- The Common Vulnerability Assessment Methodology (CVAM) which was adopted in the Management Board decision 30/2019 of 17 December 2019 and is set out in the annex to that decision. - The CVAM which was adopted in the Management Board decision 34/2018 of 6 November 2018 and is set out in the annex to that decision. - All handbooks concerning the abovementioned versions of the CVAM. - All handbooks concerning the implementation of the Vulnerability Assessment procedure in general. I note your arguments in your confirmatory application 1 In accordance with Article 8(2) of Regulation (EC) No 1049/2001 of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43). Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

Paragraph 1 “Pursuant to Art. 7 para. 2 of Regulation 1049/2001, I ask you to reconsider your position in decision CGO/TO/PAD-2021-00102 on the refusal of my request for access to documents.” Paragraph 2 “Your reasoning seems to me to be flawed for both legal and factual reasons.” Paragraph 3 “According to settled case-law, there is a broad discretion with regard to granting or refusing access to documents in connection with the public security exception pursuant to Art. 4 para. 1 lit. a 1st indent of Regulation 1049/2001. Nevertheless, the statement of reasons must provide obvious indications as to how access to the documents at issue could concretely and actually impair the protection of the public security of the Union and whether the alleged impairment can be considered within the limits of Frontex discretion under the exceptions of Art. 4(1) of Regulation No 1049/2001 as reasonably foreseeable and not purely hypothetical (most recently ECJ, Case T-31/18, Semsrott and Others v Frontex, ECLI:EU:T:2019:815, para. 66).” Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

Pargraph 4 “In this context, I take it from your reasoning that criminal networks would be enabled by the Vulnerability Assessment Methodology (CVAM) information to adapt their behaviour in such a way that they could evade effective border surveillance, which would ultimately result in a threat to public security. However, I actually consider it purely hypothetical and factually impossible that the abstract benchmarks contained in the CVAM allow a concrete conclusion to be drawn about individual capacities for border management, for example at individual border crossings. This may at best be true for the concrete recommendations that concern weak points at individual border crossings and could contain information that could be used by smugglers or others. The fact that information such as on the abstract-general design of the processes and sub-processes of the vulnerability assessment could have an influence on the behaviour of criminal networks is excluded.” Paragraph 5 “Furthermore, I understand from your justification that you have omitted to consider partial accessibility in this respect, with redaction of the relevant passages of the methodology. However, you would have been obliged to do so pursuant to Article 4 (6) of Regulation 1049/2001 and the established case law of the ECJ (cf. in this sense already ECJ, Case C-353/99, Council v. Hautala, [2001] ECR I-9565, para. 25 ff.). Your approach would only be permissible if the manuals or the CVAM itself were subject in all parts to the exception of Art. 4(1)(a), 1st indent, of Regulation 1049/2001, which cannot be the case for the above reasons. “ Paragraph 6 “On the contrary, I understand from your reasoning that you did not even consider partial access, so that your refusal in this respect is already vitiated by an error of judgement and is therefore unlawful.” Paragraph 7 “To make matters worse, the CVAM of 2016 was published independently and without reservations by the Agency as an annex to Management Board Decision 39/2016 of 23 November 2016. In this respect, the Agency is at least self-binding with regard to the contents of this version of the CVAM on the basis of an existing administrative practice. At the very least, it is incomprehensible that this CVAM in its entirety does not have any detrimental effect on public security, while the two new versions in all their parts are subject to the exception of Art 4 para. 1 lit. a 1st indent.” Paragraph 8 “I therefore request a new decision regarding access to the documents in question, examining the possibility of partial access, in particular taking into account the contents of the CVAM, which have already been published by the Agency itself and therefore, according to the legal interpretation expressed by the Agency's administrative practice, do not fall under the exception of Art. 4(1)(a), 1st indent, of Regulation 1049/2001.” In regard to paragraph 3 of your confirmatory application, Frontex, when considering a refusal to grant access to a document which disclosure would undermine the protection of the public interest as regards public security as laid down in Article 4(1)(a) first indent of Regulation (EC) No 1049/2001, enjoys a wide discretion for the purpose of determining whether such disclosure to the public would undermine the interests protected by that                  2 provision .  Further to our reply of 16 April 2021, in which we explained how access to the documents at issue could specifically and actually undermine the protection of the European Union’s public security and that the risk of that undermining could be considered reasonably foreseeable and not purely hypothetical, kindly note that Article 3(1)(k) of the European Border and Coast Guard Regulation3 lays down that the vulnerability assessment, which forms part of a quality control mechanism to ensure the implementation of Union law in the area of border management, is one of the core components of European integrated border management and also one of the fundamental tasks of Frontex. In this regard, Article 32(1) of the European Border and Coast Guard Regulation tasks the Agency to establish a Common Vulnerability Assessment Methodology 2 Judgment of 27 November 2019 in case T-31/18, Izuzquiza and Semsrott v European Border and Coast Guard Agency (FRONTEX), para 65. 3 Regulation (EU) 2019/1896 of 13 November 2019 on the European Border and Coast Guard (OJ L 295, 14.11.2019, p. 1). Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

