Commission Implementing Regulation (EU) 2022/1380 of 8 August 2022 laying down the rules and conditions for verification queries by carriers, provisions for data protection and security for the carriers’ authentication scheme as well as fall back procedures in case of technical impossibility and repealing Implementing Regulation (EU) 2021/1217

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226⁽¹⁾, and in particular Article 45(2), third paragraph, and (3) and Article 46(4) and (5) thereof,

Whereas:

1. Regulation (EU) 2018/1240 establishes the European Travel Information and Authorisation System (ETIAS) applicable to visa exempt third-country nationals seeking to enter the territory of the Member States.

2. The purpose of this Regulation is to lay down the rules and conditions for the verification query by carriers as well as to establish provisions for data protection and security for the carriers’ authentication scheme and fall back procedures in case of technical impossibility. The obligations set out in this Regulation are applicable to air carriers, sea carriers and international carriers transporting groups overland by coach, coming into the territory of the Member States.

3. Pursuant to Article 45(1) of Regulation (EU) 2018/1240, air carriers, sea carriers and international carriers transporting groups overland by coach are to send a query to ETIAS in order to verify whether travellers subject to travel authorisation requirement are in possession of a valid travel authorisation. Such a query is to be made by means of secure access to a carrier gateway.

4. Carriers should access the carrier interface by means of an authentication scheme. This Implementing Regulation should provide for data protection and security rules applicable to the authentication scheme pursuant to Article 45(3) of Regulation (EU) 2018/1240 in order to allow carriers exclusive access to the carrier gateway.

5. In order to fulfil their obligation, access to the carrier gateway should be provided to carriers operating and transporting passengers into the territory of the Member States.

6. Technical rules on the message format and authentication scheme should be laid down in order to enable carriers to connect and use the carrier gateway to be specified in the technical guidelines, which are part of the technical specifications referred to in Article 73 of Regulation (EU) 2018/1240, to be adopted by the European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (eu-LISA).

7. Carriers should be able to indicate that the passengers fall outside the scope of the Regulation (EU) 2018/1240 and in such case carriers should receive an automatic ‘Not applicable’ reply from the carrier gateway, without querying the Read Only Database and without logging.

8. This Regulation should apply to air carriers, sea carriers and international carriers transporting groups overland by coach, coming into the territory of the Member States. Border checks for entry into the territory of the Member States may precede boarding. In such cases, carriers should be relieved of the obligation to verify the travel authorisation status of travellers.

9. In accordance with Article 83 of Regulation (EU) 2018/1240, during the transitional and the grace periods, rules applicable to carriers should be adapted to the specificities of these periods. Travellers should be allowed to enter without a travel authorisation during the transitional period as such authorisation should be optional. The transitional period is followed by a grace period, during which travellers should be allowed to enter the territory of the Member States without a travel authorisation if it is their first entry during that grace period.

10. In order to ensure that the verification query is based on as up-to-date information as possible, queries should not be introduced earlier than 48 hours prior to the scheduled time of departure.

11. Passengers who are required to be in possession of a valid travel authorisation should be considered as being in possession of such an authorisation where carriers have queried the carrier interface within 48 hours prior to scheduled time of departure and received ‘OK’. There may be circumstances in which a carrier may not be able to proceed with a query referred to in Article 45(1) of Regulation (EU) 2018/1240 on account of a technical failure occurring within any part of the European Travel Information and Authorisation System. In order to limit possible adverse consequences resulting from such a failure, it is necessary to lay down the detailed rules for the fall-back procedures as provided for in Article 46 of Regulation (EU) 2018/1240.

12. To ensure that the data accessed by carriers is accurate and consistent with the data stored in the European Travel Information and Authorisation System, the read only database referred to in Article 45(4) of Regulation (EU) 2018/1240 should be updated as necessary.

13. The Commission, eu-LISA and the Member States should endeavour to inform all known carriers of how and when they can register. Upon successful completion of the registration procedure as well as, where relevant, the successful completion of testing, eu-LISA should connect the carrier to the carrier interface.

14. Carriers should have access to a web form on a public website allowing them to request assistance. When requesting assistance carriers should receive an acknowledgement of receipt containing a ticket number. eu-LISA or the ETIAS Central Unit may contact carriers that have received a ticket by any means necessary, including by phone, in order to provide an adequate response.

15. Commission Implementing Regulation (EU) 2021/1217⁽²⁾ laid down the rules and conditions for verification queries by carriers, provisions for data protection and security for the carriers’ authentication scheme as well as fall-back procedures in case of technical impossibility. It is necessary to further specify the fall back procedures in case of technical impossibility. In the interests of clarity that Regulation should be replaced.

16. Given that Regulation (EU) 2018/1240 builds upon the Schengen acquis, Denmark notified on 21 December 2018, in accordance with Article 4 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, its decision to implement Regulation (EU) 2018/1240 in its national law. Denmark is therefore bound by this Regulation.

17. This Regulation constitutes a development of the provisions of the Schengen acquis in which Ireland does not take part, as it falls outside the scope of the measures provided for in Council Decision 2002/192/EC⁽³⁾. Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

18. As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis⁽⁴⁾, which fall within the area referred to in Article 1, point A of Council Decision 1999/437/EC⁽⁵⁾.

19. As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis⁽⁶⁾, which fall within the area referred to in Article 1, point A of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/EC⁽⁷⁾.

20. As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis⁽⁸⁾ which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU⁽⁹⁾.

21. As regards Cyprus, Bulgaria and Romania and Croatia, this Regulation constitutes an act building upon, or otherwise relating to, the Schengen acquis within, respectively, the meaning of Article 3(1) of the 2003 Act of Accession, Article 4(1) of the 2005 Act of Accession and Article 4(1) of the 2011 Act of Accession.

22. The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council⁽¹⁰⁾ and delivered an opinion on 30 April 2021.

23. The measures provided for in this Regulation are in accordance with the opinion of the Smart Borders Committee (ETIAS),

HAS ADOPTED THIS REGULATION: