法律人 LawPlayer logo

資料由法律人 LawPlayer整理提供·EU law / curated by LawPlayer from EUR-Lex

Regulation

Commission Implementing Regulation (EU) 2022/1380 of 8 August 2022 laying down the rules and conditions for verification queries by carriers, provisions for data protection and security for the carriers’ authentication scheme as well as fall back procedures in case of technical impossibility and repealing Implementing Regulation (EU) 2021/1217

CELEX
Implementing Regulation (EU) 2022/1380
Date of document
Articles
16
Source
EUR-Lex
Article 1Subject matter

This Regulation establishes:

(a)

the detailed rules and conditions for the operation of the carrier gateway and the data protection and security rules applicable to the carrier gateway provided for in Article 45(2) of Regulation (EU) 2018/1240;

(b)

an authentication scheme for carriers to enable them to fulfil their obligations pursuant to Article 45(3) of Regulation (EU) 2018/1240 as well as detailed rules and conditions on registration of carriers with the authentication scheme;

(c)

details of the procedures to be followed where it is technically impossible for carriers to access the carrier gateway, in accordance with Article 46(4) of Regulation (EU) 2018/1240.

Article 2Definitions

For the purposes of this Regulation the following definitions apply:

(a)

‘carrier interface’ means the carrier gateway to be developed by eu-LISA in accordance with Article 73(3) of Regulation (EU) 2018/1240 and consisting of an IT interface connected to a read only database;

(b)

‘technical guidelines’ means the part of the technical specifications, referred to in Article 73(3) of Regulation (EU) 2018/1240, that is relevant for carriers for the implementation of the authentication scheme and the development of the message format of the Application Programming Interface referred to in Article 4(2), point (a), of this Regulation;

(c)

‘duly authorised staff’ means employees of or contractually engaged by the carrier or by other legal or natural persons acting under that carrier’s direction or supervision, assigned with the tasks of verifying the status of travellers on behalf of the carrier, in accordance with Article 45(1) of Regulation (EU) 2018/1240.

Article 3Obligations of carriers

1.   Carriers shall send a query referred to in Article 45(1) of Regulation (EU) 2018/1240 (‘verification query’), through the carrier interface.

2.   The verification query shall be sent at the earliest 48 hours prior to the scheduled time of departure.

3.   Carriers shall ensure that only duly authorised staff have access to the carrier interface. The carriers shall put in place at least the following mechanisms:

(a)

physical and logical access control mechanisms to prevent unauthorised access to the infrastructure or the systems used by the carriers;

(b)

authentication;

(c)

logging to ensure access traceability;

(d)

a regular review of the access rights.

Article 4Connection and access to the carrier interface

1.   Carriers shall connect to the carrier interface through one of the following:

(a)

a dedicated network connection;

(b)

an internet connection.

2.   Carriers shall access the carrier interface through one of the following:

(a)

a system-to-system interface (Application Programming Interface);

(b)

a web interface (browser);

(c)

an application for mobile devices.

Article 5Queries

1.   In order to send the verification query, the carrier shall provide the following traveller data:

(a)

surname (family name); first name or names (given names);

(b)

date of birth, sex and nationality;

(c)

the type and number of the travel document and the three letter code of the issuing country of the travel document;

(d)

the date of expiry of the validity of the travel document;

(e)

the scheduled day of arrival at the border of the Member State of entry;

(f)

one of the following:

(i)

the scheduled Member State of entry;

(ii)

where possible to identify the scheduled Member State of entry, an airport in the Member State of entry;

(g)

the details (local date and time of scheduled departure, identification number where available or other means to identify the transport) of the means of transportation used to access the territory of a Member State.

2.   For the purposes of providing the information referred to in paragraph 1, points (a) to (d), carriers shall be allowed to scan the machine-readable zone of the travel document.

3.   Where the passenger is exempt from the scope of Regulation (EU) 2018/1240 in accordance with Article 2 of that Regulation or is in airport transit, the carrier shall be able to specify it in the verification query.

4.   Carriers shall be able to send a verification query for one or more passengers. The carrier interface shall include the reply referred to in Article 6 for each passenger included in the query.

Article 6Reply

1.   Where the passenger is exempt from the scope of Regulation (EU) 2018/1240 in accordance with Article 2 of that Regulation or is in airport transit, the reply shall be ‘Not applicable’. In all other cases, the reply shall be ‘OK’ or ‘Not OK’. Where a verification query returns a ‘Not OK’ reply, the reply shall specify that the response is coming from the European Travel Information and Authorisation System.

2.   During the transitional period referred to in Article 83(1) of Regulation (EU) 2018/1240, replies to the verification queries shall be determined in accordance with the following rules:

(a)

if the third-country national has a valid travel authorisation for the date of entry: OK;

(b)

if the third-country national has no valid travel authorisation for the date of entry: OK;

(c)

if the third-country national has no valid travel authorization for the date of entry but the carrier indicates that one of the conditions referred to in paragraph 1, are fulfilled: Not applicable;

(d)

if the third-country national has a valid travel authorisation for the date of entry with Limited Territorial Validity (‘LTV’) and the Member State of entry corresponds to the Member State of the LTV: OK;

(e)

if the third-country national has a valid travel authorisation for the date of entry with LTV and the Member State of entry does not correspond to the Member State of the LTV: OK.

3.   During the grace period referred to in Article 83(3) of Regulation (EU) 2018/1240 replies to the queries shall be determined in accordance with the following rules:

(a)

if the third-country national has a valid travel authorisation for the date of entry: OK;

(b)

if the third-country national has no valid travel authorisation for the date of entry and it is the first time since the end of the transitional period the third-country national is entering the territory of a Member State applying the ETIAS Regulation: OK;

(c)

if the third-country national has a valid travel authorisation for the date of entry with LTV, it is the first time since the end of the transitional period the third-country national is entering the territory of a Member State applying the ETIAS Regulation and the Member State of entry corresponds to the Member State of the LTV: OK;

(d)

if the third-country national has a valid travel authorisation for the date of entry with LTV, it is the second or more time since the end of the transitional period the third-country national is entering the territory of a Member State applying the ETIAS Regulation and the Member State of entry corresponds to the Member State of the LTV: OK;

(e)

if the third-country national has no valid travel authorisation for the date of entry and it is the second or more time since the end of the transitional period that the third-country national is entering the territory of a Member State applying the ETIAS Regulation: Not OK;

(f)

if the third-country national has no valid travel authorisation for the date of entry but the carrier confirms in the verification query that one of the conditions referred to in paragraph 1, are fulfilled: Not applicable;

(g)

if the third-country national has a valid travel authorisation for the date of entry with LTV, it is the first time since the end of the transitional period the third-country national is entering the territory of a Member State applying the ETIAS Regulation and the Member State of entry does not correspond to the Member State of the LTV: OK;

(h)

if the third-country national has a valid travel authorisation for the date of entry with LTV and it is the second or more time since the end of the transitional period the third-country national is entering the territory of a Member State applying the ETIAS Regulation and the Member State of entry does not correspond to the Member State of the LTV: Not OK.;

(i)

if the third-country national has no valid travel authorisation for the date of entry and is entering the territory of a Member State applying the ETIAS Regulation: Not OK.

4.   After the expiry of the grace period referred to in Article 83(3) of Regulation (EU) 2018/1240 replies to the queries shall be determined in accordance with the following rules:

(a)

Until the start of operations of the Visa Information System referred to in Regulation (EC) No 767/2008:

(i)

if the third-country national has a valid travel authorisation for the date of entry: OK;

(ii)

if the third-country national has no valid travel authorisation for the date of entry: Not OK;

(iii)

if the third-country national has no valid travel authorisation for the date of entry but the carrier confirms in the verification query that one of the conditions referred to in the first sentence of paragraph 1 are fulfilled: Not applicable;

(iv)

if the third-country national has a valid travel authorisation for the date of entry with LTV and the Member State of entry corresponds to the Member State of the LTV: OK;

(v)

if the third-country national has a valid travel authorisation for the date of entry with LTV and the Member State of entry does not correspond to the Member State of the LTV: Not OK.

