This Commission report to the European Parliament and the Council deals with the functioning of the European Agency for the Operational Management of Large-Scale Information Systems in the Area of Freedom, Security and Justice (eu-LISA).

Objectives of the report: the Agency was set up in 2011 and is currently managing the Visa Information System (VIS), the Schengen Information System (SIS) and Eurodac, which are essential instruments for the protection of the Schengen area, border management and the implementation of asylum and visa policies .

The eu-LISA agency may also be responsible for the design, development and operational management of other large-scale information systems.

It began operations on 1 December 2012.

The purpose of this report is to assess the overall functioning of the Agency. It is based on the findings of the external evaluation of the Agency's action for the period from December 2012 to September 2015. The Commission, after consulting the Management Board, issues recommendations regarding changes to the Regulation and forwards them together with the opinion of the Management Board, as well as appropriate proposals to the European Parliament, the Council and the European Data Protection Supervisor.

This report focuses on recommendations for changes to the Regulation governing the Agency. On 21 March 2017, the eu-LISA Management Board adopted an action plan to follow up on the findings of the evaluation, which did not require amendments to the Regulation establishing the Agency.

Lastly, the report places the evaluation and the role of the Agency in a broader perspective and takes into account the evolving factual, legal and political developments in its field of competence.

Evaluation context: the evaluation of the eu-LISA Agency began just before the publication of the European Agenda on Security and the European agenda on migration in April and May 2015 respectively. These papers laid down the way forward for the design and implementation of the Union's strategy to tackle the parallel challenges of managing migration and combating terrorism, organised crime and cybercrime.

Both programmes refer directly to the systems that the eu-LISA operates.

The evaluation was also carried out in the context of unprecedented migratory flows and new threats to security (terrorist attacks) faced by Member States.

Key findings: the Agency's first evaluation confirmed that, like the systems it operates and which are vital for the functioning of a constantly evolving Schengen area, eu-LISA is an efficient agency and becoming increasingly important .

The evaluation also confirmed that the functioning of the Agency is a long-term task. Although it is unrealistic to expect the Agency to reach full maturity during its first three years of existence, eu-LISA has established itself as a reliable provider of operational management of the SIS, VIS and Eurodac , as well as its additional tasks. It is also an important partner for the European institutions and other agencies in the field of Justice and Home Affairs (JHA).

The evaluation also led to suggestions for improvements in the implementation of the current mandate and to indicate the limits of the expansion of the mandate.

A recurring problem of resources: the eu-LISA agency would not be able to manage new tools with the resources at its disposal. In the difficult context of migration and security, it is clear that in the years to come the eu-LISA agency will continue to be extremely busy with its core mission (i.e. the operational management of SIS II, VIS and Eurodac, their envisaged evolution and their interoperability). Thus, the main concern must be to ensure that the Agency has the capacity to manage its core business . In order to reduce this risk, the Agency should communicate more with its partners, first of all the Member States and the Commission. The board of directors and the advisory groups will be the main platforms for this purpose. Prioritisation of core tasks as well as continuous improvements in economic efficiency should be the keys to success.

Next steps: in addition to this report, the Commission is presenting, on the same date, a proposal to amend the Regulation establishing the Agency and the instruments relating to systems where necessary. The proposed amendments aim, among other things, to transfer to the Agency the responsibilities of the Commission relating to the communication infrastructure and to align the Agency Regulation on the updated instruments applicable to the operation of Union agencies.

Other changes include a further specific extension of the scope of the Agency's mandate, for example the possibility of providing ad hoc support to Member States as well as changes arising from technical developments where warranted.

Lastly, in addition to the changes made necessary by the forthcoming adoption of the SEA proposal, the Regulation establishing the Agency should also be amended as a result of other proposals which include tasks related to the development or the operational management for the eu-LISA agency.

For the most part, these are technical changes.

PURPOSE: to establish a European agency for the operational management of large-scale IT systems in the area of freedom, security and justice (the Agency).

LEGISLATIVE ACT: Regulation (EU) No 1077/2011 of the European Parliament and of the Council establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice.

CONTENT: on the basis of a text agreed with the European Parliament, the Council adopted this Regulation establishing a European agency for the operational management of large-scale EU information technology systems. The Agency shall be responsible for the operational management of the second-generation Schengen Information System ( SIS II – Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA ), the Visa Information System ( VIS - Regulation (EC) No 767/2008 ) and Eurodac – CNS/1999/0116 ) . It will also be responsible for the management of any other IT systems, which might be developed in the area of freedom, security and justice in the future. However, any integration of further systems will require a specific decision by the Council and the European Parliament.

Current EU information systems :

· SIS II is currently under construction and was launched to replace the existing Schengen Information System (SIS I+). The global schedule presented by the Commission at the Council meeting in October 2010 provides for entry into operation of the SIS II by the first quarter of 2013. The Schengen Information System is a common database with stringent data protection rules that facilitates the exchange of information on persons and objects between national law enforcement authorities responsible, inter alia, for border controls and other customs and police checks.

· VIS is another database under preparation. It will support the implementation of the common visa policy and facilitate effective border control by enabling Schengen member states to enter, update and consult visa data, including biometric data, electronically. For the VIS to go live, the central VIS, managed by the Commission, the national VIS of each individual Member State as well as preparations at the external border crossing points and in the consulates of the first roll-out region (North Africa) must be ready. The central VIS is expected to be ready by the end of June 2011. The whole system should start operating in the autumn 2011.

· EURODAC is an existing IT system - currently managed by the European Commission - for comparing the fingerprints of asylum seekers and illegal immigrants, in order to facilitate the application of the Dublin II Regulation, which makes it possible to determine the Member State responsible for examining an asylum application (the country through which the asylum seeker first entered the EU).

Operational management , for which the Agency is responsible, shall consist of all the tasks necessary to keep large-scale IT systems functioning in accordance with the specific provisions applicable to each of them, including responsibility for the communication infrastructure used by them. Those large-scale IT systems shall not exchange data or enable sharing of information or knowledge, unless so provided in a specific legal basis.

Objectives: the Agency shall ensure:

· effective, secure and continuous operation of large-scale IT systems;

· the efficient and financially accountable management of large-scale IT systems;

· an adequately high quality of service for users of large-scale IT systems;

· continuity and uninterrupted service;

· a high level of data protection, in accordance with the applicable rules, including specific provisions for each large-scale IT system;

· an appropriate level of data and physical security, in accordance with the applicable rules, including specific provisions for each large-scale IT system; and

· the use of an adequate project management structure for efficiently developing large-scale IT systems.

Tasks: the Regulation sets out the tasks specific to SIS II, VIS and Eurodac, as well as the tasks relating to the communications infrastructure. In addition, the Agency should perform tasks relating to training on the technical use of SIS II, VIS and Eurodac and other large-scale IT systems which might be entrusted to it in the future.

Moreover and only upon the specific and precise request of the Commission, which shall have informed the European Parliament and the Council at least 3 months in advance, and after a decision by the Management Board, the Agency may carry out pilot schemes for the development or the operational management of large-scale IT systems, in the application of Articles 67 to 89 TFEU. The Agency shall on a regular basis keep the European Parliament, the Council and, where data protection issues are concerned, the European Data Protection Supervisor, informed of the evolution of the pilot schemes.

Seat: the seat of the Agency will be in Tallin, Estonia. The tasks related to development and operational management will be carried out in Strasbourg, France. A backup site will be installed in Sankt Johann im Pongau, Austria.

Structure: the Agency’s administrative and management structure shall comprise: (a) a Management Board; (b) an Executive Director; (c) Advisory Groups. The Regulation sets out the tasks of each of these. The structure must include a Data Protection Officer, a Security Officer; and an Accounting Officer.

Each Member State which is bound under Union law by any legislative instrument governing the development, establishment, operation and use of a particular large-scale IT system, as well as the Commission, shall appoint one member to the Advisory Group relating to that large-scale IT system, for a three-year term, which may be renewed. As regards Denmark, it shall also appoint a member to an Advisory Group relating to a large-scale IT system, if it decides to implement the legislative instrument governing the development, establishment, operation and use of that particular large-scale IT system in its national law.

Access to data : on the basis of a proposal by the Executive Director, and not later than 6 months after 1 December 2012, the Management Board shall adopt rules concerning access to the Agency’s documents, in accordance with Regulation (EC) No 1049/2001.

Evaluation: within 3 years from 1 December 2012, and every 4 years thereafter,

Budget: the revenue of the Agency shall consist of: (a) a subsidy from the Union; (b) a contribution from the countries associated with the implementation, application and development of the Schengen acquis and Eurodac-related measures; (c) any financial contribution from the Member States.

ENTRY INTO FORCE: 21/11/2011. The Agency shall take up part of its responsibilities from 1 December 2012.

The European Parliament adopted by 607 votes to 48, with 14 abstentions, a legislative resolution on the amended proposal for a regulation of the European Parliament and of the Council establishing an Agency for the operational management of large-scale IT systems in the area of freedom, security and justice.

Parliament adopted its position at first reading, under the ordinary legislative procedure. The amendments adopted in plenary are the result of a compromise negotiated between the European Parliament and the Council.

They amend the Commission proposal as follows:

The Agency: Parliament made it clear that the Agency may only be made responsible for the preparation, development and operational management of other large-scale IT systems in the area of freedom, security and justice, only if so provided by the relevant legislative instrument, based on Title V of the Treaty on the Functioning of the European Union (TFEU) . Operational management shall consist of all the tasks necessary to keep the large-scale IT systems functioning in accordance with the specific provisions applicable to each of those large-scale IT systems, including responsibility for the communication infrastructure used by the large-scale IT systems. These systems shall not exchange data and/or enable sharing of information and knowledge , unless provided in a specific legal basis.

Objectives: the Agency shall ensure:(a)the implementation of effective, secure and continuous operation of the large-scale IT systems (b) the efficient and financially accountable management of those systems;(c) an adequately high quality of service for users of those large-scale IT systems;(d) continuity and uninterrupted service;(e) a high level of data protection, in accordance with the applicable rules, including specific provisions for each large-scale IT system (f) an appropriate level of data– and physical security, in accordance with applicable rules, including specific provisions for each of the large-scale IT systems and; (g) the use of an adequate project management structure for efficiently developing large-scale IT systems.

