The Schengen information system (SIS), created in 1995 following the abolition of internal border controls in the European Union (EU), is a large-scale database supporting external border control and law enforcement cooperation between member countries of the Schengen Agreement (currently 25 EU Member States and four associated countries).
The three regulations are designed to strengthen the SIS II – established in 2006 and operational since 2013 – particularly in light of migration and security challenges. They replace the legislation laid down in Regulations (EC) Nos 1986/2006 and 1987/2006, and Decision 2007/533/JHA.
KEY POINTS
System architecture
The SIS consists of the following.
A central system (central SIS) with:
a technical support function (CS-SIS), containing a database (SIS database) performing technical supervision and administrative functions, and a backup CS-SIS;
a uniform national interface (NI-SIS).
A national system (N.SIS) in each country to communicate with the central SIS, including at least one national or shared backup N.SIS. The N.SIS may contain a data file (a ‘national copy’) containing a complete or partial copy of the SIS database. It is not possible to search data files in another N.SIS, unless the country concerned has agreed to share the file.
is responsible for the operational management of the central SIS;
performs maintenance work and technical developments necessary for the smooth running of the central SIS;
implements technical solutions to strengthen the uninterrupted availability of the central SIS;
in exceptional circumstances, may develop an additional copy of the SIS database;
publishes a list of the N.SIS offices and Sirene Bureaux.
The procedural rules of the SIS state the following.
Alerts1 should be kept in the SIS only for the time required to achieve the purpose for which they were entered.
Alerts must be reviewed within defined periods; the Member State may then decide to prolong them, otherwise they are automatically deleted. The review periods are:
5 years for alerts on persons wanted for arrest, surrender or extradition purposes and missing persons who may or may not need to be placed under protection;
3 years for alerts on persons sought to assist with a judicial procedure, alerts on unknown wanted persons, alerts on return and alerts for refusal of entry and stay; however, if the national decision on which the alert on return or alert for refusal of entry and stay is based provides for a longer period of validity than 3 years, the alert shall be reviewed within 5 years;
1 year for alerts on children at risk, on vulnerable persons who need to be protected from travelling and on persons subject to discreet, inquiry or specific checks;
10 years for alerts on objects for specific checks or for seizure or use as evidence in criminal proceedings; the European Commission has adopted implementing acts to establish shorter review periods for certain categories of alerts on objects.
Categories of data to be entered into the system must be designed to help end users to identify a person and take decisions quickly. They must include the minimum set of data (surname, date of birth, reason for the alert and action to be taken), along with other data, such as type of offence, photographs and dactyloscopic2 information, if available.
The use of biometric and dactyloscopic data must respect EU law and fundamental rights and meet minimum quality standards and technical specifications.
A case must be adequate, relevant and sufficiently important to warrant an SIS alert; for example, an alert related to a terrorist offence meets these criteria.
Only the issuing Member State may modify, add to, correct, update or delete data in the SIS.
A country that considers acting on an alert that would be incompatible with its national law, international obligations or essential interests may attach a flag3 to the alert, which indicates that it will not take action on its territory.
Costs
The EU budget covers the operational, maintenance and development costs of the central SIS and the communication infrastructure.
Member States cover the operational, maintenance and development costs of their own N.SIS.
Main details of each regulation
Regulation (EU) 2018/1860 strengthens the enforcement and effectiveness of the EU’s return policy.
It lays down common conditions and procedures for entering and processing alerts and exchanging supplementary information on non-EU nationals subject to return decisions4.
It requires national authorities to enter alerts as soon as a return decision is taken.
It establishes categories of data to be included in the alert.
It establishes harmonised procedures for:
confirmation of return – verification that a return decision has been complied with and, if not, notification given to the relevant authorities;
deletion of alerts to ensure there is no delay between the departure of a non-EU national and the activation of an entry ban, when relevant;
compulsory consultation between national authorities:
before granting or extending a residence permit or long-stay visa for a non-EU national who is the subject of a return alert in another Member State that is accompanied by an entry ban,
before entering an alert on a return decision concerning a non-EU national who is the holder of a valid residence permit or long-stay visa granted by another Member State or when this emerges at a later stage.
