This page contains a limited version of this dossier in the EU Monitor.
|dossier||COM(2016)731 - European Travel Information and Authorisation System (ETIAS).|
1. CONTEXT OF THE PROPOSAL
Our overarching priority is to ensure the security of citizens in an open Europe. The pressures of the migration and refugee crises, alongside a series of terrorist attacks, have severely tested the EU migration and security frameworks. EU citizens expect the external borders of the Schengen area to be managed effectively to prevent irregular migration and ensure enhanced internal security. 1 The effectiveness of external border management is an essential precondition for free movement within the Schengen Area and for facilitating the crossing of EU external borders in a world of mobility. Every year, there are some 400 million crossings of the Schengen border by EU citizens, and 200 million by non-EU citizens.
Today, around 1,4 billion people from around 60 countries worldwide can benefit from visa-free travel to the European Union. This makes the EU the most welcoming destination in the industrialised world, and based on the principle of reciprocity, benefits also EU citizens by facilitating visa-free travel abroad. The number of visa-exempt third country nationals to the Schengen countries will continue to grow, with an expected increase of over 30% in the number of visa exempt third country nationals crossing the Schengen borders by 2020, from 30 million in 2014 to 39 million in 2020. 2 These figures demonstrate the need to put in place a system that is able to achieve objectives similar to the visa regime, namely to assess and manage the potential irregular migration and security risks represented by third country nationals visiting the EU, yet in a lighter and more visitor-friendly way, in line with the objectives of the EU's visa liberalisation policy.
The Commission confirmed in its Communication of 14 September 2016 Enhancing security in a world of mobility: improved information exchange in the fight against terrorism and stronger external borders 3 the need to strike the right balance between ensuring mobility and enhancing security, while facilitating legal entry into the Schengen area without the need for a visa. Visa liberalisation has proved an important tool in building partnerships with third countries, including as a means of ensuring effective systems of return and readmission, and to increase the attractiveness of the EU for business and tourism.
In comparison to visa-required third country nationals, the competent border and law enforcement authorities have little information on visa-exempt third country nationals as regards risks they may pose before their arrival at the Schengen border. Adding this missing layer of information and risk assessment on visa free visitors would bring significant added value to existing measures to maintain and strengthen the security of the Schengen area and will allow visa free visitors to fully enjoy their visa-free status.
Building an effective and integrated external border management based on new technologies by harnessing the full potential of interoperability was set out in the Communication Stronger and Smarter Information Systems for Borders and Security 4 , and applied in a revised legislative proposal for an EU Entry/Exit System (EES) 5 . The EES proposal aims to modernise the collection and registration of entry and exit records of non-EU citizens crossing the EU external borders. In parallel, the Commission launched a feasibility study 6 on establishing a European Travel Information and Authorisation System (ETIAS). ETIAS would collect information from visa free third country nationals, and ensure interoperability in terms of information and technological infrastructure with the EES and other EU information systems. To ensure maximum interoperability and resource sharing, the development and implementation of EES and ETIAS should be carried out together and in parallel. The importance of proposing swiftly a European Travel Information and Authorisation System was underlined by President Juncker in September's State of the Union address and the Commission announced that a legislative proposal for the establishment of this system would be adopted by November 2016.
In this context, and following the reference to ETIAS in the Bratislava Roadmap 7 , the European Council in October 2016 8 invited the Commission to put forward a proposal for setting up ETIAS, stressing the need “to allow for advance security checks on visa- exempt travellers and deny them entry where necessary”.
Rationale for the setting up of ETIAS
ETIAS will be an automated system created to identify any risks associated with a visa-exempt visitor travelling to the Schengen Area. Countries like the USA, Canada and Australia already use similar systems and consider these as an essential part of their security frameworks – as a result, these systems are now familiar to many Europeans.
ETIAS will gather information on these travellers prior to the start of their travel, to allow for advance processing. For the travellers, this will give them confidence that they would be able to cross the borders smoothly.
Strengthening integrated border management and enhancing internal security
At the moment, there is no advance information as regards visa exempt visitors coming to the Schengen external border. Both from a migration and from a security point of view, there is a clear necessity to conduct prior checks in order to identify any risks associated with a visa-exempt visitor travelling to the Schengen Area. At present border guards need to make the decision at the Schengen area external borders without the benefit of a prior assessment. In 2014, approximately 286,000 third country nationals were refused entry at the external borders of the EU-28. Most refusals were recorded at the external land borders (81%), followed by refusals at air borders (16 %). Approximately one-fifth of these refusals were due to the lack of a valid visa, but most cases were related to a negative assessment of the migration and/or security risk represented by the third country national. 9 Europol and the European Border and Coast Guard risk assessments confirm 10 the existence of these risks both from an irregular migration and from a security point of view.
Therefore, the key function of ETIAS would consist in checking the information submitted by visa-exempt third country nationals, via an online application ahead of their arrival at EU external borders, if they pose certain risks for irregular migration, security or public health. This would be done by automatically processing each application submitted via a website or a mobile application against other EU information systems, a dedicated ETIAS watchlist and clearly defined screening rules. This examination would allow to determine that there are no factual indications or reasonable grounds to prevent a travel authorisation being issued.
Through the setting up of ETIAS, a mandate would be given to the European Border and Coast Guard to ensure via an ETIAS Central Unit the management of the ETIAS Central System that will be connected and integrated in the national border guard infrastructures. Applications rejected from the automatic processing would be transferred to an ETIAS Central Unit in the European Border and Coast Guard which will quickly verify the correctness of information provided and alerts identified. Applications subject to an alert or hit will be forwarded to the Member State(s) responsible. The Agency for the operational management of large-scale information systems in the area of freedom, security and justice ('eu-LISA') would develop the ETIAS Information System and ensure its technical management. Europol would give its input when it comes to security aspects.
By requiring a valid travel authorisation for all visa-exempt third country nationals, regardless of their mode of travelling or their point of entry, the EU will ensure that all visitors are checked prior to arrival while fully respecting their visa-free status. The system is however especially relevant for land borders as those visa-exempt third-country nationals travelling by land (foot, car, bus, truck, train) do not generate Advance Passenger Information (API) or Passenger Name Records (PNR) as is the case with air- and/or sea-travel.