(b)

From the start of operations of the Visa Information System:

(i)

if the third-country national has a valid travel authorisation for the date of entry and there is at least 1 remaining day of authorised stay: OK;

(ii)

if the third-country national has no valid travel authorisation for the date of entry or there are 0 remaining days of authorised stay: Not OK;

(iii)

if the third-country national has no valid travel authorisation for the date of entry but the carrier confirms in the verification query that one of the conditions referred to in paragraph 1 are fulfilled: Not applicable;

(iv)

if the third-country national has a valid travel authorisation for the date of entry with LTV and the Member State of entry corresponds to the Member State of the LTV and there is at least 1 remaining day of authorised stay: OK;

(v)

if the third-country national has a valid travel authorisation for the date of entry with LTV and the Member State of entry does not correspond to the Member State of the LTV: Not OK.

Article 7Message format

eu-LISA shall specify the data formats and structure of messages to be used for transmitting verification queries and replies to those queries through the carrier interface in the technical guidelines. eu-LISA shall provide for the use of at least the following data formats:

(a)

UN/EDIFACT;

(b)

PAXLST/CUSRES;

(c)

XML;

(d)

JSON.

Article 8Data extraction requirements for the carrier interface and data quality

1.   Data on issued, annulled and revoked travel authorisations shall be automatically extracted from the European Travel Information and Authorisation System at least daily and transmitted to the read-only database.

2.   All extractions of data into the read-only database pursuant to paragraph 1 shall be logged.

3.   eu-LISA shall be responsible for the security of the carrier interface, for the security of the personal data it contains and for the process of extracting from the European Travel Information and Authorisation System and transmitting the data referred to in paragraph 1 to the read-only database. The technical implementation details shall be derived from the security plan following the risk assessment process.

4.   It shall not be possible to transmit data from the read-only database to the European Travel Information and Authorisation System.

Article 9Authentication scheme

1.   eu-LISA shall develop an authentication scheme, taking into account information on security risk management and the principles of data protection by design and default and access control principles including accountability and allowing to trace the initiator of the verification query.

2.   The details of the authentication scheme shall be set out in the technical guidelines.

3.   The authentication scheme shall be tested in accordance with Article 12.

4.   Where carriers access the carrier interface using the Application Programming Interface referred to in Article 4(2), point (a), the authentication scheme shall be implemented by means of mutual authentication.

Article 10Registration with the authentication scheme

1.   Carriers referred to in Article 45(1) of Regulation (EU) 2018/1240 operating and transporting passengers into the territory of the Member States shall be required to register prior to gaining access to the authentication scheme.

2.   eu-LISA shall make available a registration form on a public website to be completed online. Submission of the registration form shall only be possible where all the fields have been correctly completed.

3.   The registration form shall include fields requiring carriers to provide the following information:

(a)

the legal name of the carrier as well as its contact details (email address, telephone number and postal address);

(b)

the contact details of the legal representative of the company requesting the registration and of back-up points of contact (names, telephone numbers, email and postal addresses) as well as the functional email address and other means of communication that the carrier intends to use for the purposes of Articles 13 and 14;

(c)

the Member State or third country that issued the official company registration referred to in paragraph 6 and the registration number, where available;

(d)

where the carrier has attached, in accordance with paragraph 6, an official company registration issued by a third country, the Member States in which the carrier operates or intends to operate within the next year.

4.   The registration form shall inform the carriers of the minimum security requirements. The carriers shall ensure compliance with the following objectives:

(a)

identifying and managing security risks related to the connection to the carrier interface;

(b)

protecting the environments and the devices connected to the carrier interface;

(c)

detecting, analysing, responding to and recovering from cyber security incidents.

5.   The registration form shall require carriers to declare:

(a)

that they operate and transport passengers into the territory of the Member States or intend to do so within the next six months;

(b)

that they will access and make use of the carrier interface in accordance with the minimum security requirements set out in the registration form, in accordance with paragraph 4;

(c)

that only duly authorised staff will have access to the carrier interface.

