenditure and mitigating measures. Follow up to 26 November 2020 Working group of audit authorities”. In connection with the above mentioned letter, the Working Group for Risk Management of the OP EQ assessed the impact of COVID-19 on individual risks within the framework of risk analysis and assessment.

As part of the further risk management procedure of the OP EQ, the implementation of the Recovery and Resilience Facility will also be taken into account, if relevant.

2. The Ministry of Health of the Slovak Republic, acting as the intermediate body for the Integrated Regional Operational Programme 2014 – 2020 (IROP) fully implemented the recommendation.

Incorporation of the risk matrix in relation to the specific objective 2.1.4 (COVID-19 pandemic) following the EC letter (ref. Ares (2021) 2231198-310302021) addressed to all managing authorities (intermediate bodies) on the need to update the fraud risk assessment and to take anti-corruption measures in the context of CRII / CRII + (European Commission anti-pandemic measures) into internal management documents, together with measures to mitigate the impact of fraud risks during a pandemic situation. The proposals are discussed at a meeting of the Risk Management Working Group, which usually meets once a year at IB level for IROP (Ministry of Health of the Slovak Republic).

3. The Ministry of Agriculture and Rural Development of the Slovak Republic and the Agricultural Paying Agency (APA) partly implemented the recommendation.

In connection with the in-depth and targeted risk assessment, the Agricultural Paying Agency (APA) monitors the risks of fraud at regular intervals, and the proposed measures reduce these risks and thus prevent the emergence of new potential fraud risks. Identified possible fraud risks are incorporated into the APA's internal methodological documentation. APA is currently unifying a risk monitoring system.

4. The Ministry of Investments, Regional Development and Informatization of the Slovak Republic (MIRDI) partly implemented the recommendation.

The managing authority for Interreg SK-AT and SK - CZ regularly assesses risks on an annual basis and also uses all IT tools to protect the EU's financial interests, e.g. ARACHNE. In 2021, no specific risks were identified due to the COVID-19 pandemic, as the Interreg programs did not introduce simplified expenditure control rules due to the COVID-19 pandemic.

In the preparation of the Programme Slovakia (Programming period 2021 - 2027) MIRDI takes into account and manages potential risks arising from the COVID-19 pandemic and from the implementation of the Recovery and Resilience Plan. Although formal procedures have not yet been established by the managing authority, several risk mitigation measures are being developed/are planned to be put in place during programming, e.g: (1) consultation to identify clear dividing lines between the Recovery and Resilience Plan and the Programme Slovakia in order to avoid double financing; (2) consultation on the interoperability of IT systems for the Cohesion Policy and the Recovery and Resilience Mechanism. The aim is, among others, to store standardised categories of data for both systems; (3) ensuring a fully electronic data exchange between bodies involved in the implementation of EU funds, including setting up a framework to ensure online meetings of bodies implementing EU funds. Consequently, it will be necessary to focus on increasing the control of activities taking place online; (4) designation of a single intermediate body (the Public Procurement Office) to control contracts for all projects of Programme Slovakia - the measure will strengthen expertise and introduce the application of uniform and best practices in contract control; (5) considering the application of the EC's in-depth data analysis for Cohesion Policy and the Recovery and Resilience Mechanism, once it is made available by the EC.

The measures will be part of the implementation management documentation that is currently under preparation.

5. The Ministry of Finance of the Slovak Republic, acting as Certifying Authority (CA) has not implemented the above recommendation yet; however, in 2022 CA plans to carry out certification verifications in relation to the expenditure used to mitigate the Covid-19 impacts. As regards the implementation of the Recovery and Resilience Facility, it should be noted that it is not in the competence of CA.

6. The Supreme Audit Office of the Slovak Republic (SAO SR) partly implemented the recommendation.

Due to the pandemic, SAO SR has changed the goals and focus of its planned audits, so based on risk analyses, SAO SR has planned in 2021 two audits related to the COVID-19 pandemic for year 2022, results of which will be presented in individual reports on the results of the audit.

