2025/13

8.1.2025

REGULATION (EU) 2025/13 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

of 19 December 2024

on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, and amending Regulation (EU) 2019/818

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 82(1), point (d), and Article 87(2), point (a), thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national parliaments,

Having regard to the opinion of the European Economic and Social Committee (1),

Acting in accordance with the ordinary legislative procedure (2),

Whereas:

(1) The transnational dimension of serious crime and organised crime and the continuous threat of terrorist attacks on European soil call for action at Union level to adopt appropriate measures to ensure security within an area of freedom, security and justice without internal borders. Information on passengers, such as passenger name records (PNR) and in particular advance passenger information (API), is essential in order to identify high-risk passengers, including those who are not otherwise known to law enforcement authorities, to establish links between members of criminal groups, and to counter terrorist activities.

(2) While Council Directive 2004/82/EC (3) establishes a legal framework for the collection and transfer of API data by air carriers with the aims of improving border control and combating illegal immigration, it also states that Member States can use API data for law enforcement purposes. However, only creating such a possibility leads to several gaps and shortcomings. In particular, it means that, API data are not systematically collected and transferred by air carriers for law enforcement purposes. The possibility to use API data for law enforcement purposes also means that, where Member States acted upon that possibility, air carriers are faced with diverging requirements under national law as regards when and how to collect and transfer API data for those purposes. Those divergences not only lead to unnecessary costs and complications for air carriers, but they are also prejudicial to the Union’s internal security and effective cooperation between the competent law enforcement authorities of the Member States. Moreover, in view of the different nature of the purposes of facilitating border controls and law enforcement, it is appropriate to establish a distinct legal framework for the collection and transfer of API data for each of those purposes.

(3) Directive (EU) 2016/681 of the European Parliament and of the Council (4) lays down rules on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. Under that Directive, Member States are to adopt the necessary measures to ensure that air carriers transfer PNR data, including any API data collected, to the national passenger information unit (PIU) established under that Directive to the extent that they have already collected such data in the normal course of their business. Consequently, that Directive does not ensure the collection and transfer of API data in all cases, as air carriers do not have any business-related reason to collect a full set of such data. Ensuring that PIUs receive API data together with PNR data is important, since the joint processing of such data is needed for the competent authorities of the Member States to be able to effectively prevent, detect, investigate and prosecute terrorist offences and serious crime. In particular, such joint processing allows for the accurate identification of those passengers that might need to be further examined, in accordance with the applicable law, by those authorities. In addition, that Directive does not specify in detail which information constitutes API data. For those reasons, complementary rules should be established requiring air carriers to collect and subsequently transfer a specifically defined set of API data, which requirements should apply to the extent that the air carriers are bound under that Directive to collect and transfer PNR data on the same flight.

(4) It is therefore necessary to establish clear, harmonised and effective rules at Union level on the collection and transfer of API data for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime.

(5) Considering the close relationship between both acts, this Regulation should be understood as complementing the rules provided for in Directive (EU) 2016/681, as interpreted by the Court of Justice of the European Union (CJEU). Therefore, API data are only to be collected and transferred under this Regulation in accordance with the specific requirements set out herein, including as regards the situations and the manner in which that is to be done. However, the rules of that Directive apply in respect of matters not specifically covered by this Regulation, especially regarding the rules on the subsequent processing of the API data received by the PIUs, exchange of information between Member States, conditions of access by the European Union Agency for Law Enforcement Cooperation (Europol), transfers to third countries, retention and depersonalisation, as well as the protection of personal data. Insofar as those rules apply, the rules of that Directive on penalties and the national supervisory authorities apply as well. This Regulation should leave those rules unaffected and should therefore, in particular, be without prejudice to the requirements and safeguards applicable to the processing of API data by the PIUs.

(6) The collection and transfer of API data affect the privacy of individuals and entail the processing of their personal data. In order to fully respect their fundamental rights, in particular the right of respect for private life and the right to the protection of personal data, in accordance with the Charter of Fundamental Rights of the European Union (the ‘Charter’), adequate limits and safeguards should be provided for. For example, any processing of API data and, in particular, API data constituting personal data should remain strictly limited to what is necessary for and proportionate to achieving the objectives pursued by this Regulation. In addition, it should be ensured that the processing of any API data collected and transferred under this Regulation does not lead to any form of discrimination precluded by the Charter.