Accordingly, ETIAS will reinforce EU internal security in two ways: first, through the identification of persons that pose a security risk before they arrive at the Schengen external border; and second, by making information available to national law enforcement authorities and Europol, where this is necessary in a specific case of prevention, detection or investigation of a terrorist offence, or other serious criminal offences.
ETIAS will also facilitate the crossing of the Schengen external border by visa-exempt third country nationals. An ETIAS authorisation would be obtained through an application process, which would be simple, cheap, fast and would in the vast majority of cases not require any further steps. According to the experience of other countries with similar systems for travel authorisations (US, Canada, Australia), an estimated 95% or more would result in a positive reply, which would be communicated to applicants within minutes. Fingerprints and other biometric data would not be collected. The authorisation would be valid for five years and for multiple travels and its application fee will only be € 5. The authorisation prior to travel would offer clarity to visa exempt third country nationals bound for the Schengen area. Once the applicants receive the travel authorisation, they would have a reliable early indication of admissibility into the Schengen area. This is a significant improvement for travellers compared to the current state of play.
Even if the final decision on allowing entry into the Schengen Area will still rest with the border guards at the external border in line with the Schengen Border Code, ETIAS will substantially reduce the number of cases of refusals of entry at the border crossing points. Border guards will be able to see if the person before them has obtained a travel authorisation or not before arriving at the border. ETIAS in this way will also reduce the costs for carriers to return passengers from sea and air borders. Persons having been denied authorisation will not waste time and money to travel to the Schengen area. Such decisions can be appealed in the Member State that has taken that decision and would not require launching lengthy and expensive visa application process as in the case of similar systems for travel authorisations.
Main elements of ETIAS
- Response to applicants
- Check by carriers
- Arriving at the Schengen area border crossing point
- Revocation or annulment of travel authorisations
- Role of Europol
- ETIAS technical infrastructure
- Data Retention period
- Interoperability and resource-sharing with EES
- Costs of development phase and running phase
The proposed European Travel Information and Authorisation System (ETIAS) will be an EU system for visa-exempt third country nationals when crossing the external borders. The system would enable to determine whether the presence of such persons on the territory of the Member States would pose an irregular migration, security or public health risk.
For this purpose a travel authorisation would be introduced as a new condition for entering the Schengen area and the absence of a valid ETIAS travel authorisation would result in a refusal of entry into the Schengen area.
Moreover, where applicable, carriers would have to check that their passengers have a valid ETIAS travel authorisation before allowing them to board their transportation means bound to a Schengen country.
A valid travel authorisation would be a reliable indication to the visitor that the risk assessments performed in advance of arrival at a Schengen border crossing point makes him/her, a priori, eligible for entering the Schengen area. The border guard would still conduct the border control checks as provided under the Schengen Border Code and would take the final decision for granting or refusing entry.
The ETIAS would be composed of the ETIAS Information System, the ETIAS Central Unit and the ETIAS National Units.
The ETIAS Information System would be composed of a Central System to process the applications; a National Uniform Interface in each Member State based on the same technical specifications for all Member States, and connecting their national border infrastructures to the Central System; a secure Communication Infrastructure between the Central System and the National Uniform Interfaces; a public website and a mobile app for mobile devices; an email service; a secure account service enabling applicants to provide additional information and/or documentation, if deemed necessary; a carrier gateway; a web service enabling communication between the central system and external stakeholders, and a software enabling the ETIAS Central Unit and the ETIAS National Units to process the applications.
To the maximum extent possible and technically feasible, the ETIAS Information System will re-use the hardware and software components of the EES and its communication infrastructure. Interoperability would also be established with the other information systems to be consulted by ETIAS such as the VIS, the Europol data, the Schengen Information System (SIS), the Eurodac and the European Criminal Records Information System (ECRIS).
The ETIAS Central Unit will be established within the European Border and Coast Guard, and will be part of its legal and policy framework. Operating on a 24/7 basis, the ETIAS Central Unit will have four central tasks: 1) ensuring that the data stored in the application files and the data recorded in the ETIAS Information System are correct and up to date, 2) where necessary, verifying the travel authorisation applications to remove any ambiguity about the applicant’s identity in cases of a hit obtained during the automated process, 3) defining, testing, implementing, evaluating and revising specific risk indicators of the ETIAS screening rules after consultation of the ETIAS Screening Board, and 4) carrying out regular audits on the management of applications and on the implementation of the ETIAS screening rules, particularly as regards their impacts on fundamental rights and especially with regards to privacy and data protection.
ETIAS National Units would be established in each Member State, and would have the primary responsibility of conducting the risk assessment and deciding on travel authorization for applications rejected by the automated application process. They would need to have adequate resources to fulfil their tasks on a 24/7 basis. If necessary, they would consult other National Units and Europol and would issue opinions when consulted by other Member States. They would also act as national central access points regarding requests for access to the ETIAS data for law enforcement purposes in order to prevent, detect and investigate terrorist offences or other serious criminal offences falling under their competence.
An ETIAS Screening Board with an advisory function would also be established within the European Border and Coast Guard. It would be composed of a representative of each ETIAS National Unit and Europol, and would be consulted for the definition, evaluation and revision of the risk indicators as well as for the implementation of the ETIAS watchlist.
ETIAS will apply to visa-exempt third country nationals, including, and when it comes to checking the security and public health risk, to family members of European Union citizens and of nationals of a third country enjoying the right to free movement if they do not hold a residence card.
ETIAS will not apply to: holders of long-stay visas, holders of a local border traffic permits, citizens of the micro-states in the Schengen area, holders of diplomatic passports and crew members of ships or aircraft while on duty, third-country nationals who are family members of EU citizens or of a national of a third country enjoying the right of free movement under the Union law and hold a valid residence card and recognised refugees, stateless persons or other persons who reside and hold a travel document issued by a Member State.
ETIAS does not apply to EU citizens. Consequently, third country nationals having multiple nationalities, including the nationality of an EU Member State must use the passport issued by an EU Member State for entering the Schengen area.
