COMMISSION IMPLEMENTING DECISION (EU) 2015/450
of 16 March 2015
laying down test requirements for Member States integrating into the second generation Schengen Information System (SIS II) or changing substantially their directly related national systems
(notified under document C(2015) 1612)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EC) No 1987/2006 of the European Parliament and of the Council of 20 December 2006 on the establishment, operation and use of the second generation Schengen Information System (SIS II)(1), and in particular Articles 8(4), 9(1) and 20(3), point (a) of Article 22, and Articles 36(4) and 37(7) thereof,
Having regard to Council Decision 2007/533/JHA of 12 June 2007 on the establishment, operation and use of the second generation Schengen Information System (SIS II)(2), and in particular Articles 8(4), 9(1) and 20(4), point (a) of Article 22, and Articles 51(4) and 52(7) thereof,
Having consulted the European Data Protection Supervisor,
Whereas:
(1) The Schengen Information System was set up pursuant to the provisions of Title IV of the Convention of 19 June 1990 implementing the Schengen Agreement of 14 June 1985 between the governments of the States of the Benelux Economic Union, the Federal Republic of Germany and the French Republic on the gradual abolition of checks at their common borders(3). That system constituted an essential tool for the application of the provision of the Schengen
acquis
as integrated into the framework of the Union.
(2) The Schengen Information System was replaced on 9 April 2013 by the second generation Schengen Information System (SIS II) when Regulation (EC) No 1987/2006 and Decision 2007/533/JHA became applicable. Like its predecessor system, SIS II constitutes a major counterpart to the abolition of controls at the internal borders as well as a crucial contribution to the maintenance of a high level of security within the area of freedom, security and justice.
(3) The technical architecture of SIS II is composed of a central system (Central SIS II), national applications and a communication infrastructure between Central SIS II and the national applications.
(4) It was and remains necessary to conduct tests in order to assess whether SIS II operates in accordance with the technical and functional requirements as defined in Regulation (EC) No 1987/2006 and Decision 2007/533/JHA.
(5) The testing requirements applicable for the major test phases of the technical development of SIS II were laid down in Council Regulation (EC) No 189/2008(4) and Council Decision 2008/173/JHA(5) as well as in Council Regulation (EC) No 1104/2008(6) and Council Decision 2008/839/JHA(7). Those instruments defined the basic requirements and organisation of the tests of the SIS II Central system, the SIS II national systems, the interaction between them as well as the tests related to the communication infrastructure. As those instruments related to the technical development of SIS II, they exhausted their legal effect once SIS II entered into operation on 9 April 2013. Regulation (EC) No 1104/2008 and Decision 2008/839/JHA expired on 8 May 2013 and were moreover repealed by Council Regulation (EU) No 1273/2012(8) and Council Regulation (EU) No 1272/2012(9) respectively. The repeal of Regulation (EC) No 189/2008 and Decision 2008/173/JHA has been proposed in 2014(10).
(6) Regulation (EC) No 189/2008, Decision 2008/173/JHA, Regulation (EC) No 1104/2008 and Decision 2008/839/JHA made the tests of the communication infrastructure, the national compliance tests, the comprehensive tests as well as the test of the exchange of supplementary of information obligatory for Member States which migrated from SIS 1+ to SIS II. Success of testing of the Central SIS II, national compliance tests and tests related to the communication infrastructure was a precondition to start with the comprehensive test. The Commission had to declare the successful completion of the comprehensive test as a precondition of to apply Regulation (EC) No 1987/2006 and Decision 2007/533/JHA.
(7) In the light of enlargement of the Union and in particular the enlargement of the area of freedom, security and justice it is necessary to define the tests which demonstrate the technical readiness of a Member State to integrate into SIS II. In order to reinforce legal certainty it is necessary to define testing requirements. These tests should prove that a Member State is able to exchange supplementary information, its national system is fully in compliance with Central SIS II, it is able to enter, update, delete and search data, it is able to upload photographs and fingerprints in the quality required and it is able to process data on misused identity.
(8) Member States which intend to implement a substantial change in their SIS II national systems (N.SIS II) or SIRENE application as referred to in Regulation (EC) No 1987/2006 and Decision 2007/533/JHA should also undergo testing as defined by the Management Authority in order to prove full compliance with Central SIS II or demonstrate the ability to exchange supplementary information. The European Agency for the operational management of large-scale IT-systems in the area of freedom security and justice was empowered to be the Management Authority by Regulation (EC) No 1987/2006 and Decision 2007/533/JHA combined with Regulation (EU) No 1077/2011 of the European Parliament and of the Council(11).
