REGULATION (EU) 2018/1726 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 14 November 2018

on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union and in particular Article 74, Article 77(2)(a) and (b), Article 78(2)(e), Article 79(2)(c), Article 82(1)(d), Article 85(1), Article 87(2)(a) and Article 88(2) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure (1),

Whereas:

(1) The Schengen Information System (SIS II) was established by Regulation (EC) No 1987/2006 of the European Parliament and of the Council (2) and by Council Decision 2007/533/JHA (3). Regulation (EC) No 1987/2006 and Decision 2007/533/JHA provide that the Commission is to be responsible, during a transitional period, for the operational management of the central system of SIS II (Central SIS II). After that transitional period, a Management Authority is to be responsible for the operational management of Central SIS II and certain aspects of the communication infrastructure.

(2) The Visa Information System (VIS) was established by Council Decision 2004/512/EC (4). Regulation (EC) No 767/2008 of the European Parliament and of the Council (5) provides that the Commission is to be responsible, during a transitional period, for the operational management of the VIS. After that transitional period, a Management Authority is to be responsible for the operational management of the central VIS and of the national interfaces and for certain aspects of the communication infrastructure.

(3) Eurodac was established by Council Regulation (EC) No 2725/2000 (6). Council Regulation (EC) No 407/2002 (7) laid down necessary implementing rules. Those legal acts were repealed and replaced by Regulation (EU) No 603/2013 of the European Parliament and of the Council (8) with effect from 20 July 2015.

(4) The European Agency for the operational management of large-scale IT (information technology) systems in the area of freedom, security and justice, commonly referred to as eu-LISA, was established by Regulation (EU) No 1077/2011 of the European Parliament and of the Council (9) in order to ensure the operational management of SIS, the VIS and Eurodac and of certain aspects of their communication infrastructures and potentially that of other large-scale IT systems in the area of freedom, security and justice, subject to the adoption of separate Union legal acts. Regulation (EU) No 1077/2011 was amended by Regulation (EU) No 603/2013 in order to reflect the changes introduced to Eurodac.

(5) Since the Management Authority required legal, administrative and financial autonomy, it was established in the form of a regulatory agency (the ‘Agency’) with legal personality. As was agreed, the seat of the Agency was established in Tallinn, Estonia. However, since the tasks relating to the technical development and the preparation for the operational management of SIS II and the VIS were already being carried out in Strasbourg, France, and a backup site for those systems had been installed in Sankt Johann im Pongau, Austria, in line also with the locations of SIS II and the VIS as established under the relevant Union legal acts, this should continue to be the case. Those two sites should also continue to be the locations, respectively, where the tasks relating to operational management of Eurodac are carried out and where a backup site for Eurodac is established. Those two sites should also be the locations, respectively, for the technical development and operational management of other large-scale IT systems in the area of freedom, security and justice and for a backup site capable of ensuring the operation of a large-scale IT system in the event of failure of that large-scale IT system. In order to maximise the possible use of the backup site, that site could also be used to operate systems simultaneously provided that it remains capable of ensuring their operation in the event of failure of one or more of the systems. Due to the high-security, high-availability and mission-critical nature of the systems, if the hosting capacity of the existing technical sites becomes insufficient, it should be possible for the Agency’s Management Board (the Management Board), where justified on the basis of an independent impact assessment and cost-benefit analysis, to propose the establishment of a second separate technical site either in Strasbourg or in Sankt Johann im Pongau or in both locations, as required, in order to host the systems. The Management Board should consult the Commission and take its views into account before notifying the European Parliament and the Council (the ‘budgetary authority’) of its intention to implement any project related to property.

(6) Since taking up its responsibilities on 1 December 2012, the Agency took over the tasks conferred on the Management Authority in relation to the VIS by Regulation (EC) No 767/2008 and Council Decision 2008/633/JHA (10). In April 2013, the Agency also took over the tasks conferred on the Management Authority in relation to SIS II by Regulation (EC) No 1987/2006 and Decision 2007/533/JHA after SIS II went live and, in June 2013, it took over the tasks conferred on the Commission in relation to Eurodac in accordance with Regulations (EC) No 2725/2000 and (EC) No 407/2002.

(7) The first evaluation of the Agency’s work, based on an independent external evaluation and carried out in the period 2015-2016 concluded that the Agency effectively ensures the operational management of the large-scale IT systems and other tasks entrusted to it but also that a number of changes to Regulation (EU) No 1077/2011 are necessary such as the transfer to the Agency of the communication infrastructure tasks retained by the Commission. Building on that external evaluation, the Commission took into account policy, legal and factual developments and proposed, in particular in its report of 29 June 2017 on the functioning of the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) (the evaluation report), that the mandate of the Agency be extended to carry out the tasks deriving from the adoption by the co-legislators of legislative proposals entrusting new systems to the Agency and the tasks referred to in the Commission’s Communication of 6 April 2016 entitled ‘Stronger and Smarter Information Systems for Borders and Security’, in the High-Level Expert Group on Information Systems and Interoperability’s final report of 11 May 2017 and in the Commission’s Communication of 16 May 2017 entitled ‘Seventh progress report towards an effective and genuine Security Union’, subject to the adoption of the relevant Union legal acts, where required. In particular, the Agency should be tasked with the development of solutions regarding interoperability defined in the Communication of 6 April 2016 as the ability of information systems to exchange data and to enable the sharing of information.

Where relevant, any actions carried out with regard to interoperability should be guided by the Commission’s Communication of 23 March 2017 entitled ‘European Interoperability Framework — Implementation Strategy’. Annex 2 of that Communication provides the general guidelines, recommendations and best practices for achieving interoperability or for, at least, creating the environment to achieve better interoperability when designing, implementing and managing European public services.

(8) The evaluation report also concluded that the Agency’s mandate should be extended to enable it to provide Member States with advice with regard to the connection of national systems to the central systems of the large-scale IT systems it manages (the ‘systems’) and with ad hoc assistance and support, where requested, and to provide the Commission services with assistance and support on technical issues related to new systems.

(9) The Agency should be entrusted with the preparation, development and operational management of the Entry/Exit System (EES), established by Regulation (EU) 2017/2226 of the European Parliament and of the Council (11).

(10) The Agency should also be entrusted with the operational management of DubliNet, a separate secure electronic transmission channel set up under Article 18 of Commission Regulation (EC) No 1560/2003 (12), which Member States’ competent asylum authorities should use for the exchange of information on applicants for international protection.

(11) The Agency should further be entrusted with the preparation, development and operational management of the European Travel Information and Authorisation System (ETIAS), established by Regulation (EU) 2018/1240 of the European Parliament and of the Council (13).

(12) The core function of the Agency should continue to be the fulfilment of the operational management tasks for SIS II, the VIS, Eurodac, the EES, DubliNet, ETIAS and, if so decided, other large-scale IT systems in the area of freedom, security and justice. The Agency should also be responsible for technical measures required as a result of the non-normative tasks with which it is entrusted. Those responsibilities should be without prejudice to the normative tasks reserved for the Commission alone or for the Commission assisted by a Committee in the respective Union legal acts governing the systems.

(13) The Agency should be able to implement technical solutions in order to comply with the availability requirements laid down in the Union legal acts governing the systems, while fully respecting the specific provisions of those acts with regard to the technical architecture of the respective systems. Where those technical solutions require a duplication of a system or a duplication of components of a system, an independent impact assessment and cost-benefit analysis should be carried out and a decision should be taken by the Management Board following the consultation of the Commission. That impact assessment should also include an examination of the hosting capacity needs of the existing technical sites related to the development of such technical solutions and the possible risks related to the current operational set up.

(14) It is no longer justified for the Commission to retain certain tasks related to the communication infrastructure of the systems and those tasks should therefore be transferred to the Agency in order to improve the coherence of the management of the communication infrastructure. However, for those systems that use EuroDomain, a secured communication infrastructure provided by TESTA-ng (Trans-European Services for Telematics between Administrations-new generation) and set up as part of the ISA Programme that was established by Decision No 922/2009/EC of the European Parliament and of the Council (14) and continued as part of the ISA2 Programme that was established by Decision (EU) 2015/2240 of the European Parliament and of the Council (15), the tasks in relation to the implementation of the budget, acquisition and renewal and contractual matters should be retained by the Commission.

(15) The Agency should be able to entrust tasks relating to the delivery, setting up, maintenance and monitoring of the communication infrastructure to external private-sector entities or bodies in accordance with Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council (16). The Agency should have sufficient budgetary and staff resources at its disposal in order to limit as much as possible the need to outsource its tasks and duties to external private-sector entities or bodies.

(16) The Agency should continue to perform tasks relating to training on the technical use of SIS II, the VIS and Eurodac and other systems entrusted to it in the future.

(17) In order to contribute to evidence-based Union migration and security policy-making and to the monitoring of the proper functioning of the systems, the Agency should compile and publish statistics and produce statistical reports and make them available to relevant actors in accordance with the Union legal acts governing the systems, for example in order to monitor the implementation of Council Regulation (EU) No 1053/2013 (17) and for the purposes of carrying out risk analysis and vulnerability assessment in accordance with Regulation (EU) 2016/1624 of the European Parliament and of the Council (18).

(18) It should be possible to make the Agency responsible for the preparation, development and operational management of additional large-scale IT systems pursuant to Articles 67 to 89 of the Treaty on the Functioning of the European Union (TFEU). Possible examples of such systems could be the centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons to supplement and support the European Criminal Records Information System (ECRIS-TCN system) or the computerised system for cross-border communication in civil and criminal proceedings (e-CODEX). However, the Agency should be entrusted with such systems only by means of subsequent and separate Union legal acts, preceded by an impact assessment.

(19) The mandate of the Agency with regard to research should be extended in order to increase its ability to be more proactive in suggesting relevant and necessary technical changes to the systems. The Agency should not only be able to monitor research activities relevant to the operational management of the systems but also be able to contribute to the implementation of relevant parts of the European Union Framework Programme for Research and Innovation, where the Commission delegates the relevant powers to the Agency. At least once a year, the Agency should provide information on such monitoring to the European Parliament, to the Council and, where the processing of personal data is concerned, to the European Data Protection Supervisor.

(20) It should be possible for the Commission to entrust the Agency with responsibility for carrying out pilot projects of an experimental nature designed to test the feasibility of an action and its usefulness, which may be implemented without a basic act in accordance with Regulation (EU, Euratom) 2018/1046. In addition, it should be possible for the Commission to entrust the Agency with budget implementation tasks for proofs of concept funded under the instrument for financial support for external borders and visa established by Regulation (EU) No 515/2014 of the European Parliament and of the Council (19) in accordance with Regulation (EU, Euratom) 2018/1046, after informing the European Parliament. It should also be possible for the Agency to plan and implement testing activities on matters strictly covered by this Regulation and the Union legal acts governing the development, establishment, operation and use of the systems, such as testing virtualisation concepts. When tasked with carrying out a pilot project, the Agency should pay particular attention to the European Union Information Management Strategy.

(21) The Agency should, as regards the connection of national systems to the central systems provided for in the Union legal acts governing the systems, provide advice to Member States at their request.

(22) The Agency should also provide ad hoc support to Member States at their request, subject to the procedure set out in this Regulation, where required by extraordinary security or migratory challenges or needs. In particular, a Member State should be able to request and rely on operational and technical reinforcement where that Member State faces specific and disproportionate migratory challenges at particular areas of its external borders characterised by large inward migratory flows. Such reinforcement should be provided in hotspot areas by migration management support teams composed of experts from relevant Union agencies. Where the support of the Agency is required in this context with regard to issues related to the systems, the Member State concerned should transmit a request for support to the Commission, which, following its assessment that such support is effectively justified, should transmit the request for support without delay to the Agency. The Agency should, inform the Management Board of such requests. The Commission should also monitor whether the Agency provides a timely response to the request for ad hoc support. The Agency’s annual activity report should report in detail on the actions the Agency has carried out to provide ad hoc support to Member States and on the costs incurred in that respect.

(23) The Agency should also support the Commission services on technical issues related to existing or new systems, where requested, in particular for the preparation of new proposals on large-scale IT systems to be entrusted to the Agency.

(24) It should be possible for a group of Member States to entrust the Agency with the development, management or hosting of a common IT component in order to assist them with the implementation of technical aspects of obligations deriving from Union legal acts regarding decentralised IT systems in the area of freedom, security and justice. This should be without prejudice to the obligations of those Member States under the applicable Union legal acts, in particular with regard to the architecture of those systems. This should require prior approval by the Commission, be subject to a positive decision of the Management Board, be reflected in a delegation agreement between the Member States concerned and the Agency and be financed fully by the Member States concerned. The Agency should inform the European Parliament and the Council of the approved delegation agreement and of any modifications thereto. Other Member States should be able to participate in such common IT solutions provided that this possibility is provided for in the delegation agreement and that the necessary amendments are made thereto. This task should not adversely affect the Agency’s operational management of the systems.

(25) Entrusting the Agency with the operational management of large-scale IT systems in the area of freedom, security and justice should not affect the specific rules applicable to those systems. In particular, the specific rules governing the purpose, access rights, security measures and further data protection requirements for each such system are fully applicable.