Local border traffic permit holders are excluded from the scope of the ETIAS Regulation, pending a thorough assessment of the security risks associated with this category of persons in accordance with Regulation (EC) No 1931/2006, which lays down rules on local border traffic at the external land borders of the Member States and amending the provisions of the Schengen Convention. The European Commission will examine the necessity of modifying Regulation (EC) No 1931/2006, to ensure that the conditions for issuing local border traffic permits, guarantee appropriate security risk assessments, while not prejudicing in any way the facilitations provided to local border traffic permit holders by Regulation (EC) No 1931/2006 and the Schengen Borders Code. The European Commission will also examine the security features of the permit itself.
The legislative proposal sets out in detail the practical steps and the process for issuing or refusing the travel authorisation. The figure below presents an overview of the process from the visa exempt third country national's perspective.
Prior to the intended travel, the applicant creates an on-line application, via a dedicated website or the mobile application.
To fill in the application, each applicant will be requested to provide the following data:
– Surname (family name), first name(s), surname at birth, usual name(s); date of birth, place of birth, country of birth, sex, current nationality, first names of the parents of the applicant; home address;
– Travel document;
– If applicable, any other nationality;
– Permanent residence information;
– Email address and phone number;
– Member State of intended first entry;
– Education and current occupation details;
– Answers to a set of ETIAS background questions (as regards conditions with epidemic potential or other infectious or contagious parasitic diseases; criminal records; presence in war zones; and any previous decision to return to borders or orders to leave the territory of an EU Member State),
– If the applicant is a minor, the identity of the person responsible for the minor,
– If the application is submitted by a person different of the applicant, the identity of the person and company that he or she represents (if applicable).
– For family members to EU citizens/third country nationals benefitting from free movement without residence cards: their status as family member; the identity details of the family member with whom the applicant has ties; their family ties.
Filling the application form online would in principle not take more than 10 minutes. Apart from having a valid passport, no further documentation would be required to reply to the questions asked.
ETIAS would accept applications introduced on behalf of the applicant in situations where visa exempt third country nationals cannot themselves create an application (for example, because of age, literacy- level, access to and inability to use information technology). In such cases, the application may be submitted by a third person provided this person's identity is included in the application.
Applicants intending to travel from far away would usually purchase a ticket online or through a travel agent. Both possibilities involve the use of information technology. Consequently, the applicant will have direct access to the technology required for introducing the ETIAS application or will have the possibility to request the travel agent to introduce the application on his/her behalf.
Once the application is ready, the payment of a fee of €5 per application will be required for all applicants above the age of 18. This would be an electronic payment in euro using a credit card or other payment methods. The payment methods available may be specified further at a later stage, in order to include additional and up to date means of payment, taking account of technological developments and their availability, in order not to hinder visa-free third country nationals who may not have access to certain payment means when applying for an ETIAS authorisation.
The payment would be managed by a bank or a financial intermediary. Data required for completing the payment would only be provided to the company operating the financial transaction and would not be processed by ETIAS in the context of the application.
Once the payment is received, the ETIAS application is automatically introduced.
The process of assessing and deciding on an application would start immediately after the payment of the fee is confirmed.
The application would be automatically processed. Where applicable, the application would undergo manual processing by the ETIAS Central Unit and ETIAS National Unit(s).
This automated step will process data related to identity data, travel document, and the answers to the background questions. The central system will, within minutes, proceed to a fully automated cross-checking of the information provided by the applicant against other information systems, a watchlist established in ETIAS and against ETIAS’ clearly defined screening rules.
The objective of this automated process is to ensure that:
– no other valid travel authorisation already exists, the data provided in the application concerning the travel document do not correspond to another application for travel authorisation associated with different identity data, and the applicant or the associated travel document do not correspond to a refused, revoked or annulled application for travel authorisation (ETIAS);
– the applicant is not subject to a refusal of entry alert (SIS) and/or the travel document used for the application does not correspond to a travel document reported lost, stolen or invalidated (SIS and Interpol’s SLTD);
– whether the applicant is not subject to an alert on the basis of a European Arrest Warrant or wanted for arrest for extradition purposes (SIS)
– the applicant has not been reported as an overstayer, at present or in the past, or has was refused entry (EES);
– the applicant had no visa application refused in Visa Information System (VIS – this would be valid for nationals of countries which were granted visa waiver status within five years or less and for applicants having more than one nationality);
– the applicant and the data provided in the application corresponds to information recorded in the Europol data;
– a risk assessment is conducted for irregular migration risks, particularly as to whether the applicant was subject to a return decision or a removal order issued following the withdrawal or rejection of the application for international protection (EURODAC 11 );
– no criminal record is recorded (ECRIS);
– the applicant and/or his/her travel document are not subject to an Interpol alert (TDAWN).
This automated process would also ensure that the applicant is not in the ETIAS watchlist and would verify if the applicant has replied affirmatively to any of the ETIAS background questions.
Clearly defined screening rules within the ETIAS Central System will be used to assess the application file. These rules will consist of an algorithm which will compare the data recorded in an ETIAS application file, and specific risk indicators pointing to identified irregular migration, security or public health risks. The specific risk indicators will be established by the ETIAS Central Unit after consultation with the ETIAS Screening Board (see below).
The irregular migration, security or public health risks will be determined on the basis of:
– EES statistics on abnormal rates of overstays or refusals of entry for specific groups of third country nationals;
– ETIAS statistics on travel authorisation refusals due to irregular migration, security or public health risks associated with specific groups of third country nationals;
– Statistics generated by both EES and ETIAS showing correlations between the information collected through the ETIAS application form and overstays or refusals of entry.
– Information provided by Member States concerning specific security risk indicators or threats identified by those Member States.
– Information provided by Member States as well as the European Centre for Disease Prevention and Control (ECDC) concerning specific public health risks.
These screening rules and the irregular migration, security or public health risks will be targeted, proportionate and specific. The sets of data used for these rules will in no circumstances be based on a person's race or ethnic origin, political opinions, religion or philosophical beliefs, trade union membership, sexual life or sexual orientation.
If the automatic process has not reported any hit or any element requiring additional analysis, the travel authorisation is issued automatically and the applicant is informed by email. Such a positive answer will concern the vast majority of applications (expected to exceed 95% of cases) and will be communicated to the applicant within minutes after payment.
If the automatic process has reported a hit or has identified elements requiring additional analysis, the application will be further assessed manually.
