Commission Implementing Regulation (EU) 2023/2790 of 14 December 2023 laying down functional and technical specifications for the reporting interface module of the Maritime National Single Windows

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2019/1239 of the European Parliament and of the Council of 20 June 2019 establishing a European Maritime Single Window environment and repealing Directive 2010/65/EU (1), and in particular Articles 6(1) and 12(4) thereof,

After consulting the Digital Transport and Trade Facilitation Committee,

Whereas:

(1) The specifications of the reporting interface module should be founded on a technology that is readily accessible, easy to install and easy to integrate in all Maritime National Single Windows (MNSWs) and should allow for smooth integration and maintenance in future.

(2) The functional and technical specifications of the reporting interface module should be based on the high-level Interoperability Requirements Solution Architecture Template (HL SAT) Design Guidelines to allow traceability between high-level and detailed interoperability requirements.

(3) Considering that senders use different reporting systems and the MNSWs are implemented using different technologies, the reporting interface module should be built on technologies that enable information to be exchanged between different information systems that use a standardised protocol, enabling greater interoperability.

(4) The reporting obligations listed in the Annex to Regulation (EU) 2019/1239 may require declarants to submit personal data through the Reporting Interface Module, which should exchange the information in a way that any personal data is processed in accordance with Regulations (EU) 2018/1725 (2) and Regulation (EU) 2016/679 (3) of the European Parliament and of the Council.

(5) As the reporting interface module is developed and updated by the Commission and distributed to the Member States for integration, distributing new versions of the reporting interface module, monitoring correct installation of the software and updating the message implementation guide should be managed centrally, taking into account the IT security requirements of the MNSWs where possible.

(6) To guarantee stability, security and performance of the reporting interface module, Member States should be able to monitor network traffic and analyse system events, errors and exceptions, as well as integrate this information into their existing monitoring systems and processes. To accomplish this, the reporting interface module should provide suitable functionalities that allow events to be logged and stored and provide network traffic information to the Member States.

(7) To ensure secure information exchange through the reporting interface module, senders require authentication. To this end, the common user registry and access management system should have a central authentication service and a central registry as key components. These components should work together to enable sender authentication across all reporting interface modules, providing a unified authentication mechanism.

(8) To exchange information securely using the reporting interface module and ensure that users are recognised at EU level when they access any of the reporting interface modules, senders should obtain a qualified certificate for electronic seals compliant with the requirements set by Regulation (EU) No 910/2014 (4) of the European Parliament and of the Council.

(9) To provide single registration for senders to exchange information through the harmonised reporting interfaces in different Member States, Member States should be able to register senders in the central registry. This should reduce the burden of multiple registrations for cross-border operations in multiple MNSWs. Any personal data in the central registry should be managed in accordance with Regulations (EU) 2018/1725 and (EU) 2016/679.

(10) To minimise Member States’ reliance on central services and considering that MNSWs may already be supported by national authentication services, Member States should also be allowed to reuse their own national authentication services and national registries to authenticate senders wishing to use the reporting interface module, as an alternative to the user registry and access management system of the European Maritime Single Window environment (EMSWe).

(11) To allow Member States to correctly integrate the reporting interface module and the user registry and access management system with the MNSWs, this Regulation should apply as of the same date as Regulation (EU) 2019/1239.

(12) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 18 October 2023.

HAS ADOPTED THIS REGULATION:

Article 1

Definitions

For the purpose of this Regulation, the following definitions shall apply:

(1) ‘reporting interface module’ means a middleware component of the MNSW referred to in Article 2(4) of Regulation (EU) 2019/1239;

(2) ‘sender’ means a declarant or data service provider operating the IT system that sends electronic messages to MNSW or receives them via the reporting interface module;

(3) ‘formality’ means the formality as defined in article 1 of Commission Implementing Regulation (EU) 2023/204 (5);

(4) ‘AS4’ means a message protocol based on web services to securely exchange messages between two parties;

(5) ‘message’ means a digital representation of formalities or response messages used for the exchange between the sender and the MNSW;

(6) ‘AS4 access point’ means a server operating software that is compatible with the AS4 messaging protocol and the requirements of the reporting interface module, enabling information to be sent and received on behalf of a sender from and to the reporting interface module;

(7) ‘MNSW core’ means a MNSW technical component with which the reporting interface module is integrated;

(8) ‘syntax validation’ means the process of checking whether an electronic message is free of programming, structural or stylistic errors;

(9) ‘semantic validation’ means a process in which data conformity with specific data rules within a formality is checked;

(10) ‘message implementation guide’ means a functional specification laying down standards and messages to be exchanged between senders and MNSWs through the reporting interface module;

(11) ‘registration’ means a process where a natural or legal person identifies themselves and creates an account with the authority referred to in Article 12(2) of Regulation (EU) 2019/1239;

(12) ‘identification’ means electronic identification as defined in point (1) of Article 3 of Regulation (EU) No 910/2014;

(13) ‘electronic identification means’ means an electronic identification as defined in point (2) of Article 3 of Regulation (EU) No 910/2014;

(14) ‘authentication’ means an authentication as defined in point (5) of Article 3 of Regulation (EU) No 910/2014;

(15) ‘certificate’ means a qualified certificate for electronic seal defined in Article 3(30) of Regulation (EU) No 910/2014 issued by a qualified trust service provider as defined in Article 3(20) of Regulation (EU) No 910/2014;

(16) ‘EORI number’ means an identification number as defined in point (18) of Article 1 of Commission Delegated Regulation (EU) 2015/2446 (6);

(17) ‘EMSWe user registry and access management system’ means a system operated by the Commission that encompasses a central registry and a central authentication service, and ensures the mutual recognition of electronic identification means and authentication for secure cross-border data exchange between senders and MNSWs through the reporting interface module;

(18) ‘central registry’ means a registry operated by the Commission that holds senders’ registration data provided by the Member States with the purpose of facilitating the authentication of senders;

(19) ‘national registry’ means a registry operated by a Member State that holds senders’ registration data and can be used to facilitate the authentication of senders if compliant with the requirements of the central authentication service;

(20) ‘central authentication service’ means a service operated by the Commission that authenticates senders that use the reporting interface module;

(21) ‘national authentication service’ means a service operated by a Member State that may be used to authenticate senders that use the reporting interface module.

Article 2

The reporting interface module shall comply with the functional and technical specifications set out in Part I of the Annex.

To help integrate the reporting interface module into the MNSWs, the Commission, in close collaboration with the national coordinators for EMSWe, shall:

— define guidelines for testing and configuring the reporting interface module for integration into the respective MNSWs;

— define and maintain, with the assistance of the European Maritime Safety Agency, the message implementation guide.

Article 3

The central registry and the central authentication service shall be set up in accordance with the technical specifications, standards and procedures set out in Part II of the Annex.

Article 4

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from 15 August 2025.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 14 December 2023.

For the Commission The President Ursula VON DER LEYEN

(1) OJ L 198, 25.7.2019, p. 64.

(2) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

(3) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(4) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73).

(5) Commission Implementing Regulation (EU) 2023/204 of 28 October 2022 laying down technical specifications, standards and procedures for the European Maritime Single Window environment pursuant to Regulation (EU) 2019/1239 of the European Parliament and of the Council (OJ L 33, 3.2.2023, p. 1).

(6) Commission Delegated Regulation (EU) 2015/2446 of 28 July 2015 supplementing Regulation (EU) No 952/2013 of the European Parliament and of the Council as regards detailed rules concerning certain provisions of the Union Customs Code (OJ L 343, 29.12.2015, p. 1)