Texts adopted
Tuesday, 12 March 2019 - Strasbourg 
Request for waiver of the immunity of Monika Hohlmeier
 Request for waiver of the immunity of Jean-Marie Le Pen
 Request for waiver of the immunity of Dominique Bilde
 Extending Rule 159 of Parliament’s Rules of Procedure until the end of the ninth parliamentary term
 Electronic freight transport information ***I
 EU-Vietnam Voluntary Partnership Agreement on forest law enforcement, governance and trade ***
 EU-Vietnam Voluntary Partnership Agreement on forest law enforcement, governance and trade (resolution)
 Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ***
 Authorising Member States to become party to the Council of Europe Convention on an Integrated safety, security, and service approach at football matches and other sports events ***
 Protocol amending the EU-China Agreement on Maritime Transport (accession of Croatia) ***
 EU-Egypt Euro-Mediterranean Agreement (accession of Croatia) ***
 EU-Turkmenistan Partnership and Cooperation Agreement
 Implementing decision on the launch of automated data exchange with regard to DNA data in the United Kingdom *
 Exchange of information on third country nationals and European Criminal Records Information System (ECRIS) ***I
 Centralised system for the identification of Member States holding conviction information on third country nationals and stateless persons (ECRIS-TCN) ***I
 European Solidarity Corps programme ***I
 EU Cybersecurity Act ***I
 Unfair trading practices in business-to-business relationships in the food supply chain ***I
 European citizens’ initiative ***I
 Import of cultural goods ***I
 Protection of personal data in the context of elections to the European Parliament ***I
 Security threats connected with the rising Chinese technological presence in the EU and possible action on the EU level to reduce them
 State of EU-Russia political relations
 Building EU capacity on conflict prevention and mediation

Request for waiver of the immunity of Monika Hohlmeier
European Parliament decision of 12 March 2019 on the request for waiver of the immunity of Monika Hohlmeier (2019/2002(IMM))
P8_TA-PROV(2019)0135 A8-0165/2019

The European Parliament,

–  having regard to the request for waiver of the immunity of Monika Hohlmeier, forwarded on 27 November 2018 by the public prosecutor’s office in Coburg (Germany) in connection with a preliminary police investigation, and announced in plenary on 14 January 2019,

–  having regard to the waiver by Monika Hohlmeier of her right to be heard under Rule 9(6) of its Rules of Procedure,

–  having regard to Article 9 of Protocol No 7 on the Privileges and Immunities of the European Union, and Article 6(2) of the Act of 20 September 1976 concerning the election of the members of the European Parliament by direct universal suffrage,

–  having regard to the judgments of the Court of Justice of the European Union of 12 May 1964, 10 July 1986, 15 and 21 October 2008, 19 March 2010, 6 September 2011 and 17 January 2013(1),

–  having regard to Article 46 of the Basic Law of the Federal Republic of Germany,

–  having regard to Rule 5(2), Rule 6(1) and Rule 9 of its Rules of Procedure,

–  having regard to the report by the Committee on Legal Affairs (A8-0165/2019),

A.  whereas the public prosecutor’s office in Coburg has forwarded a request for waiver of the immunity of Monika Hohlmeier, Member of the European Parliament elected for the Federal Republic of Germany, in connection with an offence within the meaning of Article 142 of the German Criminal Code; whereas, in particular, the proceedings relate to leaving the scene of an accident;

B.  whereas, at around 15:00 on 4 September 2018, Monika Hohlmeier attempted to park her car in a car park in Lichtenfels (Germany); whereas the front of her vehicle hit the back of another car parked there, causing an estimated EUR 287,84 of damage; and whereas Monika Hohlmeier then left the scene of the accident without arranging to pay for the damage;

C.  whereas Article 9 of Protocol No 7 on the privileges and immunities of the European Union stipulates that Members of the European Parliament ‘shall enjoy, in the territory of their own State, the immunities accorded to members of their parliament’;

D.  whereas Article 46 of the Basic Law of the Federal Republic of Germany stipulates that a Member may not be called to account or arrested for a punishable offence without the approval of the Bundestag unless he or she is apprehended while committing the offence or in the course of the following day;

E.  whereas it is for Parliament alone to decide, in a given case, whether or not to waive immunity; whereas Parliament may reasonably take account of the position of the Member in order to decide whether or not to waive his or her immunity(2);

F.  whereas the alleged offence has no clear or direct bearing on the performance by Ms Hohlmeier of her duties as a Member of the European Parliament and does not constitute an opinion expressed or vote cast in the performance of those duties within the meaning of Article 8 of Protocol No 7 on the privileges and immunities of the European Union;

G.  whereas, in this case, Parliament has found no evidence of fumus persecutionis, i.e. a sufficiently serious and precise suspicion that the proceedings have been brought with the intention of causing the Member political damage;

1.  Decides to waive the immunity of Monika Hohlmeier;

2.  Instructs its President to forward this decision and the report of its committee responsible immediately to the competent authority of the Federal Republic of Germany and to Monika Hohlmeier.

(1) Judgment of the Court of Justice of 12 May 1964, Wagner v Fohrmann and Krier, 101/63, ECLI:EU:C:1964:28; judgment of the Court of Justice of 10 July 1986, Wybot v Faure and others, 149/85, ECLI:EU:C:1986:310; judgment of the General Court of 15 October 2008, Mote v Parliament, T-345/05, ECLI:EU:T:2008:440; judgment of the Court of Justice of 21 October 2008, Marra v De Gregorio and Clemente, C-200/07 and C-201/07, ECLI:EU:C:2008:579; judgment of the General Court of 19 March 2010, Gollnisch v Parliament, T-42/06, ECLI:EU:T:2010:102; judgment of the Court of Justice of 6 September 2011, Patriciello, C-163/10, ECLI:EU:C:2011:543; judgment of the General Court of 17 January 2013, Gollnisch v Parliament, T-346/11 and T-347/11, ECLI:EU:T:2013:23.
(2) Judgment of the General Court of 15 October 2008, Mote v Parliament, T-345/05, EU:T:2008:440, paragraph 28.


Request for waiver of the immunity of Jean-Marie Le Pen
European Parliament decision of 12 March 2019 on the request for waiver of the immunity of Jean-Marie Le Pen (2018/2247(IMM))
P8_TA-PROV(2019)0136 A8-0167/2019

The European Parliament,

–  having regard to the request for waiver of the immunity of Jean-Marie Le Pen, forwarded on 5 September 2018 by the Ministry of Justice of the French Republic on the basis of a request made by the Prosecutor-General at the Paris Court of Appeal, and announced in plenary on 22 October 2018, in connection with a case pending before the Examining Magistrates pertaining to a judicial investigation on grounds of alleged offences of breach of trust, concealment of breach of trust, fraud by an organised group, forgery and the use of forged documents, and concealed work by concealment of employees, in relation to the employment conditions of parliamentary assistants,

–  having heard Jean-François Jalkh, replacing Jean-Marie Le Pen, in accordance with Rule 9(6) of its Rules of Procedure,

–  having regard to Article 9 of Protocol No 7 on the Privileges and Immunities of the European Union, and Article 6(2) of the Act of 20 September 1976 concerning the election of the members of the European Parliament by direct universal suffrage,

–  having regard to the judgments of the Court of Justice of the European Union of 12 May 1964, 10 July 1986, 15 and 21 October 2008, 19 March 2010, 6 September 2011 and 17 January 2013(1),

–  having regard to Article 26 of the Constitution of the French Republic,

–  having regard to Rule 5(2), Rule 6(1) and Rule 9 of its Rules of Procedure,

–  having regard to the report of the Committee on Legal Affairs (A8-0167/2019),

A.  whereas the Examining Magistrates at the Paris Regional Court have requested the waiver of the parliamentary immunity of Jean-Marie Le Pen in order to hear him in connection with alleged offences;

B.  whereas the request for waiver of immunity of Jean-Marie Le Pen relates to alleged offences of breach of trust, concealment of breach of trust, fraud by an organised group, forgery and the use of forged documents, and concealed work by concealment of employees, in relation to the employment conditions of assistants of Members of the European Parliament affiliated to the Front National;

C.  whereas a judicial investigation was launched on 5 December 2016 following a preliminary investigation initiated after a denouncement by the then President of the European Parliament on 9 March 2015 regarding a certain number of parliamentary assistants of Members of the European Parliament affiliated to the Front National;

D.  whereas during a search conducted at the headquarters of the Front National in February 2016, a number of documents were seized in the office of the treasurer of the Front National, which bore witness to the party’s desire to make ‘savings’ through the European Parliament’s defrayal of the remuneration of employees of the party by virtue of their capacity as parliamentary assistants;

E.  whereas the Front National’s establishment plan, published in February 2015, listed only 15 Members of the European Parliament (of a total of 23), 21 local parliamentary assistants and 5 accredited parliamentary assistants (of a total of 54 assistants); whereas a number of parliamentary assistants declared that their place of employment was the headquarters of the Front National in Nanterre, in some cases indicating that they were employed there full time, though residing between 120 and 945 km from the declared place of employment; whereas, at this stage in the investigation, it emerged that 8 parliamentary assistants carried out virtually no parliamentary assistance work, or did so only as a very small part of their overall duties;

F.  whereas the investigations also revealed circumstances that made it seem unlikely that the parliamentary assistants concerned were genuinely performing duties connected with the European Parliament, notably:

   –  EU parliamentary assistants’ employment contracts interspersed between two Front National employment contracts,
   –  EU parliamentary assistants’ employment contracts for the European Parliament and for the Front National running concurrently,
   –  employment contracts for the Front National concluded for periods immediately following periods covered by EU parliamentary assistants’ employment contracts;

G.  whereas the investigation revealed that in his capacity as Member of the European Parliament, Jean-Marie Le Pen employed a parliamentary assistant in 2011, but the parliamentary assistant in question told investigators that he had worked on the election campaign of another Member of the European Parliament during the period concerned; whereas Jean-Marie Le Pen arranged for the payment of parliamentary assistants’ salaries to three other people, although they had done virtually no work whatsoever in that capacity;

H.  whereas the investigation also revealed that in his capacity as President of the Front National at the time of the alleged offences, Jean-Marie Le Pen established a system, brought to light by the European Parliament, of using EU funds to pay for some of the Front National’s employees through parliamentary contracts with people who, in reality, worked for the party, thereby infringing the EU rules in force;

I.  whereas the Examining Magistrates consider it necessary to hear Jean-Marie Le Pen;

J.  whereas Jean-Marie Le Pen refused to enter an appearance in response to the summonses served by the investigators on 21 June 2018 and did the same when served with a summons by the Examining Magistrates in July 2018, invoking his parliamentary immunity;

K.  whereas with a view to carrying out the questioning of Jean-Marie Le Pen in connection with the charges brought against him, the competent authority lodged an application for his immunity to be waived;

L.  whereas, pursuant to Article 9 of Protocol No 7 on the Privileges and Immunities of the European Union, Members of the European Parliament enjoy, in the territory of their own state, the immunities accorded to members of their parliament;

M.  whereas Article 26 of the French Constitution states that ‘No Member of Parliament shall be arrested for a serious crime or other major offence, nor shall he be subjected to any other custodial or semi-custodial measure, without the authorisation of the Bureau of the House of which he is a member. Such authorisation shall not be required in the case of a serious crime or other major offence committed flagrante delicto or when a conviction has become final’;

N.  whereas there is no evidence of nor any reason to suspect fumus persecutionis;

1.  Decides to waive the immunity of Jean-Marie Le Pen;

2.  Instructs its President to forward this decision and the report of its committee responsible immediately to the Minister of Justice of the French Republic and to Jean-Marie Le Pen.

(1) Judgment of the Court of Justice of 12 May 1964, Wagner v Fohrmann and Krier, 101/63, ECLI:EU:C:1964:28; judgment of the Court of Justice of 10 July 1986, Wybot v Faure and others, 149/85, ECLI:EU:C:1986:310; judgment of the General Court of 15 October 2008, Mote v Parliament, T-345/05, ECLI:EU:T:2008:440; judgment of the Court of Justice of 21 October 2008, Marra v De Gregorio and Clemente, C-200/07 and C-201/07, ECLI:EU:C:2008:579; judgment of the General Court of 19 March 2010, Gollnisch v Parliament, T-42/06, ECLI:EU:T:2010:102; judgment of the Court of Justice of 6 September 2011, Patriciello, C-163/10, ECLI:EU:C:2011:543; judgment of the General Court of 17 January 2013, Gollnisch v Parliament, T-346/11 and T-347/11, ECLI:EU:T:2013:23.


Request for waiver of the immunity of Dominique Bilde
European Parliament decision of 12 March 2019 on the request for waiver of the immunity of Dominique Bilde (2018/2267(IMM))
P8_TA-PROV(2019)0137 A8-0166/2019

The European Parliament,

–  having regard to the request for waiver of the immunity of Dominique Bilde, forwarded on 19 October 2018 by the Ministry of Justice of the French Republic on the basis of a request made by the Prosecutor-General at the Paris Court of Appeal and announced in plenary on 12 November 2018, in connection with a case pending before the Examining Magistrates pertaining to a judicial inquiry on grounds of alleged offences of breach of trust, concealment of breach of trust, fraud by an organised group, forgery and the use of forged documents, and concealed work by concealment of employees, in relation to the employment conditions of assistants,

–  having heard Jean-François Jalkh, replacing Dominique Bilde, in accordance with Rule 9(6) of its Rules of Procedure,

–  having regard to Article 9 of Protocol No 7 on the Privileges and Immunities of the European Union, and Article 6(2) of the Act of 20 September 1976 concerning the election of the members of the European Parliament by direct universal suffrage,

–  having regard to the judgments of the Court of Justice of the European Union of 12 May 1964, 10 July 1986, 15 and 21 October 2008, 19 March 2010, 6 September 2011 and 17 January 2013(1),

–  having regard to Article 26 of the Constitution of the French Republic,

–  having regard to Rule 5(2), Rule 6(1) and Rule 9 of its Rules of Procedure,

–  having regard to the report of the Committee on Legal Affairs (A8-0166/2019),

A.  whereas the Examining Magistrates at the Paris Regional Court have requested the waiver of the parliamentary immunity of Dominique Bilde in order to hear her in connection with alleged offences;

B.  whereas the request for waiver of the immunity of Dominique Bilde relates to alleged offences of breach of trust, concealment of breach of trust, fraud by an organised group, forgery and the use of forged documents, and concealed work by concealment of employees, in relation to the employment conditions of assistants of Members of the European Parliament affiliated to the Front National;

C.  whereas a judicial investigation was launched on 5 December 2016, following a preliminary investigation initiated after a denouncement by the then President of the European Parliament on 9 March 2015 regarding a certain number of parliamentary assistants of Members of the European Parliament affiliated to the Front National;

D.  whereas during a search conducted at the headquarters of the Front National in February 2016, a number of documents were seized in the office of the treasurer of the Front National, which bore witness to the party’s desire to make ‘savings’ through the European Parliament’s defrayal of the remuneration of employees of the party by virtue of their capacity as parliamentary assistants; whereas, at this stage in the investigation, it emerged that eight parliamentary assistants carried out virtually no parliamentary assistance work, or did so only as a very small proportion of their overall duties;

E.  whereas it emerged that Dominique Bilde’s full-time parliamentary assistant from 1 October 2014 to 31 July 2015 was one of the assistants who carried out virtually no parliamentary assistance work; whereas in the Front National’s establishment plan published in February 2015, the job title of Dominique Bilde’s parliamentary assistant was ‘national planning officer’, and he worked in the Policy Watch and Planning Unit under the responsibility of another Member of the European Parliament; whereas his contract as a parliamentary assistant was followed by two contracts in connection with the activities of the Front National for the period from August 2015 to 31 December 2016; whereas during the period covered by his contract as a parliamentary assistant, he also performed the following duties: Secretary-General of the Collectif Marianne, Secretary-General of the Collectif Mer et Francophonie and candidate in the March 2015 departmental elections in the department of Doubs;

F.  whereas the European Parliament suspended payment of the parliamentary assistance expenses related to the contract of Dominique Bilde’s parliamentary assistant;

G.  whereas the Examining Magistrates consider it necessary to hear Dominique Bilde;

H.  whereas Dominique Bilde refused to answer the questions put by the investigators when she was heard by them in August 2017, and refused to appear before the Examining Magistrates at a hearing preparatory to her being charged with breach of trust which was due to be held on 24 November 2017, invoking her parliamentary immunity;

I.  whereas, with a view to carrying out the questioning of Dominique Bilde in connection with the charges brought against her, the competent authority lodged an application for her immunity to be waived;

J.  whereas, pursuant to Article 9 of Protocol No 7 on the Privileges and Immunities of the European Union, Members of the European Parliament enjoy, in the territory of their own state, the immunities accorded to members of their parliament;

K.  whereas Article 26 of the French Constitution states that ‘No Member of Parliament shall be arrested for a serious crime or other major offence, nor shall he be subjected to any other custodial or semi-custodial measure, without the authorisation of the Bureau of the House of which he is a member. Such authorisation shall not be required in the case of a serious crime or other major offence committed flagrante delicto or when a conviction has become final’;

L.  whereas there is no evidence of nor any reason to suspect fumus persecutionis;

1.  Decides to waive the immunity of Dominique Bilde;

2.  Instructs its President to forward this decision and the report of its committee responsible immediately to the Minister of Justice of the French Republic and to Dominique Bilde.

(1) Judgment of the Court of Justice of 12 May 1964, Wagner v Fohrmann and Krier, 101/63, ECLI:EU:C:1964:28; judgment of the Court of Justice of 10 July 1986, Wybot v Faure and others, 149/85, ECLI:EU:C:1986:310; judgment of the General Court of 15 October 2008, Mote v Parliament, T-345/05, ECLI:EU:T:2008:440; judgment of the Court of Justice of 21 October 2008, Marra v De Gregorio and Clemente, C-200/07 and C-201/07, ECLI:EU:C:2008:579; judgment of the General Court of 19 March 2010, Gollnisch v Parliament, T-42/06, ECLI:EU:T:2010:102; judgment of the Court of Justice of 6 September 2011, Patriciello, C-163/10, ECLI:EU:C:2011:543; judgment of the General Court of 17 January 2013, Gollnisch v Parliament, T-346/11 and T-347/11, ECLI:EU:T:2013:23.


Extending Rule 159 of Parliament’s Rules of Procedure until the end of the ninth parliamentary term
European Parliament decision of 12 March 2019 extending Rule 159 of Parliament’s Rules of Procedure until the end of the ninth parliamentary term (2019/2545(RSO))
P8_TA-PROV(2019)0138 B8-0147/2019

The European Parliament,

–  having regard to Article 342 of the Treaty on the Functioning of the European Union,

–  having regard to Council Regulation No 1 of 15 April 1958 determining the languages to be used by the European Economic Community(1),

–  having regard to Council Regulations (EC) No 920/2005(2) and (EU, Euratom) 2015/2264(3),

–  having regard to the Code of Conduct on Multilingualism adopted by the Bureau on 16 June 2014,

–  having regard to its decision of 26 February 2014(4) extending the applicability of Rule 159 of Parliament’s Rules of Procedure until the end of the eighth parliamentary term and the subsequent decisions of the Bureau extending the derogation from Rule 158 until the end of this term,

–  having regard to Rules 158 and 159 of its Rules of Procedure,

A.  whereas, pursuant to Rule 158, all Parliament’s documents are to be drawn up in the official languages, and all Members have the right to speak in Parliament in the official language of their choice, with interpretation being provided into the other official languages;

B.  whereas, under Rule 159, derogations from Rule 158 are permissible until the end of the eighth parliamentary term if and to the extent that, despite adequate precautions having been taken, the linguists required for an official language are not available in sufficient numbers; whereas, with respect to each official language for which a derogation is considered necessary, the Bureau, on a proposal from the Secretary-General and having due regard to the temporary special arrangements adopted by the Council on the basis of the Treaties concerning the drafting of legal acts, is required to ascertain whether the conditions are fulfilled and to review its decision every six months;

C.  whereas Council Regulations (EC) No 920/2005 and (EU, Euratom) 2015/2264 provide for a gradual restriction of the derogation in respect of Irish and, in the absence of another Council Regulation stating otherwise, the lapse of that derogation as from 1 January 2022;

D.  whereas, despite all adequate precautions, capacity in Croatian, Irish and Maltese is not expected to be such as to allow a full interpretation service in those languages from the beginning of the ninth parliamentary term;

E.  whereas, despite sustained and continuous interinstitutional efforts and considerable progress, the number of qualified translators is still expected to be so limited as regards Irish that, for the foreseeable future, full coverage of that language under Rule 158 cannot be assured; whereas, pursuant to Council Regulations (EC) No 920/2005 and (EU, Euratom) 2015/2264, a growing number of legal acts has to be translated into Irish, which reduces the possibility to translate other parliamentary documents into that language;

F.  whereas Rule 159(4) provides that, on the basis of a reasoned recommendation from the Bureau, Parliament may decide, at the end of the parliamentary term, to extend that Rule;

G.  whereas, in the light of the foregoing, the Bureau has recommended that Rule 159 be extended until the end of the ninth parliamentary term;

1.  Decides to extend Rule 159 of Parliament’s Rules of Procedure until the end of the ninth parliamentary term;

2.  Instructs its President to forward this decision to the Council and the Commission for information.

(1) OJ 17, 6.10.1958, p. 385.
(2) Council Regulation (EC) No 920/2005 of 13 June 2005 amending Regulation No 1 of 15 April 1958 determining the language to be used by the European Economic Community and Regulation No 1 of 15 April 1958 determining the language to be used by the European Atomic Energy Community and introducing temporary derogation measures from those Regulations (OJ L 156, 18.6.2005, p. 3).
(3) Council Regulation (EU, Euratom) 2015/2264 of 3 December 2015 extending and phasing out the temporary derogation measures from Regulation No 1 of 15 April 1958 determining the languages to be used by the European Economic Community and Regulation No 1 of 15 April 1958 determining the languages to be used by the European Atomic Energy Community introduced by Regulation (EC) No 920/2005 (OJ L 322, 8.12.2015, p. 1).
(4) OJ C 285, 29.8.2017, p. 164.


Electronic freight transport information ***I
European Parliament legislative resolution of 12 March 2019 on the proposal for a regulation of the European Parliament and of the Council on electronic freight transport information (COM(2018)0279 – C8-0191/2018 – 2018/0140(COD))
P8_TA(2019)0139 A8-0060/2019

This text is still being processed for publication in your language. The PDF or WORD version is already available by clicking on the icon above right.


EU-Vietnam Voluntary Partnership Agreement on forest law enforcement, governance and trade ***
European Parliament legislative resolution of 12 March 2019 on the draft Council decision on the conclusion of the Voluntary Partnership Agreement between the European Union and the Socialist Republic of Viet Nam on forest law enforcement, governance and trade (10861/2018 – C8-0445/2018 – 2018/0272(NLE))
P8_TA-PROV(2019)0140 A8-0083/2019

(Consent)

The European Parliament,

–  having regard to the draft Council decision on the conclusion of the Voluntary Partnership Agreement between the European Union and the Socialist Republic of Viet Nam on forest law enforcement, governance and trade (10861/2018),

–  having regard to the draft Voluntary Partnership Agreement between the European Union and the Socialist Republic of Viet Nam on forest law enforcement, governance and trade (10877/2018),

–  having regard to the request for consent submitted by the Council in accordance with first subparagraphs of Article 207(3) and (4), in conjunction with point (a)(v) of the second subparagraph of Article 218(6) and Article 218(7) thereof, of the Treaty on the Functioning of the European Union (C8‑0445/2018),

–  having regard to its non-legislative resolution of 12 March 2019(1) on the draft decision,

–  having regard to Rule 99(1) and (4), and Rule 108(7) of its Rules of Procedure,

–  having regard to the recommendation of the Committee on International Trade and the opinion of the Committee on Development (A8-0083/2019),

1.  Gives its consent to conclusion of the agreement;

2.  Instructs its President to forward its position to the Council, the Commission and the governments and parliaments of the Member States and of the Socialist Republic of Viet Nam.

(1) Texts adopted of that date, P8_TA-PROV(2019)0141.


EU-Vietnam Voluntary Partnership Agreement on forest law enforcement, governance and trade (resolution)
European Parliament non-legislative resolution of 12 March 2019 on the draft Council decision on the conclusion of the Voluntary Partnership Agreement between the European Union and the Socialist Republic of Viet Nam on forest law enforcement, governance and trade (10861/2018 – C8-0445/2018 – 2018/0272M(NLE))
P8_TA-PROV(2019)0141 A8-0093/2019

The European Parliament,

–  having regard to the draft Council decision on the conclusion of the Voluntary Partnership Agreement between the European Union and the Socialist Republic of Viet Nam on forest law enforcement, governance and trade (10861/2018),

–  having regard to the draft Voluntary Partnership Agreement of 9 October 2018 between the European Union and the Socialist Republic of Viet Nam on forest law enforcement, governance and trade (10877/2018),

–  having regard to the request for consent submitted by the Council in accordance with the first subparagraphs of Articles 207(3) and 207(4), in conjunction with point (a)(v) of the second subparagraph of Article 218(6) and with Article 218(7) of the Treaty on the Functioning of the European Union (C8‑0445/2018),

–  having regard to the Framework Agreement on Comprehensive Partnership and Cooperation between the European Union and its Member States, of the one part, and the Socialist Republic of Vietnam, of the other part(1),

–  having regard to the draft Free Trade Agreement between the European Union and the Socialist Republic of Vietnam,

–  having regard to the draft Investment Protection Agreement between the European Union and its Member States, of the one part, and the Socialist Republic of Vietnam of the other part,

–  having regard to Council Regulation (EC) No 2173/2005 of 20 December 2005 on the establishment of a FLEGT licensing scheme for imports of timber into the European Community(2) (FLEGT Regulation),

–  having regard to the Commission’s proposal for a Forest Law Enforcement, Governance and Trade Action Plan (COM(2003)0251),

–  having regard to the Council conclusions of 28 June 2016 on forest law enforcement, governance and trade (10721/2016),

–  having regard to Regulation (EU) No 995/2010 of the European Parliament and of the Council of 20 October 2010 laying down the obligations of operators who place timber and timber products on the market(3) (EU Timber Regulation),

–  having regard to the reports of the Environmental Investigation Agency of 31 May 2018 entitled ‘Serial Offender: Vietnam’s continued imports of illegal Cambodian timber’(4) and of 25 September 2018 entitled ‘Vietnam in Violation: Action required on fake CITES permits for rosewood trade’(5),

–  having regard to the 2015-2030 United Nations Sustainable Development Goals (SDGs),

–  having regard to the Paris Agreement reached on 12 December 2015 at the 21st Conference of Parties to the United Nations Framework Convention on Climate Change (COP21),

–  having regard to the 2011 Bonn Challenge, which is a global effort to bring 150 million hectares of the world’s deforested and degraded land into restoration by 2020, and 350 million hectares by 2030,

–  having regard to the report of the United Nations Environment Programme (UNEP) of 2012 entitled ‘Green carbon, black trade: illegal logging, tax fraud and laundering in the world’s tropical forests’(6),

–  having regard to the UN conventions to tackle crime and corruption, including the Convention against Transnational Organised Crime and the Convention against Corruption,

–  having regard to its legislative resolution of 12 March 2019(7) on the draft Council decision,

–  having regard to Rule 99(2) of its Rules of Procedure,

–  having regard to the report of the Committee on International Trade and the opinion of the Committee on Development (A8-0093/2019),

A.  whereas Vietnam became the third country in Asia to enter into negotiations on a forest law enforcement, governance and trade (FLEGT) Voluntary Partnership Agreement (VPA) in 2010, after Indonesia and Malaysia; whereas negotiations were concluded in May 2017 and the agreement was signed on 19 October 2018;

B.  whereas the objective of the VPA is to provide a legal framework aimed at ensuring that all timber and timber product imports from Vietnam into the EU covered by the VPA have been produced legally; whereas VPAs are generally intended to foster systemic changes in the forestry sector aimed at sustainable management of forests, eradicating illegal logging and supporting worldwide efforts to stop deforestation and forest degradation;

C.  whereas Vietnam is a significant country in the context of the timber trade, home to the world’s fourth-largest, export-oriented wood processing sector and aiming to become the largest; whereas, as a processing hub, Vietnam is a major exporter of timber products to the EU but also to countries in the region, notably China and Japan;

D.  whereas Vietnam is a major importer of timber and timber products, with its factories consuming some 34 million cubic meters of timber and timber products in 2017, of which 25 % was imported and 75 % was from domestic plantations, many owned and managed by smallholders; whereas imports grew in value by 68 % over the period 2011-2017; whereas in recent years, Vietnam has made considerable progress in reducing domestic deforestation and has increased its forested area from 37 % in 2005 to 41,65 % in 2018, including industrial plantations; whereas Vietnam has enforced a prohibition on the logging of domestic natural forests since 2016;

E.  whereas the biggest source countries for logs and sawn timber in 2017 were Cameroon, the US and Cambodia, alongside Democratic Republic of Congo (DRC) as a notable supplier; whereas, since 2015, Cambodia has been Vietnam’s second-largest tropical timber supplier, in spite of a reported ban(8) on exports to Vietnam; whereas a 43 % increase in volume and 40 % increase in value of imports from African countries was reported between 2016 and 2017; whereas NGOs with relevant expertise have pointed out that timber exported from Cambodia and DRC should be considered as ‘high risk’, while raw timber is often imported from countries characterised by weak governance, high levels of corruption or conflict, with widespread risk of illegality in timber harvesting;

F.  whereas Cambodia has the fifth-highest deforestation rate in the world and whereas UN statistics show that Cambodia’s forest cover fell from 73 % in 1990 to 57 % in 2010;

G.  whereas, based on Article 3 of Sub-decree No. 131 of 28 November 2006, Cambodia prohibits exports of round logs except from plantations, rough sawn timber except from plantations, and square and rectangular timber of a thickness and width greater than 25 cm(9); whereas all exports of natural forest timber products from Cambodia are in principle deemed to be in breach of Cambodian law; whereas, under the VPA, Vietnam is committed to only importing timber that has been legally harvested in accordance with the national legislation of the source country;

H.  whereas under a VPA, a country commits to setting up a policy with a view to ensuring that only timber and timber products verified as legal will be exported to the EU(10); whereas Vietnam will have to adopt legislation putting in place the Timber Legality Assurance System (TLAS), and set up the necessary administrative structures and capacity in order to implement and enforce its VPA commitments; whereas this VPA will apply to timber and timber products intended for both domestic and export markets, save for the final step of FLEGT licensing, which is for the time being intended for exports to the EU only;

I.  whereas Vietnam has committed to adopting legislation ensuring only legally produced timber(11) is imported into its market, based on due diligence obligations for timber and timber product importers; whereas Vietnam has also committed to recognising the relevant laws of countries of harvest as part of the definition of legality under the VPA;

J.  whereas promoting this VPA in the region would play an important role in fostering economic integration and achieving international sustainable development goals; whereas the conclusion of new VPAs – in particular with China, which borders Vietnam and is a major player in the processed wood industry – would make it possible to provide guarantees as to the legality and viability of the trade in timber and timber products in the region;

K.  whereas only once Vietnam has proven full implementation of all VPA commitments(12) and has set up the capacity to enforce the related national legislation will it be able to accede to the EU FLEGT licencing scheme; whereas timber imported under a FLEGT licence is presumed to be legal under the EU Timber Regulation; whereas the accession of Vietnam to the FLEGT licencing scheme is approved by a delegated act;

L.  whereas the EU-Vietnam FTA will liberalise trade in timber and timber products at its entry into force and imports from Vietnam will be covered by the general due diligence obligations of the EU Timber Regulation until the start of FLEGT licencing(13);

1.  Recalls that sustainable and inclusive forest management and governance is essential to achieve the objectives set in the 2030 Agenda for Sustainable Development and the Paris Agreement;

2.  Calls for the EU to ensure the coherence of the VPA with all its policies, including in the fields of development, the environment, agriculture and trade;

3.  Strongly supports the FLEGT process with Vietnam given the country’s role in the timber processing sector; welcomes the signature of the VPA, an agreement designed to progressively bring complete policy reform in the country aimed at cleaning illegally produced timber from the supply chains of Vietnamese operators; welcomes Vietnam’s commitment and the progress made so far and is aware that the full implementation of the VPA will be a long-term process entailing not only the adoption of a whole set of legislation (TLAS) but also ensuring that adequate administrative capacity and expertise for implementation and enforcement of the VPA is in place; recalls that FLEGT licencing can start only once Vietnam has demonstrated the readiness of its TLAS system; takes note of the challenges represented by the coordination between the national and provincial levels, which is necessary in order to adequately and consistently enforce the VPA throughout the country and calls on the Government of Vietnam to ensure such coordination;

4.  Recalls that the implementation of the VPA must complement EU commitments to environmental protection and ensure coherence with commitments to prevent mass deforestation;

5.  Calls on the Commission and the European External Action Service (EEAS) to allocate adequate human resources to the implementation of this VPA, including ensuring adequate resources to the EU Delegation in Hanoi, as well as financial resources to Vietnam in the framework of the present and future development cooperation instruments to be specifically earmarked for the implementation of the VPA; encourages the Commission and the EEAS to assist the Vietnamese authorities and civil society, including by making satellite images available to them; calls for the EU to direct its efforts towards the strengthening of Vietnam’s legal framework and institutional capacity by addressing the technical and economic challenges that impede the effective implementation and enforcement of existing national and international regulations;

6.  Acknowledges commitments made by Vietnam’s wood industry to eliminate illegal timber from supply chains and raise awareness of these matters; stresses, however, that a shift in mindset within the industry, as well as robust enforcement, is key; recalls that the presence of illegal timber in supply chains risks inflicting reputational damage on the Vietnamese processing industry;

7.  Is aware, however, that in the past Vietnam has been faced with a significant challenge in tackling illegal timber trade from Laos, and in recent years from Cambodia; considers that in such cases Vietnam and supplier countries are together responsible for fuelling this illegal trade, since Vietnamese authorities, notably at provincial level, have taken formal decisions that breach the legislation of the country of harvest, such as administering formal import quotas;

8.  Welcomes Vietnam’s commitment to adopt legislation to ensure that only legally produced timber is imported into its market, based on mandatory due diligence for importers, as one of the major achievements of the VPA; recalls that due diligence obligations should not be reduced to a mere box-ticking exercise, but that they should include all necessary steps – such as gathering information, assessing risks and taking additional measures to mitigate any risks identified with a view to reducing the risk level to ‘negligible’ – to be enforced by the competent national authorities through sound and systematic checks on individual companies; highlights the challenge of enforcing due diligence obligations through customs authorities, which will require adequate training; recalls that the Vietnamese authorities should adopt a due diligence system corresponding to the one detailed in the EU Timber Regulation and stresses the need to provide for independent third party submissions in the national due diligence legislation; encourages the Vietnamese authorities to consider third party auditing and public reporting by companies as requirements of their due diligence system, as well as to provide adequate support to companies in complying with their obligations and to avoid placing disproportionate burdens on household suppliers of timber, while avoiding the creation of loopholes;

9.  Calls on the Government of Vietnam to provide for adequate, dissuasive and proportionate penalties for infringement of legislation implementing TLAS, which would in the case of imports include a full prohibition of the placing on the Vietnamese market of illegal timber, alongside the seizure of such timber;

10.  Welcomes the independent evaluation and complaints and feedback mechanism and calls on the Vietnamese authorities to ensure that these are responded to adequately, including through effective and dissuasive enforcement action when necessary; expects these mechanisms to operate in full transparency and to foster information sharing between civil society and enforcement authorities; welcomes the commitment by Vietnam to ensure independent monitoring of the VPA implementation by civil society organisations, forest associations, enterprises, trade unions, local communities and people living in forest areas; stresses the crucial importance of their involvement and access to relevant and up-to-date information in enabling them to fulfil their role in this process and to further contribute to the credibility of TLAS and its continuous strengthening; welcomes the commitment made by Vietnam to allow civil society access to the national database on forestry and encourages the government to submit TLAS implementing legislation to public consultation and take into account the feedback it receives;

11.  Welcomes the involvement of civil society organisations during and following the VPA negotiations and urges the Government of Vietnam to ensure genuine and full inclusion during the whole implementation phase and beyond, covering the entire scope of the VPA, including import controls, due diligence obligations, the organisation classification system and risk-based verification of companies and FLEGT licences; stresses the importance of involving local communities both for socio-economic reasons and in order to ensure proper implementation of the new Forestry Law and the VPA commitments;

12.  Strongly condemns the illegal timber trade taking place across the Cambodian border and calls on the authorities of both countries to put an immediate and complete stop to the illegal flows, as an absolute necessity for a successful continuation of the VPA process; urges the Vietnamese authorities to investigate, remove from function and bring to justice those responsible for having authorised and managed the illegal trade from Cambodia and elsewhere; welcomes the recent decision taken by the Vietnamese authorities only to allow timber trade through the main international gates, as well as to strengthen enforcement capabilities against illegal trade; urges the Vietnamese authorities to immediately categorise timber from Cambodia as ‘high risk’ and to make sure Cambodian legislation on the harvest and export of timber is respected, in line with VPA commitments; calls on the two countries to foster and improve dialogue, cross-border cooperation, exchange of trade data and information on risks related to illegal timber trade and the respective legislation in force, and encourages them to involve the EU in facilitating this dialogue; encourages Vietnam and Cambodia to request support from Interpol and work together on effective and long-term measures to combat rampant illegal logging and the cross border smuggling of timber to Vietnam; calls on the Vietnamese authorities to apply the same measures to imports from other supplier countries where similar concerns exist or may arise, notably those in Africa, such as DRC;

13.  Stresses the need to address the regional dimension of illegal logging and the transport, processing and trade of illegal timber throughout the supply chain; calls for this regional dimension to be included in the VPA evaluation process in the form of an assessment of the link between the existence of weaker enforcement mechanisms in other countries of the region and the increase of exports from such countries to the EU;

14.  Stresses that poor governance and corruption in the forestry sector accelerate illegal logging and forest degradation and emphasises the fact that the success of the FLEGT initiative also depends on tackling fraud and corruption throughout the timber supply chain; urges the Government of Vietnam to work to stop widespread corruption and address other factors fuelling this trade, in particular in relation to customs and other authorities that will play a pivotal role in the implementation and enforcement of the VPA, as a concrete signal that Vietnam is fully committed to the VPA process; stresses the need to end impunity in the forest sector by ensuring that infractions are prosecuted;

15.  Welcomes the recent adoption by the Vietnamese Government of an action plan for the implementation of the VPA and calls on the government to follow a concrete, time bound and measurable approach; welcomes the entry into force of the new Forestry Law on 1 January 2019, which includes a prohibition on imports of illegally produced timber into Vietnam and urges the Vietnamese authorities to enforce this prohibition and to swiftly adopt implementing measures if necessary, with a view to bridging the gap until TLAS becomes operational;

16.  Welcomes the inclusion of provisions on sustainable management of forests in the EU-Vietnam FTA, which also make a connection with the VPA; calls on the Commission to pay particular attention to trade in timber and timber products during the implementation of the FTA and to monitor trade flows closely in order to make sure that additional trade liberalisation does not entail additional risks of illegal trade;

17.  Asks the Commission to report to Parliament annually on progress made by Vietnam in implementing the VPA, including against the requirements of this resolution, as well as on the activities of the Joint Implementation Committee, with a view to enabling an informed decision once the delegated act authorising the acceptance of FLEGT licences is proposed; calls on the Commission to consider improving the regulation on FLEGT licencing at the next review exercise in order to enable it to respond quickly to cases of significant infringements of VPA commitments;

18.  Calls on the Commission to foster dialogue and promote the EU Timber Regulation with the major importing countries in the region and major EU trading partners such as China and Japan, and to further prioritise the need in bilateral relations with those countries, including in trade relations, for concrete solutions to stop illegal timber trade, with a view to creating a global level playing field on which to address the issue; supports the Commission in launching VPA negotiations with Vietnam’s neighbouring countries as soon as the necessary conditions are fulfilled and underlines the importance of FLEGT VPAs in future development and cooperation instruments; invites the Commission to put in place instruments to facilitate best practice exchanges between Vietnam and other countries that have already concluded VPAs with the EU;

19.  Instructs its President to forward its position to the Council, the Commission and the governments and parliaments of the Member States, of the Socialist Republic of Vietnam and of the Kingdom of Cambodia.

(1) OJ L 329, 3.12.2016, p. 8.
(2) OJ L 347, 30.12.2005, p. 1.
(3) OJ L 295, 12.11.2010, p. 23.
(4) https://eia-international.org/wp-content/uploads/eia-serial-offender-web.pdf
(5) https://eia-international.org/report/vietnam-violation-action-required-fake-cites-permits-rosewood-trade/
(6) Nellemann, C., INTERPOL Environmental Crime Programme (eds). 2012. Green Carbon, Black Trade: Illegal Logging, Tax Fraud and Laundering in the World’s Tropical Forests. A Rapid Response Assessment. United Nations Environment Programme, GRID-Arendal, http://wedocs.unep.org/bitstream/handle/20.500.11822/8030/Green%20carbon%20Black%20Trade_%20Illegal%20logging.pdf?sequence=5&isAllowed=y
(7) Texts adopted, P8_TA-PROV(2019)0140.
(8) https://www.phnompenhpost.com/national/despite-ban-timber-exports-vietnam-nearing-2016-total
(9) https://eia-international.org/wp-content/uploads/eia-serial-offender-web.pdf, p. 6.
(10) The VPA covers all major products exported to the EU, particularly the five compulsory timber products as defined in the 2005 FLEGT Regulation (logs, sawn timber, railway sleepers, plywood and veneer) and also includes a number of other timber products such as wood chip particles, parquet flooring, particle board and wooden furniture. The VPA covers exports to all third countries though, at least initially, the licencing scheme only applies to EU exports.
(11) According to point (j) of Article 2 of the VPA, ‘‘legally produced timber’ (hereinafter also referred to as ‘legal timber’) means timber products harvested or imported and produced in accordance with the legislation of Vietnam set out in Annex II and other relevant provisions of this Agreement; and, in the case of imported timber, it means timber products harvested, produced and exported in accordance with the relevant legislation of the country of harvest and the procedures described in Annex V’.
(12) The readiness of the TLAS system for FLEGT licensing will first be assessed jointly by the EU and Vietnam. Only if both parties agree that the system is robust enough will the licensing be able to start.
(13) Article 13.8, paragraph 2(a): ‘[each Party shall] encourage the promotion of trade in forest products from sustainably managed forests and harvested in accordance with the domestic legislation in the country of harvest; this may include the conclusion of a Forest Law Enforcement Governance and Trade (FLEGT) Voluntary Partnership Agreement’.


Protocol amending the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ***
European Parliament legislative resolution of 12 March 2019 on the draft Council decision authorising Member States to ratify, in the interest of the European Union, the Protocol amending the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (10923/2018 – C8-0440/2018 – 2018/0238(NLE))
P8_TA-PROV(2019)0142 A8-0070/2019

(Consent)

The European Parliament,

–  having regard to the draft Council decision (10923/2018),

–  having regard to the Protocol amending the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (ETS No. 108) (CETS No. 223),

–  having regard to the request for consent submitted by the Council in accordance with Article 16 and Article 218(6), second subparagraph, point (a)(v) of the Treaty on the Functioning of the European Union (C8-0440/2018),

–  having regard to Rule 99(1) and (4) and Rule 108(7) of its Rules of Procedure,

–  having regard to the recommendation of the Committee on Civil Liberties, Justice and Home Affairs (A8-0070/2019),

1.  Gives its consent to the draft Council decision;

2.  Instructs its President to forward its position to the Council, the Commission and the governments and parliaments of the Member States and to the Council of Europe.


Authorising Member States to become party to the Council of Europe Convention on an Integrated safety, security, and service approach at football matches and other sports events ***
European Parliament legislative resolution of 12 March 2019 on the draft Council decision authorising Member States to become parties, in the interest of the European Union, to the Council of Europe Convention on an Integrated Safety, Security, and Service Approach at Football Matches and Other Sports Events (CETS No 218) (12527/2018 – C8-0436/2018 – 2018/0116(NLE))
P8_TA-PROV(2019)0143 A8-0080/2019

(Consent)

The European Parliament,

–  having regard to the draft Council decision (12527/2018),

–  having regard to the Council of Europe Convention on an Integrated Safety, Security and Service Approach at Football Matches and Other Sports Events (CETS No. 218),

–  having regard to the request for consent submitted by the Council in accordance with Article 87(1) and Article 218(6), second subparagraph, point (a)(v), and Article 218(8) of the Treaty on the Functioning of the European Union (C8-0436/2018),

–  having regard to the Council Decision 2002/348/JHA of 25 April 2002 concerning security in connection with football matches with an international dimension(1),

–  having regard to its resolution of 2 February 2017 on an integrated approach to Sport Policy: good governance, accessibility and integrity(2),

–  having regard to Rule 99(1) and (4), and Rule 108(7) of its Rules of Procedure,

–  having regard to the recommendation of the Committee on Civil Liberties, Justice and Home Affairs and the opinion of the Committee on Culture and Education (A8-0080/2019),

1.  Gives its consent to the draft Council decision;

2.  Instructs its President to forward its position to the Council, the Commission and the governments and parliaments of the Member States and to the Council of Europe.

(1) OJ L 121, 8.5.2002, p. 1.
(2) OJ C 252, 18.7.2018, p. 2.


Protocol amending the EU-China Agreement on Maritime Transport (accession of Croatia) ***
European Parliament legislative resolution of 12 March 2019 on the draft Council decision on the conclusion, on behalf of the Union and of the Member States, of the Protocol amending the Agreement on maritime transport between the European Community and its Member States, of the one part, and the government of the People's Republic of China, of the other part, to take account of the accession of the Republic of Croatia to the European Union (05083/2015 – C8-0022/2019 – 2014/0327(NLE))
P8_TA-PROV(2019)0144 A8-0168/2019

(Consent)

The European Parliament,

–  having regard to the draft Council decision (05083/2015),

–  having regard to the draft Protocol amending the Agreement on Maritime Transport between the European Community and its Member States, of the one part, and the Government of the People's Republic of China, of the other part (05880/2015),

–  having regard to the request for consent submitted by the Council in accordance with Article 100(2) and Article 218(6), second subparagraph, point (a) of the Treaty on the Functioning of the European Union (C8‑0022/2019),

–  having regard to Rule 99(1) and (4) and Rule 108(7) of its Rules of Procedure,

–  having regard to the recommendation of the Committee on Transport and Tourism (A8-0168/2019),

1.  Gives its consent to conclusion of the Protocol;

2.  Instructs its President to forward its position to the Council, the Commission and the governments and parliaments of the Member States and of the People's Republic of China.


EU-Egypt Euro-Mediterranean Agreement (accession of Croatia) ***
European Parliament legislative resolution of 12 March 2019 on the draft Council decision on the conclusion, on behalf of the European Union and its Member States, of a Protocol to the Euro-Mediterranean Agreement establishing an Association between the European Communities and their Member States, of the one part, and the Arab Republic of Egypt, of the other part, to take account of the accession of the Republic of Croatia to the European Union (10219/2016 – C8-0135/2017 – 2016/0121(NLE))
P8_TA-PROV(2019)0145 A8-0025/2019

(Consent)

The European Parliament,

–  having regard to the draft Council decision (10219/2016),

–  having regard to the draft Protocol to the Euro-Mediterranean Agreement establishing an Association between the European Communities and their Member States, of the one part, and the Arab Republic of Egypt, of the other part, to take account of the accession of the Republic of Croatia to the European Union (10221/2016),

–  having regard to the request for consent submitted by the Council in accordance with Article 217 and Article 218(6), second subparagraph, point (a) of the Treaty on the Functioning of the European Union (C8‑0135/2017),

–  having regard to Rule 99(1) and (4) and Rule 108(7) of its Rules of Procedure,

–  having regard to the recommendation of the Committee on Foreign Affairs (A8-0025/2019),

1.  Gives its consent to conclusion of the Protocol;

2.  Instructs its President to forward its position to the Council, the Commission and the governments and parliaments of the Member States and of the Arab Republic of Egypt.


EU-Turkmenistan Partnership and Cooperation Agreement
European Parliament resolution of 12 March 2019 on the draft Council and Commission decision on the conclusion by the European Union and the European Atomic Energy Community of the Partnership and Cooperation Agreement establishing a Partnership between the European Communities and their Member States, of the one part, and Turkmenistan, of the other part (12183/1/2011 – C8-0059/2015 – 1998/0031R(NLE))
P8_TA-PROV(2019)0146 A8-0072/2019

The European Parliament,

–  having regard to the draft Council and Commission decision (12183/1/2011),

–  having regard to the draft Partnership and Cooperation Agreement establishing a partnership between the European Communities and their Member States, of the one part, and Turkmenistan, of the other part (12288/2011),

–  having regard to the request for consent submitted by the Council in accordance with Articles 91, 100(2), 207, 209 and 218(6)(a) of the Treaty on the Functioning of the European Union, and in accordance with the second paragraph of Article 101 of the Treaty establishing the European Atomic Energy Community (C8-0059/2015),

–  having regard to its previous resolutions on the region of Central Asia, in particular those of 20 February 2008 on an EU Strategy for Central Asia(1), of 15 December 2011 on the state of implementation of the EU Strategy for Central Asia(2), of 13 April 2016 on implementation and review of the EU-Central Asia Strategy(3), of 22 April 2009 on the Interim Trade Agreement with Turkmenistan(4), and of 14 February 2006 on the human rights and democracy clause in European Union agreements(5),

–  having regard to the 1999 Interim Agreement on trade and trade-related matters between the European Community, the European Coal and Steel Community and the European Atomic Energy Community, of the one part, and Turkmenistan, of the other part, concluded by the Council on 27 July 2009 (5144/1999), and to the regular meetings of the Joint Committee established thereunder,

–  having regard to the Memorandum of Understanding on Energy signed between the European Union and Turkmenistan in May 2008,

–  having regard to the International Covenant on Civil and Political Rights (ICCPR) and the International Covenant on Economic, Social and Cultural Rights (ICESCR), to which Turkmenistan is a party,

–  having regard to the annual EU-Turkmenistan Human Rights Dialogue,

–  having regard to the commitment made by the Vice-President of the Commission / High Representative of the Union for Foreign Affairs and Security Policy (VP/HR) in her letter to the Committee on Foreign Affairs on 16 December 2015, containing the aspects mentioned in paragraph 3 herein,

–  having regard to the letter by the VP/HR to the Chair of the Committee on Foreign Affairs of 5 July 2018 noting her support for the Partnership and Cooperation Agreement (PCA) with Turkmenistan,

–  having regard to Rule 99(5) of its Rules of Procedure,

–  having regard to the interim report of the Committee on Foreign Affairs (A8-0072/2019),

A.  whereas Central Asia is a region in which the European Union is increasingly engaged;

B.  whereas a Partnership and Cooperation Agreement (PCA) with Turkmenistan was initialled in 1997 and signed in 1998; whereas 14 Member States of the 15 original signatories have since ratified the PCA (the United Kingdom being the last remaining one); whereas Turkmenistan ratified the PCA in 2004; whereas accession to the PCA by those Member States that acceded to the EU after the agreement had been signed is subject to a separate protocol and ratification procedure;

C.  whereas once fully ratified, the PCA would be concluded for an initial period of 10 years, and then renewed annually, enabling the EU to resile from the agreement should serious doubts arise concerning respect for human rights or other serious infringements; whereas the parties may amend the PCA in order to take account of new developments;

D.  whereas the European Parliament was consulted on the Interim Trade Agreement (ITA) with Turkmenistan by the Council in April 2009, as part of an optional, legally non-binding procedure;

E.  whereas the Organisation for Security and Cooperation in Europe (OSCE) and the European Bank for Reconstruction and Development (EBRD) have set their benchmarks against which progress in Turkmenistan should be measured and the criteria authorising the pursuit of further cooperation, in compliance with internationally recognised standards on the rule of law, good governance and human rights;

F.  whereas respect for democracy and fundamental and human rights, and for the principles of a market economy, which constitute essential elements of the ITA (as set out in both Article 1 therein and Article 2 of the PCA), should remain long-term goals for Turkmenistan; whereas the unilateral suspension of application is a possibility in the event that either party were to violate these elements;

G.  whereas following considerations of the draft recommendation to give Parliament’s consent to conclusion of the PCA, and of its accompanying draft report of 8 May 2015 containing a motion for a resolution, the Committee on Foreign Affairs decided to temporarily suspend the procedure on 24 May 2016 until it deemed that sufficient progress had been made as regards respect for human rights and the rule of law, and decided to open the current interim procedure;

H.  whereas the continued validity of the benchmarks for human rights progress for Turkmenistan, as articulated by Parliament in its previous resolutions, is of vital importance for a principled and coherent EU policy for relations with the country;

I.  whereas Turkmenistan adopted a National Action Plan on Human Rights for 2016-2020 (NAPHR) in 2015, prepared with the assistance of the UN Development Programme in 2013;

J.  whereas Turkmenistan has concluded international agreements, such as the ICCPR, the ICESCR and ILO Conventions;

1.  Asks the Council, the Commission and the VP/HR to set, as a matter of urgency, the following short-term benchmarks to measure sustainable progress by the state authorities of Turkmenistan, based on recommendations by the UN, the OSCE and the EBRD, and before it has given its consent to the PCA:

The political system, the rule of law and good governance

Human rights and fundamental freedoms

   (i) A clear division between the executive, legislative and judiciary branches and, inter alia, enabling and guaranteeing real participation by the population in state decision-making processes, including a consultation with international experts such as the Venice Commission of the Council of Europe and the OSCE Office for Democratic Institutions and Human Rights (ODIHR), on the compliance of the Constitution of Turkmenistan with these democratic principles, and a demonstration of willingness on the part of Turkmenistan to consider the recommendations for reforms proposed by these organisations;
   (ii) The removal of restrictions on the registration and functioning of non-governmental organisations;
   (iii) Implementation of the commitments made by the Turkmen Government in its NAPHR for 2016-2020;
   (iv) An end to the secret detentions and enforced disappearances, forced labour, torture and disclosure of the fate or whereabouts of disappeared persons, allowing families to stay in contact with persons in custody; an acknowledgment by the country’s authorities of the existence of political prisoners and unhindered access to the country for international organisations and independent monitors, including the International Committee of the Red Cross;
   (v) Ensuring unhindered access to various sources of information and, in particular, allowing people to access alternative sources of information, including international communication facilities, and to keep telecommunications devices, such as private satellite dishes or affordable internet connections;
   (vi) An end to the persecution and intimidation of independent journalists and civil society and human rights activists based in the country and abroad, including of their family members; guaranteeing freedom of expression and assembly;
   (vii) Allowing visits by the UN and international and regional human rights organisations that have requested them and are still awaiting replies;
   (viii) An end to the informal and arbitrary system of travel bans and ensuring that people who have been denied permission to leave the country are able to travel freely;

2.  Asks the Council, the Commission and the VP/HR to take into account the following long-term recommendations for sustainable and credible progress:

The political system, the rule of law and good governance

Human rights and fundamental freedoms

   (i) Respect for the principles of political pluralism and democratic accountability, with properly functioning political parties and other organisations, free from interference;
   (ii) Continued implementation of reforms at all levels in accordance with the UN Sustainable Development Goals and in all areas of the administration, especially in the judiciary and in law enforcement;
   (iii) Strong and effective safeguards against high-level corruption, money laundering, organised crime and drug trafficking;
   (iv) Full implementation of the law prohibiting child labour;
   (v) Overall respect for the peaceful and legitimate exercise of the right to freedom of expression, freedom of association and freedom of religion or belief;
   (vi) General freedom of movement, both within and outside the country;

3.  Underlines the need for the European Parliament to closely follow and monitor developments in Turkmenistan and the implementation of all parts of the PCA, once it enters into force; calls on the VP/HR, in this context, to implement and publicly commit to the human rights monitoring mechanism, allowing Parliament to be properly informed by the European External Action Service (EEAS) about the implementation of the PCA, once it enters into force, and, in particular, of its objectives and of compliance with Article 2, so that it can respond to developments on the ground in the event of documented and proven serious breaches of human rights; highlights the possibility of a mechanism to suspend the PCA should such cases occur and welcomes, in this respect, the VP/HR’s letter to the Committee on Foreign Affairs of 16 December 2015, containing the following objectives:

   (i) ensuring that the European Parliament is properly informed about the implementation of the human rights and democratisation provisions of the PCA, including access to the relevant information on the development of the situations regarding human rights, democracy and the rule of law and that it is briefed upon request ahead of and following meetings of the Cooperation Council in a timely manner, subject to applicable confidentiality rules;
   (ii) closer interaction with the European Parliament and civil society in preparation for the annual Human Rights Dialogues, and debriefings;
   (iii) consultation with the European Parliament when preparing updates of the EU Human Rights Country Strategy for Turkmenistan;

4.  Welcomes the VP/HR’s announcement from November 2018 regarding the setting up of a fully-fledged EU Delegation in Ashgabat; emphasises that the new Delegation should develop a mutually beneficial cooperation strategy tailored to Turkmenistan’s development conditions and requirements, should monitor the situation in the country, including human rights violations and individual cases of concern, should enter into a dialogue with the country’s various political, social and economic players, should enable diplomacy on the ground, and should improve the management and oversight of projects funded by EU external financing instruments;

5.  Concludes that it will consider giving its consent once it deems that the recommendations set out in paragraphs 1 and 3 have been duly addressed by the Commission, the Council, the VP/HR and the state authorities of Turkmenistan;

6.  Instructs its President to request that the Council, the Commission and the VP/HR regularly provide Parliament with substantial information on the situation in Turkmenistan;

7.  Instructs its President to forward this resolution to the Council, the Commission, the VP/HR and the Government and Parliament of Turkmenistan.

(1) OJ C 184 E, 6.8.2009, p. 49.
(2) OJ C 168 E, 14.6.2013, p. 91.
(3) OJ C 58, 15.2.2018, p. 119.
(4) OJ C 184 E, 8.7.2010, p. 20.
(5) OJ C 290 E, 29.11.2006, p. 107.


Implementing decision on the launch of automated data exchange with regard to DNA data in the United Kingdom *
European Parliament legislative resolution of 12 March 2019 on the draft Council implementing decision on the launch of automated data exchange with regard to DNA data in the United Kingdom (13123/2018 – C8-0474/2018 – 2018/0812(CNS))
P8_TA-PROV(2019)0147 A8-0092/2019

(Consultation)

The European Parliament,

–  having regard to the Council draft (13123/2018),

–  having regard to Article 39(1) of the Treaty on European Union, as amended by the Treaty of Amsterdam, and Article 9 of Protocol No 36 on transitional provisions, pursuant to which the Council consulted Parliament (C8-0164/2018),

–  having regard to Council Decision 2008/615/JHA of 23 June 2008 on the stepping up of cross-border cooperation, particularly in combating terrorism and cross-border crime(1), and in particular Article 33 thereof,

–  having regard to Rule 78c of its Rules of Procedure,

–  having regard to the report of the Committee on Civil Liberties, Justice and Home Affairs (A8-0092/2019),

1.  Approves the Council draft;

2.  Calls on the Council to notify Parliament if it intends to depart from the text approved by Parliament;

3.  Asks the Council to consult Parliament again if it intends to substantially amend the text approved by Parliament;

4.  Instructs its President to forward its position to the Council and the Commission.

(1) OJ L 210, 6.8.2008, p. 1.


Exchange of information on third country nationals and European Criminal Records Information System (ECRIS) ***I
European Parliament legislative resolution of 12 March 2019 on the proposal for a directive of the European Parliament and of the Council amending Council Framework Decision 2009/315/JHA, as regards the exchange of information on third country nationals and as regards the European Criminal Records Information System (ECRIS), and replacing Council Decision 2009/316/JHA (COM(2016)0007 – C8-0012/2016 – 2016/0002(COD))
P8_TA-PROV(2019)0148 A8-0219/2016

(Ordinary legislative procedure: first reading)

The European Parliament,

–  having regard to the Commission proposal to Parliament and the Council (COM(2016)0007),

–  having regard to Article 294(2) and Article 82(1), second subparagraph, point (d) of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C8‑0012/2016),

–  having regard to Article 294(3) of the Treaty on the Functioning of the European Union,

–  having regard to the provisional agreement approved by the committee responsible under Rule 69f(4) of its Rules of Procedure and the undertaking given by the Council representative by letter of 19 December 2018 to approve Parliament’s position, in accordance with Article 294(4) of the Treaty on the Functioning of the European Union,

–  having regard to Rule 59 of its Rules of Procedure,

–  having regard to the report of the Committee on Civil Liberties, Justice and Home Affairs (A8-0219/2016),

1.  Adopts its position at first reading hereinafter set out;

2.  Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal;

3.  Instructs its President to forward its position to the Council, the Commission and the national parliaments.

Position of the European Parliament adopted at first reading on 12 March 2019 with a view to the adoption of Directive (EU) 2019/… of the European Parliament and of the Council amending Council Framework Decision 2009/315/JHA, as regards the exchange of information on third-country nationals and as regards the European Criminal Records Information System (ECRIS), and replacing Council Decision 2009/316/JHA

P8_TC1-COD(2016)0002


THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 82(1), second subparagraph, point (d) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure(1),

Whereas:

(1)  The Union has set itself the objective of offering its citizens an area of freedom, security and justice without internal frontiers, in which the free movement of persons is ensured. That objective should be achieved by means of, among others, appropriate measures to prevent and combat crime, including organised crime and terrorism.

(2)  That objective requires that information on convictions handed down in the Member States be taken into account outside the convicting Member State in the course of new criminal proceedings, as laid down in Council Framework Decision 2008/675/JHA(2), as well as in order to prevent new offences.

(3)  That objective presupposes the exchange of information extracted from criminal records between the competent authorities of the Member States. Such an exchange of information is organised and facilitated by the rules set out in Council Framework Decision 2009/315/JHA(3) and by the European Criminal Records Information System (ECRIS), established in accordance with Council Decision 2009/316/JHA(4).

(4)  The existing ECRIS legal framework, however, does not sufficiently address the particularities of requests concerning third-country nationals. Although it is already possible to exchange information on third-country nationals through ECRIS, there is no common Union procedure or mechanism in place to do so efficiently, rapidly and accurately.

(5)  Within the Union, information on third-country nationals is not gathered as it is for nationals of Member States – in the Member States of nationality – but only stored in the Member States where the convictions have been handed down. A complete overview of the criminal history of a third-country national can therefore be ascertained only if such information is requested from all Member States.

(6)  Such "blanket requests" impose a disproportionate administrative burden on all Member States, including those not holding information on the particular third-country national. In practice, that burden deters Member States from requesting information on third-country nationals from other Member States, which seriously hinders the exchange of information between them, limiting their access to criminal records information to information stored in their national register. As a consequence, the risk of information exchange between Member States being inefficient and incomplete is increased.

(7)  In order to improve the situation, the Commission submitted a proposal, which led to the adoption of Regulation (EU) …/… of the European Parliament and of the Council(5)(6), which establishes a centralised system at Union level containing the personal data of convicted third-country nationals allowing identification of the Member States holding information on their previous convictions (‘ECRIS-TCN’).

(8)  ECRIS-TCN will allow the central authority of a Member State to find out promptly and efficiently in which other Member States criminal records information on a third-country national is stored so that the existing ECRIS framework can ▌be used to request the criminal records information from those Member States in accordance with Framework Decision 2009/315/JHA.

(9)  The exchange of information on criminal convictions is important in any strategy to combat crime and counter terrorism. It would contribute to the criminal justice response to radicalisation leading to terrorism and violent extremism if Member States used ECRIS to its full potential.