If the automatic examination reports a hit from other information systems or the ETIAS watchlist or specific risk indicators, or is indecisive because there is uncertainty about the identity of the applicant a manual examination by the ETIAS Central Unit would follow. The ETIAS Central Unit will check the application to remove any ambiguity about the applicant's identity, using the information reported through the automatic process. This again may lead to a positive decision on the application, within 12 hours. If there is a confirmed hit, the application is transferred to the ETIAS National Unit of the Member State of first entry, as declared by the applicant during the application process.
It is expected that an additional 3-4% of applications would receive a positive decision after the verification of data done by the ETIAS Central Unit. This would leave the remaining 1-2% of ETIAS applications reporting a hit or hits to be transferred to ETIAS National Units for manual processing and a decision.
Step 3 (where applicable) – manual processing by the ETIAS National Unit of the Member State of intended first entry
If the automatic process by the ETIAS Central System detects a (confirmed) hit against any of the consulted databases or the ETIAS watchlist, and/or indicates that the applicant corresponds to the screening rules, the application will be transferred to the ETIAS National Units.
Attribution of the application by ETIAS to a specific Member State would be automated, and directed to the Member State of the traveller’s intended first entry as declared in the application form.
Once the application has been transferred to the responsible ETIAS National Unit, the ETIAS National Unit would have to assess the application file and inform the applicant no later than 72 hours after lodging the application about the decision taken (negative or positive). The task of the responsible ETIAS National Unit would be to assess the irregular migration, security or public health risk and decide whether to issue or refuse a travel authorisation.
When the applicant receives a negative decision on his/her application, they will always have the right to appeal. Appeals would be launched in the Member State that has taken the decision on the application and in accordance with the national law of that Member State. In addition, a special procedure is foreseen in situations for humanitarian grounds, for reasons of national interest or because of international obligations where ETIAS National Units may issue a travel authorisation with limited territorial and temporal validity.
Where the information provided by the traveller in the application form does not allow the responsible ETIAS National Unit to decide whether to issue or refuse travel authorisation, more information and/or documentation may be requested from the applicant by the ETIAS National Unit. The request would be communicated to the applicant via email and would clearly indicate the missing information and/or documentation to be provided. This information would need to be provided within 7 working days, and the ETIAS National Unit would need to process this information no later than 72 hours after the date of submission by the traveller. In exceptional circumstances, the applicant may be invited via email for an interview at a consulate in his/her country of residence.
When manually assessing applications for which they are responsible, the ETIAS National Units are allowed to use information available in national databases or other decentralised systems to which they have access. In this process, the responsible authorities of other Member States and Europol would also be consulted and would receive access to the relevant additional information or documentation, if they are responsible for data having triggered a hit in the course of the cross-checking of other information systems. The ETIAS National Unit of the consulted Member States would then within 24 hours issue a reasoned opinion, either positive or negative, on the application, which would be recorded on the application file. When one or more ETIAS National Units consulted issue a negative opinion on the application, the responsible Member State would refuse the travel authorisation.
In the context of this manual processing, it is imperative that competent law enforcement authorities, have access to relevant and clearly defined information in ETIAS, when this is necessary to prevent, detect and investigate terrorist offences or other serious criminal offences. Access to data contained in the Visa Information System (VIS) for law enforcement purpose has already proven effective in helping investigators to make substantial progress in cases related to human being trafficking, terrorism or drug trafficking. The Visa Information System, however, does not contain data on visa-exempt third-country nationals.
In an era of globalised crime, information generated by ETIAS could be necessary to be accessed by law enforcement authorities in a specific investigation and in order to establish evidence and information related to a person suspected of having committed a crime or be the a victim of a crime. The data stored in ETIAS may also be necessary to identify the perpetrator of a terrorist offence or other serious criminal offences, especially when urgent action is needed. Access to ETIAS data for these purposes should only be granted following a reasoned request by the competent authorities giving reasons for its necessity. The request should be the subject of a prior review by a court or by an authority providing guarantees of full independence and impartiality. However, in situations of extreme urgency, it can be crucial for the law enforcement authorities to obtain immediately personal data necessary for preventing the commission of a serious crime or so that its perpetrators can be prosecuted. In these cases, the review of the personal data obtained from ETIAS takes place as swiftly as possible after access to such data has been granted to the competent authorities.
To prevent systematic searches of ETIAS by law enforcement authorities, the access to data stored in the ETIAS Central System would take place only in specific cases, and only when it is necessary for the purposes of preventing, detecting or investigating terrorist offences or other serious crime. The designated authorities and Europol should only request access to ETIAS when they have reasonable grounds to believe that such access will provide information that will substantially assist them in preventing, detecting or investigating a terrorist offence or other serious criminal offence. The designated authorities and Europol should only request access to the ETIAS if prior searches in all relevant national databases of the Member State and databases at Europol did not lead to the requested information.
If the manual processing of the application is conducted as a result of a hit in the Europol data, the ETIAS National Unit of the responsible Member State would consult Europol in cases falling under Europol's mandate. In those cases, the ETIAS National Unit of that Member State would transmit to Europol the relevant data of the application file as well as the hit(s) which are necessary for the purpose the consultation, as well as the relevant additional information or documentation provided by the applicant. Europol would provide a reasoned opinion within 24 hours.
The ETIAS National Unit will upload the information concerning the final decision in the central system. When the system notifies the decision to the applicant he or she will be informed, where relevant, of which national authority was responsible for the processing and decision on his or her travel authorisation. The ETIAS Central System, Central Unit and National Unit will keep records of all data processing operations performed. Those records would show the date and time, the data used for the automated processing of the applications and the hits found while carrying out the verifications. The decision taken concerning the travel authorisation, positive or negative, would be justified and explained. The decision and the corresponding justification are recorded in the individual ETIAS application file by the entity having taken the decision.
In all cases a final decision shall be taken by the ETIAS National Unit within two weeks after receipt of the application by the central system.
Applicants would receive an email with a valid travel authorisation and the authorisation's number, or a justification for the refusal. The validity of the travel authorisation would be 5 years (or until the expiry date of the passport). If the travel authorisation is refused, the applicant would be informed which national authority was responsible for the processing and decision on his or her travel authorisation, as well as information regarding the procedure to be followed in the event of an appeal.
