wk00217en19.pdf

This document is part of the request "Working Party on Information Exchange and Data Protection (DAPIX) in 2019"

Updated 11.01.2019
[…] means that there will be no text in this line - 'DS' means drafting session with EP and COM - 'TM' means technical meeting with EP and COM

Amended Commission proposal | EP amendments | Council negotiation mandate (ST 11312/18) | Compromise text proposals (ST 10178/18)

interoperability components have access only to the data covered by their access authorisation, by means of individual user identities and confidential access modes only;
interoperability components have access only to the data covered by their access authorisation, by means of individual user identities and confidential access modes only;
interoperability components have access only to the data covered by their access authorisation, by means of individual user identities and confidential access modes only;
authorised to access the interoperability components have access only to the data covered by their access authorisation, by means of individual user identities and confidential access modes only;

530.
(f) ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment;
(f) ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment;
(f) ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment;
Provisionally agreed (f) ensure that it is possible to verify and establish to which bodies personal data may be transmitted using data communication equipment;

531.
(g) ensure that it is possible to verify and establish what data has been processed in the interoperability components, when, by whom and for what purpose;
(g) ensure that it is possible to verify and establish what data has been processed in the interoperability components, when, by whom and for what purpose;
(g) ensure that it is possible to verify and establish what data has been processed in the interoperability components, when, by whom and for what purpose;
Provisionally agreed (g) ensure that it is possible to verify and establish what data has been processed in the interoperability components, when, by whom and for what purpose;

532.
(h) prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data
(h) prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data
(h) prevent the unauthorised reading, copying, modification or deletion of personal data during the transmission of personal data
Provisionally agreed (h) prevent the unauthorised reading, copying, modification or deletion of personal data during

to or from the interoperability components or during the transport of data media, in particular by means of appropriate encryption techniques;
to or from the interoperability components or during the transport of data media, in particular by means of appropriate encryption techniques;
to or from the interoperability components or during the transport of data media, in particular by means of appropriate encryption techniques;
the transmission of personal data to or from the interoperability components or during the transport of data media, in particular by means of appropriate encryption techniques;

533.
(ha) ensure that, in the event of interruption, installed systems can be restored to normal operation;
Presidency compromise proposal (OK for MS) (ha) ensure that, in the event of interruption, installed systems can be restored to normal operation; NB: same text as in Article 59(3)(m) ETIAS Regulation

534.
(hb) ensure reliability by making sure that any faults in the functioning of the interoperability components are properly reported;
Presidency compromise proposal (OK for MS) (hb) ensure reliability by making sure that any faults in the functioning of the interoperability components are properly reported; NB: same text as in Article 59(3)(n) ETIAS Regulation

535.
(i) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation.
(i) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation and to assess those security measures in the light of new technological developments.
(i) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation.
Presidency compromise proposal (OK for MS) (i) monitor the effectiveness of the security measures referred to in this paragraph and take the necessary organisational measures related to internal monitoring to ensure compliance with this Regulation and to assess those security measures in the light of new technological developments.

536.
4. Member States shall take measures equivalent to those referred to in paragraph 3 as regards security in respect of the processing of personal data by the authorities having a right to access any of the interoperability components.
4. Member States, Europol and the European Border and Coast Guard Agency shall take measures equivalent to those referred to in paragraph 3 as regards security in respect of the processing of personal data by the authorities having a right to access any of the interoperability components.
4. Member States, [the ETIAS Central Unit] and Europol shall take measures equivalent to those referred to in paragraph 3 as regards security in respect of the processing of personal data by the authorities having a right to access any of the interoperability components.
Provisionally agreed 4. Member States, Europol and the ETIAS Central Unit shall take measures equivalent to those referred to in paragraph 3 as regards security in respect of the processing of personal data by the authorities having a right to access any of the interoperability components.

537.
Article 43 Confidentiality of SIS data
Article 43 Confidentiality of SIS data
Article 43 Confidentiality of SIS data
Provisionally agreed […]

538.
1. Each Member State shall apply its rules of professional secrecy or other equivalent duties of confidentiality to all persons and bodies required to work with SIS data accessed through any of the interoperability components in accordance with its national law. That obligation shall also apply after those persons leave office or employment or after the termination of the activities of those bodies.
1. Each Member State shall apply its rules of professional secrecy or other equivalent duties of confidentiality to all persons and bodies required to work with SIS data accessed through any of the interoperability components in accordance with its national law. That obligation shall also apply after those persons leave office or employment or after the termination of the activities of those bodies.
1. Each Member State shall apply its rules of professional secrecy or other equivalent duties of confidentiality to all persons and bodies required to work with SIS data accessed through any of the interoperability components in accordance with its national law. That obligation shall also apply after those persons leave office or employment or after the termination of the activities of those bodies.
Provisionally agreed […]