(10)  In order to increase the utility of information on convictions and disqualifications arising from convictions for sexual offences against children, Directive 2011/93/EU of the European Parliament and of the Council(7) laid down the obligation for Member States to take the necessary measures to ensure that for the purpose of recruiting a person for a post involving direct and regular contact with children, information concerning the existence of criminal convictions for sexual offences against children entered in the criminal records, or of any disqualifications arising from those criminal convictions, be transmitted in accordance with the procedures set out in Framework Decision 2009/315/JHA. The aim of that mechanism is to ensure that a person convicted of a sexual offence against children is not able to conceal that conviction or disqualification with a view to performing a professional activity involving direct and regular contact with children in another Member State.

(11)  This Directive aims to introduce the necessary modifications to Framework Decision 2009/315/JHA that will allow for an effective exchange of information on convictions of third-country nationals via ECRIS. It obliges Member States to take the necessary measures to ensure that convictions are accompanied by information on the nationality, or nationalities, of the convicted person, in so far as the Member States have such information at their disposal. It also introduces procedures for replying to requests for information, ensures that a criminal records extract requested by a third-country national is supplemented with information from other Member States, and provides for the technical changes ▌necessary to make the information exchange system work.

(12)  Directive (EU) 2016/680 of the European Parliament and of the Council(8) should apply to the processing of personal data by competent national authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and the prevention of threats to public security. Regulation (EU) 2016/679 of the European Parliament and of the Council(9) should apply to the processing of personal data by national authorities when such processing does not fall within the scope of Directive (EU) 2016/680.

(13)  In order to ensure uniform conditions for the implementation of Framework Decision 2009/315/JHA, the principles of Decision 2009/316/JHA should be incorporated in that Framework Decision and implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and the Council(10).

(14)   The common communication infrastructure used for the exchange of criminal records information should be the secured Trans European Services for Telematics between Administrations (sTESTA), any further development of it or any alternative secure network.

(15)  Notwithstanding the possibility of using the Union’s financial programmes in accordance with the applicable rules, each Member State should bear its own costs arising from the implementation, administration, use and maintenance of its criminal records database, and from the implementation, administration, use and maintenance of the technical alterations needed to be able to use ECRIS.

(16)  This Directive respects fundamental rights and freedoms enshrined, in particular, in the Charter of Fundamental Rights of the European Union, including the right to protection of personal data, the rights to judicial and administrative redress, the principle of equality before the law, the right to a fair trial, the presumption of innocence and the general prohibition of discrimination. This Directive should be implemented in accordance with those rights and principles.

(17)  Since the objective of this Directive, namely to enable rapid and efficient exchange of accurate criminal records information on third-country nationals, cannot be sufficiently achieved by the Member States, but can rather, by putting in place common rules, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary to achieve that objective.

(18)  In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the TEU and to the Treaty on the Functioning of the European Union (TFEU), Denmark is not taking part in the adoption of this Directive and is not bound by it or subject to its application.

(19)  In accordance with Articles 1 and 2 and Article 4a(1) of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and to the TFEU, and without prejudice to Article 4 of that Protocol, Ireland is not taking part in the adoption of this Directive and is not bound by it or subject to its application. ▌

(20)  In accordance with Article 3 and Article 4a(1) of Protocol No 21, the United Kingdom has notified its wish to take part in the adoption and application of this Directive.

(21)  The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council(11) and delivered an opinion on 13 April 2016(12).

(22)  Framework Decision 2009/315/JHA should therefore be amended accordingly,

HAVE ADOPTED THIS DIRECTIVE:

Article 1

Amendments to Framework Decision 2009/315/JHA

Framework Decision 2009/315/JHA is amended as follows:

(1)  Article 1 is replaced by the following:

"Article 1

Subject matter

This Framework Decision:

   (a) defines the conditions under which a convicting Member State shares information ▌with other Member States on convictions;
   (b) defines ▌obligations for the convicting Member State and for the Member State of the convicted person’s nationality (the ‘Member State of the person’s nationality’), and specifies the methods to be followed when replying to a request for information extracted from criminal records;
   (c) establishes a decentralised information technology system for the exchange of information on convictions based on the criminal records databases in each Member State, the European Criminal Records Information System (ECRIS).";

(2)  In Article 2, the following points are added:

"(d) ‘convicting Member State’ means the Member State where a conviction is handed down;

   (e) 'third-country national' means a person who is not a citizen of the Union within the meaning of Article 20(1) TFEU, or who is a stateless person ▌ or a person whose nationality is unknown ▌;
   (f) ‘fingerprint data’ means the data relating to plain and rolled impressions of the fingerprints of each of a person's fingers;
   (g) 'facial image' means a digital image of a person's face;
   (h) 'ECRIS reference implementation' means the software developed by the Commission and made available to the Member States for the exchange of criminal records information through ECRIS.";

(3)  In Article 4, paragraph 1 is replaced by the following:

"1. Each convicting Member State shall take all the necessary measures to ensure that ▌convictions handed down within its territory are accompanied by information on the nationality or nationalities of the convicted person ▌if the person is a national of another Member State or a third-country national. Where a convicted person is of unknown nationality or stateless, the criminal record shall reflect this.";

(4)  Article 6 is amended as follows:

(a)  paragraph 3 is replaced by the following:

"3. Where a national of one Member State asks the central authority of another Member State for information on his or her own criminal record, that central authority shall ▌ submit a request to the central authority of the Member State of the person’s nationality for information and related data to be extracted from the criminal records and shall ▌include such information and related data in the extract to be provided to the person concerned.";

(b)  the following paragraph is inserted:

"3a. Where a third-country national ▌ asks the central authority of a Member State for information on his or her own criminal record, that central authority shall submit a request only to those central authorities of the Member States which hold information on the criminal record of that person for information and related data to be extracted from the criminal records and shall include such information and related data in the extract to be provided to the person concerned.";

(5)  Article 7 is amended as follows:

(a)  paragraph 4 is replaced by the following:

"4. Where information extracted from the criminal records on convictions handed down against a national of a Member State is requested under Article 6 from the central authority of a Member State other than the Member State of the person’s nationality, the requested Member State shall transmit such information ▌ to the same extent as provided for in Article 13 of the European Convention on Mutual Assistance in Criminal Matters.";

(b)  the following paragraph is inserted:

"4a. Where information extracted from the criminal records on convictions handed down against a third-country national is requested under Article 6 for the purposes of criminal proceedings, the requested Member State shall transmit information ▌on any conviction handed down in the requested Member State and entered in the criminal records and on any conviction handed down in third countries and subsequently transmitted to it and entered into the criminal records.

If such information is requested for any purpose other than that of criminal proceedings, paragraph 2 of this Article shall apply accordingly.";

(6)  In Article 8, paragraph 2 is replaced by the following:

“2. Replies to the requests referred to in Article 6(2), (3) and (3a) shall be transmitted within twenty working days from the date the request was received.”;

(7)  Article 9 is amended as follows:

(a)  in paragraph 1, the words "Article 7(1) and (4)" are replaced by "Article 7(1), (4) and (4a)";

(b)  in paragraph 2, the words "Article 7(2) and (4)" are replaced by "Article 7(2), (4) and (4a)";

(c)  in paragraph 3, the words "Article 7(1), (2) and (4)" are replaced by "Article 7(1), (2), (4) and (4a)";

(8)  Article 11 is amended as follows:

(a)  in point (c) of the first subparagraph of paragraph 1, the following point is added:

"(iv) facial image.";

(b)  paragraphs 3 to 7 are replaced by the following:

"3. Central authorities of Member States shall transmit the following information electronically using ECRIS and a standardised format in accordance with the standards to be laid down in implementing acts:

   (a) information referred to in Article 4; ▌
   (b) requests referred to in Article 6;
   (c) replies referred to in Article 7; and
   (d) other relevant information.

4.  If the mode of transmission referred to in paragraph 3 is not available ▌, central authorities of Member States shall transmit all information referred to in paragraph 3 ▌by any means capable of producing a written record under conditions allowing the central authority of the receiving Member State to establish the authenticity of the information, taking the security of transmission into consideration.

If the mode of transmission referred to in paragraph 3 is not available for an extended period of time, the Member State concerned shall inform the other Member States and the Commission.

5.  Each Member State shall carry out the technical alterations necessary for its use of the standardised format ▌ to electronically transmit all information as referred to in paragraph 3 to other Member States via ECRIS. Each Member State shall notify the Commission of the date from which it will be able to carry out such transmissions ▌.";

(9)  The following Articles are inserted:

"Article 11a

European Criminal Records Information System (ECRIS)

1.  In order to exchange information extracted from criminal records in accordance with this Framework Decision electronically, a decentralised information technology system based on the criminal records databases in each Member State, the European Criminal Records Information System (ECRIS), is established. It is composed of the following elements:

   (a) ECRIS reference implementation;
   (b) ▌a common communication infrastructure between central authorities that provides an encrypted network.

To ensure the confidentiality and integrity of criminal records information transmitted to other Member States, appropriate technical and organisational measures shall be used, taking into account the state of the art, the cost of implementation and the risks posed by the processing of information.

2.  All criminal records data shall be stored solely in databases operated by the Member States.

3.  The central authorities of the Member States shall not have direct ▌ access to the criminal records databases of other Member States.

4.  The ECRIS reference implementation and databases storing, sending and receiving information extracted from criminal records shall operate under the responsibility of the Member State concerned. The European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) established by Regulation (EU) 2018/1726 of the European Parliament and of the Council* shall support the Member States in accordance with its tasks as laid down in Regulation (EU) …/… (13).

5.  The common communication infrastructure shall be operated under the responsibility of the Commission. It shall fulfil the necessary security requirements and fully meet the needs of ECRIS.

6.  eu-LISA shall provide, further develop and maintain the ECRIS reference implementation▌.

7.  Each Member State shall bear its own costs arising from the implementation, administration, use and maintenance of its criminal records database and the installation and use of the ECRIS reference implementation.

The Commission shall bear the costs arising from the implementation, administration, use, maintenance and future development of the common communication infrastructure▌.

8.  The Member States which use their national ECRIS implementation software in accordance with paragraphs 4 to 8 of Article 4 of Regulation (EU) …/…(14) may continue to use their national ECRIS implementation software instead of the ECRIS reference implementation, provided that they fulfil all the conditions set out in those paragraphs.

Article 11b

Implementing Acts

1.  The Commission shall lay down the following in implementing acts:

   (a) the standardised format referred to in Article 11(3), including as regards information on the offence giving rise to the conviction and information on the content of the conviction;
   (b) the rules concerning the technical implementation of ECRIS ▌ and the exchange of fingerprint data;
   (c) any other technical means of organising and facilitating exchanges of information on convictions between central authorities of Member States, including:
   (i) the means of facilitating the understanding and automatic translation of transmitted information;
   (ii) the means by which information may be exchanged electronically, particularly as regards the technical specifications to be used and, if need be, any applicable exchange procedures.

2.  The implementing acts referred to in paragraph 1 of this Article shall be adopted in accordance with the examination procedure referred to in Article 12a(2).

__________________

* Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (OJ L 295, 21.11.2018, p. 99).";

(10)  The following Article is inserted:

"Article 12a

Committee procedure

1.  The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2.  Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Where the committee delivers no opinion, the Commission shall not adopt the draft implementing act and the third subparagraph of Article 5(4) of Regulation (EU) No 182/2011 shall apply.";

(11)  The following Article is inserted:

"Article 13a

Reporting by the Commission and review

1.  By … [12 months after the date of transposition of this amending Directive], the Commission shall submit a report on the application of this Framework Decision to the European Parliament and to the Council. The report shall assess the extent to which the Member States have taken the necessary measures to comply with this Framework Decision, including its technical implementation.

2.  The report shall be accompanied, where appropriate, by relevant legislative proposals.

3.  The Commission shall regularly publish a report concerning the exchange ▌ of information extracted from the criminal record through ECRIS and concerning the use of ECRIS-TCN based in particular on the statistics provided by eu-LISA and the Member States in accordance with Regulation (EU) …/…(15). The report shall be published for the first time one year after the report referred to in paragraph 1 is submitted.

4.  The Commission report referred to in paragraph 3 shall cover in particular the level of exchange of information between Member States, including that relating to third-country nationals, as well as the purpose of requests and their respective number, including requests for purposes other than criminal proceedings, such as background checks and requests for information from the persons concerned on their own criminal record.".

Article 2

Replacement of Decision 2009/316/JHA

Decision 2009/316/JHA is replaced with regard to the Member States bound by this Directive, without prejudice to the obligations of those Member States with regard to the date for implementation of that Decision.

Article 3

Transposition

1.  Member States shall bring into force the laws, regulations and administrative provisions necessary to comply with this Directive by … [36 months after the entry into force of this amending Directive]. They shall immediately communicate ▌the text of those measures to the Commission.

When Member States adopt those measures, they shall contain a reference to this Directive or be accompanied by such a reference on the occasion of their official publication. They shall also include a statement that references in existing laws, regulations and administrative provisions to the Decision replaced by this Directive shall be construed as references to this Directive. Member States shall determine how such reference is to be made and how that statement is to be formulated.

2.  Member States shall communicate to the Commission the text of the main provisions of national law which they adopt in the field covered by this Directive.

3.  Member States shall carry out the technical alterations referred to in Article 11(5) of Framework Decision 2009/315/JHA, as amended by this Directive, by … [36 months after the entry into force of this amending Directive].

Article 4

Entry into force and application

This Directive shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Article 2 shall apply from … [36 months after the entry into force of this amending Directive].

Article 5

Addressees

This Directive is addressed to the Member States in accordance with the Treaties.

Done at …,

For the European Parliament For the Council

The President The President

(1) Position of the European Parliament of 12 March 2019.
(2) Council Framework Decision 2008/675/JHA of 24 July 2008 on taking account of convictions in the Member States of the European Union in the course of new criminal proceedings (OJ L 220, 15.8.2008, p. 32).
(3) Council Framework Decision 2009/315/JHA of 26 February 2009 on the organisation and content of the exchange of information extracted from the criminal record between Member States (OJ L 93, 7.4.2009, p. 23).
(4) Council Decision 2009/316/JHA of 6 April 2009 on the establishment of the European Criminal Records Information System (ECRIS) in application of Article 11 of Framework Decision 2009/315/JHA (OJ L 93, 7.4.2009, p. 33).
(5) Regulation (EU) .../... of the European Parliament and of the Council of ... establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726 (OJ L..., p. ...).
(6) +OJ: please insert in the text the number of the Regulation contained in document PE-CONS 88/18 (2017/0144(COD)) and insert the number, date and OJ reference of that Regulation in the footnote.
(7) Directive 2011/93/EU of the European Parliament and of the Council of 13 December 2011 on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA (OJ L 335, 17.12.2011, p. 1).
(8) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
(9) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(10) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
(11) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).
(12) OJ C 186, 25.5.2016, p. 7.
(13) +OJ: please insert the number of the Regulation contained in document PE-CONS 88/18 (2017/0144(COD)).
(14) +OJ: please insert the number of the Regulation contained in document PE-CONS 88/18 (2017/0144(COD)).
(15) +OJ: please insert the number of the Regulation contained in document PE-CONS 88/18 (2017/0144(COD)).


Centralised system for the identification of Member States holding conviction information on third country nationals and stateless persons (ECRIS-TCN) ***I
European Parliament legislative resolution of 12 March 2019 on the proposal for a regulation of the European Parliament and of the Council establishing a centralised system for the identification of Member States holding conviction information on third country nationals and stateless persons (TCN) to supplement and support the European Criminal Records Information System (ECRIS-TCN system) and amending Regulation (EU) No 1077/2011 (COM(2017)0344 – C8-0217/2017 – 2017/0144(COD))
P8_TA-PROV(2019)0149 A8-0018/2018

(Ordinary legislative procedure: first reading)

The European Parliament,

–  having regard to the Commission proposal to Parliament and the Council (COM(2017)0344),

–  having regard to Article 294(2) and Article 82(1), second subparagraph, point (d) of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C8‑0217/2017),

–  having regard to Article 294(3) of the Treaty on the Functioning of the European Union,

–  having regard to the provisional agreement approved by the committee responsible under Rule 69f(4) of its Rules of Procedure and the undertaking given by the Council representative by letter of 19 December 2018 to approve Parliament’s position, in accordance with Article 294(4) of the Treaty on the Functioning of the European Union,

–  having regard to Rule 59 of its Rules of Procedure,

–  having regard to the report of the Committee on Civil Liberties, Justice and Home Affairs and the opinion of the Committee on Budgets (A8-0018/2018),

1.  Adopts its position at first reading hereinafter set out;

2.  Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal;

3.  Instructs its President to forward its position to the Council, the Commission and the national parliaments.

Position of the European Parliament adopted at first reading on 12 March 2019 with a view to the adoption of Regulation (EU) 2019/… of the European Parliament and of the Council establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726

P8_TC1-COD(2017)0144


THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 82(1), second subparagraph, point (d) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure(1),

Whereas:

(1)  The Union has set itself the objective of offering its citizens an area of freedom, security and justice without internal frontiers, in which the free movement of persons is ensured. That objective should be achieved by means of, among others, appropriate measures to prevent and combat crime, including organised crime and terrorism.

(2)  That objective requires that information on convictions handed down in the Member States be taken into account outside the convicting Member State in the course of new criminal proceedings, as laid down in Council Framework Decision 2008/675/JHA(2), as well as in order to prevent new offences.

(3)  That objective presupposes the exchange of information extracted from criminal records between the competent authorities of the Member States. Such an exchange of information is organised and facilitated by the rules set out in Council Framework Decision 2009/315/JHA(3) and by the European Criminal Records Information System (ECRIS), established by Council Decision 2009/316/JHA(4).

(4)  The existing ECRIS legal framework, however, does not sufficiently address the particularities of requests concerning third-country nationals. Although it is already possible to exchange information on third-country nationals through ECRIS, there is no common Union procedure or mechanism in place to do so efficiently, rapidly and accurately.

(5)  Within the Union, information on third-country nationals is not gathered as it is for nationals of Member States - in the Member States of nationality - but only stored in the Member States where the convictions have been handed down. A complete overview of the criminal history of a third-country national can therefore be ascertained only if such information is requested from all Member States.

(6)  Such 'blanket requests' impose a disproportionate administrative burden on all Member States, including those not holding information on the particular third-country national. In practice, that burden deters Member States from requesting information on third-country nationals from other Member States, which seriously hinders the exchange of information between them, limiting their access to criminal records information to information stored in their national register. As a consequence, the risk of information exchange between Member States being inefficient and incomplete is increased, which in turn affects the level of security and safety provided to citizens and persons residing within the Union.

(7)  To improve the situation, a system should be established by which the central authority of a Member State can find out promptly and efficiently ▌ which other Member States hold criminal records information on a third-country national ▌('ECRIS-TCN'). The existing ECRIS framework could then be used to request the criminal records information from those Member States in accordance with Framework Decision 2009/315/JHA.

(8)  This Regulation should therefore lay down rules establishing a centralised system at the Union level containing personal data, and rules on the division of responsibilities between the Member State and the organisation responsible for the development and maintenance of the centralised system, as well as any specific data protection provisions needed to supplement the existing data protection arrangements and to provide for an adequate overall level of data protection ▌, data security and protection of the fundamental rights of the persons concerned ▌.

(9)  The objective of offering to citizens of the Union an area of freedom, security and justice without internal frontiers, in which the free movement of persons is ensured, also requires complete information to be held on convictions of citizens of the Union who also hold the nationality of a third country. Given the possibility that those persons could present themselves as holding one or several nationalities, and that different convictions could be stored in the convicting Member State or in the Member State of nationality, it is necessary to include citizens of the Union who also hold the nationality of a third country within the scope of this Regulation. The exclusion of such persons would result in the information stored in ECRIS-TCN being incomplete. That would jeopardise the reliability of the system. However, since such persons hold Union citizenship, the conditions under which fingerprint data can be included in ECRIS-TCN in respect of those persons should be comparable to the conditions under which the fingerprint data of Union citizens are exchanged between Member States through ECRIS, which was established by Framework Decision 2009/315/JHA and Decision 2009/316/JHA. Therefore, in respect of citizens of the Union who also hold the nationality of a third country, fingerprint data should only be included in ECRIS-TCN where they have been collected in accordance with national law during criminal proceedings, it being understood that for such inclusion Member States should be able to use fingerprint data collected for purposes other than criminal proceedings, where such use is permitted under national law.

(10)  ECRIS-TCN should allow for processing of fingerprint data for the purpose of identifying the Member States in possession of criminal records information on a third-country national. It should also allow for processing of facial images in order to confirm his or her identity. It is essential that the entry and use of fingerprint data and facial images not exceed what is strictly necessary to achieve the aim, respect fundamental rights, as well as the best interests of children, and be in conformity with applicable Union data protection rules.

(11)  The European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA) established by Regulation (EU) 2018/1726 of the European Parliament and of the Council(5) should be entrusted with the task of developing and operating ECRIS-TCN ▌, given its experience with managing other large scale systems in the area of justice and home affairs. Its mandate should be amended to reflect those new tasks.

(12)  eu-LISA should be equipped with the appropriate funding and staffing to meet its responsibilities under this Regulation.

(13)  Given the need to create close technical links between ECRIS-TCN and ECRIS, eu-LISA should also be entrusted with the task of further developing and maintaining the ECRIS reference implementation, and its mandate should be amended to reflect this.

(14)  Four Member States have developed their own national ECRIS implementation software in accordance with Decision 2009/316/JHA, and have been using it instead of the ECRIS reference implementation to exchange criminal records information. Given the particular features that those Member States have introduced in their systems for national use and the investments that they have made, they should be allowed to use their national ECRIS implementation software for the purposes of ECRIS-TCN as well, provided that the conditions set out in this Regulation are met.

(15)  ECRIS-TCN should contain only the identity information of third-country nationals convicted by a criminal court within the Union. Such identity information should include alphanumeric and fingerprint data ▌. It should also be possible for facial images to be included in as far as the law of the Member State where a conviction is handed down allows for the collection and storage of facial images of a convicted person.

(16)  The alphanumeric data to be entered by the Member States into the central system should include the surname (family name) and the first names (given names) of the convicted person, as well as, where such information is available to the central authority, any pseudonyms or aliases of that person. If differing personal data, such as a different spelling of a name in another alphabet, are known to the Member State concerned, it should be possible to enter such data into the central system as additional information.

(17)  The alphanumeric data should also include, as additional information, the identity number, or the type and number of the person's identification documents, as well as the name of the authority issuing those documents, where such information is available to the central authority. The Member State should seek to verify the authenticity of identification documents before entering the relevant information in the central system. In any case, given that such information could be unreliable, it should be used cautiously.

(18)  The central authorities should use ECRIS-TCN to identify the Member States holding criminal records information on a third-country national when criminal records information on that person is requested in the Member State concerned for the purposes of criminal proceedings against that person, or for the purposes referred to in this Regulation. While ECRIS-TCN should in principle be used in all such cases, the authority responsible for conducting the criminal proceedings should be able to decide that ECRIS-TCN should not be used when it would not be appropriate in the circumstances of the case, e.g. in certain types of urgent criminal proceedings, in cases of transit, when criminal records information has recently been obtained via ECRIS, or in respect of minor offences, in particular minor traffic offences, minor offences in relation to general municipal regulations and minor public order offences.

(19)  Member States should also be able to use ECRIS-TCN for purposes other than those set out in this Regulation, if provided for under and in accordance with national law. However, in order to enhance the transparency of the use of ECRIS-TCN, Member States should notify such other purposes to the Commission, which should ensure publication of all the notifications in the Official Journal of the European Union.

(20)  It should also be possible for other authorities requesting criminal records information to decide that ECRIS-TCN should not be used when this would not be appropriate in the circumstances of the case, e.g. when certain standard administrative checks need to be carried out regarding the professional qualifications of a person, especially if it is known that criminal records information will not be requested from other Member States, irrespective of the result of the search in ECRIS-TCN. However, ECRIS-TCN should always be used when the request for criminal records information has been initiated by a person who asks for information on his or her own criminal record in accordance with Framework Decision 2009/315/JHA, or when it is made in order to obtain criminal records information in accordance with Directive 2011/93/EU of the European Parliament and of the Council(6).

(21)  Third-country nationals should have the right to obtain information in writing concerning their own criminal record in accordance with the law of the Member State where they request such information to be provided and in accordance with Framework Decision 2009/315/JHA. Before providing such information to a third-country national, the Member State concerned should query ECRIS-TCN.

(22)  Citizens of the Union who also hold the nationality of a third country will only be included in ECRIS-TCN if the competent authorities are aware that such persons hold the nationality of a third country. Where the competent authorities are not aware that citizens of the Union also hold the nationality of a third country, it is nevertheless possible that such persons have prior convictions as third-country nationals. In order to ensure that the competent authorities have a complete overview of criminal records, it should be possible to query ECRIS-TCN to verify whether, in respect of a citizen of the Union, any Member State holds criminal record information concerning this person as a third-country national.

(23)  In the event that there is a match between data recorded in the central system and those used for search by a Member State (hit), the identity information against which a hit was recorded should be provided together with the hit. The result of a search should be used by the central authorities only for the purpose of making a request through ECRIS or by the European Union Agency for Criminal Justice Cooperation (Eurojust) established by Regulation (EU) 2018/1727 of the European Parliament and of the Council(7), the European Union Agency for Law Enforcement Cooperation (Europol) established by Regulation (EU) 2016/794 of the European Parliament and of the Council(8), ▌ and the European Public Prosecutor's Office (the 'EPPO') established by Council Regulation (EU) 2017/1939(9), only for the purpose of making a request for conviction information as referred to in this Regulation.

(24)  In the first instance, facial images included in ECRIS-TCN should only be used for the purpose of confirming the identity of a third-country national in order to identify the Member States holding information on previous convictions of that third-country national. In the future, ▌it should be possible for facial images to be used for automated biometric matching, provided that the technical and policy requirements to do so have been met. The Commission, taking into account necessity and proportionality, as well as the technical developments in the field of facial recognition software, should assess the availability and readiness of the required technology before adopting a delegated act concerning the use of facial images for the purpose of identifying third-country nationals in order to identify the Member States holding information on previous convictions concerning those persons.

(25)  The use of biometrics is necessary as it is the most reliable method of identifying third-country nationals within the territory of the Member States, who are often not in possession of documents or any other means of identification, as well as for more reliable matching of third-country nationals’ data.

(26)  Member States should enter in the central system fingerprint data of convicted third-country nationals that have been collected in accordance with national law during criminal proceedings. In order to have as complete identity information as possible available in the central system, Member States should also be able to enter into the central system fingerprint data that have been collected for other purposes than criminal proceedings, where those fingerprint data are available for use in criminal proceedings in compliance with national law.

(27)  This Regulation should establish minimum criteria as regards the fingerprint data that Member States should include in the central system. Member States should be given the choice either to enter the fingerprint data of third-country nationals who have received a custodial sentence of at least 6 months, or to enter the fingerprint data of third-country nationals who have been convicted of a criminal offence which is punishable under the law of the Member State concerned by a custodial sentence of a maximum period of at least 12 months.

(28)  Member States should create records in ECRIS-TCN regarding convicted third-country nationals. This should, where possible, be done automatically and without undue delay after their conviction was entered into the national criminal records. Member States should, in accordance with this Regulation, enter into the central system alphanumeric and fingerprint data relating to convictions handed down after the date of the start of entry of data into the ECRIS-TCN. As from the same date, and any time thereafter, Member States should be able to enter facial images in the central system.

(29)  Member States should also, in accordance with this Regulation, create records in ECRIS-TCN regarding third-country nationals convicted prior to the date of start of entry of data, in order to ensure the maximum effectiveness of the system. However, for that purpose Member States should not be obliged to collect information which is not already in their criminal records prior to the date of start of entry of data. The fingerprint data of third-country nationals collected in connection with such prior convictions should be included only where they have been collected during criminal proceedings, and where the Member State concerned considers that they can be clearly matched with other identity information in criminal records.

(30)  Improving the exchange of information on convictions should assist Member States in their implementation of Framework Decision 2008/675/JHA, which obliges the Member States to take account of previous convictions in other Member States in the course of new criminal proceedings to the extent that previous national convictions are taken into account under national law.

(31)  A hit indicated by ECRIS-TCN should not of itself be taken to mean that the third-country national concerned has been convicted in the Member States that are indicated ▌. The existence of previous convictions should only be confirmed based on information received from the criminal records of the Member States concerned.

(32)  Notwithstanding the possibility of using the Union’s financial programmes in accordance with the applicable rules, each Member State should bear its own costs arising from the implementation, administration, use and maintenance of its criminal records database and national fingerprints databases, and from the implementation, administration, use and maintenance of the technical alterations necessary to be able to use ECRIS-TCN, including their connections to the national central access point.

(33)  Eurojust, Europol and the EPPO should have access to ECRIS-TCN for the purpose of identifying the Member States holding criminal records information on a third-country national in order to support their statutory tasks. Eurojust should also have direct access to ECRIS-TCN for the purpose of carrying out its task under this Regulation of acting as a contact point for third countries and international organisations, without prejudice to the application of principles of judicial cooperation in criminal matters, including rules on mutual legal assistance. While the position of Member States who are not part of the enhanced cooperation on the establishment of the EPPO should be taken into account, the EPPO should not be refused access to conviction information on the sole ground that the Member State concerned is not part of that enhanced cooperation.

(34)  This Regulation establishes strict rules on access to ECRIS-TCN and the necessary safeguards, including the responsibility of the Member States in collecting and using the data. It also sets out how individuals may exercise their rights to compensation, access, rectification, erasure and redress, in particular the right to an effective remedy and the supervision of processing operations by public independent authorities. It therefore respects fundamental rights and freedoms enshrined, in particular, in the Charter of Fundamental Rights of the European Union, including the right to protection of personal data, the principle of equality before the law and the general prohibition of discrimination. In this regard, it also takes into account the European Convention for the Protection of Human Rights and Fundamental Freedoms, the International Covenant on Civil and Political Rights, and other human rights obligations under international law.

(35)  Directive (EU) 2016/680 of the European Parliament and of the Council(10) ▌ should apply to the processing of personal data by competent national authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Regulation (EU) 2016/679 of the European Parliament and of the Council(11) ▌ should apply to the processing of personal data by national authorities when such processing does not fall within the scope of Directive (EU) 2016/680. Coordinated supervision should be ensured in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council(12), which should also apply to the processing of personal data by eu-LISA.

(36)  In respect of prior convictions, the central authorities should enter alphanumeric data by the end of the period for entry of data under this Regulation, and fingerprint data within two years after the date of the start of operations of ECRIS-TCN. Member States should be able to enter all data at the same time, provided those time limits are met.

(37)  Rules should be laid down on the liability of the Member States, Eurojust, Europol, the EPPO and eu-LISA in respect of damage arising from any breach of this Regulation.

(38)  In order to improve identification of the Member States holding information on previous convictions of third-country nationals, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union (TFEU) should be delegated to the Commission in respect of supplementing this Regulation by providing for the use of facial images for the purpose of identifying third-country nationals in order to identify the Member States holding information on previous convictions. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making(13). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(39)  In order to ensure uniform conditions for the establishment and operational management of ECRIS-TCN, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and the Council(14).

(40)  Member States should take the necessary measures to comply with this Regulation as soon as possible so as to ensure the proper functioning of ECRIS-TCN, taking into account the time that eu-LISA needs to develop and implement ECRIS-TCN. However, Member States should have at least 36 months after the entry into force of this Regulation to take measures to comply with this Regulation.

(41)  Since the objective of this Regulation, namely to enable the rapid and efficient exchange of accurate criminal records information on third-country nationals, cannot be sufficiently achieved by the Member States, but can rather, by putting in place common rules, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary to achieve that objective.

(42)  In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(43)  In accordance with Articles 1 and 2 and Article 4a(1) of Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and to the TFEU, and without prejudice to Article 4 of that Protocol, Ireland is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(44)   In accordance with Article 3 and Article 4a(1) of Protocol No 21, the United Kingdom has notified its wish to take part in the adoption and application of this Regulation.

(45)  The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council(15) and delivered an opinion on 12 December 2017(16),

HAVE ADOPTED THIS REGULATION:

CHAPTER I

GENERAL PROVISIONS

Article 1

Subject matter

This Regulation establishes:

(a)  ▌ a system to identify the Member States holding information on previous convictions of third-country nationals ('ECRIS-TCN');

(b)  ▌the conditions under which ECRIS-TCN shall be used by the central authorities in order to obtain information on such previous convictions through the European Criminal Records Information System (ECRIS) established by Decision 2009/316/JHA, as well as the conditions under which Eurojust, Europol and the EPPO shall use ECRIS-TCN.

Article 2

Scope

This Regulation applies to the processing of identity information of third-country nationals who have been subject to convictions in the Member States for the purpose of identifying the Member States where such convictions were handed down. With the exception of point (b)(ii) of Article 5(1), the provisions of this Regulation that apply to third-country nationals also apply to citizens of the Union who also hold the nationality of a third country and who have been subject to convictions in the Member States.

Article 3

Definitions

For the purposes of this Regulation, the following definitions ▌apply:

(1)  'conviction' means any final decision of a criminal court against a natural person in respect of a criminal offence, to the extent that the decision is entered in the criminal records of the convicting Member State;

(2)  'criminal proceedings' means the pre-trial stage, the trial stage and the execution of the conviction;

(3)  'criminal record' means the national register or registers recording convictions in accordance with national law;

(4)  'convicting Member State' means the Member State in which a conviction is handed down;

(5)  'central authority' means an authority ▌ designated in accordance with Article 3(1) of Framework Decision 2009/315/JHA;

(6)  'competent authorities' means the central authorities and Eurojust, Europol and the EPPO, which are competent to access or query ECRIS-TCN in accordance with this Regulation;

(7)  'third-country national' means a person who is not a citizen of the Union within the meaning of Article 20(1) TFEU, or who is a stateless person or a person whose nationality is unknown ▌;

(8)  'central system' means the database or databases developed and maintained by eu-LISA which hold identity information on third-country nationals who have been subject to convictions in the Member States ▌;

(9)  'interface software' means the software hosted by the competent authorities allowing them to access the central system through the communication infrastructure referred to in point (d) of Article 4(1);

(10)   'identity information' means alphanumeric data, fingerprint data and facial images that are used to establish a connection between these data and a natural person;

(11)  'alphanumeric data' means data represented by letters, digits, special characters, spaces and punctuation marks;

(12)  'fingerprint data' means the data relating to plain and rolled impressions of the fingerprints of each of a person's fingers;

(13)  'facial image' means a digital image of a person's face;

(14)  'hit' means a match or matches established by comparison between identity information recorded in the central system and the identity information used for a search ▌;

(15)  'national central access point' means the national connection point to the communication infrastructure referred to in point (d) of Article 4(1);

(16)  'ECRIS reference implementation' means the software developed by the Commission and made available to the Member States for the exchange of criminal records information through ECRIS;

(17)  ‘national supervisory authority’ means an independent public authority which is established by a Member State pursuant to applicable Union data protection rules;

(18)  ‘supervisory authorities’ means the European Data Protection Supervisor and the national supervisory authorities.

Article 4

Technical architecture of ECRIS-TCN

1.  ECRIS-TCN shall be composed of:

(a)  a central system in which identity information on convicted third-country nationals is stored;

(b)  a national central access point in each Member State;

(c)  interface software enabling the connection of the competent authorities to the central system via the national central access points and the communication infrastructure referred to in point (d);

(d)  a communication infrastructure between the central system and the national central access points.

2.  The central system shall be hosted by eu-LISA at its ▌technical sites.

3.  The interface software shall be integrated with the ECRIS reference implementation. The Member States shall use the ECRIS reference implementation or, in the situation and under the conditions set out in paragraphs 4 to 8, the national ECRIS implementation software to query ECRIS-TCN and to send subsequent requests for criminal records information.

4.  The Member States which use their national ECRIS implementation software shall be responsible for ensuring that their national ECRIS implementation software allows their national criminal records authorities to use ECRIS-TCN, with the exception of the Interface Software, in accordance with this Regulation. For that purpose, they shall, before the date of start of operations of ECRIS-TCN in accordance with Article 35(4), ensure that their national ECRIS implementation software functions in accordance with the protocols and technical specifications established in the implementing acts referred to in Article 10, and with any further technical requirements established by eu-LISA pursuant to this Regulation based on those implementing acts.

5.  For as long as they do not use the ECRIS reference implementation, Member States which use their national ECRIS implementation software shall also ensure the implementation of any subsequent technical adaptations to their national ECRIS implementation software required by any changes to the technical specifications established in the implementing acts referred to in Article 10, or changes to any further technical requirements established by eu-LISA pursuant to this Regulation based on those implementing acts, without undue delay.

6.  The Member States which use their national ECRIS implementation software shall bear all the costs associated with the implementation, maintenance and further development of their national ECRIS implementation software and its interconnection with ECRIS-TCN, with the exception of the interface software.

7.  If a Member State which uses its national ECRIS implementation software is unable to comply with its obligations under this Article, it shall be obliged to use the ECRIS reference implementation, including the integrated interface software, to make use of ECRIS-TCN.

8.  In view of the assessment to be carried out by the Commission pursuant to point (b) of Article 36(10), the Member States concerned shall provide the Commission with all necessary information.

CHAPTER II

ENTRY AND USE OF DATA BY CENTRAL AUTHORITIES

Article 5

Data entry in ECRIS-TCN

1.  For each convicted third-country national, the central authority of the convicting Member State shall create a data record in the central system. The data record shall include: ▌

(a)   as concerns alphanumeric data:

(i)  information to be included unless, in individual cases, such information is not known to the central authority (obligatory information):

− surname (family name),

− first names (given names),

− date of birth,

− place of birth (town and country),

− nationality or nationalities,

− gender,

− previous names, if applicable,

− the code of the convicting Member State,

(ii)  information to be included if it has been entered in the criminal record (optional information):

− parents' names,

(iii)  information to be included if it is available to the central authority (additional information):

− identity number, or the type and number of the person's identification documents, as well as the name of the issuing authority,

− pseudonyms or aliases;

(b)  as concerns fingerprint data:

(i)  fingerprint data that have been collected in accordance with national law during criminal proceedings;

(ii)  as a minimum, fingerprint data collected on the basis of either of the following criteria:

–  where the third-country national has received a custodial sentence of at least 6 months;

or

–  where the third-country national has been convicted of a criminal offence which is punishable under the law of the Member State by a custodial sentence of a maximum period of at least 12 months.

2.  The fingerprint data referred to in point (b) of paragraph 1 of this Article shall have the technical specifications for the quality, resolution and processing of fingerprint data provided for in the implementing act referred to in point (b) of Article 10(1). The reference number of the fingerprint data of the convicted person shall include the code of the convicting Member State.

3.  The data record may also contain facial images of the convicted third-country national, if the law of the convicting Member State allows for the collection and storage of facial images of convicted persons.

4.   The convicting Member State shall create the data record automatically, where possible, and without undue delay after the conviction has been entered into the ▌criminal records ▌.

5.  The convicting Member States shall also create data records for convictions handed down prior to … the date of start of entry of data in accordance with Article 35(1) to the extent that data related to convicted persons are stored in ▌their national databases. In those cases, fingerprint data shall be included only where they have been collected during criminal proceedings in accordance with national law, and where they can be clearly matched with other identity information in criminal records.

6.  In order to comply with the obligations set out in points (b)(i) and (ii) of paragraph 1, and in paragraph 5, Member States may use fingerprint data collected for purposes other than criminal proceedings, where such use is permitted under national law.

Article 6

Facial images

1.  Until the entry into force of the delegated act provided for in paragraph 2, facial images may be used only to confirm the identity of a third-country national who has been identified as a result of an alphanumeric search or a search using fingerprint data.

2.   The Commission is empowered to adopt delegated acts in accordance with Article 37 supplementing this Regulation concerning the use of facial images for the purpose of identifying third-country nationals in order to identify the Member States holding information on previous convictions concerning such persons, when it becomes technically possible. Before exercising this empowerment, the Commission, taking into account necessity and proportionality, as well as technical developments in the field of facial recognition software, shall assess the availability and readiness of the required technology.

Article 7

Use of ECRIS-TCN for identifying the Member States holding criminal records information

1.  The central authorities shall use ECRIS-TCN to identify the Member States holding criminal records information on a third-country national in order to obtain information on previous convictions through ECRIS, when criminal records information on that person is requested in the Member State concerned for the purposes of criminal proceedings against that person, or for any of the following purposes, if provided for under and in accordance with national law:

–  checking a person's own criminal record at his or her request,

–  security clearance,

–  obtaining a licence or permit,

–  employment vetting,

–  vetting for voluntary activities involving direct and regular contacts with children or vulnerable persons,

–  visa, acquisition of citizenship and migration procedures, including asylum procedures, and

–  checks in relation with public contracts and public examinations.

However, in specific cases other than those in which a third-country national asks the central authority for information on his or her own criminal record, or where the request is made in order to obtain criminal records information pursuant to Article 10(2) of Directive 2011/93/EU, the authority requesting criminal records information may decide that such use of ECRIS-TCN is not appropriate.

2.  Any Member State which decides, if provided for under and in accordance with national law, to use ECRIS-TCN for purposes other than those set out in paragraph 1 in order to obtain information on previous convictions through ECRIS, shall, by the date of start of operations as referred to in Article 35(4), or any time thereafter, notify the Commission of such other purposes and any changes to such purposes. The Commission shall publish such notifications in the Official Journal of the European Union within 30 days of receipt of the notifications.

3.  Eurojust, Europol ▌ and the EPPO are entitled to query ECRIS-TCN to identify the Member States holding criminal records information on a third-country national in accordance with Articles 14 to 18. However, they shall not enter, rectify or erase any data in ECRIS-TCN.

4.  For the purposes referred to in paragraphs 1, 2 and 3, the competent authorities may also query ECRIS-TCN to verify whether, in respect of a citizen of the Union, any Member State holds criminal records information concerning this person as a third-country national.

5.  When querying ECRIS-TCN, the competent authorities may use all or only some of the data referred to in Article 5(1). The minimum set of data that is required to query the system shall be specified in an implementing act adopted in accordance with point (g) of Article 10(1).

6.  The competent authorities may also query ECRIS-TCN using ▌ facial images ▌, provided that such functionality has been implemented in accordance with Article 6(2).

7.  In the event of a hit, the central system shall automatically provide the competent authority with information on the Member States holding criminal records information on the third-country national, along with the associated reference numbers and any corresponding identity information. Such identity information shall only be used for the purpose of verifying the identity of the third-country national concerned. The result of a search in the central system may only be used for the purpose of making a request according to Article 6 of Framework Decision 2009/315/JHA or a request referred to in Article 17(3) of this Regulation.

8.  In the event that there is no hit, the central system shall automatically inform the competent authority.

CHAPTER III

RETENTION AND MODIFICATION OF THE DATA

Article 8

Retention period for data storage

1.  Each ▌data record shall be stored in the central system for as long as the data related to the convictions of the person concerned are stored in the ▌criminal records ▌.

2.  Upon expiry of the retention period referred to in paragraph 1, the central authority of the convicting Member State shall erase the ▌ data record, including any fingerprint data or facial images, from the central system. The erasure shall be done automatically, where possible, and in any event no later than one month after the expiry of the retention period.

Article 9

Modification and erasure of data

1.  The Member States may modify or erase the data which they have entered into ECRIS-TCN.

2.  Any modification of the information in the criminal records ▌which led to the creation of a data record in accordance with Article 5 shall include identical modification of the information stored in that data record in the central system by the convicting Member State without undue delay.

3.  If a convicting Member State has reason to believe that the data it has recorded in the central system are inaccurate or that data were processed in the central system in contravention of this Regulation, it shall:

(a)  immediately launch a procedure for checking the accuracy of the data concerned or the lawfulness of its processing, as appropriate;

(b)  if necessary, rectify the data or erase them from the central system without undue delay.

4.  If a Member State other than the convicting Member State which entered the data has reason to believe that data recorded in the central system are inaccurate or that data were processed in the central system in contravention of this Regulation, it shall contact the central authority of the convicting Member State without undue delay.

The convicting Member State shall:

(a)  immediately launch a procedure for checking the accuracy of the data concerned or the lawfulness of its processing, as appropriate;

(b)  if necessary, rectify the data or erase them from the central system without undue delay;

(c)  inform the other Member State that the data have been rectified or erased, or of the reasons why the data have not been rectified or erased, without undue delay.

CHAPTER IV

DEVELOPMENT, OPERATION AND RESPONSIBILITIES

Article 10

Adoption of implementing acts by the Commission

1.  The Commission shall adopt the implementing acts necessary for the technical development and ▌ implementation of ECRIS-TCN as soon as possible, and in particular acts concerning:

(a)  the technical specifications for the processing of the alphanumeric data;

(b)  the technical specifications for the quality, resolution and processing of fingerprint data▌;

(c)  the technical specifications of the interface software;

(d)  the technical specifications for the quality, resolution and processing of facial images for the purposes of and under the conditions set out in Article 6;

(e)  data quality, including a mechanism for and procedures to carry out data quality checks;

(f)  entering the data in accordance with Article 5;

(g)  accessing and querying ECRIS-TCN in accordance with Article 7;

(h)  modifying and erasing the data in accordance with Articles 8 and 9;

(i)  keeping and accessing logs in accordance with Article 31;

(j)  operation of the central repository and the data security and data protection rules applicable to the repository, in accordance with Article 32;

(k)  providing statistics in accordance with Article 32;

(l)  performance and availability requirements of ECRIS-TCN, including minimal specifications and requirements on the biometric performance of ECRIS-TCN in particular in terms of the required false positive identification rate and false negative identification rate.

2.  The implementing acts referred to in paragraph 1 shall be adopted in accordance with the examination procedure referred to in Article 38(2).

Article 11

Development and operational management of ECRIS-TCN

1.  eu-LISA shall be responsible for the development of ECRIS-TCN in accordance with the principle of data protection by design and by default. In addition, eu-LISA shall be responsible for the operational management of ECRIS-TCN. The development shall consist of the elaboration and implementation of the technical specifications, testing and overall project coordination.

2.  eu-LISA shall also be responsible for the further development and maintenance of the ECRIS reference implementation.

3.  eu-LISA shall define the design of the physical architecture of ECRIS-TCN including its technical specifications and evolution as regards the central system, the national central access point and the interface software. That design shall be adopted by its Management Board, subject to a favourable opinion of the Commission.

4.  eu-LISA shall develop and implement ECRIS-TCN as soon as possible after the entry into force of this Regulation ▌ and following the adoption by the Commission of the implementing acts provided for in Article 10.

5.  Prior to the design and development phase of ECRIS-TCN, the Management Board of eu-LISA shall establish a Programme Management Board composed of ten members.

The Programme Management Board shall be composed of eight members appointed by the Management Board, the Chair of the Advisory Group referred to in Article 39 and one member appointed by the Commission. The members appointed by the Management Board shall be elected only from those Member States which are fully bound under Union law by the legislative instruments governing ECRIS and which will participate in ECRIS-TCN. The Management Board shall ensure that the members it appoints to the Programme Management Board have the necessary experience and expertise in the development and management of IT systems supporting judicial and criminal records authorities.

eu-LISA shall participate in the work of the Programme Management Board. To that end, representatives of eu-LISA shall attend the meetings of the Programme Management Board in order to report on work regarding the design and development of ECRIS-TCN and on any other related work and activities.

The Programme Management Board shall meet at least once every three months, and more often when necessary. It shall ensure the adequate management of the design and development phase of ECRIS-TCN and shall ensure consistency between central and national ECRIS-TCN projects, and national ECRIS implementation software. The Programme Management Board shall submit written reports regularly and if possible every month to the Management Board of eu-LISA on the progress of the project. The Programme Management Board shall have no decision-making power nor any mandate to represent the members of the Management Board.

6.  The Programme Management Board shall establish its rules of procedure which shall include in particular rules on:

(a)  chairmanship;

(b)  meeting venues;

(c)  preparation of meetings;

(d)  admission of experts to the meetings;

(e)  communication plans ensuring that non-participating Members of the Management Board are kept fully informed.

7.  The chairmanship of the Programme Management Board shall be held by a Member State which is fully bound under Union law by the legislative instruments governing ECRIS and the legislative instruments governing the development, establishment, operation and use of all the large-scale IT systems managed by eu-LISA.

8.  All travel and subsistence expenses incurred by the members of the Programme Management Board shall be paid by eu-LISA. Article 10 of the eu-LISA Rules of Procedure shall apply mutatis mutandis. The Programme Management Board’s secretariat shall be ensured by eu-LISA.

9.  During the design and development phase, the Advisory Group referred to in Article 39 shall be composed of the national ECRIS-TCN project managers and chaired by eu-LISA. During the design and development phase it shall meet regularly, if possible at least once a month, until the start of operations of ECRIS-TCN. It shall report after each meeting to the Programme Management Board ▌. It shall provide the technical expertise to support the tasks of the Programme Management Board and shall follow up on the state of preparation of the Member States.

10.  In order to ensure the confidentiality and integrity of data stored in ECRIS-TCN at all times, eu-LISA shall, in cooperation with the Member States, provide for appropriate technical and organisational measures, taking into account the state of the art, the cost of implementation and the risks posed by the processing.

11.  eu-LISA shall be responsible for the following tasks related to the communication infrastructure referred to in point (d) of Article 4(1):

(a)  supervision;

(b)  security;

(c)  the coordination of relations between the Member States and the provider of the communication infrastructure.

12.  The Commission shall be responsible for all other tasks relating to the communication infrastructure referred to in point (d) of Article 4(1), in particular:

(a)  tasks relating to the implementation of the budget;

(b)  acquisition and renewal;

(c)  contractual matters.

13.  eu-LISA shall develop and maintain a mechanism and procedures for carrying out quality checks on the data stored in ECRIS-TCN and shall provide regular reports to the Member States. eu-LISA shall provide regular reports to the Commission covering the issues encountered and the Member States concerned.

14.  The operational management of ECRIS-TCN shall consist of all the tasks necessary to keep ECRIS-TCN operational in accordance with this Regulation, and in particular the maintenance work and technical developments necessary to ensure that ECRIS-TCN functions at a satisfactory level in accordance with the technical specifications.

15.  eu-LISA shall perform tasks related to providing training on the technical use of ECRIS-TCN and the ECRIS reference implementation.

16.  Without prejudice to Article 17 of the Staff Regulations of Officials of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68(17), eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to its entire staff required to work with data registered in the central system. That obligation shall also apply after such staff leave office or employment or after the termination of their activities.

Article 12

Responsibilities of the Member States

1.  Each Member State shall be responsible for:

(a)  ensuring a secure connection between its national criminal records ▌and fingerprints databases and the national central access point;

(b)  the development, operation and maintenance of the connection referred to in point (a);

(c)  ensuring a connection between its national systems and the ECRIS reference implementation;

(d)  the management of and arrangements for access of duly authorised staff of the central authorities to ECRIS-TCN in accordance with this Regulation and for establishing and regularly updating a list of such staff and the profiles referred to in point (g) of Article 19(3).

2.  Each Member State shall give the staff of its central authority who have a right to access ECRIS-TCN appropriate training covering, in particular, data security and data protection rules and applicable fundamental rights, before authorising them to process data stored in the central system.

Article 13

Responsibility for the use of data

1.  In accordance with applicable Union data protection rules, each Member State shall ensure that the data recorded in ECRIS-TCN are processed lawfully, and in particular that:

(a)  only duly authorised staff have access to the data for the performance of their tasks;

(b)  the data are collected lawfully in a manner that fully respects the human dignity and fundamental rights of the third-country national;

(c)  the data are entered into ECRIS-TCN lawfully;

(d)  the data are accurate and up-to-date when they are entered into ECRIS-TCN.

2.  eu-LISA shall ensure that ECRIS-TCN is operated in accordance with this Regulation, with the delegated act referred to in Article 6(2) and with the implementing acts referred to in Article 10, as well as in accordance with Regulation (EU) 2018/1725. In particular, eu-LISA shall take the necessary measures to ensure the security of the central system and the communication infrastructure referred to in point (d) of Article 4(1), without prejudice to the responsibilities of each Member State.

3.  eu-LISA shall inform the European Parliament, the Council and the Commission as well as the European Data Protection Supervisor as soon as possible of the measures it takes pursuant to paragraph 2 in view of the start of operations of ECRIS-TCN.

4.  The Commission shall make the information referred to in paragraph 3 available to the Member States and to the public through a regularly updated public website.

Article 14

Access for Eurojust, Europol, and the EPPO

1.   Eurojust shall have direct access to ECRIS-TCN for the purpose of the implementation of Article 17, as well as for fulfilling its tasks under Article 2 of Regulation (EU) 2018/1727, in order to identify the Member States holding information on previous convictions of third-country nationals.

2.  Europol shall have direct access to ECRIS-TCN for the purpose of fulfilling its tasks under points (a) to (e) and (h) of Article 4(1) of Regulation (EU) 2016/794, in order to identify the Member States holding information on previous convictions of third-country nationals.

3.  The EPPO shall have direct access to ECRIS-TCN for the purpose of fulfilling its tasks under Article 4 of Regulation (EU) 2017/1939, in order to identify the Member States holding information on previous convictions of third-country nationals.

4.  Following a hit indicating the Member States holding criminal records information on a third-country national, Eurojust, Europol, and the EPPO may use their respective contacts with the national authorities of those Member States to request the criminal records information in the manner provided for in their respective founding acts.

Article 15

Access by authorised staff of Eurojust, Europol and the EPPO

Eurojust, Europol and the EPPO shall be responsible for the management of and arrangements for access of duly authorised staff to ECRIS-TCN in accordance with this Regulation and ▌for establishing and regularly updating a list of such staff and their profiles.

Article 16

Responsibilities of Eurojust, Europol and the EPPO

▌Eurojust, Europol ▌ and the EPPO shall:

(a)  establish the technical means to connect to ECRIS-TCN and be responsible for maintaining that connection ▌;

(b)  provide appropriate training covering, in particular, data security and data protection rules and applicable fundamental rights to those members of their staff who have a right to access ECRIS-TCN before authorising them to process data stored in the central system;

(c)  ensure that the personal data processed by them under this Regulation is protected in accordance with the applicable data protection rules.

Article 17

Contact point for third countries and international organisations

1.  Third countries and international organisations may, for the purposes of criminal proceedings, address requests for information on which Member States, if any, hold criminal records information on a third-country national to Eurojust. To that end, they shall use the standard form set out in the Annex to this Regulation.

2.  When Eurojust receives a request under paragraph 1, it shall use ECRIS-TCN to identify which Member States, if any, hold criminal records information on the third-country national concerned.

3.  If there is a hit, Eurojust shall ask the Member State that holds criminal records information on the third-country national concerned whether it consents to Eurojust informing the third country or the international organisation of the name of the Member State concerned. Where that Member State gives its consent, Eurojust shall inform the third country or the international organisation of the name of that Member State, and of how it can introduce a request for extracts from the criminal records with that Member State in accordance with the applicable procedures.

4.  In cases where there is no hit or where Eurojust cannot provide an answer in accordance with paragraph 3 to requests made under this Article, it shall inform the third country or international organisation concerned that it has completed the procedure, without providing any indication of whether criminal records information on the person concerned is held by one of the Member States.

Article 18

Providing information to a third country, international organisation or private party

Neither Eurojust, Europol, the EPPO nor any central authority shall transfer or make available to a third country, an international organisation or a private party information obtained from ECRIS-TCN concerning a third-country national. This Article shall be without prejudice to Article 17(3).

Article 19

Data Security

1.  eu-LISA shall take the necessary measures to ensure the security of ECRIS-TCN, without prejudice to the responsibilities of each Member State, taking the security measures specified in paragraph 3 into consideration.

2.  As regards the operation of ECRIS-TCN, eu-LISA shall take the necessary measures in order to achieve the objectives set out in paragraph 3, including the adoption of a security plan and a business continuity and disaster recovery plan, and to ensure that installed systems may, in case of interruption, be restored.

3.  The Member States shall ensure the security of the data before and during the transmission to and receipt from the national central access point. In particular, each Member State shall:

(a)  physically protect data, including by making contingency plans for the protection of ▌infrastructure;

(b)  deny unauthorised persons access to national installations in which the Member State carries out operations related to ECRIS-TCN;

(c)  prevent the unauthorised reading, copying, modification or removal of data media;

(d)  prevent the unauthorised input of data and the unauthorised inspection, modification or erasure of stored personal data;

(e)  prevent the unauthorised processing of data in ECRIS-TCN and any unauthorised modification or erasure of data processed in ECRIS-TCN;

(f)  ensure that persons authorised to access ECRIS-TCN have access only to the data covered by their access authorisation, by means of individual user identities and confidential access modes only;

(g)  ensure that all authorities with a right of access to ECRIS-TCN create profiles describing the functions and responsibilities of persons who are authorised to enter, rectify, erase, consult and search the data and make their profiles available to the national ▌supervisory authorities without undue delay at their request;

(h)  ensure that it is possible to verify and establish to which Union bodies, offices and agencies personal data may be transmitted using data communication equipment;

(i)  ensure that it is possible to verify and establish what data have been processed in ECRIS-TCN, when, by whom and for what purpose;

(j)  prevent the unauthorised reading, copying, modification or erasure of personal data during the transmission of personal data to or from ECRIS-TCN or during the transport of data media, in particular by means of appropriate encryption techniques;

(k)  monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to self-monitoring and supervision to ensure compliance with this Regulation.

4.  eu-LISA and the Member States shall cooperate in order to ensure a coherent data security approach based on a security risk management process encompassing the entire ECRIS-TCN.

Article 20

Liability

1.  Any person who, or any Member State which, has suffered material or non-material damage as a result of an unlawful processing operation or any other act incompatible with this Regulation shall be entitled to receive compensation from:

(a)  the Member State which is responsible for the damage suffered; or

(b)  eu-LISA, where eu-LISA has not complied with its obligations set out in this Regulation or in Regulation (EU) 2018/1725.

The Member State which is responsible for the damage suffered or eu-LISA, respectively, shall be exempted from liability, in whole or in part, if it proves that it is not responsible for the event which gave rise to the damage.

2.  If any failure of a Member State, Eurojust, Europol, or the EPPO to comply with its obligations under this Regulation causes damage to ECRIS-TCN, that Member State, Eurojust, Europol, or the EPPO, respectively, shall be held liable for such damage, unless and insofar as eu-LISA or another Member State participating in ECRIS-TCN failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

3.  Claims for compensation against a Member State for the damage referred to in paragraphs 1 and 2 shall be governed by the law of the defendant Member State. Claims for compensation against eu-LISA, Eurojust, Europol and the EPPO for the damage referred to in paragraphs 1 and 2 shall be governed by their respective founding acts.

Article 21

Self-monitoring

Member States shall ensure that each central authority takes the measures necessary to comply with this Regulation and cooperates, where necessary, with the supervisory authorities.

Article 22

Penalties

Any misuse of data entered in ECRIS-TCN shall be subject to penalties or disciplinary measures, in accordance with national or Union law, that are effective, proportionate and dissuasive.

CHAPTER V

DATA PROTECTION RIGHTS AND SUPERVISION

Article 23

Data controller and data processor

1.  Each central authority is to be considered as data controller in accordance with applicable Union data protection rules for the processing of the personal data by that central authority's Member State under this Regulation.

2.  eu-LISA shall be considered as data processor in accordance with Regulation (EU) 2018/1725 as regards the personal data entered into the central system by the Member States.

Article 24

Purpose of the processing of personal data

1.  The data entered into the central system shall only be processed for the purpose of the identification of the Member States holding the criminal records information on third-country nationals.

2.  With the exception of duly authorised staff of Eurojust, Europol and the EPPO who have access to ECRIS-TCN for the purposes of this Regulation, access to ECRIS-TCN shall be reserved exclusively to duly authorised staff of the central authorities ▌. Access shall be limited to the extent needed for the performance of the tasks in accordance with the purpose referred to in paragraph 1, and to what is necessary and proportionate to the objectives pursued.

Article 25

Right of access, rectification, erasure and restriction of processing

1.  The requests of third-country nationals concerning the rights of access to personal data, to rectification and erasure and to restriction of processing of personal data which are set out in the applicable Union data protection rules may be addressed to the central authority of any Member State.

2.  Where a request is made to a Member State other than the convicting Member State, the ▌Member State to which the request has been made shall forward it to the convicting Member State without undue delay and in any event within 10 working days of receiving the request. Upon receipt of the request, the convicting Member State shall:

(a)  immediately launch a procedure for checking the accuracy of the data concerned and the lawfulness of its processing in ECRIS-TCN; and

(b)  respond to the Member State that forwarded the request without undue delay.

3.  In the event that data recorded in ECRIS-TCN are ▌ inaccurate or have been processed unlawfully, the convicting Member State shall rectify or erase the data in accordance with Article 9. The convicting Member State or, where applicable, the Member State to which the request has been made shall confirm in writing to the person concerned without undue delay that action has been taken to rectify or erase data relating to that person. The convicting Member State shall also without undue delay inform any other Member State which has been a recipient of conviction information obtained as a result of a query of ECRIS-TCN of what action has been taken.

4.  If the convicting Member State ▌ does not agree that data recorded in ECRIS-TCN are inaccurate or have been processed unlawfully, that Member State shall adopt an administrative or judicial decision explaining in writing to the person concerned ▌why it is not prepared to rectify or erase data relating to him or her. Such cases may, where appropriate, be communicated to the national supervisory authority.

5.  The Member State which has adopted the ▌ decision pursuant to paragraph 4 shall also provide the person concerned with information explaining the steps which that person can take if ▌ the explanation given pursuant to paragraph 4 is not acceptable to him or her. This shall include information on how to bring an action or a complaint before the competent authorities or courts of that Member State and any assistance, including from the national supervisory authorities, that is available in accordance with the national law of that Member State.

6.  Any request made pursuant to paragraph 1 shall contain the ▌ information necessary to identify the person concerned. That information shall be used exclusively to enable the exercise of the rights referred to in paragraph 1 and shall be erased immediately afterwards.

7.  Where paragraph 2 applies, the central authority to whom the request was addressed shall keep a written record that such a request was made and of how it was addressed and to which authority it was forwarded. Upon request from the national supervisory authority, the central authority shall make that record available to that national supervisory authority without delay. The central authority and the national supervisory authority shall erase such records three years after their creation.

Article 26

Cooperation to ensure respect for data protection rights

1.  The central authorities shall cooperate with each other in order to ensure respect for the rights laid down in Article 25.

2.  In each Member State, the national supervisory authority shall, upon request, provide information to the person concerned on how to exercise his or her right to rectify or erase data relating to him or to her, in accordance with the applicable Union data protection rules.

3.  For the purposes of this Article, the national supervisory authority of the Member State which transmitted the data and the national supervisory authority of the Member State to which the request has been made shall cooperate with each other.

Article 27

Remedies

▌ Any person shall have the right to lodge a complaint and the right to a legal remedy in the convicting Member State which refused the right of access to or the right of rectification or erasure of data relating to him or to her, referred to in Article 25 in accordance with national or Union law.

Article 28

Supervision by the national supervisory authorities

1.  Each Member State shall ensure that the national supervisory authorities designated pursuant to applicable Union data protection rules shall monitor the lawfulness of the processing of personal data referred to in Articles 5 and 6 by the Member State concerned, including their transmission to and from ECRIS-TCN.

2.  The national supervisory authority shall ensure that an audit of the data processing operations in the national criminal records and fingerprints databases related to the data exchange between those systems and ECRIS-TCN is carried out in accordance with relevant international auditing standards at least every three years from the date of the start of operations of ECRIS-TCN.

