Explanatory Memorandum to COM(2022)731 - Collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime - Main contents
Please note
This page contains a limited version of this dossier in the EU Monitor.
| dossier | COM(2022)731 - Collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of ... |
|---|---|
| source | COM(2022)731  |
| date | 13-12-2022 |
1. CONTEXT OF THE PROPOSAL
• Reasons for and objectives of the proposal
Over the last decade the EU and other parts of the world have seen an increase in serious and organised crime. According to Europol’s EU Serious and Organised Crime Threat Assessment, most organised crime involves international travel, typically aimed at smuggling persons, drugs or other illicit goods into the EU. Notably, criminals make frequent use of the EU’s main airports as well as smaller regional airports operating low-cost airlines. 1 Likewise, Europol’s Terrorism Situation and Trend Report shows that terrorist threat in the EU remains real and serious, 2 pointing out that most terrorist campaigns have a transnational character with either the involvement of either transnational contacts or travels outside the EU. In this context, information on air travellers is an important tool for law enforcement authorities to counter serious crime and terrorism in the EU.
Air traveller data includes Advance Passenger Information (API) and Passenger Name Records (PNR) which, when used together, are particularly effective to identify high-risk travellers and to confirm the travel pattern of suspected individuals. When a passenger buys a ticket with an air carrier, a PNR will be generated by the reservation systems of air carriers for their business purposes. This includes data on the complete itinerary, payment details, contact-details, and special requests of the passenger. Where an obligation to that effect applies, this PNR data is sent to the Passenger Information Unit (PIU) of the country of destination and often the country of departure.
In the EU, the PNR Directive 3 was adopted in 2016 to ensure that all Member States implement rules on collecting PNR data from air carriers to prevent, detect, investigate and prosecute terrorist offences and serious crime, without prejudice to existing EU rules on the obligation for air carriers to collect API data set in the API Directive. 4 Under the PNR Directive, Member States must adopt the necessary measures to ensure that air carriers transfer PNR data to the extent that they have already collected such data in the normal course of their business. The PNR Directive allows for the joint processing of both API data and PNR data, as its definition of PNR data includes ‘any advance passenger information (API) data collected’. 5 However, the PNR Directive does not oblige air carriers to collect any data beyond the normal course of their business. Consequently, the PNR Directive does not lead to the collection of the full set of API data, as air carriers do not have any business purpose to collect such data.
Only where an obligation to that effect applies, API data is collected by the air carrier during check-in of the passenger (online check-in and at the airport). It is then sent to competent border authorities as a complete ‘passenger list manifest’ containing all passengers on board at departure of the plane. While API data are considered as ‘verified’ information as it corresponds to travellers which eventually boarded the aircraft, and which can also be used by law enforcement authorities to identify suspects and persons sought, PNR data is ‘unverified’ information provided by passengers. The PNR data of a certain passenger usually do not contain all potential PNR elements, but only those provided by the passenger and/or necessary for the booking and hence for the normal business purpose of the air carrier.
Since the adoption of the API Directive in 2004, there is global consensus that API data is not only a key instrument for border management, but also an important tool for law enforcement purposes, notably to counter serious crime and terrorism. Thus, at international level, since 2014, United Nations’ Security Council Resolutions have repeatedly called for the establishment and global roll-out of API and PNR systems for law enforcement purposes. 6 In addition, the commitment by the Organization for Security and Co-operation in Europe (OSCE) participating states to set up API systems, confirm the importance of the use of this data in the fight against terrorism and transnational crime. 7
As shown by the Commission’s report on the PNR Directive review, the joint processing of API and PNR data by competent law enforcement authorities – meaning that the PNR data collected by air carriers for their normal business purposes and transferred to competent law enforcement authorities is complemented by an obligation on air carriers to collect and transfer API data – substantially increases the effectiveness of the fight against serious crimes and terrorism in the EU. 8 The combined use of API data and PNR data enables the competent national authorities to confirm the identity of passengers and greatly improves the reliability of PNR data. Such combined use prior to arrival also allows law enforcement authorities to conduct an assessment and perform a closer screening only of those persons who are most likely, based on objective assessment criteria and practices and in accordance with the applicable law, to pose a threat to security. This facilitates the travel of all other passengers and reduces the risk of passengers being subjected to examination upon arrival by the competent authorities based on discretionary elements such as race or ethnic origin which may wrongly be associated with security risks by law enforcement authorities.
