Legislative Observatory
European Parliament
Please fill in this field to find a procedure

Second generation Schengen Information System (SIS II): establishment, operation and use

2005/0106(COD)

PURPOSE: to establish the SIS II and to lay down specific provisions to support the free movement of persons within the context of visas and external borders (falling within the scope of the EC Treaty and relating to the strengthening of measures in regard to fighting illegal immigration).

LEGISLATIVE ACT: Regulation (EC) No 1987/2006 of the European Parliament and of the Council on the establishment, operation and use of the second generation Schengen Information System (SIS II).

BACKGROUND: the SIS is a common information system allowing Member States’ competent authorities to exchange information with a view to facilitating the establishment of an area without internal border controls in the Union. Designed as a measure to enable Member States to maintain a high level of security in an area with free movement, the SIS was established in 1990 within an intergovernmental framework by means of the Schengen Agreement. Since then, the main provisions of the Schengen Agreement have been incorporated within the framework of the EU.

After several years of operation, it became necessary to reform the SIS in order to respond to new challenges arising from the Union’s enlargement and the fight against terrorism. It was in this context that the Council established the basis of the second-generation SIS by making provision for its technical development and its funding by the Community budget (see Regulation No. 2424/2001/EC – CNS/2001/0818 and Decision 2001/886/JHA – CNS/2001/0819).

This Regulation and the related decision (Council Decision 2007/533/JHA, see CNS/2005/0103), which constitute the legal base of SIS II, mark the second stage of the development of the SIS and lay down the provisions relating to the launch, operation and utilisation of the SIS II.

It should also be noted that a third instrument designed to extend the access of the SIS (and under certain conditions) to national services responsible for the issuing of vehicle registration certificates (see COD/2005/0104).

CONTENT: along with Council Decision 2007/533/JHA, this Regulation lays down the general objectives of the SIS II, its technical architecture and funding, as well as provisions regarding its operation and utilisation. The legislative framework governing the SIS II also defines the categories of data to used in the system, their purpose, the criteria for their inclusion, the authorities who are entitled to have access to them, as well as additional rules to be observed in relation to the processing and protection of personal data.

Technical architecture and operation of SIS II

The SIS II includes:

  1. a central system (‘Central SIS II’) composed of a technical support function (‘CS-SIS’) containing the SIS II database, as well as a uniform national interface (‘NI-SIS’);
  2. a national system (the ‘N.SIS II’) in each of the Member States, consisting of the national data systems which communicate with Central SIS II.
  3. a communication infrastructure between CS-SIS and NI-SIS  that provides an encrypted virtual network dedicated to SIS II data and the exchange of data between SIRENE Bureaux

SIS II data shall be entered, updated, deleted and searched via the various N.SIS II systems. The CS-SIS, which performs technical supervision and administration functions, is located in Strasbourg (France) and a backup CS-SIS, in the event of failure of this system, in Sankt Johann im Pongau (Austria). The CS-SIS provides the services necessary for the entry and processing of SIS II data, including searches in the SIS II database. The costs of setting up, operating and maintaining Central SIS II and the Communication Infrastructure are borne by the general budget of the European Union.

Authorities responsible for SIS II data management

Provisions are made that lay down the responsibilities of Member States and the management authority set in place to ensure, with the Member States, the smooth operation of the Central SIS II:

  • responsibilities of Member States: Each Member State shall be responsible for setting up, operating and maintaining its N.SIS II and connecting its N.SIS II to the central system. The Member States are responsible for any damage caused to a person arising from the use of the N. SIS II and are required to ensure the correct utilisation of data introduced in the SIS II. Any exchange of information infringing the Regulation would be subject to penalties.
  • responsibilities of the management authority: after a transitional period, a management authority shall be responsible for the supervisory and security tasks, as well as the coordination of relations between the Member States and the provider of the communications infrastructure.

In other provisions, the Regulation:

  • establishes a manual that sets out the detailed rules for the exchange of certain supplementary information on alerts;
  • awards the Commission, for a transitional period only, responsibility for the operational management of Central SIS II and parts of the communication infrastructure. (The transitional period should last for no longer than five years);
  • states that SIS II is to contain alerts for the purpose of refusing entry or stay. It therefore harmonises certain provision on the grounds for issuing alerts concerning third-country nationals. It also clarifies the use of alerts in the framework of asylum, immigration and return policies;
  • states that alerts, used for the purpose of refusing entry or stay, should not be kept longer on SIS II that the time required to fulfil the purposes for which they were supplied. As a general principle, alerts should be automatically erased from SIS II after a period of three years;
  • states that SIS II should permit the processing of biometric data in order to assist in the reliable identification of the individuals concerned. By the same token, SIS II should also allow for the processing of data concerning individuals whose identity has been misused in order to avoid inconveniences caused by their misidentification;
  • allows Member States to establish links between alerts in SIS II;
  • specifies that data processed in SIS II should not be transferred or made available to third countries or to international organisations;
  • specifies that Directive 95/46/EC on the protection of individuals with regard to the processing of personal data on the free movement of data will apply to the processing of personal data in relation to this Regulation; as will with Regulation (EC) No 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data;
  • sets out confidentiality requirements;
  • states that national supervisory authorities responsible for personal data will monitor the processing of personal data relating to this Regulation; as will the European Data Protection Supervisor;
  • requires the Member States and the Commission to draw up a security plan in order to facilitate the implementation of security obligations and requires them to cooperate with each other in order to address common security issues;
  • requires the Commission to prepare a report on the technical functioning of Central SIS II and the communications infrastructure every two years. An overall evaluation should be prepared by the Commission every four years;
  • specifies the technical rules on entering data, including data required for entering an alert, updating, deleting and searching data, rules on compatibility and priority of alerts, links between alerts and the exchange of supplementary information etc. are to be prepared by the Commission through implementing powers; and
  • lastly, sets out appropriate transitional provisions in respect of alerts issued in SIS 1+, which are to be transferred to SIS II.

Territorial provisions: Switzerland, Norway and Iceland are associated with the application of this Regulation, in line with the bilateral agreements reached with these countries. Denmark, the United Kingdom and Ireland did not take part in the adoption of this Regulation and are not bound by it or subject to its application.

ENTRY INTO FORCE: 17 January 2007.