Tasks: besides its core mission, the Agency should also be responsible for technical measures required by the tasks entrusted to it, which are not of a normative nature. These responsibilities should be without prejudice to the normative tasks reserved to the Commission alone or assisted by a Committee in the respective legal instruments governing the systems operationally managed by the Agency. In addition, the Agency should perform tasks related to training on the technical use of SIS II, VIS and EURODAC and other large-scale IT systems which might be entrusted to it in the future.

New provisions are inserted on tasks related to the communication infrastructure. These tasks are divided between the Agency and the Commission. In order to ensure coherence between the exercise of the respective responsibilities of the Commission and the Agency, operational working arrangements shall be made between them and reflected in a Memorandum of Understanding. The tasks concerning the operational management of the communication infrastructure may be entrusted to external private-sector entities or bodies but the network provider shall be bound by the security measures and shall not have access to VIS, EURODAC and SIS II operational data and the related SIRENE exchange by any means.

Moreover, and only on the express request of the Commission, which shall have informed the European Parliament and the Council at least three months in advance, and after a decision by the Management Board, the Agency may, carry out pilot schemes for the development and/or the operational management of large-scale IT systems, in application of Title V of the TFEU. The European Parliament, the Council and, where data protection issues are concerned, the European Data Protection Supervisor shall be regularly kept informed of the evolution of these pilot schemes.

Seat: the seat of the Agency for the operational management of large-scale IT systems in the area of freedom, security and justice will be Tallinn , Estonia. However, the tasks related to development and operational management shall be carried out in Strasbourg , France. A backup site capable of ensuring the operation of a large scale IT system in the event of failure of that system shall be installed in Sankt Johann im Pongau , Austria , if so provided in the legislative instrument governing the development, establishment and use of that system.

Since the tasks relating to technical development and the preparation for the operational management of SIS II and VIS are already carried out in Strasbourg and a backup site for those IT systems has already been installed in Sankt Johann im Pongau, this should continue to be the case. Those two sites should also be the locations, respectively, where the tasks relating to technical development and operational management of Eurodac should be carried out and where a backup site for Eurodac should be established. It is, moreover, stipulated that the host Member States should provide the best possible conditions to ensure the proper functioning of the Agency, for example including multilingual, European-oriented schooling and appropriate transport connections.

Structure: the Agency's structure shall also include: (a) a Data Protection Officer; (b) a Security Officer; and (c) an Accounting Officer.

Management Board: provisions are laid down to improve and strengthen the structure and operation of the Agency’s Management Board. Member States will have voting rights within the Agency’s Management Board if they are bound under Union law by a legislative instrument governing the development, establishment, operation and use of a large-scale IT system in question. Specific provisions are made to take account of the particular situation of Denmark in this regard.

Executive Director : it is stipulated that the Agency’s Executive Director should be appointed by the Management Board for a period of five years, from a list of eligible candidates identified in an open competition organised by the Commission. The candidate selected by the Management Board shall be invited to make a statement before the European Parliament which shall then adopt an opinion setting out its view of the selected candidate. The Management Board shall inform the European Parliament of the manner in which that opinion has been taken into account.

Advisory Group: each Member State which is bound under Union law by any legislative instrument governing the development, establishment, operation and use of a particular large-scale IT system, as well as the Commission, shall appoint one member to the Advisory Group which concerns that large-scale IT system , for a three-year term, which may be renewed . Denmark may also appoint a member if it decides to transpose the Regulation.

Security of the Agency: the Agency shall be responsible for the security and the preservation of order within the buildings, premises and land used by it. The host Member States shall take all effective and adequate measures to preserve order and security in the immediate vicinity of the buildings, premises and land used by the Agency and shall provide to the Agency the appropriate protection.

Financing: the financing of the Agency should be subject to an agreement by the budgetary authority (European Parliament and Council).

Evaluation: within three years from the date of the Agency having taken up its responsibilities, and every four years thereafter, the Commission, shall perform an evaluation of the action of the Agency examining the way and extent to which the Agency effectively contributes to the operational management of large-scale IT systems in the area of freedom, security and justice and fulfils its tasks described in the regulation. The evaluation should also evaluate the role of the Agency in the context of a Union strategy aimed at a coordinated, cost-effective and coherent IT environment at Union level that is to be established in the coming years. The Commission’s recommendations following the evaluation must be forwarded to the European Data Protection Supervisor , as well as the Council and the European Parliament.

Cooperation with other agencies: within the framework of their respective competences, the Agency should cooperate with other agencies of the Union, especially agencies established in the area of freedom, security and justice, and in particular the European Union Agency for Fundamental Rights. It should also consult and follow-up the recommendations of the European Network and Information Security Agency (ENISA) regarding network security, where appropriate.

The Committee on Civil Liberties, Justice and Home Affairs adopted the report by Carlos COELHO (EPP, PT) on the amended proposal for a regulation of the European Parliament and of the Council establishing an Agency for the operational management of large-scale IT systems in the area of freedom, security and justice.

The committee recommends that the European Parliament’s position in first reading following the ordinary legislative procedure make certain amendments to the Commission proposal. A large number of the amendments relate to improvements in terms of security and data protection and the role of the European Parliament, as well as transparency. There are special provisions for the participation of Denmark.