(26) In order to monitor effectively the functioning of the Agency, the Member States and the Commission should be represented on the Management Board. The Management Board should be entrusted with the necessary functions, in particular to adopt the annual work programme, to carry out its functions relating to the Agency’s budget, to adopt the financial rules applicable to the Agency and to establish procedures for taking decisions relating to the operational tasks of the Agency by the Executive Director. The Management Board should carry out those tasks in an efficient and transparent way. Following the organisation of an appropriate selection procedure by the Commission, and following a hearing of the proposed candidates in the competent committee or committees of the European Parliament, the Management Board should also appoint an Executive Director.

(27) Considering that the number of large-scale IT systems entrusted to the Agency will have increased significantly by 2020 and that the tasks of the Agency are being considerably enhanced, there will be a corresponding large increase in staff of the Agency up until 2020. A position of Deputy Executive Director of the Agency should therefore be created, taking also into account the fact that the tasks relating to the development and operational management of the systems will require increased and dedicated oversight and that the headquarters and technical sites of the Agency are spread over three Member States. The Management Board should appoint the Deputy Executive Director.

(28) The Agency should be governed and operated taking into account the principles of the Common approach on Union decentralised agencies adopted on 19 July 2012 by the European Parliament, the Council and the Commission.

(29) As regards SIS II, the European Union Agency for Law Enforcement Cooperation (Europol) and the European Judicial Cooperation Unit (Eurojust), which both have the right to access and directly search data entered in SIS II pursuant to Decision 2007/533/JHA, should have observer status at the meetings of the Management Board when a question in relation to the application of that Decision is on the agenda. The European Border and Coast Guard Agency, which has the right to access and search SIS II pursuant to Regulation (EU) 2016/1624, should have observer status at the meetings of the Management Board when a question in relation to the application of that Regulation is on the agenda. Europol, Eurojust and the European Border and Coast Guard Agency should each be able to appoint a representative to the SIS II Advisory Group established under this Regulation.

(30) As regards the VIS, Europol should have observer status at the meetings of the Management Board, when a question in relation to the application of Decision 2008/633/JHA is on the agenda. Europol should be able to appoint a representative to the VIS Advisory Group established under this Regulation.

(31) As regards Eurodac, Europol should have observer status at the meetings of the Management Board, when a question in relation with the application of Regulation (EU) No 603/2013 is on the agenda. Europol should be able to appoint a representative to the Eurodac Advisory Group established under this Regulation.

(32) As regards the EES, Europol should have observer status at the meetings of the Management Board when a question concerning Regulation (EU) 2017/2226 is on the agenda.

(33) As regards ETIAS, Europol should have observer status at the meetings of the Management Board when a question concerning Regulation (EU) 2018/1240 is on the agenda. The European Border and Coast Guard Agency should also have observer status at the meetings of the Management Board when a question concerning ETIAS in relation with the application of that Regulation is on the agenda. Europol and the European Border and Coast Guard Agency should be able to appoint a representative to the EES-ETIAS Advisory Group established under this Regulation.

(34) Member States should have voting rights on the Management Board concerning a large-scale IT system, where they are bound under Union law by any Union legal act governing the development, establishment, operation and use of that particular system. Denmark should also have voting rights in relation to a large-scale IT system if it decides, under Article 4 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union (TEU) and to the TFEU, to implement the Union legal act governing the development, establishment, operation and use of that particular system in its national law.

(35) Member States should appoint a member to the Advisory Group of a large-scale IT system if they are bound under Union law by any Union legal act governing the development, establishment, operation and use of that particular system. Denmark should, in addition, appoint a member to the Advisory Group of a large-scale IT system if it decides, under Article 4 of Protocol No 22, to implement the Union legal act governing the development, establishment, operation and use of that particular system in its national law. Advisory Groups should cooperate with each other when necessary.

(36) In order to guarantee its full autonomy and independence and to enable it to properly fulfil the objectives and to perform the tasks assigned to it by this Regulation, the Agency should be granted an adequate and autonomous budget with revenue from the general budget of the Union. The financing of the Agency should be subject to an agreement between the European Parliament and the Council as set out in point 31 of the Interinstitutional Agreement of 2 December 2013 between the European Parliament, the Council and the Commission on budgetary discipline, on cooperation in budgetary matters and sound financial management (20). The Union budgetary and discharge procedures should apply. The auditing of accounts and of the legality and regularity of the underlying transactions should be undertaken by the Court of Auditors.

(37) For the purpose of fulfilling its mission and to the extent required for the accomplishment of its tasks, the Agency should be allowed to cooperate with Union institutions, bodies, offices and agencies, in particular those established in the area of freedom, security and justice, in matters covered by this Regulation and the Union legal acts governing the development, establishment, operation and use of the systems in the framework of working arrangements concluded in accordance with Union law and policy and within the framework of their respective competences. Where so provided by a Union legal act, the Agency should also be allowed to cooperate with international organisations and other relevant entities and should be able to conclude working arrangements for that purpose. Those working arrangements should receive the Commission’s prior approval and be authorised by the Management Board. The Agency should also consult and follow up on the recommendations of the European Union Agency for Network and Information Security (ENISA), established by Regulation (EU) No 526/2013 of the European Parliament and of the Council (21), regarding network and information security, where appropriate.

(38) When ensuring the development and the operational management of the systems, the Agency should follow European and international standards, taking into account the highest professional requirements, in particular the European Union Information Management Strategy.

(39) Regulation (EU) 2018/1725 of the European Parliament and of the Council (22) should apply to the processing of personal data by the Agency, without prejudice to the provisions on data protection laid down in the Union legal acts governing the development, establishment, operation and use of the systems, which should be consistent with Regulation (EU) 2018/1725. In order to maintain security and to prevent processing in infringement of Regulation (EU) 2018/1725 and of the Union legal acts governing the systems, the Agency should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage. The European Data Protection Supervisor should be able to obtain from the Agency access to all information necessary for his or her enquiries. In accordance with Regulation (EC) No 45/2001 of the European Parliament and of the Council (23), the Commission consulted the European Data Protection Supervisor, who delivered an opinion on 10 October 2017.

(40) In order to ensure the transparent operation of the Agency, Regulation (EC) No 1049/2001 of the European Parliament and of the Council (24) should apply to the Agency. The Agency should be as transparent as possible with regard to its activities, without jeopardising the attainment of the objective of its operations. It should make public information on all of its activities. It should likewise ensure that the public and any interested party are promptly given information with regard to its work.

(41) The activities of the Agency should be subject to the scrutiny of the European Ombudsman in accordance with Article 228 TFEU.

(42) Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council (25) should apply to the Agency, which should accede to the Interinstitutional Agreement of 25 May 1999 between the European Parliament, the Council of the European Union and the Commission of the European Communities concerning internal investigations by the European Anti-Fraud Office (OLAF) (26).

(43) Council Regulation (EU) 2017/1939 (27), concerning the establishment of the European Public Prosecutor’s Office, should apply to the Agency.

(44) In order to ensure open and transparent employment conditions and equal treatment of staff, the Staff Regulations of Officials of the European Union (‘Staff Regulations of Officials’) and the Conditions of Employment of Other Servants of the European Union (‘Conditions of Employment of other Servants’), laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (28) (together referred to as the ‘Staff Regulations’), should apply to the staff (including the Executive Director and the Deputy Executive Director of the Agency), including the rules of professional secrecy or other equivalent duties of confidentiality.

(45) Since the Agency is a body set up by the Union within the meaning of Regulation (EU, Euratom) 2018/1046, the Agency should adopt its financial rules accordingly.

(46) Commission Delegated Regulation (EU) No 1271/2013 (29) should apply to the Agency.

(47) The Agency, as established by this Regulation, replaces and succeeds the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, as established by Regulation (EU) No 1077/2011. It should therefore be the legal successor in respect of all contracts concluded by, liabilities incumbent upon, and properties acquired by, the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice as established by Regulation (EU) No 1077/2011. This Regulation should not affect the legal force of agreements, working arrangements and memoranda of understanding concluded by the Agency as established by Regulation (EU) No 1077/2011, without prejudice to any amendments thereto as required by this Regulation.

(48) To enable the Agency to continue to fulfil the tasks of the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, as established by Regulation (EU) No 1077/2011, to the best of its abilities, transitional measures should be laid down, in particular with regard to the Management Board, the Advisory Groups, the Executive Director and the internal rules adopted by the Management Board.

(49) This Regulation aims to amend and expand the provisions of Regulation (EU) No 1077/2011. Since the amendments to be made by this Regulation are of a substantial number and nature, Regulation (EU) No 1077/2011 should, in the interests of clarity, be replaced in its entirety in relation to the Member States bound by this Regulation. The Agency, as established by this Regulation, should replace and assume the functions of the Agency, as established by Regulation (EU) No 1077/2011 and, as a consequence, that Regulation should be repealed.

(50) Since the objectives of this Regulation, namely the establishment of an Agency at Union level responsible for the operational management and, where appropriate, the development of large-scale IT systems in the area of freedom, security and justice, cannot be sufficiently achieved by the Member States, but can rather, by reason of the scale and effects of the action, be better achieved at Union level, the Union may adopt measures in accordance with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary to achieve those objectives.

(51) In accordance with Articles 1 and 2 of Protocol No 22, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application. Given that this Regulation, insofar as it relates to SIS II, the VIS, the EES and ETIAS builds upon the Schengen

acquis

, Denmark shall, in accordance with Article 4 of that Protocol, decide within a period of six months after the Council has decided on this Regulation whether it will implement it in its national law. In accordance with Article 3 of the Agreement between the European Community and the Kingdom of Denmark on the criteria and mechanisms for establishing the State responsible for examining a request for asylum lodged in Denmark or any other Member State of the European Union and ‘Eurodac’ for the comparison of fingerprints for the effective application of the Dublin Convention (30), Denmark is to notify the Commission whether it will implement the contents of this Regulation, insofar as it relates to Eurodac and DubliNet.

(52) Insofar as its provisions relate to SIS II as governed by Decision 2007/533/JHA, the United Kingdom is taking part in this Regulation, in accordance with Article 5(1) of Protocol No 19 on the Schengen

acquis

integrated into the framework of the European Union, annexed to the TEU and to the TFEU, and Article 8(2) of Council Decision 2000/365/EC (31). Insofar as its provisions relate to SIS II as governed by Regulation (EC) No 1987/2006 and to the VIS, to the EES and to ETIAS, this Regulation constitutes a development of the provisions of the Schengen

acquis

in which the United Kingdom does not take part, in accordance with Decision 2000/365/EC; the United Kingdom requested, by its letter of 19 July 2018 to the President of the Council, to be authorised to take part in this Regulation, in accordance with Article 4 of Protocol No 19. By virtue of Article 1 of Council Decision (EU) 2018/1600 (32), the United Kingdom has been authorised to take part in this Regulation. Furthermore, insofar as its provisions relate to Eurodac and DubliNet, the United Kingdom notified its wish to take part in the adoption and application of this Regulation by its letter of 23 October 2017 to the President of the Council, in accordance with Article 3 of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and to the TFEU. The United Kingdom therefore takes part in the adoption of this Regulation, is bound by it and subject to its application.

(53) Insofar as its provisions relate to SIS II as governed by Decision 2007/533/JHA, Ireland could, in principle, take part in this Regulation, in accordance with Article 5(1) of Protocol No 19 and Article 6(2) of Council Decision 2002/192/EC (33). Insofar as its provisions relate to SIS II as governed by Regulation (EC) No 1987/2006 and to the VIS, to the EES and to ETIAS, this Regulation constitutes a development of the provisions of the Schengen

acquis

in which Ireland does not take part, in accordance with Decision 2002/192/EC; Ireland has not requested to take part in the adoption of this Regulation, in accordance with Article 4 of Protocol No 19. Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application to the extent that its measures develop provisions of the Schengen

acquis

as they relate to SIS II as governed by Regulation (EC) No 1987/2006, to the VIS, to the EES and to ETIAS. Furthermore, insofar as its provisions relate to Eurodac and DubliNet, in accordance with Articles 1 and 2 and Article 4a(1) of Protocol No 21, Ireland is not taking part in the adoption of this Regulation and is not bound by it or subject to its application. Since it is not possible, under these circumstances, to ensure that this Regulation is applicable in its entirety to Ireland, as required by Article 288 TFEU, Ireland is not taking part in the adoption of this Regulation and is not bound by it or subject to its application, without prejudice to its rights under Protocols No 19 and No 21.

(54) As regards Iceland and Norway, this Regulation constitutes, insofar as it relates to SIS II and the VIS, to the EES and to ETIAS, a development of the provisions of the Schengen

acquis

within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen

acquis

(34) which fall within the area referred to in Article 1, points A, B and G of Council Decision 1999/437/EC (35). As regards Eurodac and DubliNet, this Regulation constitutes a new measure within the meaning of the Agreement between the European Community and the Republic of Iceland and the Kingdom of Norway concerning the criteria and mechanisms for establishing the State responsible for examining a request for asylum lodged in a Member State or in Iceland or Norway (36). Consequently, subject to their decision to implement it in their internal legal order, delegations of the Republic of Iceland and the Kingdom of Norway should participate in the Management Board of the Agency. In order to determine further detailed rules allowing for the participation of the Republic of Iceland and the Kingdom of Norway in the activities of the Agency, a further arrangement should be concluded between the Union and these States.