(7) In view of the complementary nature of this Regulation in relation to Directive (EU) 2016/681, the obligations of air carriers under this Regulation should apply in respect of all flights for which Member States are to require air carriers to transmit PNR data under Directive (EU) 2016/681, irrespective of the place of establishment of the air carriers conducting those flights. Those flights should concern both scheduled and non-scheduled flights, both between Member States and third countries (extra-EU flights), and between several Member States (intra-EU flights) provided that such intra-EU flights will depart from, land on, or make a stop-over on the territory of at least one Member State that has notified its decision to apply Directive (EU) 2016/681 to intra-EU flights in accordance with Article 2(1) of that Directive and in line with the case-law of the CJEU. As regards the intra-EU flights covered by this Regulation, such a targeted approach, enacted in application of Article 2 of Directive (EU) 2016/681 and centred on the demands of effective law enforcement, should also be required in view of the need to ensure compliance with requirements of Union law on the necessity and proportionality of the data processing, the free movement of persons and the abolition of internal border controls. The collection of data from any other civil aircraft operations, such as flight schools, medical flights, emergency flights, as well as from military flights, is not within the scope of this Regulation. This Regulation is without prejudice to the collection of data from such flights as provided for in national law that is compatible with Union law. The Commission should assess the feasibility of a Union scheme obliging operators of private flights to collect and transfer air passenger data.

(8) The obligations on air carriers to collect and transfer API data under this Regulation should include all passengers and crew members on flights into the Union, transit passengers and crew members whose final destination is outside of the Union and any off-duty crew member positioned on a flight by an air carrier in connection with their duties.

(9) Accordingly, given that Directive (EU) 2016/681 does not cover domestic flights that depart and land on the territory of the same Member State without any stop-over in the territory of another Member State or a third country, and in view of the transnational dimension of the terrorist offences and the serious crime covered by this Regulation, such flights should not be within the scope of this Regulation either. This Regulation should not be understood as affecting the possibility for Member States to provide, under their national law and in compliance with Union law, for obligations on air carriers to collect and transfer API data on such domestic flights.

(10) In view of the close relationship between Union legal acts concerned and in the interest of consistency and coherence, the definitions set out in this Regulation should, where appropriate, be aligned with, interpreted and applied in the light of, the definitions set out in Directive (EU) 2016/681 and Regulation (EU) 2025/12 of the European Parliament and of the Council (5).

(11) In particular, the items of information that together constitute the API data to be collected and subsequently transferred under this Regulation should be listed clearly and exhaustively, covering both information relating to each passenger and crew member and information on the flight of that passenger and crew member. Under this Regulation, and in accordance with international standards, such flight information should cover seating and baggage information, where such information is available, and information on the border crossing point of entry into the territory of the Member State concerned only where applicable, not when the API data relate to intra-EU flights. Where baggage or seat information is available within other IT systems that the air carrier, its handler, its system provider or the airport authority has at its disposal, air carriers should integrate that information in the API data to be transferred to the PIUs. API data as defined and regulated under this Regulation do not include biometric data.

(12) In order to enable travelling without carrying a travel document where Member States allow such practice under national law in accordance with Union law, including on the basis of an international agreement, it should be possible for a Member State to impose an obligation on air carriers to provide the possibility for passengers to voluntarily upload API data by automated means and to have such data stored by the air carrier with a view to transferring the data for the purpose of future flights.

(13) In order to allow for flexibility and innovation, it should in principle be left to each air carrier to determine how it meets its obligations regarding the collection of API data set out in this Regulation, taking into account the different types of air carrier as defined in this Regulation and their respective business models, including as regards check-in times and cooperation with airports. However, considering that suitable technological solutions exist that allow certain API data to be collected automatically while ensuring that the API data concerned are accurate, complete and up to date, and having regard to the advantages of the use of such technology in terms of effectiveness and efficiency, air carriers should be required to collect such API data using automated means, by reading information from the machine-readable data of the travel document. Where the use of such automated means is not technically possible in exceptional circumstances, air carriers should exceptionally collect the API data manually, either as part of the online check-in process or as part of the check-in at the airport, in such a manner as to ensure compliance with their obligations under this Regulation.

(14) The collection of API data by automated means should be strictly limited to the alphanumerical data contained in the travel document and should not lead to the collection of any biometric data from it. As the collection of API data is part of the check-in process, either online or at the airport, this Regulation does not include an obligation for air carriers to check a travel document of the passenger at the moment of boarding. Compliance with this Regulation does not include any obligation for passengers to carry a travel document at the moment of boarding. This should be without prejudice to obligations stemming from other Union legal acts or national law that is compatible with Union law.

(15) The collection of API data from travel documents should also be consistent with the International Civil Aviation Organisation (ICAO) standards on machine-readable travel documents, which have been incorporated into Union law by means of Regulation (EU) 2019/1157 of the European Parliament and of the Council (6), Council Regulation (EC) No 2252/2004 (7) and Council Directive (EU) 2019/997 (8).