Prior to boarding, carriers have to verify if visa exempt third country nationals have a valid ETIAS travel authorisation. They could do this by means of an online interface, or through other mobile technical solutions.
If a traveller with a valid travel authorisation would be subsequently refused at entry, the carrier would remain liable for taking the traveller back to the initial point of embarkation but would not incur any penalty.
If a traveller who does not have a valid travel authorisation is authorised boarding and is subsequently refused entry, the carrier would not only remain liable for taking the traveller back to the initial point of embarkation but would also incur a penalty.
When the traveller arrives at the border crossing point, the border guard will, as part of the standard border control process, electronically read the travel document data. This will trigger a query to different databases as provided under the Schengen Border Code including a query to ETIAS which would provide the up-to-date travel authorisation status. The ETIAS file itself would not be accessible to the border guard for border controls.
If there is no valid travel authorisation, the border guard would have to refuse entry to the Schengen area and complete the border control process accordingly. The traveller would be registered in EES, as well as the refusal of entry according to the EES Regulation.
If there is a valid travel authorisation, the border control process would be conducted as per the Schengen Border Code. As a result of this process, the traveller may be authorised to enter the Schengen area or refused access under the conditions defined in the Schengen Border Code.
An issued travel authorisation has to be annulled or revoked as soon as it becomes evident that the conditions for issuing it were not met at the time of issuing, or are no longer met, particularly when there are serious grounds for believing that the travel authorisation was fraudulently obtained. The revocation or annulment decision will in principle be taken by the authorities of the Member State that is in possession of the evidence leading to the revocation or annulment, or by the ETIAS National Unit of the Member State of first entry as declared by the applicant.
In particular, when a new SIS alert is created for a refusal of entry, the SIS will inform the ETIAS Central System, which would in turn verify whether this new alert corresponds to a valid travel authorisation. If that is the case, the Member State having created the alert will be immediately informed and will have to proceed to the revocation of the travel authorisation.
Europol contributes to the added value that ETIAS will provide to EU internal security. This reflects Europol's role as EU information hub and core security cooperation tool within a reinforced regulatory framework. Data provided by applicants for an ETIAS authorisation will be cross-checked against data that is held by Europol related to persons who are suspected of having committed or taken part in a criminal offence, who have been convicted of such an offence, or regarding whom there are factual indications or reasonable grounds to believe that they will commit such an offence. Europol is in a unique position to combine information that is not available to individual Member States or in other EU databases.
This is why Europol will be involved in the definition of ETIAS screening rules through its participation in the ETIAS Screening Board. It will also manage the ETIAS watchlist within Europol data. Moreover, ETIAS National Units may consult Europol in the follow up to a hit that occurred during the ETIAS automated processing in cases falling under Europol's mandate. This will allow ETIAS National Units to benefit from relevant information that might be available at Europol when assessing an ETIAS application by a person that might pose a security threat. Finally, Europol may request consultation of data stored in the ETIAS Central System in a specific case where Europol supports action by Member States in preventing, detecting or investigating terrorist offences or other serious criminal offences falling under Europol's mandate.
The ETIAS would provide the technical infrastructure:
– For applicants to introduce the data required for each travel authorisation application online, with the appropriate guidance in case of doubt;
– For the ETIAS Central System to create, update and delete the travel authorisation application, and the information collected to handle the application, until the decision to grant or refuse authorisation is taken;
– For the ETIAS central system to process the personal data of the applicant to query specific databases and to retrieve the information they contain concerning the applicant, for the purpose of assessing the application;
– For border guards to access the travel authorisation status of an applicant from any Schengen border crossing point, by reading data on the travel document’s machine readable zone or application number;
– For carriers to consult the travel authorisation status using only data on the travel document’s machine readable zone or the application number;
– For staff in the ETIAS Central Unit and in ETIAS National Units to manage the process of handling the applications, including the exchanges with other Member State's competent authorities and the notifications to the applicants;
– For the ETIAS Central Unit as well as for staff and competent authorities in the ETIAS National Units to produce statistics using anonymised data, without enabling the identification of individuals by narrowing statistics to a very small group.
The technical infrastructure of ETIAS needs to provide timely responses to border control operations and to carriers on a 24/7 basis with an availability of 99,9%. The ETIAS Information System also needs to ensure the highest security protection mechanisms against intrusion, access and disclosure of data to non-authorised persons, corruption and loss of integrity of data. Compliance with this requirement will be sought by the adoption of a security plan as an implementing measure.
As a general rule the duration for the storage of the ETIAS application data will be 5 years after the last use of the travel authorisation or from the last decision to refuse, revoke or annul a travel authorisation. This retention period corresponds to the retention period of an EES record with an entry authorisation granted on the basis of an ETIAS travel authorisation. This synchronisation of retention periods ensures that both the entry record and the related travel authorisation are kept for the same duration and is an additional element of interoperability between ETIAS and EES. This synchronisation of data retention periods is necessary to allow the competent authorities performing the necessary risk analysis requested by the Schengen Borders Code and ETIAS. The retention period will also reduce the re-enrolment frequency and will be beneficial for all travellers. Beyond this period the ETIAS application file would be automatically and completely erased.
The proposed Regulation includes a general principle that ETIAS is built on the interoperability of information systems to be consulted (EES, SIS, VIS, Europol data, Eurodac and ECRIS) and on the re-use of components developed for those information systems, the EES in particular. This approach results also in significant cost saving for the set up and operation of ETIAS.
ETIAS and EES would share a common repository of personal data of third-country nationals, with additional data from the ETIAS application (e.g. residence information, answers to background questions, IP address) and the EES entry-exit records separately stored, but linked to this shared and single identification file. This approach is fully in line with the interoperability strategy proposed in the Communication on Stronger and Smarter Information Systems for Borders and Security of 6 April 2016, and would include all appropriate data protection safeguards.
The following components of EES are shared or re-used:
– the wide-area network (implemented as a virtual network and currently called Testa-ng that links Member State national domains with the central domain) has sufficient capacity to convey the ETIAS communications between national infrastructures and the central system;
– the National Uniform Interface which is a generic system developed and deployed by eu-LISA to provide a set of communication services between the national border control infrastructures and the central system will also be used for handling the ETIAS messages.
