Commission Implementing Regulation (EU) 2024/1942 of 5 July 2024 laying down common procedures and detailed rules for accessing and processing electronic freight transport information by competent authorities in accordance with Regulation (EU) 2020/1056 of the European Parliament and of the Council (Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2020/1056 of the European Parliament and of the Council of 15 July 2020 on electronic freight transport information(1), and in particular Article 8 thereof,
Whereas:
Regulation (EU) 2020/1056 requires Member States to ensure that all their competent authorities have access to electronic freight transport information (‘eFTI’) in line with common procedures and detailed rules, including common technical specifications and procedures for processing regulatory information and for communicating with the economic operators in relation to that information.
In order to lay down these common procedures and rules, pursuant to Article 8 of Regulation (EU) 2020/1056, the Commission should list the main information communication technology (‘ICT’) components of the eFTI exchange environment to be provided by the Member States and detail their functional and technical specifications.
To ensure flexibility in the application of these common procedures and detailed rules, Member States should be able to decide how to organise the provision of the ICT components, provided those components comply with the respective functional and technical specifications laid down in this Regulation. More specifically, Member States may decide to set these up as separate components, or integrated in a single component or in several distinct components performing the respective functionalities. They may also set up multiple components performing the same set of functionalities.
Member States should be able to reuse existing ICT components they already developed for other digital public services, insofar as these components already provide or are adjusted to provide the required functionalities in line with the specifications, including technical requirements, where applicable, set out in this Regulation. Member States should also be able to choose to establish, develop and maintain one or more of the ICT components provided for in this Regulation jointly with other Member States.
Each Member State should be responsible for ensuring the maintenance and security of the ICT components that they set up or for which they are responsible, including for ensuring the security and confidentiality of the information processed within those components. If several Member States decide to set up and manage jointly some of these components, they should ensure that their respective responsibilities are laid down in appropriate agreements or memoranda of understanding.
Pursuant to Regulation (EU) 2020/1056 all communication within the eFTI exchange environment is to take place by means of secure connections between duly identified and authorised parties. Therefore, the common functional and technical specifications laid down in this Regulation should ensure that such requirements are met for all communication taking place among the participants in the eFTI exchange environment by means of ICT components, including with the eFTI platforms.
The number of participants in the eFTI exchange environment is expected to be high, both at the level of the competent authorities, and at the level of the economic operators concerned, who will be free to use the eFTI platforms of their choice. An adequate number of secure, authenticated and authorised connections would therefore need to be established and maintained between the ICT components of the eFTI exchange environment. To reduce the costs associated with such a high number of connections, some of the ICT components of the eFTI exchange environment to be established by the Member States should mediate this exchange by playing a gateway function, while maintaining a high level of security and compliance with applicable authorisations.
Such gateways, or ‘eFTI Gates’ should mediate the exchange of regulatory freight transport information between the economic operators concerned and the competent authorities. The eFTI Gates should ensure secure and authenticated connections to the ICT components that mediate the access of individual officers at the level of the competent authorities in a specific Member State, on the one hand, and to the eFTI platforms that hold the data to which these officers would need to have access, on the other hand. They should not store or process eFTI data, except for metadata connected to eFTI data processing such as identifiers or operation logs, and only for legitimate purposes such as routing, format validation or adaptation and for monitoring or statistical purposes.
Furthermore, to reduce the costs involved in establishing connections between eFTI platforms and an eFTI Gate, particularly for the economic operators – but also for the competent authorities, as provided for in Article 8(2) of Regulation (EU) 2020/1056 – eFTI platforms should be required to establish and maintain a secure and authenticated connection to only one eFTI Gate. That eFTI Gate should then mediate the connection to all the competent authorities in all the Member States, by means of a network of secure and authenticated connections between the different eFTI Gates.