539.
2. Without prejudice to Article 17 of the Staff Regulations of officials and the Conditions of Employment of other servants of the European Union, eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality of comparable standards to those laid down in paragraph 1 to all its staff
2. Without prejudice to Article 17 of the Staff Regulations of officials and the Conditions of Employment of other servants of the European Union, eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality of comparable standards to those laid down in paragraph 1 of this Article to all
2. Without prejudice to Article 17 of the Staff Regulations of officials and the Conditions of Employment of other servants of the European Union, eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality of comparable standards to those laid down in paragraph 1 to all its staff
Provisionally agreed […]

its staff required to work with SIS data. This obligation shall also apply after those persons leave office or employment or after the termination of their activities.
required to work with SIS data. This obligation shall also apply after those persons leave office or employment or after the termination of their activities.
required to work with SIS data. This obligation shall also apply after those persons leave office or employment or after the termination of their activities.

540.
2a. Where eu-LISA or a Member State cooperates with external contractors in any task related to the interoperability components, it shall closely monitor the activities of the contractor to ensure compliance with all provisions of this Regulation, in particular those on security, confidentiality and data protection.
Provisionally agreed […]

541.
Article 44 Security incidents
Article 44 Security incidents
Article 44 Security incidents
Article 44 Security incidents

542.
1. Any event that has or may have an impact on the security of the interoperability components and may cause damage to or loss of data stored in them shall be considered to be a security incident, in particular where unauthorised access to data may
1. Any event that has or may have an impact on the security of the interoperability components and may cause unauthorised access to, damage to or loss of data stored in them shall be considered to be a security incident, in particular where
1. Any event that has or may have an impact on the security of the interoperability components and may cause damage to or loss of data stored in them shall be considered to be a security incident, in particular where unauthorised access to data may
Provisionally agreed 1. Any event that has or may have an impact on the security of the interoperability components and may cause damage to or loss of data stored in them shall be considered to be a security incident, in particular

have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.
unauthorised access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.
have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.
where unauthorised access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.

543.
2. Security incidents shall be managed so as to ensure a quick, effective and proper response.
2. Security incidents shall be managed so as to ensure a quick, effective and proper response.
2. Security incidents shall be managed so as to ensure a quick, effective and proper response.
Provisionally agreed 2. Security incidents shall be managed so as to ensure a quick, effective and proper response.

544.
3. Without prejudice to the notification and communication of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679, Article 30 of Directive (EU) 2016/680, or both, Member States shall notify the Commission, eu-LISA and the European Data Protection Supervisor of security incidents.
3. Without prejudice to the notification and communication of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679, Article 30 of Directive (EU) 2016/680, or both, Member States and Europol shall notify the Commission, eu-LISA, competent supervisory authorities and the European Data Protection Supervisor of any security incidents without delay. In the event of a security incident in relation to the central infrastructure of the interoperability components, eu-LISA shall notify the Commission and the European Data Protection Supervisor.
3. Without prejudice to the notification and communication of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679, Article 30 of Directive (EU) 2016/680, or both, Member States shall notify the Commission, eu-LISA and the European Data Protection Supervisor of any security incidents.
Provisionally agreed 3. Without prejudice to the notification and communication of a personal data breach pursuant to Article 33 of Regulation (EU) 2016/679, Article 30 of Directive (EU) 2016/680, or both, Member States shall notify the Commission, eu-LISA, competent supervisory authorities and the European Data Protection Supervisor of any security incidents without delay.
See also line 546

545.
3a. The Commission shall report serious incidents immediately to the European Parliament and to the Council. Those reports shall be classified as EU RESTRICTED/RESTREINT UE in accordance with applicable security rules.
To be further discussed - COM and PRES express doubts on the inclusion of this EP amendment. Indeed, what would be the added value to report these serious incidents to EP immediately as EP would not be able to solve them anyway?