In connection with the pandemic, planned activities of SAO SR for 2021 resulting from the SAO SR Development Strategy for 2020 – 2025 have included the analysis of internal management acts for the purpose of digitizing the SAO SR processes. The need for more significant digitization of processes in organizations of public administration was not only highlighted by the ongoing pandemic, but without it it´s impossible to apply new forms of work organization that would increase its efficiency, save financial and human resources as well as time - all strategic goals. However, the task cannot be completed within one year due to potential financial demands. Deadline for the elaboration of the proposal on scope of digitization was 31.12.2021. The evaluation of this activity will take place in the coming months. Representatives of SAO SR are also currently members of the international working group for the Recovery and Resilience Plan, the creation of which was initiated by the European Court of Auditors (ECA), representing an informal cooperation between the state audit institutions (SAI) and ECA. In this context, the SAIs of Belgium, Germany and EDA invited all SAIs from the Contact Committee to participate in regular exchange of views in order to discuss specific issues related to the oversight of the Recovery and Resilience Facility (RRF) and the National Recovery and Resilience Plans (NRRP).

7. The Government Office of the Slovak Republic, acting as the National Implementation and Coordination Authority (hereinafter referred to as “NICA”) responsible for the implementation, monitoring and overall coordination of the Recovery and Resilience Plan, as well as for reporting to the Commission, partly implemented the recommendation. In this regard NICA stated that Slovakia has launched the process of risk management concerning the upcoming implementation of the Recovery and Resilience Facility.

One of the tools for detailed monitoring of risks at the level of milestones and targets is risk database which monitors thematic and horizontal risks – e. g. public procurement, Strategic Environmental Assessment (SEA) and Environmental Impact Assessment, political risks. Risk database will allow to prioritize monitoring of specific milestones and targets that reach significant importance. At the same time, the tool allows to aggregate data and thus divide milestones and their according to their affiliation to individual horizontal risks. Furthermore, NICA imposed an obligation on the executors (central government bodies designated by the government that are responsible for implementing the investment or implementing the reform in accordance with the recovery plan) to assess the risks of fraud. Each executor shall perform a fraud risk self-assessment. Its output will be a catalogue / list of risks. The deadline to complete the self-assessment is March 31, 2022. In addition, Slovakia has requested the Commission to provide technical support for enhancing the risk identification and assessment framework to be set up by the national authorities to identify and monitor the risks for the completion of milestones and targets and the underlying reforms and investments, as well as for other reporting obligations related to RRF Regulation. The project is ongoing and support covers the following steps: (1) conducting analysis of deficiencies and irregularities; (2) identifying good practices in risk identification, assessment and management of other EU Member States (3) creating a list of the most important potential risks (4) providing recommendations in the form of a handbook (5) providing support to the relevant authorities. After the process is finished, the recommendation could be considered as implemented.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, fully implementing the recommendation

We have contacted AFCOS network partners (national authorities, including Managing Authorities, Certifying Authority, control bodies etc.) in order to provide relevant information with respect to this question. All of the partners that provided us with the reply stated that they had fully implemented the recommendation, except one that stated that the recommendation had been partially implemented due to the lack of access to ARACHNE.

Below please find more detailed information from the AFCOS partners about on how the full implementation was achieved:

1. The Ministry of Environment of the Slovak Republic, acting as the managing authority for the Operational Programme Quality of Environment 2014 – 2020 (OP QE) fully implemented the recommendation. The Working Group for Risk Management / Fraud Risks of the OP EQ in 2021 used ITMS2014+, ARACHNE, EDES, databases / lists of irregularities, etc. within the risk management / fraud risks of OP EQ.

2. The Ministry of Agriculture and Rural Development of the Slovak Republic and the Agricultural Paying Agency (APA) fully implemented the recommendation. APA makes full use of the Arachne tool as a risk assessment tool. The data on detected irregularities and fraud detected during inspections are collected in a file, which then serves as a tool for further processing in the relevant information systems. At the same time, APA uses an application that serves as a support tool for fraud detection, where information is collected from all available sources, including the detection of direct links to other business entities.

3. The Ministry of Health of the Slovak Republic, acting as the intermediate body for the Integrated Regional Operational Programme 2014 – 2020 (IROP) fully implemented the recommendation. The coordinator of audits and certification verifications and the employee in charge of fraud risk collection collect data on irregularities and audit findings. Subsequently, the employee in whose scope is also the analysis of fraud risks analyses and proposes to take measures to prevent the occurrence of the risk in question in the future. The proposals are then discussed at a meeting of the Risk Management Working Group, which usually meets once a year.

