Ga verder naar contentGa verder naar content en skip ook inhoudsopgave
SduIn- en Uitvoer
Home

Commission Implementing Regulation (EU) 2022/1463 of 5 August 2022 setting out technical and operational specifications of the technical system for the cross-border automated exchange of evidence and application of the ‘once-only’ principle in accordance with Regulation (EU) 2018/1724 of the European Parliament and of the Council (Text with EEA relevance)

Commission Implementing Regulation (EU) 2022/1463 of 5 August 2022 setting out technical and operational specifications of the technical system for the cross-border automated exchange of evidence and application of the ‘once-only’ principle in accordance with Regulation (EU) 2018/1724 of the European Parliament and of the Council (Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2018/1724 of the European Parliament and of the Council of 2 October 2018 establishing a single digital gateway to provide access to information, to procedures and to assistance and problem-solving services and amending Regulation (EU) No 1024/2012(1), and in particular Article 14(9) thereof,

Whereas:

  1. Article 14(1) of Regulation (EU) 2018/1724 requires the Commission, in cooperation with Member States, to establish a technical system for the exchange of evidence as required for the online procedures listed in Annex II to that Regulation and the procedures provided for in Directives 2005/36/EC(2), 2006/123/EC(3), 2014/24/EU(4) and 2014/25/EU(5) of the European Parliament and of the Council.

  2. The technical and operational specifications of the ‘once-only’ technical system (OOTS) contained in this Regulation should set out the main components of the architecture of the OOTS, define the technical and operational roles and obligations of the Commission, Member States, evidence requesters, evidence providers and intermediary platforms. Furthermore, these specifications should establish a log system in order to monitor the exchanges and delineate the responsibility for the maintenance, operation and security of the OOTS.

  3. In order to enable the establishment of the OOTS by the date set out in Regulation (EU) 2018/1724, it is envisaged to complement this Regulation by more detailed, non-binding technical design documents drawn up in a consensual manner by the Commission in cooperation with the Member States within the gateway coordination group and in accordance with the Commission’s Guidelines for the implementation of the single digital gateway Regulation 2021-2022 work programme. However, where deemed necessary in the light of new technical developments or discussions or differences of opinion within the gateway coordination group, notably on the finalisation of the technical design documents and major design choices, or when the need arises to make certain elements of the technical design documents binding, it will be possible to complement/amend the technical and operational specifications set out in this Regulation in accordance with the examination procedure referred to in Article 37(2) of Regulation (EU) 2018/1724.

  4. In order to reduce the costs of, and the time necessary for, establishing the OOTS, the architecture of the OOTS should, to the extent possible, rely on reusable solutions, be implementation technology neutral and accommodate different national solutions. For example, the OOTS should be able to use the existing national, including central, regional and local level, procedure portals, data services or intermediary platforms, which have been created for national use. The components developed by the Commission should be released under an open software license that promotes reuse and collaboration.

  5. One such reusable solution developed at Union level is the system of eIDAS nodes laid down in Commission Implementing Regulation (EU) 2015/1501(6), which, by enabling the communication with other nodes of the eIDAS network, can process the request for, and the provision of, cross-border authentication of a user. The eIDAS nodes should enable evidence requesters and, where relevant, evidence providers to identify users requesting evidence to be exchanged through the OOTS so that evidence providers can match the identification data to their existing records.

  6. The OOTS should build on the work already done and exploit synergies with other existing systems for the exchange of evidence or information among authorities relevant for the procedures referred to in Article 14(1) of Regulation (EU) 2018/1724, including systems not covered by Article 14(10) of that Regulation. For example, as far as vehicle and driving license register data is concerned, the OOTS should take into account already developed data models and, where feasible, establish technical bridges to facilitate the connection of competent authorities already using other existing networks (RESPER(7) or EUCARIS(8)) to the OOTS for the provision of evidence in the procedures covered by the OOTS. A similar approach should be taken in relation to other systems such as, but not limited to: the Emrex User Group (EUG)(9) in the education domain, the Electronic Exchange of Social Security Information (EESSI) under Regulation (EC) No 987/2009 of the European Parliament and of the Council(10) in the social security area, the European Criminal Records Information System established by Council Decision 2009/316/JHA(11) for the purpose of judicial cooperation and eCertis(12) used in public procurement procedures. The cooperation between these systems and the OOTS should be defined on a case-by-case basis.