In view of the requirement in Article 11 of Regulation (EU) 2020/1056 that Member States maintain an up-to-date list of the eFTI platforms which hold a valid certification issued by a conformity assessment body accredited in their Member State, this single connection of an eFTI platform to the network of eFTI Gates should be established with the eFTI Gate of the Member State where that platform’s certification was issued. This would facilitate and make less costly the process of verifying the validity of the certification of an eFTI platform, as part of the process of ensuring the security and authenticity of the communication with an eFTI platform. However, to accommodate situations where no conformity assessment bodies have been accredited to certify eFTI platforms in a Member State, eFTI platforms should be able to establish their single connection to the eFTI Gate of that Member State, even when they obtained the certification in other Member States.
To ensure a high level of trust in the eFTI exchange environment, Member States should remain responsible for ensuring that all access by their competent authorities to the eFTI exchange environment is duly identified, authenticated and authorised. Member States should ensure that accessing and processing by competent authorities of data made available by economic operators on eFTI platforms is allowed only following due identification and authentication of the identity of the responsible officers, as well as due authorisation based on assigned access and processing rights of the officers, based on their respective responsibilities in relation to the EU and national provisions falling under the scope of Regulation (EU) 2020/1056. For that purpose, Member States should ensure that all competent authorities establish and maintain registries that keep updated records of the access and processing rights of each responsible officer, and that all requests for accessing and processing eFTI data include references to the access and processing rights of the officer responsible for the request. Those access and processing rights should be expressed as coded references to minimise the transfer of the personal data of the officers, as defined by Regulation (EU) 2016/679 of the European Parliament and of the Council(2). Member States should also ensure that their competent authorities take any necessary measures, such as testing, trainings and audits, to ensure that their officers access and process data in compliance with applicable EU and national rules on data privacy and commercial confidentiality.
Regulation (EU) 2020/1056 requires the economic operators concerned to communicate to the competent authorities the ‘unique electronic identifying link’ to the machine-readable eFTI data corresponding to the regulatory information. Procedurally, this communication should be done in two ways, and the ICT components to be set up by the Member States should support both procedures. The competent authorities should be able to choose either procedure when requesting access to eFTI data to perform regulatory information checks.
Firstly, in line with current paper-based compliance check procedures, the economic operators concerned should be able to communicate directly to the competent authority the unique electronic identifying link during checks performed in physical presence, either during the transport operation or during checks performed at the premises of the economic operator, where applicable EU or national provisions provide for the possibility of checks after the completion of transport operations. To facilitate processing by the competent authorities, the unique electronic identifying link should be communicated in a machine-readable format such as a bar code or QR code, displayed on the screen of an electronic handheld device such as a mobile phone or tablet, or printed on paper. Member States’ authorities should be able to decide to accept that, during physical checks of ongoing transport operations, the economic operator may on an exceptional basis communicate the unique electronic identifying link by email or other electronic messaging application, in situations where the link could not be directly displayed by the operator on screen or on paper. For checks performed at the premises of the economic operators, when the number of transport operations to be inspected is substantially higher, competent authorities should be able to choose to receive the unique electronic identifying links via email or other electronic messaging application, to facilitate and optimise the processing of these links. The choice of these additional communication means should remain with the respective competent authorities.
Secondly, and more compatible with a future where processes are increasingly automated, economic operators should communicate the unique electronic identifying link by publishing it in an electronic repository, or registry, together with certain identifiers, such as the unique identification of the means of transport, derived from the eFTI data set associated with that unique electronic identifying link. Competent authorities could then retrieve that link from the registry by running a query based on those identifiers. This would enable competent authorities to check the information on the goods being transported on a truck, train or barge without physically stopping or boarding the means of transport and, where relevant, apply follow-up measures in accordance with national law. It would also allow competent authorities to more easily or reliably retrieve the information on multiple transport operations performed by a given means of transport, in a given time period, such as in the case of road cabotage checks, in line with the provisions of Regulation (EC) No 1072/2009 of the European Parliament and of the Council(3).
To ensure the interoperability and security of the information exchange between the eFTI Gates set up by the different Member States, and between the eFTI Gates and the eFTI platforms, a set of harmonised standards and specifications for message exchange, including the configuration of message exchange agreements, business processes, data formats, identifiers and security certificates should be used within the eFTI environment. Member States should also agree on secure procedures for the exchange of the security certificates, such as by means of a custom-built system or secure file transfer protocol.
