52003DC0771

COMMUNICATION FROM THE COMMISSION TO THE COUNCIL AND THE EUROPEAN PARLIAMENT - Development of the Schengen Information System II and possible synergies with a future Visa Information System (VIS)

CONTENTS

1. Introduction

1.1. Scope of the Communication

1.2. The Schengen Information System - From the current SIS to SIS II

1.2.1. The current SIS

1.2.2. Need for a new generation SIS

1.3. Development of SIS II

1.4. Constraints and key issues

1.4.1. Constraints

1.4.2. Key issues

2. Progress report

2.1. Results achieved (January-June 2003) and the way forward (July-December 2003)

2.1.1. Main activity: feasibility study

2.1.2. Current activity: preparation of the call for tender

2.1.3. Next steps

2.1.4. SIS II Committee

2.1.5. Involvement of the Acceding Countries

2.1.6. Commission project management

3. Architecture

3.1. SIS II Requirements

3.1.1. General requirements

3.1.2. Relative weightings of the requirements

3.2. Choice of the architecture: process and methodology.

3.2.1. Architecture selection process

3.2.2. Final recommendation: Hybrid architecture with no data in the National Interface

4. Functionalities

4.1. General approach

4.2. List of SIS II functionalities

4.3. Use of biometrics

5. Schedule

6. Costs

6.1. Outcome of the feasibility study

6.2. Comparisons between options

6.3. Distribution of costs

6.3.1. Costs linked to deploying SIS II

6.3.2. Operating costs

6.4. Project budget impact

6.4.1. Financial breakdown of the operating expenditures directly related to the design, development and deployment of the SIS II

6.4.2. Financial breakdown of other operating expenditures

6.4.3. Funding of the SIS II project

7. Management and Location of SIS II

7.1. Introduction

7.2. Technical Management of SIS II

7.2.1. Strategic management

7.2.2. Operational management

7.3. Location of the central part of SIS II

8. Future Visa Information system and synergies with SIS II

8.1. Political context

8.2. Introduction to the Visa Information System (VIS)

8.3. Possible Synergies with a future Visa Information system (VIS)

8.4. Financial overview VIS

9. Legal impact

10. Data protection

11. Conclusions

12. Annex 1: SIS II calendar January - June 2003

13. Annex 2: Provisions schedule up to 2007

14. Annex 3: legislative financial statement

1. Introduction

1.1. Scope of the Communication

The objective of this Communication is to:

* Present to the Council and the European Parliament the second generation Schengen Information System (SIS II) progress report for the activities carried out in the first half of 2003 [1] and future schedule [2].

[1] Submitted to the Council and the European Parliament in response to the obligation of article 6 of the Council Regulation n. 2424/2001 of 6 December 2001 on the development of the second Schengen Information System (SIS II), OJ L 328 of 13 December 2001.

[2] A progress report covering the second half of 2003 should be published at the beginning of 2004.

* Present an abridged version of the results of the feasibility study, which was carried out on the setting up of a new generation of the Schengen Information System .

* Highlight the budgetary repercussions of SIS II, based on the detailed budget estimates of the feasibility study.

* Suggest solutions for the location and future management of SIS II.

* Point out how synergies with a possible future Visa Information System (VIS) could be brought about.

This Communication builds upon the Communication of 18 December 2001 from the Commission to the Council and the European Parliament: Development of the Schengen Information System II [3].

[3] COM(2001) 720 final.

1.2. The Schengen Information System - From the current SIS to SIS II

1.2.1. The current SIS

SIS is an information system that allows competent authorities in the Member States, through an automatic query procedure, to access alerts regarding persons and property. It is thus a vital feature in managing the fields of security, freedom and justice for the Schengen area without internal borders. It contributes to the implementation of the provisions on the free movement of persons (Title IV of the EC Treaty) and to judicial co-operation (Title VI of the EU Treaty) in criminal matters and police co-operation in that context.

SIS currently consists of a national system [4] located in each of the Contracting Parties [5]. The systems data file has to remain materially identical to the national data file [6] located in the national systems of each of the other Contracting Parties, by means of a technical support function. By virtue of Article 92 of the Schengen Convention, implementing the Schengen agreement of 14 June 1985, France is responsible for the technical support function located in Strasbourg in a custom-built, high security environment. The Strasbourg system is also called the C.SIS (i.e. the central part of the SIS). The support function comprises a central data file, which ensures, via on-line transmission, that the data files of the national systems contain identical information. While the daily operations of the current SIS are presently managed by France, strategic management is carried out by various Council working groups, supported by the Council Secretariat General.

[4] System (or a set of systems) located in the national domain under the responsibility of the national authorities.

[5] The Contracting Parties are countries (in the future, some can also be organisations: Europol for example).

[6] Copy of (some of) the data stored in the SIS II Central System, hosted by the national systems and regularly updated by the SIS II Central System.

1.2.2. Need for a new generation SIS

The need for a new generation of the SIS is found in the quest for a common and integrated security strategy in an area of free movement. SIS II is an essential instrument for maintaining public order in an area without internal frontiers (e.g. the crossing of the external borders and the issuance of visas and residence permits). The compatibility with other relevant - existing or future - databases in these fields is of the utmost importance.

Demands on new functions and new information types are continuously being discussed within the decision-making bodies. In due time, some or all of these have to be included in the features of the SIS II. The ability for SIS II to be extended and changed in these areas is therefore another essential characteristic of the system.

The current SIS has the capacity to deal with no more than 18 participating states. It is operational in 13 Member States and 2 other states (Iceland and Norway) and is intended to become partially operational in the United Kingdom and Ireland in the foreseeable future. It has, however, not been designed to cope with the increased number of EU Member States after enlargement. Therefore, one of the main objectives in developing SIS II is to establish a system allowing the integration of new Member States. Furthermore, the technology of the present SIS is clearly outdated and does not provide the necessary flexibility for adding easily new functionalities.

For these reasons the Council decided that it was necessary to develop a new, second generation Schengen Information System (SIS II).

The mandate to develop SIS II was given to the Commission in December 2001 [7] and is for a limited period until 31 December 2006. The responsibilities for SIS II are shared between the Council and the Commission [8]. Establishing a clear and common understanding of the respective responsibilities has at times proven to be difficult.

[7] Council Regulation (EC) N° 2424/2001 and Council Decision 2001/886/JHA of 6 December 2001 on the development of the second generation Schengen Information System (SIS II), OJ L 328 of 13 December 2001, p. 4.

[8] Voir l'addendum au procès-verbal du Conseil (Justice, Affaires intérieures et Protection civile) des 6 et 7 septembre 2001 (14997/01 ADD 1).

1.3. Development of SIS II

Without prejudice to the future technical architecture, at an abstract level, SIS II could be described as constituting a central system surrounded by National Interfaces [9]. Each Contracting Party would, by using a national interface linked to its national system, be able to input and access data. For those states that wish to host Schengen information locally, SIS II also comprises national data files located in their premises, kept under their responsibility and updated by the central system.

[9] Central System and National Interfaces form the common part of the SIS II, National Interfaces being delivered in the Contracting Parties premises, and allowing them to access to the SIS II data and services.

The SIS II must fulfil the following key requirements:

* Scalability

The system must be designed to handle more than twice the number of Contracting Parties than the current SIS, including organisations that might have full or partial access (e.g. Europol) to the information in the SIS.

It must also be able to provide both optional and mandatory services (e.g. those countries which are ready to use a certain feature could go ahead, while those not ready to do so would technically not be affected by this).

* Flexibility

The current SIS includes functions constituting a defined set of information types (persons and objects), in accordance with articles 95-100 of the Schengen Convention. SIS II should have the potential to handle a significantly larger number of data and, once operational, to be extended to cope with new information types, new objects and further new functions, which are under discussion in the Council framework. Ideally, once it has been set up, the system should provide the flexibility to incorporate new functionalities, as well as new information and rules without major technical changes. This would include the inter-linking of alerts and the use of biometric information.

