Regulation (EU) 2018/1726 of the European Parliament and of the CouncilShow full title

CHAPTER II TASKS OF THE AGENCY

Article 3Tasks relating to SIS II

In relation to SIS II, the Agency shall perform:

Article 4Tasks relating to the VIS

In relation to the VIS, the Agency shall perform:

Article 5Tasks relating to Eurodac

In relation to Eurodac, the Agency shall perform:

Article 6Tasks relating to the EES

In relation to the EES, the Agency shall perform:

Article 7Tasks relating to ETIAS

In relation to ETIAS, the Agency shall perform:

Article 8Tasks relating to DubliNet

In relation to DubliNet, the Agency shall perform:

Article 9Tasks relating to the preparation, development and operational management of other large-scale IT systems

When entrusted with the preparation, development or operational management of other large-scale IT systems referred to in Article 1(5), the Agency shall perform the tasks conferred on it pursuant to the Union legal act governing the relevant system, as well as tasks relating to training on the technical use of those systems, as appropriate.

Article 10Technical solutions requiring specific conditions before implementation

Where the Union legal acts governing the systems require the Agency to keep those systems functioning 24 hours a day, 7 days a week and without prejudice to those Union legal acts, the Agency shall implement technical solutions to meet those requirements. Where those technical solutions require a duplication of a system or a duplication of components of a system, they shall only be implemented where an independent impact assessment and cost-benefit analysis to be commissioned by the Agency has been carried out and following the consultation of the Commission and the positive decision of the Management Board. The impact assessment shall also examine existing and future needs in terms of the hosting capacity of the existing technical sites related to the development of such technical solutions and the possible risks related to the current operational set up.

Article 11Tasks relating to the communication infrastructure

1.The Agency shall carry out all the tasks relating to the communication infrastructure of the systems conferred on it by the Union legal acts governing the systems, with the exception of those systems that make use of the EuroDomain for their communication infrastructure. In the case of those systems that make such use of the EuroDomain, the Commission shall be responsible for the tasks of the implementation of the budget, acquisition and renewal, and contractual matters. In accordance with the Union legal acts governing the systems using the EuroDomain, the tasks regarding the communication infrastructure, including the operational management and security, are to be divided between the Agency and the Commission. In order to ensure coherence between the exercise of their respective responsibilities, operational working arrangements shall be concluded between the Agency and the Commission and reflected in a memorandum of understanding.

2.The communication infrastructure shall be adequately managed and controlled in such a way as to protect it from threats and to ensure its security and that of the systems, including that of data exchanged through the communication infrastructure.

3.The Agency shall adopt appropriate measures, including security plans, inter alia, to prevent the unauthorised reading, copying, modification or deletion of personal data during transfers of personal data or transport of data media, in particular by means of appropriate encryption techniques. All system-related operational information circulating in the communication infrastructure shall be encrypted.

4.Tasks relating to the delivery, setting up, maintenance and monitoring of the communication infrastructure may be entrusted to external private-sector entities or bodies in accordance with Regulation (EU, Euratom) 2018/1046. Such tasks shall be carried out under the responsibility of the Agency and under its close supervision.

When carrying out the tasks referred to in the first subparagraph, all external private-sector entities or bodies, including network providers, shall be bound by the security measures referred to in paragraph 3 and shall have no access, by any means, to any operational data stored in the systems or transferred through the communication infrastructure or to the SIS II-related SIRENE exchange.

5.The management of the encryption keys shall remain within the competence of the Agency and shall not be outsourced to any external private-sector entity. This is without prejudice to the existing contracts on the communication infrastructures of SIS II, the VIS and Eurodac.

Article 12Data quality

Without prejudice to Member States’ responsibilities with regard to the data entered into the systems, the Agency, closely involving its Advisory Groups, together with the Commission, shall work towards establishing for all the systems automated data quality control mechanisms and common data quality indicators and towards developing a central repository containing only anonymised data for reporting and statistics, subject to specific provisions in the Union legal acts governing the development, establishment, operation and use of the systems.

Article 13Interoperability

Where interoperability of large-scale IT systems has been stipulated in a relevant Union legal act, the Agency shall develop the necessary actions to enable that interoperability.

Article 14Monitoring of research

1.The Agency shall monitor developments in research relevant for the operational management of SIS II, the VIS, Eurodac, the EES, ETIAS, DubliNet and other large-scale IT systems as referred to in Article 1(5).

2.The Agency may contribute to the implementation of the parts of the European Union Framework Programme for Research and Innovation that relate to large-scale IT systems in the area of freedom, security and justice. For that purpose, and where the Commission has delegated the relevant powers to it, the Agency shall have the following tasks:

(a)managing some stages of programme implementation and some phases in the lifetime of specific projects on the basis of the relevant work programmes adopted by the Commission;

(b)adopting the instruments of budget execution and for revenue and expenditure and carrying out all the operations necessary for the management of the programme; and

(c)providing support in programme implementation.