  7. For the purpose of cross-border authentication of a user, the architecture of the OOTS should be aligned with Regulation (EU) No 910/2014 of the European Parliament and of the Council(13). On 3 June 2021, the Commission adopted a Recommendation on a common Union Toolbox for a coordinated approach towards a European Digital Identity Framework(14). This Recommendation sets up a structured process for cooperation between Member States, the Commission and, where relevant, private sector operators to work on the technical aspects of the European Digital Identity Framework. In order to ensure the necessary alignment between that process and the OOTS, the Commission should ensure appropriate coordination, in particular through the Synergies and Interoperability Contact Group, between the Cooperation Network established by Commission Implementing Decision (EU) 2015/296(15) and the gateway coordination group.

  8. To ensure the security of the cross-border electronic delivery services for the purposes of the OOTS, Member States should ensure that such services comply with the requirements for electronic registered delivery services, laid down in Article 44 of Regulation (EU) No 910/2014. To that effect, it is appropriate that the OOTS uses eDelivery Access Points to create a network of nodes for secure digital data exchange. In addition to enabling secure cross-border delivery, eDelivery provides metadata service functionalities that may support future versions of the OOTS with larger numbers of secure data exchange nodes. Within that framework, Member States should be able to choose the providers of their eDelivery software.

  9. To ensure flexibility in the application of this Regulation, Member States should be able to decide to have either one or several eDelivery Access Points, as part of the OOTS. A Member State should therefore be able to deploy a single Access Point managing all OOTS-related eDelivery messaging to the evidence requesters or evidence providers through an intermediary platform, where applicable, or, alternatively, to deploy multiple Access Points at any hierarchical level or for specific domains or sectors or geographic levels of its public administrations.

  10. According to Union law, including Directives 2005/36/EC, 2006/123/EC, 2014/24/EU, 2014/25/EU and Regulation (EU) 2018/1724, certain administrative procedures are to be made available to users online. As those procedures and the evidence required are not harmonised under Union law, common services should be established to enable the cross-border exchange of evidence required for these procedures through the OOTS.

  11. Where there is no agreed evidence type that is harmonised across the Union and that all Member States can provide, an evidence broker should help determine which evidence types can be accepted for a particular procedure.

  12. The evidence broker should be based on rule content provided by Member States and should provide an on-line mechanism for Member States to query their information requirements and evidence type sets. The evidence broker should allow Member States to manage and share information about rules relating to types of evidence.

  13. In cases where interoperability is needed between the procedure portal and the data services and the common services, this should be supported by technical design documents.

  14. This Regulation should specify when structured and unstructured pieces of evidence that are required for the procedures listed in Article 14(1) of Regulation (EU) 2018/1724 are considered as lawfully issued in electronic format that allows automatic exchange. Unstructured pieces of evidence issued in an electronic format can be exchanged through the OOTS if they are supplemented by the metadata elements of the OOTS generic metadata model contained in the semantic repository referred to in Article 7(1) of this Regulation. Structured pieces of evidence can be exchanged through the OOTS if they are supplemented by the metadata elements of the OOTS generic metadata model referred to in Article 7(1) of this Regulation and are either in compliance with the OOTS data model for the relevant evidence type as referred to in Article 7(2) of this Regulation or accompanied by a human-readable version.

  15. Member States should be free to determine when they convert pieces of evidence to an electronic format that allows their automated exchange through the OOTS. However, in order to enhance the usefulness of the OOTS for its users and since the use of data models and metadata schemata for both unstructured and structured formats is generally highly recommended, the Commission should support Member States in their efforts to work towards this goal.

  16. In order to avoid duplication, ensure synergies and provide user choice, the development of OOTS data models for structured evidence types and the standardisation of use cases for the provision of credentials in accordance with the structured process foreseen by Commission Recommendation (EU) 2021/946 of 3 June 2021 on a common Union Toolbox for a coordinated approach towards a European Digital Identity Framework(16) should be done in close cooperation and alignment with each other as far as evidence covered by Article 14 of Regulation (EU) 2018/1724 is concerned, including by identifying common use cases. The alignment of the OOTS data models and the standardised use cases under the aforementioned Commission Recommendation should allow users to rely on alternative means for the provision of evidence covered by Article 14 of Regulation (EU) 2018/1724 either independently of or in combination with the OOTS. When changes are made to the data models and metadata schemata for pieces of evidence contained in the semantic repository, Member States should be given 12 months from the adoption of any update to apply any changes to the pieces of evidence concerned.