4. The Ministry of Investments, Regional Development and Informatization of the Slovak Republic fully implemented the recommendation.

The Managing Authority for Interreg SK-AT and SK – CZ collects and uses the underlying data registered in the internal database and in the national IT monitoring system (ITMS2014+). ITMS2014+ what ensures the transparent collection and processing of data on irregularities.

The Programme Slovakia (programming period 2021 - 2027) is currently in the programming phase and improvements are being discussed at national level. Slovakia will continue to use Arachne and EDES systems in the 2021-2027 programming period. Increased transparency of the implementation of EU funds is planned; all data whose disclosure is not restricted by law will be automatically published by the IT system in a user-friendly form. The public will be able to check all actions supported by EU funds based on these data.

5. The Ministry of Finance of the Slovak Republic, acting as Certifying Authority (CA) fully implemented the recommendation. Thanks to procedures that have been already in process from the beginning programming period of the 2014-2020, the Certifying Authority did not have to introduce significant improvements of collecting data concerning detected irregularities. Information monitoring system used for the implementation of the European Structural and Investment Funds meets all requirements in compliance with EU regulation. Only minor modifications were made to the user interface in 2021. The quality and reliability of data is guaranteed and stable.

6. The Supreme Audit Office of the Slovak Republic (SAO SR) partly implemented the recommendation. SAO SR collects background data through: (1) systematic analyses and other analyses of data from public administration information systems and other information sources; (2) analyses of development of the economic environment, budget revenues and expenditures, fiscal, budgetary and structural policies; (3) monitoring and analyses of audit findings that may impact state budget; (4) commonly available sources and inquiries addressed to audited entities; (5) on the basis of Act 39/1993 Coll. on SAO SR; (6) benchmark; (7) international initiative BIEP (the benchmarking information exchange project); (8) international working groups; (9) V-4 meeting of the Presidents of SAI; (10) suggestions of citizens. In 2021, SAO SR commenced the audit “Irregularities in the 2014-2020 programming period” at the Ministry of the Environment of the Slovak Republic and the Ministry of Transport and Construction of the Slovak Republic, the results of which will be known in the course of 2022. Background data were drawn from ITMS2014+ and based on the analysis of irregularities, audited entities were selected. The database was subsequently updated with additional data entered into ITMS2014+ by the said audited entities, on the basis of which a sample of irregularities was selected to be audited. It being partial implementation of recommendations is due to the fact that SAO SR does not have access to the integrated IT tool ARACHNE, which is big restriction for SAO SR. ARACHNE would perform as in-depth data analysis increasing the efficiency of project selection, strengthen identification and detection of fraud.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

We do not have any exact information about the new integrated and interoperable system mentioned above and we are not aware that the Commission would have made such system available for Member States already, so we cannot answer this question properly. We would welcome more details about this new system (e.g. about conditions of its usage) and Slovakia may then consider using it.

Other systems set up by the Commission, which are commonly used in Slovakia, are: e.g. SFC, IMS, ARACHNE, EDES.

1.31.Finland

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

Finland has already joined the EPPO.

Q.2 Have you adopted a national anti-fraud strategy?

☒NO

If you did not implement the recommendation, could you please explain why?

We didn´t notice any special risks which would have effect on controls. The controls at operators’ premises were flexibly replaced with documentary controls and video conferences. The change of control type did not have effect on the results.

☒NO

If you did not implement the recommendation, could you please explain why?

The number of controls before releasing goods into free circulation has been in the same level than previous year and we did not have to replace them with post-clearance controls.

We carried out post-clearance controls and audits according to the audit plan. The auditors audited documents or electric material in the office and had video conferences with companies. The companies’ premises were visited only if necessary.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, partly implementing the recommendation

If you implemented partially the recommendation, could you please explain why you think it was a partial implementation and why a full implementation was not possible?