Regulation (EU) 2018/1861 covers the use of the SIS for entry bans.
It establishes the conditions and procedures for entering and processing alerts and exchanges of supplementary information5 on non-EU nationals refused entry into or the right to stay in the EU.
It introduces categories of data to be included in the alert.
It introduces harmonised procedures for:
compulsory entry of an alert when a non-EU national is refused entry or the right to stay because they pose a security threat or are subject to a restrictive order preventing entry into, or transit through, a Member State;
entering alerts on non-EU nationals who are beneficiaries of the right of free movement within the EU;
mandatory consultation between national authorities before granting or extending a residence permit or long-stay visa for a non-EU national refused the right of entry into or stay in another Member State or before or after entering an alert for refusal of entry and stay on a non-EU national who is the holder of a valid residence permit or long-stay visa granted by another Member State.
It guarantees non-EU nationals the right to be informed in writing if they are the subject of an alert.
Regulation (EU) 2018/1862 improves and extends the use of the SIS for cooperation between police and judicial authorities.
It establishes the conditions and procedures for entering and processing alerts in the SIS on wanted and missing persons and objects, and for exchanging supplementary information and data in police and judicial cooperation on criminal matters.
It covers procedures for alerts on:
people wanted for arrest, surrender or extradition purposes;
missing persons;
vulnerable persons who need to be prevented from travelling, either for their own protection or to prevent a threat to public order or security;
children at risk, notably of abduction, trafficking or becoming involved in terrorism;
individuals being sought to assist with a judicial procedure as witnesses or because they have been summoned in connection with criminal proceedings;
unknown wanted persons whose identity is being sought;
discreet, specific and inquiry checks to prevent, detect, investigate or prosecute criminal offences, execute a criminal sentence or prevent threats to public security;
items to be seized or used as evidence in criminal proceedings, especially readily identifiable objects such as cars, boats, aircraft, firearms, identity documents and banknotes.
Information alerts on non-EU nationals
Regulation (EU) 2018/1862 also sets out rules regarding information alerts that target non-EU nationals suspected of being involved in terrorism and other serious crimes listed in Annex I to the European Union Agency for Law Enforcement Cooperation (Europol) regulation (Regulation (EU) 2016/794 – see summary). This ensures that their movement can be monitored and that all relevant information about them is easily and immediately retrievable by law enforcement agencies in the Member States.
Member States may enter information alerts on non-EU nationals into the SIS in the interest of the EU, upon a proposal by Europol to enter an information alert on the basis of information received from the authorities of non-EU countries or international organisations. Europol must notify its data protection officer when it makes such a proposal.
Europol may propose that information alerts be entered into the SIS where it assesses that:
there is a factual indication that a person intends to commit or is committing terrorist offences or other serious crimes; or
an overall assessment of a person, in particular on the basis of past criminal offences, gives reason to believe that that person may commit such an offence.
Before the information is entered into the SIS, Europol must ensure that the alert is necessary and justified, that the information is reliable and accurate and that no other alert on the person concerned already exists in the system. It then passes on the information it holds on the particular case and the results of its assessment to the Member States and proposes that one or more Member State enter an information alert into the SIS. Member States must put in place the necessary procedures for entering, updating and deleting information alerts in the SIS.
The rights of data subjects
Individuals have the right to:
access data relating to them processed in the SIS;
correct inaccurate data;
bring an action before the courts or competent supervisory authorities to access, correct, erase, obtain information or obtain compensation in connection with an alert concerning them.
Member States:
are committed to enforcing rulings on data protection rights;
report annually to the European Data Protection Board on the number of requests they receive to access data and correct inaccuracies, and the volume of court cases and their outcome.
Independent supervisory authorities monitor the legality of the national processing of personal data in the SIS; the European Data Protection Supervisor set up under Regulation (EU) 2018/1725 performs the same role for eu-LISA. The two cooperate to ensure coordinated supervision of the SIS.