(CVAM), which has to include objective criteria against which the Agency has to carry out the vulnerability assessments, the frequency of such assessments, how consecutive vulnerability assessments are to be carried out, as well as arrangements for an effective system for monitoring the implementation of recommendations. The aim of the vulnerability assessment is for the Agency to assess the capacity and readiness of Member States to face present and upcoming challenges at the external borders. The CVAM, which Frontex has established in close consultation with Member States and the Commission, is based on four overarching principles. Firstly, it provides for the engagement of Member States to ensure ownership of the results and consistent application. Secondly, vulnerabilities are assessed – on a continuous basis - taking into account, apart from the available technical and human resources capacity, the type and level of threats to which Member States are exposed and their impact. It has to be pointed out that the CVAM is founded on - regularly changing - EU risks. Thirdly, it adopts a future-oriented approach so that the implementation of recommendations can prevent the development of crises. Finally, it does not seek to establish a mere checklist of available capacities but focuses on the analysis of data collected from a wide range of sources, so that the actual mobilisation of these capacities can be assessed. Furthermore, the CVAM is structured around one single overall process resulting in annual baseline assessments. These assessments are complemented with specific assessments stimulated by the identification of upcoming challenges, the monitoring of the situation along the external borders and the assessment of Member States’ contributions to the European Border and Coast Guard. Consequently, the CVAM and the handbooks constitute key elements of Frontex risk analysis structure. The information contained therein, in particular in regard to the patterns and the focusses of the risk analyses to be conducted, would enable criminal networks, especially in combination with publicly available information, to understand such patterns and focusses. This knowledge would put such networks in a position to anticipate outcomes of vulnerability assessments for areas of interest for their activities. Furthermore, criminal networks would be able, through such knowledge, to influence and even to manipulate the outcomes of vulnerability assessments by creating scenarios that do not reflect the real factual situation in the countries being subject to such assessments. In particular the latter case could lead to inadequate measures being taken within the European integrated border management framework, which would, as stated on 16 April 2021, with ascertainable likelihood, seriously jeopardize the effective control and surveillance of the external borders of the EU and the fight against cross- border crime within the meaning of Article 4(1)(a) first indent of Regulation (EC) No 1049/2001. As just illustrated also in reply to your arguments in paragraph 4 of your confirmatory application, in addition to this real and not merely hypothetical threat in regard to public security, the dissemination of this knowledge beyond the stakeholders would seriously undermine internal decision-making processes regarding current and future activities of Frontex and Member States in regard to this cornerstone of European integrated border management, which are based on the documents you apply for, require therefore special protection. Namely, disclosing the documents would erode the mutual trust among all participants. Such information would enable criminal networks to influence the outcome of this process. Furthermore, in general, third parties would be enabled to draw preliminary conclusions and thus, hamper ongoing and future decision-making processes in regard to the methodology and concrete conduct of vulnerability assessments. As no overriding public interest Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

