Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011

CHAPTER I

SUBJECT MATTER AND OBJECTIVES

Article 1

Subject matter

The Agency shall also be responsible for the following tasks:

(a) ensuring data quality in accordance with Article 12;

(b) developing the necessary actions to enable interoperability in accordance with Article 13;

(c) carrying out research activities in accordance with Article 14;

(d) carrying out pilot projects, proofs of concept and testing activities in accordance with Article 15; and

(e) providing support to Member States and the Commission in accordance with Article 16.

Article 2

Objectives

Without prejudice to the respective responsibilities of the Commission and of the Member States under the Union legal acts governing large-scale IT systems, the Agency shall ensure:

(a) the development of large-scale IT systems using an adequate project management structure for efficiently developing such systems;

(b) the effective, secure and continuous operation of large-scale IT systems;

(c) the efficient and financially accountable management of large-scale IT systems;

(d) an adequately high quality of service for users of large-scale IT systems;

(e) continuity and uninterrupted service;

(f) a high level of data protection, in accordance with Union data protection law, including specific provisions for each large-scale IT system;

(g) an appropriate level of data and physical security, in accordance with the applicable rules, including specific provisions for each large-scale IT system.

CHAPTER II

TASKS OF THE AGENCY

Article 3

Tasks relating to SIS II

In relation to SIS II, the Agency shall perform:

(a) the tasks conferred on the Management Authority by Regulation (EC) No 1987/2006 and Decision 2007/533/JHA; and

(b) tasks relating to training on the technical use of SIS II, in particular for SIRENE staff (SIRENE — Supplementary Information Request at the National Entries), and training of experts on the technical aspects of SIS II in the framework of Schengen evaluation.

Article 4

Tasks relating to the VIS

In relation to the VIS, the Agency shall perform:

(a) the tasks conferred on the Management Authority by Regulation (EC) No 767/2008 and Decision 2008/633/JHA; and

(b) tasks relating to training on the technical use of the VIS and training of experts on the technical aspects of the VIS in the framework of Schengen evaluation.

Article 5

Tasks relating to Eurodac

In relation to Eurodac, the Agency shall perform:

(a) the tasks conferred on it by Regulation (EU) No 603/2013; and

(b) tasks relating to training on the technical use of Eurodac.

Article 6

Tasks relating to the EES

In relation to the EES, the Agency shall perform:

(a) the tasks conferred on it by Regulation (EU) 2017/2226; and

(b) tasks relating to training on the technical use of the EES and training of experts on the technical aspects of the EES in the framework of Schengen evaluation.

Article 7

Tasks relating to ETIAS

In relation to ETIAS, the Agency shall perform:

(a) the tasks conferred on it by Regulation (EU) 2018/1240; and

(b) tasks relating to training on the technical use of ETIAS and training of experts on the technical aspects of ETIAS in the framework of Schengen evaluation.

Article 8

Tasks relating to DubliNet

In relation to DubliNet, the Agency shall perform:

(a) the operational management of DubliNet, a separate secure electronic transmission channel between the authorities of Member States, set up under Article 18 of Regulation (EC) No 1560/2003, for the purposes of Articles 31, 32 and 34 of Regulation (EU) No 604/2013 of the European Parliament and of the Council (¹); and

(b) tasks relating to training on the technical use of DubliNet.

Article 8a

Tasks related to ECRIS-TCN and the ECRIS reference implementation

In relation to ECRIS-TCN and the ECRIS reference implementation, the Agency shall perform:

(a) the tasks conferred on it by Regulation (EU) 2019/816 of the European Parliament and of the Council (²);

(b) tasks relating to training on the technical use of ECRIS-TCN and the ECRIS reference implementation.

Article 8b

Tasks related to the e-CODEX system

In relation to the e-CODEX system, the Agency shall perform:

(a) the tasks conferred on it by Regulation (EU) 2022/850 of the European Parliament and of the Council (³);

(b) tasks relating to training on the technical use of the e-CODEX system, including the provision of online training materials.

Article 8c

Tasks related to the JITs collaboration platform

In relation to the JITs collaboration platform, the Agency shall perform:

(a) the tasks conferred on it by Regulation (EU) 2023/969 of the European Parliament and of the Council (⁴);

(b) tasks relating to training on the technical use of the JITs collaboration platform provided to the JITs Network Secretariat, including the provision of training materials.

Article 8d

Tasks related to the Prüm II router

In relation to the Prüm II router, the Agency shall perform the tasks conferred on it by Regulation (EU) 2024/982 of the European Parliament and of the Council (⁵).

Article 9

Tasks relating to the preparation, development and operational management of other large-scale IT systems

When entrusted with the preparation, development or operational management of other large-scale IT systems referred to in Article 1(5), the Agency shall perform the tasks conferred on it pursuant to the Union legal act governing the relevant system, as well as tasks relating to training on the technical use of those systems, as appropriate.