* Uniformity

Uniformity is a requirement, since a more homogenous system, especially concerning national interfaces, will have a positive impact on testing, data quality and data integrity/security. Other areas of uniformity could be sought in the validation rules and the potential use of common query interfaces. In addition, uniformity will result in overall lower system costs.

* Reliability

Reliability includes availability and performance. High availability is an obvious priority for the future system. This includes the ability to ensure that data are correct, safely delivered and not corrupted. An important aspect of high availability is also the ability to maximise prevention of system failure or crash and, should such an event occur despite all precautions, the ability to recover extremely quickly.

High performance is crucial. As an example, the answer to a police request, under operational conditions, has to be delivered within five seconds. SIS II should be able to limit the time for the distribution of data entered by one end-user to all the other Contracting Parties.

* Economy

Given the potential number of new Contracting Parties and the potentially increased number of new functions to be handled, the system must be designed to be easily manageable at both central and national level, in order to make it as cost-effective as possible.

* Security

The data stored in the SIS are highly sensitive. The data are, to a large extent, personal data derived from the national police forces and other authorities allowed handling sensitive information. The data need to be protected from a non-authorised use. Physical protection (i.e. restricted physical access to the site, to the machine room) and logical protection are mandatory (limited access for read only, modification or deletion).

1.4. Constraints and key issues

1.4.1. Constraints

The following are the main constraints for the development of the SIS II system:

* The tight deadline given to set up such a complex system, in which the adaptation of the national systems remains the competence of Member States.

* Division of responsibilities between the Commission and Council, with boundaries that are partly difficult to define, thus adding complexity to the decision-making process.

* Legacy of a complex Council working group structure, leading to a potentially slow decision-making process as regards the necessary legal framework.

1.4.2. Key issues

* Architecture: the architecture of an IT system means the way that physical and logistical items (namely hardware and software) are designed, including their relationship to one another. The architecture of a system always defines its broad outlines, and also partially defines precise mechanisms. Since it is not possible to start implementing an IT system without knowledge of its architecture, a decision on the architecture must be taken at an early stage.

* Functionalities: these are the functional requirements that SIS II has to provide in order to allow the Contracting Parties and end-users to match the SIS objectives. It is not possible to implement an IT system without informing the contractor about what the system is supposed to do. The decision on the general functionalities must be taken at an early stage of any IT project.

* Synergies: at the request of the Council, possible synergies with the VIS (Visa Information System) have been examined. This was done in the framework of a feasibility study for VIS, which contained recommendations on synergies that might lead to substantial savings, especially in the long term.

* Financing: the feasibility study provided financial figures for the implementation of SIS II e.g. design, development and roll-out of the system, including hardware. The costs of the management of the system are also specified. The provisional budget estimates have been readjusted in the light of these figures and the financial statement attached to this Communication updated accordingly.

* Location and management of the central system: taking into account the political and legal situation of the current SIS and SIS II, as well as the operational requirements of SIS II, an assessment must be made as regards the appropriate arrangements concerning location and the management of the central system.

2. Progress report

This report is the second [10] provided by the Commission services in accordance with Article 6 of Council Regulation N. 2424/2001 of 6 December 2001. The report aims to provide a description of the work carried out by the Commission services for the first half of 2003.

[10] The first report, submitted in early 2003, covered the whole of 2002.

2.1. Results achieved (January-June 2003) and the way forward (July-December 2003)

The main steps undertaken were described in detail in the Commission working paper: Progress Report 2002 on the development of the second generation Schengen Information System (SIS II).

2.1.1. Main activity: feasibility study

The SIS II feasibility study, as explained in the July-December 2002 Progress Report, was divided into three steps:

* Assessment of the strategic approach for SIS II, carried out in 2002 and detailed in the July-December 2002 Progress Report.

* Technical, feasibility and security reports on a number of architectural options which could be feasible for SIS II, carried out from October 2002 to April 2003.

* Draft of a blueprint of the technical requirements carried out from May to June 2003.

After receipt of the first version of the reports (feasibility, technical and security reports) in January 2003, and close study by the Commission and the SIS II Committee, the SIS II Committee gave a favourable opinion on the proposed architecture and the final versions of the reports were sent to the Council on 2 May, in order to prepare the political decision-making process in the different working groups.

In an additional contract signed in April 2003, the Commission asked the contractor to study the feasibility of the following features:

* Moving some of the National Interface intelligence to the central part.

* A direct query function on the central database, based on additional information provided by the Member States.

* Possible synergy between the SIS and VIS projects. The aim was to analyse the conditions for a synergy and to estimate the impact on the network and on each studied architecture.

The output of this additional study was presented to the SIS II Committee in June 2003.

The "Draft of a blueprint of the technical requirements" step had to be postponed in order to take into account the conclusions, adopted in the Justice and Home Affairs Council of 5/6 June 2003, regarding architecture and functionalities. The draft blue print of the technical requirements report was delivered in July 2003.

2.1.2. Current activity: preparation of the call for tender

In order to deliver the system as quickly as possible, the Commission services started the preparation of the call for tender in February 2003.

A prior information notice was published in the S series of the Official Journal of the European Union in March 2003 [11] aiming at informing potential tenderers that a major IT project in the field of EU Justice and Home Affairs was under preparation.

[11] OJ, 2003/562-053772.

After the Council has given orientations, in its conclusions of June 2003, on the architecture and functionalities of the new system, the Commission published a contract notice in the S series of the Official Journal of the European Union [12]. The call for tender is restricted. All interested economic operators could ask to take part but only candidates satisfying the selection criteria are being invited to submit a tender.

[12] OJ, 2003/S 119-106332.

The candidates invited to submit a tender have been selected and the successful candidates will be invited to submit their tenders by spring 2004. The evaluation of the tenders and the award of the contract will be finalised in August 2004. The signature of the contract is planned for September 2004.

2.1.3. Next steps

As regards the timetable, the feasibility study stated that the tight deadline of 2006, given in the mandate received from the Council in 2001, was still feasible for the selected architecture, provided that the main deadlines listed below were adhered to.

* June 2003 - Definite list of functionalities and decision on the architecture,

* August 2003 - Launch of the SIS II call for tender,

* June 2004 - Signature of the contract for the detailed design and development of SIS II and subsequent draft of the detailed design,

* January 2005 - Commence SIS II development,

* Spring 2005 - Commence Contracting Parties national system adaptation,

* Autumn 2006 - Commence migration of current Contracting Parties,

* End 2006 - Ready for integration of new Contracting Parties (the issue of whether acceding countries could integrate in parallel with current Parties is still under discussion).

The feasibility study clearly pointed out that any delay in any of the milestones mentioned above will render the deadline of 2006 impossible to meet.

Given that throughout autumn 2003, difficulties were encountered to fit the budgetary requirements for SIS II as they result from the feasibility study into the tight budgetary framework available especially in 2005, the call for tender could not be launched in late August 2003 as initially foreseen. Final clarity on budgetary availability was only achieved in November 2003 and therefore the call for tender can only be launched in December 2003.

This implies that the initial planning to have the complete system operational by the end of 2006 cannot be kept. System availability is still planned for the end of 2006 and readiness for migration and integration during the first half of 2007 including three additional months as a safety margin in case some delay would occur in the detailed design and development phase of the system.

2.1.4. SIS II Committee

The SIS II Committee convened for the first time in January 2002. It is composed of representatives of the Member States, and follows the management or regulatory procedure - depending on the measures at stake - as prescribed in the Council Regulation and Council Decision of 6 December 2001 on the development of SIS II [13]. This Committee meets on a monthly basis. Iceland and Norway [14] take part in these meetings as observers.

[13] Article 4 and 5 of the Council Regulation 2424/2001 and Article 4 and 5 of Council Decision 2001/886.

[14] Following an exchange of letters, because they are associated with the implementation and development of the Schengen acquis.

The importance of the work of the SIS II Committee throughout the feasibility study phase must be stressed since Member States were given the opportunity to submit their written comments for each version of the reports and thereby assisted the contractor in addressing their concerns.