– the technical means that allow carriers to query the ETIAS status of visa exempt third country nationals travelling to the Schengen area will use the same service as provided for EES.
– the technical means that allow applicants to introduce requests to ETIAS (implemented as a web interface and mobile platform) will also use the infrastructure put in place in EES for allowing travellers to consult outstanding durations of authorised stay.
The cost for developing the ETIAS system is estimated at € 212,1 million and the average annual operations cost at € 85 million. The ETIAS would be financially self-sustaining as the annual operations costs would be covered by the fee revenue.
Existing provisions in the area of the proposal
Regulation (EU) 2016/399 of the European Parliament and of the Council of 9 March 2016 on a Union Code on the rules governing the movement of persons across borders (Schengen Borders Code).
Regulation of the European Parliament and of the Council (EC) No 767/2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation).
Regulation of the European Parliament and of the Council (EC) No 810/2009 establishing a Community Code on Visas.
Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II).
Proposal for a Regulation of the European Parliament and of the Council establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third country nationals crossing the external borders of the Member States of the European Union and determining the conditions for access to the EES for law enforcement purposes and amending Regulation (EC) No 767/2008 and Regulation (EU) COM(2016) 194 final.
Regulation (EU) No 603/2013 of the European Parliament and of the Council of 26 June 2013 on the establishment of Eurodac for the comparison of fingerprints for the effective application of Regulation (EU) No 604/2013 establishing the criteria and mechanisms for determining the Member State responsible for examining an application for international protection lodged in one of the Member States by a third-country national or a stateless person and on requests for the comparison with Eurodac data by Member States' law enforcement authorities and Europol for law enforcement purposes, and amending Regulation (EU) No 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice.
Proposal for a Directive of the European Parliament and of the Council amending Council Framework Decision 2009/315/JHA, as regards the exchange of information on third country nationals and as regards the European Criminal Records Information System (ECRIS), and replacing Council Decision 2009/316/JHA.
Regulation of the European Parliament and of the Council (EU) No 1077/2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice.
Regulation (EU) 2016/1624 of the European Parliament and of the Council of 14 September 2016 on the European Border and Coast Guard and amending Regulation (EU) 2016/399 of the European Parliament and of the Council and repealing Regulation (EC) No 863/2007 of the European Parliament and of the Council, Council Regulation (EC) No 2007/2004 and Council Decision 2005/267/EC.
Regulation (EU) No 515/2014 of the European Parliament and of the Council of 16 April 2014 establishing as part of the Internal Security Fund, the Instrument for financial support for external borders and visa and repealing Decision No 574/2007/EC.
Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA.
2. CONSULTATION OF INTERESTED PARTIES AND IMPACT ASSESSMENT
Consultation of interested parties
The ETIAS proposal was developed on the basis of a feasibility study. As part of this study, the Commission collected the views of Member State experts on border control and security. In addition the main elements of the ETIAS proposal were discussed in the framework of the High Level Expert Group on Interoperability that was set up as a follow-up of the Communication on Stronger and Smarter Borders of 6 April 2016. Consultation took also place with representatives of the air, sea and rail carriers, as well as with representatives of EU Member States with external land borders. As part of the feasibility study, a consultation of the Fundamental Rights Agency was also undertaken.
The ETIAS legal proposal is based on the results of the feasibility study conducted from June till October 2016.
3. LEGAL ELEMENTS OF THE PROPOSAL
Summary of the proposed actions
The purposes, functionalities and responsibilities for the ETIAS are defined in the legislative proposal. The proposal gives a mandate to the European Border and Coast Guard to ensure the creation and management of an ETIAS Central Unit. In addition, a mandate is given to the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA) to develop and to ensure the technical operational management of the system. Europol is also given a significant role in terms of ensuring the security objectives of the ETIAS.
Therefore, consequential amendments to Regulation (EU) No 2016/399, Regulation (EU) No 2016/1624, to Regulation (EU) No 1077/2011, and Regulation (EU) 2016/794 are included in this proposal.
Consequential amendments to Regulations concerning the EU systems that will be queried by ETIAS shall be the object of separate Commission Proposals.
This legislative proposal establishes the elements of the ETIAS. The technical and operational details will be agreed at a later stage, in the framework of implementing decisions, where the Commission shall adopt further measures and rules on:
– the establishment and the high level design of the interoperability;
– the specifications and conditions for the website ;
– the entering the data;
– the definition of specific categories of data ;
– accessing the data ;
– determining the information systems to be consulted ;
– defining the screening rules;
– amending, deleting and advance deleting of data ;
– keeping and accessing the records ;
– performance requirements, including minimal specifications for technical equipment.
The proposal uses Article 77(2) (b) and (d) of the Treaty on the Functioning of the European Union as the legal basis for this Regulation. Article 77(2) (b) and (d) is the appropriate legal basis for further specifying the measures on the crossing of the external borders of the Member States, developing standards and procedures to be followed by Member States in carrying out checks on persons at such borders and specifying measures towards the gradual establishment of an integrated management system for external borders.
In addition, the proposal relies on Article 87(2) (a) as a legal basis to allow access for law enforcement purposes under strict conditions. This additional legal basis for law enforcement access involves the same ordinary legislative procedure applicable under Article 77(2) (b) and (d).
Finally, the proposal also relies on Article 88(2) (a) to the extent that it amends the list of tasks of Europol.
The proposed initiative falls within the scope of Article 77(2) (b) TFEU, where the European Union has competence to adopt measures relating to the checks on persons and the efficient monitoring of the crossing of external borders of the Member States.
The current EU framework on the crossing of the external borders of the Member States does not offer the possibility of automated, coordinated and homogenous prior screening of visa-exempt third country nationals. This does not enable Member States to apply the common Schengen rules in a harmonised and coordinated way. There is a clear cross-border problem as visa exempt third country nationals can freely choose the first point of entry into the Schengen area in order to avoid certain controls at certain border points. As for visa applicants, information should be available on visa-exempt third country nationals in order to enhance the effectiveness of security and immigration checks on persons and the overall quality of EU external border management.
These objectives cannot be sufficiently achieved by the Member States acting alone, and can better be achieved at Union level.