The main amendments are as follows:

The Agency : the committee made it clear that the Agency may only be made responsible for the preparation, development and operational management of other large-scale IT systems in the area of freedom, security and justice, only if so provided by the relevant legislative instrument, based on Title V of the Treaty on the Functioning of the European Union (TFEU). Operational management shall consist of all the tasks necessary to keep the large-scale IT systems functioning in accordance with the specific provisions applicable to each of those large-scale IT systems, including responsibility for the communication infrastructure used by the large-scale IT systems. Those systems shall not exchange data and/or enable sharing of information and knowledge, unless provided in a specific legal basis.

The report notes that in the joint statements accompanying the SIS II and VIS legal instruments, the European Parliament and the Council invited the Commission to present, following an impact assessment, the necessary legislative proposals entrusting an Agency with the long term operational management of the Central SIS II and parts of the communication infrastructure as well as the VIS.

Objectives : the Agency shall ensure:(a)the implementation of effective, secure and continuous operation of the large-scale IT systems (b) the efficient and financially accountable management of those systems;(c) an adequately high quality of service for users of those large-scale IT systems;(d) continuity and uninterrupted service;(e) a high level of data protection, in accordance with the applicable rules, including specific provisions for each large-scale IT system (f) an appropriate level of data– and physical security, in accordance with applicable rules, including specific provisions for each of the large-scale IT systems and; (g) the use of an adequate project management structure for efficiently developing large-scale IT systems.

Tasks: Members specify that the core mission of the Agency is to fulfil the operational management tasks for SIS II, VIS and EURODAC and, if so decided, other large-scale IT-systems in the area of freedom, security and justice. The Agency should also be responsible for technical measures required by the tasks entrusted to it, which are not of a normative nature. These responsibilities should be without prejudice to the normative tasks reserved to the Commission alone or assisted by a Committee in the respective legal instruments governing the systems operationally managed by the Agency. In addition, the Agency should perform tasks related to training on the technical use of SIS II, VIS and EURODAC and other large-scale IT systems which might be entrusted to it in the future.

Members stress that the Agency might also be made responsible for the preparation, development and operational management of additional large-scale IT systems in application of Title V of the TFEU, but only by means of subsequent and separate legal instruments, preceded by an impact assessment.

A new clause is inserted on tasks related to the communication infrastructure , which specifies that the Agency shall carry out the tasks relating to the communication infrastructure conferred on the Management Authority by the legal instruments governing the development, establishment, operation and use of the large scale IT systems.

According to those legal instruments, the tasks regarding the communication infrastructure (including the operational management and security) are divided between the Agency and the Commission. In order to ensure coherence between the exercise of the respective responsibilities of the Commission and the Agency, operational working arrangements shall be made between them and reflected in a Memorandum of Understanding. Appropriate measures including security plans shall be adopted. The tasks concerning the operational management of the communication infrastructure may be entrusted to external private-sector entities or bodies but the network provider shall be bound by the security measures and shall not have access to VIS, EURODAC and SIS II operational data and the related SIRENE exchange by any means.

Lastly, the Agency should be responsible for monitoring of research and for pilot schemes , in accordance with the provisions of Council Regulation (EC, Euratom) No 1605/2002 on the Financial, for large-scale IT systems in application of Title V of the TFEU, at the specific and precise request of the Commission. When tasked with a pilot scheme, special attention should be given to the European Union Information Management Strategy.

Seat: the seat of the Agency for the operational management of large-scale IT systems in the area of freedom, security and justice will be Tallinn, Estonia . The tasks related to development and operational shall be carried out in Strasbourg, France . A backup site capable of ensuring the operation of a large scale IT system in the event of failure of that system shall be installed in Sankt Johann im Pongau, Austria , if so provided in the legislative instrument governing the development, establishment and use of that system.

The recitals note that as was agreed, the seat of the Agency should be in Tallinn (Estonia). However, since the tasks related to technical development and the preparation for the operational management of SIS II and VIS were already carried out in Strasbourg (France) and a backup site for these IT systems was already installed in Sankt Johann im Pongau (Austria), this should continue to be the case. These two sites should also be the locations, respectively, where the tasks related to technical development and operational management of EURODAC should be carried out and where a backup site for EURODAC should be established. This should also be the case regarding, respectively, the technical development and operational management of other large-scale IT systems in the area of freedom, security and justice and a backup site capable of ensuring the operation of an IT system in the event of failure of that system, if so provided in the relevant legislative instrument.

Structure: the Agency's structure shall also include: (a) a Data Protection Officer; (b) a Security Officer;(c) an Accounting Officer.

Management Board : the list of members of the Management Board shall be published on the Agency's internet site.

Appointment of the Executive Director : the latter will be appointed for a period of five years from among the eligible candidates identified in an open competition organised by the Commission. This selection procedure will provide for publication in the Official Journal and elsewhere of a call for expressions of interest. The Management Board could require a repeated procedure if it is not satisfied with the suitability of any of the candidates retained in the first list. The Executive Director shall be appointed on the basis of his or her personal merits, experience in the field of large scale IT systems and administrative, financial and management skills as well as knowledge in data protection. The Management Board shall take the decision by a two-thirds majority of all members with a right to vote.

Advisory Group : Member States should appoint a Member to the Advisory Group concerning a large-scale IT system, if they are bound under Union law by any legislative instrument governing the development, establishment, operation and use of that particular system. Each country associated with the implementation, application and development of the Schengen acquis, the EURODAC-related measures and the measures related to other large scale IT systems which participates in a particular system shall appoint a member to the Advisory Group which concerns that system.

