Regulation (EU) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU
REGULATION (EU) 2018/1862 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 28 November 2018
on the establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation and judicial cooperation in criminal matters, amending and repealing Council Decision 2007/533/JHA, and repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission Decision 2010/261/EU
CHAPTER I
General provisions
Article 1
General purpose of SIS
The purpose of SIS shall be to ensure a high level of security within the area of freedom, security and justice of the Union including the maintenance of public security and public policy and the safeguarding of security in the territories of the Member States, and to ensure the application of the provisions of Chapter 4 and Chapter 5 of Title V of Part Three TFEU relating to the movement of persons on their territories, using information communicated through this system.
Article 2
Subject matter
Article 3
Definitions
For the purposes of this Regulation, the following definitions apply:
(1) ‘alert’ means a set of data entered into SIS allowing the competent authorities to identify a person or an object with a view to taking specific action;
(2) ‘supplementary information’ means information not forming part of the alert data stored in SIS, but connected to alerts in SIS, which is to be exchanged through the SIRENE Bureaux:
  (a) in order to allow Member States to consult or inform each other when entering an alert;
  (b) following a hit in order to allow the appropriate action to be taken;
  (c) when the required action cannot be taken;
  (d) when dealing with the quality of SIS data;
  (e) when dealing with the compatibility and priority of alerts;
  (f) when dealing with rights of access;
(3) ‘additional data’ means the data stored in SIS and connected with alerts in SIS which are to be immediately available to the competent authorities where a person in respect of whom data has been entered in SIS is located as a result of conducting a search in SIS;
(4) ‘personal data’ means personal data as defined in point 1 of Article 4 of Regulation (EU) 2016/679;
(5) ‘processing of personal data’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, logging, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
(6) a ‘match’ means the occurrence of the following steps:
  (a) a search has been conducted in SIS by an end-user;
  (b) that search has revealed an alert entered into SIS by another Member State; and
  (c) data concerning the alert in SIS match the search data;
(7) a ‘hit’ means any match which fulfils the following criteria:
  (a) it has been confirmed by:
    (i) the end-user; or
    (ii) the competent authority in accordance with national procedures, where the match concerned was based on the comparison of biometric data; and
  (b) further actions are requested;
(8) ‘flag’ means a suspension of the validity of an alert at the national level that may be added to alerts for arrest, alerts on missing and vulnerable persons, alerts for discreet, inquiry and specific checks and to information alerts;
(9) ‘issuing Member State’ means the Member State which entered the alert into SIS;
(10) ‘executing Member State’ means the Member State which takes or has taken the required actions following a hit;
(11) ‘end-user’ means a member of staff of a competent authority authorised to search directly CS-SIS, N.SIS or a technical copy thereof;
(12) ‘biometric data’ means personal data resulting from specific technical processing relating to the physical or physiological characteristics of a natural person, which allow or confirm the unique identification of that natural person, namely photographs, facial images, dactyloscopic data and DNA profile;
(13) ‘dactyloscopic data’ means data on fingerprints and palm prints which due to their unique character and the reference points contained therein enable accurate and conclusive comparisons on a person's identity;
(14) ‘facial image’ means digital images of the face with sufficient image resolution and quality to be used in automated biometric matching;
(15) ‘DNA profile’ means a letter or number code which represents a set of identification characteristics of the non-coding part of an analysed human DNA sample, namely the particular molecular structure at the various DNA locations (loci);
(16) ‘terrorist offences’ means offences under national law referred to in Articles 3 to 14 of Directive (EU) 2017/541 of the European Parliament and of the Council (1), or equivalent to one of those offences for the Member States which are not bound by that Directive;
(17) ‘threat to public health’ means a threat to public health as defined in point (21) of Article 2 of Regulation (EU) 2016/399 of the European Parliament and of the Council (2);
(18) ‘ESP’ means the European search portal established by Article 6(1) of Regulation (EU) 2019/818 of the European Parliament and of the Council (3);
(19) ‘shared BMS’ means the shared biometric matching service established by Article 12(1) of Regulation (EU) 2019/818;
(20) ‘CIR’ means the common identity repository established by Article 17(1) of Regulation (EU) 2019/818;
(21) ‘MID’ means the multiple-identity detector established by Article 25(1) of Regulation (EU) 2019/818;
(22) ‘third-country national’ means any person who is not a citizen of the Union within the meaning of Article 20(1) TFEU with the exception of persons who are beneficiaries of the right of free movement within the Union in accordance with Directive 2004/38/EC or in accordance with an agreement between the Union or the Union and its Member States on the one hand, and a third country on the other hand.