(16) In order to avoid a situation in which air carriers have to establish and maintain multiple connections with the PIUs of the Member States for the transfer of API data collected under this Regulation, and thereby avoid the related inefficiencies and security risks, provision should be made for a single router, created and operated at Union level in accordance with this Regulation and Regulation (EU) 2025/12, that serves as a connection and distribution point for those transfers. In the interest of efficiency and cost effectiveness, the router should, to the extent technically possible and in full compliance with the rules of this Regulation and Regulation (EU) 2025/12, rely on technical components from other relevant systems created under Union law, in particular the web service referred to in Regulation (EU) 2017/2226 of the European Parliament and of the Council (9), the carrier gateway referred to in Regulation (EU) 2018/1240 of the European Parliament and of the Council (10) and the carrier gateway referred to in Regulation (EC) No 767/2008 of the European Parliament and of the Council (11). In order to reduce the impact on air carriers and ensure a harmonised approach towards air carriers, the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), established by Regulation (EU) 2018/1726 of the European Parliament and of the Council (12) should design the router, to the extent technically and operationally possible, in a way that is coherent and consistent with the obligations for air carriers set out in Regulations (EC) No 767/2008, (EU) 2017/2226 and (EU) 2018/1240.

(17) With the aim of ensuring the readability of PNR data by the PIUs and the proper functioning of their PNR systems, the digital messages sent by an air carrier containing one or several passenger name records (‘PNR messages’), should be transferred by air carriers and transmitted by the router in a standardised format by means of standardised data fields or codes, in terms of both content and structure. Before the router starts operations in relation to other PNR data, the tests to be conducted by eu-LISA, should ensure the capability, speed and reliability of the router to provide for such standardisation. To that end, the Commission should take the steps necessary to revise existing implementing legislation adopted pursuant to Article 16 of Directive (EU) 2016/681 setting out common protocols and supported data formats. Such revision should be carried out in close consultation with representatives of the Member States in order to draw on their expertise and guarantee that the best practices they have developed when implementing Directive (EU) 2016/681 at national level are taken into account at Union level for the functioning of the router. The API-PNR Contact Group should support such revision.

(18) In order to improve the efficiency of the transmission of air traffic data and support the monitoring of the API data transmitted to PIUs, the router should receive real-time flight traffic information collected by other organisations, such as the European Organisation for the Safety of Air Navigation (‘Eurocontrol’).

(19) The router should serve only to facilitate the transfer of API data and other PNR data from the air carriers to the PIUs in accordance with this Regulation, and should not be a repository of API data or other PNR data. Therefore, and in order to minimise any risk of unauthorised access or other misuse and in accordance with the principle of data minimisation, no storage should take place unless strictly necessary for technical purposes related to the transmission and the API data or other PNR data should be deleted from the router, immediately, permanently and in an automated manner, from the moment that the transmission has been completed or, where relevant under this Regulation, the API data or other PNR data are not to be transmitted at all.

(20) In order to allow air carriers to benefit as soon as possible from the advantages offered by the use of the router developed by eu-LISA in accordance with this Regulation and Regulation (EU) 2025/12, and to gain experience in using it, air carriers should be provided with the possibility, but not the obligation, to use the router to transfer the information that they are required to transfer under Directive 2004/82/EC during an interim period. That interim period should commence at the moment at which the router starts operations and end when the obligations under that Directive cease to apply. With a view to ensuring that any such voluntary use of the router takes place in a responsible manner, the prior written agreement of the Member State that is to receive the information should be required, upon request of the air carrier and after that Member State having conducted verifications and obtained assurances, as necessary. Similarly, in order to avoid a situation in which air carriers repeatedly start and stop using the router, once an air carrier starts such use on a voluntary basis, it should be required to continue it, unless there are objective reasons to discontinue the use of the router for the transfer of the information to the Member State concerned, such as it having become apparent that the information is not transferred in a lawful, secure, effective and swift manner. In the interest of the proper application of the possibility of voluntarily using the router, with due regard to the rights and interests of all affected parties, the necessary rules on consultations and the provision of information should be provided for in this Regulation. Any such voluntary use of the router in application of Directive 2004/82/EC as provided for in this Regulation should not be understood as affecting in any way the obligations of air carriers and Member States under that Directive.

(21) The requirements set out in this Regulation and the corresponding delegated and implementing acts should lead to the uniform implementation of this Regulation by the air carriers, thereby minimising the cost of the interconnection of their respective systems. To facilitate the harmonised implementation of those requirements by the air carriers, in particular as regards the data structure, format and transmission protocol, the Commission, on the basis of its cooperation with the PIUs, other Member States authorities, air carriers, and relevant Union agencies, should ensure that the practical handbook to be prepared by the Commission provides all the necessary guidance and clarifications.