3.  Member States shall ensure that their national supervisory authorities have sufficient resources to fulfil the tasks entrusted to them under this Regulation.

4.  Each Member State shall supply any information requested by its national supervisory authorities and shall, in particular, provide them with information on the activities carried out in accordance with Articles 12, 13 and 19. Each Member State shall grant its national supervisory authorities access to its records pursuant to Article 25(7) and to its logs pursuant to Article 31(6) and allow them access at all times to all its ECRIS-TCN related premises.

Article 29

Supervision by the European Data Protection Supervisor

1.  The European Data Protection Supervisor shall monitor that the personal data processing activities of eu-LISA concerning ECRIS-TCN are carried out in accordance with this Regulation.

2.  The European Data Protection Supervisor shall ensure that an audit of eu-LISA’s personal data processing activities is carried out in accordance with relevant international auditing standards at least every three years. A report of that audit shall be sent to the European Parliament, the Council, the Commission, eu-LISA and the supervisory authorities. eu-LISA shall be given an opportunity to make comments before the report is adopted.

3.  eu-LISA shall supply information requested by the European Data Protection Supervisor, give him or her access to all documents and to its logs referred to in Article 31 and allow him or her access to all of its premises at any time.

Article 30

Cooperation among national supervisory authorities and the European Data Protection Supervisor

Coordinated supervision of ECRIS-TCN shall be ensured in accordance with Article 62 of Regulation (EU) 2018/1725.

Article 31

Keeping of logs

1.  eu-LISA and the competent authorities shall ensure, in accordance with their respective responsibilities, that all data processing operations in ECRIS-TCN are logged in accordance with paragraph 2 for the purposes of checking the admissibility of requests, monitoring data integrity and security and the lawfulness of the data processing as well as for the purposes of self-monitoring.

2.  The log ▌shall show:

(a)  the purpose of the request for access to ECRIS-TCN data;

(b)  the data transmitted as referred to in Article 5;

(c)  the national file reference;

(d)  the date and exact time of the operation;

(e)  the data used for a query;

(f)  the identifying mark of the official who carried out the search. ▌

3.  The log of consultations and disclosures shall make it possible to establish the justification of such operations.

4.  Logs ▌ shall be used only for monitoring the lawfulness of data processing and for ensuring data integrity and security. Only logs containing non-personal data may be used for the monitoring and evaluation referred to in Article 36. Those logs shall be protected by appropriate measures against unauthorised access and erased after three years, if they are no longer required for monitoring procedures which have already begun.

5.  On request, eu-LISA shall make the logs of its processing operations available to the central authorities without undue delay.

6.  The competent national supervisory authorities responsible for checking the admissibility of the requests and monitoring the lawfulness of the data processing and data integrity and security shall have access to logs at their request for the purpose of fulfilling their duties. On request, the central authorities shall make the logs of their processing operations available to the competent national supervisory authorities without undue delay.

CHAPTER VI

FINAL PROVISIONS

Article 32

Use of data for reporting and statistics

1.  The duly authorised staff of eu-LISA, of the competent authorities ▌ and of the Commission shall have access to the data processed within ECRIS-TCN solely for the purposes of reporting and providing statistics, without allowing for individual identification.

2.  For the purpose of paragraph 1, eu-LISA shall establish, implement and host a central repository at its technical sites containing the data referred to in paragraph 1 which, without allowing for individual identification ▌, enables customisable reports and statistics to be obtained. Access to the central repository shall be granted by means of secured access with control of access and specific user profiles, solely for the purpose of reporting and statistics.

3.  The procedures put in place by eu-LISA to monitor the functioning of ECRIS-TCN referred to in Article 36 as well as the ECRIS reference implementation shall include the possibility to produce regular statistics for ▌ monitoring purposes.

Every month eu-LISA shall submit to the Commission ▌statistics relating to the recording, storage and exchange of information extracted from criminal records through ECRIS-TCN and the ECRIS reference implementation. eu-LISA shall ensure that it is not possible to identify individuals on the basis of those statistics. At the request of the Commission, eu-LISA shall provide it with statistics on specific aspects related to the implementation of this Regulation.

4.  The Member States shall provide eu-LISA with the statistics necessary to fulfil its obligations referred to in this Article. They shall provide the Commission with statistics on the number of convicted third-country nationals, as well as the number of convictions of third-country nationals on their territory ▌.

Article 33

Costs

1.  The costs incurred in connection with the establishment and operation of the central system, the communication infrastructure referred to in point (d) of Article 4(1), the interface software and the ECRIS reference implementation shall be borne by the general budget of the Union.

2.  The costs of connection of Eurojust, Europol and ▌the EPPO▌ to ECRIS-TCN shall be borne by their respective budgets.

3.  Other costs shall be borne by the Member States, specifically the costs incurred by the connection of the existing national criminal records registers, fingerprints databases and the central authorities to ECRIS-TCN, as well as the costs of hosting the ECRIS reference implementation.

Article 34

Notifications

1.  Each Member State shall notify eu-LISA of its central authority, or authorities, that has access to enter, rectify, erase, consult or search data, as well as of any change in this respect.

2.  eu-LISA shall ensure publication of the list of central authorities notified by the Member States, both in the Official Journal of the European Union and on its website. When eu-LISA receives notification of a change to a Member State's central authority, it shall update the list without undue delay.

Article 35

Entry of data and start of operations

1.  Once the Commission is satisfied that the following conditions are met, it shall determine the date from which the Member States shall start entering the data referred to in Article 5 into ECRIS-TCN ▌:

(a)  the relevant implementing acts referred to in Article 10 have been adopted;

(b)  the Member States have validated the technical and legal arrangements to collect and transmit the data referred to in Article 5 to ECRIS-TCN and have notified them to the Commission;

(c)  eu-LISA has carried out a comprehensive test of ECRIS-TCN, in cooperation with the Member States, using anonymous test data.

2.  When the Commission has determined the date of start of entry of data in accordance with paragraph 1, it shall communicate that date to the Member States. Within a period of two months following that date, the Member States shall enter the data referred to in Article 5 into ECRIS-TCN, taking account of Article 41(2).

3.  After the end of the period referred to in paragraph 2, eu-LISA shall carry out a final test of ECRIS-TCN, in cooperation with the Member States.

4.  When the test referred to in paragraph 3 has been successfully completed and eu-LISA considers that ECRIS-TCN is ready to start operations, it shall notify the Commission. The Commission shall inform the European Parliament and the Council of the results of the test and shall decide on the date on which ECRIS-TCN is to start operations.

5.  The decision of the Commission on the date of the start of operations of ECRIS-TCN, as referred to in paragraph 4, shall be published in the Official Journal of the European Union.

6.  The Member States shall start using ECRIS-TCN from the date determined by the Commission in accordance with paragraph 4.

7.  When taking the decisions referred to in this Article, the Commission may specify different dates for the entry into ECRIS-TCN of alphanumeric data and fingerprint data as referred to in Article 5, as well as for the start of operations with respect to those different categories of data.

Article 36

Monitoring and evaluation

1.  eu-LISA shall ensure that procedures are in place to monitor the development of ECRIS-TCN in light of objectives relating to planning and costs and to monitor the functioning of ECRIS-TCN and the ECRIS reference implementation in light of objectives relating to the technical output, cost-effectiveness, security and quality of service.

2.  For the purposes of monitoring the functioning of ECRIS-TCN and its technical maintenance, eu-LISA shall have access to the necessary information relating to the data processing operations performed in ECRIS-TCN and in the ECRIS reference implementation.

3.  By …[six months after the entry into force of this Regulation] and every six months thereafter during the design and development phase, eu-LISA shall submit a report to the European Parliament and the Council on the state of play of the development of ECRIS-TCN and of the ECRIS reference implementation.

4.  The report referred to in paragraph 3 shall include an overview of the current costs and the progress of the project, a financial impact assessment, and information on any technical problems and risks that may impact the overall costs of ECRIS-TCN to be borne by the general budget of the Union in accordance with Article 33.

5.  In the event of substantial delays in the development process, eu-LISA shall inform the European Parliament and the Council as soon as possible of the reasons for these delays and of their impact in terms of time and finances.

6.  Once the development of ECRIS-TCN and of the ECRIS reference implementation is finalised, eu-LISA shall submit a report to the European Parliament and to the Council explaining how the objectives, in particular relating to planning and costs, were achieved and justifying any divergences.

7.  In the event of a technical upgrade of ECRIS-TCN which could result in substantial costs, eu-LISA shall inform the European Parliament and the Council.

8.  Two years after the start of operations of ECRIS-TCN and every year thereafter, eu-LISA shall submit to the Commission a report on the technical functioning of ECRIS-TCN and of the ECRIS reference implementation, including their security, based in particular on the statistics on the functioning and use of ECRIS-TCN and on the exchange, through the ECRIS reference implementation, of information extracted from the criminal records.

9.  Four years after the start of operations of ECRIS-TCN and every four years thereafter, the Commission shall conduct an overall evaluation of ECRIS-TCN and of the ECRIS reference implementation. The overall evaluation report established on this basis shall include an assessment of the application of this Regulation and an examination of results that have been achieved relative to the objectives that were set and of the impact on fundamental rights. The report shall also include an assessment of whether the underlying rationale for operating ECRIS-TCN continues to hold, of the appropriateness of the use of biometric data for the purposes of ECRIS-TCN, of the security of ECRIS-TCN and of any security implications for future operations. The evaluation shall include any necessary recommendations. The Commission shall transmit the ▌report to the European Parliament, the Council, the European Data Protection Supervisor and the European Union Agency for Fundamental Rights.

10.  In addition, the first overall evaluation as referred to in paragraph 9 shall include an assessment of:

(a)  the extent to which, on the basis of relevant statistical data and further information from the Member States, the inclusion in ECRIS-TCN of identity information of citizens of the Union who also hold the nationality of a third country has contributed to the achievement of the objectives of this Regulation;

(b)  the possibility, for some Member States, to continue the use of national ECRIS implementation software, as referred to in Article 4;

(c)  the entry of fingerprint data into ECRIS-TCN, in particular the application of the minimum criteria as referred to in point (b)(ii) of Article 5(1);

(d)  the impact of ECRIS and of ECRIS-TCN on the protection of personal data.

The assessment may be accompanied, if necessary, by legislative proposals. Subsequent overall evaluations may include an assessment of any or all of those aspects.

11.  The Member States, Eurojust, Europol ▌ and the EPPO▌ shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraphs 3, 8 and 9 according to the quantitative indicators predefined by the Commission or eu-LISA or both. That information shall not jeopardise working methods or include information that reveals sources, staff members or investigations.

12.  Where relevant, the supervisory authorities shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraph 9 according to the quantitative indicators predefined by the Commission or eu-LISA or both. That information shall not jeopardise working methods or include information that reveals sources, staff members or investigations.

13.  eu-LISA shall provide the Commission with the information necessary to produce the overall evaluations referred to in paragraph 9.

Article 37

Exercise of the delegation

1.  The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2.  The power to adopt delegated acts referred to in Article 6(2) shall be conferred on the Commission for an indeterminate period of time from … [date of entry into force of this Regulation].

3.  The delegation of power referred to in Article 6(2) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4.  Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

5.  As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

6.  A delegated act adopted pursuant to Article 6(2) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

Article 38

Committee procedure

1.  The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.▌

2.  Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Where the committee delivers no opinion, the Commission shall not adopt the draft implementing act and the third subparagraph of Article 5(4) of Regulation (EU) No 182/2011 shall apply.

Article 39

Advisory Group

eu-LISA shall establish an Advisory Group in order to obtain expertise related to ECRIS-TCN and the ECRIS reference implementation, in particular in the context of preparation of its annual work programme and its annual activity report. During the design and development phase, Article 11(9) shall apply.

Article 40

Amendments to Regulation (EU) 2018/1726

Regulation (EU) 2018/1726 is amended as follows:

(1)  In Article 1, paragraph 4 is replaced by the following:

"4. The Agency shall be responsible for the preparation, development or operational management of the Entry/Exit System (EES), DubliNet, the European Travel Information and Authorisation System (ETIAS), ECRIS-TCN and the ECRIS reference implementation.";

(2)  The following Article is inserted:

"Article 8a

Tasks related to ECRIS-TCN and the ECRIS reference implementation

In relation to ECRIS-TCN and the ECRIS reference implementation, the Agency shall perform:

   (a) the tasks conferred on it by Regulation (EU) .../... of the European Parliament and of the Council ▌*(18)
   (b) tasks relating to training on the technical use of ECRIS-TCN and the ECRIS reference implementation.

* Regulation (EU) .../... of the European Parliament and of the Council of ... establishing a centralised system for the identification of Member States holding conviction information on third-country nationals and stateless persons (ECRIS-TCN) to supplement the European Criminal Records Information System and amending Regulation (EU) 2018/1726 (OJ L ..., p. ...). (19)";

(3)  In Article 14, paragraph 1 is replaced by the following:

"1. The Agency shall monitor ▌developments in research relevant for the operational management of SIS II, VIS, Eurodac, the EES, ETIAS, DubliNet, ECRIS-TCN and other large-scale IT systems as referred to in Article 1(5).";

(4)  In Article 19, paragraph 1 is amended as follows:

(a)  point (ee) is replaced by the following:

"(ee) adopt the reports on the development of the EES pursuant to Article 72(2) of Regulation (EU) 2017/2226, the reports on the development of ETIAS pursuant to Article 92(2) of Regulation (EU) 2018/1240 and the reports on the development of ECRIS-TCN and of the ECRIS reference implementation pursuant to Article 36(3) of Regulation (EU) .../...(20);";

(b)  point (ff) is replaced by the following:

"(ff) adopt the reports on the technical functioning of SIS II pursuant to Article 50(4) of Regulation (EC) No 1987/2006 and Article 66(4) of Decision 2007/533/JHA respectively, of VIS pursuant to Article 50(3) of Regulation (EC) No 767/2008 and Article 17(3) of Decision 2008/633/JHA, of the EES pursuant to Article 72(4) of Regulation (EU) 2017/2226, of ETIAS pursuant to Article 92(4) of Regulation (EU) 2018/1240, and of ECRIS-TCN and of the ECRIS reference implementation pursuant to Article 36(8) of Regulation (EU) .../...(21);";

(c)  point (hh) is replaced by the following:

"(hh) adopt formal comments on the European Data Protection Supervisor's reports on the audits carried out pursuant to Article 45(2) of Regulation (EC) No 1987/2006, Article 42(2) of Regulation (EC) No 767/2008 and Article 31(2) of Regulation (EU) No 603/2013, Article 56(2) of Regulation (EU) 2017/2226, Article 67 of Regulation (EU) 2018/1240 and to Article 29(2) of Regulation (EU) .../...(22) and ensure appropriate follow-up of those audits;";

(d)  the following point is inserted:

"(lla) submit to the Commission statistics related to ECRIS-TCN and to the ECRIS reference implementation pursuant to the second subparagraph of Article 32(3) of Regulation .../...(23);";

(e)  point (mm) is replaced by the following:

"(mm) ensure annual publication of the list of competent authorities authorised to search directly the data contained in SIS II pursuant to Article 31(8) of Regulation (EC) No 1987/2006 and Article 46(8) of Decision 2007/533/JHA, together with the list of Offices of the national systems of SIS II (N.SIS II Offices) and SIRENE Bureaux pursuant to ▌Article 7(3) of Regulation (EC) No 1987/2006 and Article 7(3) of Decision 2007/533/JHA respectively as well as the list of competent authorities pursuant to Article 65(2) of Regulation (EU) 2017/2226, the list of competent authorities pursuant to Article 87(2) of Regulation (EU) 2018/1240 and ▌the list of central authorities pursuant to Article 34(2) of Regulation .../...(24);";

(5)  In Article 22(4), the following subparagraph is inserted after the third subparagraph:"

"Eurojust, Europol and the EPPO may attend the meetings of the Management Board as observers when a question concerning ECRIS-TCN in relation to the application of Regulation .../...(25) is on the agenda.";

"

(6)  In Article 24(3), point (p) is replaced by the following:"

"(p) establishing, without prejudice to Article 17 of the Staff Regulations of Officials, ▌ confidentiality requirements in order to comply with Article 17 of Regulation (EC) No 1987/2006, Article 17 of Decision 2007/533/JHA, Article 26(9) of Regulation (EC) No 767/2008, Article 4(4) of Regulation (EU) No 603/2013, ▌Article 37(4) of Regulation (EU) 2017/2226, Article 74(2) of Regulation 2018/1240 and Article 11(16) of ▌Regulation (EU) .../...(26);";

"

(7)  In Article 27(1), the following point is inserted:"

"(da) ECRIS-TCN Advisory Group;”.

"

Article 41

Implementation and transitional provisions

1.  Member States shall take the necessary measures to comply with ▌this Regulation as soon as possible so as to ensure the proper functioning of ECRIS-TCN.

2.  For convictions handed down prior to the date of start of entry of data in accordance with Article 35(1), the central authorities shall create the individual data records in the central system as follows:

(a)  alphanumeric data to be entered into the central system by the end of the period referred to in Article 35(2);

(b)  fingerprint data to be entered into the central system within two years after the start of operations in accordance with Article 35(4).

Article 42

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.

Done at …,

For the European Parliament For the Council

The President The President

ANNEX

Standard information request form

as referred to in Article 17(1) of Regulation (EU) .../...(27)

in order to obtain information on which Member State, if any, holds

criminal records information of a third-country national

This form, which is available at www.eurojust.europa.eu in all 24 official languages of the institutions of the Union, should be addressed in one of those languages to ECRIS-TCN@eurojust.europa.eu

Requesting state or international organisation:

Name of state or international organisation:

Authority submitting the request:

Represented by (name of person):

Title:

Address:

Telephone number:

E-mail address:

Criminal proceedings for which the information is sought:

Domestic reference number:

Competent authority:

Type of crimes under investigation (please mention relevant article(s) of criminal code):

Other relevant information (e.g. urgency of the request):

Identity information of the person having the nationality of a third country in respect of whom information regarding the convicting Member State is sought:

NB: please provide as much available information as possible.

Surname (family name):

First name(s) (given names):

Date of birth:

Place of birth (town and country):

Nationality or nationalities:

Gender:

Previous name(s), if applicable:

Parents' names:

Identity number:

Type and number of the person's identification document(s):

Issuing authority of document(s):

Pseudonyms or aliases:

If fingerprint data are available, please provide these.

In case of multiple persons, please indicate them separately

A drop down panel would allow the insertion of additional subjects

Place

 

Date

 

(Electronic) signature and stamp:

(1) Position of the European Parliament of 12 March 2019.
(2) Council Framework Decision 2008/675/JHA of 24 July 2008 on taking account of convictions in the Member States of the European Union in the course of new criminal proceedings (OJ L 220, 15.8.2008, p. 32).
(3) Council Framework Decision 2009/315/JHA of 26 February 2009 on the organisation and content of the exchange of information extracted from the criminal record between Member States (OJ L 93, 7.4.2009, p. 23).
(4) Council Decision 2009/316/JHA of 6 April 2009 on the establishment of the European Criminal Records Information System (ECRIS) in application of Article 11 of Framework Decision 2009/315/JHA (OJ L 93, 7.4.2009, p. 33).
(5) Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (OJ L 295, 21.11.2018, p. 99).
(6) Directive 2011/93/EU of the European Parliament and of the Council of 13 December 2011 on combating the sexual abuse and sexual exploitation of children and child pornography, and replacing Council Framework Decision 2004/68/JHA (OJ L 335, 17.12.2011, p. 1).
(7) Regulation (EU) 2018/1727 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for Criminal Justice Cooperation (Eurojust), and replacing and repealing Council Decision 2002/187/JHA (OJ L 295, 21.11.2018, p. 138).
(8) Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol) and replacing and repealing Council Decisions 2009/371/JHA, 2009/934/JHA, 2009/935/JHA, 2009/936/JHA and 2009/968/JHA (OJ L 135, 24.5.2016, p. 53).
(9) Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’) (OJ L 283, 31.10.2017, p. 1).
(10) Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (OJ L 119, 4.5.2016, p. 89).
(11) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(12) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(13) OJ L 123, 12.5.2016, p. 1.
(14) Regulation (EU) No 182/2011 of the European Parliament and the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
(15) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).
(16) OJ C 55, 14.2.2018, p. 4.
(17) OJ L 56, 4.3.1968, p. 1.
(18) + OJ: Please insert the number of this Regulation.
(19) ++ OJ: please insert the number, date and OJ reference of this Regulation.
(20) + OJ: Please insert the number of this Regulation.
(21)
(22) + Please insert the number of this Regulation.
(23)
(24) + OJ: Please insert the number of this Regulation.
(25) + OJ: Please insert the number of this Regulation.
(26) + OJ: Please insert the number of this Regulation.
(27) + OJ: please insert the number of this Regulation.


European Solidarity Corps programme ***I
European Parliament legislative resolution of 12 March 2019 on the proposal for a regulation of the European Parliament and of the Council establishing the European Solidarity Corps programme and repealing [European Solidarity Corps Regulation] and Regulation (EU) No 375/2014 (COM(2018)0440 – C8-0264/2018 – 2018/0230(COD))
P8_TA(2019)0150 A8-0079/2019



EU Cybersecurity Act ***I
European Parliament legislative resolution of 12 March 2019 on the proposal for a regulation of the European Parliament and of the Council on ENISA, the "EU Cybersecurity Agency", and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification ("Cybersecurity Act") (COM(2017)0477 – C8-0310/2017 – 2017/0225(COD))
P8_TA-PROV(2019)0151 A8-0264/2018

(Ordinary legislative procedure: first reading)

The European Parliament,

–  having regard to the Commission proposal to Parliament and the Council (COM(2017)0477),

–  having regard to Article 294(2) and Article 114 of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C8-0310/2017),

–  having regard to Article 294(3) of the Treaty on the Functioning of the European Union,

–  having regard to the reasoned opinion submitted, within the framework of Protocol No 2 on the application of the principles of subsidiarity and proportionality, by the French Senate, asserting that the draft legislative act does not comply with the principle of subsidiarity,

–  having regard to the opinion of the European Economic and Social Committee of 14 February 2018(1),

–  having regard to the opinion of the Committee of the Regions of 31 January 2018(2),

–  having regard to the provisional agreement approved by the committee responsible under Rule 69f(4) of its Rules of Procedure and the undertaking given by the Council representative by letter of 19 December 2018 to approve Parliament’s position, in accordance with Article 294(4) of the Treaty on the Functioning of the European Union,

–  having regard to Rule 59 of its Rules of Procedure,

–  having regard to the report of the Committee on Industry, Research and Energy and the opinions of the Committee on the Internal Market and Consumer Protection, the Committee on Budgets and the Committee on Civil Liberties, Justice and Home Affairs (A8-0264/2018),

1.  Adopts its position at first reading hereinafter set out;

2.  Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal;

3.  Instructs its President to forward its position to the Council, the Commission and the national parliaments.

Position of the European Parliament adopted at first reading on 12 March 2019 with a view to the adoption of Regulation (EU) 2019/… of the European Parliament and of the Council on ENISA (the European Union Agency for Cybersecurity ▌) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act)

P8_TC1-COD(2017)0225


(Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee(3),

Having regard to the opinion of the Committee of the Regions(4),

Acting in accordance with the ordinary legislative procedure(5),

Whereas:

(1)  Network and information systems and electronic communications networks and services play a vital role in society and have become the backbone of economic growth. Information and communications technology (ICT) underpins the complex systems which support everyday societal activities, keep our economies running in key sectors such as health, energy, finance and transport, and, in particular, support the functioning of the internal market.

(2)  The use of network and information systems by citizens, organisations and businesses across the Union is now pervasive. Digitisation and connectivity are becoming core features in an ever growing number of products and services and with the advent of the Internet of Things (IoT) an extremely high number of connected digital devices are expected to be deployed across the Union during the next decade. While an increasing number of devices is connected to the internet, security and resilience are not sufficiently built in by design, leading to insufficient cybersecurity. In that context, the limited use of certification leads to individual, organisational and business users having insufficient information about the cybersecurity features of ICT products, ICT services and ICT processes, which undermines trust in digital solutions. Network and information systems are capable of supporting all aspects of our lives and drive the Union’s economic growth. They are the cornerstone for achieving the digital single market.

(3)  Increased digitisation and connectivity increase cybersecurity risks, thus making society as a whole more vulnerable to cyber threats and exacerbating the dangers faced by individuals, including vulnerable persons such as children. In order to mitigate those risks, all necessary actions need to be taken to improve cybersecurity in the Union so that network and information systems, communications networks, digital products, services and devices used by citizens, organisations and business – ranging from small and medium-sized enterprises (SMEs), as defined in Commission Recommendation 2003/361/EC(6), to operators of critical infrastructure – are better protected from cyber threats.

(4)  By making the relevant information available to the public, the European Union Agency for Network and Information Security (ENISA), as established by Regulation (EU) No 526/2013 of the European Parliament and of the Council(7), contributes to the development of the cybersecurity industry in the Union, in particular SMEs and start-ups. ENISA should strive for closer cooperation with universities and research entities in order to contribute to reducing dependence on cybersecurity products and services from outside the Union and to reinforce supply chains inside the Union.

(5)  Cyberattacks are on the increase and a connected economy and society that is more vulnerable to cyber threats and attacks requires stronger defences. However, while cyberattacks often take place across borders, the competence of, and policy responses by, cybersecurity and law enforcement authorities are predominantly national. Large-scale incidents could disrupt the provision of essential services across the Union. This necessitates effective and coordinated responses and crisis management at Union level, building on dedicated policies and wider instruments for European solidarity and mutual assistance. Moreover, a regular assessment of the state of cybersecurity and resilience in the Union, based on reliable Union data, as well as systematic forecasts of future developments, challenges and threats, at Union and global level, are important for policy makers, industry and users.

(6)  In light of the increased cybersecurity challenges faced by the Union, there is a need for a comprehensive set of measures that would build on previous Union action and would foster mutually reinforcing objectives. Those objectives include further increasing the capabilities and preparedness of Member States and businesses, as well as improving cooperation, information sharing and coordination across Member States and Union institutions, bodies, offices and agencies. Furthermore, given the borderless nature of cyber threats, there is a need to increase capabilities at Union level that could complement the action of Member States, in particular in cases of large-scale cross-border incidents and crises, while taking into account the importance of maintaining and further enhancing the national capabilities to respond to cyber threats of all scales.

(7)  Additional efforts are also needed to increase citizens', organisations' and businesses' awareness of cybersecurity issues. Moreover, given that incidents undermine trust in digital service providers and in the digital single market itself, especially among consumers, trust should be further strengthened by offering information in a transparent manner on the level of security of ICT products, ICT services and ICT processes that stresses that even a high level of cybersecurity certification cannot guarantee that an ICT product, ICT service or ICT process is completely secure. An increase in trust can be facilitated by Union-wide certification providing for common cybersecurity requirements and evaluation criteria across national markets and sectors.

(8)  Cybersecurity is not only a technology-related issue, but one where human behaviour is equally important. Therefore, ‘cyber-hygiene’, namely simple, routine measures that, where implemented and carried out regularly by citizens, organisations and businesses, minimise their exposure to risks from cyber threats, should be strongly promoted.

(9)  For the purpose of strengthening Union cybersecurity structures, it is important to maintain and develop the capabilities of Member States to comprehensively respond to cyber threats, including to cross-border incidents.

(10)  Businesses and individual consumers should have accurate information regarding the assurance level with which the security of their ICT products, ICT services and ICT processes has been certified. At the same time, no ICT product or ICT service is wholly cyber-secure and basic rules of cyber-hygiene have to be promoted and prioritised. Given the growing availability of IoT devices, there is a range of voluntary measures that the private sector can take to reinforce trust in the security of ICT products, ICT services and ICT processes.

(11)  Modern ICT products and systems often integrate and rely on one or more third-party technologies and components such as software modules, libraries or application programming interfaces. This reliance, referred to as a “dependency”, could pose additional cybersecurity risks as vulnerabilities found in third-party components could also affect the security of the ICT products, ICT services and ICT processes. In many cases, identifying and documenting such dependencies enables end users of ICT products, ICT services and ICT processes to improve their cybersecurity risk management activities by improving, for example, users’ cybersecurity vulnerability management and remediation procedures.

(12)  Organisations, manufacturers or providers involved in the design and development of ICT products, ICT services or ICT processes should be encouraged to implement measures at the earliest stages of design and development to protect the security of those products, services and processes to the highest possible degree, in such a way that the occurrence of cyberattacks is presumed and their impact is anticipated and minimised (‘security by design’). Security should be ensured throughout the lifetime of the ICT product, ICT service or ICT process by design and development processes that constantly evolve to reduce the risk of harm from malicious exploitation.

(13)  Undertakings, organisations and the public sector should configure the ICT products, ICT services or ICT processes designed by them in a way that ensures a higher level of security which should enable the first user to receive a default configuration with the most secure settings possible (‘security by default’), thereby reducing the burden on users of having to configure an ICT product, ICT service or ICT process appropriately. Security by default should not require extensive configuration or specific technical understanding or non-intuitive behaviour on the part of the user, and should work easily and reliably when implemented. If, on a case-by-case basis, a risk and usability analysis leads to the conclusion that such a setting by default is not feasible, users should be prompted to opt for the most secure setting.

(14)  Regulation (EC) No 460/2004 of the European Parliament and of the Council(8) established ENISA with the purposes of contributing to the goals of ensuring a high and effective level of network and information security within the Union, and developing a culture of network and information security for the benefit of citizens, consumers, enterprises and public administrations. Regulation (EC) No 1007/2008 of the European Parliament and of the Council(9) extended ENISA’s mandate until March 2012. Regulation (EC) No 580/2011 of the European Parliament and of the Council(10) further extended ENISA’s mandate until 13 September 2013. Regulation (EU) No 526/2013 extended ENISA’s mandate until 19 June 2020.

(15)  The Union has already taken important steps to ensure cybersecurity and to increase trust in digital technologies. In 2013, the Cybersecurity Strategy of the European Union was adopted to guide the Union's policy response to cyber threats and risks. In an effort to better protect citizens online, the Union’s first legal act in the field of cybersecurity was adopted in 2016 in the form of Directive (EU) 2016/1148 of the European Parliament and of the Council(11). Directive (EU) 2016/1148 put in place requirements concerning national capabilities in the field of cybersecurity, established the first mechanisms to enhance strategic and operational cooperation between Member States, and introduced obligations concerning security measures and incident notifications across sectors which are vital for the economy and society, such as energy, transport, drinking water supply and distribution, banking, financial market infrastructures, healthcare, digital infrastructure as well as key digital service providers (search engines, cloud computing services and online marketplaces). A key role was attributed to ENISA in supporting the implementation of that Directive. In addition, fighting effectively against cybercrime is an important priority in the European Agenda on Security, contributing to the overall aim of achieving a high level of cybersecurity. Other legal acts such as Regulation (EU) 2016/679 of the European Parliament and of the Council(12) and Directives 2002/58/EC(13) and (EU) 2018/1972(14) of the European Parliament and of the Council also contribute to a high level of cybersecurity in the digital single market.

(16)  Since the adoption of the Cybersecurity Strategy of the European Union in 2013 and the last revision of ENISA’s mandate, the overall policy context has changed significantly as the global environment has become more uncertain and less secure. Against that background and in the context of the positive development of the role of ENISA as a reference point for advice and expertise, as a facilitator of cooperation and of capacity-building as well as within the framework of the new Union cybersecurity policy, it is necessary to review ENISA’s mandate, to establish its role in the changed cybersecurity ecosystem and to ensure that it contributes effectively to the Union's response to cybersecurity challenges emanating from the radically transformed cyber threat landscape, for which, as recognised during the evaluation of ENISA, the current mandate is not sufficient.

(17)  ENISA as established by this Regulation should succeed ENISA as established by Regulation (EU) No 526/2013. ENISA should carry out the tasks conferred on it by this Regulation and other legal acts of the Union in the field of cybersecurity, among other things, by providing advice and expertise and by acting as a Union centre of information and knowledge. It should promote the exchange of best practices between Member States and private stakeholders, offer policy suggestions to the Commission and the Member States, act as a reference point for Union sectoral policy initiatives with regard to cybersecurity matters, and foster operational cooperation, both between Member States and between the Member States and Union institutions, bodies, offices and agencies.

(18)  Within the framework of Decision (2004/97/EC, Euratom) taken by common agreement between the Representatives of the Member States, meeting at Head of State or Government level(15), the representatives of the Member States decided that ENISA would have its seat in a town in Greece to be determined by the Greek Government. ENISA’s host Member State should ensure the best possible conditions for the smooth and efficient operation of ENISA. It is imperative for the proper and efficient performance of its tasks, for staff recruitment and retention and for enhancing the efficiency of networking activities that ENISA be based in an appropriate location, among other things providing appropriate transport connections and facilities for spouses and children accompanying members of staff of ENISA. The necessary arrangements should be laid down in an agreement between ENISA and the host Member State concluded after obtaining the approval of the Management Board of ENISA.

(19)  Given the increasing cybersecurity risks and challenges the Union is facing, the financial and human resources allocated to ENISA should be increased to reflect its enhanced role and tasks, and its critical position in the ecosystem of organisations defending the digital ecosystem of the Union, allowing ENISA to effectively carry out the tasks conferred on it by this Regulation.

(20)  ENISA should develop and maintain a high level of expertise and operate as a reference point, establishing trust and confidence in the single market by virtue of its independence, the quality of the advice it delivers, the quality of information it disseminates, the transparency of its procedures, the transparency of its methods of operation, and its diligence in carrying out its tasks. ENISA should actively support national efforts and should proactively contribute to ▌Union efforts while carrying out its tasks in full cooperation with the Union institutions, ▌bodies, offices and agencies and with the Member States, avoiding any duplication of work and promoting synergy. In addition, ENISA should build on input from and cooperation with the private sector as well as other relevant stakeholders. A set of tasks should establish how ENISA is to accomplish its objectives while allowing flexibility in its operations.

(21)  In order to be able to provide adequate support to the operational cooperation between Member States, ENISA should further strengthen its technical and human capabilities and skills. ENISA should increase its know-how and capabilities. ENISA and Member States, on a voluntary basis, could develop programmes for seconding national experts to ENISA, creating pools of experts and staff exchanges.

(22)  ENISA should assist the Commission by means of advice, opinions and analyses regarding all Union matters related to policy and law development, updates and reviews in the field of cybersecurity and sector-specific aspects thereof in order to enhance the relevance of Union policies and laws with a cybersecurity dimension and to enable consistency in the implementation of those policies and laws at national level. ENISA should act as a reference point for advice and expertise for Union sector-specific policy and law initiatives where matters related to cybersecurity are involved. ENISA should regularly inform the European Parliament about its activities.

(23)  The public core of the open internet, namely its main protocols and infrastructure, which are a global public good, provides the essential functionality of the internet as a whole and underpins its normal operation. ENISA should support the security of the public core of the open internet and the stability of its functioning, including, but not limited to, key protocols (in particular DNS, BGP, and IPv6), the operation of the domain name system (such as the operation of all top level domains), and the operation of the root zone.

(24)  The underlying task of ENISA is to promote the consistent implementation of the relevant legal framework, in particular the effective implementation of Directive (EU) 2016/1148 and other relevant legal instruments containing cybersecurity aspects, which is essential to increasing cyber resilience. In light of the fast evolving cyber threat landscape, it is clear that Member States have to be supported by a more comprehensive, cross-policy approach to building cyber resilience.

(25)  ENISA should assist the Member States and Union institutions, ▌bodies, offices and agencies in their efforts to build and enhance capabilities and preparedness to prevent, detect and respond to cyber threats and incidents and in relation to the security of network and information systems. In particular, ENISA should support the development and enhancement of national and Union computer security incident response teams ('CSIRTs') ▌provided for in Directive (EU) 2016/1148 with a view to achieving a high common level of their maturity in the Union. Activities carried out by ENISA relating to the operational capacities of Member States should actively support actions taken by Member States to comply with their obligations under Directive (EU) 2016/1148 and therefore should not supersede them.

(26)  ENISA should also assist with the development and updating of strategies on the security of network and information systems at Union level and, upon request, at Member State level, in particular on cybersecurity, and should promote the dissemination of such strategies and follow the progress of their implementation. ENISA should also contribute to covering the need for training and training materials, including the needs of public bodies, and where appropriate, to a high extent, 'train the trainers', building on the Digital Competence Framework for Citizens with a view to assisting Member States and Union institutions, bodies, offices and agencies in developing their own training capabilities.

(27)  ENISA should support Member States in the field of cybersecurity awareness-raising and education by facilitating closer coordination and the exchange of best practices between Member States. Such support could consist in the development of a network of national education points of contact and the development of a cybersecurity training platform. The network of national education points of contact could operate within the National Liaison Officers Network and be a starting point for future coordination within the Member States.

(28)  ENISA should assist the Cooperation Group created by Directive (EU) 2016/1148 in the execution of its tasks, in particular by providing expertise, advice and by facilitating the exchange of best practices, inter alia with regard to the identification of operators of essential services by Member States, as well as in relation to cross-border dependencies, regarding risks and incidents.

(29)  With a view to stimulating cooperation between the public and private sector and within the private sector, in particular to support the protection of the critical infrastructures, ENISA should support information sharing within and among sectors, in particular the sectors listed in Annex II of Directive (EU) 2016/1148, by providing best practices and guidance on available tools and on procedure, as well as by providing guidance on how to address regulatory issues related to information sharing, for example through facilitating the establishment of sectoral information sharing and analysis centres.

(30)  Whereas the potential negative impact of vulnerabilities in ICT products, ICT services and ICT processes is constantly increasing, finding and remedying such vulnerabilities plays an important role in reducing the overall cybersecurity risk. Cooperation between organisations, manufacturers or providers of vulnerable ICT products, ICT services and ICT processes and members of the cybersecurity research community and governments who find vulnerabilities has been proven to significantly increase both the rate of discovery and the remedy of vulnerabilities in ICT products, ICT services and ICT processes. Coordinated vulnerability disclosure specifies a structured process of cooperation in which vulnerabilities are reported to the owner of the information system, allowing the organisation the opportunity to diagnose and remedy the vulnerability before detailed vulnerability information is disclosed to third parties or to the public. The process also provides for coordination between the finder and the organisation as regards the publication of those vulnerabilities. Coordinated vulnerability disclosure policies could play an important role in Member States’ efforts to enhance cybersecurity.

(31)  ENISA should aggregate and analyse voluntarily shared national reports from CSIRTs and the inter-institutional computer emergency response team for the Union's institutions, bodies and agencies ('CERT-EU') established by the Arrangement between the European Parliament, the European Council, the Council of the European Union, the European Commission, the Court of Justice of the European Union, the European Central Bank, the European Court of Auditors, the European External Action Service, the European Economic and Social Committee, the European Committee of the Regions and the European Investment Bank on the organisation and operation of a computer emergency response team for the Union's institutions, bodies and agencies (CERT-EU)(16) in order to contribute to the setting up of common procedures, language and terminology for the exchange of information. In that context ENISA should involve the private sector within the framework of Directive (EU) 2016/1148 which lays down the grounds for the voluntary exchange of technical information at the operational level, in the computer security incident response teams network ('CSIRTs network') created by that Directive.

(32)  ENISA should contribute to responses at Union level in the case of large-scale cross-border incidents and crises related to cybersecurity. That task should be performed in accordance with ENISA’s mandate under this Regulation and an approach to be agreed by Member States in the context of Commission Recommendation (EU) 2017/1584(17) and the Council conclusions of 26 June 2018 on EU Coordinated Response to Large-Scale Cybersecurity Incidents and Crises. That task could include gathering relevant information and acting as a facilitator between the CSIRTs network and the technical community, as well as between decision makers responsible for crisis management. Furthermore, ENISA should support operational cooperation among Member States, where requested by one or more Member States, in the handling of incidents from a technical perspective, by facilitating relevant exchanges of technical solutions between Member States, and by providing input into public communications. ENISA should support operational cooperation by testing the arrangements for such cooperation through regular cybersecurity exercises.

(33)  In supporting operational cooperation, ENISA should make use of the available technical and operational expertise of CERT-EU through structured cooperation. Such structured cooperation could build on ENISA's expertise. Where appropriate, dedicated arrangements between the two entities should be established to define the practical implementation of such cooperation and to avoid the duplication of activities.

(34)  In performing its task to support operational cooperation within the CSIRTs network, ENISA should be able to provide support to Member States at their request, such as by providing advice on how to improve their capabilities to prevent, detect and respond to incidents, by facilitating the technical handling of incidents having a significant or substantial impact or by ensuring that cyber threats and incidents are analysed. ENISA should facilitate the technical handling of incidents having a significant or substantial impact in particular by supporting the voluntary sharing of technical solutions between Member States or by producing combined technical information, such as technical solutions voluntarily shared by the Member States. Recommendation (EU) 2017/1584 recommends that Member States cooperate in good faith and share among themselves and with ENISA information on large-scale incidents and crises related to cybersecurity without undue delay. Such information would further help ENISA in performing its task of supporting operational cooperation.

(35)  As part of the regular cooperation at technical level to support Union situational awareness, ENISA, in close cooperation with the Member States, should prepare a regular in-depth EU Cybersecurity Technical Situation Report on incidents and cyber threats, based on publicly available information, its own analysis and reports shared with it by Member States' CSIRTs or the national single points of contact on the security of network and information systems ('single points of contact') provided for in Directive (EU) 2016/1148, both on a voluntary basis, the European Cybercrime Centre (EC3) at Europol, CERT-EU and, where appropriate, the European Union Intelligence and Situation Centre (EU INTCEN) at the European External Action Service. That report should be made available to the Council, the Commission, the High Representative of the Union for Foreign Affairs and Security Policy and the CSIRTs network.

(36)  The support by ENISA for ex-post technical inquiries of incidents having a significant or substantial impact undertaken at the request of the Member States concerned should focus on the prevention of future incidents. The Member States concerned should provide the necessary information and assistance in order to enable ENISA to effectively support the ex-post technical inquiry.

(37)  Member States may invite the undertakings concerned by the incident to cooperate by providing necessary information and assistance to ENISA without prejudice to their right to protect commercially sensitive information and information that is relevant to public security.

(38)  To understand better the challenges in the area of cybersecurity, and with a view to providing strategic long-term advice to Member States and Union institutions, bodies, offices and agencies, ENISA needs to analyse current and emerging cybersecurity risks. For that purpose, ENISA should, in cooperation with Member States and, as appropriate, with statistical bodies and other bodies, collect relevant publicly available or voluntarily shared information and perform analyses of emerging technologies and provide topic-specific assessments on the expected societal, legal, economic and regulatory impact of technological innovations on network and information security, in particular cybersecurity. ENISA should, furthermore, support Member States and Union institutions, bodies, offices and agencies in identifying emerging cybersecurity risks and preventing incidents, by performing analyses of cyber threats, vulnerabilities and incidents.

(39)  In order to increase the resilience of the Union, ENISA should develop expertise in the field of cybersecurity of infrastructures, in particular to support the sectors listed in Annex II of Directive (EU) 2016/1148 and those used by the providers of the digital services listed in Annex III of that Directive, by providing advice, issuing guidelines and exchanging best practices. With a view to ensuring easier access to better-structured information on cybersecurity risks and possible remedies, ENISA should develop and maintain the 'information hub' of the Union, a one-stop-shop portal providing the public with information on cybersecurity originating in Union and national institutions, bodies, offices and agencies. Facilitating access to better-structured information on cybersecurity risks and possible remedies could also help Member States bolster their capacities and align their practices, thus increasing their overall resilience to cyberattacks.

(40)  ENISA should contribute to raising the public's awareness of cybersecurity risks, including through an EU-wide awareness-raising campaign by promoting education, and to providing guidance on good practices for individual users aimed at citizens, organisations and businesses. ENISA should also contribute to promoting best practices and solutions, including cyber-hygiene and cyber-literacy at the level of citizens, organisations and businesses by collecting and analysing publicly available information regarding significant incidents, and by compiling and publishing reports and guidance for citizens, organisations and businesses, to improve their overall level of preparedness and resilience. ENISA should also strive to provide consumers with relevant information on applicable certification schemes, for example by providing guidelines and recommendations. ENISA should furthermore organise, in line with the Digital Education Action Plan established in the Commission Communication of 17 January 2018 and in cooperation with the Member States and Union institutions, bodies, offices and agencies regular outreach and public education campaigns directed at end-users, to promote safer online behaviour by individuals and digital literacy, to raise awareness of potential cyber threats, including online criminal activities such as phishing attacks, botnets, financial and banking fraud, data fraud incidents, and to promote basic multi-factor authentication, patching, encryption, anonymisation and data protection advice.

(41)  ENISA should play a central role in accelerating end-user awareness of the security of devices and the secure use of services, and should promote security-by-design and privacy-by-design at Union level. In pursuing that objective, ENISA should make use of available best practices and experience, especially the best practices and experience of academic institutions and IT security researchers.

(42)  In order to support the businesses operating in the cybersecurity sector, as well as the users of cybersecurity solutions, ENISA should develop and maintain a 'market observatory' by performing regular analyses and disseminating information on the main trends in the cybersecurity market, on both the demand and supply sides.

(43)  ENISA should contribute to the Union's efforts to cooperate with international organisations as well as within relevant international cooperation frameworks in the field of cybersecurity. In particular, ENISA should contribute, where appropriate, to cooperation with organisations such as OECD, OSCE and NATO. Such cooperation could include joint cybersecurity exercises and joint incident response coordination. Those activities are to be carried out in full respect of the principles of inclusiveness, reciprocity and the decision-making autonomy of the Union, without prejudice to the specific character of the security and defence policy of any Member State.

(44)  In order to ensure that it fully achieves its objectives, ENISA should liaise with the relevant Union supervisory authorities and with other competent authorities in the Union, Union institutions, bodies, offices and agencies, including CERT-EU, EC3, the European Defence Agency (EDA), the European Global Navigation Satellite Systems Agency (European GNSS Agency), the Body of European Regulators for Electronic Communications (BEREC), the European Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), the European Central Bank (ECB), the European Banking Authority (EBA), the European Data Protection Board, the Agency for the Cooperation of Energy Regulators (ACER), the European Union Aviation Safety Agency (EASA) and any other Union agency involved in cybersecurity. ENISA should also liaise with authorities that deal with data protection in order to exchange know-how and best practices and should provide advice on cybersecurity issues that might have an impact on their work. Representatives of national and Union law enforcement and data protection authorities should be eligible to be represented in the ENISA Advisory Group. In liaising with law enforcement authorities regarding network and information security issues that might have an impact on their work, ENISA should respect existing channels of information and established networks.

(45)  Partnerships could be established with academic institutions that have research initiatives in relevant fields, and there should be appropriate channels for input from consumer organisations and other organisations, which should be taken into consideration.

(46)  ENISA, in its role as the secretariat of the CSIRTs network, should support Member States' CSIRTs and the CERT-EU in the operational cooperation in relation to the relevant tasks of the CSIRTs network, as referred to in Directive (EU) 2016/1148. Furthermore, ENISA should promote and support cooperation between the relevant CSIRTs in the event of incidents, attacks or disruptions of networks or infrastructure managed or protected by the CSIRTs and involving or being capable of involving at least two CSIRTs while taking due account of the Standard Operating Procedures of the CSIRTs network.

(47)  With a view to increasing Union preparedness in responding to incidents, ENISA should regularly organise cybersecurity exercises at Union level, and, at their request, support Member States and Union institutions, bodies, offices and agencies in organising such exercises. Large-scale comprehensive exercises which include technical, operational or strategic elements should be organised on a biennial basis. In addition, ENISA should be able to regularly organise less comprehensive exercises with the same goal of increasing Union preparedness in responding to incidents.

(48)  ENISA should further develop and maintain its expertise on cybersecurity certification with a view to supporting the Union policy in that area. ENISA should build on existing best practices and should promote the uptake of cybersecurity certification within the Union, including by contributing to the establishment and maintenance of a cybersecurity certification framework at Union level (European cybersecurity certification framework) with a view to increasing the transparency of the cybersecurity assurance of ICT products, ICT services and ICT processes, thereby strengthening trust in the digital internal market and its competitiveness.

(49)  Efficient cybersecurity policies should be based on well-developed risk assessment methods, in both the public and private sectors. Risk assessment methods are used at different levels, with no common practice regarding how to apply them efficiently. Promoting and developing best practices for risk assessment and for interoperable risk management solutions in public-sector and private-sector organisations will increase the level of cybersecurity in the Union. To that end, ENISA should support cooperation between stakeholders at Union level and facilitate their efforts relating to the establishment and take-up of European and international standards for risk management and for the measurable security of electronic products, systems, networks and services which, together with software, comprise the network and information systems.

(50)  ENISA should encourage Member States, manufacturers or providers of ICT products, ICT services or ICT processes to raise their general security standards so that all internet users can take the necessary steps to ensure their own personal cybersecurity and should give incentives to do so. In particular, manufacturers and providers of ICT products, ICT services or ICT processes should provide any necessary updates and should recall, withdraw or recycle ICT products, ICT services or ICT processes that do not meet cybersecurity standards, while importers and distributors should make sure that the ICT products, ICT services and ICT processes they place on the Union market comply with the applicable requirements and do not present a risk to Union consumers.

(51)  In cooperation with competent authorities, ENISA should be able to disseminate information regarding the level of the cybersecurity of the ICT products, ICT services and ICT processes offered in the internal market, and should issue warnings targeting manufacturers or providers of ICT products, ICT services or ICT processes and requiring them to improve the security of their ICT products, ICT services and ICT processes, including the cybersecurity.

(52)  ENISA should take full account of the ongoing research, development and technological assessment activities, in particular those activities carried out by the various Union research initiatives to advise Union institutions, bodies, offices and agencies and where relevant, the Member States at their request, on research needs and priorities in the field of cybersecurity. In order to identify the research needs and priorities, ENISA should also consult the relevant user groups. More specifically, cooperation with the European Research Council, the European Institute for Innovation and Technology and the European Union Institute for Security Studies could be established.

(53)  ENISA should regularly consult standardisation organisations, in particular European standardisation organisations, when preparing the European cybersecurity certification schemes.

(54)  Cyber threats are a global issue. There is a need for closer international cooperation to improve cybersecurity standards, including the need for definitions of common norms of behaviour, the adoption of codes of conduct, the use of international standards, and information sharing, promoting swifter international collaboration in response to network and information security issues and promoting a common global approach to such issues. To that end, ENISA should support further Union involvement and cooperation with third countries and international organisations by providing the necessary expertise and analysis to the relevant Union institutions, bodies, offices and agencies, where appropriate.

(55)  ENISA should be able to respond to ad hoc requests for advice and assistance by Member States and Union institutions, bodies, offices and agencies on matters falling within ENISA’s mandate.

(56)  It is sensible and recommended to implement certain principles regarding the governance of ENISA in order to comply with the Joint Statement and Common Approach agreed upon in July 2012 by the Inter-Institutional Working Group on EU decentralised agencies, the purpose of which is to streamline the activities of decentralised agencies and improve their performance. The recommendations in the Joint Statement and Common Approach should also be reflected, as appropriate, in ENISA’s work programmes, evaluations of ENISA, and ENISA’s reporting and administrative practice.

(57)  The Management Board, composed of the representatives of the Member States and of the Commission, should establish the general direction of ENISA’s operations and ensure that it carries out its tasks in accordance with this Regulation. The Management Board should be entrusted with the powers necessary to establish the budget, verify the execution of the budget, adopt appropriate financial rules, establish transparent working procedures for decision making by ENISA, adopt ENISA’s single programming document, adopt its own rules of procedure, appoint the Executive Director and decide on the extension and termination of the Executive Director’s term of office.

(58)  In order for ENISA to function properly and effectively, the Commission and the Member States should ensure that persons to be appointed to the Management Board have appropriate professional expertise and experience. The Commission and the Member States should also make efforts to limit the turnover of their respective representatives on the Management Board in order to ensure continuity in its work.

(59)  The smooth functioning of ENISA requires that its Executive Director be appointed on grounds of merit and documented administrative and managerial skills, as well as competence and experience relevant to cybersecurity. The duties of the Executive Director should be carried out with complete independence. The Executive Director should prepare a proposal for ENISA’s annual work programme, after prior consultation with the Commission, and should take all steps necessary to ensure the proper implementation of that work programme. The Executive Director should prepare an annual report to be submitted to the Management Board, covering the implementation of ENISA’s annual work programme, draw up a draft statement of estimates of revenue and expenditure for ENISA, and implement the budget. Furthermore, the Executive Director should have the option of setting up ad hoc working groups to address specific matters, in particular matters of a scientific, technical, legal or socioeconomic nature. In particular, in relation to the preparation of a specific candidate European cybersecurity certification scheme ('candidate scheme'), the setting up of an ad hoc Working Group is considered to be necessary. The Executive Director should ensure that the members of ad hoc working groups are selected according to the highest standards of expertise, aiming to ensure gender balance and an appropriate balance, according to the specific issues in question, between the public administrations of the Member States, the Union institutions, bodies, offices and agencies and the private sector, including industry, users, and academic experts in network and information security.

(60)  The Executive Board should contribute to the effective functioning of the Management Board. As part of its preparatory work related to Management Board decisions, the Executive Board should examine relevant information in detail, explore available options and offer advice and solutions to prepare the decisions of the Management Board.

(61)  ENISA should have an ENISA Advisory Group as an advisory body to ensure regular dialogue with the private sector, consumers’ organisations and other relevant stakeholders. The ENISA Advisory Group, established by the Management Board on a proposal from the Executive Director, should focus on issues relevant to stakeholders and should bring them to the attention of ENISA. The ENISA Advisory Group should be consulted in particular with regard to ENISA’s draft annual work programme. The composition of the ENISA Advisory Group and the tasks assigned to it should ensure sufficient representation of stakeholders in the work of ENISA.

(62)  The Stakeholder Cybersecurity Certification Group should be established in order to help ENISA and the Commission facilitate consultation of relevant stakeholders. The Stakeholder Cybersecurity Certification Group should be composed of members representing industry in balanced proportions, both on the demand side and the supply side of ICT products and ICT services, and including, in particular, SMEs, digital service providers, European and international standardisation bodies, national accreditation bodies, data protection supervisory authorities and conformity assessment bodies pursuant to Regulation (EC) No 765/2008 of the European Parliament and of the Council(18), and academia as well as consumer organisations.

(63)  ENISA should have rules in place regarding the prevention and the management of conflicts of interest. ENISA should also apply the relevant Union provisions concerning public access to documents as set out in Regulation (EC) No 1049/2001 of the European Parliament and of the Council(19). The processing of personal data by ENISA should be subject to Regulation (EU) 2018/1725 of the European Parliament and of the Council(20). ENISA should comply with the provisions applicable to the Union institutions, bodies, offices and agencies, and with national legislation regarding the handling of information, in particular sensitive non-classified information and European Union classified information (EUCI).

(64)  In order to guarantee the full autonomy and independence of ENISA and to enable it to perform additional tasks, including unforeseen emergency tasks, ENISA should be granted a sufficient and autonomous budget whose revenue should primarily come from a contribution from the Union and contributions from third countries participating in ENISA’s work. An appropriate budget is paramount for ensuring that ENISA has sufficient capacity to perform all of its growing tasks and to achieve its objectives. The majority of ENISA’s staff should be directly engaged in the operational implementation of ENISA’s mandate. The host Member State, and any other Member State, should be allowed to make voluntary contributions to ENISA’s budget. The Union’s budgetary procedure should remain applicable as far as any subsidies chargeable to the general budget of the Union are concerned. Moreover, the Court of Auditors should audit ENISA’s accounts to ensure transparency and accountability.

(65)  Cybersecurity certification plays an important role in increasing trust and security in ICT products, ICT services and ICT processes. The digital single market, and in particular the data economy and the IoT, can thrive only if there is general public trust that such products, services and processes provide a certain level of cybersecurity. Connected and automated cars, electronic medical devices, industrial automation control systems and smart grids are only some examples of sectors in which certification is already widely used or is likely to be used in the near future. The sectors regulated by Directive (EU) 2016/1148 are also sectors in which cybersecurity certification is critical.

(66)  In the 2016 Communication "Strengthening Europe's Cyber Resilience System and Fostering a Competitive and Innovative Cybersecurity Industry", the Commission outlined the need for high-quality, affordable and interoperable cybersecurity products and solutions. The supply of ICT products, ICT services and ICT processes within the single market remains very fragmented geographically. This is because the cybersecurity industry in Europe has developed largely on the basis of national governmental demand. In addition, the lack of interoperable solutions (technical standards), practices and Union-wide mechanisms of certification are among the other gaps affecting the single market in the field of cybersecurity. This makes it difficult for European businesses to compete at national, Union and global level. It also reduces the choice of viable and usable cybersecurity technologies that individuals and businesses have access to. Similarly, in the 2017 Communication on the Mid-Term Review on the implementation of the Digital Single Market Strategy – A Connected Digital Single Market for All, the Commission highlighted the need for safe connected products and systems, and indicated that the creation of a European ICT security framework setting rules on how to organise ICT security certification in the Union could both preserve trust in the internet and tackle the current fragmentation of the internal market.

(67)  Currently, the cybersecurity certification of ICT products, ICT services and ICT processes is used only to a limited extent. When it exists, it mostly occurs at Member State level or in the framework of industry driven schemes. In that context, a certificate issued by a national cybersecurity certification authority is not in principle recognised in other Member States. Companies thus may have to certify their ICT products, ICT services and ICT processes in several Member States where they operate, for example, with a view to participating in national procurement procedures, which thereby adds to their costs. Moreover, while new schemes are emerging, there seems to be no coherent and holistic approach to horizontal cybersecurity issues, for instance in the field of the IoT. Existing schemes present significant shortcomings and differences in terms of product coverage, levels of assurance, substantive criteria and actual use, impeding mutual recognition mechanisms within the Union.

(68)  Some efforts have been made in order to ensure the mutual recognition of certificates within the Union. However, they have been only partly successful. The most important example in this regard is the Senior Officials Group – Information Systems Security (SOG-IS) Mutual Recognition Agreement (MRA). While it represents the most important model for cooperation and mutual recognition in the field of security certification, SOG-IS includes only some of the Member States. That fact has limited the effectiveness of SOG-IS MRA from the point of view of the internal market.

(69)  Therefore, it is necessary to adopt a common approach and to establish a European cybersecurity certification framework that lays down the main horizontal requirements for European cybersecurity certification schemes to be developed and allows European cybersecurity certificates and EU statements of conformity for ICT products, ICT services or ICT processes to be recognised and used in all Member States. In doing so, it is essential to build on existing national and international schemes, as well as on mutual recognition systems, in particular SOG-IS, and to make possible a smooth transition from the existing schemes under such systems to schemes under the new European cybersecurity certification framework. The European cybersecurity certification framework should have a twofold purpose. First, it should help increase trust in ICT products, ICT services and ICT processes that have been certified according to European cybersecurity certification schemes. Second, it should help avoid the multiplication of conflicting or overlapping national cybersecurity certification schemes and thus reduce costs for undertakings operating in the digital single market. The European cybersecurity certification schemes should be non-discriminatory and based on European or international standards, unless those standards are ineffective or inappropriate to fulfil the Union’s legitimate objectives in that regard.

(70)  The European cybersecurity certification framework should be established in a uniform manner in all Member States in order to prevent ‘certification shopping’ based on different levels of stringency in different Member States.

(71)  European cybersecurity certification schemes should be built on what already exists at international and national level and, if necessary, on technical specifications from forums and consortia, learning from current strong points and assessing and correcting weaknesses.

(72)  Flexible cybersecurity solutions are necessary for the industry to stay ahead of cyber threats, and therefore any certification scheme should be designed in a way that avoids the risk of being outdated quickly.

(73)  The Commission should be empowered to adopt European cybersecurity certification schemes concerning specific groups of ICT products, ICT services and ICT processes. Those schemes should be implemented and supervised by national cybersecurity certification authorities, and certificates issued under those schemes should be valid and recognised throughout the Union. Certification schemes operated by the industry or by other private organisations should fall outside of the scope of this Regulation. However, the bodies operating such schemes should be able to propose that the Commission consider such schemes as a basis for approving them as a European cybersecurity certification scheme.

(74)  The provisions of this Regulation should be without prejudice to Union law providing specific rules on the certification of ICT products ▌, ICT services and ICT processes. In particular, Regulation (EU) 2016/679 lays down provisions for the establishment of certification mechanisms and of data protection seals and marks, for the purpose of demonstrating the compliance of processing operations by controllers and processors with that Regulation. Such certification mechanisms and data protection seals and marks should allow data subjects to quickly assess the level of data protection of the relevant ICT products, ICT services and ICT processes. This Regulation is without prejudice to the certification of data processing operations under Regulation (EU) 2016/679, including when such operations are embedded in ICT products, ICT services and ICT processes.

(75)  The purpose of European cybersecurity certification schemes should be to ensure that ICT products ▌, ICT services and ICT processes certified under such schemes comply with specified requirements that aim to protect the availability, authenticity, integrity and confidentiality of stored, transmitted or processed data or of the related functions of or services offered by, or accessible via those products, services and processes throughout their lifecycle. It is not possible to set out in detail the cybersecurity requirements relating to all ICT products ▌, ICT services and ICT processes in this Regulation. ICT products ▌, ICT services and ICT processes and the cybersecurity needs related to those products, services and processes are so diverse that it is very difficult to develop general cybersecurity requirements that are valid in all circumstances. It is therefore necessary to adopt a broad and general notion of cybersecurity for the purpose of certification, which should be complemented by a set of specific cybersecurity objectives that are to be taken into account when designing European cybersecurity certification schemes. The arrangements by which such objectives are to be achieved in specific ICT products ▌, ICT services and ICT processes should then be further specified in detail at the level of the individual certification scheme adopted by the Commission, for example by reference to standards or technical specifications if no appropriate standards are available.

(76)  The technical specifications to be used in European cybersecurity certification schemes should respect the requirements set out in Annex II of Regulation (EU) No 1025/2012 of the European Parliament and of the Council(21). Some deviations from those requirements could, however, be considered to be necessary in duly justified cases where those technical specifications are to be used in a European cybersecurity certification scheme referring to assurance level 'high'. The reasons for such deviations should be made publicly available.

(77)  A conformity assessment is a procedure for evaluating whether specified requirements relating to an ICT product, ICT service or ICT process have been fulfilled. That procedure is carried out by an independent third party that is not the manufacturer or provider of the ICT products, ICT services or ICT processes that are being assessed. A European cybersecurity certificate should be issued following the successful evaluation of an ICT product, ICT service or ICT process. A European cybersecurity certificate should be considered to be a confirmation that the evaluation has been properly carried out. Depending on the assurance level, the European cybersecurity certification scheme should indicate whether the European cybersecurity certificate is to be issued by a private or public body. Conformity assessment and certification cannot guarantee per se that certified ICT products, ICT services and ICT processes are cyber secure. They are instead procedures and technical methodologies for attesting that ICT products, ICT services and ICT processes have been tested and that they comply with certain cybersecurity requirements laid down elsewhere, for example in technical standards.

(78)  The choice of the appropriate certification and associated security requirements by the users of European cybersecurity certificates should be based on an analysis of the risks associated with the use of the ICT products, ICT services or ICT processes. Accordingly, the assurance level should thus be commensurate with the level of the risk associated with the intended use of an ICT product, ICT service or ICT process.

