A strengthened Schengen information system

SUMMARY OF:

Regulation (EU) 2018/1860 on the use of the Schengen information system for the return of illegally staying non-EU nationals

Regulation (EU) 2018/1861 on the establishment, operation and use of the Schengen information system in the field of border checks, and amending the convention implementing the Schengen Agreement

Regulation (EU) 2018/1862 on the establishment, operation and use of the Schengen information system in the field of police cooperation and judicial cooperation in criminal matters

WHAT IS THE AIM OF THE REGULATIONS?

The Schengen information system (SIS), created in 1995 following the abolition of internal border controls in the European Union (EU), is a large-scale database supporting external border control and law enforcement cooperation between member countries of the Schengen Agreement (currently 26 EU Member States and four associated countries).

The three regulations are designed to strengthen the SIS II – established in 2006 and operational since 2013 – particularly in light of migration and security challenges. They replace the legislation laid down in Regulations (EC) No 1986/2006 and (EC) No 1987/2006, and Decision 2007/533/JHA.

KEY POINTS

System architecture

The SIS consists of the following.

A central system (central SIS) with:
- a technical support function (CS-SIS), containing a database (SIS database) performing technical supervision and administration functions, and a backup CS-SIS;
- a uniform national interface (NI-SIS).
A national system (N.SIS) in each country to communicate with the central SIS, including at least one national or shared backup N.SIS. The N.SIS may contain a data file (a ‘national copy’) containing a complete or partial copy of the SIS database. It is not possible to search data files in another N.SIS, unless the countries concerned have agreed to share the file.
A communication infrastructure between the CS-SIS, the backup CS-SIS and the NI-SIS provides an encrypted virtual network for SIS data and their exchange between the supplementary information request at the national entries (Sirene) bureaux.

The European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA):

is responsible for the operational management of the central SIS;
performs maintenance work and technical developments necessary for the smooth running of the central SIS;
implements technical solutions to strengthen the uninterrupted availability of the central SIS;
in exceptional circumstances, may develop an additional copy of the SIS database;
publishes a list of the N.SIS offices and Sirene bureaux.

Procedural rules state that:

alerts* should remain in the SIS only as long as required for their specific purpose and be deleted when they achieve their purpose;
alerts must be reviewed within defined periods; the member country may then decide to prolong them, otherwise they are automatically deleted – the review periods are:
- 5 years for alerts on persons wanted for arrest for surrender or extradition purposes and missing persons who may, or may not, need to be placed under protection,
- 3 years for alerts on persons sought to assist with a judicial procedure, unknown wanted persons, alerts on return and alerts for refusal of entry and stay; however, if the national decision on which the alert on return or alert for refusal of entry and stay is based provides for a longer period of validity than 3 years, the alert shall be reviewed within 5 years,
- 1 year for children at risk, vulnerable persons who need to be protected from travelling and persons for discreet inquiry or specific checks,
- 10 years for objects for discreet inquiry or specific checks or for seizure or use as evidence in criminal proceedings; the European Commission has adopted implementing acts to establish shorter review periods for certain categories of alerts on objects;
categories of data to be entered into the system must be designed to help end users to identify a person and take decisions quickly; they include the minimum set of data (surname, date of birth, reason for the alert and action to be taken) and other data, such as type of offence, photographs and dactyloscopic* information, if available;
the use of biometric and dactyloscopic data must respect EU law and fundamental rights, and meet minimum quality standards and technical specifications;
a case must be adequate, relevant and sufficiently important to warrant an SIS alert, for example, an alert related to a terrorist offence meets these criteria;
only the issuing member country may modify, add to, correct, update or delete data in the SIS;
a country that considers acting on an alert that would be incompatible with its national law, international obligations or essential interests may attach a flag* to the alert, this indicates that it will not take action on its territory.

Costs

The EU budget covers the operational, maintenance and development costs of the central SIS and the communication infrastructure.
Member States cover the operational, maintenance and development costs of their own N.SIS.

Main details of each regulation

Regulation (EU) 2018/1860 strengthens enforcement and effectiveness of the EU’s return policy.

It lays down common conditions and procedures for entering and processing alerts and exchanging supplementary information on non-EU nationals subject to return decisions*.
It requires national authorities to enter alerts as soon as a return decision is taken.
It establishes categories of data to be included in the alert.
It establishes harmonised procedures on:
- confirmation of return – verification if a return decision has been complied with and, if not, the notification to the relevant authorities;
- deletion of alerts to ensure there is no delay between the departure of a non-EU national and the activation of an entry ban, when relevant;
- compulsory consultation between national authorities:
  - before granting or extending a residence permit or long-stay visa for a non-EU national who is the subject of a return alert in another Member State that is accompanied by an entry ban,
  - before entering an alert on a return decision concerning a non-EU national who is the holder of a valid residence permit or long-stay visa granted by another Member State or when this emerges at a later stage.

Regulation (EU) 2018/1861 covers the use of the SIS for entry bans.