(22) In order to enhance the quality of API data, the router to be established under this Regulation should verify whether the API data transferred to it by the air carriers comply with the supported data formats. Where the verification determines that the data are not compliant with those data formats, the router should, immediately and in an automated manner, notify the air carrier concerned.

(23) Passengers should have the possibility to provide certain API data themselves by automated means during an online check-in process, for example via a secure application on a passenger’s smartphone, a computer or a webcam with the capability to read the machine-readable data of the travel document. Where passengers do not check in online, air carriers should provide them with the possibility to provide the required machine-readable API data during check-in at the airport with the assistance of a self-service kiosk or of air carriers’ staff at the check-in counter. Without prejudice to air carriers’ freedom to set air fares and define their commercial policy, it is important that the obligations under this Regulation do not lead to disproportionate obstacles for passengers unable to use online means to provide API data, such as additional fees for providing API data at the airport. In addition, this Regulation should provide for a transitional period during which passengers are given the possibility to provide API data manually as part of the online check-in process. In such cases, air carriers should use data verification techniques.

(24) It is important that automated data collection systems and other processes established under this Regulation do not have a negative impact on the employees in the aviation industry, who are to be provided with upskilling and reskilling opportunities that would increase the efficiency and reliability of data collection and transfer as well as the working conditions in the sector.

(25) In order to ensure the joint processing of API data and PNR data to effectively fight terrorism and serious crime in the Union and at the same time minimise the interference with passengers’ fundamental rights protected under the Charter, the PIUs should be the competent authorities in the Member States that are entrusted to receive, and subsequently further process and protect, API data collected and transferred under this Regulation. In the interest of efficiency and to minimise any security risks, the router, as designed, developed, hosted and technically maintained by eu-LISA in accordance with this Regulation and Regulation (EU) 2025/12, should transmit the API data, collected and transferred to it by the air carriers under this Regulation, to the relevant PIUs. Given the necessary level of protection of API data constituting personal data, including to ensure the confidentiality of the information concerned, the API data should be transmitted by the router to the relevant PIUs in an automated manner. This Regulation should not affect the possibility for Member States to provide for a single data entry point that ensures their connection to and integration with the router.

(26) With a view to ensuring the fulfilment of the rights provided for under the Charter, as well as ensuring accessible and inclusive travel options, especially for vulnerable groups and persons with disabilities, and in accordance with the rights of disabled persons and persons with reduced mobility when travelling by air set out in Regulation (EC) No 1107/2006 of the European Parliament and of the Council (13), air carriers, supported by the Member States, should ensure that an option for the provision of the necessary data by passengers at the airport is available at all times.

(27) For extra-EU flights, the PIU of the Member State on whose territory the flight will land or from whose territory the flight will depart should receive the API data from the router for all those flights for which PNR data are collected in accordance with Directive (EU) 2016/681. The router should identify the flight and the corresponding PIUs using the information contained in the PNR record locator, a data element common to both the API data sets and the PNR data sets allowing for the joint processing of API data and PNR data by the PIUs.

(28) As regards intra-EU flights, in line with the case-law of the CJEU, in order to avoid unduly interfering with passengers’ relevant fundamental rights as protected under the Charter and to ensure compliance with the requirements of Union law on the free movement of persons and the abolition of internal border controls, a selective approach should be provided for. In view of the importance of ensuring that API data can be processed together with PNR data, that approach should be aligned with that of Directive (EU) 2016/681. For those reasons, API data on those flights should only be transmitted from the router to the relevant PIUs, where the Member States have selected the flights concerned in application of Article 2 of Directive (EU) 2016/681 and in accordance with the selective approach provided for in this Regulation. Only in situations of a genuine and present or foreseeable terrorist threat and on the basis of a decision that is based on a threat assessment, limited in time to what is strictly necessary and that is open to effective review, Member States should be able to apply Directive (EU) 2016/681 to all intra-EU flights arriving at or departing from its territory. In other situations, a selective approach should be provided for. As recalled by the CJEU, the selection entails Member States targeting the obligations in question only at, inter alia, certain routes, travel patterns or airports, subject to the regular review of that selection. Furthermore, the selection should be based on an objective, duly reasoned and non-discriminatory assessment that takes into account only criteria which are relevant for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, having an objective link, including an indirect link, with the carriage of passengers by air. Member States should keep all relevant documentation related to the assessment in order to allow for proper supervision and review their assessment regularly and at least every 12 months in line with Article 13(7) of this Regulation.