Article 10

Technical solutions requiring specific conditions before implementation

Where the Union legal acts governing the systems require the Agency to keep those systems functioning 24 hours a day, 7 days a week and without prejudice to those Union legal acts, the Agency shall implement technical solutions to meet those requirements. Where those technical solutions require a duplication of a system or a duplication of components of a system, they shall only be implemented where an independent impact assessment and cost-benefit analysis to be commissioned by the Agency has been carried out and following the consultation of the Commission and the positive decision of the Management Board. The impact assessment shall also examine existing and future needs in terms of the hosting capacity of the existing technical sites related to the development of such technical solutions and the possible risks related to the current operational set up.

Article 11

Tasks relating to the communication infrastructure

Tasks relating to the delivery, setting up, maintenance and monitoring of the communication infrastructure may be entrusted to external private-sector entities or bodies in accordance with Regulation (EU, Euratom) 2018/1046. Such tasks shall be carried out under the responsibility of the Agency and under its close supervision.

When carrying out the tasks referred to in the first subparagraph, all external private-sector entities or bodies, including network providers, shall be bound by the security measures referred to in paragraph 3 and shall have no access, by any means, to any operational data stored in the systems or transferred through the communication infrastructure or to the SIS II-related SIRENE exchange.

Article 12

Data quality

Article 13

Interoperability

Where interoperability of large-scale IT systems has been stipulated in a relevant Union legal act, the Agency shall develop the necessary actions to enable that interoperability.

Article 13a

Tasks related to the router

In relation to Regulations (EU) 2025/12 (⁸) and (EU) 2025/13 (⁹) of the European Parliament and of the Council, the Agency shall perform the tasks related to the router conferred on it by those Regulations.

Article 14

Monitoring of research

The Agency may contribute to the implementation of the parts of the European Union Framework Programme for Research and Innovation that relate to large-scale IT systems in the area of freedom, security and justice. For that purpose, and where the Commission has delegated the relevant powers to it, the Agency shall have the following tasks:

(a) managing some stages of programme implementation and some phases in the lifetime of specific projects on the basis of the relevant work programmes adopted by the Commission;

(b) adopting the instruments of budget execution and for revenue and expenditure and carrying out all the operations necessary for the management of the programme; and

(c) providing support in programme implementation.

Article 15

Pilot projects, proofs of concept and testing activities

Upon the specific and precise request of the Commission, which shall have informed the European Parliament and the Council at least three months in advance of making such a request, and after a positive decision of the Management Board, the Agency may, in accordance with point (u) of Article 19(1) of this Regulation and by way of a delegation agreement be entrusted with carrying out pilot projects as referred to in point (a) of Article 58(2) of Regulation (EU, Euratom) 2018/1046 for the development or the operational management of large-scale IT systems pursuant to Articles 67 to 89 TFEU in accordance with point (c) of Article 62(1) of Regulation (EU, Euratom) 2018/1046.

The Agency shall keep the European Parliament, the Council and, where the processing of personal data is concerned, the European Data Protection Supervisor informed on a regular basis of the evolution of the pilot projects carried out by the Agency under the first subparagraph.

Article 16

Support to Member States and the Commission

Any Member State may submit a request for ad hoc support to the Commission, which, subject to its positive assessment that such support is required by virtue of extraordinary security or migratory needs, shall transmit it, without delay, to the Agency. The Agency shall inform the Management Board of such requests. The Member State shall be informed where the Commission’s assessment is negative.

The Commission shall monitor whether the Agency has provided a timely response to the Member State's request. The Agency’s annual activity report shall report in detail on the actions the Agency has carried out to provide ad hoc support to Member States and on the costs incurred in that respect.

A group of at least five Member States may entrust the Agency with the task of developing, managing or hosting a common IT component to assist them in implementing technical aspects of obligations deriving from Union law on decentralised systems in the area of freedom, security and justice. Those common IT solutions shall be without prejudice to the obligations of the requesting Member States under the applicable Union law, in particular with regard to the architecture of those systems.

In particular, the requesting Member States may entrust the Agency with the task of establishing a common component or router for advance passenger information and passenger name record data as a technical support tool to facilitate connectivity with air carriers in order to assist Member States in the implementation of Council Directive 2004/82/EC (¹⁰) and Directive (EU) 2016/681 of the European Parliament and of the Council (¹¹). In such a case the Agency shall centrally collect the data from air carriers and transmit those data to the Member States via the common component or router. The requesting Member States shall adopt the necessary measures to ensure that air carriers transfer the data via the Agency.

The Agency shall be entrusted with the task of developing, managing or hosting a common IT component only after prior approval by the Commission and subject to a positive decision of the Management Board.

The requesting Member States shall entrust the Agency with the tasks referred to in the first and second subparagraphs by way of a delegation agreement setting out the conditions for the delegation of the tasks and the calculation of all relevant costs and the invoicing method. All relevant costs shall be covered by the participating Member States. The delegation agreement shall comply with the Union legal acts governing the systems in question. The Agency shall inform the European Parliament and the Council of the approved delegation agreement and of any modifications thereto.