546.
Without prejudice to [Articles 34 and 35 of Regulation XX/2018 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC] and Article 34 of Regulation (EU) 2016/794, [the
Provisionally agreed Without prejudice to [Articles 34 and 35 of Regulation XX/2018 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No

ETIAS Central Unit] and Europol shall notify the Commission, eu-LISA and the European Data Protection Supervisor of any security incident.
1247/2002/EC] and Article 34 of Regulation (EU) 2016/794, [the ETIAS Central Unit] and Europol shall notify the Commission, eu-LISA and the European Data Protection Supervisor of any security incident, without delay. See also line 544

547.
In the event of a security incident in relation to the central infrastructure of the interoperability components, eu-LISA shall notify the Commission and the European Data Protection Supervisor.
In the event of a security incident in relation to the central infrastructure of the interoperability components, eu-LISA shall notify the Commission and the European Data Protection Supervisor.
In the event of a security incident in relation to the central infrastructure of the interoperability components, eu-LISA shall notify the Commission and the European Data Protection Supervisor.
Provisionally agreed In the event of a security incident in relation to the central infrastructure of the interoperability components, eu-LISA shall notify the Commission and the European Data Protection Supervisor.

548.
4. Information regarding a security incident that has or may have an impact on the operation of the interoperability components or on the availability, integrity and confidentiality of the data shall be provided to the Member States and reported in
4. Information regarding a security incident that has or may have an impact on the operation of the interoperability components or on the availability, integrity and confidentiality of the data shall be provided to the Member States, the ETIAS
4. Information regarding a security incident that has or may have an impact on the operation of the interoperability components or on the availability, integrity and confidentiality of the data shall be provided to the Member States, [the ETIAS
Provisionally agreed 4. Information regarding a security incident that has or may have an impact on the operation of the interoperability components or on the availability, integrity and

compliance with the incident management plan to be provided by eu-LISA.
Central Unit where necessary, and Europol without delay and reported in compliance with the incident management plan to be provided by eu-LISA.
Central Unit] and Europol and reported in compliance with the incident management plan to be provided by eu-LISA.
confidentiality of the data shall be provided to the Member States, the ETIAS Central Unit and Europol without delay and reported in compliance with the incident management plan to be provided by eu-LISA. NB: Council text to be tested by EP

549.
5. The Member States concerned and eu-LISA shall cooperate in the event of a security incident. The Commission shall lay down the specification of this cooperation procedure by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64(2).
5. The Member States concerned, the ETIAS Central Unit, Europol and eu-LISA shall cooperate in the event of a security incident. The Commission shall lay down the specification of this cooperation procedure by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64(2).
5. The Member States concerned, [the ETIAS Central Unit], Europol and eu-LISA shall cooperate in the event of a security incident. The Commission shall lay down the specification of this cooperation procedure by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64(2).
Provisionally agreed 5. The Member States concerned, the ETIAS Central Unit, Europol and eu-LISA shall cooperate in the event of a security incident. The Commission shall lay down the specification of this cooperation procedure by means of implementing acts. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 64(2).

550.
Article 45 Self-monitoring
Article 45 Self-monitoring
Article 45 Self-monitoring
Article 45 Self-monitoring

551.
Member States and the relevant EU bodies shall ensure that each authority entitled to access the interoperability components takes the measures necessary to monitor its compliance with this Regulation and cooperates, where necessary, with the supervisory authority.
Member States and the relevant EU bodies Union agencies shall ensure that each authority entitled to access the interoperability components takes the measures necessary to monitor its compliance with this Regulation and cooperates, where necessary, with the supervisory authority.
Member States and the relevant EU bodies agencies shall ensure that each authority entitled to access the interoperability components takes the measures necessary to monitor its compliance with this Regulation and cooperates, where necessary, with the supervisory authority.
Provisionally agreed Member States and the relevant Union EU bodies agencies shall ensure that each authority entitled to access the interoperability components takes the measures necessary to monitor its compliance with this Regulation and cooperates, where necessary, with the supervisory authority.

552.
The data controllers as referred to in Article 40 shall take the necessary measures to monitor the compliance of the data processing pursuant to this Regulation, including frequent verification of logs, and cooperate, where necessary, with the supervisory authorities referred to in Articles 49 and 50.
The data controllers as referred to in Article 40 shall take the necessary measures to monitor the compliance of the data processing pursuant to this Regulation, including frequent verification of logs, and cooperate, where necessary, with the supervisory authorities referred to in Articles 49 and 50.
The data controllers as referred to in Article 40 shall take the necessary measures to monitor the compliance of the data processing pursuant to this Regulation, including frequent verification of logs, and cooperate, where necessary, with the supervisory authorities referred to in Articles 49 and with the European Data Protection Supervisor as referred to in Article 50.
Presidency compromise proposal (to be tested with MS) The data controllers as referred to in Article 40 shall take the necessary measures to monitor the compliance of the data processing pursuant to this Regulation, including frequent verification of the logs referred to in Articles 10, 16, 24 and 36, and cooperate, where necessary, with the supervisory authorities referred to in Articles 49 and