(29) In order to enable the application of the selective approach under this Regulation in respect of intra-EU flights, the Member States should be required to draw up lists of the flights or routes they selected and insert them into the router, so that eu-LISA can ensure that only API data for those flights or routes is transmitted from the router to the relevant PIUs and that the API data on other intra-EU flights is immediately and permanently deleted.

(30) In order to increase cohesion among the selective approaches taken by the different Member States, the Commission should facilitate a regular exchange of views on the choice of selection criteria, including the sharing of best practices, as well as, on a voluntary basis, the exchange of information on selected flights.

(31) In order not to endanger the effectiveness of the system that relies on the collection and transfer of API data set up by this Regulation, and of PNR data under the system set up by Directive (EU) 2016/681, for the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime, in particular by creating the risk of circumvention, information on which intra-EU flights the Member States selected should be treated in a confidential manner. For that reason, such information should not be shared with the air carriers and they should therefore be required to collect API data on all flights covered by this Regulation, including all intra-EU flights, and then transfer it to the router, where the necessary selection should be implemented. Moreover, by collecting API data on all intra-EU flights, passengers are not made aware on which selected intra-EU flights API data, and hence also PNR data, is transmitted to the PIUs in accordance with the assessment of Member States. That approach also ensures that any changes relating to that selection can be implemented swiftly and effectively, without imposing any undue economic and operational burdens on the air carriers.

(32) This Regulation does not permit the collection or transfer of API data on intra-EU flights for the purpose of combating illegal immigration, in accordance with Union law and the case-law of the CJEU.

(33) In the interest of ensuring compliance with the fundamental right to protection of personal data, this Regulation should identify the controller and processor and set out rules on audits. In the interest of effective monitoring, ensuring adequate protection of personal data and minimising security risks, rules should also be provided for on logging, security of processing and self-monitoring. Where they relate to the processing of personal data, those provisions should be in line with the generally applicable Union legal acts on the protection of personal data, in particular Regulations (EU) 2016/679 (14) and (EU) 2018/1725 (15) of the European Parliament and the Council.

(34) Without prejudice to more specific rules laid down in this Regulation for the processing of personal data, Regulation (EU) 2016/679 should apply to the processing of personal data by air carriers under this Regulation. Directive (EU) 2016/680 of the European Parliament and of the Council (16) should apply to the processing of personal data under this Regulation by national competent authorities, as defined in that directive, for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. Regulation (EU) 2018/1725 should apply to the processing of personal data by eu-LISA when carrying out its responsibilities under this Regulation.

(35) Taking into account the right of passengers to be informed of the processing of their personal data, Member States should ensure that passengers are provided with accurate information about the collection of API data, the transfer of such data to the PIU and their rights as data subjects that is easily accessible and easy to understand, at the moment of booking and at the moment of check-in.

(36) The personal data protection audits that Member States are responsible for should be carried out by the independent supervisory authorities referred to in Article 41 of Directive (EU) 2016/680 or by an auditing body entrusted with this task by the supervisory authority.

(37) The purposes of the processing operations under this Regulation, namely the transmission of API data from air carriers via the router to the PIUs of the Member States, are to assist those authorities in the performance of their obligations and tasks in accordance with Directive (EU) 2016/681. Therefore, Member States should designate authorities to be controllers for the processing of the data in the router, the transmission of the data from the router to the PIU, and the subsequent processing of those data in accordance with Directive (EU) 2016/681. Member States should communicate those authorities to the Commission and eu-LISA. For the processing of personal data in the router, Member States should be joint controllers in accordance with Article 21 of Directive (EU) 2016/680. The air carriers, in turn, should be separate controllers with regard to the processing of API data constituting personal data under this Regulation. On this basis, both the air carriers and the PIUs should be separate controllers with regard to the processing operations for API data under this Regulation. As eu-LISA is responsible for the design, development, hosting and technical management of the router, it should be the processor for the processing of API data constituting personal data via the router, including the transmission of the data from the router to the PIUs and the storage of those data on the router insofar as such storage is needed for technical purposes.

(38) The router to be created and operated under this Regulation and Regulation (EU) 2025/12 should reduce and simplify the technical connections needed to transfer API data under this Regulation, limiting them to a single connection per air carrier and per PIU. Therefore, this Regulation should provide for the obligation for the PIUs and air carriers to each establish such a connection to, and achieve the required integration with, the router, to ensure that the system for transferring API data established by this Regulation can function properly. The design and development of the router by eu-LISA should enable the effective and efficient connection and integration of air carriers’ systems and infrastructure by providing for all relevant standards and technical requirements. To ensure the proper functioning of the system set up by this Regulation, detailed rules should be provided. When designing and developing the router, eu-LISA should ensure that API data and other PNR data transferred by air carriers and transmitted to PIUs are encrypted in transit.