Member States expressed strong interest in continuing to work on the issues that would allow keeping the tight schedule. The SIS II Committee agreed to organise additional specific workshops for the preparation of the call for tender. Considering the necessity for carrying out further intensive work with effect from autumn 2003, the SIS II Committee also agreed to hold 2-days Committee Meetings.

2.1.5. Involvement of the Acceding Countries

One of the main reasons for developing SIS II is to deliver a system allowing the integration of new Member States. It must be possible for them to fully participate in the Schengen acquis and then also in SIS II as quickly as possible after the date of their accession. Therefore, they need to be properly involved, and this in good time.

As outlined in the Commission Communication of 18 December 2001, this involvement commenced with an information phase. A preparatory meeting for the Permanent Representations was held on 18 April 2002, followed by the first TAIEX [15] Seminar on 6 June 2002, and a further information session on 13 December 2002.

[15] Technical Assistance Information EXchange office

As planned, an additional TAIEX Seminar, to be held towards the end of the feasibility study, took place on 9 April 2003. The aim of this meeting was to update Acceding Countries on the latest developments, results and recommendations of the feasibility study. In addition, the seminar served to familiarise Acceding Countries with the tasks and working methods of the SIS II Committee and the Council Working Groups.

The Acceding Countries were welcomed to the Committee Meeting for the first time on 14 May 2003 as observers. This status allows them to be informed and to participate in the general debate. This process also informs them about possible dates for their integration, provided they are legally and technically ready. Their respective national plans for preparing the national systems to interface with the SIS II will then need to be established.

2.1.6. Commission project management

A Project Management Board was set up in October 2002 to share in-house knowledge with other Commission services, such as the Informatics Directorate of Personal and Administration, Enterprise and Information Society Directorates General, in order to take into account possible synergies within the Commission.

A new unit "Large-scale information systems" was created within DG JAI on 16 December 2002. Part of its mandate is to exploit synergies between the major IT projects in the Justice and Home Affairs policy areas: SIS II, EURODAC and VIS (Visa Information System). Within this newly created unit, a "SIS team" is particularly assigned and committed to the SIS II project.

In order to ensure maximum transparency of the work conducted by the Commission services, since the beginning of 2003 a representative of the Presidency representing the Member States has been systematically invited to participate in the Project Management Board.

In April 2003, a contract for external assistance and advice was renewed with a major IT consultancy. The contract had originally been signed in April 2002, following an open call for tender procedure. The contractor provides technical advice on the project and guarantees an external independent quality control.

Four new staff have joined or are about to join the SIS II team - consisting of three Commission officials (2 A and 1 B grade) and one national seconded expert. These additional posts will be devoted to strengthening the team for the following tasks: preparation of the call for tenders, drafting of technical and functional specifications for the development of SIS II, co-ordination of national preparations, data protection aspects and network analysis, administrative support.

3. Architecture

3.1. SIS II Requirements

3.1.1. General requirements

In order to ensure coherence and continuity with work already undertaken within the Council structure, the Commission has drafted the technical requirements for SIS II on the basis of discussions that had already taken place in the Council prior to the Commission being entrusted with the development of SIS II.

The main technical strategic requirements (scalability, flexibility, uniformity, reliability and economy) have been explained above, under paragraph 1.3.

3.1.2. Relative weightings of the requirements

The feasibility study concluded that, of all key requirements, four were particularly crucial. They are scalability, system management, security and the ability to implement the chosen architecture in due time. These have been taken into special consideration during the decision-making process for choosing architecture.

3.2. Choice of the architecture: process and methodology.

3.2.1. Architecture selection process

The feasibility study initially identified a large number of architectural options for SIS II.

Thirteen architectural options were presented and differed in the following respects: the locations where data could be stored (centrally, de-centrally, or in the national systems of the Contracting Parties), the way data types (text, multimedia, etc.) could be dealt with and the way in which data could be split up, according to ownership. Consequently, they also differed in processing and communication methods.

The architectural options were evaluated considering SIS II current and new functionalities and the key requirements as set out above. In addition, a preliminary cost evaluation was made for SIS II and the impact on schedule and Member States.

After narrowing down the possible architectures to three, the feasibility study further examined them in detail, addressing strategic requirements. Under all three options, the central reference data file contains all Schengen data. The difference between the architectures is the presence or not of data in the national interface:

* 'decentralised architecture': only Schengen alphanumerical data in the national interface,

* 'hybrid architecture with all data in the national interface': all Schengen data in the national interface, including the large biometrics data,

* 'hybrid architecture with no data in the national interface': no data in the national interface.

The options are rather similar, in terms of the services provided. The greatest difference between each option relates to the inclusion or exclusion of data sets in the National Interface. The decentralised option includes only character data in the National Interface. The hybrid option includes either all data in the National Interface (i.e. all character, multimedia and especially, biometric data, etc.) or no data in the National Interface, thereby making the National Interface a sort of pass-through system.

3.2.2. Final recommendation: Hybrid architecture with no data in the National Interface

The feasibility study makes the following recommendation based on the previous criteria:

"SIS II should comprise a Central System with all required functionalities and a National Interface delivered as an RTS [16] without data storage".

[16] Readymade turnkey solution: elements (hardware and software) developed centrally, e.g. the National Interfaces (NIs), completely ready to use and managed from the Central System avoiding any major involvement of users.

This option received a favourable opinion of the SIS II Committee. In this option, all data are stored centrally. The National Interfaces store no Schengen data and are little more than "pass through" interfaces. The Contracting Parties may store the data in their national systems (and so use and query the national data file), but may also choose to use and query SIS II directly.

This option, with all data in the Central System and no data in the National Interfaces, allows for easy extensibility [17]. The required and desired changes can be dealt with at one central node in a highly controlled manner.

[17] Capacity of the system to implement quickly new components and new functionalities.

Since changes are dealt with at central level, system and version management, software upgrading and parameter changes are best handled by the selected option.

The feasibility study carefully analysed scalability, with respect to both the inclusion of new Member States and increased data sets and querying. The selected option avoids the problems of adding new Member States (given the estimated and extrapolated usage that is foreseen due to the addition of more than 30 new countries) and new data formats (e.g. fingerprints and pictures), even at peak hours.

>REFERENCE TO A GRAPHIC>

Migration to this option is slightly easier, but preparation for migration must be started well before 2005.

Other aspects, such as schedule, security and product maturity/market availability were less discriminatory and comparable for all three architectural options.

4. Functionalities

4.1. General approach

One of the key elements for adhering to the tight deadline is the timely launch of the call for tender. At its meeting of 16 January 2003, the SIS-SIRENE Working Group agreed on the approach of separating legal and political discussions on functionalities from a list of definite and potential high level functionalities that were approved by the Council in June 2003 in order to to provide guidance to the future contractor.

This approach does not imply the removal of any flexibility during the development phase of the system. Definite functionalities would be activated from the beginning, whereas the activation of potential functionalities would only occur once political agreement has been reached. However, in order not to modify the perimeter of the project during the development phase, a course which would inevitably delay the schedule, such agreements have to be reached by June 2004 at the latest for those potential functionalities that the Member States would like to see implemented from the beginning. If this is not the case, they will not be implemented before the migration of all Member States has been affected.

In this context, it should be pointed out that introducing new functionalities (e.g. the interlinking of alerts) might trigger the need to establish new or to revise existing SIRENE procedures.

4.2. List of SIS II functionalities

The list of SIS II functionalities contains the existing [18] and the potential new functionalities. As regards the new functionalities, general indications were given in the JHA Council conclusions of June 2003. These functionalities are currently being discussed in the Council. The new functionalities that should be operational at the launch of the system should be identified at the latest by June 2004 [19]. This is the case, for example, of the links between types of alerts and the practical conditions for storing photographs and fingerprints of wanted persons.

[18] Voir également les projets de décision et de règlement émanant du Royaume d'Espagne concernant l'attribution de certaines fonctions nouvelles au Système d'Information Schengen, y compris dans le cadre de la lutte contre le terrorisme (JO C 160 du 4 juillet 2002, p. 5 et s.)

[19] Before the signature of the contract which is planned for September 2004.