Data processed in the SIS and related supplementary information may not be transferred or made available to non-EU countries or international organisations.
Regulation (EU) 2016/679 (see summary) and Directive (EU) 2016/680 (see summary) apply to personal data processed by national authorities and services.
The following authorities have access to data in the SIS.
National authorities, which are responsible for:
border control, police and customs checks;
prevention, detection, investigation or prosecution of terrorist acts or other serious criminal offences;
examining the conditions and taking decisions, including on residence permits and long-stay visas, on the entry, stay and return of non-EU nationals;
security checks on non-EU nationals applying for international protection;
examining visa applications (only for certain categories of alerts);
naturalisation decisions;
national judicial authorities, including those responsible for public prosecutions in criminal proceedings and judicial inquiries;
issuing registration certificates for vehicles, boats, aircraft and firearms.
The EU agencies below have the right to access and search SIS data when carrying out their responsibilities within their respective mandates.
The European Union Agency for Criminal Justice Cooperation handles judicial cooperation in criminal matters.
Europol may access all data, not just some, as was previously the case. SIS member countries must inform the law enforcement agency of any hits or alerts relating to terrorist offences.
The abovementioned EU agencies inform the issuing Member State when a search reveals the existence of an alert. They may not connect parts of the SIS or transfer any of its data to their own systems.
The Commission evaluates the use these agencies make of the SIS every 5 years.
Responsibilities
Each SIS Member State:
ensures the data are accurate, up to date and entered and stored in the SIS lawfully, and respects general data processing rules;
sets up, operates, maintains and develops its N.SIS according to common standards, protocols and technical procedures, and connects it to the NI-SIS;
ensures the uninterrupted availability of SIS data to end users;
transmits its alerts through its N.SIS;
designates an N.SIS office with central responsibility to ensure the smooth operation and security of its N.SIS, access to the SIS by the national authorities, overall compliance with the regulation and appropriate availability of the SIS for all end users;
appoints a national authority (the Sirene Bureau) to be a single contact point, which is operational at all times for the exchange and availability of all supplementary information on alerts, and to facilitate follow-up action;
adopts security, business continuity and disaster recovery plans to protect data and prevent unauthorised access;
applies professional secrecy and confidentiality rules, including close monitoring of external contractors; private companies and organisations are banned from operational management of the N.SIS;
keeps electronic logs, normally deleted after 3 years, on alerts and on the access and exchange of personal data to check whether the search was lawful and ensure data integrity and security;
operates a national SIS training programme for staff with access to the SIS on data security and fundamental rights, including data protection and data processing rules and regulations.
The Commission:
adopts implementing and delegated acts on technical aspects of the SIS and updates them as necessary;
under Regulation (EU) 2022/922 (see summary), has an overall coordinating role for the evaluation and monitoring mechanism that it implements with EU governments to ensure Schengen rules are fully applied nationally;
carries out an overall evaluation of the central SIS, the supplementary information exchange between national authorities, including an assessment of the automated fingerprint identification system, and the SIS information campaigns that will occur 3 years after the regulation becomes applicable and every 4 years thereafter.
eu-LISA is responsible for:
the central SIS and its operational management, including quality checks on the data it contains, and all the tasks necessary to ensure it functions every hour of every day of the year;
the communication infrastructure and its key aspects, notably supervision, security, coordination between member countries and providers, and budgetary and contractual issues;
relating to the Sirene Bureaux, coordinating, managing and supporting testing activities, maintaining and updating technical specifications on supplementary information exchanges between the bureaux and the communication infrastructure and managing technical changes;
adopting the necessary measures to protect data and prevent unauthorised access or use, including security, business continuity and disaster recovery plans for the central SIS and the communication infrastructure;
applying professional secrecy and confidentiality rules, and maintaining electronic logs, under the same conditions as national authorities;
producing daily, monthly and annual statistics on the number of records per category of alerts, omitting any personal data and then making its reports public.