(9) Taking into account the principle that the same technical requirements should apply to all Member States, it is appropriate to apply the same test phases to Member States envisaging to integrate SIS II as the ones Member States had to execute for the migration from SIS 1+ to SIS II.
(10) It is also appropriate to make use of the experience gained during development of SIS II and add tests which were not foreseen in any legal instruments but were added by Member States acting within preparatory bodies of the Council, in particular the test on the exchange of SIRENE forms.
(11) The tests should be organised, defined and executed by the Management Authority assisted by the Member States.
(12) Given that Regulation (EC) No 1987/2006 builds upon the Schengen
acquis
, Denmark, in accordance with Article 5 of the Protocol on the position of Denmark annexed to the Treaty on European Union and the Treaty establishing the European Community, notified by letter of 15 June 2007 the transposition of this
acquis
into its national law. Denmark participates in Decision 2007/533/JHA. It is therefore bound to implement this Decision.
(13) The United Kingdom is taking part in this Decision to the extent that it does not concern the exchange of supplementary information in relation to Articles 24 and 25 of Regulation (EC) No 1987/2006, in accordance with Article 5 of the Protocol on the Schengen
acquis
integrated into the framework of the European Union annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union, and Article 8(2) of Council Decision 2000/365/EC(12).
(14) Ireland is taking part in this Decision to the extent that it does not concern the exchange of supplementary information in relation to Articles 24 and 25 of Regulation (EC) No 1987/2006, in accordance with Article 5 of the Protocol on the Schengen
acquis
integrated into the framework of the European Union annexed to the Treaty on European Union and the Treaty on the Functioning of the European Union, and Article 6(2) of Council Decision 2002/192/EC(13).
(15) As regards Cyprus, this Decision constitutes an act building upon the Schengen
acquis
or otherwise related to it within the meaning of Article 3(2) of the 2003 Act of Accession.
(16) As regards Croatia, this Decision constitutes an act building upon the Schengen
acquis
or otherwise related to it within the meaning of Article 4(1) of the 2012 Act of Accession.
(17) As regards Iceland and Norway, this Decision constitutes a development of provisions of the Schengen
acquis
within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen
acquis
(14), which fall within the area referred to in Article 1, point G of Council Decision 1999/437/EC(15).
(18) As regards Switzerland, this Decision constitutes a development of provisions of the Schengen
acquis
within the meaning of the Agreement signed between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen
acquis
(16), which falls within the area referred to in Article 1, point G of Decision 1999/437/EC read in conjunction with Article 4(1) of Council Decision 2004/860/EC(17).
(19) As regards Liechtenstein, this Decision constitutes a development of provisions of the Schengen
acquis
within the meaning of the Protocol signed between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen
acquis
(18), which fall within the area referred to in Article 1, point G, of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EU(19).
(20) The measures provided for in this Decision are in accordance with the opinion of the Committee set up by Article 51 of Regulation (EC) No 1987/2006 and Article 67 of Decision 2007/533/JHA,
HAS ADOPTED THIS DECISION:
Article 1
1. Before integrating into the second generation Schengen Information System (SIS II), Member States shall conduct and undergo the tests and test procedure set out in the Annex to this Decision.
2. Member States which intend to implement a substantial change in their N.SIS II or SIRENE application shall request the Management Authority to determine which of the tests among those set out in the Annex to this Decision have to be performed and undergo the test procedure set out in the Annex to this Decision. The Member States concerned shall not implement those changes before the tests have been successfully performed.
Article 2
This Decision is addressed to the Member States.
Done at Brussels, 16 March 2015.
For the Commission
Dimitris AVRAMOPOULOS
Member of the Commission
(1)
OJ L 381, 28.12.2006, p. 4
.
(2)
OJ L 205, 7.8.2007, p. 63
.
(3)
OJ L 239, 22.9.2000, p. 19
.
(4) Council Regulation (EC) No 189/2008 of 18 February 2008 on the tests of the second generation Schengen Information System (SIS II) (
OJ L 57, 1.3.2008, p. 1
).
(5) Council Decision 2008/173/JHA of 18 February 2008 on the tests of the second generation Schengen Information System (SIS II) (
OJ L 57, 1.3.2008, p. 14
).
(6) Council Regulation (EC) No 1104/2008 of 24 October 2008 on migration from the Schengen Information System (SIS 1+) to the second generation Schengen Information System (SIS II) (
OJ L 299, 8.11.2008, p. 1
).
(7) Council Decision 2008/839/JHA of 24 October 2008 on migration from the Schengen Information System (SIS 1+) to the second generation Schengen Information System (SIS II) (
OJ L 299, 8.11.2008, p. 43
).