  17. To minimise the amount of data exchanged, in the case of structured evidence, if only a subset of data is requested in the evidence request, the evidence provider or an intermediary platform, where applicable, could enable automated filtering of the data and, where necessary to the transfer, transformation of the data on behalf of the responsible data controller so that only the requested data are exchanged.

  18. Where Member States manage national registries and services that play the same or an equivalent role as the data service directory or the evidence broker, they should not be required to duplicate their work by contributing to the relevant common services. However, in such a case they should ensure that their national services are connected to the common services in such a way that they can be used by other Member States. Alternatively, those Member States should be able to copy the relevant data from the national registries or services to the data service directory or evidence broker.

  19. In the 2017 Tallinn Declaration on eGovernment(17), Member States reaffirmed their commitment to progress in linking up their public eServices and implement the once-only principle in order to provide efficient and secure digital public services that will make citizens and businesses lives easier. The 2020 Berlin Declaration on Digital Society and Value-Based Digital Government(18), built on the principles of user centricity and user-friendliness, and set out further key principles on which digital public services should be based, including trust and security in digital government interactions and digital sovereignty and interoperability. This Regulation should implement those commitments by putting users at the centre of the system and requiring that users should be informed about the OOTS, its steps and the consequences of using the system.

  20. It is important that an appropriate system is in place to allow users to identify themselves for the purposes of the exchange of evidence. The only mutual recognition framework for national electronic identification means at Union level is set out in Regulation (EU) No 910/2014. Electronic identification means issued under electronic identification schemes notified in accordance with that Regulation should therefore be used by evidence requesters to authenticate the identity of a user before the user explicitly requests the use of the OOTS. Where the identification of the relevant evidence provider requires the provision of attributes beyond the mandatory attributes of the minimum data set listed in the Annex to Implementing Regulation (EU) 2015/1501, such additional attributes should also be requested from the user by the evidence requester and provided to the evidence provider or intermediary platform, where applicable, as part of the evidence request.

  21. Some of the procedures listed in Article 14(1) of Regulation (EU) 2018/1724 require that evidence can be requested on behalf of a legal or natural person. For example, certain procedures are relevant for businesses and entrepreneurs should therefore be able to request the exchange of evidence either on their own behalf or through a representative. Regulation (EU) No 910/2014 provides a trusted legal framework for electronic identification means issued for legal persons or for natural persons representing legal persons. The mutual recognition of national electronic identification means under that Regulation applies to these cases of representation. This Regulation should therefore rely on Regulation (EU) No 910/2014, and any implementing acts adopted on its basis, for the identification of users in cases of representation. The gateway coordination group and its subgroups should cooperate closely with the governance structures established under Regulation (EU) No 910/2014 to help develop solutions for powers of representation and mandates. Given the reliance of some of the procedures covered by the OOTS on the framework created by Regulation (EU) No 910/2014, pieces of evidence requested by representatives should also be able to be processed through the OOTS when and to the extent to which these solutions will have been found.

  22. In order to reduce the time and cost to implement the OOTS, and to benefit from each other’s implementation experience, the Commission should support Member States and foster collaboration between them on the development of reusable technical solutions and components that can be used to implement national procedure portals, preview spaces and data services.

  23. In order to guarantee that users retain control over their personal data at all times while using the OOTS as provided for in Regulation (EU) 2018/1724, the OOTS should allow users to express their decision in relation to these data in two instances. First, it should be ensured that users receive sufficient information to enable them to make an informed and explicit request to process their request for evidence through the OOTS in accordance with Article 14(3), point (a), and Article 14(4), of Regulation (EU) 2018/1724. It should then ensure that they can view the evidence to be exchanged in a secure preview space before deciding whether or not to proceed with the exchange of evidence in accordance with Article 14(3), point (f), of Regulation (EU) 2018/1724, except in the cases referred to in Article 14(5) of that Regulation.

  24. Responsibility for the establishment of the OOTS is shared between Member States and the Commission and the gateway coordination group should therefore play a central role in the governance of the system. In view of the technical nature of its work and in order to facilitate implementation in existing national systems of technical design documents, the work of the gateway coordination group should be supported and prepared by experts coming together in one or several sub-groups created in accordance with its rules of procedure. The functioning of this OOTS governance should be assessed in the report that the Commission is required to submit to the European Parliament and to the Council by 12 December 2022 pursuant to Article 36 of Regulation (EU) 2018/1724.

