Interoperability

Interoperability aims to contribute to a high level of security within the area of freedom, security and justice of the Union, including the maintenance of public security and public policy, and safeguarding security in the territories of the Member States according to Article 67(3) of the Treaty on the Functioning of the EU. Specific objectives of interoperability include:

• improve the effectiveness and efficiency of border checks at external borders;
• contribute to the prevention and the combating of irregular immigration;
• improve the implementation of the common visa policy;
• help check applications for international protection;
• contribute to the prevention, detection, and investigation of terrorist offences and of other serious criminal offences;
• facilitate the identification of people who are unable to identify themselves or unidentified human remains in case of a natural disaster, accident or terrorist attack.

Interoperability between the Union’s large-scale IT systems allows those systems to complement each other while:

• facilitating the correct identification of persons, including unknown persons who are unable to identify themselves or unidentified human remains according to Article 20 of the two Regulations;
• helping to combat identity fraud;
• improving and harmonising the data quality requirements of the respective large-scale IT systems;
• facilitating the technical and operational implementation by Member States of large-scale IT systems;
• strengthening the data security and data protection safeguards that govern the respective large-scale IT systems;
• streamlining access for the purposes of preventing, detecting or investigating terrorist offences or other serious criminal offences to the EES, VIS, ETIAS, and
• supporting the EES, VIS, ETIAS, Eurodac, SIS and ECRIS-TCN.

The interoperability framework relies on four new components:

• a European Search Portal (ESP);
• a shared Biometric Matching Service (sBMS);
• a Common Identity Repository (CIR);
• a Multiple-Identity Detector (MID).

The ESP acts as a one-stop-shop to search the various EU information systems and retrieve the necessary information seamlessly. It facilitates the efficient, systematic and controlled access by Member State authorities and EU agencies to the large-scale IT systems and to Europol data in accordance with access rights. The interoperability components cover Europol data, enabling Europol data to be searched at the same time as the EU information systems. In addition, the ESP covers the querying of the International Criminal Police Organization (Interpol) databases in accordance with applicable Union and national law, without sharing the data with Interpol.

The CIR stores personal data necessary to identify individuals accurately, as long as this data is also stored in one of the underlying systems. This includes identity, travel document and biometric data. The corresponding biometric templates are stored in the sBMS. This makes it easier to identify an individual who is registered in several large-scale IT systems. All records in the CIR, as well as the biometric templates in the sBMS, are logically separated according to the underlying system that owns the record so that access rights are fully respected.

The MID creates and stores links between the data inserted in the large-scale IT systems to detect multiple identities. By doing so, the MID facilitates identity checks for bona fide travellers and combats identity fraud. The MID includes safeguards against potential discrimination and unfavourable decisions for persons with multiple lawful identities.

All EU Member States except Ireland, and four Schengen associated countries (Iceland, Liechtenstein, Norway, and Switzerland) participate in the interoperability Regulations.

The EU Agency for large-scale IT systems, eu-LISA, is responsible for the technical development and operational management of the interoperability infrastructure.

The interoperability Regulations have rules on the protection of personal data (Chapter VII). For example, individuals whose data is processed in the Multiple-Identity Detector (MID) and have been informed that an MID link has been generated can contact the authority responsible for the manual verification of different identities via the Web Portal. The Web Portal facilitates the exercise of the rights of access, rectification, erasure or restriction of processing of personal data. The interoperability Regulations furthermore lays down rules concerning:

• who the owner of the data used in the interoperability components is and the consequent designation of the controller and processor of the personal data;
• security measures to ensure safe data processing and measures to be taken in case of a security incident;
• punishment for any misuse, processing or exchange of data contrary to the interoperability Regulations in accordance with national law;
• guarantees for the right to compensation for damages as a result of an unlawful personal data processing operation;
• the right to information to persons whose data are stored in the interoperability components;
• specific provisions on the right of access to, rectify and erase personal data;
• the prohibition, as a general rule, to communicate personal data to third countries, international organisations and private parties, and
• the co-monitoring activity of the national supervisory authorities and the European Data Protection Supervisor (EDPS) to assess the lawfulness of the processing of personal data .

• Why were two Regulations adopted and not one?