(8) Council Regulation (EU) No 1273/2012 of 20 December 2012 on migration from the Schengen Information System (SIS 1+) to the second generation Schengen Information System (SIS II) (
OJ L 359, 29.12.2012, p. 32
).
(9) Council Regulation (EU) No 1272/2012 of 20 December 2012 on migration from the Schengen Information System (SIS 1+) to the second generation Schengen Information System (SIS II) (
OJ L 359, 29.12.2012, p. 21
).
(10) COM(2014) 713 final and COM(2014) 714 final.
(11) Regulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (
OJ L 286, 1.11.2011, p. 1
).
(12) Council Decision 2000/365/EC of 29 May 2000 concerning the request of the United Kingdom of Great Britain and Northern Ireland to take part in some of the provisions of the Schengen
acquis
(
OJ L 131, 1.6.2000, p. 43
).
(13) Council Decision 2002/192/EC of 28 February 2002 concerning Ireland's request to take part in some of the provisions of the Schengen
acquis
(
OJ L 64, 7.3.2002, p. 20
).
(14)
OJ L 176, 10.7.1999, p. 36
.
(15) Council Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen
acquis
(
OJ L 176, 10.7.1999, p. 31
).
(16)
OJ L 53, 27.2.2008, p. 52
.
(17) Council Decision 2004/860/EC of 25 October 2004 on the signing, on behalf of the European Community, and on the provisional application of certain provisions of the Agreement between the European Union, the European Community and the Swiss Confederation, concerning the Swiss Confederation's association with the implementation, application and development of the Schengen
acquis
(
OJ L 370, 17.12.2004, p. 78
).
(18)
OJ L 160, 18.6.2011, p. 21
.
(19) Council Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation's association with the implementation, application and development of the Schengen
acquis
, relating to the abolition of checks at internal borders and movement of persons (
OJ L 160, 18.6.2011, p. 19
).
ANNEX
‘SIS II TESTS
1. OBJECTIVES
The tests listed hereafter serve to demonstrate that the national system (N.SIS II), the communication infrastructure and the interactions between Central SIS II (C.SIS II) and N.SIS II work in accordance with the technical and functional requirements set out in Regulation (EC) No 1987/2006 and Decision 2007/533/JHA.
Moreover, those SIS II tests are also to demonstrate that N.SIS II, the communication infrastructure and the interactions between C.SIS II and the N.SIS II can work in accordance with non-functional requirements such as robustness, availability and performance set out in Regulation (EC) No 1987/2006 and Decision 2007/533/JHA.
2. PROCESS, DETAILED SCOPE AND ORGANISATION OF SIS II TESTS
The sequence of tests, their objective, scope (depending on the national implementation) and organisation is as follows.
2.1.
Connectivity tests
are the first phase of tests which address the testing of the connectivity and resilience of the SIS II communication infrastructure.
2.2.
National compliance tests
are the second phase of tests which address the testing of the compliance of N.SIS II to the specifications described in the reference version of the Interface Control Document (ICD).
2.3. Local National Interfaces (
LNI
)/Back-up Local National Interface
(BLNI) tests
are the third phase of the tests which address the connectivity and the resilience of the SIS II communication infrastructure with the aim of testing the correct functioning and resilience of the N.SIS II behind both the LNI and the BLNI, if a Member State has a BLNI.
2.4.
Global tests
are the fourth phase of the tests which address proper functioning of the N.SIS II against the valid ICD specification under similar conditions and with the involvement of other countries connected to SIS II, as required during the daily operations. They are split into two distinct phases:
2.4.1. Member State Tests
During this test phase all established Member States which are connected to SIS II already have to demonstrate their capabilities to consume messages from the acceding Member State. The acceding Member State's traffic may be generated by using simulators.
2.4.2. Comprehensive Tests
During this phase the system under test (SUT) will be exposed to traffic(nominal, stress and peak traffic) as can be expected during normal operations. Member States (except the SUT) are replaced by simulators. The aim of this phase is to ensure that the SUT can consume and process all incoming messages and perform normal operations, including resilience testing.
2.5.
ITSM tests
are the fifth phase of the tests which address the organisation of IT Service Management, including the operation and communication procedures via communication systems such as the SIS II SPoC mail, eOPM, SM7.
2.6.
SIRENE connectivity tests
are the sixth phase of the tests which address connectivity and resilience of the SIRENE Mail infrastructure and check the basic functioning of the mailboxes through simulating basic traffic.
2.7.