It establishes the conditions and procedures for entering and processing alerts and exchange of supplementary information* on non-EU nationals refused entry or the right to stay in the EU.
It introduces categories of data to be included in the alert.
It introduces harmonised procedures on:
- compulsory entry of an alert when a non-EU national is refused entry or the right to stay because they pose a security threat or are subject to a restrictive order preventing entry into, or transit through, a Member State;
- entering alerts on non-EU nationals who are beneficiaries of the right of free movement within the EU;
- mandatory consultation between national authorities before granting or extending a residence permit or long-stay visa to a non-EU national refused the right of entry or stay in another Member State; before or after entering an alert for refusal of entry and stay on a non-EU national who is the holder of a valid residence permit or long-stay visa granted by another Member State.
It guarantees non-EU nationals the right to be informed in writing if they are the subject of an alert.

Regulation (EU) 2018/1862 improves and extends the use of the SIS for cooperation between police and judicial authorities.

It establishes the conditions and procedures for entering and processing alerts in the SIS on wanted and missing persons and objects, and for exchanging supplementary information and data in police and judicial cooperation on criminal matters.
It covers procedures on alerts on:
- people wanted for arrest, for surrender or extradition purposes;
- missing persons;
- vulnerable persons who need to be prevented from travelling, either for their own protection or to prevent a threat to public order or security;
- children at risk, notably of abduction, trafficking or becoming involved in terrorism;
- individuals being sought to assist with a judicial procedure as witnesses or because they have been summoned in connection with criminal proceedings;
- unknown wanted persons whose identity is being sought;
- discreet or specific checks and inquiry checks to prevent, detect, investigate or prosecute criminal offences, execute a criminal sentence or prevent threats to public security;
- items to be seized or used as evidence in criminal proceedings, especially readily identifiable objects such as cars, boats, aircraft, firearms, identity documents and banknotes.

Information alerts on non-EU nationals

Regulation (EU) 2022/1190 amends Regulation (EU) 2018/1862 by setting rules regarding information alerts that target non-EU nationals suspected of being involved in terrorism and other serious crimes listed in Annex I to the European Union Agency for Law Enforcement Cooperation (Europol) regulation (Regulation (EU) 2016/794 – see summary). This ensures that their movement can be monitored and that all relevant information about them is easily and immediately retrievable by law enforcement agencies in the Member States.
Member States may enter information alerts on non-EU nationals into the SIS in the interest of the EU, upon a proposal by Europol to enter an information alert on the basis of information received from the authorities of non-EU countries or international organisations. Europol must notify its data protection officer where it makes such a proposal.
Europol may propose that information alerts be entered into the SIS where it assesses that:
- there is a factual indication that a person intends to commit or is committing terrorist offences or other serious crimes; or
- an overall assessment of a person, in particular on the basis of past criminal offences, gives reason to believe that that person may commit such an offence.
Before the information is entered into the SIS, Europol must ensure that the alert is necessary and justified and that the information is reliable and accurate and that no other alert on the person concerned already exists in the system. It then passes on the information it holds on the particular case and the results of its assessment to the Member States and proposes that one or more Member State enter an information alert into the SIS. Member States must put in place the necessary procedures for entering, updating and deleting information alerts in the SIS.

The rights of data subjects

Individuals have the right to:

access data relating to them processed in the SIS;
correction of inaccurate data;
bring an action before the courts or competent supervisory authorities to access, correct, erase, obtain information or obtain compensation in connection to an alert concerning them.

Member States:

are committed to enforcing rulings on data protection rights;
report annually to the European Data Protection Board on the number of requests they receive to access data and correct inaccuracies, and the volume of court cases and their outcome.

Independent supervisory authorities monitor the legality of national processing of personal data in the SIS; the European Data Protection Supervisor set up under Regulation (EU) 2018/1725 performs the same role for eu-LISA. The two cooperate to ensure coordinated supervision of the SIS.

Data processed in the SIS and related supplementary information may not be transferred or made available to non-EU countries or international organisations.
Regulation (EU) 2018/1725 applies to personal data processed by eu-LISA, the European Border and Coast Guard Agency and the European Union Agency for Criminal Justice Cooperation (Eurojust).
Regulation (EU) 2016/679 (see summary) and Directive (EU) 2016/680 (see summary) apply to personal data processed by national authorities and services.

The following authorities have access to data in the SIS.

National authorities, which are responsible for:
- border control, police and customs checks;
- prevention, detection, investigation or prosecution of terrorist acts or other serious criminal offences;
- examining the conditions and taking decisions, including on residence permits and long-stay visas, on the entry, stay and return of non-EU nationals;
- security checks on non-EU nationals applying for international protection;
- examining visa applications (only for certain categories of alerts);
- naturalisation decisions;
- national judicial authorities, including those responsible for public prosecutions in criminal proceedings and judicial inquiries;
- issuing registration certificates for vehicles, boats, aircraft and firearms.
The EU agencies below have the right to access and search SIS data when carrying out their responsibilities within their respective mandates:
- Europol may access all data, not just some, as was previously the case. SIS member countries must inform the law enforcement agency of any hits or alerts relating to terrorist offences;
- Eurojust handles judicial cooperation of criminal matters;
- European Border and Coast Guard Agency teams are involved in return-related tasks and migration management support teams.