The recommendation is partly implemented as the preparation for the implementation of the RRF is still ongoing. In the preparatory work, a particular attention has been paid to the organization of internal controls so that they mitigate the risks of fraud, corruption, conflicts of interest and double-funding. The implementation of RRF is based, in line with the regulation, on the regular national budget management systems. However, at the same time the regular national budget management system needs to be supplemented in order to meet the EU level requirements especially on controls and collection of data.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, partly implementing the recommendation

As part of the preparation phase for the implementation of the RRF, a new project has been launched with an aim to create a new information system for the programme. The new system will collect data from different national authorities’ information systems linked to the RRF. In this way, all authorities responsible for audits and controls in the RRF can make use of the data. In this way the new information system will improve availability and coverage of the data. The quality of the data will be reviewed with audit and control measures. The new information system is still under preparation and, therefore, the recommendation is partly implemented.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒YES, partly implementing the recommendation

The possibilities to use the Commission’s a data-mining and risk-scoring tool and to link it with the new national RRF information system are being examined during the preparation phase for the implementation of the RRF. The preparation is still ongoing and, therefore, the recommendation is partly implemented.

1.32.Sweden

Q.1. For the Member States not having joined the EPPO yet. Are there plans to join the EPPO in the short-medium term?

☒YES

If YES, can you provide some additional information on the state-of-play?

The Swedish Government is committed to Sweden joining the European Public Prosecutors Office (EPPO) as soon as possible. The Swedish Government is working on a legislative proposal containing the necessary provisions for Sweden to join. In accordance with the standard legislative process the proposal will be referred to the Council on Legislation for consideration. Thereafter, the Government can submit a proposal in the form of a government bill to the parliament for approval. The objective is to have a proposal ready by the end of 2022.

Q.2 Have you adopted a national anti-fraud strategy?

☒NO

☒YES, fully implementing the recommendation

Swedish Customs reacted rapidly and adapted its organisation in order to meet the effects of the Covid 19-pandemic. Swedish Customs have contingency plans in the form of steering- and supporting documents which made it possible to react when the flow of goods changed.

Swedish customs works in accordance with EU recommendations when it comes to customs controls.

☒YES, fully implementing the recommendation

From an operational perspective, Swedish customs had the same possibilities during the pandemic as before for profiling, risk-assessment and intelligence operations. The level of staff absent due to sick leave has been non-dramatic. Swedish customs has had the possibility for telework and has never been subject to lockdown. The adaption to telework was quick and has not been affected by the circumstances.

Q.5 Have you launched targeted risk management exercises linked to the impact of Covid-19 and the upcoming implementation of the Recovery and Resilience Facility?

☒YES, fully implementing the recommendation

If you implemented fully the recommendation, can you please describe what type of exercises have you launched? Can you share any specific findings of such exercises?

The Swedish government advocates a risk-based approach when it comes to management of EU-funds and the implementation of the RRF. The managing agencies and the auditing agency are responsible for risk management exercises and have great freedom when it comes to their daily operational work. The Government has ensured system-level capacity for an appropriate management through the framework for internal management and control. In the implementation of the RRF, the government has tasked the agencies with implementing the RRF in accordance with applicable EU-regulations.

Q.6 Have you improved the manner in which underlying data, as well as those concerning detected irregularities, are collected and used?

☒YES, fully implementing the recommendation

The managing agencies are responsible for ensuring that the data collected and used is collected in an appropriate manner and that this these processes are continuously revised and improved. The Government has enhanced the preconditions for this through the work of the Swedish Council for the Protection of the Europeans Union’s Financial Interests (the SEFI Council). The council is responsible for among other competence development for the agencies and for reporting to the Government on the protection of the EU’s financial interests in Sweden. The report details what the SEFI Council and its member authorities have done during the period covered to promote efficient and correct handling of EU funds in Sweden. The council’s role in the implementation of the RRF has been strengthened and formalised within the framework of the Swedish Recovery Plan.

Q.7 Will you use the integrated and interoperable information and monitoring system that the Commission has made available for both the Recovery and Resilience Facility and the EU budget?

☒NO

If you did not implement the recommendation, could you please explain why?

In line with Swedish traditional division of responsibilities and practices this is up to each individual managing agency to decide on.

(1)

Bulgaria, Czechia, Estonia, France, Croatia, Italy, Latvia, Lithuania, Hungary, Malta, Slovakia.

(2)

Denmark, Greece, Austria, Portugal.

(3)

Germany.

(4)

Belgium, Ireland, Spain, Cyprus, Luxembourg, the Netherlands, Poland, Romania, Slovenia, Finland, Sweden.

(5)

Belgium, Spain, Luxembourg, Romania.