(55) As regards Switzerland, this Regulation constitutes, insofar as it relates to SIS II and the VIS, to the EES and to ETIAS, a development of the provisions of the Schengen

acquis

within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation concerning the association of the Swiss Confederation with the implementation, application and development of the Schengen

acquis

(37) which fall within the area referred to in Article 1, points A, B and G of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/146/EC (38). As regards Eurodac and DubliNet, this Regulation constitutes a new measure related to Eurodac within the meaning of the Agreement between the European Community and the Swiss Confederation concerning the criteria and mechanisms for establishing the State responsible for examining a request for asylum lodged in a Member State or in Switzerland (39). Consequently, subject to its decision to implement it in their internal legal order, the delegation of the Swiss Confederation should participate in the Management Board of the Agency. In order to determine further detailed rules allowing for the participation of the Swiss Confederation in the activities of the Agency, a further arrangement should be concluded between the Union and the Swiss Confederation.

(56) As regards Liechtenstein, this Regulation constitutes, insofar as it relates to SIS II and the VIS, to the EES and to ETIAS, a development of the provisions of the Schengen

acquis

within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen

acquis

(40) which fall within the area referred to in Article 1, points A, B and G of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (41).

As regards Eurodac and DubliNet, this Regulation constitutes a new measure within the meaning of the Protocol between the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Community and the Swiss Confederation concerning the criteria and mechanisms for establishing the State responsible for examining a request for asylum lodged in a Member State or in Switzerland (42). Consequently, subject to its decision to implement it in its internal legal order, the delegation of the Principality of Liechtenstein should participate in the Management Board of the Agency. In order to determine further detailed rules allowing for the participation of the Principality of Liechtenstein in the activities of the Agency, a further arrangement should be concluded between the Union and the Principality of Liechtenstein,

HAVE ADOPTED THIS REGULATION:

CHAPTER I

SUBJECT MATTER AND OBJECTIVES

Article 1

Subject matter

1. A European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (the Agency) is hereby established.

2. The Agency, as established by this Regulation, shall replace and succeed the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, as established by Regulation (EU) No 1077/2011.

3. The Agency shall be responsible for the operational management of the Schengen Information System (SIS II), the Visa Information System (VIS) and Eurodac.

4. The Agency shall be responsible for the preparation, development or operational management of the Entry/Exit System (EES), DubliNet, and the European Travel Information and Authorisation System (ETIAS).

5. The Agency may be made responsible for the preparation, development or operational management of large-scale IT systems in the area of freedom, security and justice other than those referred to in paragraphs 3 and 4 of this Article, including existing systems, only if so provided by relevant Union legal acts governing those systems, based on Articles 67 to 89 TFEU, taking into account, where appropriate, the developments in research referred to in Article 14 of this Regulation and the results of pilot projects and proofs of concept referred to in Article 15 of this Regulation.

6. Operational management shall consist of all the tasks necessary to keep large-scale IT systems functioning in accordance with the specific provisions applicable to each of them, including responsibility for the communication infrastructure used by them. Those large-scale IT systems shall not exchange data or enable sharing of information or knowledge, unless so provided in a specific Union legal act.

7. The Agency shall also be responsible for the following tasks:

(a) ensuring data quality in accordance with Article 12;

(b) developing the necessary actions to enable interoperability in accordance with Article 13;

(d) carrying out pilot projects, proofs of concept and testing activities in accordance with Article 15; and

(e) providing support to Member States and the Commission in accordance with Article 16.

Article 2

Objectives

Without prejudice to the respective responsibilities of the Commission and of the Member States under the Union legal acts governing large-scale IT systems, the Agency shall ensure:

(a) the development of large-scale IT systems using an adequate project management structure for efficiently developing such systems;

(b) the effective, secure and continuous operation of large-scale IT systems;

(d) an adequately high quality of service for users of large-scale IT systems;

(e) continuity and uninterrupted service;

(f) a high level of data protection, in accordance with Union data protection law, including specific provisions for each large-scale IT system;

(g) an appropriate level of data and physical security, in accordance with the applicable rules, including specific provisions for each large-scale IT system.

CHAPTER II

TASKS OF THE AGENCY

Article 3

Tasks relating to SIS II

In relation to SIS II, the Agency shall perform:

(a) the tasks conferred on the Management Authority by Regulation (EC) No 1987/2006 and Decision 2007/533/JHA; and

(b) tasks relating to training on the technical use of SIS II, in particular for SIRENE staff (SIRENE — Supplementary Information Request at the National Entries), and training of experts on the technical aspects of SIS II in the framework of Schengen evaluation.

Article 4

Tasks relating to the VIS

In relation to the VIS, the Agency shall perform:

(a) the tasks conferred on the Management Authority by Regulation (EC) No 767/2008 and Decision 2008/633/JHA; and

(b) tasks relating to training on the technical use of the VIS and training of experts on the technical aspects of the VIS in the framework of Schengen evaluation.

Article 5

Tasks relating to Eurodac

In relation to Eurodac, the Agency shall perform:

(a) the tasks conferred on it by Regulation (EU) No 603/2013; and

(b) tasks relating to training on the technical use of Eurodac.

Article 6

Tasks relating to the EES

In relation to the EES, the Agency shall perform:

(a) the tasks conferred on it by Regulation (EU) 2017/2226; and

(b) tasks relating to training on the technical use of the EES and training of experts on the technical aspects of the EES in the framework of Schengen evaluation.

Article 7

Tasks relating to ETIAS

In relation to ETIAS, the Agency shall perform:

(a) the tasks conferred on it by Regulation (EU) 2018/1240; and

(b) tasks relating to training on the technical use of ETIAS and training of experts on the technical aspects of ETIAS in the framework of Schengen evaluation.

Article 8

Tasks relating to DubliNet

In relation to DubliNet, the Agency shall perform:

(a) the operational management of DubliNet, a separate secure electronic transmission channel between the authorities of Member States, set up under Article 18 of Regulation (EC) No 1560/2003, for the purposes of Articles 31, 32 and 34 of Regulation (EU) No 604/2013 of the European Parliament and of the Council (43); and

(b) tasks relating to training on the technical use of DubliNet.

Article 9

Tasks relating to the preparation, development and operational management of other large-scale IT systems

When entrusted with the preparation, development or operational management of other large-scale IT systems referred to in Article 1(5), the Agency shall perform the tasks conferred on it pursuant to the Union legal act governing the relevant system, as well as tasks relating to training on the technical use of those systems, as appropriate.

Article 10

Technical solutions requiring specific conditions before implementation

Where the Union legal acts governing the systems require the Agency to keep those systems functioning 24 hours a day, 7 days a week and without prejudice to those Union legal acts, the Agency shall implement technical solutions to meet those requirements. Where those technical solutions require a duplication of a system or a duplication of components of a system, they shall only be implemented where an independent impact assessment and cost-benefit analysis to be commissioned by the Agency has been carried out and following the consultation of the Commission and the positive decision of the Management Board. The impact assessment shall also examine existing and future needs in terms of the hosting capacity of the existing technical sites related to the development of such technical solutions and the possible risks related to the current operational set up.

Article 11

Tasks relating to the communication infrastructure

1. The Agency shall carry out all the tasks relating to the communication infrastructure of the systems conferred on it by the Union legal acts governing the systems, with the exception of those systems that make use of the EuroDomain for their communication infrastructure. In the case of those systems that make such use of the EuroDomain, the Commission shall be responsible for the tasks of the implementation of the budget, acquisition and renewal, and contractual matters. In accordance with the Union legal acts governing the systems using the EuroDomain, the tasks regarding the communication infrastructure, including the operational management and security, are to be divided between the Agency and the Commission. In order to ensure coherence between the exercise of their respective responsibilities, operational working arrangements shall be concluded between the Agency and the Commission and reflected in a memorandum of understanding.

2. The communication infrastructure shall be adequately managed and controlled in such a way as to protect it from threats and to ensure its security and that of the systems, including that of data exchanged through the communication infrastructure.

3. The Agency shall adopt appropriate measures, including security plans, inter alia, to prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or transport of data media, in particular by means of appropriate encryption techniques. All system-related operational information circulating in the communication infrastructure shall be encrypted.

4. Tasks relating to the delivery, setting up, maintenance and monitoring of the communication infrastructure may be entrusted to external private-sector entities or bodies in accordance with Regulation (EU, Euratom) 2018/1046. Such tasks shall be carried out under the responsibility of the Agency and under its close supervision.

When carrying out the tasks referred to in the first subparagraph, all external private-sector entities or bodies, including network providers, shall be bound by the security measures referred to in paragraph 3 and shall have no access, by any means, to any operational data stored in the systems or transferred through the communication infrastructure or to the SIS II-related SIRENE exchange.

5. The management of the encryption keys shall remain within the competence of the Agency and shall not be outsourced to any external private-sector entity. This is without prejudice to the existing contracts on the communication infrastructures of SIS II, the VIS and Eurodac.

Article 12

Data quality

Without prejudice to Member States’ responsibilities with regard to the data entered into the systems, the Agency, closely involving its Advisory Groups, together with the Commission, shall work towards establishing for all the systems automated data quality control mechanisms and common data quality indicators and towards developing a central repository containing only anonymised data for reporting and statistics, subject to specific provisions in the Union legal acts governing the development, establishment, operation and use of the systems.

Article 13

Interoperability

Where interoperability of large-scale IT systems has been stipulated in a relevant Union legal act, the Agency shall develop the necessary actions to enable that interoperability.

Article 14

Monitoring of research

1. The Agency shall monitor developments in research relevant for the operational management of SIS II, the VIS, Eurodac, the EES, ETIAS, DubliNet and other large-scale IT systems as referred to in Article 1(5).

2. The Agency may contribute to the implementation of the parts of the European Union Framework Programme for Research and Innovation that relate to large-scale IT systems in the area of freedom, security and justice. For that purpose, and where the Commission has delegated the relevant powers to it, the Agency shall have the following tasks:

(a) managing some stages of programme implementation and some phases in the lifetime of specific projects on the basis of the relevant work programmes adopted by the Commission;

(b) adopting the instruments of budget execution and for revenue and expenditure and carrying out all the operations necessary for the management of the programme; and

3. The Agency shall, on a regular basis and at least once a year, keep the European Parliament, the Council, the Commission, and, where processing of personal data is concerned, the European Data Protection Supervisor, informed on the developments referred to in this Article without prejudice to the reporting requirements in relation to the implementation of parts of the European Union Framework Programme for Research and Innovation referred to in paragraph 2.

Article 15

Pilot projects, proofs of concept and testing activities

1. Upon the specific and precise request of the Commission, which shall have informed the European Parliament and the Council at least three months in advance of making such a request, and after a positive decision of the Management Board, the Agency may, in accordance with point (u) of Article 19(1) of this Regulation and by way of a delegation agreement be entrusted with carrying out pilot projects as referred to in point (a) of Article 58(2) of Regulation (EU, Euratom) 2018/1046 for the development or the operational management of large-scale IT systems pursuant to Articles 67 to 89 TFEU in accordance with point (c) of Article 62(1) of Regulation (EU, Euratom) 2018/1046.

The Agency shall keep the European Parliament, the Council and, where the processing of personal data is concerned, the European Data Protection Supervisor informed on a regular basis of the evolution of the pilot projects carried out by the Agency under the first subparagraph.

2. Financial appropriations for pilot projects as referred to in point (a) of Article 58(2) of Regulation (EU, Euratom) 2018/1046, that have been requested by the Commission under paragraph 1, shall be entered in the budget for no more than two consecutive financial years.

3. At the request of the Commission or the Council, after having informed the European Parliament and after a positive decision of the Management Board, the Agency may be entrusted, by way of a delegation agreement, with budget implementation tasks for proofs of concept funded under the instrument for financial support for external borders and visa established by Regulation (EU) No 515/2014 in accordance with point (c) of Article 62(1) of Regulation (EU, Euratom) 2018/1046.

4. Following a positive decision of the Management Board, the Agency may plan and implement testing activities on matters covered by this Regulation and by any of the Union legal acts governing the development, establishment, operation and use of the systems.

Article 16

Support to Member States and the Commission

1. Any Member State may request the Agency to provide advice with regard to the connection of its national system to the central systems of the large-scale IT systems managed by the Agency.

2. Any Member State may submit a request for ad hoc support to the Commission, which, subject to its positive assessment that such support is required by virtue of extraordinary security or migratory needs, shall transmit it, without delay, to the Agency. The Agency shall inform the Management Board of such requests. The Member State shall be informed where the Commission’s assessment is negative.

The Commission shall monitor whether the Agency has provided a timely response to the Member State's request. The Agency’s annual activity report shall report in detail on the actions the Agency has carried out to provide ad hoc support to Member States and on the costs incurred in that respect.