3.The Agency shall, on a regular basis and at least once a year, keep the European Parliament, the Council, the Commission, and, where processing of personal data is concerned, the European Data Protection Supervisor, informed on the developments referred to in this Article without prejudice to the reporting requirements in relation to the implementation of parts of the European Union Framework Programme for Research and Innovation referred to in paragraph 2.

Article 15Pilot projects, proofs of concept and testing activities

1.Upon the specific and precise request of the Commission, which shall have informed the European Parliament and the Council at least three months in advance of making such a request, and after a positive decision of the Management Board, the Agency may, in accordance with point (u) of Article 19(1) of this Regulation and by way of a delegation agreement be entrusted with carrying out pilot projects as referred to in point (a) of Article 58(2) of Regulation (EU, Euratom) 2018/1046 for the development or the operational management of large-scale IT systems pursuant to Articles 67 to 89 TFEU in accordance with point (c) of Article 62(1) of Regulation (EU, Euratom) 2018/1046.

The Agency shall keep the European Parliament, the Council and, where the processing of personal data is concerned, the European Data Protection Supervisor informed on a regular basis of the evolution of the pilot projects carried out by the Agency under the first subparagraph.

2.Financial appropriations for pilot projects as referred to in point (a) of Article 58(2) of Regulation (EU, Euratom) 2018/1046, that have been requested by the Commission under paragraph 1, shall be entered in the budget for no more than two consecutive financial years.

3.At the request of the Commission or the Council, after having informed the European Parliament and after a positive decision of the Management Board, the Agency may be entrusted, by way of a delegation agreement, with budget implementation tasks for proofs of concept funded under the instrument for financial support for external borders and visa established by Regulation (EU) No 515/2014 in accordance with point (c) of Article 62(1) of Regulation (EU, Euratom) 2018/1046.

4.Following a positive decision of the Management Board, the Agency may plan and implement testing activities on matters covered by this Regulation and by any of the Union legal acts governing the development, establishment, operation and use of the systems.

Article 16Support to Member States and the Commission

1.Any Member State may request the Agency to provide advice with regard to the connection of its national system to the central systems of the large-scale IT systems managed by the Agency.

2.Any Member State may submit a request for ad hoc support to the Commission, which, subject to its positive assessment that such support is required by virtue of extraordinary security or migratory needs, shall transmit it, without delay, to the Agency. The Agency shall inform the Management Board of such requests. The Member State shall be informed where the Commission’s assessment is negative.

The Commission shall monitor whether the Agency has provided a timely response to the Member State's request. The Agency’s annual activity report shall report in detail on the actions the Agency has carried out to provide ad hoc support to Member States and on the costs incurred in that respect.

3.The Agency may also be requested to provide advice or support to the Commission on technical issues related to existing or new systems, including by way of studies and testing. The Agency shall inform the Management Board of such requests.

4.A group of at least five Member States may entrust the Agency with the task of developing, managing or hosting a common IT component to assist them in implementing technical aspects of obligations deriving from Union law on decentralised systems in the area of freedom, security and justice. Those common IT solutions shall be without prejudice to the obligations of the requesting Member States under the applicable Union law, in particular with regard to the architecture of those systems.

In particular, the requesting Member States may entrust the Agency with the task of establishing a common component or router for advance passenger information and passenger name record data as a technical support tool to facilitate connectivity with air carriers in order to assist Member States in the implementation of Council Directive 2004/82/EC(2) and Directive (EU) 2016/681 of the European Parliament and of the Council(3). In such a case the Agency shall centrally collect the data from air carriers and transmit those data to the Member States via the common component or router. The requesting Member States shall adopt the necessary measures to ensure that air carriers transfer the data via the Agency.

The Agency shall be entrusted with the task of developing, managing or hosting a common IT component only after prior approval by the Commission and subject to a positive decision of the Management Board.

The requesting Member States shall entrust the Agency with the tasks referred to in the first and second subparagraphs by way of a delegation agreement setting out the conditions for the delegation of the tasks and the calculation of all relevant costs and the invoicing method. All relevant costs shall be covered by the participating Member States. The delegation agreement shall comply with the Union legal acts governing the systems in question. The Agency shall inform the European Parliament and the Council of the approved delegation agreement and of any modifications thereto.

Other Member States may request to participate in a common IT solution where this possibility is provided for in the delegation agreement setting out, in particular, the financial implications of such participation. The delegation agreement shall be modified accordingly following the prior approval by the Commission and after a positive decision of the Management Board.