To reduce the costs and the time taken to set up the eFTI Gates and the other ICT components, Member States should, to the extent possible, rely on open standards maintained by European or international organisations, and on reusable solutions. For message exchange formats, the most widely used, internationally accepted open standards are XML and JSON. While JSON is a more recent and, in certain respects, simpler to implement format, XML is the most common format used by the ICT systems of competent authorities in most Member States. Therefore, to allow Member States to re-use existing solutions and thus reduce their initial implementation costs, all communication between eFTI Gates and between eFTI Gates and eFTI platforms should be done using a single message exchange format, the XML. Similarly, the standards for secure message exchanges maintained by the Commission as part of the eDelivery digital building block(4), and in particular the eDelivery AS4 profile, provide a cost-efficient technical solution that Member States already have experience in implementing.
At the same time, Member States should be able to reuse message exchange standards and solutions already in use for other digital public services for the communication between the eFTI Gate and the eFTI platforms set up in that Member State, in addition to eDelivery. The detailed requirements and standards underlying those solutions should be made publicly available to enable their implementation by interested eFTI platforms developers, and to enable the accredited conformity assessment bodies to assess their compliance with the specifications.
Similarly, to allow competent authorities’ officers to make use of the ICT components that constitute the point of access, or the ‘authority access points’, to the eFTI environment, Member States should be able to make use of existing electronic solutions that ensure the identification and authentication of the identity of officers when accessing other national digital public services that give access to personal or commercial data of third parties. These solutions should rely, where available, on the means of electronic identification set out in Regulation (EU) No 910/2014 of the European Parliament and of the Council(5).
In the same spirit, Member States should be able to re-use any other existing components of their competent authorities’ ICT systems that perform similar functions to those specified in this Regulation, such as authorisation registries, provided they are adapted in line with the specific requirements laid down in this Regulation.
To make it as easy as possible for competent authority officers to use the eFTI exchange environment and to facilitate their analysis of the eFTI data made available by economic operators on an eFTI platform, Member States should be able to tailor the user application and its graphical user interface to the needs of their officers. Member States should also be able to introduce additional functionalities to be supported by the user applications, such as the use of smart algorithms that can pre-process the eFTI data, also combining information from other electronic sources, should they so wish.
The continuous and smooth functioning of the eFTI environment requires that any operational issues related to the ICT components set up by the Member States be speedily resolved. To help ensure that, the Member States and the Commission should establish a network of technical support, consisting of dedicated helpdesks at national and, respectively, Union level. This network should establish clear communication procedures and ensure synchronised minimum periods of availability to enable quick reaction to any possible incidents and downtimes which may affect the functioning of the eFTI exchange environment. Those technical support contact points should have the powers and sufficient human and financial resources to enable them to carry out their tasks. Based on activity reports, helpdesks may publish aggregated information on dedicated helpdesk dashboards. The minimum periods of common availability of the helpdesks should be periodically revised, to allow adjusting their activity and efficiently allocate resources.
The ICT components to be set up by the Member States will work as integral components of the wider eFTI exchange environment. That means that the establishment and maintenance of these components should rely on coordinated efforts, based on a harmonised interpretation of the specifications laid down in this Regulation. To this end, Member States should also create a network of operational support, in cooperation with the Commission, in the form of a dedicated group of experts. To harness the expertise and experience developed within the Digital Transport and Logistics Forum (DTLF), the expert group set up by the Commission(6) to assist in the development and implementation of the Union’s activities and programmes aimed at the digitalisation of the transport and logistics sector, that group of experts should be set up as a subgroup of the DTLF.
To facilitate Member States’ implementation efforts and ensure uniform implementation of these specifications, it is envisaged to complement this Regulation by more detailed, non-binding technical support documents drawn up by the Commission in cooperation with the Member States within this dedicated group of experts.