Article 4
Technical architecture and ways of operating SIS
SIS shall be composed of:
(a) a central system (Central SIS) composed of:
  (i) a technical support function (‘CS-SIS’) containing a database (the ‘SIS database’), and including a backup CS-SIS;
  (ii) a uniform national interface (‘NI-SIS’);
(b) a national system (N.SIS) in each of the Member States, consisting of the national data systems which communicate with Central SIS, including at least one national or shared backup N.SIS;
(c) a communication infrastructure between CS-SIS, backup CS-SIS and NI-SIS (‘the Communication Infrastructure’) that provides an encrypted virtual network dedicated to SIS data and the exchange of data between SIRENE Bureaux, as referred to in Article 7(2); and
(d) a secure communication infrastructure between CS-SIS and the central infrastructures of the ESP, the shared BMS and the MID.
An N.SIS as referred to in point (b) may contain a data file (a ‘national copy’) containing a complete or partial copy of the SIS database. Two or more Member States may establish in one of their N.SIS a shared copy which may be used jointly by those Member States. Such shared copy shall be considered as the national copy of each of those Member States.
A shared backup N.SIS as referred to in point (b) may be used jointly by two or more Member States. In such cases, the shared backup N.SIS shall be considered as the backup N.SIS of each of those Member States. The N.SIS and its backup may be used simultaneously to ensure uninterrupted availability to end-users.
Member States intending to establish a shared copy or shared backup N.SIS to be used jointly shall agree their respective responsibilities in writing. They shall notify their arrangement to the Commission.
The Communication Infrastructure shall support and contribute to ensuring the uninterrupted availability of SIS. It shall include redundant and separated paths for the connections between CS-SIS and the backup CS-SIS and shall also include redundant and separated paths for the connections between each SIS national network access point and CS-SIS and backup CS-SIS.
CS-SIS shall provide the services necessary for the entry and processing of SIS data, including searches in the SIS database. For the Member States which use a national or shared copy, CS-SIS shall:
(a) provide online updates for the national copies;
(b) ensure synchronisation of and consistency between the national copies and the SIS database; and
(c) provide the operation for initialisation and restoration of the national copies.
Article 5
Costs
CHAPTER II
Responsibilities of the Member States
Article 6
National systems
Each Member State shall be responsible for setting up, operating, maintaining and further developing its N.SIS and connecting it to NI-SIS.
Each Member State shall be responsible for ensuring the uninterrupted availability of SIS data to end-users.
Each Member State shall transmit its alerts through its N.SIS.
Article 7
N.SIS Office and SIRENE Bureau
That authority shall be responsible for the smooth operation and security of the N.SIS, shall ensure the access of the competent authorities to SIS and shall take the necessary measures to ensure compliance with this Regulation. It shall be responsible for ensuring that all functionalities of SIS are made available to the end-users appropriately.
Each SIRENE Bureau shall, in accordance with national law, have easy direct or indirect access to all relevant national information, including national databases and all information on its Member States' alerts, and to expert advice, in order to be able to react to requests for supplementary information swiftly and within the deadlines provided for in Article 8.
The SIRENE Bureaux shall coordinate the verification of the quality of the information entered in SIS. For those purposes they shall have access to data processed in SIS.
Article 8
Exchange of supplementary information
Requests for supplementary information with the highest priority shall be marked ‘URGENT’ in the SIRENE forms, and the reason for the urgency shall be specified.
Article 9
Technical and functional compliance
Article 10
Security — Member States
Each Member State shall, in relation to its N.SIS, adopt the necessary measures, including a security plan, a business continuity plan and a disaster recovery plan, in order to:
(a) physically protect data, including by making contingency plans for the protection of critical infrastructure;
(b) deny unauthorised persons access to data-processing facilities used for processing personal data (facilities access control);
(c) prevent the unauthorised reading, copying, modification or removal of data media (data media control);
(d) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);
(e) prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control);
(f) prevent the unauthorised processing of data in SIS and any unauthorised modification or erasure of data processed in SIS (control of data entry);
(g) ensure that persons authorised to use an automated data-processing system have access only to the data covered by their access authorisation, by means of individual and unique user identifiers and confidential access modes only (data access control);
(h) ensure that all authorities with a right of access to SIS or to the data processing facilities create profiles describing the functions and responsibilities of persons who are authorised to access, enter, update, delete and search the data and make those profiles available to the supervisory authorities referred to in Article 69(1) without delay upon their request (personnel profiles);
(i) ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);
(j) ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems, when, by whom and for what purpose (input control);
(k) prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);
(l) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation (self-auditing);
(m) ensure that, in the event of interruption, installed systems can be restored to normal operation (recovery); and
(n) ensure that SIS performs its functions correctly, that faults are reported (reliability) and that personal data stored in SIS cannot be corrupted by means of the system malfunctioning (integrity).