The abovementioned EU agencies inform the issuing member country when a search reveals the existence of an alert. They may not connect parts of the SIS or transfer any of its data to their own system.

The Commission evaluates every 5 years the use these agencies make of the SIS.

Responsibilities

Each SIS member country:

ensures the data are accurate, up-to-date and entered and stored in the SIS lawfully, and respects general data processing rules;
sets up, operates, maintains and develops its N.SIS, according to common standards, protocols and technical procedures, and connects it to NI-SIS;
ensures the uninterrupted availability of SIS data to end users;
transmits its alerts through its N.SIS;
designates an N.SIS office with central responsibility to ensure the smooth operation and security of its N.SIS, access of the national authorities to the SIS, overall compliance with the regulation and appropriate availability of the SIS for all end users;
appoints a national authority (the Sirene bureau) as a single contact point, operational 24/7 for the exchange and availability of all supplementary information on alerts and to facilitate follow-up action;
adopts security, business continuity and disaster recovery plans to protect data and prevent unauthorised access;
applies professional secrecy and confidentiality rules, including close monitoring of external contractors; private companies and organisations are banned from operational management of the N.SIS;
keeps electronic logs, normally deleted after 3 years, on alerts, access and exchange of personal data to check whether the search was lawful and ensure data integrity and security;
operates a national SIS training programme for staff with access to the SIS on data security and fundamental rights, including data protection and data processing rules and regulations.

The Commission:

adopts implementing and delegated acts on technical aspects of the SIS and updates them as necessary;
under Regulation (EU) 2022/922 (see summary), has an overall coordinating role for the evaluation and monitoring mechanism that it implements with EU governments to ensure Schengen rules are fully applied nationally;
carries out an overall evaluation of the central SIS, the supplementary information exchange between national authorities, including an assessment of the automated fingerprint identification system, and the SIS information campaigns 3 years after the regulation becomes applicable and every 4 years thereafter.

eu-LISA is responsible for:

the central SIS and its operational management, including quality checks on the data it contains, and all the tasks necessary to ensure it functions 24/7 every day of the year;
communication infrastructure and its key aspects, notably supervision, security, coordination between member countries and providers, and budgetary and contractual issues;
relating to the Sirene bureaux, coordinating, managing and supporting testing activities, maintaining and updating technical specifications on supplementary information exchange between the bureaux and the communication infrastructure, and managing technical changes;
adopting the necessary measures to protect data and prevent unauthorised access or use, including security, business continuity and disaster recovery plans for the central SIS and the communication infrastructure;
applying professional secrecy and confidentiality rules, and maintenance of electronic logs, on the same conditions as national authorities;
making publicly available via the Official Journal of the European Union a list of national authorities authorised to search for data in the SIS;
producing daily, monthly and annual statistics on the number of records per category of alerts, omitting any personal data – its reports are then made public.

Information campaign

The Commission, in cooperation with supervisory authorities and the European Data Protection Supervisor, runs the campaign. This was launched when the legislation became applicable and will be repeated at regular intervals, to inform the public on:
- the aims of the SIS;
- the data it holds;
- the authorities with access to it;
- the rights of the data subjects.
The Commission maintains a publicly available website with all relevant information on the SIS.
Member States, working with their supervisory authorities, must inform the public about the SIS.

FROM WHEN DO THE REGULATIONS APPLY?

The new rules have come into application in successive stages in order to allow sufficient time for the necessary legal, operational and technical measures and arrangements to be put in place.

Under Commission Implementing Decision (EU) 2023/201, the operations of the SIS pursuant to Regulations (EU) 2018/1861 and (EU) 2018/1862 commenced on 7 March 2023. Regulations (EU) 2018/1860, (EU) 2018/1861 and (EU) 2018/1862 are now fully applicable.

BACKGROUND

While based on different pieces of legislation, the SIS is a single system for sharing data and requests among its members.
It is the most widely used and largest security and border management information sharing system in Europe. In 2022, it was accessed more than 12 billion times and secured 263,452 hits on foreign alerts.
It operates in 30 European countries: in all of the Member States (apart from Cyprus) and four Schengen-associated countries (Iceland, Liechtenstein, Norway and Switzerland).

KEY TERMS

Alert. A set of data enabling authorities to identify a person or object and act accordingly.

Dactyloscopic data. Data on palm and fingerprints.

Flag. Suspension of the validity of an alert at the national level that may be added to alerts for arrest, alerts on missing and vulnerable persons, alerts for discreet inquiry and specific checks and to information alerts.

Return decisions. Judicial or administrative decision on a non-EU national considered to be staying illegally who should return to their home country.

Supplementary information. Information not forming part of the alert data in the SIS, but connected to it.

MAIN DOCUMENTS

Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of the Schengen Information System for the return of illegally staying third-country nationals (OJ L 312, 7.12.2018, pp. 1–13).

Successive amendments to Regulation (EU) 2018/1860 have been incorporated into the original text. This consolidated version is of documentary value only.

Regulation (EU) 2018/1861 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC) No 1987/2006 (OJ L 312, 7.12.2018, pp. 14–55).

See consolidated version.

Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU (OJ L 312, 7.12.2018, pp. 56–106).