Finally, even if some of the potential functionalities mentioned in the Council conclusions of June 2003 will still need to be discussed later, SIS II will provide the technical flexibility to allow their implementation at a later stage, should a decision on them been taken. This could be the case for new categories of persons and objects under Articles 99 and/or 100.

4.3. Use of biometrics

From a police operational point of view, introducing biometric identification tools into SIS II would significantly improve the SIS II capacity to identify a person.

The existing SIS is based on the situation in the late eighties, when technology was not far enough advanced to allow the handling of any kind of digital images or biometric data on a permanent basis.

Moreover, law enforcement authorities are faced with more and more difficulties related to person identity checks and entry control. There are important operational problems, which can no longer be solved by a simple name search:

* Persons who know or assume they are stored in the SIS will try to hide their real identity by using false names (e.g. aliens subject to expulsion decisions). Even if the travel document produced is genuine, a SIS check using only a name search will fail.

* Assuming that a person has been apprehended using a false document, the real identity is unknown. With the current SIS functionality it is impossible to establish that the person is, for example, a wanted person and stored in the SIS under another identity.

* Multiple hits for a person with a common name (e.g. Schultze, Dupuis and basically any common family name) occur and make it very difficult to identify the person concerned. Citizens of countries with a traditionally more limited variety of family names (e.g. Bulgaria) might be particularly affected. This leads to potentially embarrassing situations for finally innocent persons and to ensuing operational and legal problems.

A bilateral exchange of biometric data could be started now via the SIRENE offices. However the growing number of Schengen partners excludes, from a practical point of view, such multiple exchanges for those cases. In addition, the reliability of results would be doubtful.

This explains why the biometric identification or the query on biometric data is clearly the appropriate solution for person identification. Should there be no firm decision on this functionality before the call for tender, SIS II must be designed and prepared for biometric identification to be implemented easily at a later stage, once the legal basis, allowing for the activation of such potential functionalities, has been defined. The advantage of designing the system now allows the choice and share of standards with other projects (e.g. VIS), easing the activation process in the future.

5. Schedule

The provisional schedule included in the SIS II 2002 Progress Report has been scrutinised and amended within the framework of the feasibility study. Draft versions of the overall schedule were presented to the SIS II Committee from January to April. Finally, a specific planning workshop was organised in May 2003 with the Member States and the Acceding Countries.

The latest version of the schedule is included in the annex of this Communication. It enables the Member States to prepare and carry out their call for tender procedures respecting their own national constraints.

The schedule also takes into account the willingness of the Member States to gradually migrate towards SIS II. In the conclusion of the May SIS II Committee meeting, the delegations expressed their wish to migrate to SIS II only when they are all individually ready. By the end of May 2003, this approach was preferred to an overnight migration, which would have forced all Member States to be ready at the same time. In the meantime, various alternative scenarii are being considered and so far no final conclusion has been reached.

The agreement on a gradual migration offers the advantage of allowing the integration of Acceding Countries earlier, even if some Member States still need to be migrated. The minimum number of migrated Member States to be connected to SIS II before Acceding Countries can migrate can be decided in the SIS II Committee at a later stage.

The consequence of gradual migration is that those Member States not ready in 2006 will continue the migration process in the first half of 2007.

The definite approach to migrate the Member States and integrate the Acceding Countries remains open until spring 2004 given that the successful tenderer can also propose alternative solutions.

A consensus on the programme was achieved by taking into account the compatibility between the schedules of the Commission and the Member States. Nevertheless, some of the Member States still have doubts about the ability to implement the project on time.

6. Costs

6.1. Outcome of the feasibility study

The initial estimates for the development, made in the first Commission Communication [20] to the Council and Parliament, amounted to 15,9 Million EUR for 2004-2006. As stated at that time, this was only a first indication, as the financial figures depend very much on the structure and content of the system to be delivered.

[20] COM(2001) 720 final.

The results of the feasibility study indicated that it would be necessary to invest a maximum of 28 Million EUR for the recommended option, which would also be 5 Million EUR cheaper than the other two possible options. This financial figure also includes the costs for the storage and exchange, but not for the query, of biometric data (fingerprints and pictures). The increase is mainly due to the fact that the concept of the Business Continuity System (BCS) was not taken into account in the previous estimates.

The chosen architecture option requires a high availability and robustness, to be achieved through specific implementation measures, such as doubled hardware and software, as well as data replication. The SIS II capacity to be highly available, including the possibility for the Member States to query the central SIS II database, allows those Member States which are ready to do so to discard their national database. The added value of such a feature is that the yearly costs for the management and maintenance of the national database will be reduced for those Member States able to do so.These costs also include a limited support that the successful tenderer will offer to the Member States. The aim is to provide assistance to the Member States during the national preparation and migration phase.

6.2. Comparisons between options

System development costs are similar for all three options analysed in detail in the feasibility study. The largest part of the costs is the national cost, which will be related to the implementation and migration of Member States to the National Interface.

System management costs, both for the Central System as well as for the National Interface, are lowest for the selected option (28 Million EUR compared to 33 Million EUR for the discarded options). The 28 Million EUR include: the First Implementation; Roll-out in 30 locations/Migration; Licences; Hardware.

Network costs are slightly higher for the chosen architecture, since more network capacity is needed, in order to answer requests from end-users. The expectations are, however, that cost for the network will decrease considerably in the near future, due to the improvement of new technologies, unlike costs related to system management.

Most of the future costs will be related to the management of the changes that SIS II will create. It therefore makes most sense to opt for the chosen architecture with as little system management as possible, and to make a trade-off with respect to network costs.

The yearly costs are also minimal for the recommended option. These costs start from 5.5 Million EUR to more than 6.5 Million EUR for the discarded options and include network, hosting, production and maintenance, new versions, releases and licences.

The economic impact for development at national level is identical for all three architectures.

The national cost can vary depending on which functionalities are to be implemented and also depending on the infrastructure currently in use in each Member State. The national costs must be estimated by Member States taking account of whether current national data files are to be discarded or not. At first glance, retention of the national data file would appear to be cheaper. However, the yearly cost could be constantly higher. On the other hand, reviewing the infrastructure by discarding the national file, even if expensive at the outset, would then reduce significantly the yearly costs, resulting in substantial overall savings.

6.3. Distribution of costs

This section considers the distribution of costs for SIS II between the Community and the Member States.

6.3.1. Costs linked to deploying SIS II

The SIS II project overall consists of the following components:

* The common part to be deployed by the Commission. This includes:

- Development of the common part of SIS II, estimated at EUR28 million and consisting of supplying a complete package (hardware and software) - the central system, geographically distributed (the high degree of accessibility of the central system depends on the geographical distribution of central units) and national interfaces. Development costs should be borne by the Community budget.

- Use of a European network infrastructure for interconnection between the Member States and the central system and for interconnection between the sites of which the central system consists. There are currently three possibilities: use the IDA programme's future TESTA III network, or use the SISNET network currently used for SIS I+, or combine the two for the sake of maximum accessibility of the system overall. The costs involved in deploying the TESTA network are already covered by the Community budget.

* Adaptation of existing national systems prior to linking them up to the common part.

The Member States must find the budget needed for these adaptations to their national systems to link them up to SIS II (via national interfaces).

The distribution of costs set out here matches the scope of the responsibility conferred on the Commission by the mandate received from the Council: the Commission is tasked with deploying the common system. This common system has been defined by the SIS II Committee as being delimited by and including the national interfaces to be installed in the Member States.

The Member States are to bear the cost of all activities related to national systems up to the interconnection with the national interface.

6.3.2. Operating costs

Once SIS II is operational, operating costs could be by a similar approach to that taken for making it available: the Community budget for operating the common part and national budgets for national systems linked to SIS II by the national interface.

Communication costs should also be distributed between the Member States.

A corresponding legal basis needs to be established.

6.4. Project budget impact

The Commission provided a first financial assessment for the whole project (2002-2006) in the financial annex to its Communication [21], anticipating that the financial implications would also depend on the structure and content of the system to be put in place. It therefore also stated that the feasibility study would allow for additional elements to confirm the figures in that financial annex. Considering the above, it is now necessary to propose an adjustment to the initial financial assessment budget previsions for 2003-06. Details are given in the financial statement annexed.