3. The Agency may also be requested to provide advice or support to the Commission on technical issues related to existing or new systems, including by way of studies and testing. The Agency shall inform the Management Board of such requests.

4. A group of at least five Member States may entrust the Agency with the task of developing, managing or hosting a common IT component to assist them in implementing technical aspects of obligations deriving from Union law on decentralised systems in the area of freedom, security and justice. Those common IT solutions shall be without prejudice to the obligations of the requesting Member States under the applicable Union law, in particular with regard to the architecture of those systems.

In particular, the requesting Member States may entrust the Agency with the task of establishing a common component or router for advance passenger information and passenger name record data as a technical support tool to facilitate connectivity with air carriers in order to assist Member States in the implementation of Council Directive 2004/82/EC (44) and Directive (EU) 2016/681 of the European Parliament and of the Council (45). In such a case the Agency shall centrally collect the data from air carriers and transmit those data to the Member States via the common component or router. The requesting Member States shall adopt the necessary measures to ensure that air carriers transfer the data via the Agency.

The Agency shall be entrusted with the task of developing, managing or hosting a common IT component only after prior approval by the Commission and subject to a positive decision of the Management Board.

The requesting Member States shall entrust the Agency with the tasks referred to in the first and second subparagraphs by way of a delegation agreement setting out the conditions for the delegation of the tasks and the calculation of all relevant costs and the invoicing method. All relevant costs shall be covered by the participating Member States. The delegation agreement shall comply with the Union legal acts governing the systems in question. The Agency shall inform the European Parliament and the Council of the approved delegation agreement and of any modifications thereto.

Other Member States may request to participate in a common IT solution where this possibility is provided for in the delegation agreement setting out, in particular, the financial implications of such participation. The delegation agreement shall be modified accordingly following the prior approval by the Commission and after a positive decision of the Management Board.

CHAPTER III

STRUCTURE AND ORGANISATION

Article 17

Legal status and location

1. The Agency shall be a body of the Union and shall have legal personality.

2. The Agency shall enjoy the most extensive legal capacity accorded to legal persons under national law in each Member State. It may, in particular, acquire or dispose of movable and immovable property and may be a party to legal proceedings.

3. The seat of the Agency shall be Tallinn, Estonia.

The tasks relating to development and operational management referred to in Article 1(4) and (5) and Articles 3, 4, 5, 6, 7, 8, 9 and 11 shall be carried out at the technical site in Strasbourg, France.

A backup site capable of ensuring the operation of a large-scale IT system in the event of failure of such a system shall be installed in Sankt Johann im Pongau, Austria.

4. Both technical sites may be used for the simultaneous operation of the systems, provided that the backup site remains capable of ensuring their operation in the event of the failure of one or more of the systems.

5. Due to the specific nature of the systems, should it become necessary for the Agency to establish a second separate technical site either in Strasbourg or in Sankt Johann im Pongau, or in both locations, as required, in order to host the systems, such need shall be justified on the basis of an independent impact assessment and cost-benefit analysis. The Management Board shall consult the Commission and take into account its views before notifying the budgetary authority of its intention to implement any project related to property in accordance with Article 45(9).

Article 18

Structure

1. The administrative and management structure of the Agency shall comprise:

(a) a Management Board;

(b) an Executive Director;

2. The structure of the Agency shall include:

(a) a data protection officer;

(b) a security officer;

Article 19

Functions of the Management Board

1. The Management Board shall:

(a) provide the general orientation for the Agency’s activities;

(b) adopt, by a majority of two-thirds of members entitled to vote, the annual budget of the Agency and exercise other functions in respect of the Agency’s budget pursuant to Chapter V;

(c) appoint the Executive Director and the Deputy Executive Director and, where relevant, extend their respective terms of office or remove them from office in accordance with Articles 25 and 26 respectively;

(d) exercise disciplinary authority over the Executive Director and oversee his or her performance, including the implementation of the Management Board’s decisions, and exercise disciplinary authority over the Deputy Executive Director in agreement with the Executive Director;

(e) take all decisions on the establishment of the Agency’s organisational structure and, where necessary, its modification, taking into consideration the Agency’s activity needs and having regard to sound budgetary management;

(f) adopt the Agency’s staff policy;

(g) establish the Agency’s rules of procedure;

(h) adopt an anti-fraud strategy, proportionate to the risk of fraud, taking into account the costs and benefits of the measures to be implemented;

(i) adopt rules for the prevention and management of conflicts of interest in respect of its members and publish them on the Agency’s website;

(j) adopt detailed internal rules and procedures for the protection of whistleblowers, including appropriate channels of communication for reporting misconduct;

(k) authorise the conclusion of working arrangements in accordance with Articles 41 and 43;

(l) approve, following a proposal by the Executive Director, the Headquarters Agreement concerning the seat of the Agency and the agreements concerning the technical and backup sites, set up in accordance with Article 17(3), to be signed by the Executive Director and the host Member States;

(m) exercise, in accordance with paragraph 2, with respect to the staff of the Agency, the powers conferred by the Staff Regulations of Officials on the Appointing Authority and by the Conditions of Employment of Other Servants on the Authority Empowered to Conclude a Contract of Employment (‘the appointing authority powers’);

(n) adopt, in agreement with the Commission, the necessary implementing rules for giving effect to the Staff Regulations in accordance with Article 110 of the Staff Regulations of Officials;

(o) adopt the necessary rules on the secondment of national experts to the Agency;

(p) adopt a draft estimate of the Agency’s revenue and expenditure, including the draft establishment plan, and submit them by 31 January each year to the Commission;

(q) adopt the draft single programming document, containing the Agency’s multiannual programming and its work programme for the following year and a provisional draft estimate of the Agency’s revenue and expenditure, including the draft establishment plan, and submit it by 31 January each year, as well as any updated version of that document, to the European Parliament, to the Council and to the Commission;

(r) adopt, before 30 November each year, by a two-thirds majority of its members with the right to vote, and in accordance with the annual budgetary procedure, the single programming document taking into account the opinion of the Commission and ensure that the definitive version of this single programming document is transmitted to the European Parliament, to the Council and to the Commission and is published;

(s) adopt an interim report by the end of August of each year on the progress of the implementation of the planned activities for the current year and submit it to the European Parliament, to the Council and to the Commission;

(t) assess and adopt the consolidated annual activity report of the Agency’s activities for the previous year, comparing, in particular, the results achieved with the objectives of the annual work programme, and send both the report and its assessment by 1 July of each year to the European Parliament, to the Council, to the Commission and to the Court of Auditors and ensure that the annual activity report is published;

(u) carry out its functions relating to the Agency’s budget, including the implementation of pilot projects and proofs of concept as referred to in Article 15;

(v) adopt the financial rules applicable to the Agency in accordance with Article 49;

(w) appoint an accounting officer, who may be the Commission’s accounting officer, subject to the Staff Regulations, who shall be completely independent in the performance of his or her duties;

(x) ensure adequate follow-up to the findings and recommendations stemming from the various internal or external audit reports and evaluations as well as from investigations by the European Anti-Fraud Office (OLAF) and the European Public Prosecutor’s Office (EPPO);

(y) adopt the communication and dissemination plans referred to in Article 34(4) and regularly update them;

(z) adopt the necessary security measures, including a security plan and a business continuity and disaster recovery plan, taking into account the possible recommendations of the security experts present in the Advisory Groups;

(aa) adopt the security rules on the protection of classified information and non-classified sensitive information following approval by the Commission;

(bb) appoint a security officer;

(cc) appoint a data protection officer in accordance with Regulation (EU) 2018/1725;

(dd) adopt the detailed rules for implementing Regulation (EC) No 1049/2001;

(ee) adopt the reports on the development of the EES pursuant to Article 72(2) of Regulation (EU) 2017/2226 and the reports on the development of ETIAS pursuant to Article 92(2) of Regulation (EU) 2018/1240;

(ff) adopt the reports on the technical functioning of SIS II pursuant to Article 50(4) of Regulation (EC) No 1987/2006 and Article 66(4) of Decision 2007/533/JHA respectively, of the VIS pursuant to Article 50(3) of Regulation (EC) No 767/2008 and Article 17(3) of Decision 2008/633/JHA, of the EES pursuant to Article 72(4) of Regulation (EU) 2017/2226 and of ETIAS pursuant to Article 92(4) of Regulation (EU) 2018/1240;

(gg) adopt the annual report on the activities of the Central System of Eurodac pursuant to Article 40(1) of Regulation (EU) No 603/2013;

(hh) adopt formal comments on the European Data Protection Supervisor’s reports on the audits carried out pursuant to Article 45(2) of Regulation (EC) No 1987/2006, Article 42(2) of Regulation (EC) No 767/2008 and Article 31(2) of Regulation (EU) No 603/2013, Article 56(2) of Regulation (EU) 2017/2226 and Article 67 of Regulation (EU) 2018/1240 and ensure appropriate follow-up of those audits;

(ii) publish statistics related to SIS II pursuant to Article 50(3) of Regulation (EC) No 1987/2006 and Article 66(3) of Decision 2007/533/JHA respectively;

(jj) compile and publish statistics on the work of the Central System of Eurodac pursuant to Article 8(2) of Regulation (EU) No 603/2013;

(kk) publish statistics related to the EES pursuant to Article 63 of Regulation (EU) 2017/2226;

(ll) publish statistics related to ETIAS pursuant to Article 84 of Regulation (EU) 2018/1240;

(mm) ensure annual publication of the list of competent authorities authorised to search directly the data contained in SIS II pursuant to Article 31(8) of Regulation (EC) No 1987/2006 and Article 46(8) of Decision 2007/533/JHA, together with the list of Offices of the national systems of SIS II (N.SIS II Offices) and SIRENE Bureaux pursuant to Article 7(3) of Regulation (EC) No 1987/2006 and Article 7(3) of Decision 2007/533/JHA respectively as well as the list of competent authorities pursuant to Article 65(2) of Regulation (EU) 2017/2226 and the list of competent authorities pursuant to Article 87(2) of Regulation (EU) 2018/1240;

(nn) ensure annual publication of the list of units pursuant to Article 27(2) of Regulation (EU) No 603/2013;

(oo) ensure that all decisions and actions of the Agency affecting large-scale IT systems in the area of freedom, security and justice respect the principle of independence of the judiciary;

(pp) perform any other tasks conferred on it in accordance with this Regulation.

Without prejudice to the provisions on publication of the lists of relevant authorities provided for in the Union legal acts referred to in point (mm) of the first subparagraph and where an obligation to publish and continuously update those lists on the Agency’s website is not provided for in those legal acts, the Management Board shall ensure such publication and continuous update.

2. The Management Board shall adopt, in accordance with Article 110 of the Staff Regulations of Officials, a decision based on Article 2(1) of the Staff Regulations of Officials and on Article 6 of the Conditions of Employment of Other Servants delegating relevant appointing authority powers to the Executive Director and defining the conditions under which this delegation of powers can be suspended. The Executive Director shall be authorised to sub-delegate those powers.

Where exceptional circumstances so require, the Management Board may, by way of a decision, temporarily suspend the delegation of the appointing authority powers to the Executive Director and those sub-delegated by him or her and exercise them itself or delegate them to one of its members or to a staff member other than the Executive Director.

3. The Management Board may advise the Executive Director on any matter strictly related to the development or operational management of large-scale IT systems and on activities related to research, pilot projects, proofs of concept and testing activities.

Article 20

Composition of the Management Board

1. The Management Board shall be composed of one representative of each Member State and two representatives of the Commission. Each representative shall have a right to vote in accordance with Article 23.

2. Each member of the Management Board shall have an alternate. The alternate shall represent the member in his or her absence or in the event that the member is elected Chairperson or Deputy Chairperson of the Management Board and is chairing the Management Board meeting. The members of the Management Board and their alternates shall be appointed on the basis of the high level of their relevant experience and expertise in the field of large-scale IT systems in the area of freedom, security and justice, and their knowledge with respect to data protection, taking into account their relevant managerial, administrative and budgetary skills. All parties represented on the Management Board shall make efforts to limit the turnover of their representatives in order to ensure continuity of the Management Board’s work. All parties shall aim to achieve a balanced representation between men and women on the Management Board.

3. The term of office of the members and their alternates shall be four years and shall be renewable. Upon expiry of their terms of office or in the event of their resignation, members shall remain in office until their appointments are renewed or until they are replaced.

4. Countries associated with the implementation, application and development of the Schengen

acquis

and with Dublin- and Eurodac-related measures shall participate in the activities of the Agency. They shall each appoint one representative and an alternate to the Management Board.

Article 21

Chairperson of the Management Board

1. The Management Board shall elect a Chairperson and a Deputy Chairperson from among those members of the Management Board that are appointed by Member States which are fully bound under Union law by all the Union legal acts governing the development, establishment, operation and use of all the large-scale IT systems managed by the Agency. The Chairperson and the Deputy Chairperson shall be elected by a majority of two-thirds of the members of the Management Board with the right to vote.

The Deputy Chairperson shall automatically replace the Chairperson if he or she is prevented from attending to his or her duties.

2. The term of office of the Chairperson and the Deputy Chairperson shall be four years. Their terms of office may be renewed once. Where their membership of the Management Board ends at any time during their term of office, their term of office shall automatically expire on that date.