(79)  European cybersecurity certification schemes could provide for a conformity assessment to be carried out under the sole responsibility of the manufacturer or provider of ICT products, ICT services or ICT processes (conformity self-assessment). In such cases, it should be sufficient that the manufacturer or provider of ICT products, ICT services or ICT processes itself carry out all of the checks to ensure that the ICT products, ICT services or ICT processes conform with the European cybersecurity certification scheme. Conformity self-assessment should be considered to be appropriate for low complexity ICT products, ICT services or ICT processes that present a low risk to the public, such as simple design and production mechanisms. Moreover, conformity self-assessment should be permitted for ICT products, ICT services or ICT processes only where they correspond to assurance level 'basic'.

(80)  European cybersecurity certification schemes could allow for both conformity self-assessments and certifications of ICT products, ICT services or ICT processes. In such a case, the scheme should provide for clear and understandable means for consumers or other users to differentiate between ICT products, ICT services or ICT processes with regard to which the manufacturer or provider of ICT products, ICT services or ICT processes is responsible for the assessment, and ICT products, ICT services or ICT processes that are certified by a third party.

(81)  The manufacturer or provider of ICT products, ICT services or ICT processes who carry out a conformity self-assessment should be able to issue and sign the EU statement of conformity as part of the conformity-assessment procedure. An EU statement of conformity is a document that states that a specific ICT product, ICT service or ICT process complies with the requirements of the European cybersecurity certification scheme. By issuing and signing the EU statement of conformity, the manufacturer or provider of ICT products, ICT services or ICT processes assumes responsibility for the compliance of the ICT product, ICT service or ICT process with the legal requirements of the European cybersecurity certification scheme. A copy of the EU statement of conformity should be submitted to the national cybersecurity certification authority and to ENISA.

(82)  Manufacturers or providers of ICT products, ICT services or ICT processes should make the EU statement of conformity, technical documentation, and all other relevant information relating to the conformity of the ICT products, ICT services or ICT processes with a European cybersecurity certification scheme available to the competent national cybersecurity certification authority for a period provided for in the relevant European cybersecurity certification scheme. The technical documentation should specify the requirements applicable under the scheme and should cover the design, manufacture and operation of the ICT product, ICT service or ICT process to the extent relevant to the conformity self-assessment. The technical documentation should be so compiled as to enable the assessment of whether an ICT product or ICT service complies with the requirements applicable under that scheme.

(83)  The governance of the European cybersecurity certification framework takes into account the involvement of Member States as well as the appropriate involvement of stakeholders, and establishes the role of the Commission during the planning and proposing, requesting, preparing, adopting and reviewing of European cybersecurity certification schemes.

(84)  ▌The Commission should prepare, with the support of the European Cybersecurity Certification Group (the 'ECCG') and the Stakeholder Cybersecurity Certification Group and after an open and wide consultation, a Union rolling work programme for European cybersecurity certification schemes and should publish it in the form of a non-binding instrument. The Union rolling work programme should be a strategic document that allows industry, national authorities and standardisation bodies, in particular, to prepare in advance for future European cybersecurity certification schemes. The Union rolling work programme should include a multiannual overview of the requests for candidate schemes which the Commission intends to submit to ENISA for preparation on the basis of specific grounds. The Commission should take into account the Union rolling work programme while preparing its Rolling Plan for ICT Standardisation and standardisation requests to European standardisation organisations. In light of the rapid introduction and uptake of new technologies, the emergence of previously unknown cybersecurity risks, and legislative and market developments, the Commission or the ECCG should be entitled to request ENISA to prepare candidate schemes which have not been included in the Union rolling work programme. In such cases, the Commission and the ECCG should also assess the necessity of such a request, taking into account the overall aims and objectives of this Regulation and the need to ensure continuity as regards ENISA’s planning and use of resources.

Following such a request, ENISA should prepare the candidate schemes for specific ICT products, ICT services and ICT processes without undue delay. The Commission should evaluate the positive and negative impact of its request on the specific market in question, especially its impact on SMEs, on innovation, on barriers to entry to that market and on costs to end users. The Commission, on the basis of the candidate scheme prepared by ENISA, should be empowered to adopt the European cybersecurity certification scheme by means of implementing acts. Taking account of the general purpose and security objectives laid down in this Regulation, European cybersecurity certification schemes adopted by the Commission should specify a minimum set of elements concerning the subject matter, scope and functioning of the individual scheme. Those elements should include, among other things, the scope and object of the cybersecurity certification, including the categories of ICT products ▌, ICT services and ICT processes covered, the detailed specification of the cybersecurity requirements, for example by reference to standards or technical specifications, the specific evaluation criteria and evaluation methods, as well as the intended assurance level ('basic', 'substantial' or 'high') and the evaluation levels where applicable. ENISA should be able to refuse a request by the ECCG. Such decisions should be taken by the Management Board and should be duly reasoned.

(85)  ENISA should maintain a website providing information on and publicising European cybersecurity certification schemes, which should include, among other things, the requests for the preparation of a candidate scheme as well as the feedback received in the consultation process carried out by ENISA in the preparation phase. The website should also provide information about the European cybersecurity certificates and EU statements of conformity issued under this Regulation including information regarding the withdrawal and expiry of such European cybersecurity certificates and EU statements of conformity. The website should also indicate the national cybersecurity certification schemes that have been replaced by a European cybersecurity certification scheme.

(86)  The assurance level of a European certification scheme is a basis for confidence that an ICT product, ICT service or ICT process meets the security requirements of a specific European cybersecurity certification scheme. In order to ensure the consistency of the European cybersecurity certification framework, a European cybersecurity certification scheme should be able to specify assurance levels for European cybersecurity certificates and EU statements of conformity issued under that scheme. Each European cybersecurity certificate might refer to one of the assurance levels: 'basic', 'substantial' or 'high', while the EU statement of conformity might only refer to the assurance level 'basic'. The assurance levels would provide the corresponding rigour and depth of the evaluation of the ICT product, ICT service or ICT process and would be characterised by reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to mitigate or prevent incidents. Each assurance level should be consistent among the different sectorial domains where certification is applied.

(87)  A European cybersecurity certification scheme might specify several evaluation levels depending on the rigour and depth of the evaluation methodology used. Evaluation levels should correspond to one of the assurance levels and should be associated with an appropriate combination of assurance components. For all assurance levels, the ICT product, ICT service or ICT process should contain a number of secure functions, as specified by the scheme, which may include: a secure out-of-the-box configuration, a signed code, secure update and exploit mitigations and full stack or heap memory protections. Those functions should have been developed, and be maintained, using security-focused development approaches and associated tools to ensure that effective software and hardware mechanisms are reliably incorporated.

(88)  For assurance level 'basic', the evaluation should be guided at least by the following assurance components: the evaluation should at least include a review of the technical documentation of the ICT product, ICT service or ICT process by the conformity assessment body. Where the certification includes ICT processes, the process used to design, develop and maintain an ICT product or ICT service should also be subject to the technical review. Where a European cybersecurity certification scheme provides for a conformity self-assessment, it should be sufficient that the manufacturer or provider of ICT products, ICT services or ICT processes has carried out a self-assessment of the compliance of the ICT product, ICT service or ICT process with the certification scheme.

(89)  For assurance level 'substantial', the evaluation, in addition to the requirements for assurance level 'basic', should be guided at least by the verification of the compliance of the security functionalities of the ICT product, ICT service or ICT process with its technical documentation.

(90)  For assurance level 'high', the evaluation, in addition to the requirements for assurance level 'substantial', should be guided at least by an efficiency testing which assesses the resistance of the security functionalities of ICT product, ICT service or ICT process against elaborate cyberattacks performed by persons who have significant skills and resources.

(91)  Recourse to European cybersecurity certification and to EU statements of conformity should remain voluntary, unless otherwise provided for in Union law, or in Member State law adopted in accordance with Union law. In the absence of harmonised Union law, Member States are able to adopt national technical regulations providing for mandatory certification under a European cybersecurity certification scheme in accordance with Directive (EU) 2015/1535 of the European Parliament and of the Council(22). Member States also have recourse to European cybersecurity certification in the context of public procurement and of Directive 2014/24/EU of the European Parliament and of the Council(23).

(92)  In some areas, it could be necessary in the future to impose specific cybersecurity requirements and make the certification thereof mandatory for certain ICT products, ICT services or ICT processes, in order to improve the level of cybersecurity in the Union. The Commission should regularly monitor the impact of adopted European cybersecurity certification schemes on the availability of secure ICT products, ICT services and ICT processes in the internal market and should regularly assess the level of use of the certification schemes by the manufacturers or providers of ICT products, ICT services or ICT processes in the Union. The efficiency of the European cybersecurity certification schemes, and whether specific schemes should be made mandatory, should be assessed in light of the cybersecurity-related legislation of the Union, in particular Directive (EU) 2016/1148, taking into consideration the security of the network and information systems used by operators of essential services.

(93)  European cybersecurity certificates and EU statements of conformity should help end users to make informed choices. Therefore, ICT products, ICT services and ICT processes that have been certified or for which an EU statement of conformity has been issued should be accompanied by structured information that is adapted to the expected technical level of the intended end user. All such information should be available online, and, where appropriate, in physical form. The end user should have access to information regarding the reference number of the certification scheme, the assurance level, the description of the cybersecurity risks associated with the ICT product, ICT service or ICT process, and the issuing authority or body, or should be able to obtain a copy of the European cybersecurity certificate. In addition, the end user should be informed of the cybersecurity support policy, namely for how long the end user can expect to receive cybersecurity updates or patches, of the manufacturer or provider of ICT products, ICT services or ICT processes. Where applicable, guidance on actions or settings that the end user can implement to maintain or increase the cybersecurity of the ICT product or of the ICT service and contact information of a single point of contact to report and receive support in the case of cyberattacks (in addition to automatic reporting) should be provided. That information should be regularly updated and made available on a website providing information on European cybersecurity certification schemes.

(94)  With a view to achieving the objectives of this Regulation and avoiding the fragmentation of the internal market, national cybersecurity certification schemes or procedures for ICT products, ICT services or ICT processes covered by a European cybersecurity certification scheme should cease to be effective from a date established by the Commission by means of implementing acts. Moreover, Member States should not introduce new national cybersecurity certification schemes for ICT products, ICT services or ICT processes already covered by an existing European cybersecurity certification scheme. However, Member States should not be prevented from adopting or maintaining national cybersecurity certification schemes for national security purposes. Member States should inform the Commission and the ECCG of any intention to draw up new national cybersecurity certification schemes. The Commission and the ECCG should evaluate the impact of the new national cybersecurity certification schemes on the proper functioning of the internal market and in light of any strategic interest in requesting a European cybersecurity certification scheme instead.

(95)  European cybersecurity certification schemes are intended to help harmonise cybersecurity practices within the Union. They need to contribute to increase the level of cybersecurity within the Union. The design of the European cybersecurity certification schemes should take into account and allow for the development of innovations in the field of cybersecurity.

(96)  European cybersecurity certification schemes should take into account current software and hardware development methods and, in particular, the impact of frequent software or firmware updates on individual European cybersecurity certificates. European cybersecurity certification schemes should specify the conditions under which an update may require that an ICT product, ICT service or ICT process be recertified or that the scope of a specific European cybersecurity certificate be reduced, taking into account any possible adverse effects of the update on compliance with the security requirements of that certificate.

(97)  Once a European cybersecurity certification scheme is adopted, manufacturers or providers of ICT products, ICT services or ICT processes should be able to submit applications for certification of their ICT products or ICT services to the conformity assessment body of their choice anywhere in the Union. Conformity assessment bodies should be accredited by a national accreditation body if they comply with certain specified requirements set out in this Regulation. Accreditation should be issued for a maximum of five years and should be renewable on the same conditions provided that the conformity assessment body still meets the requirements. National accreditation bodies should restrict, suspend or revoke the accreditation of a conformity assessment body where the conditions for the accreditation have not been met or are no longer met, or where the conformity assessment body infringes this Regulation.

(98)  References in national legislation to national standards which have ceased to be effective due to the entry into force of a European cybersecurity certification scheme can be a source of confusion. Therefore, Member States should reflect the adoption of a European cybersecurity certification scheme in their national legislation.

(99)  In order to achieve equivalent standards throughout the Union, to facilitate mutual recognition and to promote the overall acceptance of European cybersecurity certificates and EU statements of conformity, it is necessary to put in place a system of peer review between national cybersecurity certification authorities. Peer review should cover procedures for supervising the compliance of ICT products, ICT services and ICT processes with European cybersecurity certificates, for monitoring the obligations of manufacturers or providers of ICT products, ICT services or ICT processes who carry out the conformity self-assessment, for monitoring conformity assessment bodies, as well as the appropriateness of the expertise of the staff of bodies issuing certificates for assurance level 'high'. The Commission should be able, by means of implementing acts, to establish at least a five-year plan for peer reviews, as well as lay down criteria and methodologies for the operation of the peer review system.

(100)  Without prejudice to the general peer review system to be put in place across all national cybersecurity certification authorities within the European cybersecurity certification framework, certain European cybersecurity certification schemes may include a peer-assessment mechanism for the bodies that issue European cybersecurity certificates for ICT products, ICT services and ICT processes with an assurance level 'high' under such schemes. The ECCG should support the implementation of such peer-assessment mechanisms. The peer assessments should assess in particular whether the bodies concerned carry out their tasks in a harmonised way, and may include appeal mechanisms. The results of the peer assessments should be made publicly available. The bodies concerned may adopt appropriate measures to adapt their practices and expertise accordingly.

(101)  ▌ Member States should designate one or more national cybersecurity certification authorities to supervise compliance with obligations arising from this Regulation. A national cybersecurity certification authority may be an existing or new authority. A Member State should also be able to designate, after agreeing with another Member State, one or more national cybersecurity certification authorities in the territory of that other Member State.

(102)  National cybersecurity certification authorities should in particular monitor and enforce the obligations of manufacturers or providers of ICT products, ICT services or ICT processes established in its respective territory in relation to the EU statement of conformity, should assist the national accreditation bodies in the monitoring and supervision of activities of conformity assessment bodies by providing them with expertise and relevant information, should authorise conformity assessment bodies to carry out their tasks where such bodies meet additional requirements set out in a European cybersecurity certification scheme, and should monitor relevant developments in the field of cybersecurity certification ▌. National cybersecurity certification ▌authorities should also handle complaints lodged by natural or legal persons in relation to European cybersecurity certificates issued by those authorities or in relation to European cybersecurity certificates issued by conformity assessment bodies, where such certificates indicate assurance level 'high', should investigate, to the extent appropriate, the subject matter of the complaint and should inform the complainant of the progress and the outcome of the investigation within a reasonable period. Moreover, national cybersecurity certification authorities should cooperate with other national cybersecurity certification ▌ authorities or other public authorities, including by the sharing of information on the possible non-compliance of ICT products, ICT services and ICT processes with the requirements of this Regulation or with specific European cybersecurity certification schemes. 
The Commission should facilitate that sharing of information by making available a general electronic information support system, for example the Information and Communication System on Market Surveillance (ICSMS) and the Rapid Alert System for dangerous non-food products (RAPEX), already used by market surveillance authorities pursuant to Regulation (EC) No 765/2008.

(103)  With a view to ensuring the consistent application of the European cybersecurity certification framework, an ECCG that consists of representatives of national cybersecurity certification authorities or other relevant national authorities should be established. The main tasks of the ECCG should be to advise and assist the Commission in its work towards ensuring the consistent implementation and application of the European cybersecurity certification framework, to assist and closely cooperate with ENISA in the preparation of candidate cybersecurity certification schemes, in duly justified cases to request ENISA to prepare a candidate scheme, and to adopt opinions addressed to ENISA on candidate schemes and to adopt opinions addressed to the Commission on the maintenance and review of existing European cybersecurity certification schemes. The ECCG should facilitate the exchange of good practices and expertise between the various national cybersecurity certification authorities that are responsible for the authorisation of conformity assessment bodies and the issuance of European cybersecurity certificates.

(104)  In order to raise awareness and to facilitate the acceptance of future European cybersecurity certification schemes, the Commission may issue general or sector-specific cybersecurity guidelines, for example on good cybersecurity practices or responsible cybersecurity behaviour highlighting the positive effect of the use of certified ICT products ▌, ICT services and ICT processes.

(105)  In order to further facilitate trade, and recognising that ICT supply chains are global, mutual recognition agreements concerning European cybersecurity certificates may be concluded by the Union in accordance with Article 218 of the Treaty on the Functioning of the European Union (TFEU). The Commission, taking into account the advice from ENISA and the European Cybersecurity Certification Group, may recommend the opening of relevant negotiations. Each European cybersecurity certification scheme should provide specific conditions for such mutual recognition agreements with third countries.

(106)  In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council(24).

(107)  The examination procedure should be used for the adoption of implementing acts on European cybersecurity certification schemes for ICT products, ICT services or ICT processes, for the adoption of implementing acts on arrangements for carrying out inquiries by ENISA, for the adoption of implementing acts on a plan for the peer review of national cybersecurity certification authorities, as well as for the adoption of implementing acts on the circumstances, formats and procedures of notifications of accredited conformity assessment bodies by the national cybersecurity certification ▌authorities to the Commission.

(108)  ENISA’s operations should be subject to regular and independent evaluation. That evaluation should have regard to ENISA's objectives, its working practices and the relevance of its tasks, in particular its tasks relating to the operational cooperation at Union level. That evaluation should also assess the impact, effectiveness and efficiency of the European cybersecurity certification framework. In the event of a review, the Commission should evaluate how ENISA’s role as a reference point for advice and expertise can be reinforced and should also evaluate the possibility of a role for ENISA on supporting the assessment of third country ICT products, ICT services and ICT processes that do not comply with Union rules, where such products, services and processes enter the Union.

(109)  Since the objectives of this Regulation cannot be sufficiently achieved by the Member States but can rather be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.

(110)  Regulation (EU) No 526/2013 should be repealed,

HAVE ADOPTED THIS REGULATION:

TITLE I

GENERAL PROVISIONS

Article 1

Subject matter and scope

1.   With a view to ensuring the proper functioning of the internal market while aiming to achieve a high level of cybersecurity, cyber resilience and trust within the Union, this Regulation lays down:

(a)  objectives, tasks and organisational matters relating to ENISA (the European Union Agency for Cybersecurity) ▌; and

(b)  a framework for the establishment of European cybersecurity certification schemes for the purpose of ensuring an adequate level of cybersecurity for ICT products, ICT services and ICT processes in the Union, as well as for the purpose of avoiding the fragmentation of the internal market with regard to cybersecurity certification schemes in the Union.

The framework referred to in point (b) of the first subparagraph applies without prejudice to specific provisions in other Union legal acts regarding voluntary or mandatory certification ▌.

2.  This Regulation is without prejudice to the competences of the Member States regarding activities concerning public security, defence, national security and the activities of the State in areas of criminal law.

Article 2

Definitions

For the purposes of this Regulation, the following definitions apply:

(1)  ‘cybersecurity’ means the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats;

(2)  ‘network and information system’ means a network and information system as defined in point (1) of Article 4 of Directive (EU) 2016/1148;

(3)  ‘national strategy on the security of network and information systems’ means a national strategy on the security of network and information systems as defined in point (3) of Article 4 of Directive (EU) 2016/1148;

(4)  ‘operator of essential services’ means an operator of essential services as defined in point (4) of Article 4 of Directive (EU) 2016/1148;

(5)  ‘digital service provider’ means ▌a digital service provider as defined in point (6) of Article 4 of Directive (EU) 2016/1148;

(6)  ‘incident’ means an incident as defined in point (7) of Article 4 of Directive (EU) 2016/1148;

(7)  ‘incident handling’ means incident handling as defined in point (8) of Article 4 of Directive (EU) 2016/1148;

(8)  ‘cyber threat’ means any potential circumstance ▌, event or action that could damage, disrupt or otherwise adversely impact network and information systems, the users of such systems and other persons;

(9)  ‘European cybersecurity certification scheme’ means a comprehensive set of rules, technical requirements, standards and procedures ▌that are established at Union level and that apply to the certification or conformity assessment of specific ICT products ▌, ICT services or ICT processes;

(10)  ‘national cybersecurity certification scheme’ means a comprehensive set of rules, technical requirements, standards and procedures developed and adopted by a national public authority and that apply to the certification or conformity assessment of ICT products, ICT services and ICT processes falling under the scope of the specific scheme;

(11)  ‘European cybersecurity certificate’ means a document issued by a relevant body, attesting that a given ICT product ▌, ICT service or ICT process has been evaluated for compliance with specific security requirements laid down in a European cybersecurity certification scheme;

(12)  ‘ICT product’ ▌ means an element or a group of elements of a network or information system;

(13)  ‘ICT service’ means a service consisting fully or mainly in the transmission, storing, retrieving or processing of information by means of network and information systems;

(14)  ‘ICT process’ means a set of activities performed to design, develop, deliver or maintain an ICT product or ICT service;

(15)  ‘accreditation’ means accreditation as defined in point (10) of Article 2 of Regulation (EC) No 765/2008;

(16)  ‘national accreditation body’ means a national accreditation body as defined in point (11) of Article 2 of Regulation (EC) No 765/2008;

(17)  ‘conformity assessment’ means a conformity assessment as defined in point (12) of Article 2 of Regulation (EC) No 765/2008;

(18)  ‘conformity assessment body’ means a conformity assessment body as defined in point (13) of Article 2 of Regulation (EC) No 765/2008;

(19)  ‘standard’ means a standard as defined in point (1) of Article 2 of Regulation (EU) No 1025/2012;

(20)  ‘technical specification’ means a document that prescribes the technical requirements to be met by, or conformity assessment procedures relating to, an ICT product, ICT service or ICT process;

(21)  ‘assurance level’ means a basis for confidence that an ICT product, ICT service or ICT process meets the security requirements of a specific European cybersecurity certification scheme, indicates the level at which an ICT product, ICT service or ICT process has been evaluated but as such does not measure the security of the ICT product, ICT service or ICT process concerned;

(22)  ‘conformity self-assessment’ means an action carried out by a manufacturer or provider of ICT products, ICT services or ICT processes, which evaluates whether those ICT products, ICT services or ICT processes meet the requirements of a specific European cybersecurity certification scheme.

TITLE II

ENISA (the European Union Agency for Cybersecurity)

CHAPTER I

MANDATE AND OBJECTIVES

Article 3

Mandate

1.  ENISA shall carry out the tasks assigned to it under this Regulation for the purpose of achieving a high common level of cybersecurity across the Union, including by actively supporting Member States, Union institutions, bodies, offices and agencies in improving cybersecurity. ENISA shall act as a reference point for advice and expertise on cybersecurity for Union institutions, bodies, offices and agencies as well as for other relevant Union stakeholders.

ENISA shall contribute to reducing the fragmentation of the internal market by carrying out the tasks assigned to it under this Regulation.

2.  ENISA shall carry out the tasks assigned to it by Union legal acts that set out measures for approximating the laws, regulations and administrative provisions of the Member States which are related to cybersecurity.

3.  When carrying out its tasks, ENISA shall act independently while avoiding the duplication of Member State activities and taking into consideration existing Member State expertise.

4.  ENISA shall develop its own resources, including technical and human capabilities and skills, necessary to perform the tasks assigned to it under this Regulation.

Article 4

Objectives

1.  ENISA shall be a centre of expertise on cybersecurity by virtue of its independence, the scientific and technical quality of the advice and assistance it delivers, the information it provides, the transparency of its operating procedures, the methods of operation, and its diligence in carrying out its tasks.

2.  ENISA shall assist the Union institutions, bodies, offices and agencies, as well as Member States, in developing and implementing Union policies related to cybersecurity, including sectoral policies on cybersecurity.

3.  ENISA shall support capacity-building and preparedness across the Union by assisting the Union institutions, bodies, offices and agencies, as well as Member States and public and private stakeholders, to increase the protection of their network and information systems, to develop and improve cyber resilience and response capacities, and to develop skills and competencies in the field of cybersecurity ▌.

4.  ENISA shall promote cooperation, including information sharing and coordination at Union level, among Member States, Union institutions, bodies, offices and agencies, and relevant private and public stakeholders ▌ on matters related to cybersecurity.

5.  ENISA shall contribute to increasing cybersecurity capabilities at Union level in order to support the actions of Member States in preventing and responding to cyber threats, in particular in the event of cross-border incidents.

6.  ENISA shall promote the use of European cybersecurity certification, with a view to avoiding the fragmentation of the internal market. ENISA shall contribute to the establishment and maintenance of a European cybersecurity certification framework in accordance with Title III of this Regulation, with a view to increasing the transparency of the cybersecurity of ICT products, ICT services and ICT processes, thereby strengthening trust in the digital internal market and its competitiveness.

7.  ENISA shall promote a high level of cybersecurity awareness, including cyber-hygiene and cyber-literacy among citizens, organisations and businesses.

CHAPTER II

TASKS

Article 5

Development and implementation of Union policy and law

ENISA shall contribute to the development and implementation of Union policy and law, by:

(1)  assisting and advising on the development and review of Union policy and law in the field of cybersecurity and on sector-specific policy and law initiatives where matters related to cybersecurity are involved, in particular by providing its independent opinion and analysis as well as carrying out preparatory work;

(2)  assisting Member States to implement the Union policy and law regarding cybersecurity consistently, in particular in relation to Directive (EU) 2016/1148, including by means of issuing opinions, guidelines, providing advice and best practices on topics such as risk management, incident reporting and information sharing, as well as by facilitating the exchange of best practices between competent authorities in that regard;

(3)  assisting Member States and Union institutions, bodies, offices and agencies in developing and promoting cybersecurity policies related to sustaining the general availability or integrity of the public core of the open internet;

(4)  contributing to the work of the Cooperation Group pursuant to Article 11 of Directive (EU) 2016/1148, by providing its expertise and assistance;

(5)  supporting:

(a)  the development and implementation of Union policy in the field of electronic identity and trust services, in particular by providing advice and issuing technical guidelines, as well as by facilitating the exchange of best practices between competent authorities;

(b)  the promotion of an enhanced level of security of electronic communications, including by providing advice and expertise, as well as by facilitating the exchange of best practices between competent authorities;

(c)  Member States in the implementation of specific cybersecurity aspects of Union policy and law relating to data protection and privacy, including by providing advice to the European Data Protection Board upon request.

(6)  supporting the regular review of Union policy activities by preparing an annual report on the state of the implementation of the respective legal framework regarding:

(a)  information on Member States' incident notifications provided by the single points of contact to the Cooperation Group pursuant to Article 10(3) of Directive (EU) 2016/1148;

(b)  summaries of notifications of breach of security or loss of integrity received from trust service providers provided by the supervisory bodies to ENISA, pursuant to Article 19(3) of Regulation (EU) 910/2014 of the European Parliament and of the Council(25);

(c)  notifications of ▌security incidents transmitted by the providers of public electronic communications networks or of publicly available electronic communications services, provided by the competent authorities to ENISA, pursuant to Article 40 of Directive (EU) 2018/1972.

Article 6

Capacity-building

1.  ENISA shall assist:

(a)  Member States in their efforts to improve the prevention, detection and analysis of, and the capability to respond to cyber threats and incidents by providing them with knowledge and expertise;

(b)  Member States and Union institutions, bodies, offices and agencies in establishing and implementing vulnerability disclosure policies on a voluntary basis;

(c)  Union institutions, bodies, offices and ▌agencies in their efforts to improve the prevention, detection and analysis of cyber threats and incidents and to improve their capabilities to respond to such cyber threats and incidents, in particular through appropriate support for the CERT-EU;

(d)  Member States in developing national CSIRTs, where requested pursuant to Article 9(5) of Directive (EU) 2016/1148;

(e)  Member States in developing national strategies on the security of network and information systems, where requested pursuant to Article 7(2) of Directive (EU) 2016/1148 and promote the dissemination of those strategies and note the progress in their implementation across the Union in order to promote best practices;

(f)  Union institutions in developing and reviewing Union strategies regarding cybersecurity, promoting their dissemination and tracking the progress in their implementation;

(g)  national and Union CSIRTs in raising the level of their capabilities, including by promoting dialogue and exchanges of information, with a view to ensuring that, with regard to the state of the art, each CSIRT possesses a common set of minimum capabilities and operates according to best practices;

(h)  Member States by regularly organising the cybersecurity exercises at Union level referred to in Article 7(5) on at least a biennial basis and by making policy recommendations based on the evaluation process of the exercises and lessons learned from them;

(i)  relevant public bodies by offering trainings regarding cybersecurity, where appropriate in cooperation with stakeholders;

(j)  the Cooperation Group, in the exchange of best practices, in particular with regard to the identification by Member States of operators of essential services, pursuant to point (l) of Article 11(3) of Directive (EU) 2016/1148, including in relation to cross-border dependencies, regarding risks and incidents.

2.  ENISA shall support information sharing in and between sectors, in particular in the sectors listed in Annex II of Directive (EU) 2016/1148, by providing best practices and guidance on available tools, procedures, as well as on how to address regulatory issues related to information sharing.

Article 7

Operational cooperation at Union level

1.  ENISA shall support operational cooperation among Member States, Union institutions, bodies, offices and agencies, and between stakeholders.

2.  ENISA shall cooperate at the operational level and establish synergies with Union institutions, bodies, offices and ▌agencies, including the CERT-EU, with the services dealing with cybercrime and with supervisory authorities dealing with the protection of privacy and personal data, with a view to addressing issues of common concern, including by means of:

(a)  the exchange of know-how and best practices;

(b)  the provision of advice and issuing of guidelines on relevant matters related to cybersecurity;

(c)  the establishment of practical arrangements for the execution of specific tasks, after consulting the Commission.

3.  ENISA shall provide the secretariat of the CSIRTs network pursuant to Article 12(2) of Directive (EU) 2016/1148, and in that capacity shall actively support the information sharing and the cooperation among its members.

4.  ENISA shall support Member States with respect to operational cooperation within the CSIRTs network ▌by:

(a)  advising on how to improve their capabilities to prevent, detect and respond to incidents and, at the request of one or more Member States, providing advice in relation to a specific cyber threat;

(b)  ▌ assisting, at the request of one or more Member States, in the assessment of incidents having a significant or substantial impact through the provision of expertise and facilitating the technical handling of such incidents including in particular by supporting the voluntary sharing of relevant information and technical solutions between Member States;

(c)  analysing vulnerabilities ▌ and incidents on the basis of publicly available information or information provided voluntarily by Member States for that purpose; and

(d)  at the request of one or more Member States, providing support in relation to ex-post technical inquiries regarding incidents having a significant or substantial impact within the meaning of Directive (EU) 2016/1148.

In performing those tasks, ENISA and CERT-EU shall engage in structured cooperation to benefit from synergies and to avoid the duplication of activities.

5.  ENISA shall regularly organise cybersecurity exercises at Union level, and shall support Member States and Union institutions, bodies, offices and agencies in organising cybersecurity exercises following their requests. Such cybersecurity exercises at Union level may include technical, operational or strategic elements. On a biennial basis, ENISA shall organise a large-scale comprehensive exercise.

Where appropriate, ENISA shall also contribute to and help organise sectoral cybersecurity exercises together with relevant organisations that also participate in cybersecurity exercises at Union level.

6.  ENISA, in close cooperation with the Member States, shall prepare a regular in-depth EU Cybersecurity Technical Situation Report on incidents and cyber threats based on publicly available information, its own analysis, and reports shared by, among others, the Member States' CSIRTs ▌ or the single points of contact established by Directive (EU) 2016/1148, both on a voluntary basis, EC3 and CERT-EU.

7.  ENISA shall contribute to developing a cooperative response at Union and Member States level to large-scale cross-border incidents or crises related to cybersecurity, mainly by:

(a)  aggregating and analysing reports from national sources that are in the public domain or shared on a voluntary basis with a view to contributing to the establishment of common situational awareness;

(b)  ensuring the efficient flow of information and the provision of escalation mechanisms between the CSIRTs network and the technical and political decision-makers at Union level;

(c)  upon request, facilitating the technical handling of such incidents or crises, including, in particular, by supporting the voluntary sharing of technical solutions between Member States;

(d)  supporting Union institutions, bodies, offices and agencies and, at their request, Member States, in the public communication relating to such incidents or crises;

(e)  testing the cooperation plans for responding to such incidents or crises at Union level and, at their request, supporting Member States in testing such plans at national level.

Article 8

Market, cybersecurity certification, and standardisation

1.  ENISA shall support and promote the development and implementation of Union policy on cybersecurity certification of ICT products ▌, ICT services and ICT processes, as established in Title III of this Regulation, by:

(a)  monitoring developments, on an ongoing basis, in related areas of standardisation and recommending appropriate technical specifications for use in the development of European cybersecurity certification schemes pursuant to point (c) of Article 54(1) where standards are not available;

(b)  preparing candidate European cybersecurity certification schemes ('candidate schemes') for ICT products, ICT services and ICT processes in accordance with Article 49;

(c)  evaluating adopted European cybersecurity certification schemes in accordance with Article 49(8);

(d)  participating in peer reviews pursuant to Article 59(4);

(e)  assisting the Commission in providing the secretariat of the ECCG pursuant to Article 62(5).

2.  ENISA shall provide the secretariat of the Stakeholder Cybersecurity Certification Group pursuant to Article 22(4).

3.  ENISA shall compile and publish guidelines and develop good practices, concerning the cybersecurity requirements of ICT products, ICT services and ICT processes, in cooperation with national cybersecurity certification authorities and industry in a formal, structured and transparent way.

4.   ENISA shall contribute to capacity-building related to evaluation and certification processes by compiling and issuing guidelines as well as by providing support to Member States at their request.

5.  ENISA shall facilitate the establishment and take-up of European and international standards for risk management and for the security of ICT products, ICT services and ICT processes ▌.

6.   ENISA shall draw up, in collaboration with Member States and industry, advice and guidelines regarding the technical areas related to the security requirements for operators of essential services and digital service providers, as well as regarding already existing standards, including Member States' national standards, pursuant to Article 19(2) of Directive (EU) 2016/1148.

7.  ENISA shall perform and disseminate regular analyses of the main trends in the cybersecurity market on both the demand and supply sides, with a view to fostering the cybersecurity market in the Union.

Article 9

Knowledge and information

ENISA shall:

(a)  perform analyses of emerging technologies and provide topic-specific assessments on the expected societal, legal, economic and regulatory impact of technological innovations on cybersecurity;

(b)  perform long-term strategic analyses of cyber threats and incidents in order to identify emerging trends and help prevent ▌incidents;

(c)  in cooperation with experts from Member States' authorities and relevant stakeholders, provide advice, guidance and best practices for the security of network and information systems, in particular for the security of the ▌infrastructures supporting the sectors listed in Annex II of Directive (EU) 2016/1148 and those used by the providers of the digital services listed in Annex III of that Directive;

(d)  through a dedicated portal, pool, organise and make available to the public information on cybersecurity provided by the Union institutions, bodies, offices and agencies and information on cybersecurity provided on a voluntary basis by Member States and private and public stakeholders;

(e)  collect and analyse publicly available information regarding significant incidents and compile reports with a view to providing guidance to citizens, organisations and businesses across the Union.

Article 10

Awareness-raising and education

ENISA shall:

(a)  raise public awareness of cybersecurity risks, and provide guidance on good practices for individual users aimed at citizens, organisations and businesses, including cyber-hygiene and cyber-literacy;

(b)  in cooperation with the Member States ▌, Union institutions, bodies, offices and ▌agencies and industry, organise regular outreach campaigns to increase cybersecurity and its visibility in the Union and encourage a broad public debate;

(c)  assist Member States in their efforts to raise cybersecurity awareness and promote cybersecurity education;

(d)  support closer coordination and exchange of best practices among Member States on cybersecurity awareness and education.

Article 11

Research and innovation

In relation to research and innovation, ENISA shall:

(a)  advise the Union institutions, bodies, offices and agencies and the Member States on research needs and priorities in the field of cybersecurity, with a view to enabling effective responses to current and emerging risks and cyber threats, including with respect to new and emerging information and communications technologies, and with a view to using risk-prevention technologies effectively;

(b)  where the Commission has conferred the relevant powers on it, participate in the implementation phase of research and innovation funding programmes or as a beneficiary;

(c)  contribute to the strategic research and innovation agenda at Union level in the field of cybersecurity.

Article 12

International cooperation

ENISA shall contribute to the Union’s efforts to cooperate with third countries and international organisations as well as within relevant international cooperation frameworks to promote international cooperation on issues related to cybersecurity, by:

(a)  where appropriate, engaging as an observer in the organisation of international exercises, and analysing and reporting to the Management Board on the outcome of such exercises;

(b)  at the request of the Commission, facilitating the exchange of best practices ▌;

(c)  at the request of the Commission, providing it with expertise;

(d)  providing advice and support to the Commission on matters concerning agreements for the mutual recognition of cybersecurity certificates with third countries, in collaboration with the ECCG established under Article 62.

CHAPTER III

ORGANISATION OF ENISA

Article 13

Structure of ENISA

The administrative and management structure of ENISA shall be composed of the following:

(a)  a Management Board;

(b)  an Executive Board;

(c)  an Executive Director; ▌

(d)  an ENISA Advisory Group;

(e)  a National Liaison Officers Network.

SECTION 1

MANAGEMENT BOARD

Article 14

Composition of the Management Board

1.  The Management Board shall be composed of one member appointed by each Member State, and two members appointed by the Commission. All members shall have the right to vote.

2.  Each member of the Management Board shall have an alternate. That alternate shall represent the member in the member’s absence.

3.  Members of the Management Board and their alternates shall be appointed on the basis of their knowledge in the field of cybersecurity, taking into account their relevant managerial, administrative and budgetary skills. The Commission and the Member States shall make efforts to limit the turnover of their representatives on the Management Board, in order to ensure continuity of the Management Board’s work. The Commission and the Member States shall aim to achieve gender balance on the Management Board.

4.  The term of office of the members of the Management Board and their alternates shall be four years. That term shall be renewable.

Article 15

Functions of the Management Board

1.  The Management Board shall:

(a)  establish the general direction of the operation of ENISA and ensure that ENISA operates in accordance with the rules and principles laid down in this Regulation; it shall also ensure the consistency of ENISA’s work with activities conducted by the Member States as well as at Union level;

(b)  adopt ENISA’s draft single programming document referred to in Article 24, before its submission to the Commission for an opinion;

(c)  adopt ENISA's single programming document, taking into account the Commission opinion;

(d)  supervise the implementation of the multiannual and annual programming included in the single programming document;

(e)  adopt the annual budget of ENISA and exercise other functions in respect of ENISA's budget in accordance with Chapter IV;

(f)  assess and adopt the consolidated annual report on ENISA’s activities, including the accounts and a description of how ENISA has met its performance indicators, submit both the annual report and the assessment thereof by 1 July of the following year, to the European Parliament, to the Council, to the Commission and to the Court of Auditors, and make the annual report public;

(g)  adopt the financial rules applicable to ENISA in accordance with Article 32;

(h)  adopt an anti-fraud strategy that is proportionate to the fraud risks, having regard to a cost-benefit analysis of the measures to be implemented;

(i)  adopt rules for the prevention and management of conflicts of interest in respect of its members;

(j)  ensure adequate follow-up to the findings and recommendations resulting from investigations of the European Anti-Fraud Office (OLAF) and the various internal or external audit reports and evaluations;

(k)  adopt its rules of procedure, including rules for provisional decisions on the delegation of specific tasks, pursuant to Article 19(7);

(l)  with respect to the staff of ENISA, exercise the powers conferred by the Staff Regulations of Officials (the ‘Staff Regulations of Officials’) and the Conditions of Employment of Other Servants of the European Union (the ‘Conditions of Employment of Other Servants’), laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68(26) on the appointing authority and on the Authority Empowered to Conclude a Contract of Employment (‘appointing authority powers’) in accordance with paragraph 2;

(m)  adopt rules implementing the Staff Regulations of Officials and the Conditions of Employment of Other Servants in accordance with the procedure provided for in Article 110 of the Staff Regulations of Officials;

(n)  appoint the Executive Director and where relevant extend his or her term of office or remove him or her from office in accordance with Article 36;

(o)  appoint an accounting officer, who may be the Commission's accounting officer, who shall be wholly independent in the performance of his or her duties;

(p)  take all decisions concerning the establishment of ENISA's internal structures and, where necessary, the modification of those internal structures, taking into consideration ENISA's activity needs and having regard to sound budgetary management;

(q)  authorise the establishment of working arrangements with regard to Article 7;

(r)  authorise the establishment or conclusion of working arrangements in accordance with Article 42.

2.  In accordance with Article 110 of the Staff Regulations of Officials, the Management Board shall adopt a decision based on Article 2(1) of the Staff Regulations of Officials and Article 6 of the Conditions of Employment of Other Servants, delegating the relevant appointing authority powers to the Executive Director and determining the conditions under which that delegation of powers can be suspended. The Executive Director may sub-delegate those powers.

3.  Where exceptional circumstances so require, the Management Board may adopt a decision to temporarily suspend the delegation of appointing authority powers to the Executive Director and any appointing authority powers sub-delegated by the Executive Director and instead exercise them itself or delegate them to one of its members or to a staff member other than the Executive Director.

Article 16

Chairperson of the Management Board

The Management Board shall elect a Chairperson and a Deputy Chairperson from among its members, by a majority of two thirds of the members. Their terms of office shall be four years, which shall be renewable once. If, however, their membership of the Management Board ends at any time during their term of office, their term of office shall automatically expire on that date. The Deputy Chairperson shall replace the Chairperson ex officio if the Chairperson is unable to attend to his or her duties.

Article 17

Meetings of the Management Board

1.  Meetings of the Management Board shall be convened by its Chairperson.

2.  The Management Board shall hold at least two ordinary meetings a year. It shall also hold extraordinary meetings at the request of its Chairperson, at the request of the Commission, or at the request of at least one third of its members.

3.  The Executive Director shall take part in the meetings of the Management Board but shall not have the right to vote.

4.  Members of the ENISA Advisory Group may take part in the meetings of the Management Board at the invitation of the Chairperson, but shall not have the right to vote.

5.  The members of the Management Board and their alternates may be assisted at the meetings of the Management Board by advisers or experts, subject to the rules of procedure of the Management Board.

6.  ENISA shall provide the secretariat of the Management Board.

Article 18

Voting rules of the Management Board

1.  The Management Board shall take its decisions by a majority of its members.

2.  A two-thirds majority of the Management Board members shall be required for the adoption of the single programming document and of the annual budget and for the appointment, extension of the term of office or removal of the Executive Director.

3.  Each member shall have one vote. In the absence of a member, their alternate shall be entitled to exercise the member’s right to vote.

4.  The Chairperson of the Management Board shall take part in the voting.

5.  The Executive Director shall not take part in the voting.

6.  The Management Board's rules of procedure shall establish more detailed voting arrangements, in particular the circumstances in which a member may act on behalf of another member.

SECTION 2

EXECUTIVE BOARD

Article 19

Executive Board

1.  The Management Board shall be assisted by an Executive Board.

2.  The Executive Board shall:

(a)  prepare decisions to be adopted by the Management Board;

(b)  together with the Management Board, ensure the adequate follow-up to the findings and recommendations stemming from investigations of OLAF and the various internal or external audit reports and evaluations;

(c)  without prejudice to the responsibilities of the Executive Director set out in Article 20, assist and advise the Executive Director in implementing the decisions of the Management Board on administrative and budgetary matters pursuant to Article 20.

3.  The Executive Board shall be composed of five members. The members of the Executive Board shall be appointed from among the members of the Management Board. One of the members shall be the Chairperson of the Management Board, who may also chair the Executive Board, and another shall be one of the representatives of the Commission. The appointments of the members of the Executive Board shall aim to ensure gender balance on the Executive Board. The Executive Director shall take part in the meetings of the Executive Board but shall not have the right to vote.

4.  The term of office of the members of the Executive Board shall be four years. That term shall be renewable.

5.  The Executive Board shall meet at least once every three months. The Chairperson of the Executive Board shall convene additional meetings at the request of its members.

6.  The Management Board shall lay down the rules of procedure of the Executive Board.

7.  When necessary because of urgency, the Executive Board may take certain provisional decisions on behalf of the Management Board, in particular on administrative management matters, including the suspension of the delegation of the appointing authority powers and budgetary matters. Any such provisional decisions shall be notified to the Management Board without undue delay. The Management Board shall then decide whether to approve or reject the provisional decision no later than three months after the decision was taken. The Executive Board shall not take decisions on behalf of the Management Board that require the approval of a two-thirds majority of the Management Board members.

SECTION 3

EXECUTIVE DIRECTOR

Article 20

Duties of the Executive Director

1.  ENISA shall be managed by its Executive Director, who shall be independent in the performance of his or her duties. The Executive Director shall be accountable to the Management Board.

2.  The Executive Director shall report to the European Parliament on the performance of his or her duties when invited to do so. The Council may invite the Executive Director to report on the performance of his or her duties.

3.  The Executive Director shall be responsible for:

(a)  the day-to-day administration of ENISA;

(b)  implementing the decisions adopted by the Management Board;

(c)  preparing the draft single programming document and submitting it to the Management Board for approval before its submission to the Commission;

(d)  implementing the single programming document and reporting to the Management Board thereon;

(e)  preparing the consolidated annual report on ENISA’s activities, including the implementation of ENISA’s annual work programme, and presenting it to the Management Board for assessment and adoption;

(f)  preparing an action plan that follows up on the conclusions of the retrospective evaluations, and reporting on progress every two years to the Commission;

(g)  preparing an action plan that follows up on the conclusions of internal or external audit reports, as well as on investigations by OLAF and reporting on progress biannually to the Commission and regularly to the Management Board;

(h)  preparing the draft financial rules applicable to ENISA as referred to in Article 32;

(i)  preparing ENISA's draft statement of estimates of revenue and expenditure and implementing its budget;

(j)  protecting the financial interests of the Union by the application of preventive measures against fraud, corruption and any other illegal activities, by effective checks and, if irregularities are detected, by the recovery of the amounts wrongly paid and, where appropriate, by effective, proportionate and dissuasive administrative and financial penalties;

(k)  preparing an anti-fraud strategy for ENISA and presenting it to the Management Board for approval;

(l)  developing and maintaining contact with the business community and consumers’ organisations to ensure regular dialogue with relevant stakeholders;

(m)  exchanging views and information regularly with Union institutions, bodies, offices and agencies regarding their activities relating to cybersecurity to ensure coherence in the development and the implementation of Union policy;

(n)  carrying out other tasks assigned to the Executive Director by this Regulation.

4.  Where necessary and within ENISA’s objectives and tasks, the Executive Director may set up ad hoc working groups composed of experts, including experts from the Member States’ competent authorities. The Executive Director shall inform the Management Board in advance thereof. The procedures regarding in particular the composition of the working groups, the appointment of the experts of the working groups by the Executive Director and the operation of the working groups shall be specified in ENISA’s internal rules of operation.

5.  Where necessary, for the purpose of carrying out ENISA's tasks in an efficient and effective manner and based on an appropriate cost-benefit analysis, the Executive Director may decide to establish one or more local offices in one or more Member States. Before deciding to establish a local office, the Executive Director shall seek the opinion of the Member States concerned, including the Member State in which the seat of ENISA is located, and shall obtain the prior consent of the Commission and the Management Board. In cases of disagreement during the consultation process between the Executive Director and the Member States concerned, the issue shall be brought to the Council for discussion. The aggregate number of staff in all local offices shall be kept to a minimum and shall not exceed 40 % of the total number of ENISA’s staff located in the Member State in which the seat of ENISA is located. The number of the staff in each local office shall not exceed 10 % of the total number of ENISA’s staff located in the Member State in which the seat of ENISA is located.

The decision establishing a local office shall specify the scope of the activities to be carried out at the local office in a manner that avoids unnecessary costs and duplication of administrative functions of ENISA.

SECTION 4

ENISA ADVISORY GROUP, STAKEHOLDER CYBERSECURITY CERTIFICATION GROUP AND NATIONAL LIAISON OFFICERS NETWORK

Article 21

ENISA Advisory Group

1.  The Management Board, acting on a proposal from the Executive Director, shall establish in a transparent manner the ENISA Advisory Group composed of recognised experts representing the relevant stakeholders, such as the ICT industry, providers of electronic communications networks or services available to the public, SMEs, operators of essential services, consumer groups, academic experts in the field of cybersecurity, and representatives of competent authorities notified in accordance with Directive (EU) 2018/1972, of European standardisation organisations, as well as of law enforcement and data protection supervisory authorities. The Management Board shall aim to ensure an appropriate gender and geographical balance as well as a balance between the different stakeholder groups.

2.  Procedures for the ENISA Advisory Group, in particular regarding its composition, the proposal by the Executive Director referred to in paragraph 1, the number and appointment of its members and the operation of the ENISA Advisory Group, shall be specified in ENISA’s internal rules of operation and shall be made public.

3.  The ENISA Advisory Group shall be chaired by the Executive Director or by any person whom the Executive Director appoints on a case-by-case basis.

4.  The term of office of the members of the ENISA Advisory Group shall be two-and-a-half years. Members of the Management Board shall not be members of the ENISA Advisory Group. Experts from the Commission and the Member States shall be entitled to be present at the meetings of the ENISA Advisory Group and to participate in its work. Representatives of other bodies deemed to be relevant by the Executive Director, who are not members of the ENISA Advisory Group, may be invited to attend the meetings of the ENISA Advisory Group and to participate in its work.

5.  The ENISA Advisory Group shall advise ENISA in respect of the performance of ENISA’s tasks, except for the application of the provisions of Title III of this Regulation. It shall in particular advise the Executive Director on the drawing up of a proposal for ENISA’s annual work programme, and on ensuring communication with the relevant stakeholders on issues related to the annual work programme.

6.  The ENISA Advisory Group shall inform the Management Board of its activities on a regular basis.

Article 22

Stakeholder Cybersecurity Certification Group

1.  The Stakeholder Cybersecurity Certification Group shall be established.

2.  The Stakeholder Cybersecurity Certification Group shall be composed of members selected from among recognised experts representing the relevant stakeholders. The Commission, following a transparent and open call, shall select, on the basis of a proposal from ENISA, members of the Stakeholder Cybersecurity Certification Group ensuring a balance between the different stakeholder groups as well as an appropriate gender and geographical balance.

3.  The Stakeholder Cybersecurity Certification Group shall:

(a)  advise the Commission on strategic issues regarding the European cybersecurity certification framework;

(b)  upon request, advise ENISA on general and strategic matters concerning ENISA's tasks relating to market, cybersecurity certification, and standardisation;

(c)  assist the Commission in the preparation of the Union rolling work programme referred to in Article 47;

(d)  issue an opinion on the Union rolling work programme pursuant to Article 47(4); and

(e)  in urgent cases, provide advice to the Commission and the ECCG on the need for additional certification schemes not included in the Union rolling work programme, as outlined in Articles 47 and 48.

4.  The Stakeholder Certification Group shall be co-chaired by the representatives of the Commission and of ENISA, and its secretariat shall be provided by ENISA.

Article 23

National Liaison Officers Network

1.  The Management Board, acting on a proposal from the Executive Director, shall set up a National Liaison Officers Network composed of representatives of all Member States (National Liaison Officers). Each Member State shall appoint one representative to the National Liaison Officers Network. The meetings of the National Liaison Officers Network may be held in different expert formations.

2.  The National Liaison Officers Network shall in particular facilitate the exchange of information between ENISA and the Member States, and shall support ENISA in disseminating its activities, findings and recommendations to the relevant stakeholders across the Union.

3.  National Liaison Officers shall act as a point of contact at national level to facilitate cooperation between ENISA and national experts in the context of the implementation of ENISA's annual work programme.

4.  While National Liaison Officers shall cooperate closely with the Management Board representatives of their respective Member States, the National Liaison Officers Network itself shall not duplicate the work of the Management Board or of other Union forums.

5.  The functions and procedures of the National Liaison Officers Network shall be specified in ENISA’s internal rules of operation and shall be made public.

SECTION 5

OPERATION

Article 24

Single programming document

1.  ENISA shall operate in accordance with a single programming document containing its annual and multiannual programming, which shall include all of its planned activities.

2.  Each year, the Executive Director shall draw up a draft single programming document containing its annual and multiannual programming with the corresponding financial and human resources planning in accordance with Article 32 of Commission Delegated Regulation (EU) No 1271/2013(27) and taking into account the guidelines set by the Commission.

3.  By 30 November each year, the Management Board shall adopt the single programming document referred to in paragraph 1 and shall transmit it to the European Parliament, to the Council and to the Commission no later than 31 January of the following year, as well as any subsequently updated versions of that document.

4.  The single programming document shall become final after the definitive adoption of the general budget of the Union and shall be adjusted as necessary.

5.  The annual work programme shall comprise detailed objectives and expected results including performance indicators. It shall also contain a description of the actions to be financed and an indication of the financial and human resources allocated to each action, in accordance with the principles of activity-based budgeting and management. The annual work programme shall be coherent with the multiannual work programme referred to in paragraph 7. It shall clearly indicate tasks that have been added, changed or deleted in comparison with the previous financial year.

6.  The Management Board shall amend the adopted annual work programme when a new task is assigned to ENISA. Any substantial amendments to the annual work programme shall be adopted by the same procedure as for the initial annual work programme. The Management Board may delegate the power to make non-substantial amendments to the annual work programme to the Executive Director.

7.  The multiannual work programme shall set out the overall strategic programming including objectives, expected results and performance indicators. It shall also set out the resource programming including multi-annual budget and staff.

8.  The resource programming shall be updated annually. The strategic programming shall be updated where appropriate and in particular where necessary to address the outcome of the evaluation referred to in Article 67.

Article 25

Declaration of interests

1.  Members of the Management Board, the Executive Director, and officials seconded by Member States on a temporary basis, shall each make a declaration of commitments and a declaration indicating the absence or presence of any direct or indirect interest which might be considered to be prejudicial to their independence. The declarations shall be accurate and complete, shall be made annually in writing, and shall be updated whenever necessary.

2.  Members of the Management Board, the Executive Director, and external experts participating in ad hoc working groups, shall each accurately and completely declare, at the latest at the start of each meeting, any interest which might be considered to be prejudicial to their independence in relation to the items on the agenda, and shall abstain from participating in the discussion of and voting on such items.

3.  ENISA shall lay down, in its internal rules of operation, the practical arrangements for the rules on declarations of interest referred to in paragraphs 1 and 2.

Article 26

Transparency

1.  ENISA shall carry out its activities with a high level of transparency and in accordance with Article 28.

2.  ENISA shall ensure that the public and any interested parties are provided with appropriate, objective, reliable and easily accessible information, in particular with regard to the results of its work. It shall also make public the declarations of interest made in accordance with Article 25.

3.  The Management Board, acting on a proposal from the Executive Director, may authorise interested parties to observe the proceedings of some of ENISA’s activities.

4.  ENISA shall lay down, in its internal rules of operation, the practical arrangements for implementing the transparency rules referred to in paragraphs 1 and 2.

Article 27

Confidentiality

1.  Without prejudice to Article 28, ENISA shall not divulge to third parties information that it processes or receives in relation to which a reasoned request for confidential treatment has been made.

2.  Members of the Management Board, the Executive Director, the members of the ENISA Advisory Group, external experts participating in ad hoc working groups, and members of the staff of ENISA, including officials seconded by Member States on a temporary basis, shall comply with the confidentiality requirements of Article 339 TFEU, even after their duties have ceased.

3.  ENISA shall lay down, in its internal rules of operation, the practical arrangements for implementing the confidentiality rules referred to in paragraphs 1 and 2.

4.  If required for the performance of ENISA’s tasks, the Management Board shall decide to allow ENISA to handle classified information. In that case ENISA, in agreement with the Commission services, shall adopt security rules applying the security principles set out in Commission Decisions (EU, Euratom) 2015/443(28) and 2015/444(29). Those security rules shall include provisions for the exchange, processing and storage of classified information.

Article 28

Access to documents

1.  Regulation (EC) No 1049/2001 shall apply to documents held by ENISA.

2.  The Management Board shall adopt arrangements for implementing Regulation (EC) No 1049/2001 by ... [six months after the entry into force of this Regulation].

3.  Decisions taken by ENISA pursuant to Article 8 of Regulation (EC) No 1049/2001 may be the subject of a complaint to the European Ombudsman under Article 228 TFEU or of an action before the Court of Justice of the European Union under Article 263 TFEU.

CHAPTER IV

ESTABLISHMENT AND STRUCTURE OF ENISA’S BUDGET

Article 29

Establishment of ENISA’s budget

1.  Each year, the Executive Director shall draw up a draft statement of estimates of ENISA’s revenue and expenditure for the following financial year, and shall transmit it to the Management Board, together with a draft establishment plan. Revenue and expenditure shall be in balance.

2.  Each year the Management Board, on the basis of the draft statement of estimates, shall produce a statement of estimates of ENISA’s revenue and expenditure for the following financial year.

3.  The Management Board, by 31 January each year, shall send the statement of estimates, which shall be part of the draft single programming document, to the Commission and the third countries with which the Union has concluded agreements as referred to in Article 42(2).

4.  On the basis of the statement of estimates, the Commission shall enter in the draft general budget of the Union the estimates it deems to be necessary for the establishment plan and the amount of the contribution to be charged to the general budget of the Union, which it shall submit to the European Parliament and to the Council in accordance with Article 314 TFEU.

5.  The European Parliament and the Council shall authorise the appropriations for the contribution from the Union to ENISA.

6.  The European Parliament and the Council shall adopt ENISA’s establishment plan.

7.  The Management Board shall adopt ENISA’s budget together with the single programming document. ENISA’s budget shall become final following the definitive adoption of the general budget of the Union. Where necessary, the Management Board shall adjust ENISA’s budget and single programming document in accordance with the general budget of the Union.

Article 30

Structure of ENISA’s budget

1.  Without prejudice to other resources, ENISA's revenue shall be composed of:

(a)  a contribution from the general budget of the Union;

(b)  revenue assigned to specific items of expenditure in accordance with its financial rules referred to in Article 32;

(c)  Union funding in the form of delegation agreements or ad hoc grants in accordance with its financial rules referred to in Article 32 and with the provisions of the relevant instruments supporting the policies of the Union;

(d)  contributions from third countries participating in the work of ENISA as referred to in Article 42;

(e)  any voluntary contributions from Member States in money or in kind.

Member States that provide voluntary contributions under point (e) of the first subparagraph shall not claim any specific right or service as a result thereof.

2.  The expenditure of ENISA shall include staff, administrative and technical support, infrastructure and operational expenses, and expenses resulting from contracts with third parties.

Article 31

Implementation of ENISA’s budget

1.  The Executive Director shall be responsible for the implementation of ENISA’s budget.

2.  The Commission’s internal auditor shall exercise the same powers over ENISA as over Commission departments.

3.  ENISA’s accounting officer shall send the provisional accounts for the financial year (year N) to the Commission’s accounting officer and to the Court of Auditors by 1 March of the following financial year (year N + 1).

4.  Upon the receipt of the Court of Auditors' observations on ENISA’s provisional accounts pursuant to Article 246 of Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council(30), ENISA's accounting officer shall draw up ENISA's final accounts under his or her responsibility and shall submit them to the Management Board for an opinion.

5.  The Management Board shall deliver an opinion on ENISA’s final accounts.

6.  By 31 March of year N + 1, the Executive Director shall transmit the report on the budgetary and financial management to the European Parliament, to the Council, to the Commission and to the Court of Auditors.

7.  By 1 July of year N + 1, ENISA’s accounting officer shall transmit ENISA’s final accounts to the European Parliament, to the Council, to the Commission’s accounting officer and to the Court of Auditors, together with the Management Board’s opinion.

8.  At the same date as the transmission of ENISA’s final accounts, ENISA’s accounting officer shall also send to the Court of Auditors a representation letter covering those final accounts, with a copy to the Commission’s accounting officer.

9.  By 15 November of year N + 1, the Executive Director shall publish ENISA’s final accounts in the Official Journal of the European Union.

10.  By 30 September of year N + 1, the Executive Director shall send the Court of Auditors a reply to its observations and shall also send a copy of that reply to the Management Board and to the Commission.

11.  The Executive Director shall submit to the European Parliament, at the latter’s request, any information required for the smooth application of the discharge procedure for the financial year concerned in accordance with Article 261(3) of Regulation (EU, Euratom) 2018/1046.

12.  On a recommendation from the Council, the European Parliament shall, before 15 May of year N + 2, give a discharge to the Executive Director in respect of the implementation of the budget for the year N.

Article 32

Financial rules

The financial rules applicable to ENISA shall be adopted by the Management Board after consulting the Commission. They shall not depart from Delegated Regulation (EU) No 1271/2013 unless such a departure is specifically required for the operation of ENISA and the Commission has given its prior consent.

Article 33

Combating fraud

1.  In order to facilitate the combating of fraud, corruption and other unlawful activities under Regulation (EU, Euratom) 883/2013 of the European Parliament and of the Council(31), ENISA shall by ... [six months after the entry into force of this Regulation], accede to the Interinstitutional Agreement of 25 May 1999 between the European Parliament, the Council of the European Union and the Commission of the European Communities concerning internal investigations by the European Anti-Fraud Office (OLAF)(32). ENISA shall adopt appropriate provisions applicable to all employees of ENISA, using the template set out in the Annex to that Agreement.

2.  The Court of Auditors shall have the power of audit, on the basis of documents and of on-the-spot inspections, over all grant beneficiaries, contractors and subcontractors who have received Union funds from ENISA.

3.  OLAF may carry out investigations, including on-the-spot checks and inspections, in accordance with the provisions and procedures laid down in Regulation (EU, Euratom) 883/2013 and Council Regulation (Euratom, EC) No 2185/96(33), with a view to establishing whether there has been fraud, corruption or any other illegal activity affecting the financial interests of the Union in connection with a grant or a contract funded by ENISA.

4.  Without prejudice to paragraphs 1, 2 and 3, cooperation agreements with third countries or international organisations, contracts, grant agreements and grant decisions of ENISA shall contain provisions expressly empowering the Court of Auditors and OLAF to conduct such audits and investigations, according to their respective competences.

CHAPTER V

STAFF

Article 34

General provisions

The Staff Regulations of Officials and the Conditions of Employment of Other Servants, as well as the rules adopted by agreement between the Union institutions for giving effect to the Staff Regulations of Officials and the Conditions of Employment of Other Servants shall apply to the staff of ENISA.

Article 35

Privileges and immunity

Protocol No 7 on the privileges and immunities of the European Union, annexed to the TEU and to the TFEU, shall apply to ENISA and its staff.

Article 36

Executive Director

1.  The Executive Director shall be engaged as a temporary agent of ENISA under point (a) of Article 2 of the Conditions of Employment of Other Servants.

2.  The Executive Director shall be appointed by the Management Board from a list of candidates proposed by the Commission, following an open and transparent selection procedure.

3.  For the purpose of concluding the employment contract with the Executive Director, ENISA shall be represented by the Chairperson of the Management Board.

4.  Before appointment, the candidate selected by the Management Board shall be invited to make a statement before the relevant committee of the European Parliament and to answer Members’ questions.

5.  The term of office of the Executive Director shall be five years. By the end of that period, the Commission shall carry out an assessment of the performance of the Executive Director and ENISA’s future tasks and challenges.

6.  The Management Board shall reach decisions on appointment, extension of the term of office or removal from office of the Executive Director in accordance with Article 18(2).

7.  The Management Board, acting on a proposal from the Commission which takes into account the assessment referred to in paragraph 5, may extend the term of office of the Executive Director once by five years.

8.  The Management Board shall inform the European Parliament about its intention to extend the Executive Director’s term of office. Within three months before any such extension, the Executive Director, if invited, shall make a statement before the relevant committee of the European Parliament and answer Members’ questions.