[21] COM(2001) 720 final.

6.4.1. Financial breakdown of the operating expenditures directly related to the design, development and deployment of the SIS II

The SIS II project consists of designing and deploying the project, the integration of Contracting Parties and providing them with adequate support. If the first task can be clearly and separately identified as the first step of the project, the other tasks could overlap each other, depending on the methodology used by the contractor. This implies that, from a contractual point of view, the project can be seen as being composed of two contract phases, design and implementation, planned to cover the 2004 and 2005-2006 periods, respectively.

In accordance with the planned timetable, Commission services will prepare one contract covering both contract phases. From a budgetary point of view, the award of the contract is dependent on the availability of the budget for Contract Phase I. The launch of Contract Phase II will be subject to a decision to be taken by the Commission at the end of Contract Phase I. The Commission will thereby consider the results of Contract Phase I and the budgetary availability for Contract Phase II.

The consequence of such an approach is that the commitments initially planned to be spread over 2005 and 2006 (contract phase II) need to be available at the latest from 2005. The annexed financial statement has been adapted subsequently.

6.4.2. Financial breakdown of other operating expenditures

In the light of the results of the feasibility study, additional resources which are necessary for additional studies have been identified for a global amount of 2.35 Million EUR. These additional resources will cover necessary additional studies and will be used to acquire specialised expertise in some specific domains (in particular security, network and technical project assistance). This expertise is indispensable in IT project management.

6.4.3. Funding of the SIS II project

The feasibility study stated that a maximum of 28 Million EUR are necessary for the design and development process of SIS II, compared to the original amount [22], i.e. 16.4 Million EUR (minus 0.5 Million EUR related to the feasibility study, i.e. 15.9 Million EUR).

[22] COM(2001) 720 final

The difference between the Commission Communication provisional financial estimate and the feasibility study is therefore 12.1 Million EUR plus the 2.35 Million EUR identified for additional studies and expertise.

Bearing in mind the margin on the financial perspectives in heading 3 for the period 2003-2006, the Commission will spread the supplementary amount of 14.45 Million EUR. The 12.1 Million EUR related to the development are spread over 2003-2005 and the 2.35 Million EUR over the whole period.

A global commitment will be made in 2003 and 2004 in the sense of Article 92 of Commission Regulation (EC, Euratom) N° 2342/2002 of 23 December 2002.

7. Management and Location of SIS II

7.1. Introduction

The future legal basis for SIS II must determine responsibility [23] for the management of the system once it is operational, that is to say when the Commission has completed its development. Technical management of the system raises a number of questions.

[23] See point 9.

7.2. Technical Management of SIS II

Generally speaking, from a technical point of view, IT systems require two sorts of management functions:

* Strategic management (decisions on how to integrate new functionalities, migration strategy, procurement, contract management etc.)

* Operational management (daily running of the hardware and software, service continuity, providing physical security etc.)

Operational and strategic management can be separated both organisationally and physically. However, since operational management requires continuous on-site presence, the choice of operational management should be addressed together with the question of the system location.

7.2.1. Strategic management

Currently, the Council carries out the strategic management of SIS.

As regards strategic management, three possibilities should be examined:

* Strategic Management by the Council (status quo)

* Strategic Management by Commission services

* Strategic Management by an agency or agency-related structure

7.2.1.1. Strategic Management by the Council (status quo)

The strategic management structure of the current SIS is explained by the intergovernmental legacy of the SIS, i.e. the institutional framework in which the Schengen Convention had originally been conceived.

In practice, strategic management of the SIS has been hampered by the relatively slow decision-making process in a Council framework not designed for the strategic management of IT systems. The fact that SIS is a cross-pillar instrument has further complicated matters. In addition, according to institutional logic and the provisions of the treaties, after integration of Schengen matters into the Community framework, executive tasks such as the strategic management of IT systems should not be dealt with within the Council framework.

7.2.1.2. Strategic Management by Commission services

Although the strategic management of large-scale IT systems is a field in which Commission services have gained significant experience over recent years, it is highly unlikely that strategic management of a system, the only users of which are Member States and authorised participating States, would be entrusted to the Commission only, even if assisted by a committee. In addition, the current internal organisation of the Commission (with different, policy sector related Directorates-General) would not allow for a centralised strategic management of large-scale IT systems in different policy sectors, enabling economies of scale and synergies.

Strategic Management of SIS II by Commission services alone is, therefore, also not a realistic option.

7.2.1.3. Strategic Management by an agency or agency-related structure

One possibility would be to establish an executive agency specifically responsible for managing large-scale information systems. Such an option might include - in order to reach a "critical mass" of IT systems the management of which might create sufficient synergies to justify the substantial initial investment linked to the creation of an agency - the necessity to look at the possible management of large-scale IT systems in areas other than Justice and Home Affairs and currently managed by the Commission on behalf of Member States. As an example, entrusting such an agency with the management of certain infrastructure services operated under the IDA programme, such as the network for interadministrative data exchanges (TESTA), should be explored. This might, however, have repercussions for the management structure, which will need to be assessed carefully.

An executive agency would be able to provide a framework not only for the Schengen Information System, but also for other present (EURODAC) and future large-scale IT systems in the area of Justice and Home Affairs (VIS [24], other future systems e.g. related to civil and penal co-operation) and, possibly, other policy sectors, allowing synergies and economy of scale.

[24] Visa Information System.

However, strategic management by the agency itself (i.e. its Directors) would require that the agency would not only have the necessary sector-related knowledge itself (which is unlikely to be the case), but would also be in a position to take a strategic - thus an often political - autonomous decision, which would be incompatible with its executive status. Tasks requiring discretionary powers in translating political choices into action remain indeed within the competence of the Commission [25].

[25] Council Regulation (EC) No 58/2003 of 19 December 2002 laying down the statute for executive agencies to be entrusted with certain tasks in the management of Community programmes.

For this reason, executive agencies are strategically steered by an agency-related Strategic Management structure, i.e. a Director appointed by the Commission and a Steering Committee, usually composed of members designated by the Commission. . Given that such a Steering Committee, which forms an integral part of an executive agency, could provide an ideal link between the executive agency, the European Institutions and SIS II users, it could be the appropriate solution for the future strategic management of SIS II and other large-scale IT systems managed by the agency, thus creating synergy effects and a more streamlined operation of large-scale IT systems, the functionalities of which might be partly interlinked.

It goes without saying that the institutional framework, and in particular the legislative powers of the Council, could not be changed by such a solution, and that extensive and regular reporting to Council, the European Parliament and the Commission would be required.

In addition, given the importance and size of the SIS II and therefore the rather frequent need for strategic decisions, certain routine tasks as well as the preparation of meetings of the Steering Committee could be delegated to an Executive Board, chaired by the Commission.

However, the administrative effort and cost of setting up an executive agency is not to be underestimated. Since one of the preconditions for the creation of an agency is that "the decision to outsource tasks must always be made on grounds of good management.... and because it is more cost-effective than direct management" [26], a careful analysis of the budgetary impact (which goes beyond the remit of this Communication) must precede any decision on devolution.

[26] See Communication on the externalisation of the management of Community programmes, COM(2000) 788 final, 13.12.2000.

Once the creation of an agency decided, since the setting-up of the strategic management structure would not necessarily be linked to the physical creation of the agency, a strategic management structure could, if necessary, even be set up in the event that by the system is ready, not all issues related to the creation of an agency have been solved. The strategic management structure (Steering Committee and Executive Board) could thus precede the physical creation of the agency or, in other words, be the "nucleus" of an agency "in statu nascendi".

7.2.2. Operational management

Operational management must normally be performed at the physical location of the central part and can be carried out by any organisation with the appropriate capacity and which complies with security requirements.

Although this is an area that might theoretically well be outsourced, given the sensitivity of the SIS data (public order and security and movement of persons) it does not seem advisable to outsource core areas of the system(s) (i.e. the real data processing) to a private firm. Operational management of the system should thus be the key activity of a future agency (see above). This would not exclude the possibility of private firms carrying out routine tasks such as technical maintenance (e.g. help desk system), as is the case within certain national administrations.