Article 5 of the Treaty on the European Union states that action by the Union shall not go beyond what is necessary to achieve the objectives of the Treaty. The proposed initiative constitutes a further development of the Schengen acquis in order to ensure that common rules at external borders are applied in the same way in all the Member States which have abolished controls at internal borders. It creates an instrument providing the European Union with the means to ensure that the rules to assess the irregular migration, security and public health risks from visa-exempt third country nationals are as consistently applied as for visa-required third country nationals by all Member States.
It also provides for consultation of data stored in the ETIAS Central System for law enforcement authorities where this is necessary in a specific case of the prevention, detection or investigation of terrorist offences or other serious criminal offences. In such a case and where prior searches in national and Europol databases did not lead to the requested information, ETIAS provides national law enforcement authorities and Europol with a timely, accurate, secure and cost-efficient way to investigate visa-exempt third-nationals who are suspects (or victims) of terrorism or of a serious crime. It enables competent authorities to consult the ETIAS application file of visa-exempt third-country nationals who are suspects (or victims) of such serious crimes.
The proposal includes all appropriate data protection safeguards and is proportionate in terms of the right to protection of personal data. It adheres to the data minimisation principle, includes strict data security provisions, and does not require the processing of data for a longer period than is absolutely necessary to allow the system to function and meet its objectives. All safeguards and mechanisms required for the effective protection of the fundamental rights of third country nationals, will be foreseen and implemented fully (see the section below on Fundamental Rights).
No further processes or harmonisation will be necessary at EU level to make the system work; thus the envisaged measure is proportionate in that it does not go beyond what is necessary in terms of action at EU level to meet the defined objectives.
Choice of instrument
Proposed instruments: Regulation.
Other means would not be adequate for the following reason(s):
The present proposal will set up a centralised system through which Member States cooperate with each other on Schengen external border management, something which requires a common architecture and common operating rules. It will lay down rules on risk assessment checks on irregular migration, security and public health for visa exempt third country nationals prior to their arrival at the external borders and on access to the system including for the purpose of law enforcement, which are uniform for all Member States. Moreover, the Central System will be managed by the European Border and Coast Guard. As a consequence, only a Regulation can fully achieve these objectives and should be chosen as a legal instrument.
The proposed Regulation has an impact on fundamental rights, notably on right to dignity (Article 1 of the Charter of Fundamental Rights of the EU); right to liberty and security (Article 6 of the Charter), respect for private and family life (Article 7 of the Charter), the protection of personal data (Article 8 of the Charter), right to asylum (Article 18 of the Charter) and protection in the event of removal, expulsion or extradition (Article 19 of the Charter), the right to non-discrimination (Article 21 of the Charter), the rights of the child (Article 24 of the Charter) and the right to an effective remedy (Article 47 of the Charter).
The legitimate public interest of ensuring a high level of security is positively affected by the implementation of an ETIAS. A better and more accurate identification of the security risk of visa-exempt third country nationals crossing the external border of the Schengen area supports the detection of trafficking in human beings (particularly in the case of minors) and cross border criminality, and it more generally facilitates the identification of persons whose presence in the Schengen area would pose a security threat. ETIAS thus contributes to improving the security of the citizens present in the Schengen area and enhancing internal security in the EU.
ETIAS guarantees non-discriminatory access to all visa exempt third country nationals to the applications process, ensuring that the decisions taken will in no circumstances be based on a person's race or ethnic origin, political opinions, religion or philosophical beliefs, sexual life or sexual orientation. ETIAS provides guarantees ensuring information for the person who submitted an application and effective remedies.
Concerning the right to protection of personal data, the proposal contains all appropriate safeguards as regards personal data, in particular regarding access, which should be strictly limited only to the purpose of this Regulation. It also foresees individuals' rights of redress, particularly as regards the right to a judicial remedy and the supervision of processing operations by public independent authorities. The limitation of the retention period of data referred to above also contributes to the respect for protection of personal data as a fundamental right.
The proposal provides for consultation by national law enforcement authorities and Europol to the ETIAS Central System for the prevention, detection or investigation of terrorist offences or other serious criminal offences. As stipulated by Article 52(1) of the Charter, any limitation to the right to the protection of personal data must be appropriate for attaining the objective pursued and not going beyond what is necessary to achieve it. Article 8(2) of the European Convention of Human Rights also recognises that interference by a public authority with a person’s right to privacy may be justified as necessary in the interest of national security, public safety or the prevention of crime, as it is the case in the current proposal. The Court of Justice has also recognised that the fight against terrorism and serious crime, in particular against organised crime and terrorism, is indeed of the utmost importance in order to ensure public security and its effectiveness may depend to a great extent on the use of modern information technologies and investigation techniques and hence, access to personal data granted for those specific purposes could be justified if considered necessary. Therefore, the proposal fully complies with the Charter of Fundamental Rights of the European Union as regards the right to the protection of personal data, and is also in line with Article 16 TFEU, which guarantees everyone the right to protection of personal data concerning them.
The proposal provides for access to the ETIAS for the prevention, detection or investigation of terrorist offences or other serious criminal offences for the purpose of accessing data submitted by visa-exempt third-country nationals when applying for a travel authorisation. Although similar data exist in the VIS on visa holders or applicants, such data on visa exempt nationals are not available in any other EU database. The globalisation of criminality follows the globalisation of economics. 12 International criminal organisations are developing their activities across borders. 13 Criminal activities such as trafficking in human beings, smuggling of people or the smuggling of illicit goods involve numerous border crossings. Information stored in the VIS is an important source of information for criminal investigations against third-country nationals who are involved in criminal activity, as indicated by the increasing use of the VIS for law enforcement purposes as well as by the effectiveness and usefulness of the system. 14 However, such information is currently not available for visa-exempt third-country nationals.
Providing for consultation of data stored in the ETIAS Central System for the prevention, detection or investigation of terrorist offences or other serious criminal offences thus addresses an information gap concerning visa-exempt third-country nationals and allows, where necessary, to link with information stored in an ETIAS application file. Moreover, as a travel authorisation will generally be valid for a period of five years, consultation by national law enforcement authorities or Europol of data stored in the ETIAS Central System might be necessary when information related to a person and an act of terrorism or other serious crimes becomes available after that person was granted a travel authorisation.