(39) In view of the Union interests at stake, all the costs incurred by eu-LISA for the performance of its tasks under this Regulation in respect of the router should be borne by the Union budget, including the design and development of the router, the hosting and technical management of the router, and the governance structure at eu-LISA to support the design, development, hosting and technical management of the router. The same might apply for the costs incurred by the Member States in relation to their connections to, and integration with, the router and their maintenance, as required under this Regulation, in accordance with the applicable Union law. It is important that the Union budget provides appropriate financial support to the Member States for those costs. To that end, the financial needs of the Member States should be supported by the general budget of the Union, in accordance with the eligibility rules and co-financing rates set by the relevant Union legal acts. The annual Union contribution allocated to eu-LISA should cover the needs related to the hosting and the technical management of the router based on an assessment carried out by eu-LISA. The Union budget should also cover the support, such as training, provided by eu-LISA to air carriers and PIUs to enable effective transfer and transmission of API data through the router. The costs incurred by the independent national supervisory authorities in relation to the tasks entrusted to them under this Regulation should be borne by the respective Member States.

(40) In accordance with Regulation (EU) 2018/1726, Member States can entrust eu-LISA with the task of facilitating connectivity with air carriers in order to assist Member States in the implementation of Directive (EU) 2016/681, particularly by collecting and transferring PNR data via a router. To that end, and for reasons of cost effectiveness and efficiency for both Member States and air carriers, this Regulation should require air carriers to use the router for the transfer to the databases of their respective PIUs of other PNR data covered by Directive (EU) 2016/681, as part of national measures implementing the provision of that Directive on the obligation for Member States to ensure that air carriers transfer, by the ‘push method’, PNR data to the relevant PIUs.

(41) In order to ensure that the data at issue are processed in a lawful, secure, effective and swift manner, the rules established by this Regulation in relation to the router and to the transmission of API data from the router to the PIUs should also apply accordingly to other PNR data. Those rules also include the obligations of this Regulation regarding the transfer and transmission of data in connection to intra-EU flights, in line with the case-law of the CJEU, as well as regarding the air carriers’ and the PIU’s connections to the router. As regards the rules on the timing of the transfers, the transmission protocols and the data formats in which the PNR messages are to be transferred to the router, the relevant provisions of Directive (EU) 2016/681 apply.

(42) It is appropriate to clarify that the use of the router in connection to other PNR data affects only the manner in which those data are transferred and transmitted to the databases of the PIUs of the Member States concerned. The obligations of this Regulation regarding the collection of API data are not applicable in respect of all those other PNR data. Such collection should instead continue to be regulated solely by Directive (EU) 2016/681, only to the extent that air carriers have already collected such data in the normal course of their business within the meaning of the relevant provision of that Directive. Moreover, as is the case for API data collected by air carriers and transferred to the PIUs in accordance with this Regulation, the rules of that Directive in respect of matters not specifically covered by this Regulation, especially the rules on the subsequent processing of other PNR data received by the PIUs, should be left unaffected. Therefore, those rules continue to apply in respect of such data.

(43) It cannot be excluded that, due to exceptional circumstances and despite all reasonable measures having been taken in accordance with this Regulation, the central infrastructure or one of the technical components of the router, or the communication infrastructures connecting the PIUs and the air carriers thereto fail to function properly, thus leading to a technical impossibility for air carriers to transfer, or for PIUs to receive, API data. Given the unavailability of the router and that it will generally not be reasonably possible for air carriers to transfer the API data affected by the failure in a lawful, secure, effective and swift manner through alternative means, the obligation for air carriers to transfer such API data to the router should cease to apply for as long as the technical impossibility persists. However, to ensure the availability of API data necessary for the prevention, detection, investigation and prosecution of terrorist offences and serious crime, air carriers should continue to collect and store API data so that they can be transferred as soon as the technical impossibility has been resolved. In order to minimise the duration and negative consequences of any technical impossibility, the parties concerned should in such a case immediately inform each other and immediately take all measures necessary to address the technical impossibility. This arrangement should be without prejudice to the obligations under this Regulation of all parties concerned to ensure that the router and their respective systems and infrastructure function properly, as well as to the fact that air carriers are subject to penalties if they fail to meet those obligations, including in cases where they seek to rely on this arrangement where such reliance is not justified. In order to deter such abuse and to facilitate supervision and, where necessary, the imposition of penalties, air carriers that rely on this arrangement on account of the failure of their own system and infrastructure should report thereon to the competent supervisory authority.