(6)

Bulgaria, Czechia, Estonia, Ireland, Greece, Italy, Cyprus, Latvia, Lithuania, Luxembourg, Hungary, Poland, Portugal, Romania, Slovenia, Sweden.

(7)

Belgium, Germany, Spain, France.

(8)

Denmark, Croatia, Malta, the Netherlands, Slovakia, Finland.

(9)

Czechia, Estonia, Ireland, Greece, Spain, Italy, Cyprus, Latvia, Lithuania, Luxembourg, Hungary, Poland, Portugal, Romania, Slovenia, Sweden.

(10)

Belgium, Bulgaria, France.

(11)

Denmark, Germany, Croatia, Malta, the Netherlands, Slovakia, Finland.

(12)

Denmark, Estonia, Greece, Italy, Cyprus, Latvia, Luxembourg, Malta, Poland, Portugal, Sweden.

(13)

Belgium, Bulgaria, Czechia, Spain, France, Croatia, Hungary, the Netherlands, Romania, Slovakia, Finland.

(14)

Germany, Ireland, Lithuania, Slovenia.

(15)

Bulgaria, Greece, Croatia, Italy, Cyprus, Latvia, Luxembourg, Hungary, Malta, the Netherlands, Poland, Portugal, Slovakia, Sweden.

(16)

Belgium, Czechia, Denmark, Spain, France, Romania, Finland.

(17)

Germany, Estonia, Ireland, Lithuania, Slovenia.

(18)

Belgium, Bulgaria, Czechia, Denmark, Ireland, Greece, Spain, France, Italy, Cyprus, Latvia, Luxembourg, Hungary, Malta, the Netherlands, Poland, Portugal, Slovenia, Slovakia.

(19)

Croatia, Lithuania, Romania, Finland.

(20)

Germany, Estonia, Sweden.

(21)

Belgium, Bulgaria, Czechia, Germany, Estonia, Greece, Spain, France, Croatia, Italy, Cyprus, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Austria, Portugal, Romania, Slovenia, Slovakia, Finland.

(22)

Bulgaria, Czechia, Estonia, France, Croatia, Italy, Latvia, Lithuania, Hungary, Malta, Slovakia.

(23)

Denmark, Germany, Greece, Portugal.

(24)

Belgium, Ireland, Spain, Cyprus, Luxembourg, the Netherlands, Poland, Romania, Slovenia, Finland, Sweden.

(25)

Bulgaria, Czechia, Estonia, Ireland, Greece, Italy, Cyprus, Latvia, Lithuania, Luxembourg, Hungary, Poland, Portugal, Romania, Slovenia, Sweden.

(26)

Belgium, Germany, Spain, France.

(27)

Denmark, Croatia, Malta, the Netherlands, Slovakia, Finland.

(28)

Czechia, Estonia, Ireland, Greece, Spain, Italy, Cyprus, Latvia, Lithuania, Luxembourg, Hungary, Poland, Portugal, Romania, Slovenia, Sweden.

(29)

Belgium, Bulgaria, France.

(30)

Denmark, Germany, Croatia, Malta, the Netherlands, Slovakia, Finland.

(31)

Denmark, Estonia, Greece, Italy, Cyprus, Latvia, Luxembourg, Malta, Poland, Portugal, Sweden.

(32)

Belgium, Bulgaria, Czechia, Spain, France, Croatia, Hungary, the Netherlands, Romania, Slovakia, Finland.

(33)

Germany, Ireland, Lithuania, Slovenia.

(34)

Act of 3 April 2020 on special arrangements supporting the implementation of operational programmes in connection with the outbreak of COVID-19, Journal of Laws 2021, item 986.

(35)

Bulgaria, Greece, Croatia, Italy, Cyprus, Latvia, Luxembourg, Hungary, Malta, the Netherlands, Poland, Portugal, Slovakia, Sweden.

(36)

Belgium, Czechia, Denmark, Spain, France, Romania, Finland.

(37)

Germany, Estonia, Ireland, Lithuania, Slovenia.

(38)

Belgium, Bulgaria, Czechia, Denmark, Ireland, Greece, Spain, France, Italy, Cyprus, Latvia, Luxembourg, Hungary, Malta, the Netherlands, Poland, Portugal, Slovenia, Slovakia.

(39)

Croatia, Lithuania, Romania, Finland.

(40)

Germany, Estonia, Sweden.