However, the current EU legal framework only regulates the use of PNR data for fighting serious crime and terrorism but does not do so specifically for API data, which can be requested only on flights coming from third countries, leading to a security gap, notably regarding intra-EU flights for which Member States request air carriers to transfer PNR data. Passenger Information Units obtain the most effective operational results on flights where both API and PNR data are collected. This means that competent law enforcement authorities cannot benefit from the results of the joint processing of API data and PNR data on flights within the EU, for which only PNR data is transferred.
To address this gap, the Commission’s June 2021 Strategy towards a fully functioning and resilient Schengen area called for an increased use of API data in combination with PNR data for intra-Schengen flights to significantly enhance internal security, in compliance with the fundamental right to the protection of personal data and the fundamental right to freedom of movement. 9
The proposed Regulation therefore aims to lay down better rules for the collection and transfer of API data by air carriers for the purpose of preventing, detecting, investigating, and prosecuting terrorist offences and serious crime. In order to ensure compliance with the relevant fundamental rights enshrined in the Charter of Fundamental Rights of the EU (‘Charter’), in particular the rights to privacy and to protection of personal data, and the resulting requirements of necessity and proportionality, the proposal is, as explained further below, carefully limited in scope and contains strict personal data protection limits and safeguards.
• Consistency with existing policy provisions in the policy area
The proposed rules on the collection and transfer of API data for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime are aligned with the applicable rules for the processing of PNR data, as established in the PNR Directive. 10 They take account of the interpretations by the Court of Justice of the European Union in its recent case law, notably what is specified in that case law regarding the processing of PNR data for intra-EU flights, whereby the transfer of PNR data to Member States’ competent authorities on intra-EU flights must be selective and cannot be systematic unless justified by a genuine and present or foreseeable terrorist threat. 11
Insofar as there is a possible overlap between the proposed Regulation and the rules of the PNR Directive, considering that – as mentioned – under that Directive the definition of ‘PNR data’ includes ‘any advance passenger information (API) data collected’, the rules of the proposed Regulation prevail, considering that it is both lex specialis and lex posterior. While Member States must under the PNR Directive adopt the necessary measures to ensure that air carriers transfer PNR data to the extent that they have already collected such data in the normal course of their business, the proposed Regulation sets an obligation on air carriers to collect API data in specific situations and to transfer that data in a specific manner. The proposed Regulation therefore complements the PNR Directive, as it ensures that in all cases in which competent law enforcement authorities – i.e. the Passenger Information Units – receive PNR data under the PNR Directive, there is an obligation on air carriers to also collect and transfer API data to these competent authorities.
Following the transmission of API data to Passenger Information Units (PIUs) established by the PNR Directive, apart from the limited requirements in this regard as set out in the proposed Regulation, the rules on the subsequent processing of API data by the PIUs are those set out in the PNR Directive. As mentioned, the PNR Directive allows for the joint processing of API data and PNR data, as its definition of PNR data includes ‘any advance passenger information (API) data collected’, including therefore the API data received by PIUs pursuant to the proposed Regulation. Accordingly, the rules of Article 6 and Articles 9 and following of the PNR Directive apply, relating to matters such as the precise purposes of the processing, retention periods, deletion, exchange of information, transfer by the Member States to third countries and specific provisions on the protection of such personal data.
In addition, generally applicable acts of EU law will apply in accordance with the conditions set out therein. Where the processing of personal data is concerned, that holds true, in particular, for the General Data Protection Regulation (GDPR), 12 the data protection ‘Law Enforcement Directive’ (LED) 13 and the EU Data Protection Regulation 14 . Those acts are left unaffected by the present proposal.
The applicability of the abovementioned acts of EU law mean to the processing of the API data received under this Regulation mean that the Member States are implementing EU law within the meaning of Article 51 i of the Charter, meaning that the rules of the Charter apply as well. In particular, the rules of those acts of EU law are to be interpreted in the light of the Charter.