  25. To ensure a quick reaction to any possible incidents and downtimes which may affect the functioning of the OOTS, the Member States and the Commission should establish a network of technical support contact points. In order to ensure the proper functioning of the OOTS, those technical support contact points should have the powers and sufficient human and financial resources to enable them to carry out their tasks.

  26. To ensure an efficient functioning and maintenance of the OOTS, the responsibilities for its different components should be clearly distributed. The Commission, as the owner and operator of the common services, should be responsible for their maintenance, hosting and security. Each Member State should be responsible for ensuring maintenance and the security of those components of the OOTS that they own and for which they are responsible, such as eIDAS nodes, eDelivery Access Points or national registries, in accordance with the relevant Union and national law.

  27. In order to ensure appropriate protection of personal data, as required by Regulation (EU) 2016/679 of the European Parliament and of the Council(19), this Regulation should specify the role of Member States, in particular that of the respective competent authorities in their capacity as evidence requester or evidence provider, and of the intermediary platforms, where applicable, in relation to the personal data contained in the evidence that is exchanged through the OOTS.

  28. To ensure that the common services are protected against potential threats that harm the confidentiality, integrity or availability of the Commission’s communication and information systems Commission Decision (EU, Euratom) 2017/46(20) should apply to these services.

  29. Article 14(1) to (8) and (10) of Regulation (EU) 2018/1724 apply from 12 December 2023. Therefore, the requirements laid down in this Regulation should also apply from that date.

  30. The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council(21) and delivered Formal Comments on 6 May 2021(22).

  31. The measures provided for in this Regulation are in accordance with the opinion of the Single Digital Gateway Committee,

HAS ADOPTED THIS REGULATION:

SECTION 1 GENERAL PROVISIONS

Article 1 Definitions

For the purposes of this Regulation, the following definitions shall apply:

  1. ‘once-only technical system’ (‘OOTS’) means the technical system for the cross-border automated exchange of evidence referred to in Article 14(1) of Regulation (EU) 2018/1724;

  2. ‘evidence provider’ means a competent authority as referred to in Article 14(2) of Regulation (EU) 2018/1724 that lawfully issues structured or unstructured evidence;

  3. ‘evidence requester’ means a competent authority responsible for one or more of the procedures referred to in Article 14(1) of Regulation (EU) 2018/1724;

  4. ‘eDelivery Access Point’ means a communication component that is part of the eDelivery electronic delivery service based on technical specifications and standards, including the AS4 messaging protocol and ancillary services developed under the Connecting Europe Facility Programme and continued under the Digital Europe Programme, to the extent that these technical specifications and standards overlap with the ISO 15000-2 standard;

  5. ‘eIDAS node’ means a node as defined in Article 2, point (1), of Implementing Regulation (EU) 2015/1501 and complying with the technical and operational requirements laid down in and on the basis of that Regulation;

  6. ‘intermediary platform’ means a technical solution acting in its own capacity or on behalf of other entities such as evidence providers or evidence requesters, depending on the administrative organisation of Member States in which the intermediary platform operates, and through which evidence providers or evidence requesters connect to the common services referred to in Article 4(1) or to evidence providers or evidence requesters from other Member States;

  7. ‘data service directory’ means a registry containing the list of evidence providers and the evidence types they issue together with the relevant accompanying information;

  8. ‘evidence broker’ means a service allowing an evidence requester to determine which evidence type from another Member State satisfies the evidence requirement for the purposes of a national procedure;

  9. ‘electronic identification means’ means a material and/or immaterial unit, containing person identification data and which is used for authentication for an online service;

  10. ‘semantic repository’ means a collection of semantic specifications, linked to the evidence broker and the data service directory, composed of definitions of names, data types and data elements associated with specific evidence types to ensure mutual understanding and cross-lingual interpretation for evidence providers, evidence requesters and users, when exchanging evidence through the OOTS;