9.  An Executive Director whose term of office has been extended shall not participate in another selection procedure for the same post.

10.  The Executive Director may be removed from office only by decision of the Management Board acting on a proposal from the Commission.

Article 37

Seconded national experts and other staff

1.  ENISA may make use of seconded national experts or other staff not employed by ENISA. The Staff Regulations of Officials and the Conditions of Employment of Other Servants shall not apply to such staff.

2.  The Management Board shall adopt a decision laying down rules on the secondment of national experts to ENISA.

CHAPTER VI

GENERAL PROVISIONS CONCERNING ENISA

Article 38

Legal status of ENISA

1.  ENISA shall be a body of the Union and shall have legal personality.

2.  In each Member State ENISA shall enjoy the most extensive legal capacity accorded to legal persons under national law. It may, in particular, acquire or dispose of movable and immovable property and be a party to legal proceedings.

3.  ENISA shall be represented by the Executive Director.

Article 39

Liability of ENISA

1.  The contractual liability of ENISA shall be governed by the law applicable to the contract in question.

2.  The Court of Justice of the European Union shall have jurisdiction to give judgment pursuant to any arbitration clause contained in a contract concluded by ENISA.

3.  In the case of non-contractual liability, ENISA shall make good any damage caused by it or its staff in the performance of their duties, in accordance with the general principles common to the laws of the Member States.

4.  The Court of Justice of the European Union shall have jurisdiction in any dispute over compensation for damage referred to in paragraph 3.

5.  The personal liability of ENISA’s staff towards ENISA shall be governed by the relevant conditions applying to ENISA’s staff.

Article 40

Language arrangements

1.  Council Regulation No 1(34) shall apply to ENISA. The Member States and the other bodies appointed by the Member States may address ENISA and receive a reply in the official language of the institutions of the Union that they choose.

2.  The translation services required for the functioning of ENISA shall be provided by the Translation Centre for Bodies of the European Union.

Article 41

Protection of personal data

1.  The processing of personal data by ENISA shall be subject to Regulation (EU) 2018/1725.

2.  The Management Board shall adopt implementing rules referred to in Article 45(3) of Regulation (EU) 2018/1725. The Management Board may adopt additional measures necessary for the application of Regulation (EU) 2018/1725 by ENISA.

Article 42

Cooperation with third countries and international organisations

1.  To the extent necessary in order to achieve the objectives set out in this Regulation, ENISA may cooperate with the competent authorities of third countries or with international organisations or both. To that end, ENISA may establish working arrangements with the authorities of third countries and international organisations, subject to the prior approval of the Commission. Those working arrangements shall not create legal obligations incumbent on the Union and its Member States.

2.  ENISA shall be open to the participation of third countries that have concluded agreements with the Union to that effect. Under the relevant provisions of such agreements, working arrangements shall be established specifying in particular the nature, extent and manner in which those third countries are to participate in ENISA’s work, and shall include provisions relating to participation in the initiatives undertaken by ENISA, to financial contributions and to staff. As regards staff matters, those working arrangements shall comply with the Staff Regulations of Officials and Conditions of Employment of Other Servants in any event.

3.  The Management Board shall adopt a strategy for relations with third countries and international organisations concerning matters for which ENISA is competent. The Commission shall ensure that ENISA operates within its mandate and the existing institutional framework by concluding appropriate working arrangements with the Executive Director.

Article 43

Security rules on the protection of sensitive non-classified information and classified information

After consulting the Commission, ENISA shall adopt security rules applying the security principles contained in the Commission’s security rules for protecting sensitive non-classified information and EUCI, as set out in Decisions (EU, Euratom) 2015/443 and 2015/444. ENISA’s security rules shall include provisions for the exchange, processing and storage of such information.

Article 44

Headquarters Agreement and operating conditions

1.  The necessary arrangements concerning the accommodation to be provided for ENISA in the host Member State and the facilities to be made available by that Member State together with the specific rules applicable in the host Member State to the Executive Director, members of the Management Board, ENISA’s staff and members of their families shall be laid down in a headquarters agreement between ENISA and the host Member State, concluded after obtaining the approval of the Management Board.

2.  ENISA’s host Member State shall provide the best possible conditions for ensuring the proper functioning of ENISA, taking into account the accessibility of the location, the existence of adequate education facilities for the children of staff members, appropriate access to the labour market, social security and medical care for both children and spouses of staff members.

Article 45

Administrative control

The operations of ENISA shall be supervised by the European Ombudsman in accordance with Article 228 TFEU.

TITLE III

CYBERSECURITY CERTIFICATION FRAMEWORK

Article 46

European cybersecurity certification framework

1.  The European cybersecurity certification framework shall be established in order to improve the conditions for the functioning of the internal market by increasing the level of cybersecurity within the Union and enabling a harmonised approach at Union level to European cybersecurity certification schemes, with a view to creating a digital single market for ICT products, ICT services and ICT processes.

2.  The European cybersecurity certification framework shall provide for a mechanism to establish European cybersecurity certification schemes and to attest that the ICT products, ICT services and ICT processes that have been evaluated in accordance with such schemes comply with specified security requirements for the purpose of protecting the availability, authenticity, integrity or confidentiality of stored or transmitted or processed data or the functions or services offered by, or accessible via, those products, services and processes throughout their life cycle.

Article 47

The Union rolling work programme for European cybersecurity certification

1.  The Commission shall publish a Union rolling work programme for European cybersecurity certification (the ‘Union rolling work programme’) that shall identify strategic priorities for future European cybersecurity certification schemes.

2.  The Union rolling work programme shall in particular include a list of ICT products, ICT services and ICT processes or categories thereof that are capable of benefiting from being included in the scope of a European cybersecurity certification scheme.

3.  Inclusion of specific ICT products, ICT services and ICT processes or categories thereof in the Union rolling work programme shall be justified on the basis of one or more of the following grounds:

(a)  the availability and the development of national cybersecurity certification schemes covering a specific category of ICT products, ICT services or ICT processes and, in particular, as regards the risk of fragmentation;

(b)  relevant Union or Member State law or policy;

(c)  market demand;

(d)  developments in the cyber threat landscape;

(e)  request for the preparation of a specific candidate scheme by the ECCG.

4.  The Commission shall take due account of the opinions issued by the ECCG and the Stakeholder Certification Group on the draft Union rolling work programme.

5.  The first Union rolling work programme shall be published by ... [twelve months after the entry into force of this Regulation]. The Union rolling work programme shall be updated at least once every three years and more often if necessary.

Article 48

Request for a European cybersecurity certification scheme

1.  The Commission may request ENISA to prepare a candidate scheme or to review an existing European cybersecurity certification scheme on the basis of the Union rolling work programme.

2.  In duly justified cases, the Commission or the ECCG may request ENISA to prepare a candidate scheme or to review an existing European cybersecurity certification scheme which is not included in the Union rolling work programme. The Union rolling work programme shall be updated accordingly.

Article 49

Preparation ▌, adoption and review of a European cybersecurity certification scheme

1.  Following a request from the Commission pursuant to Article 48, ENISA shall prepare a candidate scheme which meets the requirements set out in Articles 51, 52 and 54.

2.  Following a request from the ECCG pursuant to Article 48(2), ENISA may prepare a candidate scheme which meets the requirements set out in Articles 51, 52 and 54. ▌If ENISA refuses such a request, it shall give reasons for its refusal. Any decision to refuse such a request shall be taken by the Management Board.

3.  When preparing a candidate scheme, ENISA shall consult all relevant stakeholders by means of a formal, open, transparent and inclusive consultation process.

4.  For each candidate scheme, ENISA shall establish an ad hoc working group in accordance with Article 20(4) for the purpose of providing ENISA with specific advice and expertise.

5.  ENISA shall closely cooperate with the ECCG. The ECCG shall provide ENISA with ▌assistance and expert advice ▌in relation to the preparation of the candidate scheme and shall adopt an opinion on the candidate scheme.

6.  ENISA shall take utmost account of the opinion of the ECCG before transmitting the candidate ▌ scheme prepared in accordance with paragraphs 3, 4 and 5 to the Commission. The opinion of the ECCG shall not bind ENISA, nor shall the absence of such an opinion prevent ENISA from transmitting the candidate scheme to the Commission.

7.  The Commission, based on the candidate scheme prepared by ENISA, may adopt implementing acts providing for a European cybersecurity certification scheme for ICT products, ICT services and ICT processes which meets the requirements set out in Articles 51, 52 and 54. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 66(2).

8.  At least every 5 years, ENISA shall evaluate each adopted European cybersecurity certification scheme, taking into account the feedback received from interested parties. If necessary, the Commission or the ECCG may request ENISA to start the process of developing a revised candidate scheme in accordance with Article 48 and this Article.

Article 50

Website on European cybersecurity certification schemes

1.  ENISA shall maintain a dedicated website providing information on, and publicising, European cybersecurity certification schemes, European cybersecurity certificates and EU statements of conformity, including information with regard to European cybersecurity certification schemes which are no longer valid, to withdrawn and expired European cybersecurity certificates and EU statements of conformity, and to the repository of links to cybersecurity information provided in accordance with Article 55.

2.  Where applicable, the website referred to in paragraph 1 shall also indicate the national cybersecurity certification schemes that have been replaced by a European cybersecurity certification scheme.

Article 51

Security objectives of European cybersecurity certification schemes

A European cybersecurity certification scheme shall be designed to achieve, as applicable, at least the following security objectives:

(a)  to protect stored, transmitted or otherwise processed data against accidental or unauthorised storage, processing, access or disclosure during the entire lifecycle of the ICT product, ICT service or ICT process;

(b)  to protect stored, transmitted or otherwise processed data against accidental or unauthorised destruction, ▌loss or alteration or lack of availability during the entire lifecycle of the ICT product, ICT service or ICT process;

(c)  ▌ that authorised persons, programs or machines are able only to access the data, services or functions to which their access rights refer;

(d)  to identify and document known dependencies and vulnerabilities;

(e)  to record which data, services or functions have been accessed, used or otherwise processed, at what times and by whom;

(f)   to make it possible to check which data, services or functions have been accessed, used or otherwise processed, at what times and by whom;

(g)  to verify that ICT products, ICT services and ICT processes do not contain known vulnerabilities;

(h)  to restore the availability and access to data, services and functions in a timely manner in the event of a physical or technical incident;

(i)  that ICT products, ICT services and ICT processes are secure by default and by design;

(j)  ▌ that ICT products, ICT services and ICT processes are provided with up-to-date software and hardware that do not contain publicly known vulnerabilities, and are provided with mechanisms for secure ▌ updates.

Article 52

Assurance levels of European cybersecurity certification schemes

1.  A European cybersecurity certification scheme may specify one or more of the following assurance levels for ICT products ▌, ICT services and ICT processes: 'basic', 'substantial' or 'high'. The assurance level shall be commensurate with the level of the risk associated with the intended use of the ICT product, ICT service or ICT process, in terms of the probability and impact of an incident.

2.  European cybersecurity certificates and EU statements of conformity shall refer to any assurance level specified in the European cybersecurity certification scheme under which the European cybersecurity certificate or EU statement of conformity is issued.

3.  The security requirements corresponding to each assurance level shall be provided in the relevant European cybersecurity certification scheme, including the corresponding security functionalities and the corresponding rigour and depth of the evaluation that the ICT product, ICT service or ICT process is to undergo.▌

4.  The certificate or the EU statement of conformity shall refer to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of, or to prevent cybersecurity incidents. ▌

5.  A European cybersecurity certificate or EU statement of conformity that refers to assurance level 'basic' shall provide assurance that the ICT products, ICT services and ICT processes for which that certificate or that EU statement of conformity is issued meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise the known basic risks of incidents and cyberattacks. The evaluation activities to be undertaken shall include at least a review of technical documentation. Where such a review is not appropriate, substitute evaluation activities with equivalent effect shall be undertaken.

6.  A European cybersecurity certificate that refers to assurance level 'substantial' shall provide assurance that the ICT products, ICT services and ICT processes for which that certificate is issued meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise the known cybersecurity risks, and the risk of incidents and cyberattacks carried out by actors with limited skills and resources. The evaluation activities to be undertaken shall include at least the following: a review to demonstrate the absence of publicly known vulnerabilities and testing to demonstrate that the ICT products, ICT services or ICT processes correctly implement the necessary security functionalities. Where any such evaluation activities are not appropriate, substitute evaluation activities with equivalent effect shall be undertaken.

7.  A European cybersecurity certificate that refers to assurance level 'high' shall provide assurance that the ICT products, ICT services and ICT processes for which that certificate is issued meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources. The evaluation activities to be undertaken shall include at least the following: a review to demonstrate the absence of publicly known vulnerabilities; testing to demonstrate that the ICT products, ICT services or ICT processes correctly implement the necessary security functionalities at the state of the art; and an assessment of their resistance to skilled attackers, using penetration testing. Where any such evaluation activities are not appropriate, substitute activities with equivalent effect shall be undertaken.

8.  A European cybersecurity certification scheme may specify several evaluation levels depending on the rigour and depth of the evaluation methodology used. Each of the evaluation levels shall correspond to one of the assurance levels and shall be defined by an appropriate combination of assurance components.

Article 53

Conformity self-assessment

1.  A European cybersecurity certification scheme may allow for the conformity self-assessment under the sole responsibility of the manufacturer or provider of ICT products, ICT services or ICT processes. Conformity self-assessment shall be permitted only in relation to ICT products, ICT services and ICT processes that present a low risk corresponding to assurance level 'basic'.

2.  The manufacturer or provider of ICT products, ICT services or ICT processes may issue an EU statement of conformity stating that the fulfilment of the requirements set out in the scheme has been demonstrated. By issuing such a statement, the manufacturer or provider of ICT products, ICT services or ICT processes shall assume responsibility for the compliance of the ICT product, ICT service or ICT process with the requirements set out in that scheme.

3.  The manufacturer or provider of ICT products, ICT services or ICT processes shall make the EU statement of conformity, technical documentation, and all other relevant information relating to the conformity of the ICT products or ICT services with the scheme available to the national cybersecurity certification authority referred to in Article 58 for the period provided for in the corresponding European cybersecurity certification scheme. A copy of the EU statement of conformity shall be submitted to the national cybersecurity certification authority and to ENISA.

4.  The issuing of an EU statement of conformity is voluntary, unless otherwise specified in Union law or Member State law.

5.  EU statements of conformity shall be recognised in all Member States.

Article 54

Elements of European cybersecurity certification schemes

1.  A European cybersecurity certification scheme shall include at least the following elements:

(a)  the subject matter and scope of the certification scheme, including the type or categories of ICT products, ICT services and ICT processes covered;

(b)  a clear description of the purpose of the scheme and of how the selected standards, evaluation methods and assurance levels correspond to the needs of the intended users of the scheme;

(c)  references to the international, European or national standards applied in the evaluation or, where such standards are not available or appropriate, to technical specifications that meet the requirements set out in Annex II of Regulation (EU) No 1025/2012 or, if such specifications are not available, to technical specifications or other cybersecurity requirements defined in the European cybersecurity certification scheme;

(d)  where applicable, one or more assurance levels;

(e)  an indication of whether conformity self-assessment is permitted under the scheme;

(f)  where applicable, specific or additional requirements to which conformity assessment bodies are subject in order to guarantee their technical competence to evaluate the cybersecurity requirements;

(g)  the specific evaluation criteria and methods to be used, including types of evaluation, in order to demonstrate that the security objectives referred to in Article 51 are achieved;

(h)   where applicable, the information which is necessary for certification and which is to be supplied or otherwise be made available to the conformity assessment bodies by an applicant;

(i)  where the scheme provides for marks or labels, the conditions under which such marks or labels may be used;

(j)  ▌ rules for monitoring compliance of ICT products, ICT services and ICT processes with the requirements of the European cybersecurity certificates or the EU statements of conformity, including mechanisms to demonstrate continued compliance with the specified cybersecurity requirements;

(k)  where applicable, the conditions for issuing, maintaining, continuing ▌ and renewing the European cybersecurity certificates, as well as the conditions for extending ▌or reducing the scope of certification;

(l)  rules concerning the consequences for ICT products ▌, ICT services and ICT processes that have been certified or for which an EU statement of conformity has been issued, but which do not comply with the ▌requirements of the scheme;

(m)  rules concerning how previously undetected cybersecurity vulnerabilities in ICT products, ICT services and ICT processes are to be reported and dealt with;

(n)   where applicable, rules concerning the retention of records by conformity assessment bodies;

(o)  the identification of national or international cybersecurity certification schemes covering the same type or categories of ICT products, ICT services and ICT processes, security requirements, evaluation criteria and methods, and assurance levels;

(p)  the content and the format of the European cybersecurity certificates and the EU statements of conformity to be issued;

(q)  the period of the availability of the EU statement of conformity, technical documentation, and all other relevant information to be made available by the manufacturer or provider of ICT products, ICT services or ICT processes;

(r)  maximum period of validity of European cybersecurity certificates issued under the scheme;

(s)  disclosure policy for European cybersecurity certificates issued, amended or withdrawn under the scheme;

(t)  conditions for the mutual recognition of certification schemes with third countries;

(u)  where applicable, rules concerning any peer assessment mechanism established by the scheme for the authorities or bodies issuing European cybersecurity certificates for assurance level 'high' pursuant to Article 56(6). Such mechanism shall be without prejudice to the peer review provided for in Article 59;

(v)  format and procedures to be followed by manufacturers or providers of ICT products, ICT services or ICT processes in supplying and updating the supplementary cybersecurity information in accordance with Article 55.

2.  The specified requirements of the European cybersecurity certification scheme shall be consistent with any applicable legal requirements, in particular requirements emanating from harmonised Union law.

3.  Where a specific Union legal act so provides, a certificate or an EU statement of conformity issued under a European cybersecurity certification scheme may be used to demonstrate the presumption of conformity with requirements of that legal act.

4.  In the absence of harmonised Union law, Member State law may also provide that a European cybersecurity certification scheme may be used for establishing the presumption of conformity with legal requirements.

Article 55

Supplementary cybersecurity information for certified ICT products, ICT services and ICT processes

1.  The manufacturer or provider of certified ICT products, ICT services or ICT processes or of ICT products, ICT services and ICT processes for which an EU statement of conformity has been issued shall make publicly available the following supplementary cybersecurity information:

(a)  guidance and recommendations to assist end users with the secure configuration, installation, deployment, operation and maintenance of the ICT products or ICT services;

(b)  the period during which security support will be offered to end users, in particular as regards the availability of cybersecurity related updates;

(c)  contact information of the manufacturer or provider and accepted methods for receiving vulnerability information from end users and security researchers;

(d)  a reference to online repositories listing publicly disclosed vulnerabilities related to the ICT product, ICT service or ICT process and to any relevant cybersecurity advisories.

2.  The information referred to in paragraph 1 shall be available in electronic form and shall remain available and be updated as necessary at least until the expiry of the corresponding European cybersecurity certificate or EU statement of conformity.

Article 56

Cybersecurity certification

1.  ICT products, ICT services and ICT processes that have been certified under a European cybersecurity certification scheme adopted pursuant to Article 49 shall be presumed to comply with the requirements of such scheme.

2.  The cybersecurity certification shall be voluntary, unless otherwise specified by Union law or Member State law.

3.  The Commission shall regularly assess the efficiency and use of the adopted European cybersecurity certification schemes and whether a specific European cybersecurity certification scheme is to be made mandatory through relevant Union law to ensure an adequate level of cybersecurity of ICT products, ICT services and ICT processes in the Union and improve the functioning of the internal market. The first such assessment shall be carried out no later than 31 December 2023, and subsequent assessments shall be carried out at least every two years thereafter. Based on the outcome of those assessments, the Commission shall identify the ICT products, ICT services and ICT processes covered by an existing certification scheme which are to be covered by a mandatory certification scheme.

As a priority, the Commission shall focus on the sectors listed in Annex II of Directive (EU) 2016/1148, which shall be assessed at the latest two years after the adoption of the first European cybersecurity certification scheme.

When preparing the assessment the Commission shall:

(a)  take into account the impact of the measures on the manufacturers or providers of such ICT products, ICT services or ICT processes and on the users in terms of the cost of those measures and the societal or economic benefits stemming from the anticipated enhanced level of security for the targeted ICT products, ICT services or ICT processes;

(b)  take into account the existence and implementation of relevant Member State and third country law;

(c)  carry out an open, transparent and inclusive consultation process with all relevant stakeholders and Member States;

(d)  take into account any implementation deadlines, transitional measures and periods, in particular with regard to the possible impact of the measure on the manufacturers or providers of ICT products, ICT services or ICT processes, including SMEs;

(e)  propose the most speedy and efficient way in which the transition from a voluntary to mandatory certification schemes is to be implemented.

4.  The conformity assessment bodies referred to in Article 60 shall issue European cybersecurity certificates pursuant to this Article referring to assurance level 'basic' or 'substantial' on the basis of criteria included in the European cybersecurity certification scheme adopted by the Commission pursuant to Article 49.

5.  By ▌way of derogation from paragraph 4, in duly justified cases a European cybersecurity certification scheme may provide that European cybersecurity certificates resulting from that scheme are to be issued only by a public body. Such ▌body shall be one of the following:

(a)  a national cybersecurity certification ▌ authority as referred to in Article 58(1); or

(b)  a public body that is accredited as a conformity assessment body pursuant to Article 60(1) ▌.

6.  Where a European cybersecurity certification scheme adopted pursuant to Article 49 requires an assurance level 'high', the European cybersecurity certificate under that scheme is to be issued only by a national cybersecurity certification authority or, in the following cases, by a conformity assessment body:

(a)  upon prior approval by the national cybersecurity certification authority for each individual European cybersecurity certificate issued by a conformity assessment body; or

(b)  on the basis of a general delegation of the task of issuing such European cybersecurity certificates to a conformity assessment body by the national cybersecurity certification authority.

7.  The natural or legal person who submits ICT products, ICT services or ICT processes for certification shall make available to the national cybersecurity certification authority referred to in Article 58, where that authority is the body issuing the European cybersecurity certificate, or to the conformity assessment body referred to in Article 60 all information necessary to conduct the certification.

8.  The holder of a European cybersecurity certificate shall inform the authority or body referred to in paragraph 7 of any subsequently detected vulnerabilities or irregularities concerning the security of the certified ICT product, ICT service or ICT process that may have an impact on its compliance with the requirements related to the certification. That authority or body shall forward that information without undue delay to the national cybersecurity certification authority concerned.

9.  A European cybersecurity certificate shall be issued for the period provided for in the European cybersecurity certification scheme and may be renewed ▌, provided that the relevant requirements continue to be met.

10.  A European cybersecurity certificate issued pursuant to this Article shall be recognised in all Member States.

Article 57

National cybersecurity certification schemes and certificates

1.  Without prejudice to paragraph 3 of this Article, national cybersecurity certification schemes, and the related procedures for the ICT products, ICT services and ICT processes that are covered by a European cybersecurity certification scheme shall cease to produce effects from the date established in the implementing act adopted pursuant to Article 49(7). National cybersecurity certification schemes and the related procedures for the ICT products, ICT services and ICT processes that are not covered by a European cybersecurity certification scheme shall continue to exist.

2.  Member States shall not introduce new national cybersecurity certification schemes for ICT products, ICT services and ICT processes already covered by a European cybersecurity certification scheme that is in force.

3.  Existing certificates that were issued under national cybersecurity certification schemes and are covered by a European cybersecurity certification scheme shall remain valid until their expiry date.

4.  With a view to avoiding the fragmentation of the internal market, Member States shall inform the Commission and the ECCG of any intention to draw up new national cybersecurity certification schemes.

Article 58

National cybersecurity certification authorities

1.  Each Member State shall designate one or more national cybersecurity certification authorities in its territory or, with the agreement of another Member State, shall designate one or more national cybersecurity certification authorities established in that other Member State to be responsible for the supervisory tasks in the designating Member State.

2.  Each Member State shall inform the Commission of the identity of the ▌designated national cybersecurity certification authorities. Where a Member State designates more than one authority, it shall also inform the Commission about the tasks assigned to each of those authorities.

3.  Without prejudice to point (a) of Article 56(5) and Article 56(6), each national cybersecurity certification ▌ authority shall be independent of the entities it supervises in its organisation, funding decisions, legal structure and decision-making.

4.  Member States shall ensure that the activities of the national cybersecurity certification authorities that relate to the issuance of European cybersecurity certificates referred to in point (a) of Article 56(5) and in Article 56(6) are strictly separated from their supervisory activities set out in this Article and that those activities are carried out independently from each other.

5.  Member States shall ensure that national cybersecurity certification authorities have adequate resources to exercise their powers and to carry out their tasks in an effective and efficient manner.

6.  For the effective implementation of this Regulation, it is appropriate that national cybersecurity certification authorities participate in the ECCG in an active, effective, efficient and secure manner.

7.  National cybersecurity certification ▌ authorities shall:

(a)  supervise and enforce rules included in European cybersecurity certification schemes pursuant to point (j) of Article 54(1) for the monitoring of the compliance of ICT products, ICT services and ICT processes with the requirements of the European cybersecurity certificates that have been issued in their respective territories, in cooperation with other relevant market surveillance authorities;

(b)  monitor compliance with and enforce the obligations of the manufacturers or providers of ICT products, ICT services or ICT processes that are established in their respective territories and that carry out conformity self-assessment, and shall, in particular, monitor compliance with and enforce the obligations of such manufacturers or providers set out in Article 53(2) and (3) and in the corresponding European cybersecurity certification scheme;

(c)  without prejudice to Article 60(3), actively assist and support the national accreditation bodies in the monitoring and supervision of the activities of conformity assessment bodies, for the purposes of this Regulation; ▌

(d)  monitor and supervise the activities of the public bodies referred to in Article 56(5);

(e)  where applicable, authorise conformity assessment bodies in accordance with Article 60(3) and restrict, suspend or withdraw existing authorisation where conformity assessment bodies infringe the requirements of this Regulation;

(f)  handle complaints by natural or legal persons in relation to European cybersecurity certificates issued by national cybersecurity certification authorities or to European cybersecurity certificates issued by conformity assessment bodies in accordance with Article 56(6) or in relation to EU statements of conformity issued under Article 53, and shall investigate the subject matter of such complaints to the extent appropriate, and shall inform the complainant of the progress and the outcome of the investigation within a reasonable period;

(g)  provide an annual summary report on the activities conducted under points (b), (c) and (d) of this paragraph or under paragraph 8 to ENISA and the ECCG;

(h)  cooperate with other national cybersecurity certification ▌ authorities or other public authorities, including by sharing information on the possible non-compliance of ICT products, ICT services and ICT processes with the requirements of this Regulation or with the requirements of specific European cybersecurity certification schemes; and

(i)  monitor relevant developments in the field of cybersecurity certification.

8.  Each national cybersecurity certification ▌ authority shall have at least the following powers:

(a)  to request conformity assessment bodies ▌, European cybersecurity certificates' holders and issuers of EU statements of conformity to provide any information it requires for the performance of its tasks;

(b)  to carry out investigations, in the form of audits, of conformity assessment bodies ▌, European cybersecurity certificates' holders and issuers of EU statements of conformity, for the purpose of verifying their compliance with this Title;

(c)  to take appropriate measures, in accordance with national law, to ensure that conformity assessment bodies ▌, European cybersecurity certificates' holders and issuers of EU statements of conformity comply with this Regulation or with a European cybersecurity certification scheme;

(d)  to obtain access to the premises of any conformity assessment bodies or holders of European cybersecurity certificates, for the purpose of carrying out investigations in accordance with Union or Member State procedural law;

(e)  to withdraw, in accordance with national law, European cybersecurity certificates issued by the national cybersecurity certification authorities or European cybersecurity certificates issued by conformity assessment bodies in accordance with Article 56(6), where such certificates do not comply with this Regulation or with a European cybersecurity certification scheme;

(f)  to impose penalties in accordance with national law, as provided for in Article 65, and to require the immediate cessation of breaches of the obligations set out in this Regulation.

9.  National cybersecurity certification ▌ authorities shall cooperate with each other and with the Commission, in particular, by exchanging information, experience and good practices as regards cybersecurity certification and technical issues concerning the cybersecurity of ICT products, ICT services and ICT processes.

Article 59

Peer review

1.  With a view to achieving equivalent standards throughout the Union in respect of European cybersecurity certificates and EU statements of conformity, national cybersecurity certification authorities shall be subject to peer review.

2.  Peer review shall be carried out on the basis of sound and transparent evaluation criteria and procedures, in particular concerning structural, human resource and process requirements, confidentiality and complaints.

3.  Peer review shall assess:

(a)  where applicable, whether the activities of the national cybersecurity certification authorities that relate to the issuance of European cybersecurity certificates referred to in point (a) of Article 56(5) and in Article 56(6) are strictly separated from their supervisory activities set out in Article 58 and whether those activities are carried out independently from each other;

(b)  the procedures for supervising and enforcing the rules for monitoring the compliance of ICT products, ICT services and ICT processes with European cybersecurity certificates pursuant to point (a) of Article 58(7);

(c)  the procedures for monitoring and enforcing the obligations of manufacturers or providers of ICT products, ICT services or ICT processes pursuant to point (b) of Article 58(7);

(d)  the procedures for monitoring, authorising and supervising the activities of the conformity assessment bodies;

(e)  where applicable, whether the staff of authorities or bodies that issue certificates for assurance level 'high' pursuant to Article 56(6) have the appropriate expertise.

4.  Peer review shall be carried out by at least two national cybersecurity certification authorities of other Member States and the Commission and shall be carried out at least once every five years. ENISA may participate in the peer review.

5.  The Commission may adopt implementing acts establishing a plan for peer review which covers a period of at least five years, laying down the criteria concerning the composition of the peer review team, the methodology to be used in peer review, and the schedule, the frequency and other tasks related to it. In adopting those implementing acts, the Commission shall take due account of the views of the ECCG. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 66(2).

6.  The outcomes of peer reviews shall be examined by the ECCG, which shall draw up summaries that may be made publicly available and which shall, where necessary, issue guidelines or recommendations on actions or measures to be taken by the entities concerned.

Article 60

Conformity assessment bodies

1.  The conformity assessment bodies shall be accredited by national accreditation bodies appointed pursuant to Regulation (EC) No 765/2008. Such accreditation shall be issued only where the conformity assessment body meets the requirements set out in the Annex to this Regulation.

2.  Where a European cybersecurity certificate is issued by a national cybersecurity certification authority pursuant to point (a) of Article 56(5) and Article 56(6), the certification body of the national cybersecurity certification authority shall be accredited as a conformity assessment body pursuant to paragraph 1 of this Article.

3.  Where European cybersecurity certification schemes set out specific or additional requirements pursuant to point (f) of Article 54(1), only conformity assessment bodies that meet those requirements shall be authorised by the national cybersecurity certification authority to carry out tasks under such schemes.

4.  The accreditation referred to in paragraph 1 shall be issued to the conformity assessment bodies for a maximum of five years and may be renewed on the same conditions, provided that the conformity assessment body still meets the requirements set out in this Article. National accreditation bodies shall take all appropriate measures within a reasonable timeframe to restrict, suspend or revoke the accreditation of a conformity assessment body issued pursuant to paragraph 1 where the conditions for the accreditation have not been met or are no longer met, or where the conformity assessment body infringes this Regulation.

Article 61

Notification

1.  For each European cybersecurity certification scheme, the national cybersecurity certification ▌authorities shall notify the Commission of the ▌conformity assessment bodies that have been accredited and, where applicable, authorised pursuant to Article 60(3) to issue European cybersecurity certificates at specified assurance levels as referred to in Article 52. The national cybersecurity certification authorities shall notify the Commission of any subsequent changes thereto without undue delay.

2.  One year after the entry into force of a European cybersecurity certification scheme, the Commission shall publish a list of the conformity assessment bodies notified under that scheme in the Official Journal of the European Union.

3.  If the Commission receives a notification after the expiry of the period referred to in paragraph 2, it shall publish the amendments to the list of notified conformity assessment bodies in the Official Journal of the European Union within two months of the date of receipt of that notification.

4.  A national cybersecurity certification ▌authority may submit to the Commission a request to remove a conformity assessment body notified by that authority from the list referred to in paragraph 2. The Commission shall publish the corresponding amendments to that list in the Official Journal of the European Union within one month of the date of receipt of the national cybersecurity certification ▌ authority’s request.

5.  The Commission may adopt implementing acts to establish the circumstances, formats and procedures for notifications referred to in paragraph 1 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 66(2).

Article 62

European Cybersecurity Certification Group

1.  The European Cybersecurity Certification Group (the ‘ECCG’) shall be established.

2.  The ECCG shall be composed of representatives of national cybersecurity certification ▌authorities ▌ or representatives of other relevant national ▌authorities. A member of the ECCG shall not represent more than two Member States.

3.  Stakeholders and relevant third parties may be invited to attend meetings of the ECCG and to participate in its work.

4.  The ECCG shall have the following tasks:

(a)  to advise and assist the Commission in its work to ensure the consistent implementation and application of this Title, in particular regarding the Union rolling work programme, cybersecurity certification policy issues, the coordination of policy approaches, and the preparation of European cybersecurity certification schemes;

(b)  to assist, advise and cooperate with ENISA in relation to the preparation of a candidate scheme pursuant to Article 49;

(c)  to adopt an opinion on candidate schemes prepared by ENISA pursuant to Article 49;

(d)  to request ENISA to prepare candidate schemes pursuant to Article 48(2);

(e)  to adopt opinions addressed to the Commission relating to the maintenance and review of existing European cybersecurity certifications schemes;

(f)  to examine relevant developments in the field of cybersecurity certification and to exchange information and good practices on cybersecurity certification schemes;

(g)  to facilitate the cooperation between national cybersecurity certification ▌authorities under this Title through capacity-building and the exchange of information, in particular by establishing methods for the efficient exchange of information relating to issues concerning cybersecurity certification;

(h)  to support the implementation of peer assessment mechanisms in accordance with the rules established in a European cybersecurity certification scheme pursuant to point (u) of Article 54(1);

(i)  to facilitate the alignment of European cybersecurity certification schemes with internationally recognised standards, including by reviewing existing European cybersecurity certification schemes and, where appropriate, making recommendations to ENISA to engage with relevant international standardisation organisations to address insufficiencies or gaps in available internationally recognised standards.

5.  With the assistance of ENISA, the Commission shall chair the ECCG, and the Commission shall provide the ECCG with a secretariat in accordance with point (e) of Article 8(1).

Article 63

Right to lodge a complaint

1.  Natural and legal persons shall have the right to lodge a complaint with the issuer of a European cybersecurity certificate or, where the complaint relates to a European cybersecurity certificate issued by a conformity assessment body when acting in accordance with Article 56(6), with the relevant national cybersecurity certification authority.

2.  The authority or body with which the complaint has been lodged shall inform the complainant of the progress of the proceedings and of the decision taken, and shall inform the complainant of the right to an effective judicial remedy referred to in Article 64.

Article 64

Right to an effective judicial remedy

1.  Notwithstanding any administrative or other non-judicial remedies, natural and legal persons shall have the right to an effective judicial remedy with regard to:

(a)  decisions taken by the authority or body referred to in Article 63(1) including, where applicable, in relation to the improper issuing, failure to issue or recognition of a European cybersecurity certificate held by those natural and legal persons;

(b)  the failure to act on a complaint lodged with the authority or body referred to in Article 63(1).

2.  Proceedings pursuant to this Article shall be brought before the courts of the Member State in which the authority or body against which the judicial remedy is sought is located.

Article 65

Penalties

Member States shall lay down the rules on penalties applicable to infringements of this Title and to infringements of European cybersecurity certification schemes, and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive. Member States shall without delay notify the Commission of those rules and of those measures and shall notify it of any subsequent amendment affecting them.

TITLE IV

FINAL PROVISIONS

Article 66

Committee procedure

1.  The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2.  Where reference is made to this paragraph, point (b) of Article 5(4) of Regulation (EU) No 182/2011 shall apply.

Article 67

Evaluation and review

1.  By … [five years after the entry into force of this Regulation], and every five years thereafter, the Commission shall evaluate the impact, effectiveness and efficiency of ENISA and of its working practices, the possible need to modify the ENISA’s mandate and the financial implications of any such modification. The evaluation shall take into account any feedback provided to ENISA in response to its activities. Where the Commission considers that the continued operation of ENISA is no longer justified in light of the objectives, mandate and tasks assigned to it, the Commission may propose that this Regulation be amended with regard to the provisions related to ENISA.

2.  The evaluation shall also assess the impact, effectiveness and efficiency of the provisions of Title III of this Regulation with regard to the objectives of ensuring an adequate level of cybersecurity of ICT products, ICT services and ICT processes in the Union and improving the functioning of the internal market.

3.  The evaluation shall assess whether essential cybersecurity requirements for access to the internal market are necessary in order to prevent ICT products, ICT services and ICT processes entering the Union market which do not meet basic cybersecurity requirements.

4.  By … [five years after the entry into force of this Regulation], and every five years thereafter, the Commission shall transmit a report on the evaluation together with its conclusions to the European Parliament, to the Council and to the Management Board. The findings of that report shall be made public.

Article 68

Repeal and succession

1.  Regulation (EU) No 526/2013 is repealed with effect from … [date of entry into force of this Regulation].

2.  References to Regulation (EU) No 526/2013 and to the ENISA as established by that Regulation shall be construed as references to this Regulation and to ENISA as established by this Regulation.

3.  ENISA as established by this Regulation shall succeed ENISA as established by Regulation (EU) No 526/2013 as regards all ownership, agreements, legal obligations, employment contracts, financial commitments and liabilities. All decisions of the Management Board and the Executive Board adopted in accordance with Regulation (EU) No 526/2013 shall remain valid, provided that they comply with this Regulation.

4.  ENISA shall be established for an indefinite period as of … [date of entry into force of this Regulation].

5.  The Executive Director appointed pursuant to Article 24(4) of Regulation (EU) No 526/2013 shall remain in office and exercise the duties of the Executive Director as referred to in Article 20 of this Regulation for the remaining part of the Executive Director’s term of office. The other conditions of his or her contract shall remain unchanged.

6.  The members of the Management Board and their alternates appointed pursuant to Article 6 of Regulation (EU) No 526/2013 shall remain in office and exercise the functions of the Management Board as referred to in Article 15 of this Regulation for the remaining part of their term of office.

Article 69

Entry into force

1.  This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2.  Articles 58, 60, 61, 63, 64 and 65 shall apply from … [24 months after the date of entry into force of this Regulation].

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at,

For the European Parliament For the Council

The President The President

ANNEX

REQUIREMENTS TO BE MET BY CONFORMITY ASSESSMENT BODIES

Conformity assessment bodies that wish to be accredited shall meet the following requirements:

1.  A conformity assessment body shall be established under national law and shall have legal personality.

2.  A conformity assessment body shall be a third-party body that is independent of the organisation or the ICT products, ICT services or ICT processes that it assesses.

3.  A body that belongs to a business association or professional federation representing undertakings involved in the design, manufacturing, provision, assembly, use or maintenance of ICT products, ICT services or ICT processes which it assesses may be considered to be a conformity assessment body, provided that its independence and the absence of any conflict of interest are demonstrated.

4.  The conformity assessment bodies, their top-level management and the persons responsible for carrying out the conformity assessment tasks shall not be the designer, manufacturer, supplier, installer, purchaser, owner, user or maintainer of the ICT product, ICT service or ICT process which is assessed, or the authorised representative of any of those parties. That prohibition shall not preclude the use of the ICT products assessed that are necessary for the operations of the conformity assessment body or the use of such ICT products for personal purposes.

5.  The conformity assessment bodies, their top-level management and the persons responsible for carrying out the conformity assessment tasks shall not be directly involved in the design, manufacture or construction, the marketing, installation, use or maintenance of the ICT products, ICT services or ICT processes which are assessed, or represent parties engaged in those activities. The conformity assessment bodies, their top-level management and the persons responsible for carrying out the conformity assessment tasks shall not engage in any activity that may conflict with their independence of judgement or integrity in relation to their conformity assessment activities. That prohibition shall apply, in particular, to consultancy services.

6.  If a conformity assessment body is owned or operated by a public entity or institution, the independence and absence of any conflict of interest shall be ensured between the national cybersecurity certification authority and the conformity assessment body, and shall be documented.

7.  Conformity assessment bodies shall ensure that the activities of their subsidiaries and subcontractors do not affect the confidentiality, objectivity or impartiality of their conformity assessment activities.

8.  Conformity assessment bodies and their staff shall carry out conformity assessment activities with the highest degree of professional integrity and the requisite technical competence in the specific field, and shall be free from all pressures and inducements which might influence their judgement or the results of their conformity assessment activities, including pressures and inducements of a financial nature, especially as regards persons or groups of persons with an interest in the results of those activities.

9.  A conformity assessment body shall be capable of carrying out all the conformity assessment tasks assigned to it under this Regulation, regardless of whether those tasks are carried out by the conformity assessment body itself or on its behalf and under its responsibility. Any subcontracting to, or consultation of, external staff shall be properly documented, shall not involve any intermediaries and shall be subject to a written agreement covering, among other things, confidentiality and conflicts of interest. The conformity assessment body in question shall take full responsibility for the tasks performed.

10.  At all times and for each conformity assessment procedure and each type, category or sub-category of ICT products, ICT services or ICT processes, a conformity assessment body shall have at its disposal the necessary:

(a)  staff with technical knowledge and sufficient and appropriate experience to perform the conformity assessment tasks;

(b)  descriptions of procedures in accordance with which conformity assessment is to be carried out, to ensure the transparency of those procedures and the possibility of reproducing them. It shall have in place appropriate policies and procedures that distinguish between tasks that it carries out as a body notified pursuant to Article 61 and its other activities;

(c)  procedures for the performance of activities which take due account of the size of an undertaking, the sector in which it operates, its structure, the degree of complexity of the technology of the ICT product, ICT service or ICT process in question and the mass or serial nature of the production process.

11.  A conformity assessment body shall have the means necessary to perform the technical and administrative tasks connected with the conformity assessment activities in an appropriate manner, and shall have access to all necessary equipment and facilities.

12.  The persons responsible for carrying out conformity assessment activities shall have the following:

(a)  sound technical and vocational training covering all conformity assessment activities;

(b)  satisfactory knowledge of the requirements of the conformity assessments they carry out and adequate authority to carry out those assessments;

(c)  appropriate knowledge and understanding of the applicable requirements and testing standards;

(d)  the ability to draw up certificates, records and reports demonstrating that conformity assessments have been carried out.

13.  The impartiality of the conformity assessment bodies, of their top-level management, of the persons responsible for carrying out conformity assessment activities, and of any subcontractors shall be guaranteed.

14.  The remuneration of the top-level management and of the persons responsible for carrying out conformity assessment activities shall not depend on the number of conformity assessments carried out or on the results of those assessments.

15.  Conformity assessment bodies shall take out liability insurance unless liability is assumed by the Member State in accordance with its national law, or the Member State itself is directly responsible for the conformity assessment.

16.  The conformity assessment body and its staff, its committees, its subsidiaries, its subcontractors, and any associated body or the staff of external bodies of a conformity assessment body shall maintain confidentiality and observe professional secrecy with regard to all information obtained in carrying out their conformity assessment tasks under this Regulation or pursuant to any provision of national law giving effect to this Regulation, except where disclosure is required by Union or Member State law to which such persons are subject, and except in relation to the competent authorities of the Member States in which its activities are carried out. Intellectual property rights shall be protected. The conformity assessment body shall have documented procedures in place in respect of the requirements of this point.

17.  With the exception of point 16, the requirements of this Annex shall not preclude exchanges of technical information and regulatory guidance between a conformity assessment body and a person who applies for certification or who is considering whether to apply for certification.

18.  Conformity assessment bodies shall operate in accordance with a set of consistent, fair and reasonable terms and conditions, taking into account the interests of SMEs in relation to fees.

19.  Conformity assessment bodies shall meet the requirements of the relevant standard that is harmonised under Regulation (EC) No 765/2008 for the accreditation of conformity assessment bodies performing certification of ICT products, ICT services or ICT processes.

20.  Conformity assessment bodies shall ensure that testing laboratories used for conformity assessment purposes meet the requirements of the relevant standard that is harmonised under Regulation (EC) No 765/2008 for the accreditation of laboratories performing testing.

(1) OJ C 227, 28.6.2018, p. 86.
(2) OJ C 176, 23.5.2018, p. 29.
(3) OJ C 227, 28.6.2018, p. 86.
(4) OJ C 176, 23.5.2018, p. 29.
(5) Position of the European Parliament of 12 March 2019.
(6) Commission Recommendation of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
(7) Regulation (EU) No 526/2013 of the European Parliament and of the Council of 21 May 2013 concerning the European Union Agency for Network and Information Security (ENISA) and repealing Regulation (EC) No 460/2004 (OJ L 165, 18.6.2013, p. 41).
(8) Regulation (EC) No 460/2004 of the European Parliament and of the Council of 10 March 2004 establishing the European Network and Information Security Agency (OJ L 77, 13.3.2004, p. 1).
(9) Regulation (EC) No 1007/2008 of the European Parliament and of the Council of 24 September 2008 amending Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency as regards its duration (OJ L 293, 31.10.2008, p. 1).
(10) Regulation (EU) No 580/2011 of the European Parliament and of the Council of 8 June 2011 amending Regulation (EC) No 460/2004 establishing the European Network and Information Security Agency as regards its duration (OJ L 165, 24.6.2011, p. 3).
(11) Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).
(12) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(13) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).
(14) Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code (OJ L 321, 17.12.2018, p. 36).
(15) Decision (2004/97/EC, Euratom) taken by common agreement between the Representatives of the Member States, meeting at Head of State or Government level, of 13 December 2003 on the location of the seats of certain offices and agencies of the European Union (L 29, 3.2.2004, p. 15).
(16) OJ C 12, 13.1.2018, p. 1.
(17) Commission Recommendation (EU) 2017/1584 of 13 September 2017 on coordinated response to large-scale cybersecurity incidents and crises (OJ L 239, 19.9.2017, p. 36).
(18) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/9 (OJ L 218, 13.8.2008, p. 30).
(19) Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
(20) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(21) Regulation (EU) No 1025/2012 of the European Parliament and of the Council of 25 October 2012 on European standardisation, amending Council Directives 89/686/EEC and 93/15/EEC and Directives 94/9/EC, 94/25/EC, 95/16/EC, 97/23/EC, 98/34/EC, 2004/22/EC, 2007/23/EC, 2009/23/EC and 2009/105/EC of the European Parliament and of the Council and repealing Council Decision 87/95/EEC and Decision No 1673/2006/EC of the European Parliament and of the Council (OJ L 316, 14.11.2012, p. 12).
(22) Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 laying down a procedure for the provision of information in the field of technical regulations and of rules on Information Society services (OJ L 241, 17.9.2015, p. 1).
(23) Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement and repealing Directive 2004/18/EC (OJ L 94, 28.3.2014, p. 65).
(24) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
(25) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73).
(26) OJ L 56, 4.3.1968, p. 1.
(27) Commission Delegated Regulation (EU) No 1271/2013 of 30 September 2013 on the framework financial regulation for the bodies referred to in Article 208 of Regulation (EU, Euratom) No 966/2012 of the European Parliament and of the Council (OJ L 328, 7.12.2013, p. 42).
(28) Commission Decision (EU, Euratom) 2015/443 of 13 March 2015 on Security in the Commission (OJ L 72, 17.3.2015, p. 41).
(29) Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information (OJ L 72, 17.3.2015, p. 53).
(30) Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1).
(31) Regulation (EU, Euratom) No 883/2013 of the European Parliament and of the Council of 11 September 2013 concerning investigations conducted by the European Anti-Fraud Office (OLAF) and repealing Regulation (EC) No 1073/1999 of the European Parliament and of the Council and Council Regulation (Euratom) No 1074/1999 (OJ L 248, 18.9.2013, p. 1).
(32) OJ L 136, 31.5.1999, p. 15.
(33) Council Regulation (Euratom, EC) No 2185/96 of 11 November 1996 concerning on-the-spot checks and inspections carried out by the Commission in order to protect the European Communities' financial interests against fraud and other irregularities (OJ L 292, 15.11.1996, p. 2).
(34) Council Regulation No 1 determining the languages to be used by the European Economic Community (OJ 17, 6.10.1958, p. 385).


Unfair trading practices in business-to-business relationships in the food supply chain ***I
European Parliament legislative resolution of 12 March 2019 on the proposal for a directive of the European Parliament and of the Council on unfair trading practices in business-to-business relationships in the food supply chain (COM(2018)0173 – C8-0139/2018 – 2018/0082(COD))
P8_TA-PROV(2019)0152 A8-0309/2018

(Ordinary legislative procedure: first reading)

The European Parliament,

–  having regard to the Commission proposal to Parliament and the Council (COM(2018)0173),

–  having regard to Article 294(2) and Article 43(2) of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C8‑0139/2018),

–  having regard to Article 294(3) of the Treaty on the Functioning of the European Union,

–  having regard to the reasoned opinion submitted, within the framework of Protocol No 2 on the application of the principles of subsidiarity and proportionality, by the Swedish Parliament, asserting that the draft legislative act does not comply with the principle of subsidiarity,

–  having regard to the opinion of the European Economic and Social Committee of 19 September 2018(1),

–  having regard to the opinion of the Committee of the Regions of 4 July 2018(2),

–  having regard to the provisional agreement approved by the committee responsible under Rule 69f(4) of its Rules of Procedure and the undertaking given by the Council representative by letter of 14 January 2019 to approve Parliament’s position, in accordance with Article 294(4) of the Treaty on the Functioning of the European Union,

–  having regard to Rule 59 of its Rules of Procedure,

–  having regard to the report of the Committee on Agriculture and Rural Development and the opinions of the Committee on the Internal Market and Consumer Protection, the Committee on Development and the Committee on the Environment, Public Health and Food Safety (A8-0309/2018),

1.  Adopts its position at first reading hereinafter set out;

2.  Approves its statement annexed to this resolution;

3.  Approves the joint statement of the Parliament, the Council and the Commission annexed to this resolution;

4.  Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal;

5.  Instructs its President to forward its position to the Council, the Commission and the national parliaments.

Position of the European Parliament adopted at first reading on 12 March 2019 with a view to the adoption of Directive (EU) 2019/… of the European Parliament and of the Council on unfair trading practices in business-to-business relationships in the agricultural and food supply chain

P8_TC1-COD(2018)0082


THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 43(2) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee(3),

Having regard to the opinion of the Committee of the Regions(4),

Acting in accordance with the ordinary legislative procedure(5),

Whereas:

(1)  Within the agricultural and food supply chain, significant imbalances in bargaining power between suppliers and buyers of agricultural and food products are a common occurrence. Those imbalances in bargaining power are likely to lead to unfair trading practices when larger and more powerful trading partners seek to impose certain practices or contractual arrangements which are to their advantage in relation to a sales transaction. Such practices may, for example: grossly deviate from good commercial conduct, be contrary to good faith and fair dealing and be unilaterally imposed by one trading partner on the other; impose an unjustified and disproportionate transfer of economic risk from one trading partner to another; or impose a significant imbalance of rights and obligations on one trading partner. Certain practices might be manifestly unfair even when both parties agree to them. A minimum Union standard of protection against unfair trading practices should be introduced to reduce the occurrence of such practices which are likely to have a negative impact on the living standards of the agricultural community. The minimum harmonisation approach in this Directive allows Member States to adopt or maintain national rules which go beyond the unfair trading practices listed in this Directive.

(2)  Three Commission publications since 2009 (the communication of the Commission of 28 October 2009 on a better functioning of the food supply chain in Europe, the communication of the Commission of 15 July 2014 on tackling unfair trading practices in the business-to-business food supply chain, and the report of the Commission of 29 January 2016 on unfair business-to-business trading practices in the food supply chain) have focused on the working of the food supply chain, including the occurrence of unfair trading practices. ▌ The Commission suggested desirable features for national and voluntary governance frameworks for dealing with unfair trading practices in the food supply chain. Not all of those features have become part of the legal framework or voluntary governance regimes in Member States, leaving the occurrence of such practices still the focus of the political debate in the Union.

(3)  In 2011, the Commission-led High Level Forum for a Better Functioning Food Supply Chain endorsed a set of principles of good practice in vertical relations in the food supply chain, which was agreed by organisations representing a majority of the operators in the food supply chain. Those principles became the basis for the Supply Chain Initiative launched in 2013.

(4)  The European Parliament, in its resolution of 7 June 2016 on unfair trading practices in the food supply chain(6), invited the Commission to submit a proposal for a Union legal framework concerning unfair trading practices. The Council, in its conclusions of 12 December 2016 on Strengthening farmers’ position in the food supply chain and tackling unfair trading practices, invited the Commission to undertake, in a timely manner, an impact assessment with a view to proposing a Union legislative framework or non-legislative measures to address unfair trading practices. An impact assessment was prepared by the Commission, which was preceded by an open public consultation as well as targeted consultations. In addition, during the legislative process the Commission provided information demonstrating that large operators represent a considerable share of the overall value of production.

(5)  Different operators are active in the agricultural and food supply chain at different stages of the production, processing, marketing, distribution and retail of agricultural and food products. That chain is by far the most important channel for bringing agricultural and food products from “farm to fork”. Those operators trade agricultural and food products, that is to say primary agricultural products, including fishery and aquaculture products, as listed in Annex I to the Treaty on the Functioning of the European Union (TFEU) ▌, and ▌products not listed in that Annex but processed for use as food using products listed in that Annex.

(6)  While business risk is inherent in all economic activity, agricultural production is particularly fraught with uncertainty due to its reliance on biological processes and its exposure to weather conditions. That uncertainty is compounded by the fact that agricultural and food products are to a greater or lesser extent perishable and seasonal ▌. In an agricultural policy environment that is distinctly more market-oriented than in the past, protection against unfair trading practices has become more important for operators active in the agricultural and food supply chain ▌.

(7)  In particular, such unfair trading practices are likely to have a negative impact on the living standards of the agricultural community. That impact is understood to be either direct, as it concerns agricultural producers and their organisations as suppliers, or indirect, through a cascading of the consequences of the unfair trading practices occurring in the agricultural and food supply chain in a manner that negatively affects the primary producers in that chain.

(8)  A majority of ▌ Member States, but not all of them, have specific national rules that protect suppliers against unfair trading practices occurring in business-to-business relationships in the agricultural and food supply chain. Where reliance on contract law or self-regulatory initiatives is possible, fear of commercial retaliation against a complainant, as well as financial risks involved in challenging such practices, limit the practical value of those forms of redress. Certain Member States which have specific rules on unfair trading practices ▌ therefore entrust the enforcement of such rules to administrative authorities. However, Member States’ unfair trading practices rules - to the extent they exist - are characterised by significant divergence.

(9)  The number and size of operators vary across the different stages of the agricultural and food supply chain. Differences in bargaining power, which correspond to the economic dependence of the supplier on the buyer, are likely to lead to larger operators imposing unfair trading practices on smaller operators. A dynamic approach, which is based on the relative size of the supplier and the buyer in terms of annual turnover, should provide better protection against unfair trading practices for those operators who need it most. Unfair trading practices are particularly harmful for small and medium-sized enterprises (SMEs) in the agricultural and food supply chain. Enterprises larger than SMEs but with an annual turnover not exceeding EUR 350 000 000 should also be protected against unfair trading practices to avoid the costs of such practices being passed on to agricultural producers. The cascading effect on agricultural producers appears to be particularly significant for enterprises with an annual turnover of up to EUR 350 000 000. The protection of intermediary suppliers of agricultural and food products, including processed products, can also serve to avoid the diversion of trade away from agricultural producers and their associations which produce processed products to non-protected suppliers.

(10)  The protection provided by this Directive should benefit agricultural producers and natural or legal persons that supply agricultural and food products, including producer organisations, whether recognised or not, and associations of producer organisations, whether recognised or not, subject to their relative bargaining power. Those producer organisations and associations of producer organisations include cooperatives. Those producers and persons are particularly vulnerable to unfair trading practices and least able to weather them without negative effects on their economic viability. As regards the categories of suppliers that should be protected under this Directive, it is noteworthy that a significant proportion of farmer-constituted cooperatives are enterprises larger than SMEs but with an annual turnover not exceeding EUR 350 000 000.

(11)  This Directive should cover commercial transactions irrespective of whether they are carried out between enterprises or between enterprises and public authorities, given that public authorities, when buying agricultural and food products, should be held to the same standards. This Directive should apply to all public authorities acting as buyers.

(12)  Suppliers in the Union should be protected not only against unfair trading practices by buyers that are established in the same Member State as the supplier or in a different Member State than the supplier, but also against unfair trading practices by buyers established outside the Union. Such protection would avoid possible unintended consequences, such as choosing the place of establishment on the basis of applicable rules. Suppliers established outside the Union should also enjoy protection against unfair trading practices when they sell agricultural and food products into the Union. Not only are such suppliers liable to be equally vulnerable to unfair trading practices, but a broader scope could also avoid the unintended diversion of trade towards non-protected suppliers, which would undermine the protection of suppliers in the Union.

(13)  Certain services that are ancillary to the sale of agricultural and food products should be included in the scope of this Directive.

(14)  This Directive should apply to the business conduct of larger operators towards operators who have less bargaining power. A suitable approximation for relative bargaining power is the annual turnover of the different operators. While being an approximation, this criterion gives operators predictability concerning their rights and obligations under this Directive. An upper limit should prevent protection from being afforded to operators who are not vulnerable or are significantly less vulnerable than their smaller partners or competitors. Therefore, this Directive establishes turnover-based categories of operators according to which protection is afforded.

(15)  As unfair trading practices may occur at any stage of the sale of an agricultural or food product, ▌ before, during or after a sales transaction, Member States should ensure that this Directive applies to such practices whenever they occur.

(16)  When deciding whether a particular trading practice is considered unfair, it is important to reduce the risk of limiting the use of fair and efficiency-creating agreements agreed between parties. Therefore, it is appropriate to distinguish between practices that are provided for in clear and unambiguous terms in supply agreements or in subsequent agreements between parties and practices that occur after the transaction has started without having been agreed beforehand, so that only unilateral and retrospective changes to those clear and unambiguous terms of the supply agreement are prohibited. However, certain trading practices are considered as unfair by their very nature and should not be subject to the parties’ contractual freedom ▌.

(17)  Late payments for agricultural and food products, including late payments for perishable products, and short notice cancellations of orders of perishable products impact negatively on the economic viability of the supplier, without providing off-setting benefits. Such practices should therefore be prohibited. In that context, it is appropriate to provide for a definition of perishable agricultural and food products for the purposes of this Directive. The definitions used in Union acts relating to food law relate to different objectives, such as health and food safety, and are therefore not appropriate for the purposes of this Directive. A product should be considered perishable if it can be expected to become unfit for sale within 30 days from the last act of harvesting, production or processing by the supplier, regardless of whether the product is further processed after sale, and regardless of whether the product is handled after sale in accordance with other rules, in particular food safety rules. Perishable products are normally used or sold quickly. Payments for perishable products that are made later than 30 days after delivery, 30 days after the end of an agreed delivery period where products are delivered on a regular basis, or 30 days after the date on which the amount payable is set, are not compatible with fair trading. In order to provide increased protection to farmers and their liquidity, suppliers of other agricultural and food products should not have to wait for payment longer than 60 days after delivery, 60 days after the end of an agreed delivery period where products are delivered on a regular basis, or 60 days after the date on which the amount payable is set. Those limitations should only apply to payments related to the sale of agricultural and food products, and not to other payments such as supplementary payments by a cooperative to its members. 
In accordance with Directive 2011/7/EU of the European Parliament and of the Council(7), it should also be possible to consider the date on which the amount payable for an agreed delivery period is set, for the purposes of this Directive, as the date of the issuance of the invoice or the date of its receipt by the buyer.

(18)  The late payment provisions laid down in this Directive constitute specific rules for the agricultural and food sector in relation to the provisions on the payment periods set out in Directive 2011/7/EU. The late payment provisions laid down in this Directive should not affect agreements concerning value-sharing clauses within the meaning of Article 172a of Regulation (EU) No 1308/2013 of the European Parliament and of the Council(8). In order to safeguard the smooth functioning of the school scheme pursuant to Article 23 of Regulation (EU) No 1308/2013, the late payment provisions laid down in this Directive should not apply to payments made by a buyer (i.e. aid applicant) to a supplier in the framework of the school scheme. Taking into account the challenges for public entities providing healthcare to prioritise healthcare in a way that balances the needs of individual patients with the financial resources, these provisions should also not apply to public entities providing healthcare within the meaning of point (b) of Article 4(4) of Directive 2011/7/EU.

(19)  Grapes and must for wine production have special characteristics, because grapes are harvested only during a very limited period of the year, but are used to produce wine which in some cases will only be sold many years later. In order to cater for that special situation, producer organisations and interbranch organisations have traditionally developed standard contracts for the supply of such products. Such standard contracts provide for specific payment deadlines with instalments. As those standard contracts are used by suppliers and buyers for multiannual arrangements, they not only provide agricultural producers with the security of longstanding sales relations, but also contribute to the stability of the supply chain. Where such standard contracts have been drawn up by a recognised producer organisation, interbranch organisation or association of producer organisations and been made binding by a Member State under Article 164 of Regulation (EU) No 1308/2013 ("extension") before 1 January 2019, or where the extension of the standard contracts is renewed by a Member State without any significant changes to the payment terms to the disadvantage of suppliers of grapes and must, the late payment provisions laid down in this Directive should not apply to such contracts between suppliers of grapes and must for wine production and their direct buyers. Member States are required to notify the respective agreements of recognised producer organisations, interbranch organisations and associations of producer organisations to the Commission under Article 164(6) of Regulation (EU) No 1308/2013.

(20)  Notices of cancellation for perishable products of less than 30 days should be considered unfair, as the supplier would not be in a position to find an alternative outlet for those products. However, for products in certain sectors, even shorter cancellation periods might still leave sufficient time for suppliers to sell the products elsewhere or to use them themselves. Member States should therefore be allowed to provide for shorter cancellation periods for such sectors in duly justified cases.

(21)  Stronger buyers should not change agreed contract terms unilaterally, e.g. by delisting products covered by a supply agreement. However, this should not apply in situations in which there is an agreement between a supplier and a buyer that specifically stipulates that the buyer can specify a concrete element of the transaction at a later stage in respect of future orders. This could for instance relate to the quantities ordered. An agreement is not necessarily concluded at one point in time for all aspects of the transaction between the supplier and the buyer.

(22)  Suppliers and buyers of agricultural and food products should be able to freely negotiate sales transactions, including prices. Such negotiations also include payments for services provided by the buyer to the supplier, such as listing, marketing and promotion. However, where a buyer charges a supplier payments which are not related to a specific sales transaction, this should be considered unfair and should be prohibited under this Directive.

(23)  While there should be no obligation to use written contracts, the use of written contracts in the agricultural and food supply chain may help to avoid certain unfair trading practices. Therefore, and in order to protect suppliers from those unfair practices, suppliers or their associations should have the right to request written confirmation of the terms of a supply agreement where those terms have already been agreed. In such cases, the refusal by a buyer to confirm in writing the terms of the supply agreement should be considered as an unfair trading practice and should be prohibited. In addition, Member States might identify, share and promote best practices concerning the conclusion of long-term contracts aimed at strengthening the bargaining position of producers within the agricultural and food supply chain.

(24)  This Directive does not harmonise the rules on the burden of proof to be applied in proceedings before the national enforcement authorities, nor does it harmonise the definition of supply agreements. Therefore, the rules on the burden of proof and the definition of supply agreements are those laid down by the national law of Member States.

