Commission Implementing Regulation (EU) 2022/1409 of 18 August 2022 concerning the detailed rules on the conditions for the operation of the web service and data protection and security rules applicable to the web service, as well as measures for the development and technical implementation of the web service and repealing Implementing Regulation (EU) 2021/1224

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (1), and in particular Article 13(7), Article 13a and Article 36, first paragraph, point (h), thereof,

Having regard to Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of information between Member States on short-stay visas, long-stay visas and residence permits (VIS Regulation) (2), and in particular Article 45c(3), fourth subparagraph, Article 45c(5), second paragraph and Article 45d(3), thereof,

Whereas:

(1) Regulation (EU) 2017/2226 establishes the Entry/Exit System, for the electronic recording and storage of the date, time and place of entry and exit of third-country nationals admitted or refused for a short stay in the territory of the Member States and calculates the duration of their authorised stay.

(2) Regulation (EC) No 767/2008 establishes the Visa Information System for the exchange of data between Member States on applications for short-stay visas, long-stay visas and residence permits, and on the decision taken to annul, revoke or extend the visa.

(3) The European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, established by Regulation (EU) No 1077/2011 of the European Parliament and of the Council (3) (eu-LISA) is responsible for the development of the Entry/Exit System, and the operational management of the Entry/Exit System and the Visa Information System.

(4) Commission Implementing Regulation (EU) 2021/1224 (4) laid down specifications and conditions for the operation of the web service provided for in Article 13 of Regulation (EU) 2017/2226, including specific provisions for data protection and security. Those specifications and conditions also take into account visa-exempt travellers within the meaning of Article 45(2) of Regulation (EU) 2018/1240 of the European Parliament and of the Council (5). Those specifications and conditions should be adapted by taking into account third-country nationals that require a short-stay visa, a long-stay visa or a residence permit within the meaning of Article 45c of Regulation (EC) No 767/2008. In the interests of clarity, that Regulation shall be replaced.

(5) Article 13(3) of Regulation (EU) 2017/2226 requires carriers to use the web service to verify whether third-country nationals holding a short-stay visa issued for one or two entries have already used the number of entries authorised by their visa.

(6) Article 45c(1) and (2) of Regulation (EC) No 767/2008 requires air carriers, sea carriers and international carriers transporting groups overland by coach to use the carrier gateway to verify whether third-country nationals subject to a short-stay visa, airport transit visa or who are required to hold a long-stay visa or a residence permit are in possession of a valid short-stay visa, an airport transit visa, a long-stay visa or a residence permit.

(7) In order to enable carriers to verify whether the third-country national subject to a visa requirement or who is required to hold an airport transit visa, a long-stay visa or a residence permit, is in possession of a valid visa or residence permit, they should have access to the web service. Carriers should access the web service through an authentication scheme and be able to dispatch and receive messages in a format to be determined by eu-LISA.

(8) Technical rules on the message format and authentication scheme should be laid down in order to enable carriers to connect and use the web service to be specified in the technical guidelines, which are part of the technical specifications referred to in Article 37(1) of Regulation (EU) 2017/2226, to be adopted by eu-LISA.

(9) Carriers should be able to indicate that the passengers fall outside the scope of the Regulation (EU) 2017/2226 and Regulation (EC) No 767/2008 and in such case carriers should receive an automatic ‘Not applicable’ reply from the web service, without querying the read-only database and without logging.

(10) The Commission, eu-LISA and the Member States should endeavour to inform all known carriers of how and when they can register. Upon successful completion of the registration procedure as well as, where relevant, the successful completion of testing, eu-LISA should connect the carrier to the carrier interface.

(11) Authenticated carriers should only give access to the web service to duly authorised staff.

(12) This Regulation should provide for data protection and security rules applicable to the authentication scheme.

(13) In order to ensure that the verification query is based on information, which is as up-to-date as possible, queries should be introduced at the earliest 48 hours prior to the scheduled time of departure.

(14) This Regulation should apply to air carriers, sea carriers and international carriers transporting groups overland by coach, coming into the territory of the Member States. Border checks for entry into the territory of the Member States may precede boarding. In such cases, carriers should be relieved of the obligation to verify the travel authorisation status of travellers.

(15) Carriers should have access to a web form on a public website allowing them to request assistance. When requesting assistance carriers should receive an acknowledgement of receipt containing a ticket number. eu-LISA or the ETIAS Central Unit may contact carriers that have received a ticket by any means necessary, including by phone, in order to provide an adequate response. It is necessary to adopt further detailed rules for this assistance to be provided by the ETIAS Central Unit as provided for in Article 13a of Regulation (EU) 2017/2226.

(16) Given that Regulation (EU) 2017/2226 and Regulation (EU) 2021/1134 of the European Parliament and of the Council (6) build upon the Schengen acquis, Denmark, in accordance with Article 4 of Protocol No 22 on the Position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark notified the implementation of Regulation (EU) 2021/1134 in its national law. It is therefore, bound by this Regulation.

(17) This Regulation constitutes a development of the provisions of the Schengen acquis in which Ireland does not take part (7). Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(18) As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (8), which fall within the area referred to in Article 1, points A and B of Council Decision 1999/437/EC (9).

(19) As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (10), which fall within the area referred to in Article 1, points A and B of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC (11).

(20) As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (12) which fall within the area referred to in Article 1, points A and B of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU (13).