Article 22

Meetings of the Management Board

1. The Chairperson shall convene the meetings of the Management Board.

2. The Executive Director shall take part in the deliberations, without the right to vote.

3. The Management Board shall hold at least two ordinary meetings a year. In addition, it shall meet on the initiative of its Chairperson, at the request of the Commission, at the request of the Executive Director or at the request of at least one third of the members of the Management Board with the right to vote.

4. Europol and Eurojust may attend the meetings of the Management Board as observers when a question concerning SIS II in relation to the application of Decision 2007/533/JHA is on the agenda. The European Border and Coast Guard Agency may attend the meetings of the Management Board as observer when a question concerning SIS II in relation to the application of Regulation (EU) 2016/1624 is on the agenda.

Europol may attend the meetings of the Management Board as observer when a question concerning the VIS in relation to the application of Decision 2008/633/JHA or a question concerning Eurodac in relation to the application of Regulation (EU) No 603/2013 is on the agenda.

Europol may attend the meetings of the Management Board as observer when a question concerning the EES in relation to the application of Regulation (EC) No 2017/2226 is on the agenda or when a question concerning ETIAS in relation to Regulation (EU) 2018/1240 is on the agenda. The European Border and Coast Guard Agency may also attend the meetings of the Management Board as observer when a question concerning ETIAS in relation with the application of Regulation (EU) 2018/1240 is on the agenda.

The Management Board may invite any other person whose opinion may be of interest to attend its meetings as an observer.

5. The members of the Management Board and their alternates may be assisted by advisers or experts, subject to the rules of procedure for the Management Board, in particular those that are members of the Advisory Groups.

6. The Agency shall provide the secretariat for the Management Board.

Article 23

Voting rules of the Management Board

1. Without prejudice to paragraph 5 of this Article, and to points (b) and (r) of Article 19(1), Article 21(1) and Article 25(8), decisions of the Management Board shall be taken by a majority of its members with the right to vote.

2. Without prejudice to paragraphs 3 and 4, each member of the Management Board shall have one vote. In the absence of a member with the right to vote, his or her alternate shall be entitled to exercise his or her right to vote.

3. Each member appointed by a Member State which is bound under Union law by any Union legal act governing the development, establishment, operation and use of a large-scale IT system managed by the Agency may vote on a question which concerns that large-scale IT system.

Denmark may vote on a question which concerns a large-scale IT system if it decides under Article 4 of the Protocol No 22 to implement the Union legal act governing the development, establishment, operation and use of that particular large-scale IT system in its national law.

4. Article 42 shall apply as regards the voting rights of the representatives of countries that have entered into agreements with the Union on their association with the implementation, application and development of the Schengen

acquis

and with Dublin- and Eurodac-related measures.

5. In the event of a disagreement among members about whether a vote concerns a specific large-scale IT system, any decision which finds that this vote does not concern that specific large-scale IT system shall be taken by a two-thirds majority of the members of the Management Board with the right to vote.

6. The Chairperson, or the Deputy Chairperson when he or she is replacing the Chairperson, shall not vote. The right to vote of the Chairperson, or of the Deputy Chairperson when he or she is replacing the Chairperson, shall be exercised by his or her alternate member.

7. The Executive Director shall not vote.

8. The rules of procedure for the Management Board shall establish more detailed voting arrangements, in particular the conditions under which a member may act on behalf of another member and any quorum requirements, where appropriate.

Article 24

Responsibilities of the Executive Director

1. The Executive Director shall manage the Agency. The Executive Director shall assist and be accountable to the Management Board. The Executive Director shall report to the European Parliament on the performance of his or her duties when invited to do so. The Council may invite the Executive Director to report on the performance of his or her duties.

2. The Executive Director shall be the legal representative of the Agency.

3. The Executive Director shall be responsible for the implementation of tasks assigned to the Agency by this Regulation. In particular, the Executive Director shall be responsible for:

(a) the day-to-day administration of the Agency;

(b) the operation of the Agency in accordance with this Regulation;

(c) preparing and implementing the procedures, decisions, strategies, programmes and activities adopted by the Management Board, within the limits set out by this Regulation, its implementing rules and the applicable Union law;

(d) preparing the single programming document and submitting it to the Management Board after consulting the Commission and the Advisory Groups;

(e) implementing the single programming document and reporting to the Management Board on its implementation;

(f) preparing the interim report on the progress of the implementation of the planned activities for the current year and, after consulting the Advisory Groups, submitting it to the Management Board for adoption by the end of August of each year;

(g) preparing the consolidated annual report of the Agency’s activities and, after consulting the Advisory Groups, submitting it to the Management Board for assessment and adoption;

(h) preparing an action plan following up on the conclusions of internal or external audit reports and evaluations, as well as on investigations by OLAF and by the EPPO, and reporting on progress twice a year to the Commission and regularly to the Management Board;

(i) protecting the financial interests of the Union by applying preventive measures against fraud, corruption and any other illegal activities, without prejudicing the investigative competence of the EPPO and OLAF, by effective checks and, if irregularities are detected, by recovering amounts wrongly paid and, where appropriate, by imposing effective, proportionate and dissuasive administrative, including financial, penalties;

(j) preparing an anti-fraud strategy for the Agency and submitting it to the Management Board for approval as well as monitoring the proper and timely implementation of that strategy;

(k) preparing draft financial rules applicable to the Agency and submitting them to the Management Board for adoption after consulting the Commission;

(l) preparing the draft budget for the following year, established on the basis of activity-based budgeting;

(m) preparing the Agency’s draft statement of estimates of revenue and expenditure;

(n) implementing the budget of the Agency;

(o) establishing and implementing an effective system to enable the regular monitoring and evaluation of:

(i) large-scale IT systems, including statistics, and

(ii) the Agency, including the effective and efficient achievement of its objectives;

(p) establishing, without prejudice to Article 17 of the Staff Regulations of Officials, confidentiality requirements in order to comply with Article 17 of Regulation (EC) No 1987/2006, Article 17 of Decision 2007/533/JHA, Article 26(9) of Regulation (EC) No 767/2008, Article 4(4) of Regulation (EU) No 603/2013; Article 37(4) of Regulation (EC) No 2017/2226 and Article 74(2) of Regulation (EU) 2018/1240;

(q) negotiating and, after approval by the Management Board, signing a Headquarters Agreement concerning the seat of the Agency and agreements concerning the technical and backup sites with the host Member States;

(r) preparing the practical arrangements for implementing Regulation (EC) No 1049/2001 and submitting them to the Management Board for adoption;

(s) preparing the necessary security measures, including a security plan and a business continuity and disaster recovery plan, and, after consulting the relevant Advisory Group, submitting them to the Management Board for adoption;

(t) preparing the reports on the technical functioning of each large-scale IT system referred to in point (ff) of Article 19(1) and the annual report on the activities of the Central System of Eurodac referred to in point (gg) of Article 19(1) on the basis of the results of monitoring and evaluation and, after consulting the relevant Advisory Group, submitting them to the Management Board for adoption;

(u) preparing the reports on the development of the EES referred to in Article 72(2) of Regulation (EC) No 2017/2226 and on the development of ETIAS referred to in Article 92(2) of Regulation (EU) 2018/1240 and submitting them to the Management Board for adoption;

(v) preparing the annual list for publication of competent authorities authorised to search directly the data contained in SIS II, including the list of N.SIS II Offices and SIRENE Bureaux, and the list of competent authorities authorised to search directly the data contained in the EES and ETIAS referred to in point (mm) of Article 19(1) and the list of units referred to in point (nn) of Article 19(1), and submitting them to the Management Board for adoption.

4. The Executive Director shall perform any other tasks in accordance with this Regulation.

5. The Executive Director shall decide whether it is necessary to locate one or more staff members in one or more Member States in order to carry out the Agency’s tasks in an efficient and effective manner and to establish a local office for that purpose. Before adopting such a decision, the Executive Director shall obtain the prior consent of the Commission, the Management Board and the Member State or Member States concerned. The decision of the Executive Director shall specify the scope of the activities to be carried out at the local office in a manner that avoids unnecessary costs and duplication of administrative functions of the Agency. Activities carried out in technical sites shall not be carried out in a local office.

Article 25

Appointment of the Executive Director

1. The Management Board shall appoint the Executive Director from a list of at least three candidates proposed by the Commission following an open and transparent selection procedure. The selection procedure shall provide for publication in the

Official Journal of the European Union

and in other appropriate media of a call for expressions of interest. The Management Board shall appoint the Executive Director on the grounds of merit, proven experience in the field of large-scale IT systems, administrative, financial and management skills and knowledge with respect to data protection.

2. Before appointment, the candidates proposed by the Commission shall be invited to make a statement before the competent committee or committees of the European Parliament and answer questions from the committee members. After hearing the statement and the responses, the European Parliament shall adopt an opinion setting out its view and may indicate a preferred candidate.

3. The Management Board shall appoint the Executive Director taking those views into account.

4. If the Management Board takes a decision to appoint a candidate other than the candidate whom the European Parliament indicated as its preferred candidate, the Management Board shall inform the European Parliament and the Council in writing of the manner in which the opinion of the European Parliament was taken into account.

5. The term of office of the Executive Director shall be five years. By the end of that period, the Commission shall undertake an assessment that takes into account its evaluation of the Executive Director’s performance and the Agency’s future tasks and challenges.

6. The Management Board, acting on a proposal from the Commission that takes into account the assessment referred to in paragraph 5, may extend the term of office of the Executive Director once for no more than five years.

7. The Management Board shall inform the European Parliament if it intends to extend the Executive Director’s term of office. Within the one-month period before any such extension, the Executive Director shall be invited to make a statement before the competent committee or committees of the European Parliament and answer questions from the committee members.

8. An Executive Director whose term of office has been extended may not participate in another selection procedure for the same post at the end of the overall period.

9. The Executive Director may be removed from office only upon a decision of the Management Board, acting on a proposal from a majority of its members with the right to vote or from the Commission.

10. The Management Board shall reach decisions on appointment, extension of the term of office or removal from office of the Executive Director on the basis of a two-thirds majority of votes of its members with the right to vote.

11. For the purpose of concluding the employment contract with the Executive Director, the Agency shall be represented by the Chairperson of the Management Board. The Executive Director shall be engaged as a temporary agent of the Agency under Article 2(a) of the Conditions of Employment of other Servants.

Article 26

Deputy Executive Director

1. A Deputy Executive Director shall assist the Executive Director. The Deputy Executive Director shall also replace the Executive Director in his or her absence. The Executive Director shall set out the duties of the Deputy Executive Director.

2. On the proposal of the Executive Director, the Management Board shall appoint the Deputy Executive Director. The Deputy Executive Director shall be appointed on the grounds of merit and appropriate administrative and management skills, including relevant professional experience. The Executive Director shall propose at least three candidates for the post of Deputy Executive Director. The Management Board shall take its decision by a two-thirds majority of its members with a right to vote. The Management Board shall have the power to dismiss the Deputy Executive Director by means of a decision adopted by a two-thirds majority of its members with a right to vote.

3. The term of office of the Deputy Executive Director shall be five years. The Management Board may extend that term once, for a period of no more than five years. The Management Board shall adopt such a decision by a two-thirds majority of its members with the right to vote.

Article 27

Advisory Groups

1. The following Advisory Groups shall provide the Management Board with expertise relating to large-scale IT systems and, in particular, in the context of the preparation of the annual work programme and the annual activity report:

(a) SIS II Advisory Group;

(b) VIS Advisory Group;

(d) EES-ETIAS Advisory Group;

(e) any other advisory group relating to a large-scale IT system when so provided in the relevant Union legal act governing the development, establishment, operation and use of that large-scale IT system.

2. Each Member State that is bound under Union law by any Union legal act governing the development, establishment, operation and use of a particular large-scale IT system, and the Commission shall appoint one member to the Advisory Group relating to that large-scale IT system for a four-year term, which may be renewed.

Denmark shall also appoint a member to an Advisory Group relating to a large-scale IT system if it decides under Article 4 of the Protocol No 22 to implement the Union legal act governing the development, establishment, operation and use of that particular large-scale IT system in its national law.

Each country associated with the implementation, application and development of the Schengen

acquis

and with Dublin- and Eurodac-related measures that participates in a particular large-scale IT system shall appoint a member to the Advisory Group relating to that large-scale IT system.

3. Europol, Eurojust and the European Border and Coast Guard Agency may each appoint a representative to the SIS II Advisory Group. Europol may also appoint a representative to the VIS, Eurodac and EES-ETIAS Advisory Groups. The European Border and Coast Guard Agency may also appoint a representative to the EES-ETIAS Advisory Group.

4. Members of the Management Board and their alternates shall not be members of any of the Advisory Groups. The Executive Director or a representative of the Executive Director shall be entitled to attend all the meetings of the Advisory Groups as an observer

5. Advisory Groups shall cooperate with each other as necessary. The procedures for the operation and cooperation of the Advisory Groups shall be laid down in the Agency’s rules of procedure.