  11. ‘technical design documents’ means a set of detailed and non-binding technical documents, drawn up by the Commission in cooperation with Member States in the framework of the gateway coordination group referred to in Article 29 of Regulation (EU) 2018/1724 or any sub-groups referred to in Article 19 of this Regulation, which includes but is not limited to, a high-level architecture, exchange protocols, standards and ancillary services that support the Commission, Member States, evidence providers, evidence requesters, intermediary platforms and other entities concerned in establishing the OOTS in compliance with this Regulation;

  12. ‘data service’ means a technical service through which an evidence provider handles the evidence requests and dispatches evidence;

  13. ‘data model’ means an abstraction that organises elements of data, standardises how they relate to one another and specifies the entities, their attributes and the relationship between such entities;

  14. ‘preview space’ means a functionality that enables the user to preview the requested evidence as referred to in Article 15(1), point (b)(ii);

  15. ‘structured evidence’ means any evidence in electronic format required for the procedures listed in Article 14(1) of Regulation (EU) 2018/1724 that is organised in predefined elements or fields that have a specific meaning and technical format allowing for processing by software systems, supplemented by the metadata elements of the OOTS generic metadata model referred to in Article 7(1) of this Regulation and either in compliance with the OOTS data model for the relevant evidence type as referred to in Article 7(2) of this Regulation, or accompanied by a human-readable version;

  16. ‘unstructured evidence’ means evidence in electronic format required for the procedures listed in Article 14(1) of Regulation (EU) 2018/1724 that is not organised in predefined elements or fields that have specific meaning and technical format, but is supplemented by the metadata elements of the OOTS generic metadata model referred to in Article 7(1) of this Regulation;

  17. ‘evidence type’ means a category of structured or unstructured evidence with a common purpose or content;

  18. ‘incident’ means a situation where the OOTS is not performing, fails to transmit the evidence or transmits evidence that has not been requested, or where the evidence has changed or been disclosed during the transmission, as well as any breach of security referred to in Article 29;

  19. ‘procedure portal’ means a webpage or a mobile application where a user can access and complete an online procedure referred to in Article 14(1) of Regulation (EU) 2018/1724.

Article 2 Structure of the OOTS

The OOTS shall consist of the following:

  1. the procedure portals of evidence requesters and the data services of evidence providers;

  2. intermediary platforms, where relevant;

  3. the preview spaces referred to in Article 15(1), point (b)(ii);

  4. the national registries and services referred to in Article 8, where relevant;

  5. eIDAS nodes for user authentication and identity matching;

  6. eDelivery Access Points;

  7. the common services referred to in Article 4(1);

  8. the integration elements and interfaces required to connect the components referred to in points (a) to (g).

SECTION 2 SERVICES OF THE OOTS

Article 3 eIDAS nodes and eDelivery Access Points

Article 4 Common services

Article 5 Data service directory

Article 6 Evidence broker

Article 7 Semantic repository and data models

Article 8 National registries and services

SECTION 3 EVIDENCE REQUESTERS

Article 9 Explanation to users

Article 10 Evidence type selection

Article 11 User authentication

Article 12 Explicit request

Article 13 Evidence request

Article 14 User redirection to the evidence provider

SECTION 4 EVIDENCE PROVIDERS

Article 15 Role in the exchange of evidence

Article 16 Identity and evidence matching

SECTION 5 LOG SYSTEM OF THE OOTS

Article 17 Log system

SECTION 6 GOVERNANCE OF THE OOTS

Article 18 Gateway coordination group

Article 19 Sub-groups of the gateway coordination group

SECTION 7 TECHNICAL SUPPORT

Article 20 Commission single point of contact for technical support

Article 21 National single point of contact for technical support

Article 22 Technical support dashboard

SECTION 8 COOPERATION WITH OTHER GOVERNANCE STRUCTURES

Article 23 Scope of the cooperation

SECTION 9 RESPONSIBILITY FOR MAINTENANCE AND OPERATION OF COMPONENTS OF THE OOTS

Article 24 Responsibilities of the Commission

Article 25 Responsibilities of Member States

Article 26 Changes and updates

Article 27 Availability of OOTS

SECTION 10 SECURITY

Article 28 Security of common services and national components

Article 29 Monitoring of the electronic systems

Article 30 Administration management system

SECTION 11 FINAL PROVISIONS

Article 31 Testing of the OOTS

Article 32 Commission assistance

Article 33 Processing of personal data

Article 34 Responsibilities of evidence requester as data controller

Article 35 Responsibilities of evidence provider as data controller

Article 36 Entry into force