SIRENE functional tests
are the seventh phase of the tests which will address the functioning of the national SIRENE technical solution and exchange of information between SIRENE Bureaux through forms sent via the SIRENE Mail infrastructure according to the specifications provided for in the SIRENE Manual set out by Commission Implementing Decision (EU) 2015/219(1), entering, modifying, flagging, deleting corresponding alerts in SIS II and attaching/detaching relevant additional information to SIS II alerts.
Other types of tests may be foreseen depending on the legal framework pertaining to the particular Member State intending to integrate to SIS II.
2.8. Coordination of the tests
The European Agency for the operational management of large-scale IT-systems in the area of freedom security and justice (eu-LISA) as the Management Authority coordinates all tests, eu-LISA draws up the test specifications, the test schedule and the final outcome of the tests. Moreover, it will identify, categorise and describe any issues it detects and propose options for solutions.
Member States will assist eu-LISA in the overall performance of all tasks related to the test executions.
2.9. Test documentation
eu-LISA will define the detailed test specifications. It will make available to the Member State involved the draft and final version of test specifications.
2.10. Running the tests
eu-LISA will execute the tests together with the Member State and other relevant stakeholders involved on the basis of the test specifications and in accordance with the schedule agreed together with Member State's experts, and demonstrate that the expected test results as foreseen in the test specifications are met. eu-LISA will provide the C.SIS II test environment for testing purposes, including the SIRENE functional tests, where SIRENE functional tests and corresponding alert modifications can be executed.
2.11. Acceptance of the tests
The verdict on a Member State test can be “passed”, “passed with remark”, “inconclusive”“failed” or “Not tested”/“Not applicable”.
(a) “Passed”:
(i) Actual results are as expected in the “Expected result” description;
(ii) All test conditions and the Test Plan were respected;
(iii) No inconclusive criteria apply.
(b) “Passed with remark”
The conditions listed in point (a) are fulfilled but specific conditions and/or well substantiated reasons caused a unexpected result or event during the test therefore the test passed with remark.
(c) “Inconclusive”: unexpected events independent of the SUT occurred during the test.
(d) “Failed”: one of the criteria for passing the test is not met.
(e) “Not tested”/“Not applicable”
eu-LISA will report on the results of the SIS II tests. It will identify, categorise and describe any issue it detects and propose options for solutions. The Member State's experts will provide all necessary information for the Test Coordination Group to perform its tasks.
Where the test documentation divides the tests into separate phases eu-LISA will inform the Member State of the results of each phase before the start of the following phase.
The acceptance of the tests will be based on reports containing a detailed analysis of the test results and conclusions as to the validation of the Member State's national system (N.SIS II or SIRENE application). If the Member State undergoing testing or eu-LISA considers that the tests could not be successfully completed, this is to be noted in the report. eu-LISA will provide an opinion on the successful completion of the SIS II tests, taking into account the views expressed by the Member State's experts and eu-LISA will submit the test result with its opinion to the relevant formations of the SISVIS Committee for the final approval.
3. INTERFACE CONTROL DOCUMENT (ICD) AND DETAILED TECHNICAL SPECIFICATION (DTS) FOR TESTING
The N.SIS II in each of the countries getting integrated to SIS II will be tested against the latest specifications.
The Detailed Technical Specifications (DTS) prepared by eu-LISA define the functional and non-functional specifications of the C.SIS II.
The ICD prepared by the eu-LISA will define the interface between the C.SIS II and N.SIS II. It contains the technical specifications of the system-to-system interactions in terms of data items and messages passed, protocols used as well as timing and sequencing of events.
Specifications, as provided in the ICD and DTS, will be fixed for a given period and the timing of the update of both systems will be laid down in a release plan that will define the reference version for a given test phase. Issues found during the test campaigns will be reported, analysed and solved in accordance with established operational procedures, taking into account the opinion of the experts of the Member State which is undergoing testing.
4. INTERIM AND FINAL REPORT ON THE RESULTS OF THE TEST PHASES
eu-LISA will draw up, on a regular basis, reports on the status of the tests. The reports will note which test phase is currently being dealt with and whether the Member State has completed, begun or not yet begun any of the phases. If any repercussions for the test timetable are noticeable, they and their cause should be recorded.
On the conclusion of each test phase eu-LISA will draw up a report on the results, any issues it detects and options for solutions. In cases where the Member State undergoing testing or eu-LISA considers that tests could not be successfully completed they will record this fact, stating the reasons, in a separate note.’
(1) Commission Implementing Decision (EU) 2015/219 of 29 January 2015 replacing the Annex to Implementing Decision 2013/115/EU on the SIRENE Manual and other implementing measures for the second generation Schengen Information System (SIS II) (
OJ L 44, 18.2.2015, p. 75
).
Feedback