Article 11
Confidentiality — Member States
Article 12
Keeping of logs at national level
Member States shall ensure that every access to personal data via the ESP is also logged for the purposes of checking whether the search was lawful, monitoring the lawfulness of data processing, self-monitoring, and data integrity and security.
Article 13
Self-monitoring
Member States shall ensure that each authority entitled to access SIS data takes the measures necessary to comply with this Regulation and cooperates, where necessary, with the supervisory authority.
Article 14
Staff training
That training programme may be part of a general training programme at national level encompassing training in other relevant areas.
CHAPTER III
Responsibilities of eu-LISA
Article 15
Operational management
eu-LISA shall also be responsible for the following tasks relating to the Communication Infrastructure:
(a) supervision;
(b) security;
(c) the coordination of relations between the Member States and the provider;
(d) tasks relating to implementation of the budget;
(e) acquisition and renewal; and
(f) contractual matters.
eu-LISA shall also be responsible for the following tasks relating to the SIRENE Bureaux and communication between the SIRENE Bureaux:
(a) the coordination, management and support of testing activities;
(b) the maintenance and updating of technical specifications for the exchange of supplementary information between SIRENE Bureaux and the Communication Infrastructure; and
(c) managing the impact of technical changes where it affects both SIS and the exchange of supplementary information between SIRENE Bureaux.
eu-LISA shall provide a regular report to the Commission covering the issues encountered and the Member States concerned.
The Commission shall provide the European Parliament and the Council with a regular report on data quality issues that are encountered.
Article 16
Security — eu-LISA
eu-LISA shall adopt the necessary measures, including a security plan, a business continuity plan and a disaster recovery plan for Central SIS and the Communication Infrastructure in order to:
(a) physically protect data, including by making contingency plans for the protection of critical infrastructure;
(b) deny unauthorised persons access to data-processing facilities used for processing personal data (facilities access control);
(c) prevent the unauthorised reading, copying, modification or removal of data media (data media control);
(d) prevent the unauthorised input of data and the unauthorised inspection, modification or deletion of stored personal data (storage control);
(e) prevent the use of automated data-processing systems by unauthorised persons using data communication equipment (user control);
(f) prevent the unauthorised processing of data in SIS and any unauthorised modification or erasure of data processed in SIS (control of data entry);
(g) ensure that persons authorised to use an automated data-processing system have access only to the data covered by their access authorisation by means of individual and unique user identifiers and confidential access modes only (data access control);
(h) create profiles describing the functions and responsibilities of persons who are authorised to access the data or the data processing facilities and make those profiles available to the European Data Protection Supervisor without delay upon its request (personnel profiles);
(i) ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment (communication control);
(j) ensure that it is subsequently possible to verify and establish which personal data have been input into automated data-processing systems, when and by whom (input control);
(k) prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data or during the transport of data media, in particular by means of appropriate encryption techniques (transport control);
(l) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation (self-auditing);
(m) ensure that, in the event of interrupted operations, installed systems can be restored to normal operation (recovery);
(n) ensure that SIS performs its functions correctly, that faults are reported (reliability) and that personal data stored in SIS cannot be corrupted by means of the system malfunctioning (integrity); and
(o) ensure the security of its technical sites.
Article 17
Confidentiality — eu-LISA
Article 18
Keeping of logs at central level
The European Data Protection Supervisor shall have access to those logs on request, within the limits of its competence and for the purpose of fulfilling its tasks.
Article 18b
Keeping of logs for the purposes of interoperability with ETIAS
Logs of each data processing operation carried out within SIS and the European Travel Information and Authorisation System (ETIAS) pursuant to Article 50b of this Regulation shall be kept in accordance with Article 18 of this Regulation and Article 69 of Regulation (EU) 2018/1240 of the European Parliament and of the Council (5).
CHAPTER IV
Information to the public
Article 19
SIS information campaigns