6.   The registration form shall require carriers to attach an electronic copy of their instruments of constitution, including statutes, as well as an electronic copy of an extract of their official company registration from either at least one Member State, where applicable, or from a third country in, or officially translated into, one of the official Union or Icelandic or Norwegian. An electronic copy of an authorisation to operate in one or more Member States, such as an Air Operator Certificate, can substitute the official company registration.

7.   The registration form shall notify carriers:

(a)

that they are required to inform eu-LISA of any changes regarding the information referred to in paragraphs 3, 4 and 5 of this Article or in case of technical changes affecting their ‘system to system’ connection to the carrier interface that may require additional testing in accordance with Article 12 through specified contact details of eu-LISA to be used for this purpose;

(b)

that they will be automatically deregistered from the authentication scheme if the logs show that the carrier has not used the carrier interface during a period of one year;

(c)

that they may be deregistered from the authentication scheme in case of a breach of the provisions of this Regulation, the security requirements referred to in paragraph 4 or the technical guidelines, including in case of abuse of the carrier interface;

(d)

that they are obliged to inform eu-LISA of any personal data breach that may occur and regularly review the access rights of their dedicated staff.

8.   Where the registration form has been submitted correctly, eu-LISA shall register the carrier and notify the carrier that it has been registered. Where the registration form has not been submitted correctly, eu-LISA shall refuse registration and notify the carrier of the reasons.

9.   eu-LISA shall maintain an up to date register of registered carriers. Personal data contained in the registration of carriers shall be deleted at the latest one year after the carrier has been deregistered.

Article 11Deregistration from the authentication scheme

1.   Where the carrier informs eu-LISA that it no longer operates or transports passengers into the territory of the Member States, eu-LISA shall deregister the carrier.

2.   Where the logs show that the carrier has not used the carrier interface during a period of one year, it shall be automatically deregistered.

3.   Where a carrier no longer fulfils the conditions referred to in Article 10(5), or has otherwise breached the provisions of this Regulation, the security requirements referred to in Article 10(4) or the technical guidelines, including in case of abuse of the carrier interface, eu-LISA may deregister the carrier.

4.   eu-LISA shall inform the carrier of its intention to deregister the carrier pursuant to paragraphs 1, 2 or 3, together with the reason for the deregistration, one month before deregistration. Before deregistration, eu-LISA shall give the carrier the opportunity to provide written comments.

5.   In case of urgent IT security concerns, including where the carrier is not complying with the security requirements referred to in Article 10(4), or with the technical guidelines, eu-LISA may immediately disconnect a carrier. eu-LISA shall inform the carrier of the disconnection, together with the reason for the disconnection.

6.   To the extent appropriate, eu-LISA shall assist carriers that have received a notice of deregistration or disconnection to remedy the deficiencies that gave rise to the notice and, where possible, for a limited time and under strict conditions, provide the opportunity for disconnected carriers to send verification queries by other means than those referred to in Article 4.

7.   Disconnected carriers may again be connected to the carrier interface following successful removal of the security concerns that gave rise to the disconnection. Deregistered carriers may submit a new request for registration.

8.   At any time following the registration of carriers pursuant to Article 10, eu-LISA may, in particular where there is reasoned suspicion that one or more carriers are abusing the carrier interface or do not fulfil the conditions referred to in Article 10(4), make inquiries with Member States or third countries.

9.   Where the registration form referred to in Article 10(2) is not available for a prolonged period of time, eu-LISA shall ensure that registration in accordance with that Article is possible via other means.

Article 12Development, testing and connection of the carrier interface

1.   eu-LISA shall make available the technical guidelines to carriers in order to enable them to develop and test their carrier interface.

2.   Where carriers choose to connect through the Application Programming Interface referred to in Article 4(2), point (a), the implementation of the message format referred to in Article 7 and of the authentication scheme referred to in Article 9 shall be tested.