Ensuring consistency with the rules laid down in the proposal for a Regulation on the collection and transfer of API data for border control purposes and efficiencies in the transmissions of API data, the present proposal provides for the obligation on air carriers to collect the same set of API data and transfer it to the same router established under that other proposed Regulation.
The collection of API data from travel documents is also consistent with the ICAO guidelines on Machine Readable Travel Documents, 15 that are transposed in Regulation 2019/1157 on strengthening the security of identity cards of Union citizens, Council Directive 2019/997 on EU emergency travel documents and Regulation 2252/2004 on standards for security features and biometrics in passports. These Regulations are the precursors to enable an automated extraction of complete and high-quality data from travel documents.
2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY
• Legal basis
For this proposed Regulation on the collection and transfer of API data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, having regard to its aim and the measures provided for, the appropriate legal basis is Articles 82(1)(d) and 87(2)(a) of the Treaty on the Functioning of the European Union (TFEU).
Under point (d) of paragraph 1 of Article 82 TFEU, the Union has the power to adopt measures relating to facilitate cooperation between judicial or equivalent authorities of the Member States in relation to proceedings in criminal matters and the enforcement of decisions. Under point (a) of paragraph 2 of Article 87 TFEU, the Union has the power to adopt measures on the collection, storage, processing, analysis, and exchange of relevant information for the purposes of police cooperation in the EU.
Accordingly, the legal basis used for the present proposal is the same as the one used for the PNR Directive, which is appropriate considering not only that the proposed Regulation pursues essentially the same aim, but also that it seeks to complement the PNR Directive.
• Subsidiarity
Law enforcement authorities must be provided with effective tools to fight terrorism and serious crime. As most serious crimes and terrorist acts involve international travel, often by air, PNR data have proven to be very efficient to protect the internal security of the EU. Furthermore, investigations for the purpose of preventing, detecting, investigating, and prosecuting terrorist offences and serious crime carried out by the competent authorities of the Member States are largely dependent on international and cross-border cooperation.
In an area without internal border controls, collection, processing and exchange of passenger data, including PNR and API data, by Member States are also efficient compensatory measures. By acting coherently at EU level, the proposal will contribute to increasing the security of the Member States and, by extension, of the EU as a whole.
The API Directive is part of the Schengen acquis related to the crossing of the external borders. It therefore does not regulate the collection and transfer of API data on intra-EU flights. In the absence of API data to complement the PNR data for these flights, Member States have implemented a variety of different measures that seek to compensate the lack of identity data on the passengers. This includes physical conformity checks to verify identity data between travel document and boarding card that generate new issues without solving the underlying problem of not having API data.
Action at EU level will help to ensure the application of harmonised provisions on safeguarding fundamental rights, in particular personal data protection, in the Member States. The different systems of Member States that have already established similar mechanisms, or will do so in the future, may impact negatively on the air carriers as they may have to comply with several diverging national requirements, for example regarding the types of information to be transferred and the conditions under which this information needs to be provided to the Member States. These differences are prejudicial to effective cooperation between the Member States for the purposes of preventing, detecting, investigating, and prosecuting terrorist offences and serious crime. Such harmonised rules can only be set at EU level.
Since the objectives of this proposal cannot be sufficiently achieved by the Member States, and can be better achieved at Union level, it can be concluded that the EU is both entitled to act and better placed to do so than the Member States acting independently. The proposal therefore complies with the subsidiarity principle as set out in Article 5 of the Treaty on European Union.
• Proportionality
According to the principle of proportionality laid down in Article 5 i TEU, there is a need to match the nature and intensity of a given measure to the identified problem. All problems addressed in this legislative initiative call, in one way or another, for EU-level legislative action enabling Member States to tackle these problems effectively.
The proposed rules on the collection and transfer of API data, subject to strict limitations and safeguards, will strengthen the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Consequently, the proposed rules correspond to an identified need to enhance internal security, responding effectively to the problem resulting from the absence of joint processing of API data and PNR data, including on those intra-EU flights for which Member States receive PNR data.
The scope of the proposal is limited to what is strictly necessary, i.e. it is limited to those elements that require a harmonised EU approach, namely the purposes for which API can be used by the Passenger Information Units, the data elements that need to be collected and the means for the collection and transfer of the API data from travellers. The transfer of the API data to the router reduces the complexity for air carriers to maintain connections with Passenger Information Units and introduces economies of scale, whilst reducing the scope for errors and abuse. The purpose covers only terrorist offences and serious crime, as defined in the proposal, in view of the serious nature thereof and their transnational dimension.