6. When preparing an opinion, the members of each Advisory Group shall do their best to reach consensus. If consensus is not reached, the reasoned position of the majority of members shall be considered the opinion of the Advisory Group. The minority reasoned position or positions shall also be recorded. Article 23(3) and (5) shall apply accordingly. The members representing the countries associated with the implementation, application and development of the Schengen

acquis

and with Dublin- and Eurodac-related measures shall be allowed to express opinions on issues on which they are not entitled to vote.

7. Each Member State and each country associated with the implementation, application and development of the Schengen

acquis

and with Dublin- and Eurodac-related measures shall facilitate the activities of the Advisory Groups.

8. Article 21 shall apply

mutatis mutandis

as regards the chair of the Advisory Groups.

CHAPTER IV

GENERAL PROVISIONS

Article 28

Staff

1. The Staff Regulations and the rules adopted by agreement between the institutions of the Union for giving effect to the Staff Regulations shall apply to the staff of the Agency, including the Executive Director.

2. For the purpose of implementing the Staff Regulations, the Agency shall be considered an agency within the meaning of Article 1a(2) of the Staff Regulations of Officials.

3. The staff of the Agency shall consist of officials, temporary staff and contract staff. The Management Board shall, on an annual basis, give its consent in the case of contracts that the Executive Director plans to renew where, following renewal, those contracts would be of an indefinite period pursuant to the Conditions of Employment of Other Servants.

4. The Agency shall not recruit interim staff to perform what are deemed to be sensitive financial duties.

5. The Commission and the Member States may second officials or national experts to the Agency on a temporary basis. The Management Board shall adopt a decision laying down rules on the secondment of national experts to the Agency.

6. Without prejudice to Article 17 of the Staff Regulations of Officials, the Agency shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality.

7. The Management Board shall, in agreement with the Commission, adopt the necessary implementing measures referred to in Article 110 of the Staff Regulations of Officials.

Article 29

Public interest

The members of the Management Board, the Executive Director, the Deputy Executive Director and the members of the Advisory Groups shall undertake to act in the public interest. For that purpose, they shall issue an annual, written, public statement of commitment which shall be published on the Agency’s website.

The list of members of the Management Board and of members of the Advisory Groups shall be published on the Agency’s website.

Article 30

Headquarters Agreement and agreements concerning the technical sites

1. The necessary arrangements concerning the accommodation to be provided for the Agency in the host Member States and the facilities to be made available by those Member States, together with the specific rules applicable in the host Member States to the members of the Management Board, to the Executive Director, to the other members of staff of the Agency and to the members of their families, shall be laid down in a Headquarters Agreement concerning the seat of the Agency and in agreements concerning the technical sites. Such agreements shall be concluded between the Agency and the host Member States, following approval by the Management Board.

2. The Agency’s host Member States shall provide the necessary conditions to ensure the proper functioning of the Agency, including, inter alia, multilingual, European-oriented schooling and appropriate transport connections.

Article 31

Privileges and immunities

The Protocol on the Privileges and Immunities of the European Union shall apply to the Agency.

Article 32

Liability

1. The contractual liability of the Agency shall be governed by the law applicable to the contract in question.

2. The Court of Justice of the European Union shall have jurisdiction to give judgment pursuant to any arbitration clause contained in a contract concluded by the Agency.

3. In the case of non-contractual liability, the Agency shall, in accordance with the general principles common to the laws of the Member States, make good any damage caused by its departments or by its staff in the performance of their duties.

4. The Court of Justice of the European Union shall have jurisdiction in disputes over compensation for the damage referred to in paragraph 3.

5. The personal liability of the Agency’s staff towards the Agency shall be governed by the provisions laid down in the Staff Regulations of Officials or Conditions of Employment of Other Servants applicable to them.

Article 33

Language arrangements

1. Council Regulation No 1 (46) shall apply to the Agency.

2. Without prejudice to decisions taken pursuant to Article 342 TFEU, the single programming document referred to in point (r) of Article 19(1) and the annual activity report referred to in point (t) of Article 19(1) shall be produced in all official languages of the institutions of the Union.

3. The Management Board may adopt a decision on working languages without prejudice to the obligations set out in paragraphs 1 and 2.

4. The translation services necessary for the activities of the Agency shall be provided by the Translation Centre for the Bodies of the European Union.

Article 34

Transparency and communication

1. Regulation (EC) No 1049/2001 shall apply to documents held by the Agency.

2. On the basis of a proposal by the Executive Director, the Management Board shall adopt the detailed rules for applying Regulation (EC) No 1049/2001 without delay.

3. Decisions taken by the Agency pursuant to Article 8 of Regulation (EC) No 1049/2001 may form the subject of a complaint to the European Ombudsman or of an action before the Court of Justice of the European Union, under the conditions laid down in Articles 228 and 263 TFEU respectively.

4. The Agency shall communicate in accordance with the Union legal acts governing the development, establishment, operation and use of large-scale IT-systems and may engage in communication activities on its own initiative within its field of competence. The Agency shall ensure, in particular, that in addition to the publications specified in points (r), (t), (ii), (jj), (kk) and (ll) of Article 19(1) and Article 47(9), the public and any interested party are promptly given objective, accurate, reliable comprehensive and easily understandable information with regard to its work. The allocation of resources to communication activities shall not be detrimental to the effective exercise of the Agency’s tasks as referred to in Articles 3 to 16. Communication activities shall be carried out in accordance with the relevant communication and dissemination plans adopted by the Management Board.

5. Any natural or legal person shall be entitled to address written correspondence to the Agency in any of the official languages of the Union. The person concerned shall have the right to receive an answer in the same language.

Article 35

Data protection

1. The processing of personal data by the Agency shall be subject to Regulation (EU) 2018/1725.

2. The Management Board shall adopt measures for the application of Regulation (EU) 2018/1725 by the Agency, including measures concerning the data protection officer. Those measures shall be adopted after consulting the European Data Protection Supervisor.

Article 36

Purposes of processing personal data

1. The Agency may process personal data only for the following purposes:

(a) where necessary for the performance of its tasks related to the operational management of large-scale IT systems entrusted to it under Union law;

(b) where necessary for its administrative tasks.

2. Where the Agency processes personal data for the purpose referred to in point (a) of paragraph 1 of this Article, Regulation (EU) 2018/1725 shall apply without prejudice to the specific provisions concerning data protection and data security of the Union legal acts governing the development, establishment, operation and use of the systems.

Article 37

Security rules on the protection of classified information and sensitive non-classified information

1. The Agency shall adopt its own security rules based on the principles and rules laid down in the Commission’s security rules for protecting European Union Classified Information (EUCI) and sensitive non-classified information, including, inter alia, provisions for the exchange with third states, processing and storage of such information as set out in Commission Decisions (EU, Euratom) 2015/443 (47) and 2015/444 (48). Any administrative arrangement on the exchange of classified information with the relevant authorities of a third state or, in the absence of such arrangement, any exceptional ad hoc release of EUCI to such authorities shall have received the Commission’s prior approval.

2. The Management Board shall adopt the security rules referred to in paragraph 1 of this Article following approval by the Commission. The Agency may take all necessary measures to facilitate the exchange of information relevant to its tasks with the Commission and the Member States and, where appropriate, the relevant Union agencies. The Agency shall develop and operate an information system capable of exchanging classified information with the Commission, the Member States and relevant Union agencies in accordance with Decision (EU, Euratom) 2015/444. The Management Board shall, pursuant to Article 2 and point (z) of Article 19(1) of this Regulation, decide on the Agency’s internal structure necessary to comply with the appropriate security principles.

Article 38

Security of the Agency

1. The Agency shall be responsible for the security and the maintenance of order within the buildings, premises and land used by it. The Agency shall apply the security principles and relevant provisions of the Union legal acts governing the development, establishment, operation and use of large-scale IT systems.

2. The host Member States shall take all effective and adequate measures to maintain order and security in the immediate vicinity of the buildings, premises and land used by the Agency and shall provide the Agency with the appropriate protection in accordance with the Headquarters Agreement concerning the seat of the Agency and the agreements concerning the technical and backup sites, whilst guaranteeing the free access of persons authorised by the Agency to those buildings, premises and land.

Article 39

Evaluation

1. By 12 December 2023, and every five years thereafter, the Commission, after consulting the Management Board, shall evaluate, in accordance with the Commission’s guidelines, the performance of the Agency in relation to its objectives, mandate, locations and tasks. That evaluation shall also include an examination of the implementation of this Regulation and the way and extent to which the Agency effectively contributes to the operational management of large-scale IT systems and to the establishment of a coordinated, cost-effective and coherent IT environment at Union level in the area of freedom, security and justice. That evaluation shall, in particular, assess the possible need to modify the mandate of the Agency and the financial implications of any such modification. The Management Board may issue recommendations regarding amendments to this Regulation to the Commission.

2. Where the Commission considers that the continuation of the Agency is no longer justified with regard to its assigned objectives, mandate and tasks, it may propose that this Regulation be amended accordingly or repealed.

3. The Commission shall report to the European Parliament, to the Council and to the Management Board on the findings of the evaluation referred to in paragraph 1. The findings of the evaluation shall be made public.

Article 40

Administrative inquiries

The activities of the Agency shall be subject to the inquiries of the European Ombudsman in accordance with Article 228 TFEU.

Article 41

Cooperation with Union institutions, bodies, offices and agencies

1. The Agency shall cooperate with the Commission, with other Union institutions and with other Union bodies, offices and agencies, in particular those established in the area of freedom, security and justice, and in particular the European Union Agency for Fundamental Rights, in matters covered by this Regulation, in order to achieve, inter alia, coordination and financial savings, to avoid duplication and to promote synergy and complementarity as regards their respective activities.

2. The Agency shall cooperate with the Commission within the framework of a working arrangement laying down operational working methods.

3. The Agency shall consult and follow the recommendations of the European Network and Information Security Agency regarding network and information security, where appropriate.

4. Cooperation with Union bodies, offices and agencies shall take place within the framework of working arrangements. The Management Board shall authorise such working arrangements, taking into account the opinion of the Commission. Where the Agency does not follow the Commission’s opinion, it shall justify its reasons. Such working arrangements may provide for the sharing of services between agencies, where appropriate, either by proximity of locations or by policy area within the limits of the respective mandates and without prejudice to their core tasks. Such working arrangements may establish a mechanism for cost recovery.

5. Union institutions, bodies, offices and agencies shall use information received from the Agency only within the limits of their competences and insofar as they respect fundamental rights, including data protection requirements. Onward transmission or other communication of personal data processed by the Agency to Union institutions, bodies, offices or agencies shall be subject to specific working arrangements regarding the exchange of personal data and subject to the prior approval by the European Data Protection Supervisor. Any transfer of personal data by the Agency shall be in accordance with Articles 35 and 36. As regards the handling of classified information, such working arrangements shall provide that the Union institution, body, office or agency concerned comply with security rules and standards equivalent to those applied by the Agency.

Article 42

Participation by countries associated with the implementation, application and development of the Schengen acquis and with Dublin- and Eurodac-related measures

1. The Agency shall be open to the participation of countries that have entered into agreements with the Union on their association with the implementation, application and development of the Schengen

acquis

and with Dublin- and Eurodac-related measures.

2. Under the relevant provisions of the agreements referred to in paragraph 1, arrangements shall be made specifying, in particular, the nature and extent of, and the detailed rules for, the participation of countries as referred to in paragraph 1 in the work of the Agency, including provisions on financial contributions, staff and voting rights.

Article 43

Cooperation with international organisations and other relevant entities

1. Where so provided by a Union legal act, in so far as it is necessary for the performance of its tasks, the Agency may, by means of the conclusion of working arrangements, establish and maintain relations with international organisations and their subordinate bodies, governed by public international law, or other relevant entities or bodies, which are set up by, or on the basis of, an agreement between two or more countries.

2. In accordance with paragraph 1, working arrangements may be concluded specifying, in particular, the scope, nature, purpose and extent of such cooperation. Such working arrangements may be concluded only with the authorisation of the Management Board after having received the Commission’s prior approval.

CHAPTER V

ESTABLISHMENT AND STRUCTURE OF THE BUDGET

SECTION 1

Single programming document

Article 44

Single programming document

1. Each year the Executive Director shall draw up a draft single programming document for the following year, as set out in Article 32 of Delegated Regulation (EU) No 1271/2013 and in the relevant provision of the Agency’s financial rules adopted pursuant to Article 49 of this Regulation and taking into account guidelines set by the Commission.

The single programming document shall contain a multiannual programme, an annual work programme and the Agency’s budget and information on its resources, as set out in detail in the Agency’s financial rules adopted pursuant to Article 49.

2. The Management Board shall adopt the draft single programming document after consulting the Advisory Groups and shall send it to the European Parliament, to the Council and to the Commission by 31 January each year, as well as any updated version of that document.

3. Before 30 November each year, the Management Board shall adopt, by a two-thirds majority of its members with the right to vote, and in accordance with the annual budgetary procedure, the single programming document, taking into account the opinion of the Commission. The Management Board shall ensure that the definitive version of this single programming document is sent to the European Parliament, to the Council and to the Commission and is published.