3.   Where carriers choose to connect through the web interface (browser) or application for mobile devices, they shall notify eu-LISA that they have successfully tested their connection to the carrier interface and that their duly authorised staff has been successfully trained in using the carrier interface.

4.   For the purpose of paragraph 2, eu-LISA shall develop and make available a testing plan, a test environment and a simulator allowing eu-LISA and carriers to test the carriers’ connection to the carrier interface. For the purpose of paragraph 3, eu-LISA shall develop and make available a test environment allowing carriers to train their staff.

5.   Upon successful completion of the registration procedure referred to in Article 10 as well as the successful completion of the testing referred to in paragraph 2 of this Article or reception of the notification referred to in paragraph 3 of this Article, eu- LISA shall connect the carrier to the carrier interface.

Article 13Technical impossibility

1.   Where it is technically impossible to send a verification query because a component of the European Travel Information and Authorisation System failed, the following shall apply:

(a)

where the failure is detected by a carrier, as soon as it becomes aware of it, it shall notify the ETIAS Central Unit through the means referred to in Article 14.

(b)

where the failure is detected or confirmed by eu-LISA, the ETIAS Central Unit shall inform concerned carriers and Member States of such failure by email or other means of communication, as soon as they become aware of it, and of the end of the failure when the issue has been solved;

2.   Where it is technically impossible to send a verification query for other reasons than a failure of any component of the ETIAS Information System, the carrier shall notify the ETIAS Central Unit through the means referred to in Article 14.

3.   The carrier shall inform the ETIAS Central Unit, through the means referred to in Article 14, as soon as the issue has been solved.

4.   The ETIAS Central Unit shall inform the concerned Member States of the impossibility of this carrier to send the verification query.

5.   For the purpose of this Article and Article 14, eu-LISA shall make available to the ETIAS Central Unit a ticketing tool. That tool shall offer access to the register of carriers.

6.   The ETIAS Central Unit shall acknowledge receipt of the notifications referred to in paragraphs 1 and 2.

Article 14Assistance to carriers

1.   A web form as part of the ticketing tool shall be made available to carriers on a public website in order to allow carriers to request assistance.

The web form shall enable the carriers to provide at least the following information:

(a)

the identification details of the carrier;

(b)

a summary of the request;

(c)

whether the request is of a technical nature and, in such case, the date and time of the start of the technical issue.

2.   Carriers shall receive an acknowledgement of receipt of the request by the ETIAS Central Unit. That receipt shall contain a ticket number.

3.   Where the request for assistance is of a technical nature, the ETIAS Central Unit shall send the request to eu-LISA. eu-LISA shall be responsible for providing technical assistance to carriers.

4.   Where the request for assistance is not of a technical nature, the ETIAS Central Unit shall assist carriers by directing them to relevant information.

5.   Where it is technically impossible to request assistance in accordance with paragraph 1 using the web form, the carrier shall be able to use an emergency phone line connected to the ETIAS Central Unit or eu-LISA.

6.   The assistance provided by the ETIAS Central Unit and eu-LISA shall be available 24/7 and provided in English.

7.   The ETIAS Central Unit shall make available online a list of frequent questions and answers relevant for carriers. That list shall be available in all official languages of the Union. It shall be separate from the questions and answers relevant for travelers.

Article 15Repeal of Implementing Regulation (EU) 2021/1217

Implementing Regulation (EU) 2021/1217 shall be repealed.

Article 16Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union .

16 articles

Cite this act

Commission Implementing Regulation (EU) 2022/1380 of 8 August 2022 laying down the rules and conditions for verification queries by carriers, provisions for data protection and security for the carriers’ authentication scheme as well as fall back procedures in case of technical impossibility and repealing Implementing Regulation (EU) 2021/1217 (EUR-Lex). Retrieved via LawPlayer, https://lawplayer.com/eu/act/32022R1380

© European Union, https://eur-lex.europa.eu, 1998-2026. Reuse authorised under Commission Decision 2011/833/EU, provided the source is acknowledged.

EU-EurLex-Reuse-2011-833

本頁資料來源:EUR-Lex·整理提供:法律人 LawPlayer· lawplayer.com