Operational management should thus be entrusted to a future executive agency.

However, as will be explained below when discussing location, contrary to strategic management, operational management needs to be in place during the development phase of SIS II. Operational management during the development phase of SIS II (until 2006) is thus linked to the location issue (see below).

The operational budgets needed after SIS II is launched will be determined at a later date in the light of information supplied by the contractor in response to the call for tenders.

7.3. Location of the central part of SIS II

Existing Schengen rules stipulate that the Schengen Information System is located in Strasbourg.

As regards SIS II, a decision on the location of the central part of SIS II must be taken at the latest by June 2004 before the contract with the successful tenderer of the SIS II call for tender will be signed [27]. In addition, contrary to the current system which does not provide a Business Continuity System allowing a full continuation of operations in case of a complete unavailability of the main system (e.g. after a fire), because of the high availability requirement for SIS II, a second location for such a Business Continuity System must be found.

[27] It should be noted that in case the "synergy approach" with SIS II is confirmed and VIS will share a common technical platform with SIS II, the central part of VIS will be located in the same location as SIS II.

The current SIS is located in a highly secure, custom-built facility which was built in 1993 at a cost of about 5 Million EUR. Independently of the choice of a location for any future agency involved in the operational management, a similarly secured location to that in Strasbourg will have to be available before September 2004. Since it will be impossible to custom-build a location within that timeframe, unless an existing location providing the same high level of security can be found, the only possibility would be to use the current SIS premises in Strasbourg to host SIS II. Independently of the installation of the main system, adequate premises for the Business Continuity System must be found but the installation of the Business Continuity System can take place later (but before mid-2005) than the installation of the main system.

Operational management has to be agreed on at the latest in June 2004, before the contract for SIS II will be signed with the successful tenderer following the SIS II call for tender.

Contrary to the strategic management which will have to be in place only shortly before SIS II becomes operational, operational management will have to be in place as of September 2004 to support the Commission, charged with developing the system, in its development tasks by, for example, preparing premises, carrying out tests etc.

Provided that it is agreed that the location of SIS II will provisionally be Strasbourg until a future agency has been set up, the operational management should therefore also provisionally be entrusted to the French administration, leaving open, however, the possibility of outsourcing some operational activities that may not be carried out by a public service.

In order to avoid any confusion of tasks, a clear agreement ("Service Level Agreement") will have to be put in place between the Commission and operational management, defining who does what, when and how. According to the decision taken regarding the location, this agreement might have to be continued (and updated) between strategic management and operational management once the project has passed the development phase and moves into the operational phase. Strategic management structures will have to be set up by the start of the operational phase. The division of tasks between operational and strategic management will also need to be defined by that time.

8. Future Visa Information system and synergies with SIS II

8.1. Political context

Based on the guidelines adopted by the Council for VIS on 13 June 2002, the Commission carried out a feasibility study, which provides an analysis of the technical and financial aspects of VIS, including - following the mandate of the guidelines - an assessment of possible synergy effects with SIS II. The VIS feasibility study was finalised and transmitted to the Council in May 2003.

The Thessaloniki European Council on 19 and 20 June 2003 highlighted the need to adopt orientations in order to satisfy the preferred options with regard to the planning for the development of the system as soon as possible after the Commission's feasibility study for VIS.

The Thessaloniki European Council stressed that "a coherent approach is needed in the EU on biometric identifiers or biometric data, which would result in harmonised solutions for documents for third country nationals, passports of Union citizens and information systems (VIS and SIS II)".

8.2. Introduction to the Visa Information System (VIS)

VIS is a proposed common system for the exchange of visa data between Member States. Two main processes were identified by the study: the storage of visa data during the visa issuing process, and the consultation of these data, where and when that information is useful, for instance at external border controls. These two processes support the objectives of VIS, as set out in the Council guidelines:

* facilitate the fight against fraud,

* contribute to the improvement of consular co-operation and the exchange of information between central consular authorities,

* facilitate checks at border checkpoints or at immigration or police checkpoints,

* contribute to the prevention of "visa shopping",

* facilitate the application of the Dublin Convention,

* assist in the procedures for returning citizens of third countries,

* contribute towards improving the administration of the common visa policy and internal security, and to combating terrorism.

The system would have a capacity to connect at least 27 Member States, 12 000 VIS users and 3 500 consular posts worldwide. The study is based on the assumption that 20 million visa requests would be handled annually.

Following the Council guidelines, VIS should comprise a Central Visa Information System (C-VIS) and a National Visa Information System (N-VIS) in each Member State. On that basis the study has assessed two architectural options: a separate VIS and a technical integration of VIS and SIS II in view of synergies.

Further points assessed by the study - as requested by the Council Guidelines - are, in particular, the communication infrastructures for VIS, the future development of the Schengen consultation network VISION, the interoperability with other systems and the categories of information to be stored and processed, namely alphanumeric data, photographs, supporting documents and biometric identifiers.

The Council Guidelines of 13 June 2002 indicated that "digitised photographs and other biometric data on the holder of the visa could also be entered in VIS when they are added to the visa file" . The study has assessed three options, which - for the present - can be envisaged as biometric identifiers: iris scanning, facial recognition and fingerprints. It recommends the latter as the primary biometric identifier and the use of facial recognition as an additional verification facility. However, with the use of biometrics on such an unprecedented scale, the system will enter a new and largely unknown dimension. The study clearly indicates that this issue would have great impact on such a system, both in technical and financial terms.

8.3. Possible Synergies with a future Visa Information system (VIS)

As stated in the Council Guidelines, the structure of the new VIS must be similar to that of the existing Schengen Information System (SIS). The current SIS system is composed of a Central System and a National System. Similarly, the VIS system would comprise a central visa information system (C-VIS) and, in each State, a national system (N-VIS) with an interface to the central system. The consular posts and other national authorities (border checkpoints, police and immigration authorities) would need to connect to their corresponding N-VIS to benefit from the VIS services.

Therefore, the Visa Information System would be based on three levels:

* Central level, referred as the Central Visa Information System (C-VIS), under a single responsible authority, to be decided;

* National level, for each Member State, comprising national systems (National Visa Information System, N-VIS) and their interfaces to the C-VIS;

* Local level, which includes consular posts, borders crossing points, and immigration and police authorities.

On the functional level, VIS users would consult SIS II during the issue of visa to determine whether an alert has been issued for the visa applicant for the purpose of refusing entry. Similarly, SIS users (border crossing points, police and immigration authorities) connected to the SIS technical infrastructure would need to check visa authenticity or traveller identity, as well as to identify undocumented travellers, and would thus need to be facilitated access to the new system.

>REFERENCE TO A GRAPHIC>

In view of the above, synergies could be envisaged between the two systems at central level, based on the assumption that VIS and SIS II would have a centralised architecture .

Feasible solutions for such synergy architecture are:

* Solution 1, common technical platform, aims at placing both systems in the same building, connecting them to the same network through a single access point, using the same technological platforms and sharing management tools and staff;

* Solution 2, common technical platform and services, introducing, in addition to the above (solution 1), synergies at application level. Shared or common services between the systems would be introduced.

Nevertheless in both of these solutions, data remains separated.

Synergies will not affect the business processes. Both SIS II and VIS users will be able to operate seamlessly, should the synergies be implemented. Synergies would lower the cost of ownership of both VIS and SIS II.

In addition, other synergies could be achieved: VIS and SIS II could share a common business continuity system at the central level with a significant reduction of costs; both projects could be developed under a common management organisation which could have the oversight of the project implementation, starting with a common call for tender procedure for both systems.

Technical integration of VIS and SIS II at central level is recommended, due to the reduction of total costs of investment and operations. In order to maximise the synergies between the systems, it is suggested that VIS and SIS II be implemented in parallel and even have a common call for tender for both systems. Likewise, it is advisable that the project management concerning the implementation should be assumed by a single organisation.