Information campaign
The Commission, in cooperation with supervisory authorities and the European Data Protection Supervisor, runs the campaign. This was launched when the legislation became applicable and will be repeated at regular intervals, to inform the public about:
the aims of the SIS;
the data it holds;
the authorities with access to it;
the rights of the data subjects.
The Commission maintains a publicly available website with all relevant information on the SIS.
Member States, working with their supervisory authorities, must inform the public about the SIS.
FROM WHEN DO THE REGULATIONS APPLY?
The rules have come into application in successive stages in order to allow sufficient time for the necessary legal, operational and technical measures and arrangements to be put in place.
Under Implementing Decision (EU) 2023/201, the operations of the SIS pursuant to Regulations (EU) 2018/1861 and 2018/1862 commenced on . Regulations (EU) 2018/1860, 2018/1861 and 2018/1862 are now fully applicable.
BACKGROUND
While based on different pieces of legislation, the SIS is a single system for sharing data and requests among its members.
It is the most widely used and largest security and border management information sharing system in Europe. In 2022, it was accessed more than 12 billion times and secured 263,452 hits on foreign alerts.
It operates in 31 European countries: all of the Member States and four Schengen-associated countries (Iceland, Liechtenstein, Norway and Switzerland). Further to Decision (EU) 2023/870, the SIS has been in operation in Cyprus since .
KEY TERMS
Alert. A set of data enabling authorities to identify a person or object and act accordingly.
Dactyloscopic data. Data on palm prints and fingerprints.
Flag. Suspension of the validity of an alert at the national level that may be added to alerts for arrest, alerts on missing and vulnerable persons and alerts for discreet, inquiry and specific checks and to information alerts.
Return decision. A judicial or administrative decision on a non-EU national considered to be staying illegally who should return to their home country.
Supplementary information. Information not forming part of the alert data in the SIS, but connected to it.
MAIN DOCUMENTS
Regulation (EU) 2018/1860 of the European Parliament and of the Council of on the use of the Schengen Information System for the return of illegally staying third-country nationals (OJ L 312, , pp. 1–13).
Successive amendments to Regulation (EU) 2018/1860 have been incorporated into the original text. This consolidated version is of documentary value only.
Regulation (EU) 2018/1861 of the European Parliament and of the Council of on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 (OJ L 312, , pp. 14–55).
Regulation (EU) 2018/1862 of the European Parliament and of the Council of on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, , pp. 56–106).
Council Decision (EU) 2023/870 of on the application of the provisions of the Schengen acquis relating to the Schengen Information System in the Republic of Cyprus (OJ L 113, , pp. 44–47).
Council Regulation (EU) 2022/922 of on the establishment and operation of an evaluation and monitoring mechanism to verify the application of the Schengen acquis, and repealing Regulation (EU) No 1053/2013 (OJ L 160, , pp. 1–27).
Regulation (EU) 2018/1726 of the European Parliament and of the Council of on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (OJ L 295, , pp. 99–137).
Directive (EU) 2017/541 of the European Parliament and of the Council of on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, , pp. 6–21).
Regulation (EU) 2016/399 of the European Parliament and of the Council of on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code) (codification) (OJ L 77, , pp. 1–52).
Regulation (EU) 2016/679 of the European Parliament and of the Council of on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, , pp. 1–88).
Directive (EU) 2016/680 of the European Parliament and of the Council of on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, , pp. 89–131).
Regulation (EU) 2016/794 of the European Parliament and of the Council of on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, , pp. 53–114).
Directive 2008/115/EC of the European Parliament and of the Council of on common standards and procedures in Member States for returning illegally staying third-country nationals (OJ L 348, , pp. 98–107).
The Schengen acquis as referred to in Article 1(2) of Council Decision 1999/435/EC of (OJ L 239, , pp. 1–473).
Council Decision 1999/435/EC of concerning the definition of the Schengen acquis for the purpose of determining, in conformity with the relevant provisions of the Treaty establishing the European Community and the Treaty on European Union, the legal basis for each of the provisions or decisions which constitute the acquis (OJ L 176, , pp. 1–16).