Access to documents : on the basis of a proposal by the Executive Director, and not later than six months after the entry into force of the Regulation, the Management Board shall adopt rules concerning access to the Agency's documents, in accordance with Regulation (EC) No 1049/2001.

Security of the Agency : this new provision states that the Agency shall be responsible for the security and the preservation of order within the buildings, premises and land used by it. The Agency shall apply the security principles and relevant provisions of the instruments governing the development, establishment, use and operation of the large-scale IT-systems. Furthermore, the host Member States shall take all effective and adequate measures to preserve order and security in the immediate vicinity of the buildings, premises and land used by the Agency and shall provide to the Agency the appropriate protection.

Evaluation: within three years from the date of the Agency having taken up its responsibilities, and every four years thereafter, the Commission, shall perform an evaluation of the action of the Agency examining the way and extent to which the Agency effectively contributes to the operational management of large-scale IT systems in the area of freedom, security and justice and fulfils its tasks described in the regulation. The evaluation should also evaluate the role of the Agency in the context of a Union strategy aimed at a coordinated, cost-effective and coherent IT environment at Union level that is to be established in the coming years. The Commission’s recommendations following the evaluation must be forwarded to the European Data Protection Supervisor as well as the Council and the European Parliament.

Fundamental rights : lastly, the text states that within the framework of their respective competences, the Agency should cooperate with other agencies of the EU, especially agencies established in the area of freedom, security and justice, and in particular the European Union Agency for Fundamental Rights. It should also consult and follow-up the recommendations of European Network and Information Security Agency regarding network security, where appropriate.

With a decisive political agreement , the Council paved the way for the establishment of a European agency for the operational management of large-scale IT systems in summer 2012 on the basis of a compromise text with the European Parliament .

The presidency can now confirm to the European Parliament that, if Parliament adopts its position at first reading, exactly as set out in the compromise text, the Council will approve Parliament's position at a future meeting.

The aim is to have the agency up and running by summer 2012. The seat of the Agency will be in Tallinn, tasks related to development and operational management will be carried out in Strasbourg and a backup site will be established in Austria, in Sankt Johann im Pongau.

Large-scale IT systems managed by the future agency will include the second-generation Schengen Information System (SIS II), the Visa Information System (VIS) and EURODAC. The agency will also be responsible for the management of any other IT systems which might be developed in the area of freedom, security and justice in the future. However, any integration of further systems will require a specific decision by the Council and the European Parliament.

The Committee discussed the state-of-play on the establishment of a European agency for the operational management of large-scale IT systems (such as the second-generation Schengen Information System (SIS II), the Visa Information System (VIS) and EURODAC.

On this dossier, the Council aims to reach a first reading agreement with the European Parliament before the summer.

PURPOSE: to establish a European Agency for the operational management of large-scale information technology ("IT") systems.

PROPOSED ACT: Regulation of the European Parliament and of the Council.

BACKGROUND: in June 2009, the Commission adopted a legislative proposal package to establish an Agency responsible for the operational management of large-scale IT systems in the area of freedom, security and justice ( for more details, please refer to the summary dated 24 June 2009 ).

The legislative package initially consisted of two proposals: a proposal for a Regulation establishing the Agency, and a proposal for a Council Decision conferring upon the Agency established by this Regulation tasks regarding the operational management of SIS II and VIS in application of Title VI of the EU Treaty. The proposed Regulation covered the SIS II, VIS and EURODAC to the extent they were governed by the EC Treaty. The proposed Decision covered the SIS II and VIS to the extent they were governed by the EU Treaty.

Upon entry into force of the Lisbon Treaty on 1 December 2009, the former distinction between EC Treaty and EU Treaty legal bases in the area of freedom, security and justice disappeared. Moreover, as notified to the European Parliament and to the Council by the Communication in December 2009, the proposal for a Council Decision lapsed and was formally withdrawn.

Therefore, these two texts need to be merged into this single amended proposal for a Regulation , which takes into account the changes resulting from the entry into force of the Lisbon Treaty and which contains the substantive provisions initially proposed as a Council Decision.

IMPACT ASSESSMENT: five possible options to achieve the objective of long-term

operational management of SIS II, VIS and EURODAC were analysed:

Option 1 - baseline : the operational management solution for SIS II and VIS identified for the transitional period (the Commission entrusting the operational management tasks to Member States' authorities) would be continued as a permanent solution. Currently, EURODAC is managed by the Commission and this solution would also be maintained; Option 2 - baseline+ : under which the Commission would entrust the operational management tasks related to SIS II, VIS and EURODAC to Member States' authorities; Option 3 - a new Regulatory Agency that would assume responsibility for the long-term operational management of SIS II, VIS and EURODAC; Option 4 - FRONTEX would manage the three systems, which would entail changes to both its basic act and its management structure; Option 5 - EUROPOL would manage SIS II, whereas the Commission would manage VIS and EURODAC. This option was considered while negotiations on the conversion of the current Europol Convention into a Community act were still ongoing.

As a result of a comparative analysis, the new Regulatory Agency option, which aims to create a joint operational management structure ( option 3 ) for SIS II, VIS and EURODAC scored highest.