4. The single programming document shall become definitive after the final adoption of the general budget of the Union and, if necessary, shall be adjusted accordingly. The adopted single programming document shall then be sent to the European Parliament, the Council and the Commission and shall be published.

5. The annual work programme for the following year shall comprise detailed objectives and expected results, including performance indicators. It shall also contain a description of the actions to be financed and an indication of financial and human resources allocated to each action, in accordance with the principles of activity-based budgeting and management. The annual work programme shall be coherent with the multiannual work programme referred to in paragraph 6. It shall clearly indicate tasks that have been added, changed or deleted in comparison with the previous financial year. The Management Board shall amend the adopted annual work programme when a new task is given to the Agency. Any substantial amendment to the annual work programme shall be adopted by the same procedure as the initial annual work programme. The Management Board may delegate the power to make non-substantial amendments to the annual work programme to the Executive Director.

6. The multiannual programme shall set out the overall strategic programming, including objectives, expected results and performance indicators. It shall also set out resource programming, including multiannual budget and staff. The resource programming shall be updated annually. The strategic programming shall be updated where appropriate and in particular to address the outcome of the evaluation referred to in Article 39.

Article 45

Establishment of the budget

1. Each year the Executive Director shall draw up, taking into account the activities carried out by the Agency, a draft statement of estimates of the Agency’s revenue and expenditure for the following financial year, including a draft establishment plan, and shall submit it to the Management Board.

2. The Management Board shall, on the basis of the draft statement of estimates drawn up by the Executive Director, adopt a draft estimate of the revenue and expenditure of the Agency for the following financial year, including the draft establishment plan. By 31 January each year, the Management Board shall send it to the Commission and to the countries associated with the implementation, application and development of the Schengen

acquis

and with Dublin- and Eurodac-related measures, as a part of the single programming document.

3. The Commission shall send the draft estimate to the budgetary authority together with the preliminary draft general budget of the Union.

4. On the basis of the draft estimate, the Commission shall enter in the draft general budget of the Union the estimates it deems necessary for the establishment plan and the amount of the subsidy to be charged to the general budget, which it shall place before the budgetary authority in accordance with Articles 313 and 314 TFEU.

5. The budgetary authority shall authorise the appropriations for the contribution to the Agency.

6. The budgetary authority shall adopt the establishment plan for the Agency.

7. The Management Board shall adopt the Agency’s budget. It shall become final following the final adoption of the general budget of the Union. Where appropriate, the Agency’s budget shall be adjusted accordingly.

8. Any modification to the Agency’s budget, including the establishment plan, shall follow the same procedure as that applicable to the establishment of the initial budget.

9. Without prejudice to Article 17(5), the Management Board shall, as soon as possible, notify the budgetary authority of its intention to implement any project which may have significant financial implications for the funding of its budget, in particular any projects relating to property, such as the rental or purchase of buildings. The Management Board shall inform the Commission thereof. If either branch of the budgetary authority intends to issue an opinion, it shall, within two weeks of the receipt of the information on the project, notify the Management Board of its intention to issue such an opinion. In the absence of a reply, the Agency may proceed with the planned operation. Delegated Regulation (EU) No 1271/2013 shall apply to any building project likely to have any significant implications for the Agency’s budget.

SECTION 2

Presentation, implementation and control of the budgET

Article 46

Structure of the budget

1. Estimates of all revenue and expenditure for the Agency shall be prepared each financial year, corresponding to the calendar year, and shall be shown in the Agency’s budget.

2. The Agency’s budget shall be balanced in terms of revenue and of expenditure.

3. Without prejudice to other types of income, the revenue of the Agency shall consist of:

(a) a contribution from the Union entered in the general budget of the Union (Commission section);

(b) a contribution from the countries associated with the implementation, application and development of the Schengen

acquis

and with Dublin- and Eurodac-related measures that participate in the work of the Agency, as established in the respective association agreements and in the arrangements referred to in Article 42 that specify their financial contribution;

(c) Union funding in the form of delegation agreements in accordance with the Agency’s financial rules adopted pursuant to Article 49 and with the provisions of the relevant instruments supporting the policies of the Union;

(d) contributions paid by Member States for the services provided to them in accordance with the delegation agreement referred to in Article 16;

(e) cost recovery paid by Union bodies, offices and agencies for services provided to them in accordance with the working arrangements referred to in Article 41; and

(f) any voluntary financial contribution from the Member States.

4. The expenditure of the Agency shall include staff remuneration, administrative and infrastructure expenses and operational expenditure.

Article 47

Implementation and control of the budget

1. The Executive Director shall implement the Agency’s budget.

2. Each year the Executive Director shall forward to the budgetary authority all information relevant to the findings of evaluation procedures.

3. By 1 March of a financial year N+1, the Agency’s accounting officer shall communicate the provisional accounts for financial year N to the Commission’s accounting officer and the Court of Auditors. The Commission’s accounting officer shall consolidate the provisional accounts of the institutions and decentralised bodies in accordance with Article 245 of Regulation (EU, Euratom) 2018/1046.

4. The Executive Director shall send a report on the budgetary and financial management for year N to the European Parliament, to the Council, to the Commission and to the Court of Auditors by 31 March of year N+1.

5. The Commission’s accounting officer shall send the Agency’s provisional accounts for year N, consolidated with the Commission’s accounts, to the Court of Auditors by 31 March of year N+1.

6. On receipt of the Court of Auditors’ observations on the Agency’s provisional accounts, pursuant to Article 246 of Regulation (EU, Euratom) 2018/1046, the Executive Director shall draw up the Agency’s final accounts under his or her own responsibility and forward them to the Management Board for an opinion.

7. The Management Board shall deliver an opinion on the Agency’s final accounts for year N.

8. By 1 July of year N+1, the Executive Director shall send the final accounts, together with the opinion of the Management Board, to the European Parliament, to the Council, to the Commission and to the Court of Auditors as well as to the countries associated with the implementation, application and development of the Schengen

acquis

and with Dublin- and Eurodac-related measures.

9. The final accounts for year N shall be published in the

Official Journal of the European Union

by 15 November of year N+1.

10. The Executive Director shall send the Court of Auditors a reply to its observations by 30 September of year N+1. The Executive Director shall also send that reply to the Management Board.

11. The Executive Director shall submit to the European Parliament, at the latter’s request, any information required for the smooth application of the discharge procedure for year N, in accordance with Article 261(3) of Regulation (EU, Euratom) 2018/1046.

12. On a recommendation from the Council acting by a qualified majority, the European Parliament shall, before 15 May of year N+2, grant discharge to the Executive Director in respect of the implementation of the budget for year N.

Article 48

Prevention of conflicts of interest

The Agency shall adopt internal rules requiring the members of its Management Board and its Advisory Groups and its staff members to avoid any situation liable to give rise to a conflict of interest during their employment or term of office and to report such situations. Those internal rules shall be published on the website of the Agency.

Article 49

Financial rules

The financial rules applicable to the Agency shall be adopted by the Management Board after consulting the Commission. They shall not depart from Delegated Regulation (EU) No 1271/2013 unless such departure is specifically required for the operation of the Agency and the Commission has given its prior consent.

Article 50

Combating fraud

1. In order to combat fraud, corruption and other unlawful activities, Regulation (EU, Euratom) No 883/2013 and Regulation (EU) 2017/1939 shall apply.

2. The Agency shall accede to the Interinstitutional Agreement of 25 May 1999 concerning internal investigations by OLAF and shall adopt, without delay, the appropriate provisions applicable to all the employees of the Agency using the template set out in the Annex to that Agreement.

3. The Court of Auditors shall have the power of audit, on the basis of documents and of on-the-spot inspections, over all grant beneficiaries, contractors and subcontractors who have received Union funds from the Agency.

4. OLAF may carry out investigations, including on-the-spot checks and inspections, in accordance with the provisions and procedures laid down in Regulation (EU, Euratom) No 883/2013 and Council Regulation (Euratom, EC) No 2185/96 (49), with a view to establishing whether there has been fraud, corruption or any other illegal activity affecting the financial interests of the Union in connection with a grant or a contract funded by the Agency.

5. Without prejudice to paragraphs 1, 2, 3 and 4, contracts, grant agreements and grant decisions of the Agency shall contain provisions expressly empowering the Court of Auditors, OLAF and the EPPO to conduct audits and investigations, in accordance with their respective competences.

CHAPTER VI

AMENDMENTS TO OTHER UNION LEGAL ACTS

Article 51

Amendment to Regulation (EC) No 1987/2006

In Regulation (EC) No 1987/2006, Article 15(2) and (3) are replaced by the following:

‘2. The Management Authority shall be responsible for all tasks relating to the Communication Infrastructure, in particular:

(a) supervision;

(b) security;

(d) tasks relating to implementation of the budget;

(e) acquisition and renewal, and

(f) contractual matters.’.

Article 52

Amendment to Decision 2007/533/JHA

In Decision 2007/533/JHA, Article 15(2) and (3) are replaced by the following:

‘2. The Management Authority shall also be responsible for all tasks relating to the Communication Infrastructure, in particular:

(a) supervision;

(b) security;

(d) tasks relating to implementation of the budget;

(e) acquisition and renewal, and

(f) contractual matters.’.

CHAPTER VII

TRANSITIONAL PROVISIONS

Article 53

Legal succession

1. The Agency, as established by this Regulation, shall be the legal successor in respect of all contracts concluded by, liabilities incumbent on, and properties acquired by the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice as established by Regulation (EU) No 1077/2011.

2. This Regulation shall not affect the legal force of agreements, working arrangements and memoranda of understanding concluded by the Agency as established by Regulation (EU) No 1077/2011, without prejudice to any amendments thereto required by this Regulation.

Article 54

Transitional arrangements concerning the Management Board and the Advisory Groups

1. The members and the Chairperson and Deputy Chairperson of the Management Board, appointed on the basis of Articles 13 and 14 of Regulation (EU) No 1077/2011 respectively, shall continue to exercise their functions for the remaining terms of their office.

2. The members, Chairpersons and deputy Chairpersons of the Advisory groups, appointed on the basis of Article 19 of Regulation (EU) No 1077/2011, shall continue to exercise their functions for their remaining terms of office.

Article 55

Maintenance in force of the internal rules adopted by the Management Board

Internal rules and measures adopted by the Management Board on the basis of Regulation (EU) No 1077/2011 shall remain in force after 11 December 2018, without prejudice to any amendments thereto required by this Regulation.

Article 56

Transitional arrangements concerning the Executive Director

The Executive Director of the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, appointed on the basis of Article 18 of Regulation (EU) No 1077/2011, shall, for his or her remaining term of office, be assigned the responsibilities of the Executive Director of the Agency, as provided for in Article 24 of this Regulation. The other conditions of his or her contract shall remain unchanged. If a decision extending the mandate of the Executive Director in accordance with Article 18(4) of Regulation (EU) No 1077/2011 is adopted prior to 11 December 2018, the term of office shall be extended automatically until 31 October 2022.

CHAPTER VIII

FINAL PROVISIONS

Article 57

Replacement and repeal

Regulation (EU) No 1077/2011 is hereby replaced with regard to the Member States bound by this Regulation.

Therefore, Regulation (EU) No 1077/2011 is repealed.

With regard to the Member States bound by this Regulation, references to the repealed Regulation shall be construed as references to this Regulation and shall be read in accordance with the correlation table in the Annex to this Regulation.

Article 58

Entry into force and applicability

This Regulation shall enter into force on the twentieth day following that of its publication in the

Official Journal of the European Union

This Regulation shall apply from 11 December 2018. However point (x) of Article 19(1), points (h) and (i) of Article 24(3) and Article 50(5) of this Regulation, insofar as they refer to the EPPO, and Article 50(1) of this Regulation, insofar as it refers to Regulation (EU) 2017/1939, shall apply from the date determined by the Commission decision provided for in the second subparagraph of Article 120(2) of Regulation (EU) 2017/1939.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.

Done at Strasbourg, 14 November 2018.

For the European Parliament

The President

A. TAJANI

For the Council

The President

K. EDTSTADLER

(1) Position of the European Parliament of 5 July 2018 (not yet published in the Official Journal) and Decision of the Council of 9 November 2018.