The measures provided for in this Regulation are in accordance with the opinion of the Digital Transport and Trade Facilitation Committee,
HAS ADOPTED THIS REGULATION:
CHAPTER I GENERAL PROVISIONS
Article 1 Definitions
For the purpose of this Regulation, the following definitions shall apply:
‘eFTI exchange environment’ means the ensemble of ICT components used for the exchange of data in accordance with Regulation (EU) 2020/1056 and the implementing and delegated acts adopted pursuant to that Regulation;
‘ICT component’ means a material (hardware) or immaterial (software) unit or set of such units used to perform specific functionalities to enable electronic data communication;
‘competent authority officer’ means a physical person entitled to access and process regulatory information requirements referred to in Article 2(1) of Regulation (EU) 2020/1056, on behalf of a competent authority in a Member State;
‘eFTI data’ means data corresponding to regulatory information, when made available by economic operators on an eFTI platform in accordance with Regulation (EU) 2020/1056;
‘request for access to eFTI data’ means a request on behalf of a competent authority to receive the eFTI data made available by economic operators on an eFTI platform;
‘follow-up communication’ means communication between competent authorities and the economic operators concerned on the information made available by the economic operators on an eFTI platform, following a compliance check by a competent authority officer of that information as provided in response to a request for access to eFTI data. This follow-up communication may consist of a request for missing eFTI data, or information in relation to follow-up action taken by the competent authority in accordance with applicable national provisions;
‘access rights’ means the permissions granted to a competent authority officer to perform operations in relation to one or more eFTI data subsets;
‘processing rights’ means the operations or sets of operations that a competent authority officer is allowed to perform on a specific eFTI data subset received in response to a request for access to eFTI data;
‘electronic identification means’ means a material or immaterial unit, containing person identification data and which is used for authentication for an online service;
‘identification references’ means a personal identification number or coded reference that allows the unique identification of a competent authority officer;
‘Authority Access Point (AAP)’ means an ICT component or a set of ICT components performing the functionalities set out in Article 4;
‘eFTI Gate’ means an ICT component or a set of ICT components performing the functionalities set out in Article 6;
‘requesting Gate’ means an eFTI Gate that processes a request for access to eFTI data lodged via an AAP connected to or integrated into that eFTI Gate;
‘receiving Gate’ means an eFTI Gate that processes a request for access to eFTI data received from a requesting Gate;
‘eDelivery’ means a set of technical specifications and standards for electronic message exchange developed by the Commission under the Connecting Europe Facility programme(7) and continued under the Digital Europe programme(8);
‘eDelivery Access Point’ means a communication component that is part of the eDelivery electronic delivery service based on technical specifications and standards;
‘static discovery’ means a mechanism for an eDelivery Access Point to obtain the connection details of another eDelivery Access Point without resorting to third party systems;
‘dynamic discovery’ means a mechanism for an eDelivery Access Point to obtain the connection details of another eDelivery Access Point by looking up these details in a third-party system;
‘security keys’ means pairs of public and private cryptographic keys, generated by cryptographic algorithms in the form of very large numbers that have a unique relationship to each other;
‘security certificate’ means a digital document issued by a certificate authority that is used to establish a secure electronic communication channel between two parties; it includes the public security key and information about the subject of the certificate;
‘certificate authority’ means an entity that manages the life cycle of digital certificates, which may include enrolment processes and processes for the issuance, delivery, activation, suspension, revocation, renewal or reactivation of the security certificates;
‘user application’ means an ICT component performing the functionalities set out in Article 7;
‘technical guidance documents’ means a set of detailed and non-binding technical documents, drawn up by the Commission in cooperation with Member States in the framework of the working group referred to in Article 13.
Article 2 Common measures
1. Member States shall ensure that their competent authorities have access to ICT systems that can process the unique electronic identifying links (UIL) communicated by the economic operators pursuant to Article 4(3) of Regulation (EU) 2020/1056, and that allow their competent authorities’ officers to access and process eFTI data in either of the following procedures:
(a) by directly processing the UIL, when communicated by the economic operator in machine readable format, by displaying it on the screen of an electronic device or printed on a physical support such as paper or, when the competent authority chooses to allow such communication, also by sending it by email or other electronic messaging application;
(b) by retrieving first the UIL, as communicated by the economic operators through publication on a dedicated registry, by means of a unique identifier associated with a transport operation.