To limit the interference on the rights of passengers to what is strictly necessary, a number of safeguards are set out in the proposal. More specifically, the processing of API data under the proposed Regulation is restricted to a closed and limited list of API data. Beyond that, no additional identity data are to be collected. Moreover, the proposed Regulation only provides for rules on the collection and transfer of API data through the router to the PIUs for the limited purposes specified therein and does not regulate the further processing of API data by the PIUs, given that, as explained above, that is covered by other acts of EU law (PNR Directive, personal data protection law, the Charter). The functionalities of the router and in particular its capability to collect and provide comprehensive statistical information also supports the monitoring of the implementation of this Regulation by air carriers and Passenger Information Units. Certain specific safeguards are also provided for, such as rules on logging, personal data protection and security.
To ensure the necessity and proportionality of the data processing under the proposed Regulation, and more specifically as regards the collection and transfer of API data on intra-EU flights, Member States will only receive API data for those intra-EU flights that they have selected in line with the abovementioned case law of the CJEU. In addition, the further processing of API data by PIUs would be subject to the limits and safeguards established in the PNR Directive, as interpreted by the CJEU in the Ligue des droits humains case 16 in the light of the Charter.
• Choice of the instrument
The proposed action is a Regulation. In view of the need for the proposed measures to be directly applicable and uniformly applied across Member States, a Regulation is therefore the appropriate choice of legal instrument.
3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS
• Ex-post evaluation of existing legislation
The API Directive does not prevent the processing of API data for law enforcement purposes as provided in national legislation and subject to personal data protection requirements. However, the implementation of this possibility across Member States is problematic, as found by the evaluation of the API Directive, leading to security gaps due a lack of EU-defined criteria on the collection and transfer of API for law enforcement purposes: 17
–The law enforcement purpose is construed widely in some Member States’ national laws, ranging from administrative offences, enhancing internal security and public order, to fight against terrorism and safeguarding national security interests. The API Directive evaluation also indicated that an effective use of API data for law enforcement would require a dedicated legal instrument for this distinct purpose. 18
–The variety of purposes for collecting API data adds complexity to ensuring compliance with the EU’s personal data protection framework. The requirement to delete API data within 24 hours is established only in the case of the use of API data for the principal aim of the API Directive, namely external border management. It is not clear whether this requirement also applies in respect of processing conducted for law enforcement purposes.
–The API data set that can be requested from carriers for law enforcement purposes, in addition to the practice of some Member States to request API data going beyond the non-exhaustive list included in the API Directive, create additional hindrances for air carriers to comply with the different requirements when transporting passengers to the EU.
–Likewise, the API Directive gives no indications of the flights for which API data can be requested nor to which authority API data should be transferred or conditions of access to such data for law enforcement purposes.
• Stakeholder consultations
The preparation of this proposal involved a wide range of consultations of concerned stakeholders, including Member States’ authorities (competent border authorities, Passenger Information Units), transport industry representatives and individual carriers. EU agencies – such as the European Border and Coast Guard Agency (Frontex), the EU Agency for Law Enforcement Cooperation (Europol), the EU Agency for the Operational Management of Large-Scale IT systems in the Area of Freedom, Security and Justice (eu-LISA) and the EU Agency for Fundamental Rights (FRA), also provided input. This initiative also integrates the views and feedback received during the public consultation carried out end of 2019 within the framework of the evaluation of the API Directive. 19
Consultation activities in the context of the preparation of the impact assessment supporting this proposal gathered feedback from stakeholders using various methods. These activities included notably an inception impact assessment, an external supporting study and a series of technical workshops.
An inception impact assessment was published for feedback from 5 June 2020 to 14 August 2020, with a total of seven contributions received providing feedback on the extension of the scope of the future API Directive, data quality, sanctions, relation of API data and PNR data, and protection of personal data. 20
The external supporting study was conducted based on desk research, interviews and surveys with subject matter experts which examined different possible measures for the processing of API data with clear rules that facilitate legitimate travel, are consistent with interoperability of EU information systems, EU personal data protection requirements, and other existing EU instruments and international standards.