(21) As regards Bulgaria and Romania, in relation to the provisions under this act concerning Regulation (EU) 2017/2226, the provisions of the Schengen acquis relating to the Schengen Information System have been put into effect by Council Decision (EU) 2018/934 (14); the provisions of the Schengen acquis relating to the Visa Information System have been put into effect by Council Decision (EU) 2017/1908 (15), all the conditions for the operation of the Entry/Exit System set out in Article 66(2), point (b), of Regulation (EU) 2017/2226 are met and those Member States should therefore operate the Entry/Exit System from the start of operations as decided in accordance with Article 66(1) of Regulation (EU) 2017/2226. The provisions under this act concerning Regulation (EC) No 767/2008, constitute an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 4(2) of the 2005 Act of Accession.

(22) As regards Cyprus and Croatia, in relation to the provisions under this act concerning Regulation (EU) 2017/2226, the operation of the Entry/Exit System requires the granting of passive access to the Visa Information System and the putting into effect of all the provisions of the Schengen acquis relating to the Schengen Information System in accordance with the relevant Council Decisions. Those conditions can only be met once the verification in accordance with the applicable Schengen evaluation procedure has been successfully completed. Therefore, the Entry/Exit System should be operated only by those Member States which fulfil those conditions at the start of the operation of the Entry/Exit System. Member States not operating the Entry/Exit System from the start of operations should be connected to the Entry/Exit System, in accordance with the procedure set out in Regulation (EU) 2017/2226, as soon as all of those conditions are met.

(23) As regards Cyprus, the provisions under this Regulation concerning Regulation (EC) No 767/2008, constitutes an act building upon, or otherwise relating to, the Schengen acquis, within the meaning of Article 3(2) of the 2003 Act of Accession.

(24) As regards Croatia, the provisions under this Regulation concerning Regulation (EC) No 767/2008, constitutes an act building upon, or otherwise relating to, the Schengen acquis within the meaning of Article 4(2) of the 2011 Act of Accession.

(25) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (16) and delivered an opinion on 22 March 2022.

(26) The measures provided for in this Regulation are in accordance with the opinion of the Smart Borders Committee,

HAS ADOPTED THIS REGULATION:

Article 1

Subject matter

This Regulation establishes:

(a) the detailed rules and conditions for the operation of the web service and the data protection and security rules applicable to the web service provided for in Article 13(1) and (3) and Article 36, first paragraph, point (h), of Regulation (EU) 2017/2226 and in Article 45c(3), fourth subparagraph of Regulation (EC) No 767/2008;

(b) an authentication scheme for carriers to enable them to fulfil their obligations pursuant to Article 13(3) of Regulation (EU) 2017/2226 and Article 45c(5), second paragraph of Regulation (EC) No 767/2008 as well as detailed rules and conditions on registration of carriers with the authentication scheme;

(c) details of the procedures to be followed where it is technically impossible for carriers to access the web service pursuant to Article 45d(3) of Regulation (EC) No 767/2008.

Article 2

Definitions

For the purposes of this Regulation the following definitions apply:

(1) ‘carrier interface’ means the web service to be developed by eu-LISA in accordance with Article 37(1) of Regulation (EU) 2017/2226 where used for the purposes of Article 13(3) of that Regulation and the carrier gateway referred in Article 45c(2) and (3) of Regulation (EC) No 767/2008 and consisting of an IT interface connected to a read-only database;

(2) ‘technical guidelines’ means the part of the technical specifications, referred to in Article 37(1) of Regulation (EU) 2017/2226 that is relevant for carriers for the implementation of the authentication scheme and the development of the message format of the Application Programming Interface referred to in Article 4(2), point (a) of this Regulation;

(3) ‘duly authorised staff’ means employees of or contractually engaged by the carrier or by other legal or natural persons acting under that carrier’s direction or supervision, assigned with the tasks of verifying whether the number of entries authorised by a visa has already been used on behalf of the carrier, in accordance with Article 13(3) of Regulation (EU) 2017/2226 and as from the start of operations of the Visa Information System, to verify whether third-country nationals who are subject to a short-stay visa or who are required to hold a long-stay visa, the airport transit visa or a residence permit are in possession of a valid short-stay visa, long-stay visa, airport transit visa or a residence permit, as applicable, in accordance with Article 45c(1) of Regulation (EC) No 767/2008.

Article 3

Obligations of carriers

(a) in the case of a short-stay visa, the number of entries authorised by the visa has already been used or whether the holder of the visa has reached the maximum authorised stay, as referred to in Article 13 of Regulation (EU) 2017/2226;

(b) in the case of a long-stay visa, an airport transit visa or a residence permit, the visa or the permit are valid as referred to in Article 45c(1) of Regulation (EC) No 767/2008.

(a) physical and logical access control mechanisms to prevent unauthorised access to the infrastructure or the systems used by the carriers;

(b) authentication;

(c) logging to ensure access traceability;

(d) regular review of the access rights.

Article 4

Connection and access to the carrier interface

(a) a dedicated network connection;

(b) an internet connection.

(a) a system-to-system interface (Application Programming Interface);

(b) a web interface (browser);

(c) an application for mobile devices.

Article 5

Queries

(a) surname (family name); first name or names (given names);

(b) date of birth; sex; nationality;

(c) the type and number of the travel document and the three letter code of the issuing country of the travel document;

(d) the date of expiry of the validity of the travel document;

(e) the scheduled date of arrival at the border of a Member State which applies the Schengen acquis in full or a Member State which does not apply the Schengen acquis in full but operates the Entry/Exit system;

(g) the details (local date and time of scheduled departure, identification number, where available, or other means to identify the transport) of the means of transportation used to access the territory of a Member State which applies the Schengen acquis in full or the Member State which does not apply the Schengen acquis in full but operates the Entry/Exit System.

The carrier may also provide the number of the short-stay visa, the long-stay visa or the residence permit.

From the start of operations of the Visa Information System, where the destination cannot be reached with a single-entry visa, the carrier shall provide information that the itinerary includes two or more entries into the Member States when submitting the verification query.