Apart from the obvious synergy advantages at central level, Member States can also achieve remarkable benefits and cost savings from synergy architecture.

Thousands of end-users, which belong to police authorities, border control and immigration services, for example, could use SIS II equipment to check visa information via the future SIS II infrastructure. Additional investment for dedicated VIS equipment could be avoided and the daily work could be simplified and harmonised.

>REFERENCE TO A GRAPHIC>

The information flow for SIS and VIS end-users.

Legend:

CP = Consular Post

N-VIS = National VIS

C-VIS = Central VIS

PIB LC = Local systems Police authorities and Immigration Services and Border control

NI= SIS National Interface

SIS II CS = SIS Core System, Central Level

Whatever the synergy implemented, both Council conclusions of 5 and 6 of June and the Conclusion of the European Council of Thessaloniki have clearly stressed that the VIS project must not delay the delivery of SIS II [28]. In their project planning, Commission services have paid particular attention to the possibility to decouple the VIS project management from the SIS II project management in case a delay might occur on the VIS project, thus ensuring that such a delay would have no repercussions on the implementing schedule for SIS II.

[28] Extract from the conclusions of the Presidency, European Council of 19 and 20 June 2003: " The European Council invites the Commission to prepare the appropriate proposals, starting with visas, while fully respecting the envisaged timetable for the introduction of the Schengen Information System II.

8.4. Financial overview VIS

The investment and yearly operational cost would depend on the decision which of the functionalities were chosen and which implementation scenario used. Biometrics and supporting documents functionalities would represent 90% of the costs. As a result also of first exchanges of views in the Visa Working Party and SCIFA, the first step towards a common VIS system should contain only alphanumeric data and photos. Biometrics and supporting documents will follow later.

For the setting up, implementing and operating of a separate VIS system, based on a centralised architecture and containing only alphanumeric data and photos, the cost estimates are:

>TABLE POSITION>

For the preferred option, when synergies are applied with the SIS II as a common technical platform for SIS and VIS, containing only alphanumeric data and photos, the cost estimates are:

>TABLE POSITION>

These budget figures do not cover additional external resources to support and assist COM in managing, controlling and set-up the project.

These estimates do not cover the investment and operational costs for the national parts of the VIS beyond the N-VIS, in particular the costs of adapting existing national systems and the envisaged world-wide connections to the consular posts and their equipment, shipping and the necessary training of consular staff.

These costs could be spread out over a number of years since it will take Member States several years to equip all their consular posts and to adapt their existing national visa systems. The graph below shows the estimate of spread investment and yearly operating costs.

>REFERENCE TO A GRAPHIC>

For implementing also biometrics and supporting documents functionalities, the investment costs for C-VIS and the N-VIS would be almost 157 million Euro and the cost for operation could reach 35 million Euro a year for a solution based on a common technical platform with SIS II. For a separate VIS with centralised architecture these investment costs would be 158 million Euro with annual operational costs of about 42 million Euro.

The investment cost for implementing biometrics and supporting documents could also be spread out over several years and it will take 5 years from the start of the implementation for the yearly operational costs to reach the maximum.

However, cost estimates are very difficult in the fields of IT, especially with regard to the very dynamic biometric market, where dramatic price decreases are currently being observed.

It can therefore be reasonably expected that the final "price tag" will be lower than the above estimates that reflect estimated market prices of December 2002.

9. Legal impact

SIS II will need a legal basis. The development of SIS II will have a legal aspect and the Council "Justice and Home Affairs" of 5 and 6 June 2003, in its conclusions on SIS II regarding the architecture and the functionalities of SIS II, requested "that in due time, the necessary legislative provisions reflecting the principles underlying the current conclusions be prepared for adoption".

Since the new legal texts will have to be "Amsterdam-compatible", the development of SIS II is the appropriate occasion to present new legal texts to replace the entire Title IV of the Schengen Convention. This will also allow the European Parliament to play its full role as regards SIS II.

As regards the VIS, it goes without saying that despite the technical synergies, a separate legal framework will have to be established.

10. Data protection

The data-protection authorities will have to be consulted regularly on planned developments to SIS II. The consultation should relate specifically to the new functionalities to be introduced and their implementation in terms of categories of personal data, public authorities' access to the data, securing individual rights and the more general assurances to be given. The consultation should specifically extend to the question of SIS II processing of biometric data and photographs, cross-checking of requests and data exchanges with VIS.

The architecture of the system envisaged by the Commission has the flexibility needed to allow quick adjustment to new needs flowing from the data-protection rules.

The question of the physical and logical security of personal data to provide protection against unauthorised access is an integral part and a core element of the development of the system (see point 1.3).

11. Conclusions

So far, work on implementing SIS II has proceeded exactly as scheduled.

All the necessary measures have been taken to ensure that the ambitious schedule is adhered to. But this depends on all those involved in the project being highly mobilised, on strict compliance with intermediate stages defined at paragraph 2.1.3 and political decisions, no later than spring 2004, on additional functionalities and the location of the future system.

The conclusions of the Justice and Home Affairs Council in Luxembourg on 5 and 6 June 2003 have enabled the Commission to issue an invitation to tender for SIS II in autumn 2003 as planned.

On the basis of the recommendations in the feasibility study, the opinions of the SIS II Committee and the relevant Council Working Parties, the Council has decided to go for the centralised architecture and a uniform national interface in each Member State. The national interfaces must be supplied in the form of a standard turnkey solution ("RTS") and will not contain SIS data. Member States who wish to do so retain the option of keeping a national copy of the SIS data bank on their own responsibility alone. Those that do not wish to do so will be able to search in the central system direct, which depends on availability, integrity and regular updating of SIS data. Given the requisite high degree of availability, the Council has taken the decision to install a back-up system at a different place and to implement a communications infrastructure offering necessary assurance as to availability. The central system and the national interfaces must, of course, be of a suitably high security level.

Regarding functional requirements, the Council has concluded that SIS II should be a "hit/no hit" system, with supplementary functionalities over those that exist today. Certain of these supplementary functionalities are already clearly identified in the Council conclusions, [29] whereas others will have to be agreed on before the detailed analysis begins (i.e. no later than spring 2004) if the Member States want them to be operational as soon as SIS II comes on line (links between alerts, new fields in personal descriptions, conditions for storing digitised photographs and fingerprints of wanted persons, etc.). On the legislative front, the Council has asked for proposals to be prepared in good time for adoption.

[29] Document 9808/03 SIRIS 47 CATS 34 ASIM 31 COMIX 330.

As for the location, management and long-term financing of SIS II, the Council has asked its relevant working parties to prepare conclusions for adoption by May 2004. The proposals for the establishment of an agency in this Communication could provide a basis for the discussions needed to prepare these conclusions, on which the possibility of setting up the new system and starting development work will depend.

Concerning the financial aspects of the project phase itself, the feasibility study has identified an additional need for EUR14.45 million on top of the estimates set out in an earlier Communication. [30] Likewise, the year-by-year distribution has had to be reviewed as proposed in the financial statement annexed to this Communication.

[30] COM(2001) 720 final, annex.

Following the JHA Council Conclusions of 5 and 6 June 2003, [31] the specifications of the VIS system will be incorporated in the invitation to tender for SIS II, but the development of VIS functionalities may begin only after the Council decision that is to be taken no later than December 2003.

[31] Document 9916/1/03 Rev 1 Visa 97 Comix 341.

This approach will give the Member States time for the discussions on the financial aspects of VIS and for deciding on the biometric identifiers to be use while preserving the possibility of synergies between the two systems. A second invitation to tender could subsequently be issued for the biometric functionalities envisaged for the two systems.

12. Annex 1: SIS II calendar January - June 2003

Date // Description

17 January // SIS II Committee meeting

27 January // First version of the feasibility reports

18 February // SIS II Committee meeting

19 March // SIS II Committee meeting - First day

24 March // SIS II Committee meeting - Second day. Agreement to send feasibility reports to the Council

9 April // TAIEX seminar

10 April // SIS II Committee meeting. Agreement to send security report [32] to the Council

[32] A delivery of the feasibility study.