(2) Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (

OJ L 381, 28.12.2006, p. 4

(3) Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System (SIS II) (

OJ L 205, 7.8.2007, p. 63

(4) Council Decision 2004/512/EC of 8 June 2004 establishing the Visa Information System (VIS) (

OJ L 213, 15.6.2004, p. 5

(5) Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (

OJ L 218, 13.8.2008, p. 60

(6) Council Regulation (EC) No 2725/2000 of 11 December 2000 concerning the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of the Dublin Convention (

OJ L 316, 15.12.2000, p. 1

(7) Council Regulation (EC) No 407/2002 of 28 February 2002 laying down certain rules to implement Regulation (EC) No 2725/2000 concerning the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of the Dublin Convention (

OJ L 62, 5.3.2002, p. 1

(8) Regulation (EU) No 603/2013 of the European Parliament and of the Council of 26 June 2013 on the establishment of ‘Eurodac’ for the comparison of fingerprints for the effective application of Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person and on requests for the comparison with Eurodac data by Member States’ law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) No 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (

OJ L 180, 29.6.2013, p. 1

(9) Regulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (

OJ L 286, 1.11.2011, p. 1

(10) Council Decision 2008/633/JHA of 23 June 2008 concerning access for consultation of the Visa Information System (VIS) by designated authorities of Member States and by Europol for the purposes of the prevention, detection and investigation of terrorist offences and of other serious criminal offences (

OJ L 218, 13.8.2008, p. 129

(11) Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (

OJ L 327, 9.12.2017, p. 20

(12) Commission Regulation (EC) No 1560/2003 of 2 September 2003 laying down detailed rules for the application of Council Regulation (EC) No 343/2003 establishing the criteria and mechanisms for determining the Member State responsible for examining an asylum application lodged in one of the Member States by a third-country national (

OJ L 222, 5.9.2003, p. 3

(13) Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (

OJ L 236, 19.9.2018, p. 1

(14) Decision No 922/2009/EC of the European Parliament and of the Council of 16 September 2009 on interoperability solutions for European Public Administrations (ISA) (

OJ L 280, 3.10.2009, p. 20

(15) Decision (EU) 2015/2240 of the European Parliament and of the Council of 25 November 2015 establishing a programme on interoperability solutions and common frameworks for European public administrations, businesses and citizens (ISA2 programme) as a means for modernising the public sector (

OJ L 318, 4.12.2015, p. 1

(16) Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (

OJ L 193, 30.7.2018, p. 1

(17) Council Regulation (EU) No 1053/2013 of 7 October 2013 establishing an evaluation and monitoring mechanism to verify the application of the Schengen

acquis

and repealing the Decision of the Executive Committee of 16 September 1998 setting up a Standing Committee on the evaluation and implementation of Schengen (

OJ L 295, 6.11.2013, p. 27

(18) Regulation (EU) 2016/1624 of the European Parliament and of the Council of 14 September 2016 on the European Border and Coast Guard and amending Regulation (EU) 2016/399 of the European Parliament and of the Council and repealing Regulation (EC) No 863/2007 of the European Parliament and of the Council, Council Regulation (EC) No 2007/2004 and Council Decision 2005/267/EC (

OJ L 251, 16.9.2016, p. 1

(19) Regulation (EU) No 515/2014 of the European Parliament and of the Council of 16 April 2014 establishing, as part of the Internal Security Fund, the instrument for financial support for external borders and visa and repealing Decision No 574/2007/EC (

OJ L 150, 20.5.2014, p. 143

(20)

OJ C 373, 20.12.2013, p. 1

(21) Regulation (EU) No 526/2013 of the European Parliament and of the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004 (

OJ L 165, 18.6.2013, p. 41

(22) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (see page 39 of this Official Journal).

(23) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (

OJ L 8, 12.1.2001, p. 1

(24) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (

OJ L 145, 31.5.2001, p. 43

(25) Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of the Council and Council Regulation (Euratom) No 1074/1999 (

OJ L 248, 18.9.2013, p. 1

(26)

OJ L 136, 31.5.1999, p. 15

(27) Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (the ‘EPPO’) (

OJ L 283, 31.10.2017, p. 1

(28) Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (

OJ L 56, 4.3.1968, p. 1

(29) Commission Delegated Regulation (EU) No 1271/2013 of 30 September 2013 on the framework financial regulation for the bodies referred to in Article 208 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council (

OJ L 328, 7.12.2013, p. 42

(30)

OJ L 66, 8.3.2006, p. 38

(31) Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen

acquis

(

OJ L 131, 1.6.2000, p. 43

(32) Council Decision (EU) 2018/1600 of 28 September 2018 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen acquis relating to the European Union Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) (

OJ L 267, 25.10.2018, p. 3

(33) Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen

acquis

(

OJ L 64, 7.3.2002, p. 20

(34)

OJ L 176, 10.7.1999, p. 36

(35) Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen

acquis

(

OJ L 176, 10.7.1999, p. 31

(36)

OJ L 93, 3.4.2001, p. 40

(37)

OJ L 53, 27.2.2008, p. 52

(38) Council Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen

acquis

(

OJ L 53, 27.2.2008, p. 1

(39)

OJ L 53, 27.2.2008, p. 5

(40)

OJ L 160, 18.6.2011, p. 21

(41) Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen

acquis

, relating to the abolition of checks at internal borders and movement of persons (

OJ L 160, 18.6.2011, p. 19

(42)

OJ L 160, 18.6.2011, p. 39

(43) Regulation (EU) No 604/2013 of the European Parliament and of the Council of 26 June 2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third country national or a stateless person (

OJ L 180, 29.6.2013, p. 31

(44) Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data (

OJ L 261, 6.8.2004, p. 24

(45) Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (

OJ L 119, 4.5.2016, p. 132

(46) Council Regulation No 1 of 15 April 1958 determining the languages to be used by the European Economic Community (

OJ 17, 6.10.1958, p. 385

(47) Commission Decision (EU, Euratom) 2015/443 of 13 March 2015 on Security in the Commission (

OJ L 72, 17.3.2015, p. 41

(48) Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information (

OJ L 72, 17.3.2015, p. 53

(49) Council Regulation (Euratom, EC) No 2185/96 of 11 November 1996 concerning on-the-spot checks and inspections carried out by the Commission in order to protect the European Communities’ financial interests against fraud and other irregularities (

OJ L 292, 15.11.1996, p. 2

ANNEX

CORRELATION TABLE

Regulation (EU) No 1077/2011	This Regulation

Article 1(1)	Article 1(1)
—	Article 1(2)
Article 1(2)	Article 1(3) and (4)
Article 1(3)	Article 1(5)
Article 1(4)	Article 1(6)
Article 2	Article 2
Article 3	Article 3
Article 4	Article 4
Article 5	Article 5
Article 5a	Article 6
—	Article 7
—	Article 8
Article 6	Article 9
—	Article 10
Article 7(1) and (2)	Article 11(1)
Article 7(3)	Article 11(2)
Article 7(4)	Article 11(3)
Article 7(5)	Article 11(4)
Article 7(6)	Article 11(5)
—	Article 12
—	Article 13
Article 8(1)	Article 14(1)
—	Article 14(2)
Article 8(2)	Article 14(3)
Article 9(1) and (2)	Article 15(1) and (2)
—	Article 15(3)
—	Article 15(4)
—	Article 16
Article 10(1) and (2)	Article 17(1) and (2)
Article 10(3)	Article 24(2)
Article 10(4)	Article 17(3)
—	Article 17(4)
—	Article 17(5)
Article 11	Article 18
Article 12(1)	Article 19(1)
—	Article 19(1)(a)
—	Article 19((1)(b)
Article 12(1)(a)	Article 19(1)(c)
Article 12(1)(b)	Article 19(1)(d)
Article 12(1)(c)	Article 19(1)(e)
—	Article 19(1)(f)
Article 12(1)(d)	Article 19(1)(g)
—	Article 19(1)(h)
—	Article 19(1)(i)
—	Article 19(1)(j)
—	Article 19(1)(k)
Article 12(1)(e)	Article 19(1)(l)
—	Article 19(1)(m)
Article 12(1)(f)	Article 19(1)(n)
Article 12(1)(g)	Article 19(1)(o)
—	Article 19(1)(p)
Article 12(1)(h)	Article 19(1)(q)
Article 12(1)(i)	Article 19(1)(q)
Article 12(1)(j)	Article 19(1)(r)
—	Article 19(1)(s)
Article 12(1)(k)	Article 19(1)(t)
Article 12(1)(l)	Article 19(1)(u)
Article 12(1)(m)	Article 19(1)(v)
Article 12(1)(n)	Article 19(1)(w)
Article 12(1)(o)	Article 19(1)(x)
—	Article 19(1)(y)
Article 12(1)(p)	Article 19(1)(z)
Article 12(1)(q)	Article 19(1)(bb)
Article 12(1)(r)	Article 19(1)(cc)
Article 12(1)(s)	Article 19(1)(dd)
Article 12(1)(t)	Article 19(1)(ff)
Article 12(1)(u))	Article 19(1)(gg)
Article 12(1)(v)	Article 19(1)(hh)
Article 12(1)(w)	Article 19(1)(ii)
Article 12(1)(x)	Article 19(1)(jj)
—	Article 19(1)(ll)
Article 12(1)(y)	Article 19(1)(mm)
Article 12(1)(z)	Article 19(1)(nn)
—	Article 19(1)(oo)
Article 12(1)(aa)	Article 19(1)(pp)
Article 12(1)(sa)	Article 19(1)(ee)
Article 12(1)(xa)	Article 19(1)(kk)
Article 12(1)(za)	Article 19(1)(mm)
—	Article 19(1) second subparagraph
—	Article 19(2)
Article 12(2)	Article 19(3)
Article 13(1)	Article 20(1)
Article 13(2) and (3)	Article 20(2)
Article 13(4)	Article 20(3)
Article 13(5)	Article 20(4)
Article 14(1) and (3)	Article 21(1)
Article 14(2)	Article 21(2)
Article 15(1)	Article 22(1) and (3)
Article 15(2)	Article 22(2)
Article 15(3)	Article 22(5)
Article 15(4) and (5)	Article 22(4)
Article 15(6)	Article 22(6)
Article 16(1) to (5)	Article 23(1) to (5)
—	Article 23(6)
Article 16(6)	Article 23(7)
Article 16(7)	Article 23(8)
Article 17(1) and (4)	Article 24(1)
Article 17(2)	—
Article 17(3)	—
Article 17(5) and (6)	Article 24(3)
Article 17(5)(a)	Article 24(3)(a)
Article 17(5)(b)	Article 24(3)(b)
Article 17(5)(c)	Article 24(3)(c)
Article 17(5)(d)	Article 24(3)(o)
Article 17(5)(e)	Article 22(2)
Article 17(5)(f)	Article 19(2)
Article 17(5)(g)	Article 24(3)(p)
Article 17(5)(h)	Article 24(3)(q)
Article 17(6)(a)	Article 24(3)(d) and (g)
Article 17(6)(b)	Article 24(3)(k)
Article 17(6)(c)	Article 24(3)(d)
Article 17(6)(d)	Article 24(3)(l)
Article 17(6)(e)	—
Article 17(6)(f)	—
Article 17(6)(g)	Article 24(3)(r)
Article 17(6)(h)	Article 24(3)(s)
Article 17(6)(i)	Article 24(3)(t)
Article 17(6)(j)	Article 24(3)(v)
Article 17(6)(k)	Article 24(3)(u)
Article 17(7)	Article 24(4)
—	Article 24(5)
Article 18	Article 25
Article 18(1)	Article 25(1) and (10)
Article 18(2)	Article 25(2), (3) and (4)
Article 18(3)	Article 25(5)
Article 18(4)	Article 25(6)
Article 18(5)	Article 25(7)
Article 18(6)	Article 24(1)
—	Article 25(8)
Article 18(7)	Article 25(9) and (10)
—	Article 25(11)
—	Article 26
Article 19	Article 27
Article 20	Article 28
Article 20(1) and (2)	Article 28(1) and (2)
Article 20(3)	—
Article 20(4)	Article 28(3)
Article 20(5)	Article 28(4)
Article 20(6)	Article 28(5)
Article 20(7)	Article 28(6)
Article 20(8)	Article 28(7)
Article 21	Article 29
Article 22	Article 30
Article 23	Article 31
Article 24	Article 32
Article 25(1) and (2)	Article 33(1) and (2)
—	Article 33(3)
Article 25(3)	Article 33(4)
Articles 26 and 27	Article 34
Article 28(1)	Article 35(1) and Article 36(2)
Article 28(2)	Article 35(2)
—	Article 36(1)
Article 29(1) and (2)	Article 37(1)
Article 29(3)	Article 37(2)
Article 30	Article 38
Article 31(1)	Article 39(1)
Article 31(2)	Article 39(1) and (3)
—	Article 39(2)
—	Article 40
—	Article 41
—	Article 43
—	Article 44
Article 32(1)	Article 46(3)
Article 32(2)	Article 46(4)
Article 32(3)	Article 46(2)
Article 32(4)	Article 45(2)
Article 32(5)	Article 45(2)
Article 32(6)	Article 44(2)
Article 32(7)	Article 45(3)
Article 32(8)	Article 45(4)
Article 32(9)	Article 45(5) and (6)
Article 32(10)	Article 45(7)
Article 32(11)	Article 45(8)
Article 32(12)	Article 45(9)
Article 33(1) to (4)	Article 47(1) to (4)
—	Article 47(5)
Article 33(5)	Article 47(6)
Article 33(6)	Article 47(7)
Article 33(7)	Article 47(8)
Article 33(8)	Article 47(9)
Article 33(9)	Article 47(10)
Article 33(10)	Article 47(11)
Article 33(11)	Article 47(12)
—	Article 48
Article 34	Article 49
Article 35(1) and (2)	Article 50(1) and (2)
—	Article 50(3)
Article 35(3)	Article 50(4) and (5)
Article 36	—
Article 37	Article 42
—	Article 51
—	Article 52
—	Article 53
—	Article 54
—	Article 55
—	Article 56
—	Article 57
Article 38	Article 58
—	Annex