LEGAL BASIS: Articles 77(2)(a) and (b), 78(2)(e), 79(2)(c), 74, 82(1)(d) and 87(2)(a) of the Treaty on the Functioning of the EU. The proposal respects the principle of subsidiarity, as the objective of the proposed action, the conferring of the operational management of Central SIS II, Central VIS and the National Interfaces, Central EURODAC, as well as certain aspects of their communication infrastructure, on an Agency, cannot be achieved by the Member States individually.

CONTENT: the proposal aims to establish a European Agency for the operational management of the second-generation Schengen Information System (SIS II), the Visa Information System (VIS), EURODAC and for developing and managing other large-scale IT systems, in application of Title V of the Treaty on the Functioning of the EU. The regulatory Agency shall be established as a Union body, having legal personality.

The first tasks to be conferred on the Agency are operational, that is to say, ensuring the overall management of the information systems and the operation of the systems. It would thus become a "centre of excellence" with specialised operational staff.

The Agency's core task will be to fulfil the operational management tasks for SIS II, VIS and EURODAC, keeping the systems functioning 24 hours a day, seven days a week, thus ensuring a continuous, uninterrupted flow of data exchange.

Beyond these operational tasks, the corresponding responsibilities for adopting security measures, reporting, publishing, monitoring, information, organising specific VIS and SIS II related trainings, implementing pilot schemes upon specific and precise request of the Commission and monitoring of research will be assigned to the Agency.

The Agency could also potentially be responsible for developing and managing other large-scale IT systems in the area of freedom, security and justice. This would be subject to legislative instruments establishing such systems that in turn would provide the Agency with the respective competences.

BUDGETARY IMPLICATIONS: the Agency will be funded by the general budget of the European Union. The necessary appropriations to cover the activities of the Agency will come from the appropriations currently foreseen in the Financial Programming 2011-2013 in the budget lines:

18 02 04"Schengen Information System (SIS II)"; 18 02 05"Visa Information System (VIS)"; 18 03 11"EURODAC".

Therefore, the proposal does not impact on the financial framework for 2007-2013 .

The financial statement annexed to this proposal is based on the assumption that it will be adopted in 2010 in order for the Agency to be legally established in 2011 and become a fully fledged Agency in 2012 .

Overall, the preparatory and start-up phase of the Agency between 2010 and 2013 is estimated at EUR 113 million , which will be covered by the 2007‑2013 financial framework.

In the margins of the Council, the Mixed Committee (the EU plus Norway, Iceland, Liechtenstein and Switzerland) held an orientation debate on the possibility of setting up an agency for large-scale IT systems in the area of freedom, security and justice.

An agency for large-scale IT systems would be responsible for the operational management of VIS, SIS II and EURODAC, the IT system for comparing the fingerprints of asylum seekers and illegal immigrants, in order to facilitate the application of the Dublin II Regulation, which makes it possible to determine the Member State responsible for examining an asylum application. The new agency would also be charged with the operational aspects of any other large-scale IT system developed in the future in the area of freedom, security and justice.

This Commission communication concerns the legislative package establishing an Agency for the operational management of large-scale IT systems in the area of freedom, security and justice.

The main issues are as follows:

Objective : the objective of this legislative package is to establish an Agency responsible for the long-term operational management of the second-generation Schengen Information System (SIS II), Visa Information System (VIS) and EURODAC. In addition, the Agency could be given responsibility for other large-scale IT systems in the area of freedom, security and justice.

Background : in order to benefit from the developments in the field of information technology and to allow for the introduction of new functionalities, a second-generation Schengen Information System

(SIS II) will replace the existing Schengen Information System (SIS 1+). It will ensure a high level of security within the European Union’s area of freedom, security and justice, including maintenance of public security and public policy as well as safeguarding security in the territories of the Member States. VIS will be the essential IT-based instrument for supporting implementation of the common visa policy and facilitating, inter alia, effective border control. EURODAC is an IT system for comparing the fingerprints of asylum seekers and illegal immigrants in order to facilitate the application of the Dublin II Regulation, which makes it possible to determine the Member State responsible for examining an asylum application.

SIS II and VIS are being developed by the Commission. According to the legal instruments governing these systems, the Commission is entrusted with the operational management of SIS II and VIS during a transitional period. The Commission currently entrusts the operational management of SIS II and VIS to national public-sector bodies in two different Member States, namely in France and Austria. It is, however, not the Commission’s core task to operate such large-scale IT systems. Hence, the SIS II and VIS legal instruments stipulate the need to establish a Management Authority in the long term, mainly to ensure continuity and operational management of the respective systems and the permanent flow of data.

In joint statements accompanying the SIS II and VIS legal instruments, the Council and the European Parliament invited the Commission to present, following an impact assessment, the necessary legislative proposals entrusting an Agency with the long-term operational management of the Central SIS II and parts of the Communication Infrastructure as well as the VIS and EURODAC.

Structure of the legislative package : the Commission document proposes a descriptive summary of the objectives of the legislative framework of the future Agency. This can be summarised as follows:

Overview of the Agency : the Agency’s core task should be to provide the operational management for these systems keeping them functioning 24 hours a day, seven days a week. Beyond these operational tasks, the corresponding responsibilities for adopting security measures, reporting, publishing, monitoring and information issues as well as organising specific VIS and SIS II related trainings, should be assigned to the Agency. Many of the tasks related to the operation of these IT systems, such as procurement and project management would overlap, thus allowing the creation of synergies.