Other Member States may request to participate in a common IT solution where this possibility is provided for in the delegation agreement setting out, in particular, the financial implications of such participation. The delegation agreement shall be modified accordingly following the prior approval by the Commission and after a positive decision of the Management Board.

CHAPTER III

STRUCTURE AND ORGANISATION

Article 17

Legal status and location

The tasks relating to development and operational management referred to in Article 1(4) and (5), Articles 3 to 9 and Articles 11 and 13a shall be carried out at the technical site in Strasbourg, France.

A backup site capable of ensuring the operation of a large-scale IT system in the event of failure of such a system shall be installed in Sankt Johann im Pongau, Austria.

Article 18

Structure

The administrative and management structure of the Agency shall comprise:

(a) a Management Board;

(b) an Executive Director;

(c) Advisory Groups.

The structure of the Agency shall include:

(a) a data protection officer;

(b) a security officer;

(c) an accounting officer.

Article 19

Functions of the Management Board

The Management Board shall:

(a) provide the general orientation for the Agency’s activities;

(b) adopt, by a majority of two-thirds of members entitled to vote, the annual budget of the Agency and exercise other functions in respect of the Agency’s budget pursuant to Chapter V;

(c) appoint the Executive Director and the Deputy Executive Director and, where relevant, extend their respective terms of office or remove them from office in accordance with Articles 25 and 26 respectively;

(d) exercise disciplinary authority over the Executive Director and oversee his or her performance, including the implementation of the Management Board’s decisions, and exercise disciplinary authority over the Deputy Executive Director in agreement with the Executive Director;

(e) take all decisions on the establishment of the Agency’s organisational structure and, where necessary, its modification, taking into consideration the Agency’s activity needs and having regard to sound budgetary management;

(f) adopt the Agency’s staff policy;

(g) establish the Agency’s rules of procedure;

(h) adopt an anti-fraud strategy, proportionate to the risk of fraud, taking into account the costs and benefits of the measures to be implemented;

(i) adopt rules for the prevention and management of conflicts of interest in respect of its members and publish them on the Agency’s website;

(j) adopt detailed internal rules and procedures for the protection of whistleblowers, including appropriate channels of communication for reporting misconduct;

(k) authorise the conclusion of working arrangements in accordance with Articles 41 and 43;

(l) approve, following a proposal by the Executive Director, the Headquarters Agreement concerning the seat of the Agency and the agreements concerning the technical and backup sites, set up in accordance with Article 17(3), to be signed by the Executive Director and the host Member States;

(m) exercise, in accordance with paragraph 2, with respect to the staff of the Agency, the powers conferred by the Staff Regulations of Officials on the Appointing Authority and by the Conditions of Employment of Other Servants on the Authority Empowered to Conclude a Contract of Employment (‘the appointing authority powers’);

(n) adopt, in agreement with the Commission, the necessary implementing rules for giving effect to the Staff Regulations in accordance with Article 110 of the Staff Regulations of Officials;

(o) adopt the necessary rules on the secondment of national experts to the Agency;

(p) adopt a draft estimate of the Agency’s revenue and expenditure, including the draft establishment plan, and submit them by 31 January each year to the Commission;

(q) adopt the draft single programming document, containing the Agency’s multiannual programming and its work programme for the following year and a provisional draft estimate of the Agency’s revenue and expenditure, including the draft establishment plan, and submit it by 31 January each year, as well as any updated version of that document, to the European Parliament, to the Council and to the Commission;

(r) adopt, before 30 November each year, by a two-thirds majority of its members with the right to vote, and in accordance with the annual budgetary procedure, the single programming document taking into account the opinion of the Commission and ensure that the definitive version of this single programming document is transmitted to the European Parliament, to the Council and to the Commission and is published;

(s) adopt an interim report by the end of August of each year on the progress of the implementation of the planned activities for the current year and submit it to the European Parliament, to the Council and to the Commission;

(t) assess and adopt the consolidated annual activity report of the Agency’s activities for the previous year, comparing, in particular, the results achieved with the objectives of the annual work programme, and send both the report and its assessment by 1 July of each year to the European Parliament, to the Council, to the Commission and to the Court of Auditors and ensure that the annual activity report is published;

(u) carry out its functions relating to the Agency’s budget, including the implementation of pilot projects and proofs of concept as referred to in Article 15;

(v) adopt the financial rules applicable to the Agency in accordance with Article 49;

(w) appoint an accounting officer, who may be the Commission’s accounting officer, subject to the Staff Regulations, who shall be completely independent in the performance of his or her duties;

(x) ensure adequate follow-up to the findings and recommendations stemming from the various internal or external audit reports and evaluations as well as from investigations by the European Anti-Fraud Office (OLAF) and the European Public Prosecutor’s Office (EPPO);

(y) adopt the communication and dissemination plans referred to in Article 34(4) and regularly update them;