(25)  Under this Directive, suppliers should be able to file complaints against certain unfair trading practices. Commercial retaliation by buyers against suppliers who exercise their rights, or the threat thereof, e.g. by delisting products, reducing the quantities of products ordered or stopping certain services which the buyer provides to the supplier such as marketing or promotions on the suppliers’ products, should be prohibited and treated as an unfair trading practice.

(26)  The costs of stocking, displaying or listing agricultural and food products, or of making such products available on the market, are normally borne by the buyer. As a consequence, it should be prohibited under this Directive for a supplier to be charged payment, to be made either to the buyer or to a third party for those services, unless the payment has been agreed in clear and unambiguous terms at the conclusion of the supply agreement or in a subsequent agreement between the buyer and the supplier. Where such a payment is agreed, it should be based on objective and reasonable estimates.

(27)  For contributions by a supplier to the costs of the promotion, marketing or advertising of agricultural and food products, including promotional displays in stores and sales campaigns, to be considered fair, they should be agreed in clear and unambiguous terms at the conclusion of the supply agreement or in a subsequent agreement between the buyer and the supplier. Otherwise, they should be prohibited under this Directive. Where such a contribution is agreed, it should be based on objective and reasonable estimates.

(28)  Member States should designate enforcement authorities to ensure the effective enforcement of the prohibitions laid down in this Directive ▌. Those authorities should be able to act either on their own initiative or on the basis of complaints by parties affected by unfair trading practices in the agricultural and food supply chain, complaints by whistle-blowers, or anonymous complaints. An enforcement authority might find that there are not sufficient grounds to act on a complaint. Administrative priorities might also lead to such a finding. If the enforcement authority finds that it will not be able to give priority to a complaint, it should inform the complainant and give the reasons therefor. Where a complainant requests that its identity remain confidential because of fear of commercial retaliation, the enforcement authorities of the Member States should take appropriate measures.

(29)  If a Member State has more than one enforcement authority, it should designate a single contact point with a view to facilitating effective cooperation among the enforcement authorities and cooperation with the Commission.

(30)  Suppliers might find it easier to address complaints to the enforcement authority of their own Member State, e.g. for linguistic reasons. However, in terms of enforcement, filing a complaint with the enforcement authority of the Member State in which the buyer is established might be more effective. Suppliers should be given a choice as to the authority to which they address complaints.

(31)  Complaints by producer organisations, other organisations of suppliers and associations of such organisations, including representative organisations, can serve to protect the identities of individual members of the organisation who ▌consider that they are affected by unfair trading practices. Other organisations that have a legitimate interest in representing suppliers should also have the right to submit complaints at the request of a supplier and in the interest of that supplier, provided that such organisations are independent non-profit-making legal persons. The enforcement authorities of the Member States should therefore be able to accept and act upon complaints by such entities, while protecting the procedural rights of the buyer.

(32)  In order to ensure the effective enforcement of the prohibition of unfair trading practices, the designated enforcement authorities should have the necessary resources and expertise.

(33)  The enforcement authorities of the Member States should have the necessary powers and expertise to conduct investigations. The empowerment of those authorities does not mean that they are obliged to use those powers in each investigation that they conduct. The powers of the enforcement authorities should, for example, enable them to effectively gather factual information, and the enforcement authorities should have the power to order the termination of a prohibited practice, where applicable.

(34)  The existence of a deterrent, such as the power to impose, or initiate proceedings, e.g. court proceedings, for the imposition of, fines and other equally effective penalties, and to publish investigation results, including the publication of information relating to buyers that have committed infringements, can encourage behavioural changes and pre-litigation solutions between the parties, and should therefore be part of the powers of the enforcement authorities. Fines may be particularly effective and dissuasive. However, the enforcement authority should be able to decide in each investigation which of its powers it will exercise and whether it will impose, or initiate proceedings for the imposition of, a fine or another equally effective penalty.

(35)  The exercise of the powers conferred on enforcement authorities pursuant to this Directive should be subject to appropriate safeguards which meet the standards of the general principles of Union law and the Charter of Fundamental Rights of the European Union, in accordance with the case-law of the Court of Justice of the European Union, including the respect of the buyer's rights of defence.

(36)  The Commission and the enforcement authorities of the Member States should cooperate closely to ensure a common approach with respect to the application of the rules set out in this Directive. In particular, the enforcement authorities should provide each other with mutual assistance, for example by sharing information and assisting in investigations that have a cross-border dimension.

(37)  To facilitate effective enforcement, the Commission should help organise regular meetings between the enforcement authorities of the Member States at which ▌relevant information, best practices, new developments, enforcement practices and recommendations with regard to the application of the provisions laid down in this Directive can be shared. ▌

(38)  To facilitate those exchanges, the Commission should establish a public website which contains references to the national enforcement authorities including information on the national measures that transpose this Directive.

(39)  As a majority of Member States already have national rules on unfair trading practices, albeit diverging rules, it is appropriate to use a Directive to introduce a minimum standard of protection under Union law. This should enable Member States to integrate the relevant rules into their national legal order in such a way as to enable cohesive regimes to be established. Member States should not be precluded from maintaining or introducing in their territory stricter national rules that provide for a higher level of protection against unfair trading practices in business-to-business relationships in the agricultural and food supply chain, subject to the limits of Union law applicable to the functioning of the internal market, provided that such rules are proportionate.

(40)  Member States should also be able to maintain or introduce national rules designed to combat unfair trading practices that are not within the scope of this Directive, subject to the limits of Union law applicable to the functioning of the internal market, provided that such rules are proportionate. Such national rules could go beyond this Directive, for example as regards the size of the buyers and suppliers, protection of buyers, the scope of products and the scope of services. Such national rules could also go beyond the number and type of prohibited unfair trading practices listed in this Directive.

(41)  Such national rules would apply alongside voluntary governance measures, such as national codes of conduct or the Supply Chain Initiative. The use of voluntary alternative dispute resolution between suppliers and buyers should be explicitly encouraged, without prejudice to the right of the supplier to submit complaints or turn to civil law courts.

(42)  The Commission should have an overview of the implementation of this Directive in the Member States. In addition, the Commission should be able to assess the effectiveness of this Directive. To that end, the enforcement authorities of the Member States should submit annual reports to the Commission. Those reports should, where applicable, provide quantitative and qualitative information on complaints, investigations and decisions taken. In order to ensure uniform conditions for the implementation of the reporting obligation, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council(9).

(43)  In the interest of an effective implementation of the policy in respect of unfair trading practices in business-to-business relationships in the agricultural and food supply chain, the Commission should review the application of this Directive and submit a report to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions. That review should assess, in particular, the effectiveness of national measures aimed at combating unfair trading practices in the agricultural and food supply chain and the effectiveness of cooperation among enforcement authorities. The review should also pay particular attention to whether the protection of ▌ buyers of agricultural and food products in the supply chain – in addition to the protection of ▌ suppliers – in the future would be justified. The report should be accompanied, if appropriate, by legislative proposals.

(44)  Since the objective of this Directive, namely the laying down of a minimum Union standard of protection by harmonising Member States’ diverging measures relating to unfair trading practices, cannot be sufficiently achieved by the Member States, but can rather, by reason of its scale and effects, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality, as set out in that Article, this Directive does not go beyond what is necessary in order to achieve that objective,

HAVE ADOPTED THIS DIRECTIVE:

Article 1

Subject matter and scope

1.  With a view to combating practices that grossly deviate from good commercial conduct, that are contrary to good faith and fair dealing and that are unilaterally imposed by one trading partner on another, this Directive establishes a minimum list of prohibited unfair trading practices in relations between buyers and suppliers in the agricultural and food supply chain and lays down minimum rules concerning the enforcement of those prohibitions and arrangements for coordination between enforcement authorities.

2.  This Directive applies to certain unfair trading practices which occur in relation to sales of agricultural and food products by:

(a)  suppliers which have an annual turnover not exceeding EUR 2 000 000 to buyers which have an annual turnover of more than EUR 2 000 000;

(b)  suppliers which have an annual turnover of more than EUR 2 000 000 and not exceeding EUR 10 000 000 to buyers which have an annual turnover of more than EUR 10 000 000;

(c)  suppliers which have an annual turnover of more than EUR 10 000 000 and not exceeding EUR 50 000 000 to buyers which have an annual turnover of more than EUR 50 000 000;

(d)  suppliers which have an annual turnover of more than EUR 50 000 000 and not exceeding EUR 150 000 000 to buyers which have an annual turnover of more than EUR 150 000 000;

(e)  suppliers which have an annual turnover of more than EUR 150 000 000 and not exceeding EUR 350 000 000 to buyers which have an annual turnover of more than EUR 350 000 000.

The annual turnover of the suppliers and buyers referred to in points (a) to (e) of the first subparagraph shall be understood in accordance with the relevant parts of the Annex to Commission Recommendation 2003/361/EC(10) and in particular Articles 3, 4 and 6 thereof, including the definitions of "autonomous enterprise", "partner enterprise" and "linked enterprise", and other issues relating to the annual turnover.

By way of derogation from the first subparagraph, this Directive applies in relation to sales of agricultural and food products by suppliers which have an annual turnover not exceeding EUR 350 000 000 to all buyers which are public authorities.

This Directive applies to sales where either the supplier or the buyer, or both, are established in the Union.

This Directive also applies to services, insofar as explicitly referred to in Article 3, provided by the buyer to the supplier.

This Directive does not apply to agreements between suppliers and consumers.

3.  This Directive applies to supply agreements concluded after the date of application of the measures transposing this Directive in accordance with the second subparagraph of Article 13(1).

4.  Supply agreements concluded before the date of publication of the measures transposing this Directive in accordance with the first subparagraph of Article 13(1) shall be brought into compliance with this Directive within 12 months after that date of publication.

Article 2

Definitions

For the purposes of this Directive, the following definitions apply:

(1)  “agricultural and food products” means products listed in Annex I to the TFEU ▌as well as products not listed in that Annex, but processed for use as food using products listed in that Annex;

(2)  “buyer” means any natural or legal person, irrespective of that person's place of establishment, or any public authority in the Union, who buys agricultural and food products ▌; the term "buyer" may include a group of such natural and legal persons;

(3)  “public authority” means national, regional or local authorities, bodies governed by public law or associations formed by one or more such authorities or one or more such bodies governed by public law;

(4)  “supplier” means any agricultural producer or any natural or legal person, irrespective of their place of establishment, who sells agricultural and food products; the term “supplier” may include a group of such agricultural producers or a group of such natural and legal persons, such as producer organisations, organisations of suppliers and associations of such organisations;

(5)  “perishable agricultural and food products” means agricultural and food products that by their nature or at their stage of processing are liable to become unfit for sale within 30 days after harvest, production or processing.

Article 3

Prohibition of unfair trading practices

1.  Member States shall ensure that at least all the following unfair trading practices are prohibited:

(a)  the buyer pays the supplier ▌,

(i)  where the supply agreement provides for the delivery of products on a regular basis:

—  for perishable agricultural and food products, later than 30 days after the end of an agreed delivery period in which deliveries have been made or later than 30 days after the date on which the amount payable for that delivery period is set, whichever of those two dates is the later;

—  for other agricultural and food products, later than 60 days after the end of an agreed delivery period in which deliveries have been made or later than 60 days after the date on which the amount payable for that delivery period is set, whichever of those two dates is the later;

for the purposes of the payment periods in this point, the agreed delivery periods shall in any event be considered not to exceed one month;

(ii)  where the supply agreement does not provide for the delivery of products on a regular basis:

—  for perishable agricultural and food products, later than 30 days after the date of delivery or later than 30 days after the date on which the amount payable is set, whichever of those two dates is the later;

—  for other agricultural and food products, later than 60 days after the date of delivery or later than 60 days after the date on which the amount payable is set, whichever of those two dates is the later.

Notwithstanding points (i) and (ii) of this point, where the buyer sets the amount payable:

—  the payment periods referred to in point (i) shall start to run from the end of an agreed delivery period in which the deliveries have been made; and

—  the payment periods referred to in point (ii) shall start to run from the date of delivery;

(b)  the buyer cancels orders of perishable agricultural and food products at such short notice that a supplier cannot reasonably be expected to find an alternative means of commercialising or using those products; notice of less than 30 days shall always be considered as short notice; Member States may set periods shorter than 30 days for specific sectors in duly justified cases;

(c)  the buyer unilaterally ▌ changes the terms of a supply agreement for agricultural and food products that concern the frequency, method, place, timing or volume of the supply or delivery of the agricultural and food products, the quality standards, the terms of payment or the prices, or as regards the provision of services insofar as these are explicitly referred to in paragraph 2;

(d)  the buyer requires payments from the supplier that are not related to the sale of the agricultural and food products of the supplier;

(e)  the buyer requires the supplier to pay for the deterioration or loss, or both, of agricultural and food products that occurs on the buyer's premises or after ownership has been transferred to the buyer, where such deterioration or loss is not caused by the negligence or fault of the supplier;

(f)  the buyer refuses to confirm in writing the terms of a supply agreement between the buyer and the supplier for which the supplier has asked for written confirmation; this shall not apply where the supply agreement concerns products to be delivered by a member of a producer organisation, including a cooperative, to the producer organisation of which the supplier is a member, if the statutes of that producer organisation or the rules and decisions provided for in, or derived from, those statutes contain provisions having similar effects to the terms of the supply agreement;

(g)  the buyer unlawfully acquires, uses or discloses the trade secrets of the supplier within the meaning of Directive (EU) 2016/943 of the European Parliament and of the Council (11);

(h)  the buyer threatens to carry out, or carries out, acts of commercial retaliation against the supplier if the supplier exercises its contractual or legal rights, including by filing a complaint with enforcement authorities or by cooperating with enforcement authorities during an investigation;

(i)  the buyer requires compensation from the supplier for the cost of examining customer complaints relating to the sale of the supplier’s products despite the absence of negligence or fault on the part of the supplier.

The prohibition referred to in point (a) of the first subparagraph shall be without prejudice:

—  to the consequences of late payments and remedies as laid down in Directive 2011/7/EU, which shall apply, by way of derogation from the payment periods set out in that Directive, on the basis of the payment periods set out in this Directive;

—  to the option of a buyer and a supplier to agree on a value sharing clause within the meaning of Article 172a of Regulation (EU) No 1308/2013.

The prohibition referred to in point (a) of the first subparagraph shall not apply to payments:

—  made by a buyer to a supplier where such payments are made in the framework of the school scheme pursuant to Article 23 of Regulation (EU) No 1308/2013;

—  made by public entities providing healthcare within the meaning of point (b) of Article 4(4) of Directive 2011/7/EU;

—  under supply agreements between suppliers of grapes or must for wine production and their direct buyers, provided:

(i)  that the specific terms of payment for the sales transactions are included in standard contracts which have been made binding by the Member State pursuant to Article 164 of Regulation (EU) No 1308/2013 before 1 January 2019, and that this extension of the standard contracts is renewed by the Member States from that date without any significant changes to the terms of payment to the disadvantage of suppliers of grapes or must; and

(ii)  that the supply agreements between suppliers of grapes or must for wine production and their direct buyers are multiannual or become multiannual.

2.  Member States shall ensure that at least all the following trading practices are prohibited, unless they have been previously agreed in clear and unambiguous terms in the ▌ supply agreement or in a subsequent agreement between the supplier and the buyer:

(a)  the buyer returns unsold agricultural and food products to the supplier without paying for those unsold products or without paying for the disposal of those products, or both;

(b)  the ▌ supplier is charged payment as a condition for stocking, displaying or listing its agricultural and food products, or of making such products available on the market;

(c)  the buyer requires the supplier to bear all or part of the cost of any discounts on agricultural and food products that are sold by the buyer as part of a promotion;

(d)  the buyer requires the supplier to pay for the advertising by the buyer of agricultural and food products;

(e)  the buyer requires the supplier to pay for the marketing by the buyer of agricultural and food products;

(f)  the buyer charges the supplier for staff for fitting-out premises used for the sale of the supplier's products.

Member States shall ensure that the trading practice referred to in point (c) of the first subparagraph is prohibited unless the buyer, prior to a promotion that is initiated by the buyer, specifies the period of the promotion and the expected quantity of the agricultural and food products to be ordered at the discounted price.

3.  Where a payment is required by the buyer for the situations referred to in points (b), (c), (d), (e) or (f) of the first subparagraph of paragraph 2, ▌ if requested by the supplier, the buyer shall provide the supplier with an estimate in writing of the payments per unit or the overall payments, whichever is appropriate, and, insofar as the situations referred to in points (b), (d), (e) or (f) of the first subparagraph of paragraph 2 are concerned, shall also provide, in writing, an estimate of the cost to the supplier and the basis for that estimate.

4.  Member States shall ensure that the prohibitions laid down in paragraphs 1 and 2 constitute overriding mandatory provisions which are applicable to any situation falling within the scope of those prohibitions, irrespective of the law that would otherwise be applicable to the supply agreement between the parties.

Article 4

Designated enforcement authorities

1.  Each Member State shall designate one or more authorities to enforce the prohibitions laid down in Article 3 at national level ("enforcement authority"), and shall inform the Commission of that designation.

2.  If a Member State designates more than one enforcement authority in its territory, it shall designate a single contact point for both cooperation among the enforcement authorities and cooperation with the Commission.

Article 5

Complaints and confidentiality

1.  Suppliers may address complaints either to the enforcement authority of the Member State in which the supplier is established or to the enforcement authority of the Member State in which the buyer that is suspected to have engaged in a prohibited trading practice is established. The enforcement authority to which the complaint is addressed shall be competent to enforce the prohibitions laid down in Article 3.

2.  Producer organisations, other organisations of suppliers and associations of such organisations, shall have the right to submit a complaint at the request of one or more of their members or, where appropriate, at the request of one or more members of their member organisations, where those members consider that they have been affected by a prohibited trading practice. Other organisations that have a legitimate interest in representing suppliers shall have the right to submit complaints, at the request of a supplier, and in the interest of that supplier, provided that such organisations are independent non-profit-making legal persons.

3.  Member States shall ensure that, where the complainant so requests, the enforcement authority shall take the necessary measures for the appropriate protection of the identity of the complainant or the members or suppliers referred to in paragraph 2 and for the appropriate protection of any other information ▌ in respect of which the complainant considers that the disclosure of such information would be harmful to the interests of the complainant or of those members or suppliers. The complainant shall identify any information ▌for which it requests confidentiality.

4.  Member States shall ensure that the enforcement authority that receives the complaint shall inform the complainant within a reasonable period of time after the receipt of the complaint of how it intends to follow up on the complaint.

5.  Member States shall ensure that, where an enforcement authority considers that there are insufficient grounds for acting on a complaint, it shall inform the complainant of the reasons therefor within a reasonable period of time after the receipt of the complaint.

6.  Member States shall ensure that, where an enforcement authority considers that there are sufficient grounds for acting on a complaint, it shall initiate, conduct and conclude an investigation of the complaint within a reasonable period of time.

7.  Member States shall ensure that, where an enforcement authority finds that a buyer has infringed the prohibitions referred to in Article 3, it shall require the buyer to bring the prohibited trading practice to an end.

Article 6

Powers of enforcement authorities

1.  Member States shall ensure that each of their enforcement authorities has the necessary resources and expertise to perform its duties, and shall confer on it the following powers:

(a)  the power to initiate and conduct investigations on its own initiative or on the basis of a complaint;

(b)  the power to require buyers and suppliers to provide all necessary information in order to conduct investigations of prohibited trading practices;

(c)  the power to carry out unannounced on-site inspections within the framework of its investigations, in accordance with national rules and procedures;

(d)  the power to take decisions finding an infringement of the prohibitions laid down in Article 3 and requiring the buyer to bring the prohibited trading practice to an end; the authority may abstain from taking any such decision, if that decision would risk revealing the identity of a complainant or would risk disclosing any other information in respect of which the complainant considers that such disclosure would be harmful to its interests, and provided that the complainant has identified that information in accordance with Article 5(3);

(e)  the power to impose, or initiate proceedings for the imposition of, fines and other equally effective penalties and interim measures on the author of the infringement, in accordance with national rules and procedures;

(f)  the power to publish its decisions taken under points (d) and (e) on a regular basis.

The penalties referred to in point (e) of the first subparagraph shall be effective, proportionate and dissuasive, taking into account the nature, duration, recurrence and gravity of the infringement.

2.  Member States shall ensure that the exercise of the powers referred to in paragraph 1 is subject to appropriate safeguards in respect of rights of defence, in accordance with the general principles of Union law and the Charter of Fundamental Rights of the European Union, including in cases where the complainant requests confidential treatment of information pursuant to Article 5(3).

Article 7

Alternative dispute resolution

Without prejudice to the right of suppliers to submit complaints under Article 5, and the powers of enforcement authorities under Article 6, Member States may promote the voluntary use of effective and independent alternative dispute resolution mechanisms, such as mediation, with a view to the settlement of disputes between suppliers and buyers regarding the use of unfair trading practices by the buyer.

Article 8

Cooperation among enforcement authorities

1.  Member States shall ensure that enforcement authorities cooperate effectively with each other and with the Commission, and that they provide each other with mutual assistance in investigations that have a cross-border dimension.

2.  The enforcement authorities shall meet at least once per year to discuss the application of this Directive, on the basis of the annual reports referred to in Article 10(2) ▌. The enforcement authorities shall discuss best practices, new cases and new developments in the area of unfair trading practices in the agricultural and food supply chain, and shall exchange information, in particular on the implementing measures that they have adopted in accordance with this Directive and on their enforcement practices. The enforcement authorities may adopt recommendations in order to encourage the consistent application of this Directive and to improve enforcement. The Commission shall facilitate those meetings.

3.  The Commission shall establish and manage a website that allows the exchange of information among the enforcement authorities and the Commission, in particular in relation to the annual meetings. The Commission shall establish a public website that provides the contact details of the designated enforcement authorities and links to websites of the national enforcement authorities or other authorities of Member States that provide information about the measures transposing this Directive referred to in Article 13(1).

Article 9

National rules

1.  With a view to ensuring a higher level of protection, Member States may maintain or introduce stricter rules aimed at combating unfair trading practices than those laid down by this Directive, provided that such national rules are compatible with the rules on the functioning of the internal market.

2.  This Directive shall be without prejudice to national rules aimed at combating unfair trading practices that are not within the scope of this Directive, provided that such rules are compatible with the rules on the functioning of the internal market.

Article 10

Reporting ▌

1.  Member States shall ensure that their enforcement authorities publish an annual report about their activities falling within the scope of this Directive, which shall, inter alia, state the number of complaints received and the number of investigations opened or closed during the previous year. For each closed investigation, the report shall contain a summary description of the matter, the outcome of the investigation and, where applicable, the decision taken, subject to the confidentiality requirements laid down in Article 5(3).

2.  By 15 March of each year, Member States shall send to the Commission a report on unfair trading practices in business-to-business relationships in the agricultural and food supply chain. That report shall contain, in particular, all relevant data on the application and enforcement of the rules under this Directive in the Member State concerned during the previous year.

3.  The Commission may adopt implementing acts laying down:

(a)  rules on the information necessary for the application of paragraph 2;

(b)  arrangements for the management of the information to be sent by Member States to the Commission and rules on the content and form of such information;

(c)  arrangements for transmitting, or for making information and documents available, to the Member States, international organisations, the competent authorities in third countries, or the public, subject to the protection of personal data and the legitimate interests of agricultural producers and enterprises in the protection of their business secrets.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 11(2).

Article 11

Committee procedure

1.  The Commission shall be assisted by the Committee for the Common Organisation of the Agricultural Markets established by Article 229 of Regulation (EU) No 1308/2013. That Committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2.  Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Article 12

Evaluation

1.  By …[78 months after the date of entry into force of this Directive], the Commission shall carry out the first evaluation of this Directive and shall present a report on the main findings of that evaluation to the European Parliament and to the Council, as well as to the European Economic and Social Committee and the Committee of the Regions. Such report shall be accompanied, if appropriate, by legislative proposals.

2.  That evaluation shall assess at least:

(a)  the effectiveness of the measures implemented at national level aimed at combating unfair trading practices in the agricultural and food supply chain;

(b)  the effectiveness of cooperation among competent enforcement authorities and, where appropriate, shall identify ways to improve that cooperation.

3.  The Commission shall base the report referred to in paragraph 1 on the annual reports referred to in Article 10(2). If necessary, the Commission may request additional information from Member States, including information on the effectiveness of the measures that were implemented at national level and the effectiveness of cooperation and mutual assistance.

4.  By [30 months after the date of entry into force of this Directive], the Commission shall present an interim report on the state of the transposition and implementation of this Directive to the European Parliament and to the Council, as well as to the European Economic and Social Committee and the Committee of the Regions.

Article 13

Transposition

1.  Member States shall adopt and publish, by …[24 months after the date of entry into force of this Directive] ▌, the laws, regulations and administrative provisions necessary to comply with this Directive. They shall immediately communicate ▌ the text of those measures to the Commission.

They shall apply those measures not later than …[30 months after the date of entry into force of this Directive].

When Member States adopt those measures, they shall contain a reference to this Directive or be accompanied by such a reference on the occasion of their official publication. Member States shall determine how such reference is to be made.

2.  Member States shall communicate to the Commission the text of the main provisions of national law which they adopt in the field covered by this Directive.

Article 14

Entry into force

This Directive shall enter into force on the fifth day following that of its publication in the Official Journal of the European Union.

Article 15

Addressees

This Directive is addressed to the Member States.

Done at …,

For the European Parliament For the Council

The President The President

ANNEX TO THE LEGISLATIVE RESOLUTION

Statement by the European Parliament on buying alliances

The European Parliament, while acknowledging the possible role played by alliances of buyers in creating economic efficiencies in the agricultural and food supply chain, stresses that the current lack of information does not allow for an evaluation of the economic effects of such alliances of buyers on the functioning of the supply chain.

In this regard, the European Parliament calls on the Commission to launch without delay an in-depth analysis on the extent and effects of these national and international buying alliances on the economic functioning of the agricultural and food supply chain.

Joint statement by the European Parliament, the Council and the Commission on transparency of the agricultural and food markets

The European Parliament, the Council and the Commission stress that the transparency of agricultural and food markets is a key element of a well-functioning agricultural and food supply chain, in order to better inform the choices of economic operators and public authorities as well as to facilitate the understanding of operators on market developments. The Commission is encouraged to continue its ongoing work to enhance market transparency at EU level. This may include the strengthening of the work on EU market observatories and improving the collection of statistical data necessary for the analysis of price formation mechanisms along the agricultural and food supply chain.

(1) OJ C 440, 6.12.2018, p. 165.
(2) OJ C 387, 25.10.2018, p. 48.
(3) OJ C 440, 6.12.2018, p. 165.
(4) OJ C 387, 25.10.2018, p. 48.
(5) Position of the European Parliament of 12 March 2019.
(6) OJ C 86, 6.3.2018, p. 40.
(7) Directive 2011/7/EU of the European Parliament and of the Council of 16 February 2011 on combating late payment in commercial transactions (OJ L 48, 23.2.2011, p. 1).
(8) Regulation (EU) No 1308/2013 of the European Parliament and of the Council of 17 December 2013 establishing a common organisation of the markets in agricultural products and repealing Council Regulations (EEC) No 922/72, (EEC) No 234/79, (EC) No 1037/2001 and (EC) No 1234/2007 (OJ L 347, 20.12.2013, p. 671).
(9) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission's exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
(10) Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
(11) Directive (EU) 2016/943 of the European Parliament and of the Council of 8 June 2016 on the protection of undisclosed know-how and business information (trade secrets) against their unlawful acquisition, use and disclosure (OJ L 157, 15.6.2016, p. 1).


European citizens’ initiative ***I
European Parliament legislative resolution of 12 March 2019 on the proposal for a regulation of the European Parliament and of the Council on the European citizens’ initiative (COM(2017)0482 – C8-0308/2017 – 2017/0220(COD))
P8_TA-PROV(2019)0153 A8-0226/2018

(Ordinary legislative procedure: first reading)

The European Parliament,

–  having regard to the Commission proposal to Parliament and the Council (COM(2017)0482),

–  having regard to Article 294(2) and Article 24 of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C8‑0308/2017),

–  having regard to Article 294(3) of the Treaty on the Functioning of the European Union,

–  having regard to the opinion of the European Economic and Social Committee of 14 March 2018(1),

–  having regard to the opinion of the Committee of the Regions of 23 March 2018(2),

–  having regard to the provisional agreement approved by the responsible committee under Rule 69f(4) of its Rules of Procedure and the undertaking given by the Council representative by letter of 20 December 2018 to approve Parliament’s position, in accordance with Article 294(4) of the Treaty on the Functioning of the European Union,

–  having regard to Rule 59 of its Rules of Procedure,

–  having regard to the report of the Committee on Constitutional Affairs and the opinions of the Committee on Culture and Education and the Committee on Petitions (A8-0226/2018),

1.  Adopts its position at first reading hereinafter set out;

2.  Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal;

3.  Instructs its President to forward its position to the Council, the Commission and the national parliaments.

Position of the European Parliament adopted at first reading on 12 March 2019 with a view to the adoption of Regulation (EU) 2019/… of the European Parliament and of the Council on the European citizens’ initiative

P8_TC1-COD(2017)0220


(Text with EEA relevance)

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 24 thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee(3),

Having regard to the opinion of the Committee of the Regions(4),

Acting in accordance with the ordinary legislative procedure(5),

Whereas:

(1)  The Treaty on European Union (TEU) establishes the citizenship of the Union. The Union's citizens (‘citizens’) are granted the right to approach the Commission directly with a request inviting it to submit a proposal for a legal act of the Union for the purpose of implementing the Treaties, similar to the right conferred on the ▌European Parliament under Article 225 ▌of the Treaty on the Functioning of the European Union (TFEU) and on the Council under Article 241 TFEU. The European citizens’ initiative thus contributes to enhancing the democratic functioning of the Union through the participation of citizens in its democratic and political life. As is apparent from the structure of Article 11 TEU and Article 24 TFEU, the European citizens’ initiative should be considered in the context of other means by which citizens may bring certain issues to the attention of institutions of the Union and which consist notably of dialogue with representative associations and civil society, consultations with parties concerned, petitions and applications to the Ombudsman.

(2)  Regulation (EU) No 211/2011 of the European Parliament and of the Council(6) laid down the rules and procedures for the European citizens’ initiative and was complemented by Commission Implementing Regulation (EU) No 1179/2011(7).

(3)  In its report on the application of Regulation (EU) No 211/2011 of 31 March 2015, the Commission listed a number of challenges arising in the implementation of that Regulation and made a commitment to analyse further the impact of those issues on the effectiveness of the European citizens' initiative instrument and to improve its functioning.

(4)  The European Parliament, in its resolution of 28 October 2015 on the European citizens’ initiative(8) and its own-initiative legislative draft report of 26 June 2017(9), called on the Commission to review Regulation (EU) No 211/2011 and Implementing Regulation (EU) No 1179/2011.

(5)  This Regulation aims to make the European citizens’ initiative more accessible, less burdensome and easier to use for organisers and supporters, and to strengthen its follow-up in order to achieve its full potential ▌as a tool to foster debate. It should also facilitate the participation of as many citizens as possible in the democratic decision-making process of the Union ▌.

(6)  To achieve those objectives, the procedures and conditions required for the European citizens’ initiative should be effective, transparent, clear, simple, user-friendly, accessible for persons with disabilities and proportionate to the nature of this instrument. They should strike a judicious balance between rights and obligations and should ensure that valid initiatives receive an appropriate examination and response by the Commission.

(7)  It is appropriate to set a minimum age for supporting an initiative. That minimum age should correspond to the age at which citizens are entitled to vote in elections to the European Parliament. In order to enhance the participation of young citizens in the democratic life of the Union and thus achieve the full potential of the European citizens’ initiative as an instrument of participatory democracy, Member States which consider it appropriate should be able to set the minimum age for supporting an initiative at 16 years and should inform the Commission accordingly. The Commission should periodically review the functioning of the European citizens' initiative, including as regards the minimum age to support initiatives. Member States are encouraged to consider setting the minimum age at 16 years in accordance with their national laws.

(8)  In accordance with Article 11(4) TEU, an initiative inviting the Commission, within the framework of its powers, to submit any appropriate proposal on matters where citizens consider that a legal act of the Union is required to implement the Treaties, is to be taken by not less than one million citizens of the Union who are nationals of a significant number of Member States.

(9)  In order to ensure that an initiative is representative of a Union interest while ensuring that the instrument remains easy to use, the minimum number of Member States from which citizens must come should be set at one quarter of Member States.

(10)  In order to ensure that an initiative is representative and that the conditions for citizens to support an initiative are similar, it is also appropriate to establish the minimum number of signatories coming from each of those Member States. Those minimum numbers of signatories required in each Member State should be degressively proportional and correspond to the number of Members of the European Parliament elected in each Member State, multiplied by the total number of the Members of the European Parliament.

(11)  In order to make European citizens’ initiatives more inclusive and visible, organisers can use for their own promotion and communication activities languages other than the official languages of the institutions of the Union which, in accordance with the Member States’ constitutional order, have official status in all or part of their territory.

(12)  While personal data processed in application of this Regulation might include sensitive ▌data, given the nature of the European citizens’ initiative as an instrument of participatory democracy, it is justified to require the provision of personal data to support an initiative and to process such data as far as it is necessary in order to allow statements of support to be verified in accordance with national law and practice.

(13)  In order to make the European citizens’ initiative more accessible, ▌the Commission should provide information, assistance and practical support to citizens and groups of organisers, in particular on those aspects of this Regulation within its competence. To reinforce this information and assistance, the Commission should also make an online collaborative platform available that provides a dedicated discussion forum and independent support, information and legal advice about the European citizens’ initiative. The platform should be open to citizens, groups of organisers, organisations and external experts with experience in organising European citizens’ initiatives. The platform should be accessible for persons with disabilities.

(14)  In order to allow the groups of organisers to manage their initiative throughout the procedure, the Commission should make an online register for the European citizens’ initiative (‘register’) available. To raise awareness and ensure transparency on all the initiatives, the register should comprise a public website providing comprehensive information on the European citizens’ initiative in general, as well as up-to-date information on individual initiatives, their status and the declared sources of support and funding on the basis of the information submitted by the group of organisers.

(15)  To ensure proximity to citizens and to raise awareness about the European citizens’ initiative, Member States should establish one or more contact points ▌ in their respective territories to provide citizens with information and assistance regarding the European citizens’ initiative. Such information and assistance should concern, in particular, those aspects of this Regulation whose implementation falls under the competence of national authorities in the Member States, or which concern the applicable national law, and for which those authorities are therefore best placed to inform and assist citizens and groups of organisers. Where appropriate, Member States should seek synergies with services that provide support for the use of similar national instruments. The Commission, including its representations in the Member States, should ensure close cooperation with the national contact points on those information and assistance activities, including, where appropriate, communication activities at Union level.

(16)  A minimum organised structure is needed in order to launch and manage citizens’ initiatives successfully. That structure should take the form of a group of organisers, composed of natural persons resident in at least seven different Member States, in order to encourage the emergence of Union-wide issues and to foster reflection on those issues. For the sake of transparency and smooth and efficient communication, the group of organisers should designate a representative to liaise between the group of organisers and the institutions of the Union throughout the procedure. The group of organisers should have the possibility to create, in accordance with national law, a legal entity to manage an initiative. That legal entity should be considered to be the group of organisers for the purposes of this Regulation.

(17)  While liability and penalties in connection with the processing of personal data will remain regulated under Regulation (EU) 2016/679 of the European Parliament and of the Council(10), the group of organisers should be jointly and severally liable, in accordance with applicable national law, for any damage that its members cause in the organisation of an initiative by unlawful acts committed intentionally or with serious negligence. Member States should ensure that the group of organisers is subject to appropriate penalties for infringements of this Regulation.

(18)  In order to ensure coherence and transparency in relation to initiatives and to avoid a situation where signatures are collected for an initiative which does not comply with the conditions laid down by the Treaties and this Regulation, initiatives that comply with the conditions laid down in this Regulation should be registered by the Commission before starting to collect statements of support from citizens. The Commission should, when dealing with registration, fully respect the obligation to state reasons under the second paragraph of Article 296 TFEU and the general principle of good administration as set out in Article 41 of the Charter of Fundamental Rights of the European Union.

(19)  In order to make the European citizens’ initiative effective and more accessible, taking into account that the procedures and conditions required for the European citizens’ initiative need to be clear, simple, user-friendly and proportionate, and in order to ensure that as many initiatives as possible are registered, it is appropriate to partially register an initiative in cases where only part or parts of the initiative meet the requirements for registration under this Regulation. Initiatives should be partially registered provided that a ▌ part of the initiative, including its main objectives, does not manifestly fall outside the framework of the Commission’s powers to submit a proposal for a legal act of the Union for the purpose of implementing the Treaties and all the other registration requirements are met. Clarity and transparency should be ensured as regards the scope of the partial registration, and potential signatories should be informed of the scope of the registration and of the fact that statements of support are being collected only in relation to the scope of the registration of the initiative. The Commission should inform the group of organisers in a sufficiently detailed manner of the reasons for its decision not to register or to register an initiative only partially, and of all possible judicial and extrajudicial remedies available to it.

(20)  Statements of support for an initiative should be collected within a specific time limit. In order to ensure that an initiative remains relevant, whilst taking into account the complexity of collecting statements of support across the Union, that time limit should not be longer than 12 months from the date of the start of the collection period determined by the group of organisers. The group of organisers should have the possibility to choose the start date of the collection period within six months from the registration of the initiative. The group of organisers should inform the Commission of the date chosen at the latest 10 working days before that date. To ensure coordination with the national authorities, the Commission should inform the Member States of the date communicated by the group of organisers.

(21)  In order to make the European citizens’ initiative more accessible, less burdensome and easier to use for organisers and citizens, the Commission should set up and operate a central system for the online collection of statements of support. That system should be made available free of charge to groups of organisers and should comprise the necessary technical features enabling online collection, including the hosting and software, as well as accessibility features ensuring that citizens with disabilities can provide support to the initiatives. That system should be set up and maintained in accordance with Commission Decision (EU, Euratom) 2017/46(11).

(22)  Citizens should have the possibility of supporting initiatives online or in paper form by providing only the personal data set out in Annex III of this Regulation. Member States should inform the Commission as to whether they wish to be included in part A or B, respectively, of Annex III. Citizens using the central online collection system for the European citizens' initiative should be able to support an initiative online by using notified electronic identification means or by signing with an electronic signature within the meaning of Regulation (EU) No 910/2014 of the European Parliament and of the Council(12). To this end, the Commission and the Member States should implement the relevant technical features within the framework of that Regulation ▌. Citizens should sign a statement of support only once.

(23)  To facilitate the transition to the new central online collection system, a group of organisers should continue to have the possibility to set up its own online collection system and to collect statements of support through this system for initiatives registered in accordance with this Regulation by 31 December 2022. The group of organisers should use a single individual online collection system for each initiative. Individual online collection systems set up and operated by a group of organisers should have adequate technical and security features in order to ensure that the data are securely collected, stored and transferred throughout the procedure. For that purpose, the Commission should set out detailed technical specifications for the individual online collection systems, in cooperation with the Member States. It should be possible for the Commission to seek the advice of the European Union Agency for Network and Information Security (ENISA), which assists the Union institutions in developing and implementing policies related to security of network and information systems.

(24)  It is appropriate for Member States to verify the conformity of the individual online collection systems set up by the group of organisers with the requirements of this Regulation and to issue a document certifying such conformity before statements of support are collected. The certification of the individual online collection systems should be carried out by the competent national authority of the Member States in which the data collected through the individual online collection system is stored. Without prejudice to the powers of the national supervisory authorities under Regulation (EU) 2016/679, Member States should designate the competent national authority responsible for the certification of the systems. Member States should mutually recognise the certificates issued by their competent authorities.

(25)  Where an initiative has received the necessary statements of support from signatories, each Member State should be responsible for the verification and certification of statements of support signed by its nationals, in order to assess whether the required minimum numbers of signatories having the right to support a European citizens' initiative have been reached. Taking the need to limit the administrative burden for Member States into account, such verifications should be carried out on the basis of appropriate checks, which may be based on random sampling. Member States should issue a document certifying the number of valid statements of support received.

(26)  In order to promote participation and public debate on the issues raised by the initiatives, where an initiative supported by the required number of signatories and fulfilling the other requirements of this Regulation is submitted to the Commission, the group of organisers should have the right to present that initiative at a public hearing at Union level. ▌ The European Parliament should organise the public hearing within three months of the submission of the initiative to the Commission. The European Parliament should ensure a balanced representation of the interests of relevant stakeholders, including civil society, social partners, and experts. The Commission should be represented at an appropriate level. The Council, other institutions and advisory bodies of the Union, as well as interested stakeholders, should have the opportunity to participate in the hearing in order to guarantee its inclusive character and further its public interest.

(27)  The European Parliament, as the institution in which the citizens are directly represented at Union level, should be entitled to assess the support for a valid initiative after its submission and following a public hearing on it. The European Parliament should be also able to assess the actions taken by the Commission in response to the initiative and outlined in a communication.

(28)  To ensure the effective participation of citizens in the democratic life of the Union, the Commission should examine a valid initiative and respond to it. The Commission should therefore set out its legal and political conclusions as well as the action that it intends to take within a period of six months from the receipt of the initiative. The Commission should explain in a clear, comprehensible and detailed manner the reasons for its intended action, including whether it will adopt a proposal for a legal act of the Union in response to the initiative, and should likewise give its reasons if it does not intend to take any action. The Commission should examine initiatives in accordance with the general principles of good administration as set out in Article 41 of the Charter of Fundamental Rights of the European Union.

(29)  In order to ensure transparency of its funding and support, the group of organisers should provide regularly updated and detailed information on the sources of funding and support ▌for its initiatives between the date of registration and the date at which the initiative is submitted to the Commission. This information should be made public in the register and on the public website on the European citizens’ initiative. The declaration of sources of funding and support by the group of organisers should include information on financial support exceeding EUR 500 per sponsor, as well as on organisations assisting the group of organisers, on a voluntary basis, where such support is not economically quantifiable. Entities, notably organisations which under the Treaties contribute to forming European political awareness and expressing the will of citizens of the Union, should be able to promote and provide funding and support ▌to initiatives, provided that they do so in accordance with the procedures and conditions laid down by this Regulation ▌.

(30)  To ensure full transparency, the Commission should make a contact form available, in the register and on the public website on the European citizens’ initiative, to enable citizens to submit a complaint relating to the completeness and correctness of the information on sources of funding and support as declared by the groups of organisers. The Commission should be entitled to request from the group of organisers any additional information in relation to the complaints and, where necessary, to update the information, in the register, on the declared sources of funding and support.

(31)  Regulation (EU) 2016/679 applies to the processing of personal data carried out under this Regulation. In that respect, for the sake of legal certainty, it is appropriate to clarify that the representative of the group of organisers or, where applicable, the legal entity created for the purpose of managing the initiative, and the competent authorities of the Member States are to be considered ▌ to be the data controllers within the meaning of Regulation (EU) 2016/679 in relation to the processing of personal data when collecting statements of support, email addresses and data on the sponsors of the initiatives, and for the purposes of verification and certification of statements of support, and to specify the maximum period within which the personal data collected for the purposes of an initiative can be retained. In their capacity as data controllers, the representative of the group of organisers or, where applicable, the legal entity created for the purpose of managing the initiative, and the competent authorities of the Member States should take all appropriate measures to comply with the obligations imposed by Regulation (EU) 2016/679, in particular those relating to the lawfulness of the processing and the security of the processing activities, the provision of information and the rights of data subjects.

(32)  Regulation (EU) 2018/1725 of the European Parliament and of the Council ▌(13) applies to the processing of personal data carried out by the Commission in application of this Regulation. It is appropriate to clarify that the Commission is to be considered the data controller within the meaning of Regulation (EU) 2018/1725 in relation to the processing of personal data in the register, the online collaborative platform, the central online collection system and the collection of email addresses. The central online collection system allowing the groups of organisers to collect statements of support for their initiatives online should be set up and operated by the Commission in accordance with this Regulation. The Commission and the representative of the group of organisers or, where applicable, the legal entity created for the purpose of managing the initiative should be joint controllers within the meaning of Regulation (EU) 2016/679 in relation to the processing of personal data in the central online collection system.

(33)  In order to contribute to the promotion of active participation of citizens in the political life of the Union, the Commission should raise public awareness about the European citizens’ initiative, making particular use of digital technologies and social media, and in the framework of actions to promote Union citizenship and citizens' rights. The European Parliament should contribute to the communication activities of the Commission.

(34)  In order to facilitate communication with the signatories and to inform them about the follow-up actions in response to an initiative, the Commission and the group of organisers should be able to collect, in accordance with data protection rules, email addresses of signatories ▌. The collection of email addresses should be optional and subject to the explicit consent of signatories. Email addresses should not be collected as part of the statements of support forms and potential signatories should be informed that their right to support an initiative is not conditional on giving their consent to collecting their email addresses.

(35)  In order to adapt this Regulation to future needs, the power to adopt acts in accordance with Article 290 TFEU should be delegated to the Commission in respect of the amendment of the Annexes to this Regulation. It is of particular importance that the Commission carry out appropriate consultations during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making(14). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States' experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts.

(36)  In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission, in particular for laying down the technical specifications for online collection systems in compliance with this Regulation. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council(15).

(37)  In accordance with the principle of proportionality, it is necessary and appropriate for the achievement of the basic objective of enhancing the participation of citizens in the democratic and political life of the Union to lay down rules on the European citizens’ initiative. This Regulation does not go beyond what is necessary in order to achieve the objective pursued, in accordance with Article 5(4) TEU.

(38)  This Regulation respects fundamental rights and observes the principles enshrined in the Charter of Fundamental Rights of the European Union ▌.

(39)  For reasons of legal certainty and clarity, Regulation (EU) No 211/2011 should be repealed.

(40)  The European Data Protection Supervisor was consulted in accordance with Article 28(2) of Regulation (EC) No 45/2001 of the European Parliament and of the Council(16) and delivered formal comments on 19 December 2017,

HAVE ADOPTED THIS REGULATION:

CHAPTER I

GENERAL PROVISIONS

Article 1

Subject matter

This Regulation establishes the procedures and conditions required for an initiative inviting the Commission, within the framework of its powers, to submit any appropriate proposal on matters where citizens of the Union consider that a legal act of the Union is required for the purpose of implementing the Treaties (the 'European citizens’ initiative' or 'initiative').

Article 2

Right to support a European citizens’ initiative

1.  Every citizen of the Union who is at least of the age to be entitled to vote in elections to the European Parliament shall have the right to support an initiative by signing a statement of support, in accordance with this Regulation.

Member States may set the minimum age entitling to support an initiative at 16 years, in accordance with their national laws, and in such a case they shall inform the Commission accordingly.

2.  In accordance with the applicable law, Member States and the Commission shall ensure that persons with disabilities can exercise their right to support initiatives and can access all relevant sources of information on initiatives, on an equal basis with other citizens.

Article 3

Required number of signatories

1.  An initiative is valid if:

(a)  it has received the support of at least one million citizens of the Union in accordance with Article 2(1) ('signatories') from at least one quarter of the Member States; and

(b)  in at least one quarter of the Member States, the number of signatories is at least equal to the minimum number set out in Annex I, corresponding to the number of the Members of the European Parliament elected in each Member State, multiplied by the total number of Members of the European Parliament, at the time of registration of the initiative.

2.  For the purposes of paragraph 1, a signatory shall be counted in his or her Member State of nationality, irrespective of the place where the statement of support was signed by the signatory.

Article 4

Information and assistance by the Commission and by Member States

1.  The Commission shall ▌provide easily accessible and comprehensive information and assistance about the European citizens’ initiative to citizens and groups of organisers, including by redirecting them to the relevant sources of information and assistance.

The Commission shall make a guide on the European citizens' initiative publicly available, both online and in paper form and in all the official languages of the institutions of the Union.

2.  The Commission shall make an online collaborative platform for the European citizens’ initiative available, free of charge.

The platform shall provide practical and legal advice, and a discussion forum about the European citizens’ initiative for the exchange of information and best practices among citizens, groups of organisers, stakeholders, non-governmental organisations, experts and other institutions and bodies of the Union wishing to participate.

The platform shall be accessible for persons with disabilities.

The costs of operating and maintaining the platform shall be borne by the general budget of the European Union.

3.  The Commission shall make an online register available that allows groups of organisers to manage their initiative throughout the procedure.

The register shall comprise a public website that provides information on the European citizens’ initiative in general as well as on specific initiatives and their respective status.

The Commission shall update the register on a regular basis by making the information submitted by the group of organisers available.

4.  After the Commission has registered an initiative in accordance with Article 6, it shall provide the translation of the content of that initiative, including its annex, into all the official languages of the institutions of the Union, within the limits set out in Annex II, for its publication in the register and its use for the collection of statements of support in accordance with this Regulation. ▌

The group of organisers may, in addition, provide translations into all the official languages of the institutions of the Union of the additional information on the initiative and, if any, a draft legal act referred to in Annex II, submitted in accordance with Article 6(2). Those translations shall be the responsibility of the group of organisers. The content of the translations provided by the group of organisers shall correspond to the content of the initiative submitted in accordance with Article 6(2).

The Commission shall ensure the publication in the register and on the public website on the European citizens’ initiative of the information submitted in accordance with Article 6(2) and the translations submitted in accordance with this paragraph.

5.  The Commission shall develop a ▌file exchange service for the transfer of statements of support to the competent authorities of the Member States, in accordance with Article 12, ▌and make it ▌ available ▌ free of charge to the groups of organisers.

6.  Each Member State shall establish one or more contact points to provide, free of charge, information and assistance to groups of organisers, in accordance with applicable Union and national law.

CHAPTER II

PROCEDURAL PROVISIONS

Article 5

Group of organisers

1.  An initiative shall be prepared and managed by a group of at least seven natural persons (the ‘group of organisers’). Members of the European Parliament shall not be counted for the purpose of that minimum number.

2.  The members of the group of organisers shall be citizens of the Union of the age to be entitled to vote in elections to the European Parliament and the group shall include residents of at least seven different Member States, at the time of registration of the initiative.

For each initiative, the Commission shall publish the names of all members of the group of organisers in the register in accordance with Regulation (EU) 2018/1725.

3.  The group of organisers shall designate two of its members as representative and substitute, respectively, who shall be responsible for liaising between the group of organisers and the institutions of the Union throughout the procedure and who shall be mandated to act on behalf of the group of organisers (the 'contact persons').

The group of organisers may also designate a maximum of two other natural persons, chosen from among its members or otherwise, who are mandated to act on behalf of the contact persons for the purpose of liaising with the institutions of the Union throughout the procedure.

4.  The group of organisers shall inform the Commission of any changes regarding its composition throughout the procedure and shall provide appropriate proof that the requirements laid down in paragraphs 1 and 2 are fulfilled. The changes in the composition of the group of organisers shall be reflected in the statement of support forms and the names of the current and former members of the group of organisers shall remain available in the register throughout the procedure.

5.  Without prejudice to the liability of the representative of the group of organisers as data controller under Article 82(2) of Regulation (EU) 2016/679, the members of a group of organisers shall be jointly and severally liable ▌for any damage caused in the organisation of an initiative by unlawful acts committed intentionally, or with serious negligence, under applicable national law.

6.  Without prejudice to the penalties under Article 84 of Regulation (EU) 2016/679, Member States shall ensure that the members of a group of organisers are, in accordance with national law, subject to effective, proportionate and dissuasive penalties for infringements of this Regulation and in particular for:

(a)  false declarations;

(b)  the fraudulent use of data.

7.  Where a legal entity has been created, in accordance with the national law of a Member State, specifically for the purpose of managing a given initiative, that legal entity shall be considered to be the group of organisers or its members, for the purpose of, as applicable, paragraphs 5 and 6 of this Article, Articles 6(2) and (4) to (7) and Articles 7 to 19 and Annexes II to VII, provided that the member of the group of organisers designated as its representative is given a mandate to act on behalf of the legal entity.

Article 6

Registration

1.  Statements of support for an initiative may only be collected after the initiative has been registered by the Commission.

2.  The group of organisers shall submit the request for registration to the Commission through the register.

When submitting the request the group of organisers shall also:

(a)  transmit the information referred to in Annex II in one of the official languages of the institutions of the Union;

(b)  indicate the seven members to be taken into account for the purpose of Article 5(1) and (2), where the group of organisers is made up of more than seven members;

(c)  where relevant, indicate that a legal entity has been created pursuant to Article 5(7).

Without prejudice to paragraphs 5 and 6, the Commission shall decide on the request for registration within two months of its submission.

3.  The Commission shall register the initiative if:

(a)  the group of organisers has provided appropriate evidence that it fulfils the requirements laid down in Article 5(1) and (2) and has designated the contact persons in accordance with the first subparagraph of Article 5(3);

(b)  in the situation referred to in Article 5(7), the legal entity has been created specifically for the purpose of managing the initiative and the member of the group of organisers designated as the representative thereof is mandated to act on behalf of the legal entity;

(c)  none of the parts of the initiative manifestly falls outside the framework of the Commission’s powers to submit a proposal for a legal act of the Union for the purpose of implementing the Treaties;

(d)  the initiative is not manifestly abusive, frivolous or vexatious;

(e)  the initiative is not manifestly contrary to the values of the Union as set out in Article 2 TEU and rights enshrined in the ▌ Charter of Fundamental Rights of the European Union.

For the purpose of determining if the requirements set out in points (a) to (e) of the first subparagraph of this paragraph are met, the Commission shall assess the information provided by the group of organisers in accordance with paragraph 2.

If one or more of the requirements set out in points (a) to (e) of the first subparagraph of this paragraph are not met, the Commission shall refuse to register the initiative, without prejudice to paragraphs 4 and 5.

4.  Where it considers that the requirements laid down in points (a), (b), (d) and (e) of the first subparagraph of paragraph 3 are met but that the requirement laid down in point (c) of the first subparagraph of paragraph 3 is not met, the Commission shall, within one month of the submission of the request, inform the group of organisers of its assessment and of the reasons thereof.

In such case, the group of organisers may either amend the initiative to take into account the Commission's assessment to ensure that the initiative is in conformity with the requirement laid down in point (c) of the first subparagraph of paragraph 3, ▌ or maintain, or withdraw, the initial initiative. The group of organisers shall inform the Commission of its choice within two months of the receipt of the Commission's assessment giving the reasons thereof, and shall submit amendments, if any, to the initial initiative.

Where the group of organisers amends or maintains its initial initiative in accordance with the second subparagraph of this paragraph, the Commission shall:

(a)  register the initiative, if it meets the requirement laid down in point (c) of the first subparagraph of paragraph 3 ▌;

(b)  partially register the initiative, if ▌ part of the initiative, including its main objectives, does not manifestly fall outside the framework of the Commission’s powers to submit a proposal for a legal act of the Union for the purpose of implementing the Treaties;

(c)  otherwise, refuse to register the initiative.

The Commission shall decide on the request within one month of receipt of the information referred to in the second subparagraph of this paragraph from the group of organisers.

5.  An initiative that has been registered shall be made public in the register.

Where the Commission partially registers an initiative it shall publish information on the scope of the registration of the initiative in the register.

In such a case, the group of organisers shall ensure that potential signatories are informed of the scope of the registration of the initiative and of the fact that statements of support are collected only in relation to the scope of the registration.

6.  The Commission shall register an initiative under a single registration number and inform the group of organisers thereof.

7.  Where it refuses to register or only partially registers an initiative in accordance with paragraph 4, the Commission shall state reasons for its decision and inform the group of organisers. It shall also inform the group of organisers about all possible judicial and extrajudicial remedies available to it.

The Commission shall make all decisions on requests for registration it adopts in accordance with this Article publicly available in the register and on the public website on the European citizens’ initiative.

8.  The Commission shall inform the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions of the registration of an initiative.

Article 7

Withdrawal of an initiative

At any time before submitting an initiative to the Commission in accordance with Article 13, the group of organisers may withdraw an initiative that has been registered in accordance with Article 6. Such withdrawal shall be published in the register.

Article 8

Collection period

1.  All statements of support shall be collected within a period not exceeding 12 months from a date chosen by the group of organisers (the 'collection period'), without prejudice to Article 11(6). That date must be not later than six months from the registration of the initiative in accordance with Article 6.

The group of organisers shall inform the Commission of the date chosen at the latest 10 working days before that date.

Where, during the collection period, the group of organisers wishes to terminate the collection of statements of support before the end of the collection period ▌, it shall inform the Commission of that intention at least 10 working days before the new date chosen for the end of the collection period.

The Commission shall inform the Member States of the date referred to in the first subparagraph.

2.  The Commission shall indicate the beginning and end dates of the collection period in the register.

3.  The Commission shall close the operation of the central online collection system referred to in Article 10, and the group of organisers shall close the operation of an individual online collection system referred to in Article 11, on the date at which the collection period ends.

Article 9

Procedure for the collection of statements of support

1.  Statements of support may be signed online or in paper form.

2.  Only forms which comply with the models set out in Annex III may be used to collect statements of support.

The group of organisers shall complete the forms set out in Annex III prior to initiating the collection of statements of support. The information given in the forms shall correspond to that contained in the register.

Where the group of organisers chooses to collect statements of support online through the central online collection system provided for in Article 10, the Commission shall be responsible for providing the appropriate forms, in accordance with Annex III.

Where an initiative has been partially registered in accordance with Article 6(4), the forms set out in Annex III as well as the central online collection system and an individual online collection system, as applicable, shall reflect the scope of the registration of the initiative. The forms for the statement of support may be adapted for the purpose of the ▌ collection online or in paper form.

Annex III shall not apply where the citizens support an initiative online, through the central online collection system referred to in Article 10, using their notified electronic identification means within the meaning of Regulation (EU) No 910/2014 referred to in Article 10(4) of this Regulation. Citizens shall provide their nationality and Member States shall accept the minimum data set for a natural person in accordance with Commission Implementing Regulation (EU) 2015/1501(17).

3.  A person signing a statement of support shall be required to provide only the personal data set out in Annex III.

4.  Member States shall inform the Commission of whether they wish to be included in part A or B, respectively, of Annex III by 30 June 2019. Member States that wish to be included in part B of Annex III, shall indicate the type(s) of personal identification (document) number ▌referred to therein.

By 1 January 2020, the Commission shall publish the forms set out in Annex III in the register.

A Member State included in one part of Annex III may make a request to the Commission to be transferred to the other part of Annex III. It shall make its request to the Commission at least six months before the date from which the new forms will be applicable.

5.  The group of organisers shall be responsible for the collection of the statements of support from signatories in paper form.

6.  A person may sign a statement of support for a given initiative only once.

7.  The group of organisers shall inform the Commission of the number of collected statements of support in each Member State at least every two months during the collection period and of the final number within three months of the end of the collection period for publication in the register.

Where the required number of statements of support has not been reached, or in the absence of a response from the group of organisers within three months of the end of the collection period, the Commission shall close the initiative and publish a notice to that effect in the register.

Article 10

Central online collection system

1.  For the purpose of online collection of statements of support, the Commission shall set up, by 1 January 2020, and operate as of that date, a central online collection system, in accordance with Decision (EU, Euratom) 2017/46.

The costs of the setting up and operation of the central online collection system shall be borne by the general budget of the European Union. The use of the central online collection system shall be free of charge.

The central online collection system shall be accessible for persons with disabilities.

The data obtained through the central online collection system shall be stored in the servers made available by the Commission for that purpose.

The central online collection system shall allow for the uploading of statements of support collected in paper form.

2.  For each initiative, the Commission shall ensure that statements of support can be collected through the central online collection system during the collection period determined in accordance with Article 8.

3.  At the latest 10 working days before the start of the collection period, the group of organisers shall inform the Commission as to whether it wishes to use the central online collection system and whether it wishes to upload the statements of support collected in paper form.

Where a group of organisers wishes to upload the statements of support collected in paper form, it shall upload all statements of support collected in paper form not later than two months after the end of the collection period, and inform the Commission thereof.

4.  Member States shall ensure that:

(a)  citizens can support initiatives online through statements of support by using notified electronic identification means or by signing the statement of support with an electronic signature within the meaning of Regulation (EU) No 910/2014;

(b)  the Commission e-IDAS node developed within the framework of Regulation (EU) No 910/2014 and Implementing Regulation (EU) 2015/1501 is recognised.

5.  The Commission shall consult stakeholders on further developments and improvements of the central online collection system to take into account their suggestions and concerns.

Article 11

Individual online collection systems

1.  Where a group of organisers does not use the central online collection system, it may collect online statements of support in several or all Member States through another single online collection system (the 'individual online collection system').

The data collected through the individual online collection system shall be stored in the territory of a Member State.

2.  The group of organisers shall ensure that the individual online collection system complies with the requirements laid down in paragraph 4 of this Article and in Article 18(3) throughout the collection period.

3.  After the registration of the initiative and before the beginning of the collection period, and without prejudice to the powers of the national supervisory authorities under Chapter VI of Regulation (EU) 2016/679, the group of organisers shall request the competent authority of the Member State in which the data collected through the individual online collection system will be stored to certify that that system complies with the requirements laid down in paragraph 4 of this Article.

Where an individual online collection system complies with the requirements laid down in paragraph 4 of this Article, the competent authority shall issue a certificate to that effect in accordance with the model set out in Annex IV within one month of the request. The group of organisers shall make a copy of that certificate publicly available on the website used for the individual online collection system.

Member States shall recognise the certificates issued by the competent authorities of other Member States.

4.  Individual online collection systems shall have the adequate security and technical features to ensure throughout the collection period that:

(a)  only natural persons are able to sign a statement of support;

(b)  the information provided on the initiative corresponds to the information published in the register;

(c)  data are collected from signatories in accordance with Annex III;

(d)  the data provided by signatories are securely collected and stored.

5.  By 1 January 2020, the Commission shall adopt implementing acts laying down the technical specifications for the implementation of paragraph 4 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 22.

The Commission may seek the advice of the European Union Agency for Network and Information Security (ENISA) in developing the technical specifications referred to in the first subparagraph.

6.  Where statements of support are collected through an individual online collection system, the collection period may begin only once the certificate referred to in paragraph 3 has been issued for that system.

7.  This Article shall apply only to initiatives registered in accordance with Article 6 by 31 December 2022.

Article 12

Verification and certification of statements of support by the Member States

1.  Each Member State shall verify and certify that the statements of support signed by its nationals comply with the provisions of this Regulation (the 'responsible Member State').

2.  Within three months of the end of the collection period and without prejudice to paragraph 3 of this Article, the group of organisers shall submit the statements of support, collected online or in paper form, to the competent authorities referred to in Article 20(2) of the responsible Member State.

The group of organisers shall submit the statements of support to the competent authorities only where the minimum numbers of signatories laid down in Article 3 have been reached.

Statements of support shall be submitted to each competent authority in the responsible Member State only once, using the form set out in Annex V.

Statements of support which have been collected online shall be submitted in accordance with an electronic schema made publicly available by the Commission.

Statements of support collected in paper form and those collected online through an individual online collection system shall be submitted separately.

3.  The Commission shall submit the statements of support collected online through the central online collection system, as well as those collected in paper form and uploaded pursuant to the second subparagraph of Article 10(3), to the competent authority of the responsible Member State as soon as the group of organisers has submitted the form set out in Annex V to the competent authority of the responsible Member State in accordance with paragraph 2 of this Article.

Where a group of organisers has collected statements of support through an individual online collection system, it may request the Commission to submit these statements of support to the competent authority of the responsible Member State.

