Regulation (EU) 2021/1152 of the European Parliament and of the Council of 7 July 2021 amending Regulations (EC) No 767/2008, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1860, (EU) 2018/1861 and (EU) 2019/817 as regards the establishment of the conditions for accessing other EU information systems for the purposes of the European Travel Information and Authorisation System

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular points (a), (b) and (d) of Article 77(2) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure (1),

Whereas:

(1) Regulation (EU) 2018/1240 of the European Parliament and of the Council (2) established the European Travel Information and Authorisation System (‘ETIAS’) for third-country nationals exempt from the requirement to be in possession of a visa when crossing the external borders of the Union. That Regulation laid down the conditions and procedures for issuing or refusing a travel authorisation under ETIAS.

(2) ETIAS enables consideration of whether the presence of those third-country nationals on the territory of the Member States would pose a security, illegal immigration or high epidemic risk.

(3) In order to enable the ETIAS Central System to process application files as referred to in Regulation (EU) 2018/1240, it is necessary to establish interoperability between the ETIAS Information System, on the one hand, and the Entry/Exit System (‘EES’), the Visa Information System (‘VIS’), the Schengen Information System (‘SIS’), Eurodac and the European Criminal Record Information System – Third-Country Nationals (‘ECRIS-TCN’) (‘other EU information systems’), and Europol data as defined in that Regulation (‘Europol data’), on the other hand.

(4) This Regulation, together with Regulations (EU) 2021/1150 (3) and (EU) 2021/1151 (4) of the European Parliament and of the Council, lays down rules on the implementation of the interoperability between the ETIAS Information System, on the one hand, and other EU information systems and Europol data, on the other hand, and the conditions for the consultation of data stored in other EU information systems and Europol data by ETIAS for the purpose of automatically identifying hits. As a result, it is necessary to amend Regulations (EC) No 767/2008 (5), (EU) 2017/2226 (6), (EU) 2018/1240, (EU) 2018/1860 (7), (EU) 2018/1861 (8) and (EU) 2019/817 (9) of the European Parliament and of the Council in order to connect the ETIAS Central System to other EU information systems and to Europol data and to specify the data that will be sent between those EU information systems and Europol data.

(5) The European Search Portal (ESP), established by Regulation (EU) 2019/817 and Regulation (EU) 2019/818 of the European Parliament and of the Council (10), will enable the data stored in ETIAS and the data stored in the other EU information systems concerned to be queried in parallel.

(6) Technical arrangements should be established to enable ETIAS to regularly and automatically verify in other EU information systems whether the conditions for the retention of application files, as laid down in Regulation (EU) 2018/1240, are still fulfilled.

(7) It is necessary, for the purposes of ensuring the full attainment of the objectives of ETIAS, as well as to further the objectives of SIS, set out in Regulation (EU) 2018/1860, to include in the scope of the automated verifications a new alert category introduced by that Regulation, namely the alert on third-country nationals subject to a return decision.

(8) The return of third-country nationals who do not fulfil or no longer fulfil the conditions for entry to, stay or residence on the territory of the Member States, in accordance with Directive 2008/115/EC of the European Parliament and of the Council (11), is an essential component of the comprehensive efforts to tackle irregular migration and represents an important reason of substantial public interest.

(9) In order to ensure a high level of data accuracy and reliability, it is important to report false hits generated at the level of the ETIAS Central Unit.

(10) In order to supplement certain detailed technical aspects of Regulation (EU) 2018/1240, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union (TFEU) should be delegated to the Commission in respect of the specification of the conditions for the correspondence between the data present in a record, alert or file of the other EU information systems consulted and the data present in an ETIAS application file. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (12). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(11) In order to ensure uniform conditions for the implementation of Regulation (EU) 2018/1240, implementing powers should be conferred on the Commission to establish the technical arrangements for the implementation of certain provisions related to data retention and to detail further the rules relating to the support to carriers to be provided by the ETIAS Central Unit. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (13).

(12) In order to ensure uniform conditions for the implementation of Regulation (EU) 2017/2226, implementing powers should be conferred on the Commission to lay down the details of the fall-back procedures in the case of technical impossibility to access data by carriers and to detail further the rules relating to the support to carriers to be provided by the ETIAS Central Unit. Those powers should be exercised in accordance with Regulation (EU) No 182/2011.