that is objective and general in nature and not indistinguishable from individual or private interests for the release of these documents is ascertainable in the present case, a release of the documents is thus further precluded based on Article 4(3) of Regulation (EC) No 1049/2001. Concerning your arguments under paragraphs 5 and 6 of your confirmatory application, I would like to emphasize that the principle laid down in Article 4(6) of Regulation (EC) No 1049/2001 forms part of every appraisal of documents to which, based on Article 4 of Regulation (EC) No 1049/2001, no full access can be granted. However, in regard to the documents at hand as explained on 16 April 2021 and further elaborated above, Frontex had and has to deviate from the principle laid down in Article 4(6) as the significant number of pieces of information falling under the exceptions led us, while balancing all interests, to decide against their partial release. This was and is motivated by “the administrative burden of blanking out the parts that may not be [disclosed, which] proves to be particularly heavy, thereby exceeding the limits of what may reasonably be required”4 combined with the fact that a partial access would be meaningless because the parts of the documents that 5 could be disclosed would be of no use . Therefore, no partial access within the meaning of Article 4(6) of Regulation (EC) No 1049/2001 is possible. Turning now to your arguments under paragraph 7 of your confirmatory application. While indeed the CVAM for the year 2016                - but not the handbooks - was publicly available for a short time on the webpage due to a technical mistake, the proactive communication obligation based on which this decision of the Management Board was made public stems from Article 74(2) of Regulation (EU) 6 2016/1624 . It has therefore to be distinguished from the obligations under Regulation (EC) No 1049/2001. I thus recall the Judgment of 27 November 2019 in case T-31/18 quoted by you, in which the Court held in regard to Article 74(2) of Regulation (EU) 2016/1624: In that regard, it must be observed that, although Frontex is required under Article 8(3) and Article 74(2) of Regulation 2016/1624 to communicate with the public on matters falling within the scope of its tasks, it cannot reveal operational information which would jeopardise attainment of the objective of those operations.7 As even releases of documents under Regulation (EC) No 1049/2001 do not prejudice subsequent releases of documents within this framework on the same subject8, publications under Article 74(2) of Regulation (EU) 2016/1624 are thus a fortiori not to be “setting a precedent that would require [Frontex] to communicate information which it believes puts public security at risk”9 under Regulation (EC) No 1049/2001. Consequently, I cannot agree to your arguments – also as your application pertained, besides to the CVAMs for the years 2018 and 2019, to the handbooks. 4 Applicable also for Regulation (EC) No 1049/2001: Judgment of 7 February 2002 in case T-211/00, Kuijer v Council, para. 57. 5 Judgment of 5 December 2018 in case T-875/16, Falcon Technologies v Commission, para. 103, et seq. 6 Regulation (EU) 2016/1624 of 14 September 2016 on the European Border and Coast Guard (OJ L 251, 16.9.2016, p. 1). 7 Judgment of 27 November 2019 in case T-31/18, Izuzquiza and Semsrott v European Border and Coast Guard Agency (FRONTEX), para. 91. 8 Judgment of 12 July 2001 in case T-204/99, Mattila v Council and Commission, paras. 64 and 73. 9 Judgment of 27 November 2019 in case T-31/18, Izuzquiza and Semsrott v European Border and Coast Guard Agency (FRONTEX), para. 93. Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01

While I thus amend the decision of 16 April 2021 as above, the Vulnerability Assessment Unit would be happy to accommodate your questions in regard to the documents in an oral/virtual discussion. Kindly contact us under pad@frontex.europa.eu to arrange a date and time. In accordance with Article 8(1) of Regulation (EC) No 1049/2001, you are entitled to institute court proceedings and/or make a complaint to the European Ombudsman under the relevant provisions of the Treaty on the Functioning of the European Union. Frontex - European Border and Coast Guard Agency www.frontex.europa.eu | Pl. Europejski 6, 00-844 Warsaw, Poland | Tel. +48 22 205 95 00 | Fax +48 22 205 95 01