The Commission services also organised a series of technical workshops with experts from Member States and Schengen Associated Countries. These workshops aimed at bringing together experts for an exchange of views on the possible options which were envisaged to strengthen the future API framework for border management purposes, and also for fighting crime and terrorism.
The accompanying impact assessment sets out a more detailed description of the stakeholder consultation (Annex 2).
• Impact assessment
In line with the Better Regulation Guidelines, the Commission conducted an Impact Assessment, as presented in the accompanying Staff Working document [reference]. The Regulatory Scrutiny Board reviewed the draft impact assessment at its meeting of 28 September 2022 and delivered its positive opinion on 30 September 2022.
In view of the problems identified on the collection and transfer of API data, the Impact Assessment evaluated policy options on the scope of collection of API data for external border management and for law enforcement purposes, together with options on the means to improving the quality of API data. As regards the collection of API data for law enforcement purposes, the impact assessment considered the collection of API data on all extra-EU flights on the one hand, and the collection of API data on all extra-EU and on selected intra-EU flights on the other hand. In addition, the Impact Assessment also considered options to improve the quality of API data – either to collect API data using automated and manual means, or to collect API data using automated means only.
Based on the findings of the Impact Assessment report, the preferred option for an API instrument for law enforcement purposes includes the collection of API data on all flights into and outside the EU, as well as on selected intra-EU flights for which PNR data is transferred. This will significantly reinforce the robustness of the necessary analysis of relevant data relating to air travellers in the fight against serious crime and terrorism, with Passenger Information Units benefitting from the availability of API data, verified and hence of a higher quality, in order to identify persons involved in serious crime or terrorism. The collection and transfer of API data for law enforcement purposes builds on the capabilities developed for the transfer of API data, via the router, for external border management, with no additional costs for eu-LISA. Air carriers transfer API data only to the router, which would then transmit that data to the Passenger Information Unit of each Member State concerned. The impact assessment concluded this to be a cost-efficient solution for air carriers, bringing down part of the transmission costs incurred by air carriers, whilst also limiting the scope for errors or abuse. However, different from the current situation, under the proposed Regulation air carriers would need to collect and transfer API data on all flights covered, irrespective of their normal business needs and including also intra-EU flights. The proposal is consistent with the climate-neutrality objective set out in the European Climate Law 21 and the Union 2030 and 2040 targets.
• Fundamental rights
This initiative provides for the processing of personal data of travellers and therefore limits the exercise of the fundamental right to the protection of personal data as guaranteed by Article 8 of the Charter and Article 16 of the TFEU. As underlined by the Court of Justice of the EU (CJEU), 22 the right to the protection of personal data is not an absolute right, but any limitation must be considered in relation to its function in society and comply with the criteria set out in Article 52 i of the Charter. 23 Personal data protection is also closely linked to respect for the right to privacy, as part of the right to private and family life protected by Article 7 of the Charter.
When it comes to the collection and transfer of API data for selected intra-EU flights, this initiative also affects the exercise of the fundamental right to freedom of movement provided for by Article 45 of the Charter and Article 21 of the TFEU. According to the CJEU, an obstacle to the freedom of movement of persons can be justified only where it is based on objective considerations and is proportionate to the legitimate objective of the national provisions 24 .
Under this Regulation, the collection and transfer of API data can only be for the prevention, detection, investigation and prosecution of terrorism and serious crime, as defined by the PNR Directive. The provisions in this proposal provide for uniform criteria for the collection and transfer of API data on extra-EU flights (inbound and outbound) on the one hand and selected intra-EU flights on the other hand, based on an assessment carried out by Member States and subject to regular review, in line with the requirements set by the the Court of Justice in the Ligue des droits humains case. The obligation on the air carriers to collect and transfer API data to the router covers all intra-EU flights. The transmission by the router to the PIUs is a technical solution to limit the transmission of API data to Passenger Information Units to selected flights only, without disclosing confidential information on which intra-EU flights have been selected. Such information is to be treated confidentially, in view of the risk of circumvention that would exist should it become known to the general public or, more specifically, to persons involved in serious crime or terrorist activities.