(44) Where air carriers maintain direct connections to PIUs for the transfer of API data, those connections can constitute appropriate means, ensuring the necessary level of data security, to transfer API data directly to the PIUs where it is technically impossible to use the router. PIUs should be able, in the exceptional case of technical impossibility to use the router, to request air carriers to use such appropriate means, which does not imply an obligation on air carriers to maintain or introduce such direct connections or any other appropriate means, ensuring the necessary level of data security, to transfer API data directly to the PIUs. The exceptional transfer of API data by any other appropriate means, such as encrypted email or a secure web portal, and excluding the use of non-standard electronic formats, should ensure the necessary level of data security, data quality and data protection. API data received by the PIUs by such other appropriate means should be further processed in accordance with the rules and data protection safeguards set out in Directive (EU) 2016/681. Following the notification from eu-LISA that the technical impossibility has been successfully addressed, and where it is confirmed that the transmission of the API data through the router to the PIU has been completed, the PIU should immediately delete the API data they previously received by any other appropriate means. That deletion should not affect specific cases where the API data that PIUs received by any other appropriate means has meanwhile been further processed in accordance with Directive (EU) 2016/681 for the specific purposes of preventing, detecting, investigating or prosecuting terrorist offences or serious crime.

(45) In order to ensure that the rules of this Regulation are applied effectively by air carriers, provision should be made for the designation and empowerment of national authorities as national API supervision authorities charged with monitoring the application of those rules. Member States can designate their PIUs as national API supervision authorities. The rules of this Regulation on such monitoring, including as regards the imposition of penalties where necessary, should leave the tasks and powers of the supervisory authorities established in accordance with Regulation (EU) 2016/679 and Directive (EU) 2016/680 unaffected, including in relation to the processing of personal data under this Regulation.

(46) Effective, proportionate and dissuasive penalties, which include financial as well as non-financial penalties, should be provided for by Member States against those air carriers failing to meet their obligations under this Regulation, including on the collection of API data by automated means and the transfer of the data in accordance with the required time frames, formats and protocols. In particular, Member States should ensure that a recurrent failure on the part of air carriers as legal persons to comply with their obligation to transfer any API data to the router in accordance with this Regulation is subject to proportionate financial penalties of up to 2 % of the air carrier’s global turnover of the preceding financial year. In addition, Member States should be able to apply penalties, including financial penalties, to air carriers for other forms of non-compliance with obligations under this Regulation.

(47) When providing for rules on the penalties applicable to air carriers under this Regulation, Member States could take into account the technical and operational feasibility of ensuring complete data accuracy. Additionally, when penalties are imposed, their application and value should be established. National API supervision authorities could take into consideration the actions undertaken by the air carrier to mitigate the issue as well as its level of cooperation with national authorities.

(48) As the router should be designed, developed, hosted and technically managed by the eu-LISA, it is necessary to amend Regulation (EU) 2018/1726 by adding that task to the tasks of eu-LISA. In order to store reports and statistics of the router on the Central Repository for Reporting and Statistics (CRRS) established by Regulation (EU) 2019/818 of the European Parliament and of the Council (17), it is necessary to amend that Regulation. In order to support the enforcement of this Regulation by the national API supervision authority, it is necessary that the amendments to Regulation (EU) 2019/818 include provisions on statistics on whether the API data are accurate and complete, for example by indicating whether the data were collected by automated means. It is also important to collect reliable and useful statistics concerning the implementation of this Regulation in order to support its objectives and inform the evaluations under this Regulation. At the request of the Commission, eu-LISA should provide it with statistics on specific aspects related to the implementation of this Regulation, such as aggregated statistics on the transmission of API data to the PIUs. Such statistics should not contain any personal data. Therefore, the CRRS should provide statistics based on API data only for the implementation and effective monitoring of the application of this Regulation. The data that the router automatically transmits to the CRRS to that end should not allow for the identification of the passengers concerned.