Consultation of the ETIAS Central System for the prevention, detection or investigation of terrorist offences or other serious criminal offences constitutes a limitation of the right to the protection of personal data. The proposal provides for effective safeguards to mitigate this limitation:
– Clear scope of discretion conferred on the competent authorities and the manner of its exercise: Consultation of data stored in the ETIAS Central System for law enforcement purposes may only be granted for the prevention, detection or investigation of criminal offences or other serious criminal offences as defined in Council Framework Decisions 2002/475/JHA on combatting terrorism and 2002/584/JHA on the European arrest warrant, and only if it is necessary for a specific case. This excludes both the access to ETIAS for crimes that are not serious and a systematic or mass comparison of data.
– Reasoned justification of requests for access for law enforcement purposes: Designated national law enforcement authorities and Europol may only request consultation of data stored in the ETIAS Central System if there are reasonable grounds to consider that such access will substantially contribute to the prevention, detection or investigation of the criminal offence in question.
– Independent verification prior to the consultation of data: Requests for consultation of data stored in the ETIAS Central System in a specific case of prevention, detection or investigation of terrorist offences or other serious criminal offences are subject to an independent verification of whether the strict conditions for requesting consultation of data stored in the ETIAS Central System for law enforcement purposes are fulfilled. Such independent verification is to be conducted a prior by a court or by an authority providing guarantees of full independence and impartiality, and which is free from any direct or indirect external influence.
– Data minimisation to limit the extent of processing to the minimum necessary in relation to its purposes: Not all data stored in an ETIAS application file will be available for the prevention, detection or investigation of terrorist offences or other serious criminal offences. Some data elements will not be available at all given their limited relevance for criminal investigations (e.g. information regarding a person's education or whether or not he or she may pose a public health risk). Other data elements will only be available if the necessity of consulting such specific data element is explicitly justified in the reasoned request for law enforcement consultation and confirmed by independent verification (e.g. data concerning the current occupation).
– Consultation of data stored in the ETIAS Central System as measure of last resort: National law enforcement authorities and Europol can only request consultation of data stored in the ETIAS Central System if prior searches in all relevant national databases of the Member State and Europol databases did not lead to the requested information.
4. BUDGETARY IMPLICATIONS
Following the feasibility study, the current proposal is based on the preferred option for the ETIAS system and the amount needed has been assessed as € 212,1 million which takes also into account the purpose of law enforcement access.
This financial support will cover not only the costs of central components for the entire MFF period (€ 113,4 million – at EU level, both development and operational cost via indirect management) but also the costs for the integration of the existing national border infrastructures in Member States with the ETIAS via the National Uniform Interfaces (NUI) (€ 92,3 million - via shared management). Providing financial support for national integration costs will ensure that difficult economic circumstances at national level do not jeopardise or delay the projects. During the development phase (2018-2020) the Commission will spend a total amount of € 4,2 million (via shared management) for the expenses related to the operations in the Member States.
From 2020, when the new system will be operational, future operational costs in the Member States could be supported by their national programmes in the framework of the ISF (shared management). However, the operation will start after the end of the current MFF and their funding should consequently be considered during the discussions concerning the next Multiannual Financial Framework.
Both eu-LISA and the European Border and Coast Guard will require additional human and financial resources to carry out their new tasks under the ETIAS Regulation. For eu-LISA, the development phase will start as of 2018, while European Border and Coast Guard will need to be equipped to handle the operational phase, which requires a phasing in of resources starting in the second half of 2020.
As set out in Section 1 above, from 2020 the ETIAS System will generate fee revenue, which in view of its specific character is proposed to be treated as external assigned revenue. Based on the current estimates of the number of applications, the fee revenue will more than cover the direct development and running cost of the ETIAS. In turn, this will allow the financing of related expenditure in the field of Smart Borders.
5. ADDITIONAL INFORMATION
This proposal builds upon the Schengen acquis in that it concerns the crossing of external borders. Therefore the following consequences in relation to the various protocols and agreements with associated countries have to be considered:
Denmark: In accordance with Articles 1 and 2 of the Protocol (no 22) on the position of Denmark, annexed to the Treaty on European Union (TEU) and the Treaty on the Functioning of the European Union (TFEU), Denmark does not take part in the adoption by the Council of measures pursuant to Title V of part Three of the TFEU.
Given that this Regulation builds upon the Schengen acquis, Denmark shall, in accordance with Article 4 of that Protocol decide within a period of six months after the Council has decided on this Regulation whether it will implement it in its national law.
United Kingdom and Ireland: In accordance with Articles 4 and 5 of the Protocol integrating the Schengen acquis into the framework of the European Union and Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland, and Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen acquis, the United Kingdom and Ireland do not take part in Regulation (EU) 2016/399 (Schengen Borders Code) nor in any other of the legal instruments which are commonly known as the 'Schengen acquis', viz. the legal instruments organising and supporting the abolition of controls at internal borders and the flanking measures regarding the controls at external borders.
This Regulation constitutes a development of this acquis, and therefore, the United Kingdom and Ireland are not taking part in the adoption of this Regulation and are not bound by it or subject to its application.
In line with the judgment of the Court of Justice in case C-482/08, United Kingdom v. Council, ECLI:EU:C:2010:631, the circumstance that this Regulation has Articles 87(2)(a) and 88(2)(a) as legal bases alongside Article 77(2)(b) and (d) TFEU does not affect the above conclusion, as the access for law enforcement purposes is ancillary to the establishment of the ETIAS.
Iceland and Norway: The procedures laid down in the Association Agreement concluded by the Council and the Republic of Iceland and the Kingdom of Norway concerning the latter's association with the implementation, application and development of the Schengen acquis are applicable, since the present proposal builds on the Schengen acquis as defined in Annex A of this Agreement. 15
Switzerland: This Regulation constitutes a development of the provisions of the Schengen acquis, as provided for by the Agreement between the European Union, the European Community and the Swiss Confederation on the latter's association with the implementation, application and development of the Schengen acquis. 16
Liechtenstein: This Regulation constitutes a development of the provisions of the Schengen acquis, as provided for by the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen acquis. 17
Croatia, Cyprus, Bulgaria and Romania: This Regulation establishing the ETIAS builds on the conditions of entry as described in Article 6 of Regulation (EU) 2016/399. This provision was to be applied by the acceding Member States upon accession to the European Union.