The Commission shall submit the statements of support in accordance with the second to fourth subparagraph of paragraph 2 of this Article, using the file exchange service referred to in Article 4(5).

4.  Within three months of receiving the statements of support, the competent authorities shall verify them on the basis of appropriate checks, which may be based on random sampling, in accordance with national law and practice.

Where statements of support collected online and in paper form are submitted separately, that period shall start running when the competent authority has received all statements of support.

For the purpose of the verification of statements of support collected in paper form, the authentication of signatures shall not be required.

5.  On the basis of the verifications carried out, the competent authority shall certify the number of valid statements of support for the Member State concerned. That certificate shall be delivered, free of charge, to the group of organisers, using the model set out in Annex VI.

The certificate shall specify the number of valid statements of support collected in paper form and online, including those collected in paper form and uploaded pursuant to the second subparagraph of Article 10(3).

Article 13

Submission to the Commission

Within three months of obtaining the last certificate provided for in Article 12(5), the group of organisers shall submit the initiative to the Commission.

The group of organisers shall submit the completed form set out in Annex VII, together with copies, in paper or electronic form, of the certificates referred to in Article 12(5).

The form set out in Annex VII shall be made publicly available by the Commission in the register.

Article 14

Publication and public hearing

1.  When the Commission receives a valid initiative in respect of which the statements of support have been collected and certified in accordance with Articles 8 to 12, it shall publish without delay a notice to that effect in the register and transmit the initiative to the European Parliament, the Council, the European Economic and Social Committee, the Committee of the Regions, as well as to the national parliaments.

2.  Within three months of the submission of the initiative, the group of organisers shall be given the opportunity to present the initiative at a public hearing held by the European Parliament.

The ▌ European Parliament shall organise the public hearing at its premises.

The Commission shall be represented in the hearing at an appropriate level.

The Council, other institutions and advisory bodies of the Union, the national parliaments and civil society shall be given the opportunity to attend the hearing.

▌The European Parliament shall ensure a balanced representation of relevant public and private interests.

3.  Following the public hearing, the European Parliament shall assess the political support for the initiative.

Article 15

Examination by the Commission

1.  Within one month of the submission of the initiative in accordance with Article 13, the Commission shall receive the group of organisers at an appropriate level to allow it to explain in detail the objectives of the initiative.

2.  Within six months of the publication of the initiative in accordance with Article 14(1), and after the public hearing referred to in Article 14(2), the Commission shall set out in a communication its legal and political conclusions on the initiative, the action it intends to take, if any, and its reasons for taking or not taking action.

Where the Commission intends to take action in response to the initiative, including, where appropriate, the adoption of one or more proposals for a legal act of the Union, the communication shall also set out the envisaged timeline for these actions.

The communication shall be notified to the group of organisers as well as to the European Parliament, the Council, the European Economic and Social Committee and the Committee of the Regions and shall be made public.

3.  The Commission and the group of organisers shall inform the signatories on the response to the initiative in accordance with Article 18(2) and (3).

The Commission shall provide, in the register and on the public website on the European citizens’ initiative, up-to-date information on the implementation of the actions set out in the communication adopted in response to the initiative.

Article 16

Follow-up to successful citizens' initiatives by the European Parliament

The European Parliament shall assess the measures taken by the Commission as a result of its communication referred to in Article 15(2).

CHAPTER III

OTHER PROVISIONS

Article 17

Transparency

1.  The group of organisers shall provide, for the publication in the register and, where appropriate, on its campaign website, clear, accurate and comprehensive information on the sources of ▌funding for the initiative exceeding EUR 500 per sponsor.

The declared sources of funding and support, including the sponsors, and corresponding amounts shall be clearly identifiable.

The group of organisers shall also provide information on the organisations assisting it on a voluntary basis, where such support is not economically quantifiable.

That information shall be updated at least every two months during the period from the date of registration to the date on which the initiative is submitted to the Commission in accordance with Article 13. It shall be made publicly available by the Commission in a clear and accessible manner in the register and on the public website on the European citizens’ initiative.

2.  The Commission shall be entitled to request that the group of organisers provide any additional information and clarification on the sources of funding and support declared in accordance with this Regulation.

3.  The Commission shall enable citizens to submit a complaint relating to the completeness and correctness of the information on the sources of funding and support as declared by the groups of organisers and make a contact form publicly available in the register and on the public website on the European citizens’ initiative to that effect.

The Commission may request any additional information in relation to complaints received in accordance with this paragraph from the group of organisers, and, as appropriate, update the information on the declared sources of funding and support in the register.

Article 18

Communication

1.  The Commission shall raise public awareness about the existence, objectives and functioning of the European citizens’ initiative through communication activities and information campaigns, thereby contributing to promoting the active participation of citizens in the political life of the Union.

The European Parliament shall contribute to the communication activities of the Commission.

2.  For the purposes of communication and information activities regarding the initiative concerned and subject to explicit consent by a signatory, his or her email address may be collected by a group of organisers or by the Commission.

Potential signatories shall be informed that their right to support an initiative is not conditional on giving their consent to collecting their email address.

3.  Email addresses may not be collected as part of the statement of support forms. However, they may be collected at the same time as statements of support, provided they are processed separately.

Article 19

Protection of personal data

1.  The representative of the group of organisers shall be the data controller within the meaning of Regulation (EU) 2016/679 in relation to the processing of personal data when collecting statements of support, email addresses and data on the sponsors of the initiatives. Where the legal entity referred to in Article 5(7) of this Regulation is created, that entity shall be the data controller.

2.  The competent authorities designated in accordance with Article 20(2) of this Regulation shall be the data controllers within the meaning of Regulation (EU) 2016/679 in relation to the processing of personal data for the purposes of verification and certification of statements of support.

3.  The Commission shall be the data controller within the meaning of Regulation (EU) 2018/1725 in relation to the processing of personal data in the register, the online collaborative platform, the central online collection system referred to in Article 10 of this Regulation, and the collection of email addresses.

4.  The personal data provided in the statements of support forms shall be collected for the purpose of the operations required for the secure collection and storage in accordance with Articles 9 to 11, for the submission to the Member States, the verification and certification in accordance with Article 12, and for the necessary quality checks and statistical analysis.

5.  The group of organisers and the Commission, as appropriate, shall destroy all statements of support signed for an initiative and any copies thereof not later than one month after the submission of the initiative to the Commission in accordance with Article 13 or not later than 21 months after the beginning of the collection period, whichever is the earlier. However, where an initiative is withdrawn after the beginning of the collection period, the statements of support and any copies thereof shall be destroyed no later than one month after the withdrawal referred to in Article 7.

6.  The competent authority shall destroy all statements of support and copies thereof not later than three months after issuing the certificate referred to in Article 12(5).

7.  Statements of support for a given initiative and copies thereof may be retained beyond the time limits laid down in paragraphs 5 and 6 if necessary for the purpose of legal or administrative proceedings relating to the initiative concerned. They shall be destroyed not later than one month after the date of conclusion of the said proceedings by a final decision.

8.  The Commission and the group of organisers shall destroy records of the email addresses collected in accordance with Article 18(2), not later than one month after the withdrawal of an initiative or 12 months after the end of the collection period or the submission of the initiative to the Commission, respectively. However, where the Commission sets out, by means of a communication, the actions it intends to take in accordance with Article 15(2), records of the email addresses shall be destroyed at the latest three years after the publication of the communication.

9.  Without prejudice to their rights under Regulation (EU) 2018/1725, the members of the group of organisers have the right to request the removal of their personal data from the register after two years from the date of registration of the initiative concerned.

Article 20

Competent authorities within the Member States

1.  For the purpose of Article 11, each Member State shall designate one or more competent authorities responsible for issuing the certificate referred to in Article 11(3).

2.  For the purpose of Article 12, each Member State shall designate one competent authority responsible for coordinating the process of verification of statements of support and for issuing the certificates referred to in Article 12(5).

3.  By 1 January 2020, Member States shall transmit the names and addresses of the authorities designated pursuant to paragraphs 1 and 2 to the Commission. They shall inform the Commission of any update of that information.

The Commission shall make the names and addresses of the authorities designated pursuant to paragraphs 1 and 2 publicly available in the register.

Article 21

Communication of national provisions

1.  By 1 January 2020, Member States shall communicate the specific provisions adopted in order to implement this Regulation to the Commission.

2.  The Commission shall make these provisions publicly available in the register in the language of the communication by the Member States in accordance with paragraph 1.

CHAPTER IV

DELEGATED ACTS AND IMPLEMENTING ACTS

Article 22

Committee procedure

1.  For the purpose of implementing Article 11(5) of this Regulation, the Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2.  Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Article 23

Delegated powers

The Commission is empowered to adopt delegated acts in accordance with Article 24 to amend the Annexes to this Regulation within the scope of the provisions of this Regulation relevant to those Annexes.

Article 24

Exercise of the delegation

1.  The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2.  The power to adopt the delegated acts referred to in Article 23 shall be conferred on the Commission for a ▌period of five years from … [date of entry into force of this Regulation].

3.  The delegation of power referred to in Article 23 may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4.  Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

5.  As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

6.  A delegated act adopted pursuant to Article 23 shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

CHAPTER V

FINAL PROVISIONS

Article 25

Review

The Commission shall periodically review the functioning of the European citizens' initiative and present a report to the European Parliament and the Council on the application of this Regulation no later than 1 January 2024, and every four years thereafter. These reports shall cover also the minimum age to support European citizens’ initiatives in the Member States. The reports shall be made public.

Article 26

Repeal

Regulation (EU) No 211/2011 is repealed with effect from 1 January 2020.

References to the repealed Regulation shall be construed as references to this Regulation.

Article 27

Transitional provision

Articles 5 to 9 of Regulation (EU) No 211/2011 shall continue to apply after 1 January 2020 to European citizens’ initiatives which are registered before 1 January 2020.

Article 28

Entry into force and applicability

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from 1 January 2020.

However Articles 9(4), 10, 11(5) and 20 to 24 shall apply from the entry into force of this Regulation.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at ...,

For the European Parliament

The President

For the Council

The President

ANNEXES

ANNEX I

Minimum number of signatories per Member State

Belgium: 15 771
Bulgaria: 12 767
Czechia: 15 771
Denmark: 9 763
Germany: 72 096
Estonia: 4 506
Ireland: 8 261
Greece: 15 771
Spain: 40 554
France: 55 574
Croatia: 8 261
Italy: 54 823
Cyprus: 4 506
Latvia: 6 008
Lithuania: 8 261
Luxembourg: 4 506
Hungary: 15 771
Malta: 4 506
Netherlands: 19 526
Austria: 13 518
Poland: 38 301
Portugal: 15 771
Romania: 24 032
Slovenia: 6 008
Slovakia: 9 763
Finland: 9 763
Sweden: 15 020
United Kingdom: 54 823

ANNEX II

REQUIRED INFORMATION FOR REGISTERING AN INITIATIVE

1.  The title of the initiative, in no more than 100 characters;(*)

2.  The objectives of the initiative on which the Commission is invited to act, in no more than 1 100 characters without spaces; (adjusted mean per language(*));

The group of organisers may provide an annex on the subject, objectives and background to the initiative, in no more than 5 000 characters without spaces (adjusted mean per language(*));

The group of organisers may provide additional information on the subject, objectives and background to the initiative. It may also, if it wishes, submit a draft legal act;

3.  The provisions of the Treaties considered relevant by the group of organisers for the proposed action;

4.  The full names, postal addresses, nationalities and dates of birth of seven members of the group of organisers residing in seven different Member States indicating specifically the representative and the substitute as well as their e-mail addresses and telephone numbers(18);

If the representative and/or the substitute are not among the seven members referred to in the first subparagraph, their full names, postal addresses, nationalities, dates of birth, e-mail addresses and telephone numbers.

5.  Documents that prove the full names, postal addresses, nationalities and dates of birth of each of the seven members referred to in point 4 and of the representative and the substitute if they are not among those seven members;

6.  The names of the other members of the group of organisers;

7.  In the situation referred to in Article 5(7) of Regulation (EU) .../... (19), where appropriate, documents that prove the creation of a legal entity in accordance with the national law of a Member State specifically for the purpose of managing a given initiative and that the member of the group of organisers designated as the representative thereof is mandated to act on behalf of the legal entity.

8.  All sources of support and funding for the initiative at the time of registration.(20)

(*) The Commission provides the translation into all the official languages of the institutions of the Union of these elements, for all the registered initiatives.

ANNEX III

STATEMENT OF SUPPORT FORM — Part A(21)

(for Member States that do not require the provision of a personal identification number/personal identification document number)

All fields on this form are mandatory.

TO BE PRE-COMPLETED BY THE GROUP OF ORGANISERS:

1.  All signatories on this form are citizens of:

Please mark only one Member State per list.

2.  European Commission registration number:

3.  Dates of start and end of the collection period:

4.  Web address of this initiative in the European Commission’s register:

5.  Title of this initiative:

6.  Objectives of the initiative:

7.  Names and e-mail addresses of registered contact persons:

[In the situation referred to in Article 5(7) of Regulation (EU) .../... (22), where appropriate, additionally: the name and the country of the seat of the legal entity]:

8.  Website of this initiative (if any):

TO BE COMPLETED BY THE SIGNATORIES IN CAPITAL LETTERS:

‘I hereby certify that the information that I have provided in this form is correct and that I have not already supported this initiative.’

Full first names

Family names

RESIDENCE(23) (street, number, postal code, city, country)

Date of birth

Date

signature(24)

Privacy statement(25) for the statements of support collected on paper ▌ or via individual online collection systems:

In accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation), your personal data provided on this form ▌will only be used for the support of the initiative and made available to the competent national authorities for the purpose of verification and certification. You are entitled to request from the ▌ group of organisers of this ▌initiative access to, rectification of, erasure and restriction of processing of your personal data.

Your data will be stored by the group of organisers for a maximum retention period of one month after the submission of the initiative to the European Commission or 21 months after the beginning of the collection period, whichever is the earlier. It might be retained beyond these time limits in the case of administrative or legal proceedings, for a maximum of one month after the date of conclusion of these proceedings.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge at any time a complaint with a data protection authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that your data is unlawfully processed.

The representative of the group of organisers of the initiative or, where appropriate, the legal entity created by it, is the controller within the meaning of the General Data Protection Regulation and can be contacted using the details provided on this form.

The contact details of the data protection officer (if any) are available at the web address of this initiative in the European Commission’s register, as provided in point 4 of this form.

The contact details of the national authority which will receive and process your personal data and the contact details of the national data protection authorities can be consulted at: http://ec.europa.eu/citizens-initiative/public/data-protection.

Privacy statement for the statements of support collected online via the central online collection system:

In accordance with Regulation (EU) 2018/1725 and Regulation (EU) 2016/679 (the General Data Protection Regulation) your personal data provided on this form ▌will only be used for the support of the initiative and made available to the competent national authorities for the purpose of verification and certification. You are entitled to request from the European Commission and from the representative of the group of organisers of the initiative or, where appropriate, the legal entity created by it, access to, rectification of, erasure and restriction of processing of your personal data.

Your data will be stored by the European Commission for a maximum retention period of one month after the submission of the initiative to the European Commission or 21 months after the beginning of the collection period, whichever is the earlier. It might be retained beyond these time limits in the case of administrative or legal proceedings, for a maximum of one month after the date of conclusion of these proceedings.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge at any time a complaint with the European Data Protection Supervisor or with a data protection authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that your data is unlawfully processed.

The European Commission and the representative of the group of organisers of the initiative or, where appropriate, the legal entity created by it, are joint controllers within the meaning of Regulation (EU) 2018/1725 and the General Data Protection Regulation and can be contacted using the details provided on this form.

The contact details of the data protection officer of the group of organisers (if any) are available at the web address of this initiative in the European Commission’s register, as provided in point 4 of this form.

The contact details of the data protection officer of the European Commission, of the national authority which will receive and process your personal data, of the European Data Protection Supervisor and of the national data protection authorities can be consulted at: http://ec.europa.eu/citizens-initiative/public/data-protection.

STATEMENT OF SUPPORT FORM — Part B(26)

(for Member States that require the provision of ▌a personal identification number / personal identification document number)

All fields on this form are mandatory.

TO BE PRE-COMPLETED BY THE GROUP OF ORGANISERS:

1.  All signatories on this form are citizens of:

Please mark only one Member State per list.

See the European Commission’s website on the European Citizens' Initiative for personal identification numbers/personal identification document numbers, one of which must be provided.

2.  European Commission registration number:

3.  Dates of start and end of the collection period:

4.  Web address of this initiative in the European Commission’s register:

5.  Title of this initiative:

6.  Objectives of the initiative:

7.  Names and e-mail addresses of registered contact persons:

[In the situation referred to in Article 5(7) of Regulation (EU) .../... (27), where appropriate, additionally: the name and the country of the seat of the legal entity]:

8.  Website of this initiative (if any):

TO BE COMPLETED BY THE SIGNATORIES IN CAPITAL LETTERS:

‘I hereby certify that the information that I have provided in this form is correct and that I have not already supported this initiative.’

Full first names

Family names

▌PERSONAL IDENTIFICATION NUMBER/PERSONAL IDENTIFICATION DOCUMENT NUMBER

type of personal identification number or document

Date

signature(28)

Privacy statement(29) for the statements of support collected on paper ▌ or via individual online collection systems:

In accordance with Regulation (EU) 2016/679 (the General Data Protection Regulation), your personal data provided on this form ▌will only be used for the support of the initiative and made available to the competent national authorities for the purpose of verification and certification. You are entitled to request from the ▌ group of organisers of this ▌initiative access to, rectification of, erasure and restriction of processing of your personal data.

Your data will be stored by the group of organisers for a maximum retention period of one month after the submission of the initiative to the European Commission or 21 months after the beginning of the collection period, whichever is the earlier. It might be retained beyond these time limits in the case of administrative or legal proceedings, for a maximum of one month after the date of conclusion of these proceedings.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge at any time a complaint with a data protection authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that your data is unlawfully processed.

The representative of the group of organisers of the initiative or, where appropriate, the legal entity created by it, is the controller within the meaning of the General Data Protection Regulation and can be contacted using the details provided on this form.

The contact details of the data protection officer (if any) are available at the web address of this initiative in the European Commission’s register, as provided in point 4 of this form.

The contact details of the national authority which will receive and process your personal data and the contact details of the national data protection authorities can be consulted at: http://ec.europa.eu/citizens-initiative/public/data-protection.

Privacy statement for the statements of support collected online via the central online collection system:

In accordance with Regulation (EU) 2018/1725 and Regulation (EU) 2016/679 (the General Data Protection Regulation) your personal data provided on this form ▌will only be used for the support of the initiative and made available to the competent national authorities for the purpose of verification and certification. You are entitled to request from the European Commission and from the representative of the group of organisers of the initiative or, where appropriate, the legal entity created by it, access to, rectification of, erasure and restriction of processing of your personal data.

Your data will be stored by the European Commission for a maximum retention period of one month after the submission of the initiative to the European Commission or 21 months after the beginning of the collection period, whichever is the earlier. It might be retained beyond these time limits in the case of administrative or legal proceedings, for a maximum of one month after the date of conclusion of these proceedings.

Without prejudice to any other administrative or judicial remedy, you have the right to lodge at any time a complaint with the European Data Protection Supervisor or with a data protection authority, in particular in the Member State of your habitual residence, place of work or place of the alleged infringement if you consider that your data is unlawfully processed.

The European Commission and the representative of the group of organisers of the initiative or, where appropriate, the legal entity created by it, are joint controllers within the meaning of Regulation (EU) 2018/1725 and the General Data Protection Regulation and can be contacted using the details provided on this form.

The contact details of the data protection officer of the group of organisers (if any) are available at the web address of this initiative in the European Commission’s register, as provided in point 4 of this form.

The contact details of the data protection officer of the European Commission, of the national authority which will receive and process your personal data, of the European Data Protection Supervisor and of the national data protection authorities can be consulted at: http://ec.europa.eu/citizens-initiative/public/data-protection.

ANNEX IV

CERTIFICATE CONFIRMING THE CONFORMITY OF AN ONLINE COLLECTION SYSTEM WITH REGULATION (EU) …/…(30) OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL OF …(31)(32) ON THE EUROPEAN CITIZENS’ INITIATIVE

… (name of competent authority) of … (name of Member State) hereby certifies that the individual online collection system … (website address) used for the collection of statements of support for … (title of the initiative) having the registration number … (registration number of the initiative) complies with the relevant provisions of Regulation (EU) …/…(33) of the European Parliament and of the Council of …(34)(35) on the European citizens’ initiative.

Date, signature and official stamp of the competent authority:

ANNEX V

FORM FOR THE SUBMISSION OF STATEMENTS OF SUPPORT TO THE MEMBER STATES’ COMPETENT AUTHORITIES

1.  Full names, postal addresses and e-mail addresses of the contact persons (representative and substitute of the group of organisers) or of the legal entity managing the initiative and its representative:

2.  Title of the initiative:

3.  Commission registration number:

4.  Date of registration:

5.  Number of signatories who are nationals of (name of Member State):

6.  Total number of collected statements of support:

7.  Number of Member States where the threshold has been reached:

8.  Annexes:

(Include all statements of support from signatories who are nationals of the relevant Member State.

If applicable, include the relevant certificate of conformity of the individual online collection system with Regulation (EU) … /…(36) of the European Parliament and of the Council of …(37)(38) on the European citizens’ initiative.)

9.  I hereby declare that the information provided in this form is correct and that the statements of support have been collected in accordance with Article 9 of Regulation (EU) …/…(39) of the European Parliament and of the Council of …(40)(41) on the European citizens’ initiative.

10.  Date and signature of one of the contact persons (representative/substitute(42)) or of the representative of the legal entity:

ANNEX VI

CERTIFICATE CONFIRMING THE NUMBER OF VALID STATEMENTS OF SUPPORT COLLECTED FOR … (NAME OF MEMBER STATE)

… (name of competent authority) of … (name of Member State), having made the necessary verifications required by Article 12 of Regulation (EU) …/…(43) of the European Parliament and of the Council of …(44)(45) on the European citizens’ initiative, hereby certifies that … (number of valid statements of support) statements of support for the initiative having the registration number … (registration number of the initiative) are valid in accordance with the provisions of that Regulation.

Date, signature and official stamp

ANNEX VII

FORM FOR THE SUBMISSION OF AN INITIATIVE TO THE EUROPEAN COMMISSION

1.  Title of the initiative:

2.  Commission registration number:

3.  Date of registration:

4.  Number of valid statements of support received (must be at least one million):

5.  Number of signatories certified by Member States:

 

BE, BG, CZ, DK, DE, EE, IE, EL, ES, FR, HR, IT, CY, LV, LT, LU, HU, MT, NL, AT, PL, PT, RO, SI, SK, FI, SE, UK, TOTAL

Number of signatories (one entry for each column listed above):

6.  Full names, postal addresses and e-mail addresses of the contact persons (representative and substitute of the group of organisers)(46) or of the legal entity managing the initiative and its representative.

7.  Indicate all sources of support and funding received for the initiative, including the amount of financial support at the time of submission.

8.  I hereby declare that the information provided in this form is correct and that all relevant procedures and conditions set out in Regulation (EU) …/…(47) of the European Parliament and of the Council of …(48)+ on the European citizens’ initiative have been complied with.

Date and signature of one of the contact persons (representative/substitute(49)) or of the representative of the legal entity:

9.  Annexes: (Include all certificates)

(1) OJ C 237, 6.7.2018, p. 74.
(2) OJ C 247, 13.7.2018, p. 62.
(3) OJ C 237, 6.7.2018, p. 74.
(4) OJ C 247, 13.7.2018, p. 62.
(5) Position of the European Parliament of 12 March 2019.
(6) Regulation (EU) No 211/2011 of the European Parliament and of the Council of 16 February 2011 on the citizens’ initiative (OJ L 65, 11.3.2011, p. 1).
(7) Commission Implementing Regulation (EU) No 1179/2011 of 17 November 2011 laying down technical specifications for online collection systems pursuant to Regulation (EU) No 211/2011 of the European Parliament and of the Council on the citizens’ initiative (OJ L 301, 18.11.2011, p. 3).
(8) OJ C 355, 20.10.2017, p. 17.
(9) 2017/2024(INL).
(10) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(11) Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission (OJ L 6, 11.1.2017, p. 40).
(12) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73).
(13) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(14) OJ L 123, 12.5.2016, p. 1.
(15) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
(16) Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1).
(17) Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (OJ L 235, 9.9.2015, p. 1).
(18) Only the full names of the members of the group of organisers, the country of residence of the representative or, where appropriate, the name and the country of the seat of the legal entity, the e-mail addresses of the contact persons and information relating to the sources of support and funding will be made available to the public in the Commission’s online register. Data subjects are entitled to object to the publication of their personal data on compelling legitimate grounds relating to their particular situation.
(19)+ OJ: please insert the number of this Regulation.
(20)
(21) The form shall be printed on one sheet. Group of organisers may use a double-sided sheet. For the purpose of uploading the statements of support collected in paper form to the central online collection system a code made available by the European Commission shall be used.
(22)+ OJ: please insert the number of this Regulation.
(23) German nationals residing outside the country only if they have registered their current permanent residence at their responsible German diplomatic representation abroad.
(24) Signature is not mandatory if the form is submitted online via the central online collection system as referred to in Article 10 of Regulation (EU) .../... + or an individual online collection system as referred to in Article 11 of the said Regulation.
(25) Only one of the two proposed versions of the privacy statements is to be used, depending on the mode of collection.
(26) The form shall be printed on one sheet. Group of organisers may use a double-sided sheet. For the purpose of uploading the statements of support collected in paper form to the central online collection system a code made available by the European Commission shall be used.
(27)+ OJ: please insert the number of this Regulation.
(28) Signature is not mandatory if the form is submitted online via the central online collection system as referred to in Article 10 of Regulation (EU) .../... + or an individual online collection system as referred to in Article 11 of the said Regulation.
(29) Only one of the two proposed versions of the privacy statements is to be used, depending on the mode of collection.
(30)+ OJ: please insert the number of this Regulation.
(31)++ OJ: please insert date of adoption of this Regulation.
(32)
(33)
(34)
(35)
(36)+ OJ: please insert the number of this Regulation.
(37)++ OJ: please insert date of adoption of this Regulation.
(38)
(39)
(40)
(41)
(42) Delete as appropriate.
(43)+ OJ: please insert the number of this Regulation.
(44)++ OJ: please insert date of adoption of this Regulation.
(45)
(46) Only the full names of the members of the group of organisers, the country of residence of the representative or, where appropriate, the name and the country of the seat of the legal entity, the e-mail addresses of the contact persons and information relating to the sources of support and funding will be made available to the public on the Commission’s online register. Data subjects are entitled to object to the publication of their personal data on compelling legitimate grounds relating to their particular situation.
(47)+ OJ: please insert the number of this Regulation.
(48)++ OJ: please insert date of adoption of this Regulation.
(49) Delete as appropriate.


Import of cultural goods ***I
European Parliament legislative resolution of 12 March 2019 on the proposal for a regulation of the European Parliament and of the Council on the import of cultural goods (COM(2017)0375 – C8-0227/2017 – 2017/0158(COD))
P8_TA-PROV(2019)0154 A8-0308/2018

(Ordinary legislative procedure: first reading)

The European Parliament,

–  having regard to the Commission proposal to Parliament and the Council (COM(2017)0375),

–  having regard to Article 294(2) and Article 207(2) of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C8‑0227/2017),

–  having regard to Article 294(3) of the Treaty on the Functioning of the European Union,

–  having regard to the provisional agreement approved by the committees responsible under Rule 69f(4) of its Rules of Procedure and the undertaking given by the Council representative by letter of 19 December 2018 to approve Parliament’s position, in accordance with Article 294(4) of the Treaty on the Functioning of the European Union,

–  having regard to Rule 59 of its Rules of Procedure,

–  having regard to the joint deliberations of the Committee on International Trade and the Committee on the Internal Market and Consumer Protection under Rule 55 of the Rules of Procedure,

–  having regard to the report of the Committee on International Trade and the Committee on the Internal Market and Consumer Protection and the opinions of the Committee on Culture and Education and the Committee on Civil Liberties, Justice and Home Affairs (A8-0308/2018),

1.  Adopts its position at first reading hereinafter set out(1);

2.  Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal;

3.  Instructs its President to forward its position to the Council, the Commission and the national parliaments.

Position of the European Parliament adopted at first reading on 12 March 2019 with a view to the adoption of Regulation (EU) 2019/… of the European Parliament and of the Council on the introduction and the import of cultural goods

P8_TC1-COD(2017)0158


THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION ▌

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 207(2) thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Acting in accordance with the ordinary legislative procedure(2),

Whereas,

(1)  In ▌ light of the Council Conclusions of 12 February 2016 on the fight against the financing of terrorism, the Communication from the Commission to the European Parliament and the Council of 2 February 2016 on an Action Plan for strengthening the fight against terrorist financing and ▌ Directive (EU) 2017/541 of the European Parliament and of the Council(3), common rules on trade with third countries should be adopted so as to ensure the effective protection against illicit trade in cultural goods and against their loss or destruction, the preservation of humanity's cultural heritage and the prevention of terrorist financing and money laundering through the sale of pillaged cultural goods to buyers in the Union.

(2)  The exploitation of peoples and territories can lead to the illicit trade in cultural goods, in particular when such illicit trade originates from a context of armed conflict. In this respect, this Regulation should take into account regional and local characteristics of peoples and territories, rather than the market value of cultural goods.

(3)  Cultural goods are a part of cultural heritage and are often of major cultural, artistic, historical and scientific importance. Cultural heritage constitutes one of the basic elements of civilisation having, inter alia, symbolic value, and forming part of the cultural memory of humankind. It enriches the cultural life of all peoples and unites people through shared memory, knowledge and development of civilisation. It should therefore be protected from unlawful appropriation and pillage. Pillaging of archaeological sites has always happened, but has now reached an industrial scale and, together with trade in illegally excavated cultural goods, is a serious crime that causes significant suffering to those directly or indirectly affected. The illicit trade in cultural goods in many cases contributes to forceful cultural homogenisation or forceful loss of cultural identity, while the pillage of cultural goods leads, inter alia, to the disintegration of cultures. As long as it is possible to engage in lucrative trade in illegally excavated cultural goods and to profit therefrom without any notable risk, such excavations and pillaging will continue. Due to the economic and artistic value of cultural goods they are in high demand on the international market. The absence of strong international legal measures and the ineffective enforcement of any measures that do exist, lead to the transfer of such goods to the shadow economy. The Union should accordingly prohibit the introduction into the customs territory of the Union of cultural goods unlawfully exported from third countries, with particular emphasis on cultural goods from third countries affected by armed conflict, in particular where such cultural goods have been illicitly traded by terrorist or other criminal organisations. 
While that general prohibition should not entail systematic controls, Member States should be allowed to intervene when receiving intelligence regarding suspicious shipments and to take all appropriate measures to intercept illicitly exported cultural goods.

(4)  In view of different rules applying in Member States regarding the import of cultural goods into the customs territory of the Union, measures should be taken in particular to ensure that certain imports of cultural goods are subject to uniform controls upon their entry into the customs territory of the Union, on the basis of existing processes, procedures and administrative tools aiming to achieve a uniform implementation of Regulation (EU) No 952/2013 of the European Parliament and of the Council(4).

(5)  The protection of cultural goods which are considered national treasures of the Member States is already covered by Council Regulation (EC) No 116/2009(5) and Directive 2014/60/EU of the European Parliament and of the Council(6). Consequently, this Regulation should not apply to cultural goods which were created or discovered in the customs territory of the Union. The common rules introduced by this Regulation should cover the customs treatment of non-Union cultural goods entering the customs territory of the Union ▌. For the purposes of this Regulation, the relevant customs territory should be the customs territory of the Union at the time of import.

(6)  Control measures to be put in place regarding free zones ▌and so-called free ports ▌ should have as broad a scope as possible in terms of the customs procedures concerned in order to prevent circumvention of this Regulation through the exploitation of those free zones, which have the potential to be used for the continued proliferation of illicit trade. Those control measures should therefore not only concern cultural goods released for free circulation but also cultural goods placed under a special customs procedure. However, the scope should not ▌ go beyond the objective of preventing illicitly exported cultural goods from entering the customs territory of the Union. Accordingly, while encompassing the release for free circulation and some of the special customs procedures under which goods entering the customs territory of the Union may be placed, systematic control measures should exclude transit.

(7)  Many third countries and most Member States are familiar with the definitions used in the UNESCO Convention on the Means of Prohibiting and Preventing the Illicit Import, Export and Transfer of Ownership of Cultural Property signed in Paris on 14 November 1970 ('the 1970 UNESCO Convention') to which a significant number of Member States are a party, and in the UNIDROIT Convention on Stolen or Illegally Exported Cultural Objects signed in Rome on 24 June 1995▌. For that reason the definitions used in this Regulation are based on those definitions.

(8)  The legality of export of cultural goods should be primarily examined based on the laws and regulations of the country where those cultural goods were created or discovered▌. However, in order not to impede legitimate trade unreasonably, a person who seeks to import cultural goods into the customs territory of the Union should, in certain cases, be exceptionally allowed to demonstrate instead the licit export from a different third country where the cultural goods were located before their dispatch to the Union. That exception should apply in cases where the country in which the cultural goods were created or discovered cannot be reliably determined or when the export of the cultural goods in question took place before the 1970 UNESCO Convention entered into force, namely 24 April 1972. In order to prevent circumvention of this Regulation by simply sending illicitly exported cultural goods to another third country prior to importing them into the Union, the exceptions should be applicable where the cultural goods have been located in a third country for a period of more than five years for purposes other than temporary use, transit, re-export or transhipment. Where those conditions are fulfilled for more than one country, the relevant country should be the last of those countries before the introduction of the cultural goods into the customs territory of the Union.

(9)  Article 5 of the 1970 UNESCO Convention calls on the States Parties to establish one or more national services for the protection of cultural goods against illicit import, export and transfer of ownership. Such national services should be equipped with qualified staff sufficient in number to ensure that protection in accordance with that Convention, and should also enable the necessary active collaboration between the competent authorities of Member States which are Parties to that Convention in the area of security and in the fight against the illegal import of cultural goods, especially from areas affected by armed conflict.

(10)  In order not to disproportionately impede trade in cultural goods across the Union’s external border, this Regulation should only apply to cultural goods above a certain age limit, which is established by this Regulation. It also seems appropriate to set a financial threshold in order to exclude cultural goods of lower value from the application of the conditions and procedures for import into the customs territory of the Union. Those thresholds will ensure that the measures provided for in this Regulation focus on those cultural goods most likely to be targeted by pillagers in conflict areas, without excluding other goods the control of which is necessary for ensuring the protection of cultural heritage.

(11)  Illicit trade in pillaged cultural goods has been identified as a possible source of terrorist financing and money laundering activities in the context of the supranational risk assessment on money laundering and terrorist financing risks affecting the internal market.

(12)  Since certain categories of cultural goods, namely archaeological objects and elements of monuments ▌, are particularly vulnerable to pillage and destruction, it seems necessary to provide for a system of increased scrutiny before they are permitted to enter the customs territory of the Union. Such a system should require the presentation of an import licence issued by the competent authority of a Member State ▌prior to the release for free circulation of those cultural goods into the Union or their placement under a special customs procedure other than transit. Persons seeking to obtain such a licence should be able to prove licit export from the ▌country where the cultural goods were created or discovered with the appropriate supportive documents and evidence, such as export certificates, ▌ ownership titles, invoices, sales contracts, insurance documents, transport documents and expert appraisals. Based on complete and accurate applications, the competent authorities of the Member States should decide whether to issue a licence without undue delay. All import licences should be stored in an electronic system.

(13)  An icon is any representation of a religious figure or a religious event. It can be produced in various media and sizes and can be monumental or portable. In cases where an icon was once part, for example, of the interior of a church, a monastery, a chapel, either free-standing or as part of architectural furniture, for example an iconostasis or icon stand, it is a vital and inseparable part of divine worship and liturgical life, and should be considered as forming an integral part of a religious monument which has been dismembered. Even in cases where the specific monument that the icon belonged to is unknown, but where there is evidence that it once formed an integral part of a monument, in particular when there are signs or elements present which indicate that it was once part of an iconostasis or an icon stand, the icon should still be covered by the category "elements of artistic or historical monuments or archaeological sites which have been dismembered" listed in the Annex.

(14)  Taking into account the particular nature of the cultural goods, the role of the customs authorities is extremely relevant and they should be able, where necessary, to require additional information from the declarant and to analyse the cultural goods by means of a physical examination.

(15)  For categories of cultural goods the import of which does not require an import licence, the persons seeking to import such goods into the customs territory of the Union should, by means of a statement, certify and assume responsibility for their lawful export from the third country and should provide sufficient information for those cultural goods to be identified by the customs authorities. In order to facilitate the procedure and for reasons of legal certainty, the information about the cultural goods should be provided using a standardised document. The Object ID standard, recommended by UNESCO, could be used to describe the cultural goods. The holder of the goods should register those details in an electronic system, in order to facilitate identification by the customs authorities, to allow for risk analysis and targeted controls and to ensure traceability after the cultural goods enter the internal market.

(16)  In the context of the EU Single Window environment for customs, the Commission should be responsible for the establishment of a centralised electronic system for the submission of applications for import licences and of importer statements, as well as the storage and the exchange of information between the authorities of the Member States, in particular regarding importer statements and import licences.

(17)  It should be possible for the processing of data under this Regulation to also cover personal data and such processing should be carried out in accordance with Union law. Member States and the Commission should process personal data only for the purposes of this Regulation or in duly justified circumstances for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Any collection, disclosure, transmission, communication and other processing of personal data within the scope of this Regulation should be subject to the requirements of Regulations (EU) 2016/679(7) and (EU) 2018/1725(8) of the European Parliament and of the Council. The processing of personal data for the purposes of this Regulation should also respect the right to respect for private and family life recognised by Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms of the Council of Europe, as well as the right to respect for private and family life, and the right to the protection of personal data recognised, respectively, by Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.

(18)  Cultural goods which were not created or discovered in the customs territory of the Union but which have been exported as Union goods should not be subject to the presentation of an import licence or of an importer statement when they are returned to that territory as returned goods within the meaning of Regulation (EU) No 952/2013.

(19)  The temporary admission of cultural goods for the purpose of education, science, conservation, restoration, exhibition, digitisation, performing arts, research conducted by academic institutions or cooperation between museums or similar institutions should not be subject to the presentation of an import licence or of an importer statement.

(20)  The storage of cultural goods from countries affected by armed conflict or a natural disaster for the exclusive purpose of ensuring their safe keeping and preservation by, or under the supervision of, a public authority should not be subject to the presentation of an import licence or an importer statement.

(21)  In order to facilitate the presentation of cultural goods at commercial art fairs, an import licence should not be necessary where the cultural goods are under temporary admission, within the meaning of Article 250 of Regulation (EU) No 952/2013, and where an importer statement has been provided instead of the import licence. However, the presentation of an import licence should be required where such cultural goods are to remain in the Union after the art fair.

(22)  In order to ensure uniform conditions for the implementation of this Regulation, implementing powers should be conferred on the Commission to adopt detailed arrangements for: cultural goods that are returned goods, or the temporary admission of cultural goods into the customs territory of the Union and their safe keeping, the templates for import licence applications and for import licence forms, the templates for importer statements and their accompanying documents, and further procedural rules on their submission and processing. Implementing powers should also be conferred on the Commission to make arrangements for the establishment of an electronic system for the submission of applications for import licences and importer statements and for the storage of information and the exchange of information between Member States. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council(9).

(23)  In order to ensure effective co-ordination and to avoid duplication of efforts when organising training, capacity building activities and awareness-raising campaigns, as well as to commission relevant research and the development of standards, where appropriate, the Commission and the Member States should co-operate with international organisations and bodies, such as UNESCO, INTERPOL, EUROPOL, the World Customs Organization, the International Centre for the Preservation and Restoration of Cultural Property and the International Council of Museums (ICOM).

(24)  Relevant information on trade flows of cultural goods should be electronically collected and shared by Member States and the Commission in order to support the efficient implementation of this Regulation and to provide the basis for its future evaluation. In the interest of transparency and public scrutiny, as much information as possible should be made public. Trade flows of cultural goods cannot be efficiently monitored by their value or weight only. It is essential to electronically collect information on the number of items declared. As no supplementary measurement unit is specified in the Combined Nomenclature for cultural goods, it is necessary to require that the number of items is declared.

(25)  The EU Strategy and Action Plan for customs Risk Management aims, inter alia, to strengthen capacities of customs authorities to increase the responsiveness to risks in the area of cultural goods. The common risk management framework laid down in Regulation (EU) No 952/2013 should be used and relevant risk information should be exchanged between customs authorities.

(26)  In order to benefit from the expertise of international organisations and bodies which are active in cultural matters and from their experience with illicit trade in cultural goods, recommendations and guidance issued from those organisations and bodies should be taken into consideration in the common risk management framework when identifying risks related to cultural goods. In particular, the Red Lists published by ICOM should serve as guidance to identify those third countries whose heritage is most at risk and the objects exported from there that would more often be the object of illicit trade.

(27)  It is necessary to establish awareness-raising campaigns targeted at buyers of cultural goods regarding the risk of illicit trade and to assist market actors in their understanding and application of this Regulation. Member States should involve relevant national contact points and other information provision services in the dissemination of that information.

(28)  The Commission should ensure that micro, small and medium-sized enterprises (SMEs) benefit from adequate technical assistance and should facilitate the provision of information to them in order to efficiently implement this Regulation. SMEs established in the Union which import cultural goods should therefore benefit from current and future Union programmes in support of the competitiveness of small and medium-sized enterprises.

(29)  In order to encourage compliance and deter circumvention, Member States should introduce effective, proportionate and dissuasive penalties for failing to comply with the provisions of this Regulation and communicate those penalties to the Commission. Penalties introduced by Member States for infringements of this Regulation should have an equivalent deterrent effect across the Union.

(30)  Member States should ensure that the customs authorities and the competent authorities agree on measures under Article 198 of Regulation (EU) No 952/2013. The details of those measures should be subject to national law.

(31)  The Commission should, without delay, adopt rules implementing this Regulation, in particular those regarding the appropriate electronic standardised forms to be used to apply for an import licence or to prepare an importer statement, and establish the electronic system afterwards within the shortest possible timeframe. The application of the provisions regarding import licences and importer statements should be deferred accordingly.

(32)  In accordance with the principle of proportionality, it is necessary and appropriate for the achievement of the basic objectives of this Regulation to lay down rules on the introduction, and the conditions and procedures for the import, of cultural goods into the customs territory of the Union. This Regulation does not go beyond what is necessary in order to achieve the objectives pursued, in accordance with Article 5(4) of the Treaty on European Union,

HAVE ADOPTED THIS REGULATION ▌:

Article 1

Subject matter and scope

1.  This Regulation sets out the conditions for the introduction of cultural goods and the conditions and procedures for the import of cultural goods for the purpose of safeguarding humanity's cultural heritage and preventing the illicit trade in cultural goods, in particular where such illicit trade could contribute to terrorist financing.

2.  This Regulation does not apply to cultural goods which were either created or discovered in the customs territory of the Union.

Article 2

Definitions

▌For the purposes of this Regulation, the following definitions apply:

(1)  'cultural goods' means any item which is of importance for archaeology, prehistory, history, literature, art or science as listed in the Annex;

(2)   'introduction of cultural goods' means any entry into the customs territory of the Union of cultural goods which are subject to customs supervision or customs control within the customs territory of the Union in accordance with Regulation (EU) No 952/2013;

(3)  ‘import of cultural goods’ means:

(a)  the release of cultural goods for free circulation as referred to in Article 201 of Regulation (EU) No 952/2013; or

(b)  the placing of cultural goods under one of the following categories of special ▌ procedures referred to in ▌Article 210 of Regulation (EU) No 952/2013:

(i)  storage, comprising customs warehousing and free zones;

(ii)  specific use, comprising temporary admission and end-use;

(iii)  inward processing;

(4)  'holder of the goods' means holder of the goods as defined in point (34) of Article 5 of Regulation (EU) No 952/2013;

(5)  ‘competent authorities’ means the public authorities designated by the Member States to issue import licences.

Article 3

Introduction and import of cultural goods

1.  The introduction of cultural goods referred to in Part A of the Annex which were removed from the territory of the country where they were created or discovered in breach of the laws and regulations of that country shall be prohibited.

The customs authorities and the competent authorities shall take any appropriate measure when there is an attempt to introduce cultural goods as referred to in the first subparagraph.

2.  The import of cultural goods listed in Parts B and C of the Annex shall be permitted only upon the provision of either:

(a)  an import licence issued in accordance with Article 4; or

(b)  an importer statement submitted in accordance with Article 5.

3.  The import licence or the importer statement referred to in paragraph 2 of this Article shall be provided to the customs authorities in accordance with Article 163 of Regulation (EU) No 952/2013. In the event that the cultural goods are placed under the free zone procedure, the holder of the goods shall provide the import licence or the importer statement upon presentation of the goods in accordance with points (a) and (b) of Article 245(1) of Regulation (EU) No 952/2013.

4.  Paragraph 2 of this Article shall not apply to:

(a)  cultural goods that are returned goods within the meaning of Article 203 of Regulation (EU) No 952/2013;

(b)  the import of cultural goods for the exclusive purpose of ensuring their safekeeping by, or under the supervision of, a public authority, with the intent to return those cultural goods, when the situation so allows;

(c)  the temporary admission of cultural goods, within the meaning of Article 250 of Regulation (EU) No 952/2013, into the customs territory of the Union for the purpose of education, science, conservation, restoration, exhibition, digitisation, performing arts, research conducted by academic institutions or cooperation between museums or similar institutions.

5.  An import licence shall not be required for cultural goods that have been placed under the temporary admission procedure within the meaning of Article 250 of Regulation (EU) No 952/2013, where such goods are to be presented at commercial art fairs. In such cases an importer statement shall be provided in accordance with the procedure in Article 5 of this Regulation.

However, if those cultural goods are subsequently placed under another customs procedure referred to in point (3) of Article 2 of this Regulation, an import licence issued in accordance with Article 4 of this Regulation shall be required.

6.  The Commission shall lay down, by means of implementing acts, detailed arrangements for cultural goods that are returned goods, for the import of cultural goods for their safe keeping and for the temporary admission of cultural goods as referred to in paragraphs 4 and 5 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 13(2).

7.  Paragraph 2 of this Article shall be without prejudice to other measures adopted by the Union in accordance with Article 215 of the Treaty on the Functioning of the European Union.

8.  When submitting a customs declaration for the import of cultural goods listed in Parts B and C of the Annex, the number of items shall be indicated using the supplementary unit, as set out in that Annex. Where the cultural goods are placed under the free zone procedure, the holder of the goods shall indicate the number of items upon presentation of the goods in accordance with points (a) and (b) of Article 245(1) of Regulation (EU) No 952/2013.

Article 4

Import licence

1.   The import of cultural goods listed in Part B of the Annex other than those referred to in Article 3(4) and (5) shall require an import licence. That import licence shall be issued by the competent authority of the Member State in which the cultural goods are placed under one of the customs procedures referred to in point (3) of Article 2 for the first time.

2.  Import licences issued by the competent authorities of a Member State in accordance with this Article shall be valid throughout the Union.

3.  An import licence issued in accordance with this Article shall not be construed to be evidence of licit provenance or ownership of the cultural goods in question.

4.  The holder of the goods shall apply for an import licence to the competent authority of the Member State referred to in paragraph 1 of this Article via the electronic system referred to in Article 8. The application shall be accompanied by any supporting documents and information providing evidence that the cultural goods in question have been exported from the ▌country where they were created or discovered in accordance with the ▌laws and regulations of that country or providing evidence of the absence of such laws and regulations at the time they were taken out of its territory. ▌

By way of derogation from the first subparagraph, the application may be accompanied instead by any supporting documents and information providing evidence that the cultural goods in question have been exported in accordance with the laws and regulations of the last country where they were located for a period of more than five years and for purposes other than temporary use, transit, re-export or transhipment, in the following cases:

(a)  the country where the cultural goods were created or discovered cannot be reliably determined; or

(b)  the cultural goods were taken out of the country where they were created or discovered before 24 April 1972.

5.  Evidence that the cultural goods in question have been exported in accordance with paragraph 4 shall be provided in the form of export certificates or export licences where the country in question has established such documents for the export of cultural goods at the time of the export.

6.  The competent authority ▌ shall check whether the application is complete. It shall request any missing or additional information or document from the applicant within 21 days of receipt of the application.

7.  Within 90 days of receipt of the complete application ▌, the competent authority shall ▌ examine it and decide whether to issue the import licence or to reject the application. ▌

The competent authority shall reject the application where:

(a)  it has information or reasonable grounds to believe that the cultural goods were removed from the territory of the country where they were created or discovered in breach of the laws and regulations of that country;

(b)   the evidence required by paragraph 4 has not been provided;

(c)   it has information or reasonable grounds to believe that the holder of the goods did not acquire them lawfully; or

(d)  it has been informed that there are pending claims for the return of the cultural goods by the authorities of the country where they were created or discovered.

8.  In the event that the application is rejected, the administrative decision referred to in paragraph 7, together with a statement of reasons and information on the appeal procedure, shall be communicated to the applicant without delay.

9.  Where an application is made for an import licence relating to cultural goods for which such an application has been previously rejected, the applicant shall inform the competent authority to which the application is submitted of the previous rejection.

10.  Where a Member State rejects an application, that rejection, as well as the grounds on which it was based, shall be communicated to the other Member States and to the Commission via the electronic system referred to in Article 8.

11.  Member States shall designate without delay the competent authorities for the issuing of import licences in accordance with this Article. The Member States shall communicate the details of the competent authorities as well as any changes in that respect to the Commission.

The Commission shall publish the details of the competent authorities and any changes thereto in the 'C' series of the Official Journal of the European Union.

12.  The Commission shall lay down, by means of implementing acts, the template for and the format of the application for the import licence and shall indicate possible supporting documents to prove licit provenance of the cultural goods in question as well as the procedural rules on the submission and processing of such an application. In establishing those elements, the Commission shall endeavour to achieve uniform application by competent authorities of the import licensing procedures. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 13(2).

Article 5

Importer statement

1.   The import of the cultural goods listed in Part C of the Annex shall require an importer statement ▌ which the holder of the goods shall submit via the electronic system referred to in Article 8.

2.  The importer statement shall consist of:

(a)  a declaration signed by the holder of the goods stating that the cultural goods have been exported from the ▌country where they were created or discovered in accordance with the laws and regulations of that country at the time they were taken out of its territory; and

(b)  a standardised document describing the cultural goods in question in sufficient detail for them to be identified by the ▌authorities and to perform risk analysis and targeted controls.

By way of derogation from point (a) of the first subparagraph, the declaration may instead state that the cultural goods in question have been exported in accordance with the laws and regulations of the last country where they were located for a period of more than five years and for purposes other than temporary use, transit, re-export or transhipment, in the following cases:

(a)  the country where the cultural goods were created or discovered cannot be reliably determined; or

(b)  the cultural goods were taken out of the country where they were created or discovered before 24 April 1972.

3.  The Commission shall lay down, by means of implementing acts, the standardised template for and the format of the importer statement as well as the procedural rules on its submission and shall indicate possible supporting documents to prove licit provenance of the cultural goods in question that should be in the possession of the holder of the goods and the rules on processing of the importer statement. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 13(2).

Article 6

Competent customs offices

▌Member States may restrict the number of customs offices competent to handle the import of cultural goods subject to this Regulation. Where Member States apply such a restriction, they shall communicate the details of those customs offices as well as any changes in that respect to the Commission.

The Commission shall publish the details of the competent customs offices and any changes thereto in the 'C' series of the Official Journal of the European Union.

Article 7

Administrative co-operation

▌For the purposes of implementing this Regulation, Member States shall ensure co-operation between their customs authorities and with the competent authorities referred to in Article 4.

Article 8

Use of an electronic system ▌

1.  The storage and the exchange of information between the authorities of the Member States, in particular regarding import licences and importer statements, shall be carried out by means of a centralised electronic system.

In the event of a temporary failure of the electronic system, other means for the storage and exchange of information may be used on a temporary basis.

2.  The Commission shall lay down, by means of implementing acts: ▌

(a)  the arrangements for the deployment, operation and maintenance of the electronic system referred to in paragraph 1;

(b)  the detailed rules regarding the submission, processing, storage and exchange of information between the authorities of the Member States by means of the electronic system or by other means referred to in paragraph 1.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 13(2) by ... [two years after the entry into force of this Regulation].

Article 9

Establishment of an electronic system

The Commission shall establish the electronic system referred to in Article 8. The electronic system shall be operational at the latest four years after the entry into force of the first of the implementing acts referred to in Article 8(2).

Article 10

Personal data protection and data retention periods

1.  The customs authorities and competent authorities of the Member States shall act as controllers of the personal data obtained pursuant to Articles 4, 5 and 8.

2.  The processing of personal data on the basis of this Regulation shall take place only for the purpose defined in Article 1(1).

3.  The personal data obtained in accordance with Articles 4, 5 and 8 shall be accessed only by duly authorised staff of the authorities and shall be adequately protected against unauthorised access or communication. The data shall not be disclosed or communicated without the express written authorisation of the authority which originally obtained the information. However, such authorisation shall not be necessary where the authorities are required to disclose or communicate that information pursuant to legal provisions in force in the Member State in question, particularly in connection with legal proceedings.

4.  The authorities shall store personal data obtained pursuant to Articles 4, 5 and 8 for a period of 20 years from the date on which the data were obtained. Those personal data shall be erased upon the expiry of that period.

Article 11

Penalties

Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive.

By ... [18 months after the date of application of this Regulation], Member States shall notify the Commission of the rules on penalties applicable to the introduction of cultural goods in breach of Article 3(1), and of the related measures.

By ... [six years after the date of application of this Regulation], Member States shall notify the Commission of the rules on penalties applicable to other infringements of this Regulation, in particular the making of false statements and the submission of false information, and of the related measures.

The Member States shall notify the Commission without delay of any subsequent amendment affecting those rules.

Article 12

Cooperation with third countries

The Commission may, in matters covered by its activities and to the extent required for the fulfilment of its tasks under this Regulation, organise training and capacity building activities for third countries in cooperation with Member States.

Article 13

Committee procedure

1.  The Commission shall be assisted by the committee established by Article 8 of Council Regulation (EC) No 116/2009. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2.  Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply.

Article 14

Reporting and evaluation

1.  Member States shall provide information to the Commission on the implementation of this Regulation.

For that purpose, the Commission shall address relevant questionnaires to the Member States. Member States shall have six months from receipt of the questionnaire to communicate the requested information to the Commission.

2.  Within three years of the date on which this Regulation becomes applicable in its entirety, and every five years thereafter, the Commission shall present a report to the European Parliament and to the Council on the implementation of this Regulation. That report shall be publicly available and shall include relevant statistical information at both Union and national level, such as the number of import licences issued, of applications rejected and of importer statements submitted. It shall include a consideration of practical implementation, including the impact on Union economic operators, particularly SMEs.

3.  By ... [twelve months after the date of entry into force of this Regulation] and every 12 months thereafter until the electronic system as set out in Article 9 has been established, the Commission shall present a report to the European Parliament and to the Council on the progress made in adopting the implementing acts as set out in Article 8(2) and in establishing the electronic system as set out in Article 9.

Article 15

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

Article 16

Application

1.  This Regulation shall apply from the date of its entry into force.

2.  Notwithstanding paragraph 1:

(a)  Article 3(1) shall apply from ... [18 months after the date of entry into force of this Regulation];

(b)  Article 3(2) to (5), (7) and (8), Article 4(1) to (10), Article 5(1) and (2) and Article 8(1) shall apply from the date on which the electronic system referred to in Article 8 becomes operational or at the latest from ... [six years after the date of entry into force of this Regulation]. The Commission shall publish the date on which the conditions of this paragraph have been fulfilled in the 'C' series of the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at ...,

For the European Parliament For the Council

The President The President

ANNEX

Part A. Cultural goods covered by Article 3(1)

(a)  rare collections and specimens of fauna, flora, minerals and anatomy, and objects of palaeontological interest;

(b)  property relating to history, including the history of science and technology and military and social history, to the life of national leaders, thinkers, scientists and artists and to events of national importance;

(c)  products of archaeological excavations (including regular and clandestine) or of archaeological discoveries on land or underwater;

(d)  elements of artistic or historical monuments or archaeological sites which have been dismembered(10);

(e)  antiquities more than one hundred years old, such as inscriptions, coins and engraved seals;

(f)  objects of ethnological interest;

(g)  objects of artistic interest, such as:

(i)  pictures, paintings and drawings produced entirely by hand on any support and in any material (excluding industrial designs and manufactured articles decorated by hand);

(ii)  original works of statuary art and sculpture in any material;

(iii)  original engravings, prints and lithographs;

(iv)  original artistic assemblages and montages in any material;

(h)  rare manuscripts and incunabula;

(i)  old books, documents and publications of special interest (historical, artistic, scientific, literary, etc.) singly or in collections;

(j)  postage, revenue and similar stamps, singly or in collections;

(k)  archives, including sound, photographic and cinematographic archives;

(l)  articles of furniture more than one hundred years old and old musical instruments.

Part B. Cultural goods covered by Article 4

| Categories of cultural goods according to Part A | Combined Nomenclature (CN) Chapter, Heading or Subheading | Minimum age threshold | Minimum financial threshold (customs value) | Supplementary units |
| --- | --- | --- | --- | --- |
| (c) products of archaeological excavations (including regular and clandestine) or of archaeological discoveries on land or underwater; | ex 9705; ex 9706 | More than 250 years old | Whatever the value | number of items (p/st) |
| (d) elements of artistic or historical monuments or archaeological sites which have been dismembered(11); | ex 9705; ex 9706 | More than 250 years old | Whatever the value | number of items (p/st) |

Part C. Cultural goods covered by Article 5

| Categories of cultural goods according to Part A | Combined Nomenclature (CN) Chapter, Heading or Subheading | Minimum age threshold | Minimum financial threshold (customs value) | Supplementary units |
| --- | --- | --- | --- | --- |
| (a) rare collections and specimens of fauna, flora, minerals and anatomy, and objects of palaeontological interest; | ex 9705 | More than 200 years old | EUR 18 000 or more per item | number of items (p/st) |
| (b) property relating to history, including the history of science and technology and military and social history, to the life of national leaders, thinkers, scientists and artists and to events of national importance; | ex 9705 | More than 200 years old | EUR 18 000 or more per item | number of items (p/st) |
| (e) antiquities, such as inscriptions, coins and engraved seals; | ex 9706 | More than 200 years old | EUR 18 000 or more per item | number of items (p/st) |
| (f) objects of ethnological interest; | ex 9705 | More than 200 years old | EUR 18 000 or more per item | number of items (p/st) |
| (g) objects of artistic interest, such as: | | | | |
| (i) pictures, paintings and drawings produced entirely by hand on any support and in any material (excluding industrial designs and manufactured articles decorated by hand); | ex 9701 | More than 200 years old | EUR 18 000 or more per item | number of items (p/st) |
| (ii) original works of statuary art and sculpture in any material; | ex 9703 | More than 200 years old | EUR 18 000 or more per item | number of items (p/st) |
| (iii) original engravings, prints and lithographs; | ex 9702 | More than 200 years old | EUR 18 000 or more per item | number of items (p/st) |
| (iv) original artistic assemblages and montages in any material; | ex 9701 | More than 200 years old | EUR 18 000 or more per item | number of items (p/st) |
| (h) rare manuscripts and incunabula; | ex 9702; ex 9706 | More than 200 years old | EUR 18 000 or more per item | number of items (p/st) |
| (i) old books, documents and publications of special interest (historical, artistic, scientific, literary, etc.) singly or in collections. | ex 9705; ex 9706 | More than 200 years old | EUR 18 000 or more per item | number of items (p/st) |

______________________

(1) This position replaces the amendments adopted on 25 October 2018 (Texts adopted, P8_TA-PROV(2018)0418)
(2) Position of the European Parliament of 12 March 2019.
(3) Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (OJ L 88, 31.3.2017, p. 6).
(4) Regulation (EU) No 952/2013 of the European Parliament and of the Council of 9 October 2013 laying down the Union Customs Code (OJ L 269, 10.10.2013, p. 1).
(5) Council Regulation (EC) No 116/2009 of 18 December 2008 on the export of cultural goods (OJ L 39, 10.2.2009, p. 1).
(6) Directive 2014/60/EU of the European Parliament and of the Council of 15 May 2014 on the return of cultural objects unlawfully removed from the territory of a Member State and amending Regulation (EU) No 1024/2012 (OJ L 159, 28.5.2014, p. 1).
(7) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(8) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(9) Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (OJ L 55, 28.2.2011, p. 13).
(10) Liturgical icons and statues, even free-standing, are to be considered as cultural goods belonging to this category.
(11) Liturgical icons and statues, even free-standing, are to be considered as cultural goods belonging to this category.


Protection of personal data in the context of elections to the European Parliament ***I
European Parliament legislative resolution of 12 March 2019 on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EU, Euratom) No 1141/2014 as regards a verification procedure related to infringements of rules on the protection of personal data in the context of elections to the European Parliament (COM(2018)0636 – C8-0413/2018 – 2018/0336(COD))
P8_TA-PROV(2019)0155 A8-0435/2018

(Ordinary legislative procedure: first reading)

The European Parliament,

–  having regard to the Commission proposal to Parliament and the Council (COM(2018)0636),

–  having regard to Article 294(2) and Article 224 of the Treaty on the Functioning of the European Union, pursuant to which the Commission submitted the proposal to Parliament (C8‑0413/2018),

–  having regard to the Treaty establishing the European Atomic Energy Community, and in particular Article 106a thereof,

–  having regard to Article 294(3) of the Treaty on the Functioning of the European Union,

–  having regard to the opinion of the European Economic and Social Committee of 12 December 2018(1),

–  after consulting the Committee of the Regions,

–  having regard to the provisional agreement approved by the committee responsible under Rule 69f(4) of its Rules of Procedure and the undertaking given by the Council representative by letter of 25 January 2019 to approve Parliament’s position, in accordance with Article 294(4) of the Treaty on the Functioning of the European Union,

–  having regard to Rule 59 of its Rules of Procedure,

–  having regard to the report of the Committee on Constitutional Affairs and also the opinion of the Committee on Civil Liberties, Justice and Home Affairs (A8-0435/2018),

1.  Adopts its position at first reading hereinafter set out;

2.  Calls on the Commission to refer the matter to Parliament again if it replaces, substantially amends or intends to substantially amend its proposal;

3.  Instructs its President to forward its position to the Council, the Commission and the national parliaments.

Position of the European Parliament adopted at first reading on 12 March 2019 with a view to the adoption of Regulation (EU, Euratom) 2019/… of the European Parliament and of the Council amending Regulation (EU, Euratom) No 1141/2014 of the European Parliament and of the Council as regards a verification procedure related to infringements of rules on the protection of personal data in the context of elections to the European Parliament

P8_TC1-COD(2018)0336


THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 224 thereof,

Having regard to the Treaty establishing the European Atomic Energy Community, and in particular Article 106a thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee(2),

After consulting the Committee of the Regions,

Acting in accordance with the ordinary legislative procedure(3),

Whereas:

(1)  Regulation (EU, Euratom) No 1141/2014 of the European Parliament and of the Council(4) established a specific European legal status for European political parties and European political foundations and provides for their funding from the general budget of the European Union. It also established an Authority for European political parties and European political foundations ("the Authority").