2. Member States shall ensure that the ICT systems referred to in paragraph 1 provide at least the following functionalities:
(a) duly authenticated identification and due authorisation of the competent authorities’ officers, each time an officer lodges a request for access to eFTI data;
(b) mediation of the requests for access to eFTI data lodged by the competent authorities’ officers, including retrieval of the information requested from the appropriate eFTI platform or platforms, by means of secure connections to those platforms.
3. To implement the functionalities listed in paragraph 2, those ICT systems shall comprise at least the following components:
(a) authority access points (AAP);
(b) an authorisation registry;
(c) eFTI Gates;
(d) a search mechanism;
(e) a user application.
4. Member States shall ensure that the components listed in paragraph 3 comply with the requirements laid down in Chapter II. Member States shall be responsible for the setting up, hosting, development, availability, monitoring, updating and maintenance of those components and for the security of the information processed within those components. Where two or more Member States set up or develop one or more of those components jointly, they shall be jointly responsible for their setting up, hosting, development, availability, monitoring, updating, maintenance and security.
5. Member States remain responsible for ensuring that the access and processing by competent authorities of eFTI data is done only for the purposes of checking compliance with the applicable EU and national legal provisions, and in accordance with applicable EU and national provisions laying down the conditions for performing those compliance checks, and rules on respect of personal data privacy and confidentiality of commercial data.
Article 3 Requests for access to eFTI data, responses and follow-up communication
1. Competent authority officers shall lodge all requests for access to eFTI data via the AAP component described in Article 4, by means of the user application described in Article 7.
2. A request for access to eFTI data shall contain the following information:
(a) the UIL of the eFTI data to which access is requested, or one or more identifiers that allow the retrieval of that UIL from the registry of identifiers described in Article 11. This information shall be provided by the competent authority officer responsible for the request;
(b) the references to the access rights of the competent authority officer responsible for lodging the request, as recorded in the authorisation registry described in Article 5. This information shall be automatically added by the user application;
(c) the unique identification number of the request, as issued by the AAP. This information shall be automatically added by the user application.
3. Responses to a request for access to eFTI data may take one of the following forms:
(a) eFTI data, as transmitted by an eFTI platform based on the information contained in a request, and associated message exchange metadata or identifiers, necessary to enable the receiving eFTI Gates or authority access points to map the eFTI data to the respective request;
(b) error messages, containing coded or brief textual specification of the type of error when an eFTI Gate or an eFTI platform cannot provide the requested eFTI data for technical or business process reasons;
(c) message indicating that no data is available, to be issued by a receiving eFTI Gate when it processes a request that contains identifiers and the search mechanism of the Gate detects no active UIL linked to those identifiers in its registry of identifiers;
(d) ‘no response’ message, transmitted by an eFTI Gate or eFTI platform when that eFTI Gate or platform confirmed receipt of request but did not send a message containing the requested eFTI data within 60 seconds from confirmation of receipt.
4. Where the competent authority officer establishes that the information made available by an economic operator on an eFTI platform, and as retrieved in response to a request for access to eFTI data, is incomplete or fails in other ways to comply with the regulatory information requirements on the basis of which the request was made, the officer may communicate those findings to the economic operator by lodging a specific follow-up communication for that information. Any such follow-up communication shall comply with applicable national legal requirements on follow-up actions to regulatory compliance checks.
5. Where a specific follow-up communication referred to in paragraph 4 is lodged, the competent authority shall also transmit it via the AAP component, by means of the user application. It shall contain:
(a) the information to be communicated by the competent authority to the economic operator, in free text format, or as an attached document;
(b) the UIL of the eFTI data and the unique identification number of the request for access to that data for which the follow-up communication is lodged.