The Agency’s governance structure should also reflect the existing variable geometry, i.e. a heterogeneous group of Member States and associated countries with a varying level of participation in the systems:

Cross-pillar elements of the structure : these elements require the adoption of different legal instruments for establishing the Agency (in particular for the SIS II). The Agency shall be based on legal instruments covering the first and third pillars. The present package of legal instruments combines two legal instruments:

Regulation of the European Parliament and of the Council establishing an Agency for the operational management of large-scale IT systems in the area of freedom, security and justice; Council Decision conferring upon the Agency established by Regulation XX tasks regarding the operational management of SIS II and VIS in application of Title VI of the EU Treaty.

The Regulation, will describe the structure and the tasks of the Agency, its voting procedures and other necessary elements.

The Decision, which takes account of the cross-pillar elements of the systems, will confer on the Agency the tasks related to the operational management of SIS II and VIS in application of Title VI of the EU Treaty.

Financial Implications : the estimated total costs related to the preparatory and start-up phase of the long-term operational management of SIS II, VIS and EURODAC amount to EUR 113 million between 2010 and 2013. This amount is covered by the financial framework for 2007-2013. An overview of the operational and administrative expenditure is provided in the legislative financial statement annexed to the proposal for a Regulation establishing an Agency for the operational management of large-scale IT systems in the area of freedom, security and justice. The financial statement is mainly founded on estimates and figures from the impact assessment conducted in 2007. It is also based on the assumption that this proposal will be adopted in 2010, in order for the Agency to be legally established in 2011 and become a fully fledged Agency able to take over all the tasks related to the operational management of SIS II, VIS and EURODAC and other large-scale IT systems in 2012.

The estimated costs for the Agency cover operational as well as administrative expenditure needed to ensure the effective operational management of SIS II, VIS and EURODAC. The total amount also includes costs related to personnel and its training. It is currently foreseen that the Agency will employ 120 people. However, what is not foreseen in the budget of the Agency are the costs linked to the connection of the three systems to the s-TESTA network. According to the proposal, the Commission remains responsible for all contractual and budgetary aspects related to the communication infrastructure. The yearly costs of the connection of the three systems amount to around EUR 16.5 million, an amount that will be covered by the Community budget. Lastly, resources have been foreseen for the acquisition of a new site for the Agency which has also the capacity to host systems.

Compared to the current situation, where the systems are developed and operated separately, and once the necessary initial investments have been made, a joint management structure would result in synergies and cost efficiencies in the long term.

PURPOSE: to establish an Agency for the operational management of large-scale IT systems in the area of freedom, security and justice.

PROPOSED ACT: Regulation of the European Parliament and of the Council.

BACKGROUND: on the basis of the Schengen Convention (1985), the Schengen Information System (SIS) was established to maintain public policy and public security, including national security. Since then, the system has been great improved and extended, leading to the second-generation Schengen Information System (SIS II), established by Regulation (EC) No 1987/2006 of the European Parliament and of the Council and Council Decision 2007/533/JHA .

At the same time, the Visa Information System (VIS) was established by Regulation (EC) No 767/2008 of the European Parliament and of the Council enabling consulates and other competent authorities of the Member States to exchange visa information for the purposes of facilitating the visa application procedure, preventing 'visa shopping' and contributing to the fight against fraud in the framework of the implementation of Council Regulation (EC) No 343/2003 establishing the criteria and mechanisms for determining the Member State responsible for examining an asylum application (Dublin Regulation).

Lastly, EURODAC was established to facilitate the application of that Regulation (see CNS/1999/0116 ) by enabling Member States to identify asylum seekers as well as persons having crossed an external border of the Community illegally, by comparing their fingerprints with those in an existing database.

At present, the central systems of the SIS II and VIS (CS-SIS and central VIS) are located in Strasbourg (France), whereas the back-up central systems (back-up CS-SIS and back-up central VIS) are located in Sankt Johann im Pongau (Austria). The Commission is entirely responsible for the management of EURODAC.

In joint statements accompanying the SIS II and VIS legal instruments, the Council and the European Parliament invited the Commission, following an Impact Assessment containing a substantive analysis of alternatives, from the financial, operational and organisational perspective, to present the necessary legislative proposals entrusting an agency with the long term operational management of SIS II and VIS . After the analysis of different options, a new Regulatory Agency was found to be the most feasible alternative for carrying out the tasks of a "Management Authority" for these systems in the long term. That is why the Commission is now proposing the current legal framework.

The approach of a single entity for the management of the three systems will result in economies of scale both in terms of capital and human resources.

IMPACT ASSESSMENT: the Commission carried out an impact assessment. Following a pre‑screening process, five possible options to achieve the objective of long-term operational management of SIS II, VIS and EURODAC were retained and further analysed:

Option 1: baseline : the operational management solution for SIS II and VIS (namely, entrusting management tasks to Member States' authorities). Currently, the Commission manages EURODAC and this solution would also be maintained; Option 2: Baseline+ : the Commission would entrust the operational management tasks related to SIS II, VIS and EURODAC to Member States' authorities; Option 3: a new Regulatory Agency : a new Regulatory Agency would assume responsibility for the long-term operational management of SIS II, VIS and EURODAC; Option 4: FRONTEX : this Agency would manage the three systems, which would entail changes to both its basic act and its operational management structure; Option 5: EUROPOL : EUROPOL would manage SIS II, whereas the Commission would manage VIS and EURODAC. This option was considered while negotiations on the conversion of the current Europol Convention into a Community act were still ongoing ( CNS/2006/0310 ).