The mandatory use of automated means by air carriers to collect certain API data from travellers can lead to risks, including from the viewpoint of the protection of personal data. However, such risks have been limited and mitigated. Firstly, the requirement applies only in respect of certain API data, where automated means can be used responsibly, i.e. for machine-readable data on travellers’ documents. Secondly, the proposed Regulation contains requirements regarding the automated means to be used, which are to be elaborated further in a delegated act. Finally, several safeguards are provided for, such as logging, specific rules on the protection of personal data and effective supervision.
Furthermore, whilst – apart from the provision ensuring compliance with the principle of purpose limitation – the proposed Regulation would not regulate the use that the competent border authorities make of the API data that they receive thereunder given that – as explained above – that is already covered by other legislation, in the interest of clarity it is recalled in the recitals that any such use may not lead to any discrimination precluded under Article 21 of the Charter.
4. BUDGETARY IMPLICATIONS
This legislative initiative on the collection and transfer of API data, respectively, for facilitating external border controls and for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, would have an impact on the budget and staff needs of eu-LISA and Member States’ competent authorities.
For eu-LISA, it is estimated that an additional budget of around EUR 45 million (33 million under current MFF) to set-up the router and EUR 9 million per year from 2029 onwards for the technical management thereof, and that around 27 additional posts would be needed for to ensure that eu-LISA has the necessary resources to perform the tasks attributed to it in this proposed Regulation and the proposed Regulation on the collection and transfer of API data for facilitating external border controls.
For Member States, it is estimated that EUR 11 million (EUR 3 million under the current Multiannual Financial Framework) dedicated to upgrading the necessary national systems and infrastructures for the PIUs could be entitled for reimbursement by the Internal Security Fund 25 , and from 2028 onwards, progressively up to an estimated EUR 2 million per year. Any such entitlement will ultimately have to be determined in accordance with the rules regulating those funds as well as the rules on costs contained in the proposed Regulation.
In view of the close connection between this proposed Regulation and the proposed Regulation on the collection and transfer of API data for facilitating external border controls, particularly as regards the transfer of API data to the router, the legislative financial statement, in annex of this proposed Regulation, is identical to both proposals.
5. OTHER ELEMENTS
• Implementation plans and monitoring, evaluation and reporting arrangements
The Commission would ensure that the necessary arrangements are in place to monitor the functioning of the measures proposed and evaluate them against the main policy objectives. Four years after the commencement of operations of the proposed API Regulation, and every four years thereafter, the Commission would submit a report to the European Parliament and the Council assessing the implementation of the Regulation and its added value. The report would also report on any direct or indirect impact on fundamental rights. It would examine results achieved against objectives and assess the continuing validity of the underlying rationale and any implications for future options.
The mandatory nature of the obligation for air carriers to collect API data on extra-EU and selected intra-EU flights and the introduction of the API router will allow for a clearer view on both the transmission of API data by air carriers and the use of API data by Member States in accordance with applicable national and Union legislation. This will support the Commission in its evaluation and enforcement tasks by providing it with reliable statistics on the volume of data transmitted and on the flights for which API data would be requested.
• Detailed explanation of the specific provisions of the proposal
Chapter 1 sets out the general provisions for this Regulation, starting with rules on its subject matter and scope. It also contains a list of definitions.
Chapter 2 sets out the provisions for the collection, transfer to the router and deletion of API data by air carriers, and rules regarding the transmission of API data from the router to the Passenger Information Units.
Chapter 3 contains specific provisions on logs, specifications as to whom are the personal data controllers in relation to processing of API data constituting personal data under this Regulation, security and self-monitoring by air carriers and PIUs.
Chapter 4 further sets out rules on the connections to, and integration with, the router by Passenger Information Units and air carriers, as well as on Member States’ costs in connection thereto. It also contains provisions regulating the situation of a partial or full technical impossibility to use the router and on liability for damage caused to the router.
Chapter 5 contains provisions on supervision, on possible penalties applicable to air carriers for non-compliance of their obligations set out in this Regulation and on the preparation of a practical handbook by the Commission.
Chapter 6 provides for amendments to other existing instruments, i.e. Regulation (EU) 2019/818.
Chapter 7 contains the final provisions of this Regulation, which concern the adoption of delegated acts, the monitoring and evaluation of this Regulation, and its entry into force and application.