(13) It is possible to revoke ETIAS travel authorisations following the registration in SIS of new alerts on refusal of entry and stay, or concerning a travel document reported as lost, stolen, misappropriated or invalidated. In order for the ETIAS Central System to be informed automatically by SIS of such new alerts, an automated process should be established between SIS and ETIAS.

(14) With a view to rationalising and simplifying the work of border guards through the implementation of a more uniform border control process for all third-country nationals seeking to enter the territory of the Member States for a short stay and following the adoption of Regulations (EU) 2017/2226 and (EU) 2018/1240, it is desirable to align the way the EES and ETIAS work together with the way the EES and the VIS are integrated with one another for the purpose of border control and registering border crossings in the EES.

(15) The conditions, including access rights, under which the ETIAS Central Unit and ETIAS National Units are able to consult data stored in other EU information systems for the purposes of ETIAS should be safeguarded by clear and precise rules regarding access by the ETIAS Central Unit and ETIAS National Units to the data stored in other EU information systems, the types of query and the categories of data, all of which should be limited to what is strictly necessary for the performance of their duties. Member States’ access via the ETIAS National Units to the other EU information systems should be in accordance with the participation in the respective legal instruments. In the same vein, the data stored in ETIAS application files should be visible only to those Member States that operate the underlying information systems in accordance with the arrangements for their participation. As an example, the provisions of this Regulation relating to SIS and the VIS constitute provisions building upon all the provisions of the Schengen acquis, for which the Council Decisions 2010/365/EU (14), (EU) 2017/733 (15), (EU) 2017/1908 (16) and (EU) 2018/934 (17) on the application of the provisions of the Schengen acquis relating to SIS and the VIS are relevant.

(16) Where technical difficulties make it impossible for carriers to access the ETIAS Information System through the carrier gateway, the ETIAS Central Unit should provide operational support to carriers in order to limit the impact on passenger travel and carriers to the extent possible. For that reason, it is necessary to align the fall-back procedures in the case of technical impossibility, including operational support, provided for in the VIS, ETIAS and the EES.

(17) Pursuant to Regulation (EU) 2018/1240, the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), established by Regulation (EU) 2018/1726 of the European Parliament and of the Council (18), is to be responsible for the design and development phase of the ETIAS Information System.

(18) This Regulation is without prejudice to Directive 2004/38/EC of the European Parliament and of the Council (19).

(19) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union (TEU) and to the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application. Given that this Regulation builds upon the Schengen acquis, Denmark shall, in accordance with Article 4 of that Protocol, decide within a period of six months after the Council has decided on this Regulation whether it will implement it in its national law.

(20) This Regulation constitutes a development of the provisions of the Schengen acquis in which Ireland does not take part, in accordance with Council Decision 2002/192/EC (20); Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(21) As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the latters’ association with the implementation, application and development of the Schengen acquis (21) which fall within the areas referred to in Article 1, points A, B, C and G, of Council Decision 1999/437/EC (22).

(22) As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (23) which fall within the areas referred to in Article 1, points A, B, C and G, of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2008/146/EC (24).

(23) As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (25) which fall within the areas referred to in Article 1, points A, B, C and G, of Council Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (26).

(24) As regards Cyprus, Bulgaria, Romania and Croatia, the provisions of this Regulation relating to the VIS, SIS and the EES constitute provisions building upon, or otherwise relating to, the Schengen acquis within, respectively, the meaning of Article 3(2) of the 2003 Act of Accession, Article 4(2) of the 2005 Act of Accession and Article 4(2) of the 2011 Act of Accession read in conjunction with Decisions 2010/365/EU, (EU) 2017/733, (EU) 2017/1908 and (EU) 2018/934.

(25) Regulations (EC) No 767/2008, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1860, (EU) 2018/1861 and (EU) 2019/817 should therefore be amended accordingly.

(26) Since the objectives of this Regulation, namely to amend Regulations (EC) No 767/2008, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1860, (EU) 2018/1861 and (EU) 2019/817 in order to connect the ETIAS Central System to the other EU information systems and to Europol data and to specify the data that will be sent between those EU information systems and Europol data, cannot be sufficiently achieved by the Member States but can rather, by reason of their scale and effects, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 TEU. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.