As a result of a comparative analysis, the new Regulatory Agency option ( option 3 ), which aims to create a joint management structure for SIS II, VIS and EURODAC, scored highest.

CONTENT: this proposal aims to establish an agency responsible for the operational management of the SIS II, VIS, EURODAC and other large-scale IT systems in application of Title IV of the EC Treaty and potentially for other large-scale IT systems in the area of freedom, security and justice (on the basis of a legal instrument to be adopted at a later date).

Legal particularity of the proposed plan : this legislative package contains two distinct proposals:

this proposal for a Regulation covering the first pillar scope of SIS II, VIS and EURODAC; and a proposal for a Council Decision entrusting the Agency created by the Regulation with tasks related to the operation management of the SIS II and VIS systems in application of Title IV of the EC Treaty, and under the third pillar.

This established method for a legislative package of this nature is also applied in the entire legal instrument related to the SIS, in accordance with the relevant provisions of the Treaty.

Tasks : the Agency's core task will be to fulfil the operational management tasks for SIS II, VIS and EURODAC , keeping the systems functioning 24 hours a day, seven days a week, thus ensuring a continuous, uninterrupted flow of data exchange.

In addition to these operational tasks, the Agency shall assume responsibilities related to:

adopting security measures; establishing and publishing reports and other types of information as well as monitoring; organising specific VIS and SIS II related training; implementing pilot schemes upon specific and precise request of the Commission; monitoring of research on the operational management of the SIS II, VIS and EURODAC and other potential information systems.

The Agency shall also be responsible for the tasks relating to the Communication Infrastructure which are referred to in the SIS II Regulation and Decision, the VIS Regulation and the EURODAC Regulation.

The Agency could also potentially be responsible for developing and managing other large-scale IT systems in the area of freedom, security and justice. This would be subject to legislative instruments establishing such systems that in turn would provide the Agency with the respective competences.

The Agency would also become a "centre of excellence" with specialised operational staff in order to ensure the highest level of efficiency and responsiveness, including for the development and operational management of other potential systems.

Governance structure : combining the systems in a joint Agency will make it possible to exploit synergies and share facilities and staff. The Agency's governance structure reflects the existing variable geometry which denotes a heterogeneous group of participating countries (EU Member States with different levels of participation in the information systems and associated countries).

The regulatory Agency shall be established as a Community body, having legal personality. The main body governing the Agency shall be a Management Board with an adequate representation of the Member States and the Commission. The representation of Member States should reflect each Member State's Treaty rights and obligations. The countries associated with the implementation, application and development of the Schengen acquis and the EURODAC related measures shall also participate in the Agency.

In addition to the Management Board, the governance structure shall include an Executive Director (appointed for five years) and advisory groups responsible for providing the Management Board with the expertise related to the respective IT systems. The procedure for appointing the Director and the Director’s tasks are set out in the proposal.

The Agency shall have all the characteristics of a Community body (financed by the Community budget, the Staff Regulations of Officials of the European Communities shall apply to the Agency’s staff, as well as rules on access to documents, linguistic regime, implementation of the budget and scrutiny of expenditure, under the discharge procedure, by the European Parliament, etc.).

Note that this proposal does not prejudge in any way the Council choice regarding the future headquarters of the Agency but the Commission insists that a choice be made quickly.

Rules on security and data protection : entrusting an Agency with the operational management of large-scale IT systems in the area of freedom, security and justice does not affect the specific rules governing the purpose, access rights, security measures and further data protection requirements applicable to those systems.

Evaluation : the Agency shall be subject to an evaluation three years after its implementation and every five years thereafter.

Territorial provisions : the legal frameworks of SIS II, VIS and EURODAC are characterised by variable geometry . On the one hand, Ireland and the United Kingdom participate in EURODAC but are only partly involved in SIS II, and do not participate in VIS, while Denmark is involved in all three systems on a different legal basis. On the other hand, a number of non-EU countries, namely Iceland, Norway, Switzerland and Liechtenstein, are or will be associated with the implementation, application and development of the Schengen acquis, and therefore participate both in SIS II and VIS.

BUDGETARY IMPLICATIONS: the Agency will be funded by the general budget of the European Union. The necessary appropriations to cover the activities of the Agency will come from the appropriations currently foreseen in the Financial Programming 2011-2013 in the budget lines:

18 02 04 "Schengen Information System (SIS II)"; 18 02 05 "Visa Information System (VIS)"; 18 03 11 "EURODAC".

Therefore, the proposal does not impact on the financial framework for 2007-2013 .

The financial statement annexed to this proposal is based on the assumption that it will be adopted in 2010 in order for the Agency to be legally established in 2011 and become a fully fledged Agency in 2012 .

Overall, the preparatory and start-up phase of the Agency between 2010 and 2013 is estimated at EUR 113 million , which will be covered by the 2007‑2013 financial framework.