(2)  In order to enable the Authority to fully fulfil its tasks, including the new ones provided for in this Regulation, and to enable it to do so in an independent manner, it is necessary to staff it in a permanent way and to confer the powers of an appointing authority on the Director of the Authority.

(3)  Recent events have demonstrated the potential risks to electoral processes and to democracy that can arise from the unlawful use of personal data. It is therefore necessary to protect the integrity of the European democratic process by providing for financial sanctions in situations where European political parties or European political foundations take advantage of infringements of rules on protection of personal data with a view to influencing the outcome of elections to the European Parliament.

(4)  To that end, a verification procedure should be established whereby the Authority must, in certain circumstances, ask the committee of independent eminent persons established by Regulation (EU, Euratom) No 1141/2014 to assess whether a European political party or a European political foundation has deliberately influenced or attempted to influence the outcome of elections to the European Parliament by taking advantage of an infringement of the applicable rules on protection of personal data. Where, in accordance with the verification procedure, that is found to be the case, the Authority should impose sanctions under the effective, proportionate and dissuasive sanctioning system established by Regulation (EU, Euratom) No 1141/2014.

(5)  When the Authority imposes a sanction on a European political party or foundation in accordance with the verification procedure, it should take due account of the ne bis in idem principle, whereby sanctions cannot be imposed twice for the same offence. The Authority should also ensure that the principle of legal certainty is respected and that the European political party or European political foundation concerned has been given the opportunity to be heard.

(6)  The new procedure should exist alongside the current procedures used for the verification of compliance with registration conditions and in cases of manifest and serious breaches of the values on which the Union is founded. However, the time limits for verification of compliance with registration conditions and requirements set in Article 10 of Regulation (EU, Euratom) No 1141/2014 should not apply to the new procedure.

(7)  Since the new procedure is triggered by a decision of a competent national data protection supervisory authority, it should be possible for the European political party or European political foundation concerned to request that the sanction be reviewed if the decision of that national supervisory authority is repealed, or a remedy against that decision has been granted, provided that all national remedies have been exhausted.

(8)  In order to ensure that the 2019 elections to the European Parliament take place in accordance with strong democratic rules and in full respect of the European values of democracy, rule of law and respect of fundamental rights, it is important that the provisions on the new verification procedure enter into force in a timely manner and that the procedure applies as soon as possible. In order to achieve this, the amendments to Regulation (EU, Euratom) No 1141/2014 introduced by this Regulation should enter into force on the date of its publication in the Official Journal of the European Union.

(9)  Regulation (EU, Euratom) No 1141/2014 should therefore be amended accordingly,

HAVE ADOPTED THIS REGULATION:

Article 1

Regulation (EU, Euratom) No 1141/2014 is amended as follows:

(1)  In Article 6, paragraph (5) is replaced by the following:

“5. The Director of the Authority shall be assisted by staff in respect of whom he or she shall exercise the powers conferred on the appointing authority by the Staff Regulations of Officials of the European Union and the powers conferred on the authority empowered to conclude contracts of employment of other servants by the Conditions of Employment of Other Servants of the Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (‘the appointing authority’s powers’). The Authority may make use in any areas of its work of other seconded national experts or of other staff not employed by the Authority.

The Staff Regulations and the Conditions of Employment of Other Servants and the rules adopted by agreement between the institutions of the Union for giving effect to those Staff Regulations and Conditions of Employment of Other Servants shall apply to the staff of the Authority.

The selection of the staff shall not be liable to result in a conflict of interests between their duties at the Authority and any other official duties, and they shall refrain from any act which is incompatible with the nature of their duties.”.

(2)  In Article 10(3), the third subparagraph is replaced by the following:

“The procedures laid down in the first and second subparagraphs shall not be initiated within a period of two months prior to elections to the European Parliament. That time limit shall not apply with regard to the procedure set out in Article 10a.”.

(3)  The following Article is inserted:

"Article 10a

Verification procedure related to infringements of rules on the protection of personal data

1.  No European political party or European political foundation shall deliberately influence, or attempt to influence, the outcome of elections to the European Parliament by taking advantage of an infringement by a natural or legal person of the applicable rules on the protection of personal data.

2.  If the Authority is informed of a decision of a national supervisory authority within the meaning of point 21 of Article 4 of Regulation (EU) 2016/679 of the European Parliament and of the Council* finding that a natural or legal person has infringed applicable rules on the protection of personal data, and if it follows from that decision, or if there are otherwise reasonable grounds to believe, that the infringement is linked to political activities by a European political party or a European political foundation in the context of elections to the European Parliament, the Authority shall refer this matter to the committee of independent eminent persons established by Article 11 of this Regulation. The Authority may, if necessary, liaise with the national supervisory authority concerned.

3.  The committee referred to in paragraph 2 shall give an opinion as to whether the European political party or European political foundation concerned has deliberately influenced or attempted to influence the outcome of elections to the European Parliament by taking advantage of that infringement. The Authority shall request the opinion without undue delay, and no later than 1 month after being informed of the decision of the national supervisory authority. The Authority shall set a short, reasonable deadline for the committee to give its opinion. The committee shall comply with that deadline.

4.   Having regard to the committee's opinion, the Authority shall decide, pursuant to point (a)(vii) of Article 27(2), whether to impose financial sanctions on the European political party or European political foundation concerned. The decision of the Authority shall be duly reasoned, in particular with regard to the committee’s opinion, and shall be published expeditiously.

5.   The procedure set out in this Article is without prejudice to the procedure set out in Article 10.

——————————

* Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).".

(4)  In Article 11(3), the first subparagraph is replaced by the following:

“When requested by the Authority, the committee shall give an opinion on:

   (a) any possible manifest and serious breach of the values on which the Union is founded, as referred to in point (c) of Article 3(1) and point (c) of Article 3(2), by a European political party or a European political foundation;
   (b) whether a European political party or a European political foundation has deliberately influenced or attempted to influence the outcome of elections to the European Parliament by taking advantage of an infringement of the applicable rules on the protection of personal data.

In the cases referred to in points (a) and (b) of the first subparagraph, the committee may request any relevant document or evidence from the Authority, the European Parliament, the European political party or European political foundation concerned, other political parties, political foundations or other stakeholders, and it may request to hear their representatives. In the case referred to in point (b) of the first subparagraph, the national supervisory authority referred to in Article 10a shall cooperate with the committee in accordance with applicable law.”.

(5)  In Article 18, paragraph (2) is replaced by the following:

“2. The European political party and the European political foundation must, at the time of its application, comply with the obligations listed in Article 23, and, from the date of its application until the end of the financial year or of the action covered by the contribution or grant, remain registered in the Register and may not be the subject of any of the sanctions provided for in Article 27(1) and in point (a) (v), (vi) and (vii) of Article 27(2).”.

(6)  Article 27 is amended as follows:

(a)  in point (a) of paragraph (2), the following point is added:

“(vii) where, in accordance with the verification procedure provided for in Article 10a, it is established that a European political party or a European political foundation has deliberately influenced or attempted to influence the outcome of elections to the European Parliament by taking advantage of an infringement of the applicable rules on the protection of personal data.”;

(b)  the following paragraph is added:

"7. Where a decision of the national supervisory authority as referred to in Article 10a has been repealed, or where a remedy against such decision has been granted, provided that all national remedies have been exhausted, the Authority shall review any sanction imposed pursuant to point (a)(vii) of paragraph 2 at the request of the European political party or European political foundation concerned.".

Article 2

This Regulation shall enter into force on the day of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at ...,

For the European Parliament For the Council

The President The President

(1) Not yet published in the Official Journal.
(2) Opinion of 12 December 2018 (not yet published in the Official Journal).
(3) Position of the European Parliament of 12 March 2019.
(4)Regulation (EU, Euratom) No 1141/2014 of the European Parliament and of the Council of 22 October 2014 on the statute and funding of European political parties and European political foundations (OJ L 317, 4.11.2014, p. 1).


Security threats connected with the rising Chinese technological presence in the EU and possible action on the EU level to reduce them
European Parliament resolution of 12 March 2019 on security threats connected with the rising Chinese technological presence in the EU and possible action on the EU level to reduce them (2019/2575(RSP))
P8_TA-PROV(2019)0156 RC-B8-0154/2019

The European Parliament,

–  having regard to Directive (EU) 2018/1972 of the European Parliament and of the Council of 11 December 2018 establishing the European Electronic Communications Code(1),

–  having regard to Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union(2),

–  having regard to Directive 2013/40/EU of the European Parliament and of the Council of 12 August 2013 on attacks against information systems and replacing Council Framework Decision 2005/222/JHA(3),

–  having regard to the Commission proposal for a regulation of the European Parliament and of the Council, of 13 September 2017, on ENISA, the ‘EU Cybersecurity Agency’, and repealing Regulation (EU) 526/2013, and on Information and Communication Technology cybersecurity certification (‘Cybersecurity Act’) (COM(2017)0477),

–  having regard to the Commission proposal of 12 September 2018 for a regulation establishing the European Cybersecurity Industrial, Technology and Research Competence Centre and the Network of National Coordination Centres (COM(2018)0630),

–  having regard to the adoption of the new National Intelligence Law by the Chinese National People’s Congress on 28 June 2017,

–  having regard to the statements by the Council and the Commission of 13 February 2019 on security threats connected with the rising Chinese technological presence in the EU and possible action on the EU level to reduce them,

–  having regard to the adoption by the Australian Government of the Government’s Telecommunications Sector Security Reforms, which entered into force on 18 September 2018,

–  having regard to its position adopted at first reading on 14 February 2019 on the proposal for a regulation of the European Parliament and of the Council establishing a framework for the screening of foreign direct investments into the European Union(4),

–  having regard to its previous resolutions on the state of EU-China relations, in particular that of 12 September 2018(5),

–  having regard to the Commission communication of 14 September 2016 entitled ‘5G for Europe: an action plan’ (COM(2016)0588),

–  having regard to its resolution of 1 June 2017 on internet connectivity for growth, competitiveness and cohesion: European gigabit society and 5G(6),

–  having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)(7),

–  having regard to Regulation (EU) No 1316/2013 of the European Parliament and of the Council of 11 December 2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010(8),

–  having regard to the Commission proposal of 6 June 2018 for a regulation of the European Parliament and of the Council establishing the Digital Europe programme for the period 2021-2027 (COM(2018)0434),

–  having regard to Rules 123(2) and (4) of its Rules of Procedure,

A.  whereas the EU must drive forward its cybersecurity agenda in order to fulfil its potential in becoming a leading player in cybersecurity and use this to its industry’s advantage;

B.  whereas vulnerabilities in 5G networks could be exploited in order to compromise IT systems, potentially causing very serious damage to economies at European and national levels; whereas a risk analysis-based approach across the value chain is necessary in order to minimise the risks;

C.  whereas the 5G network will be the backbone of our digital infrastructure, extending the possibility to connect various devices to networks (internet of things, etc.), and will bring new benefits and opportunities to society and businesses in many areas, including critical sectors of the economy such as the transport, energy, health, finance, telecoms, defence, space and security sectors;

D.  whereas establishing an appropriate mechanism to respond to security challenges would give the EU the opportunity to actively take steps in setting standards for 5G;

E.  whereas concerns were raised about third-country equipment vendors that might present a security risk for the EU due to the laws of their country of origin, especially after the enactment of the Chinese State Security Laws, which impose obligations on all citizens, enterprises and other entities to cooperate with the state to safeguard state security, in connection with a very broad definition of national security; whereas there is no guarantee that these obligations are not applied extraterritorially, and whereas reactions to the Chinese laws have varied in different countries, ranging from security assessments to outright bans;

F.  whereas in December 2018, the Czech national authority for cybersecurity issued a warning against security threats posed by the technologies provided by the Chinese companies Huawei and ZTE; whereas subsequently, in January 2019, the Czech tax authorities excluded Huawei from a tender to build a tax portal;

G.  whereas a thorough investigation is needed to clarify whether the devices involved, or any other devices or suppliers, pose security risks due to features such as backdoors to systems;

H.  whereas solutions should be coordinated and dealt with at EU level in order to avoid creating different levels of security and potential gaps in cybersecurity, while coordination at a global level is needed in order to provide a strong response;

I.  whereas the benefits of the single market come with the obligation to comply with EU standards and the Union’s legal framework, and whereas suppliers should not be treated differently on the basis of their country of origin;

J.  whereas the regulation on screening of foreign direct investment, which should enter into force by the end of 2020, reinforces Member States’ ability to screen foreign investment based on security and public order criteria, and establishes a cooperation mechanism which allows the Commission and the Member States to cooperate in their assessment of security risks, including cybersecurity risks, posed by sensitive foreign investments, and also covers projects and programmes that are of EU interest, such as the Trans-European Telecommunications Networks and Horizon 2020;

1.  Believes that the Union must take the lead on cybersecurity, by means of a common approach based on the effective and efficient use of EU, Member State and industry expertise, since a patchwork of divergent national decisions would be detrimental to the digital single market;

2.  Expresses deep concern about the recent allegations that 5G equipment developed by Chinese companies may have embedded backdoors that would allow manufacturers and authorities to have unauthorised access to private and personal data and telecommunications from the EU;

3.  Is equally concerned about the potential presence of major vulnerabilities in the 5G equipment developed by these manufacturers if they were to be installed when rolling out 5G networks in the coming years;

4.  Underlines that the implications for the security of networks and equipment are similar around the world and calls for the EU to draw lessons from the experience available, in order to be able to ensure the highest standards of cybersecurity; calls on the Commission to develop a strategy that puts Europe in a leading position in cybersecurity technology and is aimed at reducing Europe’s dependency on foreign technology in the field of cybersecurity; is of the view that whenever compliance with security requirements cannot be guaranteed, adequate measures must be applied;

5.  Calls on the Member States to inform the Commission of any national measure they intend to adopt in order to coordinate the Union’s response so as to ensure the highest standards of cybersecurity throughout the Union, and reiterates the importance of refraining from introducing disproportionate unilateral measures that would fragment the single market;

6.  Reiterates that any entities providing equipment or services in the EU, irrespective of their country of origin, must comply with fundamental rights obligations and with EU and Member State law, including the legal framework as regards privacy, data protection and cybersecurity;

7.  Calls on the Commission to assess the robustness of the Union’s legal framework in order to address concerns about the presence of vulnerable equipment in strategic sectors and backbone infrastructure; urges the Commission to present initiatives, including legislative proposals where appropriate, to address in due time any shortfalls detected, since the Union is in a constant process of identifying and addressing cybersecurity challenges and enhancing cybersecurity resilience in the EU;

8.  Urges those Member States that have not yet fully transposed the NIS Directive to do so without delay, and calls on the Commission to monitor this transposition closely so as to ensure that its provisions are properly applied and enforced and that European citizens are better protected from external and internal security threats;

9.  Urges the Commission and Member States to make sure that the reporting mechanisms introduced by the NIS Directive are properly applied; notes that the Commission and the Member States should follow up thoroughly on any security incidents or inappropriate reactions of suppliers, so as to address detected gaps;

10.  Calls on the Commission to assess the need to further enlarge the scope of the NIS Directive to other critical sectors and services that are not covered by sector-specific legislation;

11.  Welcomes and supports the agreement reached on the Cybersecurity Act and the reinforcement of the mandate of the EU Agency for Network and Information Security (ENISA), in order to better support Member States in tackling cybersecurity threats and attacks;

12.  Urges the Commission to mandate ENISA to make it a priority to work on a certification scheme for 5G equipment in order to ensure that the rollout of 5G in the Union meets the highest security standards and is resilient to backdoors or major vulnerabilities that would endanger the security of the Union’s telecommunication networks and dependent services; recommends that special attention be given to commonly used processes, products and software that by their sheer scale have a significant impact on the day-to-day life of citizens and the economy;

13.  Warmly welcomes the proposals on cybersecurity competence centres and a network of national coordination centres, which are designed to help the EU retain and develop the technological and industrial capacities in cybersecurity that are needed to secure its digital single market; recalls, however, that certification should not exclude competent authorities and operators from scrutinising the supply chain in order to ensure the integrity and security of their equipment that operates in critical environments and telecom networks;

14.  Recalls that cybersecurity demands high security standards; calls for a network that is secure by default and by design; urges the Member States, together with the Commission, to explore all available means to ensure a high level of security;

15.  Calls on the Commission and the Member States, in cooperation with ENISA, to provide guidance on how to tackle cyber threats and vulnerabilities when procuring 5G equipment, for example by diversifying equipment from different vendors or introducing multi-phase procurement processes;

16.  Reaffirms its position on the Digital Europe programme, which imposes security requirements and Commission oversight on entities established in the EU but controlled from third countries, in particular for cybersecurity-related actions;

17.  Calls on the Member States to ensure that public institutions and private companies involved in ensuring the proper functioning of critical infrastructure networks such as telecoms, energy, health and social systems, undertake relevant risk assessments that take into account the security threats specifically linked to technical features of the respective system or dependence on external suppliers of hardware and software technologies;

18.  Recalls that the current legal framework on telecommunications mandates the Member States to ensure that telecoms operators comply with the integrity and availability of public electronic communication networks, including end-to-end encryption where appropriate; highlights that under the European Electronic Communications Code, Member States have extensive powers to investigate products on the EU market and apply a wide variety of remedies in the event of their non-compliance;

19.  Calls on the Commission and the Member States to make security an obligatory aspect in all public procurement procedures for relevant infrastructure at both EU and national level;

20.  Reminds Member States of their obligation under the EU legal framework, notably Directive 2013/40/EU on attacks against information systems, to impose sanctions on legal persons that have committed criminal offences such as attacks against such systems; emphasises that Member States should also make use of their ability to impose other sanctions on these legal entities, such as temporary or permanent disqualification from practicing commercial activities;

21.  Calls on the Member States, cybersecurity agencies, telecoms operators, manufacturers and providers of critical infrastructure services to report to the Commission and ENISA any evidence of backdoors or other major vulnerabilities that could compromise the integrity and security of telecoms networks or infringe Union law and fundamental rights; expects national data protection authorities as well as the European Data Protection Supervisor to thoroughly investigate indications of data breaches of personal data by external vendors and to impose appropriate penalties and sanctions in line with European data protection law;

22.  Welcomes the upcoming entry into force of a regulation establishing a framework for the screening of foreign direct investments (FDI) for reasons of security and public order, and underlines that this regulation establishes for the first time a list of areas and factors, including communications and cybersecurity, which are relevant for security and public order at EU level;

23.  Calls on the Council to speed up its work on the proposed ePrivacy Regulation;

24.  Reiterates that the EU needs to support cybersecurity across the entire value chain, from research to the deployment and uptake of key technologies, disseminate relevant information, and promote cyber hygiene and educational curricula including cybersecurity, and believes that, among other measures, the Digital Europe programme will be an efficient tool for that;

25.  Urges the Commission and the Member States to take the necessary steps, including robust investment schemes, to create an innovation-friendly environment within the EU, which should be accessible to all businesses in the EU digital economy, including small and medium-sized enterprises (SMEs); urges, furthermore, that such an environment should allow European vendors to develop new products, services and technologies which would enable them to be competitive;

26.  Urges the Commission and the Member States to take into account the above requests in the framework of the upcoming discussions on the future EU-China strategy, as preconditions for the EU to remain competitive and for ensuring the security of its digital infrastructure;

27.  Instructs its President to forward this resolution to the Council and the Commission.

(1) OJ L 321, 17.12.2018, p. 36.
(2) OJ L 194, 19.7.2016, p. 1.
(3) OJ L 218, 14.8.2013, p. 8.
(4) Texts adopted, P8_TA(2019)0121.
(5) Texts adopted, P8_TA(2018)0343.
(6) OJ C 307, 30.8.2018, p. 144.
(7) OJ L 119, 4.5.2016, p. 1.
(8) OJ L 348, 20.12.2013, p. 129.


State of EU-Russia political relations
European Parliament resolution of 12 March 2019 on the state of EU-Russia political relations (2018/2158(INI))
P8_TA-PROV(2019)0157 A8-0073/2019

The European Parliament,

–  having regard to its resolution of 10 June 2015 on the state of EU-Russia relations(1),

–  having regard to the agreements reached in Minsk on 5 and 19 September 2014 and on 12 February 2015(2),

–  having regard to its previous resolutions, in particular that of 14 June 2018 on Georgian occupied territories 10 years after the Russian invasion(3), as well as of 4 February 2016 on the human rights situation in Crimea, in particular of the Crimean Tatars(4),

–  having regard to its recommendation to the Council of 2 April 2014 on establishing common visa restrictions for Russian officials involved in the Sergei Magnitsky case(5),

–  having regard to the Foreign Affairs Council conclusions on Russia of 14 March 2016,

–  having regard to the 2018 Sakharov Prize for Freedom of Thought awarded to the Ukrainian filmmaker Oleg Sentsov,

–  having regard to its resolution of 14 June 2018 on Russia, notably the case of Ukrainian political prisoner Oleg Sentsov(6),

–  having regard to its resolution of 25 October 2018 on the situation in the Sea of Azov(7),

–  having regard to the OSCE/Office for Democratic Institutions and Human Rights (ODIHR) Final Report on the 18 March 2018 Presidential Elections in the Russian Federation,

–  having regard to Rule 52 of its Rules of Procedure,

–  having regard to the report of the Committee on Foreign Affairs (A8-0073/2019),

A.  whereas the EU is a community based on a key set of common values that include peace, freedom, democracy, the rule of law, and respect for fundamental and human rights;

B.  whereas it acknowledges that the principles enshrined in the UN Charter, the 1975 Helsinki Final Act and the 1990 OSCE Charter of Paris represent the cornerstones of a peaceful European continent;

C.  whereas those values form the basis of the EU’s relations with third parties;

D.  whereas the EU’s relations with Russia must be based on the principles of international law, respect for human rights, democracy and peaceful conflict resolution, and, as a result of Russia’s disregard of these principles, the EU’s relations with Russia are currently based on cooperation in selected areas of common interest as defined in the Foreign Affairs Council conclusions of 14 March 2016 and on credible deterrence;

E.  whereas the EU remains open to a stronger relationship and to dialogue leading thereto, and wishes to return to cooperative relations with Russia, once the Russian authorities have met their international and legal obligations and have proven Russia’s genuine commitment to restore broken trust; whereas a constructive and predictable relationship would be mutually beneficial and ideally in the interest of both parties;

F.  whereas the Russian Federation, as a full member of the Council of Europe and the OSCE, has committed itself to the principles of democracy, the rule of law and respect for human rights; whereas continued serious violations of the rule of law and the adoption of restrictive laws over the last few years are increasingly calling Russia’s compliance with its international and national obligations into question; whereas Russia has failed to implement more than a thousand judgements of the European Court of Human Rights (ECtHR);

G.  whereas a number of governmental reports show the sharp increase in hostile spying activity by Russia in recent years, reaching levels not seen since the Cold War;

H.  whereas the full implementation of the Minsk Agreements and broader respect for international law remain key preconditions for closer cooperation with Russia; whereas in reaction to the illegal annexation of Crimea and the hybrid war against Ukraine by Russia, the EU has adopted a series of restrictive measures that should remain in place until the Minsk Agreements have been fulfilled;

I.  whereas new areas of tension between the EU and Russia have arisen since 2015, including: Russian intervention in Syria and interference in countries such as Libya and Central African Republic; large-scale military exercises (Zapad 2017); Russian interference aimed at influencing elections and referenda and stoking tensions in European societies; Kremlin support for anti-EU parties and far‑right movements; restrictions on fundamental freedoms and extensive human rights violations in Russia, the spreading of anti-LGTBI sentiment; the crackdown against political opposition; the systemic targeting of human rights defenders, journalists and civil society in Russia, including the arbitrary detention of Oyub Titiev, head of the Human Rights Centre Memorial (HRC Memorial) office in Chechnya or the case of Yury Dmitriev from the Karelian branch of Memorial; the stigmatisation of civil society activists by labelling them as ‘Foreign Agents’; gross violations of human rights in the North Caucasus, in particular in the Chechen Republic (abductions, torture, extrajudicial executions, fabrication of criminal cases, etc.); discrimination against the Tatar minority in occupied Crimea, and the politically motivated persecution of Alexei Navalny and many others, as well as killings, the most notable cases being those of Boris Nemtsov and Sergei Magnitsky; cyber and hybrid attacks and assassinations on European soil carried out by Russian intelligence agents using chemical weapons; the intimidation, arrest and imprisonment of foreign citizens in Russia in breach of international law, including the 2018 Sakharov Prize laureate Oleg Sentsov and many others; the organisation of illegal and illegitimate elections in the Donbas; the holding of non-democratic presidential elections lacking any real choice and with restrictions on fundamental freedoms; disinformation campaigns, the illegal construction of the Kerch Bridge; large-scale militarisation of illegally occupied and annexed Crimea, as well as parts of the Black Sea and the Sea of Azov; restrictions on international navigation in the Sea of Azov and through the Kerch Strait, including ships sailing under the flags of EU Member States; the illegal attack on and seizure of Ukrainian naval vessels and the arrest of Ukrainian servicemen in the Kerch Strait; violations of arms control agreements; the oppressive climate for journalists and the independent media with continued detentions of journalists and bloggers; and the World Press Freedom Index ranking of Russia at 148 out of 180 on media freedom in 2018;

J.  whereas by 1 March 2018, HRC Memorial had recorded 143 cases of political prisoners, including 97 who were being persecuted on religious grounds; whereas an analysis of HRC Memorial’s list of political prisoners shows that in 2017, there were 23 cases of people being prosecuted for crimes relating to public events (mass riots, violent actions against a public authority), and there were 21 cases, mostly linked to publishing posts on the Internet, of prosecutions being initiated under the ‘anti-extremist’ articles of the criminal code;

K.  whereas Russia is directly or indirectly party to a number of protracted conflicts in the common neighbourhood – in Transnistria, South Ossetia, Abkhazia, Donbas and Nagorno Karabakh – that constitute serious impediments to the development and stability of the neighbouring countries concerned, undermine their independence and limit their free sovereign choices;

L.  whereas the conflict in Eastern Ukraine has lasted more than four years and claimed over 10 000 lives, almost one third of them civilians, and thousands of conflict-related civilian injuries;

M.  whereas the current persistent tensions and confrontation between the EU and Russia are not in the interests of either party; whereas the communication channels should remain open in spite of the disappointing results; whereas the new division of the continent jeopardises the security of both the EU and Russia;

N.  whereas Russia is currently the EU’s most important external supplier of natural gas; whereas energy continues to play a central and strategic role in EU-Russia relations; whereas Russia uses energy as a means to protect and promote its foreign policy interests; whereas the EU’s dependency on Russian gas supplies has increased since 2015; whereas the EU’s resilience to external pressures can be built up through the diversification of energy supply and a decrease in its dependence on Russia; whereas the EU must speak with one voice and show strong internal solidarity when it comes to its energy security; whereas the EU’s strong dependence on fossil fuels undermines the development of a balanced, coherent and value-driven European approach vis-à-vis Russia; whereas there is a need for a more reliable and strategic energy infrastructure in the EU, Member States and Eastern Partnership (EaP) countries in order to enhance resilience to Russian hybrid activity;

O.  whereas the irresponsible actions of Russian jet fighters near the airspace of EU and NATO Member States are jeopardising the safety of civilian flights and could be a threat to European airspace security; whereas provocative large-scale military manoeuvres have been conducted by Russia in the immediate vicinity of the EU;

P.  whereas Russia continues to ignore judgments of the ECtHR, as well as binding awards by the Permanent Court of Arbitration such as in the case of Naftogaz, which undermines the international trade dispute settlement mechanisms;

Q.  whereas Russia’s polycentric vision of the concert of powers contradicts the EU’s belief in multilateralism and a rules-based international order; whereas Russia’s adherence to and support for the multilateral rules-based order would create the conditions for closer relations with the EU;

R.  whereas the Russian authorities continue to treat illegally occupied regions as if they were an internal part of Russian territory by allowing the participation of representatives of these territories in the legislative and executive bodies of the Russian Federation, which is in violation of international law;

S.  whereas on 21 December 2018, the Council, having assessed the implementation of the Minsk Agreements, prolonged the economic sanctions targeting specific sectors of the Russian economy until 31 July 2019;

T.  whereas Russia’s actions are in breach of international law and commitments and good neighbourly relations;

U.  whereas in the strategic documents of the Russian Federation, the EU and NATO are portrayed as Russia’s primary adversaries;

Challenges and shared interests

1.  Underlines that Russia’s illegal occupation and annexation of Crimea, a region of Ukraine, its direct and indirect involvement in armed conflicts in the eastern part of Ukraine and its continuous violation of the territorial integrity of Georgia and Moldova constitute a deliberate violation of international law, democratic principles and fundamental values; strongly condemns human rights violations carried out by Russian representatives on the occupied territories;

2.  Stresses that the EU cannot envisage a gradual return to ‘business as usual’ until Russia fully implements the Minsk Agreement and restores the territorial integrity of Ukraine; calls, in this regard, for a critical, comprehensive re-assessment by the EU of its relations with the Russian Federation;

3.  Stresses that under the present circumstances, Russia can no longer be considered a ‘strategic partner’; is of the view that the principles of Article 2 of the Partnership and Cooperation Agreement (PCA) are no longer being met, and that the PCA should therefore be reconsidered; believes that any framework for the EU-Russia relationship should be based on the full respect of international law, the Helsinki OSCE principles, democratic principles, human rights and the rule of law, and allow for dialogue on managing global challenges, the strengthening of global governance and ensuring enforcement of international rules, particularly with a view to guaranteeing European peace order, and security in EU’s neighbourhood and the Western Balkans;

4.  Believes that implementation of the Minsk Agreements would demonstrate Russia’s good will in contributing to resolving the conflict in Eastern Ukraine and its capacity to guarantee European security; stresses the necessity for consultations to be advanced within the Normandy format process, including a stronger EU role; reiterates its support for the sovereignty and territorial integrity of Ukraine;

5.  Believes in the importance of de-escalating current tensions and of engaging in consultations with Russia to reduce the risk of misunderstandings, misinterpretation and misreading; recognises, however, that the EU must be firm in relation to its expectations on Russia; underlines the importance of cooperation between the EU and Russia in the international rules‑based order and of positive engagement in the international and multilateral organisations that Russia is a member of, particularly in the framework of the OSCE with regard to the contentious issues and crises;

6.  Strongly condemns Russia’s involvement in the Skripal case, and in disinformation campaigns and cyber attacks carried out by the Russian intelligence services aimed at destabilising public and private communications infrastructure and at increasing tensions within the EU and its Member States;

7.  Is deeply concerned about the links between the Russian Government and the extreme right and populist nationalist parties and governments in the EU that pose a threat to the fundamental values of the Union, which are enshrined in Article 2 of the Treaty on European Union and reflected in the Charter of Fundamental Rights of the European Union, including respect for democracy, equality, the rule of law and human rights;

8.  Regrets, furthermore, Russia’s efforts to destabilise EU candidate countries with regard, in particular and by way of an example, to the support provided by Moscow to the organisations and political forces opposing the Prespa Agreement that should end the long‑standing dispute on the name between the former Yugoslav Republic of Macedonia and Greece;

9.  Believes that Russian state actors interfered in the Brexit referendum campaign using overt and covert means, including social media and potentially illegal financial support, currently under investigation by the UK authorities;

10.  Emphasises that increased mutual transparency in military and border guard activities is important in order to avoid further tensions; strongly denounces Russia’s violation of the airspace of EU Member States; calls for a clear code of conduct concerning airspace used by military and civilian aircraft; strongly condemns, in this context, Russia’s repeated violations of territorial waters and the airspace of countries in the Baltic Sea region; condemns the Russian Federation for its responsibility in the shooting down of flight MH17 over Eastern Ukraine in 2014, as proved by an international team of investigators, and calls for those responsible to be brought to justice;

11.  Regrets the significant deterioration in the human rights situation, widespread and undue restrictions of the rights to freedom of expression, association and peaceful assembly in Russia, and expresses its deep concern at the ongoing crackdown on, and harassment and persecution of human rights defenders, protest activists and other critics;

12.  Is deeply concerned that Russia so manifestly demonstrates its military powers, articulates threats to other countries and manifests the willingness and readiness to use military force against other nations in real actions, including advanced nuclear weapons, as reiterated by President Putin on several occasions in 2018;

13.  Condemns the government’s continuing crackdown on dissent and media freedom, as well as the repression of activists, political opponents and those who openly express disagreement with the government;

14.  Expresses its concern at reports of arbitrary detention and torture of men perceived to be gay in Chechnya, and condemns the Chechen Government’s statements denying the existence of homosexuals in their country and inciting violence against LGBTI people;

15.  Highlights that the global challenges of climate change, the environment, energy security, digitalisation together with algorithmic decision making and artificial intelligence, foreign and security issues, the non-proliferation of weapons of mass destruction and the fight against terrorism and organised crime, and developments in the sensitive Arctic environment, call for selective engagement with Russia;

16.  Expresses concern over the potentially hundreds of billions of euros being laundered through the EU every year by Russian companies and individuals looking to legitimise the proceeds of corruption, and calls for investigations into these crimes;

17.  Underlines that money laundering and organised criminal financial activities by Russia are being used for subversive political purposes and pose a threat to European security and stability; considers the magnitude of this money laundering to be such as to form part of the hostile activities intended to undermine, misinform and destabilise, while at the same time sustaining criminal activities and corruption; notes that Russian money laundering activities within the EU constitute a threat to sovereignty and the rule of law in all Member States where Russia operates such activities; states that this is a threat to European security and stability, and a major challenge to the European Union’s Common Foreign and Security Policy;

18.  Condemns money laundering activities, illegal financial activities and other means of economic warfare by Russia; calls for competent financial authorities in the EU to step up cooperation both with each other and with the relevant intelligence and security services, in order to tackle Russian money laundering activities;

19.  Reiterates that while the EU’s stance is firm, coherent and concerted with respect to EU sanctions on Russia, which will be prolonged as long as Russian violations of international law continue, further coordination and coherence is required in its foreign and security policy approach to Russia; calls, in this context, on Member States to end ‘golden visa/passport’ programmes which benefit Russian oligarchs who are often Kremlin supporters, and may undermine the effectiveness of international sanctions; reiterates its previous calls for a European Magnitsky Act (the EU Global Human Rights Sanctions Regime), and calls on the Council to pursue its work on this matter without undue delay; calls on the Member States to fully cooperate at European level with regard to their policy towards Russia;

20.  Stresses that the restrictive targeted measures relating to Eastern Ukraine and occupied Crimea are not directed against the Russian people but against certain individuals and enterprises connected to the Russian leadership;

21.  Underlines, in this regard, that coherence between its internal and external policies and better coordination of the latter is the key to a more coherent, effective and successful EU external and security policy, including vis-à-vis Russia; stresses that this applies in particular to policy areas such as the European Defence Union, the European Energy Union, cyber defence and strategic communication tools;

22.  Condemns Russia’s violation of the territorial integrity of neighbouring countries including through the illegal kidnapping of citizens of those countries so that they can be charged before a Russian court; further condemns Russia’s abuse of Interpol by issuing ‘wanted person alerts’ – so‑called ‘red notices’ – to persecute political opponents;

23.  Condemns Russia’s actions in the Sea of Azov in so far as they constitute a breach of international maritime law and Russia’s international commitments, as well as the building of the Kerch Bridge and the laying of underwater cables to the illegally annexed Crimean peninsula without the consent of Ukraine; remains deeply concerned about the Russian militarisation of the Sea of Azov, the Black Sea region and Kaliningrad District, as well as the recurring pattern of violating the territorial waters of European countries in the Baltic Sea;

24.  Reaffirms its unequivocal support for the sovereignty and territorial integrity of Georgia; demands that the Russian Federation cease its occupation of the Georgian territories of Abkhazia and Tskhinvali Region/South Ossetia and fully respect the sovereignty and territorial integrity of Georgia; stresses the need for the Russian Federation to unconditionally fulfil all the provisions of the ceasefire agreement of 12 August 2008, in particular the commitment to withdrawing all its military forces from the territory of Georgia;

25.  Underscores that Russia’s disregard of international rules – in this case the freedom of the seas, bilateral agreements and the illegal annexation of Crimea – poses a threat to Russia’s neighbours in all parts of Europe, not only in the Black Sea region, but also in the Baltic Sea region and the Mediterranean; highlights the importance of developing a firm policy towards Russia in all these respects;

26.  Notes that the Presidential elections of 18 March 2018 were observed by the International Election Observation Mission (IEOM) of the ODIHR EOM and the OSCE Parliamentary Assembly (OSCE PA); notes that the ODIHR Election Observation Mission Final Report states that elections took place in an overly controlled legal and political environment marked by continued pressure on critical voices and restrictions being placed on the fundamental freedoms of assembly, association and expression, as well as on candidate registration, and therefore lacked genuine competition;

27.  Is concerned about the continuous Russian support for authoritarian regimes and countries such as North Korea, Iran, Venezuela, Syria, Cuba, Nicaragua and others, and its ongoing practice of blocking any international action by using its veto powers in the UN Security Council (UNSC);

Areas of common interest

28.  Reiterates its support for the five principles guiding the EU’s policy towards Russia, and calls for further definition of the selective engagement principle; recommends that the focus be placed on issues relating to the MENA and the Northern and Arctic region, terrorism, violent extremism, non-proliferation, arms control, strategic stability in the cyber sphere, organised crime, migration and climate change, including joint efforts to safeguard the UNSC-endorsed Joint Comprehensive Plan of Action (JCPOA) with Iran, and bringing an end to the war in Syria; reiterates that while consultations between the EU and Russia on cyber terrorism and organised crime need to continue, Russia’s systematic hybrid threats require strong deterrence; calls, in this context, for an EU-Russia-China-Central Asia dialogue on connectivity;

29.  Underlines that the EU is currently Russia’s largest trading partner and will keep its position as key economic partner for the foreseeable future, but that Nord Stream 2 reinforces EU dependency on Russian gas supplies, threatens the EU internal market and is not in line with EU energy policy or its strategic interests, and therefore needs to be stopped; emphasises that the EU remains committed to completing the European Energy Union and diversifying its energy resources; underlines that no new projects should be implemented without a prior legal assessment of their legal conformity with EU law and with the agreed political priorities; deplores Russia’s policy of using its energy resources as a political tool to exert, maintain and increase its political influence over and pressure on its perceived sphere of influence and end-consumers;

30.  Underlines that EU-Russia cross-border cooperation programmes and the constructive cooperation in the Northern Dimension Partnerships and in the Barents-Euro-Arctic bring tangible benefits to the citizens of cross-border areas and support the sustainable development of these areas; recommends, in this context, that all of these positive areas of constructive cooperation continue to be fostered;

31.  Notes the importance of people-to-people contacts, for example through education and culture;

32.  Calls on the Vice-President of the Commission / High Representative of the Union for Foreign Affairs and Security Policy and on the Member States to strengthen their efforts towards a resolution of the so-called ‘frozen conflicts’ in the Eastern neighbourhood, in order to ensure greater security and stability for the EU’s Eastern partners;

Recommendations

33.  Stresses the importance of continued political and financial support for people-to-people contacts in general and, in particular, for civil society activists, human rights defenders, bloggers, independent media, investigative journalists, outspoken academics and public figures, and NGOs; calls on the Commission to programme more ambitious and long-term financial, institutional and capacity building assistance to Russian civil society from the existing external financial instruments, and calls on the Member States to further contribute to this assistance; encourages the Member States to actively implement the EU guidelines on human rights defenders by providing effective and timely support and protection to human rights defenders, journalists and other activists; particularly encourages Member States to issue long-term visas to human rights defenders at risk and their family members; supports increased funding for journalist training and exchanges with European journalists and for instruments that advance human rights and democracy, such as the European Instrument for Democracy and Human Rights (EIDHR) and the European Endowment for Democracy (EED);

34.  Calls for more people-to-people contacts with a focus on young people, on reinforcing dialogue and cooperation between EU and Russian experts, researchers, civil societies and local authorities and for intensified student, vocational trainee and youth exchanges, particularly in the Erasmus+ framework; supports, in this context, increased funding for the new Erasmus+ programmes 2021-2027; notes that the EU provides the highest number of academic mobility opportunities to Russia in comparison with other international partner countries;

35.  Calls for the unconditional release of all human rights defenders and other persons detained for peacefully exercising their rights to freedom of expression, assembly and association, including of the Director of the Memorial HRC in the Chechen Republic, Oyub Titiev, who is on trial on the basis of fabricated charges of drug possession; urges the Russian authorities to ensure full respect for their human and legal rights, including access to a lawyer and medical care, physical integrity and dignity, and protection from judicial harassment, criminalisation and arbitrary arrest;

36.  Notes that civil society organisations are often too weak to have a substantial impact on the fight against corruption in Russia, while NGOs are systematically discouraged from actively engaging in any anti-corruption efforts or promoting public integrity; underlines that it is necessary to involve civil society in the independent monitoring of the effectiveness of anti-corruption policies; calls on Russia to correctly implement international anti-corruption standards formulated in, for example, the UN Convention against Corruption and the OECD Convention on Combating Bribery of Foreign Public Officials in International Business Transactions (the Anti-Bribery Convention);

37.  Underlines that the promotion of human rights and the rule of law must be at the core of the EU’s engagement with Russia; calls, therefore, for the EU and the Member States to continue bringing up human rights issues in all contacts with Russian officials; encourages the EU to continuously call on Russia to repeal or amend all laws and regulations incompatible with international human rights standards, including provisions restricting the right to freedom of expression, assembly and association;

38.  Expresses its conviction that Russia’s membership in the Council of Europe is an important element of the present landscape of institutional relations in Europe; hopes that ways can be found to convince Russia not to abandon its Council of Europe membership;

39.  Condemns the attempts by the Russian Government to block internet messaging services and websites; urges the Russian Government to uphold the fundamental rights to freedom of expression and privacy online as well as offline;

40.  Calls for the EU institutions and Member States to make greater efforts to build resilience, particularly in the cyber and media fields, including mechanisms to detect and fight election interference; calls for resilience against cyberattacks to be increased; expresses deep concern that the EU reaction and response to the Russian propaganda campaign and massive direct disinformation attacks has been insufficient and should be further strengthened, in particular before the upcoming European elections in May 2019; stresses, in this context, that EU funding and human resources for the East Stratcom Task Force must be substantially increased; calls for EU-wide support for the European cyber-security industry, a functioning digital internal market and a stronger engagement in research; encourages, in this context, the promotion of European values in Russian by East Stratcom; welcomes the adoption of the EU Action Plan against Disinformation, and calls on Member States and all relevant EU actors to implement its actions and measures, in particular in the run-up to the upcoming European elections in May 2019;

41.  Calls for the EU to consider developing a binding legal framework, both at EU and international level, for tackling hybrid warfare that would allow for a robust response by the Union to campaigns that threaten democracy or the rule of law, including targeted sanctions against those responsible for orchestrating and implementing these campaigns;

42.  Believes that meaningful dialogue requires firmer unity among Member States and clearer communication of the red lines on the EU side; stresses, therefore, that the EU should stand ready to adopt further sanctions, including targeted personal sanctions, and limiting access to finances and technology if Russia’s violation of international law continues; stresses, however, that such measures are not against the Russian people but targeted individuals; calls on the Council to carry out an in-depth analysis of the efficiency and strictness of the sanctions regime in place; welcomes the Council’s decision to impose restrictive measures on European companies involved in the illegal construction of the Kerch Bridge; reiterates its concern at the involvement of these companies which, through this involvement, either knowingly or unknowingly undermined the EU sanctions regime; calls on the Commission, in this context, to assess and verify the application of the EU restrictive measures in force, and on the Member States to share information regarding any national customs or criminal investigations into cases of potential violations;

43.  Calls for an EU-wide mechanism allowing the screening of political parties’ funding, and for subsequent measures to be taken to avoid some parties and movements being used to destabilise the European project from within;

44.  Condemns the increasing scope and number of Russian military drills, where Russian forces practice offensive scenarios with the use of nuclear weapons;

45.  Urges the Commission and the European External Action Service (EEAS) to prepare without delay a legislative proposal for an EU-wide Magnitsky Act which would allow the imposition of visa bans and targeted sanctions, such as blocking property and interests in property within the EU’s jurisdiction on individual public officials or persons acting in an official capacity, who are responsible for acts of corruption or serious human rights violations; stresses the importance of an immediate sanctions list in order to secure the effective implementation of a European Magnitsky Act;

46.  Calls for the EU to verify the application of the EU restrictive measures in force, as well as the sharing of information between Member States, in order to ensure that the EU sanctions regime against Russia’s actions is not undermined, but applied in proportion to the threats posed by Russia; underlines the danger of weakening the sanctions without Russia demonstrating through clear actions, not only in words, that it respects the borders of Europe and the sovereignty of its neighbours and other nations, as well as international rules and agreements; reiterates that business as usual can only be possible once Russia fully respects the rules and restricts itself to acting in a peaceful manner;

47.  Reiterates that Russia has no right of veto over the Euro-Atlantic aspirations of European nations;

48.  Calls on the Commission to closely monitor the consequences of Russian counter-sanctions on economic actors and, if needed, consider compensatory measures;

49.  Underlines that there can only be political solutions to the conflict in Eastern Ukraine; encourages confidence-building measures in the Donbas region; supports a mandate for deploying a UN peacekeeping force in this region of Eastern Ukraine; reiterates its call to appoint an EU Special Envoy for Crimea and the Donbas region;

50.  Condemns the arbitrary measure of banning EU politicians, among them current and former Members of the European Parliament, and EU officials from access to Russian territory; calls for the immediate and unconditional lifting of the entry ban;

51.  Calls on Russia to immediately release political prisoners, including foreign citizens, and journalists;

52.  Calls on Russia to cooperate fully in relation to the international investigation into the downing of flight MH17, which could possibly constitute a war crime; condemns any attempt or decision to grant amnesty to, or delay the prosecution of, those identified as responsible, as the perpetrators should be held to account;

53.  Calls on the Russian Government to refrain from blocking UNSC resolutions on the situation in Syria that seek to address the ongoing violence against civilians, including the use of chemical weapons, gross violations of the Geneva Conventions and violations of universal human rights;

54.  Supports the swift completion of an integrated European Energy Union that would in future include the Eastern Partners; stresses the role that an ambitious policy on energy efficiency and renewables can play in this regard; strongly condemns Russian pressure on Belarus to essentially renounce its independence; underlines that independently of advancing an EU-Russia strategy, the EU must reinforce its commitment and support for its Eastern Partners and support reforms to strengthen security and stability, democratic governance and the rule of law;

55.  Supports increased funding for the EED, the Russian Language News Exchange (RLNE) and other instruments to advance democracy and human rights in Russia and elsewhere;

56.  Calls on the Russian authorities to condemn Communism and the Soviet regime, and to punish the perpetrators of the crimes and offences committed under that regime;

o
o   o

57.  Instructs its President to forward this resolution to the Council, the Commission and the Vice-President of the Commission / High Representative of the Union for Foreign Affairs and Security Policy.

(1) OJ C 407, 4.11.2016, p. 35.
(2) ‘Protocol on the results of consultations of the Trilateral Contact Group’, signed on 5 September 2014, and ‘Package of measures for the Implementation of the Minsk Agreements’, adopted on 12 February 2015.
(3) Texts adopted, P8_TA(2018)0266.
(4) OJ C 35, 31.1.2018, p. 38.
(5) OJ C 408, 30.11.2017, p. 43.
(6) Texts adopted, P8_TA(2018)0259.
(7) Texts adopted, P8_TA(2018)0435.


Building EU capacity on conflict prevention and mediation
European Parliament resolution of 12 March 2019 on building EU capacity on conflict prevention and mediation (2018/2159(INI))
P8_TA-PROV(2019)0158 A8-0075/2019

The European Parliament,

–  having regard to the Universal Declaration of Human Rights and other UN human rights treaties and instruments,

–  having regard to the principles and purposes of the UN Charter,

–  having regard to the European Convention on Human Rights,

–  having regard to the 1975 Helsinki Final Act of the Organisation for Security and Cooperation in Europe (OSCE) and all its principles, as a cornerstone document for the European and wider regional security order,

–  having regard to the Charter of Fundamental Rights of the European Union,

–  having regard to the Treaty on European Union and the Treaty on the Functioning of the European Union,

–  having regard to the UN’s Sustainable Development Goals (SDGs) and to the 2030 Agenda for Sustainable Development,

–  having regard to the UN Security Council’s resolutions on conflict prevention and mediation, as well as those on women, peace and security, and on youth, peace and security,

–  having regard to the Council’s Concept on Strengthening EU Mediation and Dialogue Capacities, of 10 November 2009 (15779/09),

–  having regard to the Global Strategy for the European Union’s Foreign and Security Policy presented by the Vice-President of the Commission / High Representative of the Union for Foreign Affairs and Security Policy (VP/HR) Federica Mogherini on 28 June 2016, and to the first report on its implementation entitled ‘From Shared Vision to Common Action: Implementing the EU Global Strategy’, published on 18 June 2017,

–  having regard to its recommendation of 15 November 2017 to the Council, the Commission and the EEAS on the Eastern Partnership, in the run-up to the November 2017 Summit(1),

–  having regard to its recommendation of 5 July 2018 to the Council on the 73rd session of the United Nations General Assembly(2),

–  having regard to Regulation (EU) 2017/2306 of the European Parliament and of the Council of 12 December 2017 amending Regulation (EU) No 230/2014 establishing an instrument contributing to stability and peace(3),

–  having regard to the Proposal of 13 June 2018 of the High Representative of the Union for Foreign Affairs and Security Policy, with the support of the Commission, to the Council for a Council Decision establishing a European Peace Facility (HR(2018) 94),

–  having regard to Rule 52 of its Rules of Procedure,

–  having regard to the report of the Committee on Foreign Affairs (A8-0075/2019),

A.  whereas promoting international peace and security is part of the EU’s raison d’être, recognised by the 2012 Nobel Peace Prize, and is central to the Lisbon Treaty;

B.  whereas the EU is committed to implementing the Women, Peace and Security Agenda in line with UN Security Council Resolution 1325 and subsequent updates, and the Youth, Peace and Security Agenda in line with UN Security Council Resolution 2250 and subsequent updates;

C.  whereas the EU is one of the biggest donors in support of conflict prevention and peace building through its external assistance instruments;

D.  whereas the EU, as a key contributor to international organisations, a core aid donor and the world's largest trading partner, should take a leading role in global peacebuilding, conflict prevention and the strengthening of international security; whereas conflict prevention and mediation should be articulated as part of a comprehensive approach combining security, diplomacy and development;

E.  whereas cooperation is necessary with regional organisations such as the OSCE, which, in its 1975 Helsinki Final Act, stipulates, among others, the principles of the non-use of force, territorial integrity of states, equal rights and self-determination of peoples, and whereas these organisations play a key role in conflict prevention and mediation;

F.  whereas the prevention of violent conflict is fundamental in addressing the security challenges facing Europe and its neighbourhood and for political and social advancement; whereas it is also an essential element of effective multilateralism and it is instrumental to achieving the SDGs, specifically Goal 16 on peaceful and inclusive societies, access to justice for all and effective, accountable and inclusive institutions at all levels;

G.  whereas continued EU support to civil and military actors in third countries is an important factor in preventing recurrent violent conflict; whereas sustainable and lasting peace and security are inseparable from sustainable development;

H.  whereas conflict prevention and mediation should ensure the maintenance of stability and development in those states and geographical areas whose situation represents a direct security issue for the Union;

I.  whereas prevention is a strategic function which aims to ensure effective action ahead of crises; whereas mediation is another tool of diplomacy that can be used to prevent, contain or resolve a conflict;

J.  whereas internal and external security are increasingly inextricably linked and the complex nature of global challenges requires a comprehensive and integrated EU approach to external conflicts and crises;

K.  whereas a stronger interinstitutional approach is required in order to ensure that the EU is able to develop and to implement its capacities to their full potential;

L.  whereas the EU Global Strategy, political statements and institutional developments are welcome signs of the commitment of the VP/HR to prioritising conflict prevention and mediation;

M.  whereas the external financing instruments provide a significant contribution in support of conflict prevention and peacebuilding;

N.  whereas transitional justice is an important set of judicial and non-judicial mechanisms focusing on accountability for past abuses as well as the establishment of a sustainable, just and peaceful future;

O.  whereas Parliament has taken a prominent role in parliamentary diplomacy, including mediation and dialogue processes, drawing on its ingrained culture of dialogue and consensus building;

P.  whereas violent conflict and war have a disproportionate impact on civilians, particularly women and children, and put women at greater risk than men of economic and sexual exploitation, forced labour, displacement, detention and sexual violence such as rape, which is used as a tactic of war; whereas the active participation of women and young people is important for conflict prevention and peacebuilding as well as in the prevention of all forms of violence, including sexual and gender-based violence;

Q.  whereas it is essential to include and support the active and meaningful participation of civil society and local actors, both civilian and military, including women, minorities, indigenous peoples and young people, when promoting and facilitating capacity and confidence building in mediation, dialogue and reconciliation;

R.  whereas conflict prevention, peacebuilding and peace keeping efforts are frequently underfunded, despite policy commitments at EU level, which has knock-on effects on the capacity to promote and facilitate action in these areas;

1.  Encourages the Union to further prioritise conflict prevention and mediation in the framework or in support of existing agreed negotiating formats and principles; underlines that this approach is delivering a high degree of EU added value in political, social, economic and human security terms globally; recalls that conflict prevention and mediation actions contribute to asserting the presence and credibility of the Union on the international scene;

2.  Recognises the role played by civil and military missions carried out by the common security and defence policy (CSDP) in maintaining peace, avoiding conflicts and strengthening international security;

3.  Calls on the VP/HR, the President of the Commission and the President of the European Parliament to set joint, long-term priorities in the area of conflict prevention and mediation, which should become part of a regular strategic programming exercise;

4.  Calls for long-term peacebuilding addressing the root causes of conflict;

5.  Calls for the enhancement of the current architecture to support the EU’s priorities as described below;

6.  Calls for conflict-sensitive and people-centred approaches which put human security at the core of EU engagement in order to achieve positive and sustainable results on the ground;

7.  Invites the European External Action Service (EEAS) and the Commission’s services dealing with external action to present a yearly report to Parliament on the progress made in implementing EU policy commitments on conflict prevention and mediation;

On enhancing the EU’s institutional capacities for conflict prevention and mediation

8.  Supports the more coherent and holistic engagement of the EU in external conflicts and crises, considers that the integrated approach to external conflicts and crises constitutes the added value of the Union’s external action and that all means must be implemented as rapidly as possible in order to clarify EU responses at each stage of the conflict and to make this integrated approach more operational and more effective; recalls in this context the norms and principles of international law and the UN Charter, and expresses support for existing negotiating frameworks, approaches and principles; reiterates that each conflict should be viewed independently;

9.  Stresses that this capacity building should enable Member States to identify priority geographical areas for conflict prevention and mediation actions, and facilitate bilateral cooperation between European countries;

10.  Calls for the establishment, under the authority of the VP/HR, of an EU high-level advisory board on conflict prevention and mediation, with the aim of setting up a comprehensive pool of experienced senior political mediators and conflict prevention experts to make available political and technical expertise at short notice; believes that a pool of experts covering reconciliation and transitional justice is also needed; calls for the establishment of reconciliation and accountability mechanisms to be systematically encouraged in all post-conflict areas in order to ensure accountability for past crimes, as well as prevention and deterrence for the future;

11.  Calls for the appointment of an EU Special Envoy for peace to chair the EU high-level advisory board, in order to promote coherence and coordination across the institutions, including in their engagement with civil society, to improve the exchange of information and lead to increased and earlier action;

12.  Calls for the establishment of other interinstitutional mechanisms such as task forces for specific conflict prevention situations;

13.  Calls for the establishment of a dedicated Council working group on conflict prevention and mediation, emphasising the EU’s strong commitment to peace and stability in its neighbouring regions;

On the European External Action Service

14.  Welcomes the establishment of a dedicated EEAS ‘Conflict prevention, Peace building and Mediation Instruments Division’ and the development of tools such as the Early Warning System and horizon scanning; calls for investments to further develop such tools;

15.  Calls for more systematic gathering, management and dissemination of relevant knowledge in formats that are accessible, practical and operationally relevant for staff across the EU institutions;

16.  Calls for further capacity development on gender-sensitive conflict analysis, early warning, reconciliation and conflict prevention for in-house staff, mediators and other experts, as well as for third parties, engaging with the EEAS and including civil society organisations;

On the European Commission

17.  Recalls the growing need for conflict prevention in addressing the root causes of conflict and in achieving the SDGs, with a particular focus on democracy and human rights, the rule of law, judicial reform and support for civil society;

18.  Highlights the fact that all EU interventions in violent and conflict-affected areas need to be conflict and gender sensitive; calls for immediate action to embed these aspects in all relevant policies, strategies, actions and operations, entailing a greater focus on the avoidance of doing harm, while maximising the EU’s contribution to achieving long-term conflict prevention and peace-building objectives;

On the European Parliament

19.  Underlines the role of the Democracy Support and Election Coordination Group (DEG) and its lead MEPs as the operational body for coordinating mediation and dialogue initiatives and welcomes new initiatives such as the Jean Monnet Dialogue for peace and democracy (using the historic Jean Monnet House in Bazoches, France), activities on election-related violence, and inter-party dialogue and consensus-building, as well as the Young Political Leaders’ programme, and recommends that these should be developed further as key instruments of the European Parliament in the area of mediation, facilitation and dialogue; welcomes the decision of the DEG to build on the success of the Jean Monnet Dialogue process with the Macedonian Sobranie by extending the Jean Monnet Dialogue’s methodology throughout the countries of the Western Balkans;

20.  Welcomes the partnership with the Ukrainian Verkhovna Rada in the format of the Jean Monnet Dialogues, which has the aim of building consensus among political factions and parties in the Verkhovna Rada and, most importantly, of transforming the political culture towards a modern European parliamentary approach based on democratic dialogue and consensus building;

21.  Welcomes the conclusions of the fifth Jean Monnet Dialogue, which took place from 11 to 13 October 2018 and where steps were taken concerning support for the implementation of the Association Agreement; recognises the request for the European Parliament to work with the Commission to facilitate a dialogue with key stakeholders from the Verkhovna Rada and the Government of Ukraine on improving the effectiveness of the Verkhovna Rada in its role in relation to the implementation of the Association Agreement;

22.  Welcomes the new tri-partite initiative of the Speakers of the Parliaments of Ukraine, Moldova and Georgia to establish a regional parliamentary assembly as an important platform for regional dialogue on strategic issues including the implementation of Association Agreements and for responding to key security challenges including hybrid war and disinformation; considers Parliament’s support for this regional parliamentary dialogue to be an important sign of its commitment to the region in the face of common regional security challenges;

23.  Recognises its growing role in the political mediation processes; highlights, in this respect, the joint initiative of the Commissioner for European Neighbourhood Policy and Enlargement Negotiations and three mediators of the European Parliament, Mr Kukan, Mr Vajgl and Mr Fleckenstein, in supporting the party leaders in the Former Yugoslav Republic of Macedonia in overcoming the political crisis through the adoption of the 2015 Przino Agreement; confirms its readiness to build on this example of close interinstitutional cooperation with the Commission and the EEAS by stepping up its engagement to strengthen political dialogues and reconciliation throughout the Western Balkans and the wider neighbourhood;

24.  Calls for further development of the Young Political Leaders’ programme in the context of the Youth, Peace and Security Agenda, based on UN Security Council Resolution 2250, as well as for the continuation of the excellent cooperation with the VP/HR’s regional initiative for the Mediterranean under the Young Med Voices programme;

25.  Considers that the High Level Youth Dialogue ‘Bridging the gap’ provides a space for dialogue among youth representatives and young members of parliaments from the Western Balkans, which is important in supporting a culture of cross-party dialogue and reconciliation as well as fostering the European perspective of the countries in the region;

26.  Recommends that the existing parliamentary training and coaching programmes available for Members of the European Parliament, particularly those appointed as mediators or Chief Observers, as well as training programmes for third country parliamentarians, political parties and staff, be further developed, including those on gender and youth aspects, also in coordination with structures in Member States which have developed expertise in this field;

27.  Considers that Parliament’s capacities could be further developed with the appointment of a vice-president responsible for coordinating mediation and facilitation of dialogue activities, who would act in close cooperation with the DEG; calls for the establishment of a pool of current and former Members of the European Parliament;

28.  Underlines the role of the European Parliament’s Sakharov Prize in raising awareness about conflicts around the world; calls for an increase in the prize money awarded in the next Parliamentary term;

29.  Recognises the need for Parliament, in support of overall EU efforts, to institutionalise its procedures on mediation; calls for the strengthening of parliamentary diplomacy and exchange activities, including through the work of parliamentary delegations;

30.  Underlines the long-standing close cooperation between Parliament and the OSCE Office for Democratic Institutions and Human Rights (ODIHR) in the area of elections and support for democracy; calls for the extension of this cooperation into the area of mediation and dialogue;

On women, peace and security – enhancing gender capacities in EU conflict prevention and mediation

31.  Calls for the EU to take a leading role in the implementation of the UN Security Council resolutions on women, peace and security and the incorporation of the principles contained therein at all stages of EU conflict prevention and mediation activities;

32.  Calls for the implementation of full gender equality and for particular efforts to ensure the participation of women, girls and young people and the protection of their rights across the conflict cycle, from conflict prevention to post-conflict reconstruction, in the context of EU conflict prevention and mediation activities;

33.  Calls for all exercises in cooperation, training and intervention to be gender sensitive; welcomes the EU initiatives in this regard, as well as its active contribution to the next Gender Action Plan, and the new EU Strategic Approach to women, peace and security;

34.  Calls for the inclusion of expertise on gender, including gender-based violence and conflict-related sexual violence, in all stages of conflict prevention, the mediation process and peacebuilding;

35.  Calls for the EU to take a leading role in the implementation of the UN Security Council resolutions on youth, peace and security, and the integration of the principles enshrined therein in EU conflict prevention and mediation activities;

36.  Calls for all cooperation, training and interventions to be sensitive to and informed by the needs and aspirations of young women and young men, keeping in mind the differentiated ways in which violent conflict impacts their lives and futures and the valuable contributions they can make to preventing and resolving violent conflict;

On enhancing the role and capabilities of civil society organisations in the EU’s approach to conflict prevention and mediation

37.  Considers that the role of civil society organisations should be taken into account in the EU’s overall approach and its priorities for capacity development;

38.  Underlines the importance of confidence building measures and people-to-people contacts in conflict prevention and resolution;

39.  Calls for consultations with civil society organisations, especially those specialised in women’s rights and minorities’ human rights, when establishing and implementing EU programmes and policies on peace, security and mediation;

On financial and budgetary resources available for EU conflict prevention and mediation

40.  Takes the view that growing challenges demand higher appropriations for conflict prevention and the provision of dedicated staff capacity;

41.  Stresses the need for sufficient and earmarked financial resources to be made available for the EU’s conflict prevention and mediation actions under the next multiannual financial framework (2021-2027);

42.  Invites the VP/HR to provide Parliament with an update on the EEAS budget line dedicated to conflict analysis and conflict sensitivity, early warning, mediation support and the future priorities in this field;

°
°   °

43.  Instructs its President to forward this resolution to the Presidents of the Commission and the Council, the Commission Vice-President / High Representative of the Union for Foreign Affairs and Security Policy, the Council, the EEAS, the EU Special Representative for Human Rights, the Commission, the OSCE, the UN Secretary-General, and the governments and parliaments of the Member States.

(1) OJ C 356, 4.10.2018, p. 130.
(2) Texts adopted, P8_TA(2018)0312.
(3) OJ L 335, 15.12.2017, p. 6.