(27) The European Data Protection Supervisor was consulted, in accordance with Article 41(2) of Regulation (EU) 2018/1725 of the European Parliament and the Council (27),

HAVE ADOPTED THIS REGULATION:

CHAPTER I

AMENDMENTS TO REGULATION (EU) 2018/1240

Article 1

Amendments to Regulation (EU) 2018/1240

Regulation (EU) 2018/1240 is amended as follows:

(6) the following articles are inserted: ‘Article 11b Support of the objectives of the EES For the purpose of Articles 6, 14, 17 and 18 of Regulation (EU) 2017/2226, an automated process, using the secure communication channel referred to in point (da) of Article 6(2) of this Regulation, shall query and import from the ETIAS Central System the information referred to in Article 47(2) of this Regulation, as well as the application number and the expiry date of the ETIAS travel authorisation, and shall create or update the entry/exit record or the refusal of entry record in the EES accordingly.

Article 11c

Interoperability between ETIAS and the EES for the purpose of the revocation of an ETIAS travel authorisation at the request of an applicant

(7) Article 12 is replaced by the following: ‘Article 12 Querying the Interpol databases

(14) in Article 28(3), the following subparagraph is added: ‘For the purpose of the manual processing pursuant to Article 26, the reasoned positive or negative opinion shall only be visible by the ETIAS National Unit of the Member State consulted and by the ETIAS National Unit of the Member State responsible.’;

(15) Article 37(3) is replaced by the following: ‘3.   Applicants who have been refused a travel authorisation shall have the right to appeal. Appeals shall be conducted in the Member State that has taken the decision on the application and in accordance with the national law of that Member State. During the appeal procedure, the appellant shall be given access to the information in the application file in accordance with the data protection rules referred to in Article 56 of this Regulation. The ETIAS National Unit of the Member State responsible shall provide applicants with information regarding the appeal procedure. That information shall be provided in one of the official languages of the countries listed in Annex II to Regulation (EC) No 539/2001 of which the applicant is a national.’;

(16) Article 41(3) is replaced by the following: ‘3.   Without prejudice to paragraph 2, where a new alert is entered in SIS concerning a refusal of entry and stay or concerning a travel document reported as lost, stolen, misappropriated or invalidated, SIS shall inform the ETIAS Central System. The ETIAS Central System shall verify whether that new alert corresponds to a valid travel authorisation. Where this is the case, the ETIAS Central System shall transfer the application file to the ETIAS National Unit of the Member State having entered the alert. Where a new alert for refusal of entry and stay has been entered, the ETIAS National Unit shall revoke the travel authorisation. Where the travel authorisation is linked to a travel document reported as lost, stolen, misappropriated or invalidated in SIS or the Interpol SLTD database, the ETIAS National Unit shall manually process the application file.’;

(19) in Article 64, the following paragraph is added: ‘7.   The right of access to personal data under this Article is without prejudice to Article 53 of Regulation (EU) 2018/1861 and Article 67 of Regulation (EU) 2018/1862.’;

(23) Article 90(1) is replaced by the following: ‘1.   The Commission shall be assisted by the committee established by Article 68 of Regulation (EU) 2017/2226. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.’;

(25) in Article 96, the following paragraph is inserted after the second paragraph: ‘Article 11b shall apply from 3 August 2021.’.

CHAPTER II

AMENDMENT TO OTHER UNION INSTRUMENTS

Article 2

Amendments to Regulation (EC) No 767/2008

Regulation (EC) No 767/2008 is amended as follows:

(2) the following articles are inserted: ‘Article 18b Interoperability with ETIAS

Article 18c

Access to VIS data by the ETIAS Central Unit

Article 18d

Use of the VIS for the manual processing of applications by the ETIAS National Units

(3) the following article is inserted: ‘Article 34a Keeping of logs for the purposes of interoperability with ETIAS Logs of each data processing operation carried out within the VIS and ETIAS pursuant to Article 20, point (c)(ii) of Article 24(6), and point (b) of Article 54(1) of Regulation (EU) 2018/1240 shall be kept in accordance with Article 34 of this Regulation and Article 69 of Regulation (EU) 2018/1240.’;

Article 3

Amendments to Regulation (EU) 2017/2226

Regulation (EU) 2017/2226 is amended as follows:

(3) in Article 9, the following paragraph is inserted: ‘2a.   The duly authorised staff of the ETIAS National Units, designated pursuant to Article 8 of Regulation (EU) 2018/1240, shall have access to the EES to consult EES data in a read-only format.’;

(4) the following article is inserted: ‘Article 13a Fall-back procedures in the case of technical impossibility to access data by carriers

(7) the following articles are inserted: ‘Article 25a Access to EES data by the ETIAS Central Unit

Article 25b

Use of the EES for the manual processing of applications by the ETIAS National Units