14 May // SIS II Committee meeting. Acceding Countries participation as observers

21 May // Planning workshop

12-13 June // SIS II Committee meeting

10 June // Function workshop

19 June // Interface control document workshop

13. Annex 2: Provisions schedule up to 2007

>REFERENCE TO A GRAPHIC>

14. Annex 3: legislative financial statement

LEGISLATIVE FINANCIAL STATEMENT

Policy area(s): JHA

Activit(y/ies): Cooperation in the field of Title IV TEC (visa, asylum, immigration and other policies to the free circulation of persons) and of Title VI TEU (police and penal judicial cooperation)

Title of operation: Development of SIS II System

1. Budget line(s) + heading(s)

18 08 02 - Schengen Information System (SIS II)

2. Overall figures

2.1. Total allocation for action (Part B): EUR 31.3 Million for commitment

2.2. Period of application

2003-2006

2.3. Overall multiannual estimate of expenditure

(a) Schedule of commitment appropriations/payment appropriations (financial statement) (see point 6.1.)

>TABLE POSITION>

EUR million (to three decimal places)

(b) Incidence financière globale des ressources humaines et autres dépenses de fonctionnement (cf. points 7.2 et 7.3)

>TABLE POSITION>

>TABLE POSITION>

2.4. Compatibility with financial programming and financial perspective

- X Proposal is compatible with existing financial programming.

Proposal will entail reprogramming of the relevant heading in the financial perspective.

- Proposal may require application of the provisions of the Inter-institutional Agreement.

2.5. Financial impact on revenue:

[X] Proposal has financial impact - the effect on revenue is as follows:

The present proposal builds upon the Schengen acquis as defined in Annex A of the Agreement signed on 18 May 1999 between the Council and the Republic of Iceland and the Kingdom of Norway concerning the association of those both States with the implementation, application and development of the Schengen acquis [33]. The article 12(1) last paragraph lays down:

[33] OJ L 176, 10 July.99, p. 35.

"In cases where operational costs are attributed to the general budget of the European Community, Iceland and Norway shall share in these costs by contributing to the said budget an annual sum in accordance with the percentage of the gross national product of their countries in relation with the gross national product of all participating States".

Contribution from Iceland/Norway: 2.128% (estimated contributions based on 2002 figures, to be determined in accordance with the above-mentioned article)

(EUR million to three decimal place)

>TABLE POSITION>

3. Budget characteristics

>TABLE POSITION>

4. Legal basis

This statement is not a financial statement accompanying a legislative proposal but a statement on the launch of a project. The development and installation of SIS II will require the timely adoption of legislative measures.

5. Description and grounds

5.1. Need for Community intervention

5.1.1. Objectives pursued

The SIS is an essential tool for the proper practical operation of free movement for persons within the area without controls at internal frontiers referred to in Title IV of Part Three of the EC Treaty. The current system devised around ten years ago and in operation since 1995, needs to be modernized and modified to allow the participation of all the Member States after enlargement. The necessary studies and operations need to be started in order to introduce a second generation SIS. The expenditure required for these studies and operations will be charged to the general budget of the European Communities.

5.1.2. Measures taken in connection with ex ante evaluation

The financial statement made in this sheet relates to the procurement of technical expertise, management expertise, hardware and software, etc. during the entire project life cycle and is based on:

- initial estimates made in the Belgian-Swedish initiatives

- evaluation of the consequences of the on-going work in the Council working groups;

- estimates based on Commission's guidelines and experience in IT projects;

- estimates based on the outcome of a specific feasibility study on the SIS II ended in early 2003;

- experience in developing and managing the current SIS and the differences that are foreseen or expected between the two systems. It should be noted that the SIS 1+, and migration to the SISNET network, has entailed a total cost of around EUR 11 million since the project was started. SIS II must be able to handle a much larger number of countries, more information types, larger volumes of data, stricter security and must also offer a high available and flexible solution that can survive the years after its introduction when new requests for changes will occur.

The SIS II project is a large-scale project, comparable to other major Community IT projects such as the CIS [34] or the "Transit" system [35]. The total amount involved is higher than the rough figures initially put forward in the financial statement annexed to the Belgian-Swedish initiatives proposing a committee procedure to assist the Commission in its work, but is based on a thorough analysis of the usual needs for IT projects of this scale and importance, especially in terms of management of the project and system development.

[34] Custom Information System integrated in AFIS project (Anti Fraud Information System) developed by the Commission.

[35] The "Transit system", a Customs system launched and managed by the Commission.

However carefully the cost analysis for the project has been carried out, the figures given must still be considered as working hypothesis. They could also be affected by decisions taken by the Council (additional functionalities, final choice for the network for example) with an impact on the project and the technical solution to be chosen for SIS II. In addition, the tight implementation schedule might require an additional external support at the very last stage of the project.

5.1.3. Measures taken following ex post evaluation

Because the conception and management of SIS II is the responsibility of the Member States, there is no Community-level ex-post evaluation. The development of SIS II, as proposed in this Communication, will nonetheless take account of the experience gained from the development and management of SIS I.

5.2. Actions envisaged and budget intervention arrangements

* Detailed Technical Design (Development and construction phase)

Following the Feasibility Study and the launch of a call for tender to select the supplier of the technical solution (who, under the responsibility and close supervision of the Commission, will start setting-up the system), the Detailed Technical Design phase aims at delivering all the documents needed for the development of the system. Acceptance tests will be carried out for the delivered documents before development.

* System Development and Deployment

Once the solution proposed is checked against the tender requirements and in the light of users' requirements, the solution will be developed, tested and deployed. Several acceptance actions will be performed to ensure the solution is ready before migration.

* Migration, Integration and Support

Migration from SIS I to SIS II, together with preparations for integrating the new Member States, constitute the final phase of the project. Migration to SIS II will be subject to a risk assessment to determine whether it would be more effective to run the two systems in parallel in a pre-operational phase or to migrate directly from SIS I to SIS II.

In addition, to ensure that the operational phase gets off to a good start, the call for tenders ensures that the contractor has to provide maintenance and support.

* Specialised technical expertise and additional studies

The nature of the project generates a need for expertise in several technical fields, like for example biometrics, but also security and network. Provisions for additional studies and external expertise are therefore necessary.

5.3. Methods of implementation

Implementation of development work will be managed directly by the Commission using internal and external resources (auxiliary staff and national experts), since high-quality technical expertise is required. The Member States will be closely involved in the work via the committee that will have to be set up for this purpose.

6. Financial impact

6.1. Total financial impact on Part B - (over the entire programming period)

6.1.1. Operating expenditure related to development, deployment and support

>TABLE POSITION>

Individual Commitments [36] (in EUR million to three decimal places)

[36] Subject to the availability of budgetary credits, global commitments for a maximum amount of 4 Million EUR and 10,45 Million EUR shall be made in 2003 and 2004. These global commitments shall cover the total cost of the corresponding individual commitments up to 31 December of year n + 1.

6.2. Calculation of costs by measure envisaged in Part B (over the entire programming period)

>TABLE POSITION>

Commitments (in EUR million to three decimal places)

7. Impact on staff and administrative expenditure

7.1. Impact on human resources

As SIS II resources are established from 2004, the impact on human and financial resources in 2005 and 2006 will be the same, and are indicated as below:

>TABLE POSITION>

7.2. Overall financial impact of human resources

>TABLE POSITION>

The amounts are total expenditure for twelve months.

7.3. Other administrative expenditure deriving from the action

>TABLE POSITION>

The amounts are total expenditure for twelve months.

1 Specify the type of committee and the group to which it belongs.

>TABLE POSITION>

Requirements for human and administrative resources will be met from within the appropriation allocated to each managing DG in the annual allocation procedure.

8. Follow-up and evaluation

Every six months the Commission will present to the Council and the European Parliament a progress report on development work for SIS II.

When the SIS II has become operational, it will be evaluated every four years to assess the results and the effectiveness of the system.

9. Anti-fraud measures

The Commission procedures for the award of contracts will be applied, ensuring compliance with Community law on public contracts.