The interoperability initiative has to respect the differences between the large-scale IT systems in terms of legal bases. Some of the systems are a development of the part of the Schengen acquis (namely SIS, VIS, EES and ETIAS). Other information systems, instead, are not part of the Schengen acquis (namely Eurodac and ECRIS-TCN). Because of this difference in participation in the underlying information systems of some Member States and the Schengen associated countries, it is necessary to provide for two Regulations.

• Article 20 of the interoperability Regulations provides for the access to the Common Identity Repository (CIR) for identification purposes: why doesn’t it specify the need to obtain the consent of the person whose identity is assessed?

They would be informed that their personal data could be processed for the purposes of Article 20 when these are enrolled in one of the underlying large-scale IT systems being part of the Common Identity Repository (CIR).

• Will the links created and stored by the MID grant access to more personal data than necessary to improve identity checks at the borders?

No, only pre-defined competent authorities have access to the links and the data linked by the MID that are stored in Common Identity Repository (CIR) and the SIS. This access will not allow them to see more or different data than the ones strictly necessary to perform their functions.

• Is the European Commission working on further guidelines to help authorities to detect multiple identities within the MID process?

Indeed, detailed information on the verification of yellow links at both legal and business levels to support the competent authorities in their everyday work on the links will be provided in the interoperability handbook.

• Article 22 of the interoperability Regulations allows the Common Identity Repository (CIR) to be queried for the purposes of preventing, detecting or investigating terrorist offences or other serious criminal offences in a two-steps approach: Is the access for law enforcement purposes compatible with the specific access rights for law enforcement authorities under each systems’ Regulation?

The VIS, EES, ETIAS, and Eurodac allow law enforcement authorities access to the data stored therein under strict conditions. The access granted under Article 22 does not change the established procedures. What article 22 adds to the established procedure is a first hit/no-hit law enforcement access to the Common Identity Repository (CIR), while the actual access to the data stored in the underlying EU information systems should proceed via the Central Access Points and under the rules described in the VIS, EES, ETIAS and Eurodac Regulations.

List of key documents and legislation on interoperability.

Adopted legislation

• 15.12.2021 - Commission Delegated Regulation (EU) 2021/2222 of 30 September 2021 supplementing Regulation (EU) 2019/818 of the European Parliament and of the Council with detailed rules on the operation of the central repository for reporting and statistics.
• 15.12.2021 - Commission Implementing Regulation (EU) 2021/2224 of 16 November 2021 laying down the details of the automated data quality control mechanisms and procedures, the common data quality indicators and the minimum quality standards for storage of data, pursuant to Article 37(4) of Regulation (EU) 2019/818 of the European Parliament and of the Council.
• 1.12.2021 - Commission Delegated Regulation (EU) 2021/2103 of 19 August 2021 laying down detailed rules on the operation of the web portal, pursuant to Article 49(6) of Regulation (EU) 2019/818 of the European Parliament and of the Council.
• 22.05.2019 - Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between large-scale IT systems in the field of borders and visa and amending Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 2018/1240, (EU) 2018/1726 and (EU) 2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and 2008/633/JHA.
• 22.05.2019 - Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between large-scale IT systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816.

Implementation reports

• 13.10.2022 - Report from the Commission to the European Parliament and the Council on the state of play of preparations for the full implementation of the Interoperability Regulations in accordance with Article 78(5) of Regulation (EU) 2019/817 and Article 74(5) of Regulation (EU) 2019/818.
• 10.11.2021 - Report from the Commission to the European Parliament and the Council on the state of play of preparations for the full implementation of the Interoperability Regulations in accordance with Article 78(5) of Regulation (EU) 2019/817 and Article 74(5) of Regulation (EU) 2019/818.
• 21.08.2020 - Report from the Commission to the European Parliament and the Council on the state of play of preparations for the full implementation of the Interoperability Regulations in accordance with Article 78(5) of Regulation (EU) 2019/817 and Article 74(5) of Regulation (EU) 2019/818.

Other documents

• 22-23.06.2017 - European Council Conclusions on: security and defence, the Paris Agreement on climate change, the economy, migration and digital Europe.
• 16.05.2017 - Communication from the Commission to the European Parliament, the European Council and the Council seventh progress report towards an effective and genuine security Union.
• 6.04.2016 - Communication from the Commission to the European Parliament and the Council on Stronger and Smarter Information Systems for Borders and Security