(49) In order to increase clarity and legal certainty, to contribute to ensuring data quality, ensuring the responsible use of the automated means for the collection of machine-readable API data under this Regulation and ensuring the manual collection of API data in exceptional circumstances and during the transitional period, to provide clarity on the technical requirements that are applicable to air carriers and that are needed to ensure the API data that they collected under this Regulation are transferred to the router in a secure, effective and swift manner and so that it does not impact passengers’ travel and air carriers more than necessary, and to ensure that inaccurate or incomplete data or data that are no longer up to date are corrected, completed or updated, the power to adopt acts in accordance with Article 290 of the Treaty on the Functioning of the European Union (TFEU) should be delegated to the Commission to terminate the transitional period for the manual collection of API data; to adopt measures relating to the technical requirements and operational rules with which air carriers should comply with regard to the use of automated means for the collection of machine-readable API data under this Regulation and for the manual collection of API data in exceptional circumstances and during the transitional period, including requirements for data security; to lay down detailed rules on the common protocols and supported data formats to be used for the encrypted transfers of API data to the router, including requirements for data security; and to lay down detailed rules on correcting, completing and updating API data. It is of particular importance that the Commission carry out appropriate consultations with relevant stakeholders, including air carriers, during its preparatory work, including at expert level, and that those consultations be conducted in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making (18). In particular, to ensure equal participation in the preparation of delegated acts, the European Parliament and the Council receive all documents at the same time as Member States’ experts, and their experts systematically have access to meetings of Commission expert groups dealing with the preparation of delegated acts. Taking into account the state of the art, those technical requirements and operational rules might change over time.

(50) In order to ensure uniform conditions for the implementation of this Regulation, namely as regards the start of operations of the router, the technical and procedural rules for the data verifications and notifications, the technical and procedural rules for the transmission of API data from the router to the PIUs in a way that ensures that the transmission is secure, effective and swift and impacts passengers’ travel and air carriers no more than necessary, and the PIUs’ connections to and integration with the router, and to specify the responsibilities of the Member States as joint controllers, such as regards the identification and management of security incidents, including of personal data breaches, and the relationship between the joint controllers and eu-LISA as the processor, including the assistance of eu-LISA to the controllers with appropriate technical and organisational measures, insofar as it is possible, for the fulfilment of the controller’s obligations to respond to requests for exercising the data subject’s rights, implementing powers should be conferred on the Commission. Those powers should be exercised in accordance with Regulation (EU) No 182/2011 of the European Parliament and of the Council (19).

(51) All interested parties, and in particular the air carriers and the PIUs, should be afforded sufficient time to make the preparations necessary to be able to meet their respective obligations under this Regulation, taking into account that some of those preparations, such as those regarding the obligations on the connection to and integration with the router, can be finalised only when the design and development phases of the router have been completed and the router starts operations. Therefore, this Regulation should apply only from an appropriate date after the date on which the router starts operations, as specified by the Commission in accordance with this Regulation and Regulation (EU) 2025/12. However, it should be possible for the Commission to adopt delegated and implementing acts under this Regulation already from an earlier date, so as to ensure that the system set up by this Regulation is operational as soon as possible.

(52) The design and development phases of the router established under this Regulation and Regulation (EU) 2025/12 should be commenced and completed as soon as possible so that the router can start operations as soon as possible, which also requires the adoption of the relevant implementing acts provided for by this Regulation. For the smooth and effective development of those phases, a dedicated Programme Management Board should be established with the function to supervise eu-LISA on fulfilling its tasks during those phases. It should cease to exist two years after the router has started its operations. In addition, a dedicated advisory body, the API-PNR Advisory Group, should be created in accordance with Regulation (EU) 2018/1726, with the objective of providing expertise to eu-LISA and to the Programme Management Board on the design and development phases of the router, as well as to eu-LISA on the hosting and management of the router. The Programme Management Board and the API-PNR Advisory Group should be established and operated following the models of existing programme management boards and advisory groups.

(53) The clarification provided by this Regulation regarding the application of specifications concerning the use of automated means in application of Directive 2004/82/EC should also be provided without delay. Therefore, the provisions on those matters should apply from the date of the entry into force of this Regulation. In addition, in order to allow for the voluntary use of the router as soon as possible, the provisions on such use, as well as certain other provisions needed to ensure that such use takes place in a responsible manner, should apply from the earliest possible moment, that is, from the moment at which the router starts operations.

(54) There should be a single governance structure for the purposes of this Regulation and Regulation (EU) 2025/12. With the objective of enabling and fostering communication between the representatives of air carriers, and the representatives of Member States authorities competent under this Regulation and under Regulation (EU) 2025/12 to have API data transmitted from the router, two dedicated bodies should be established at the latest two years after the start of operations of the router. Technical matters related to the usage and functioning of the router should be discussed in the API-PNR Contact Group where eu-LISA representatives should be also present. Policy matters such as in relation to penalties should be discussed in the API Expert Group.

(55) This Regulation should be subject to regular evaluations to ensure the monitoring of its effective application. In particular, the collection of API data should not be to the detriment of the travel experience of legitimate passengers. Therefore, the Commission should include in its regular evaluation reports on the application of this Regulation an assessment of the impact of this Regulation on the travel experience of legitimate passengers. The evaluation should also include an assessment of the quality of the data sent by the router, as well as the performance of the router in respect of the PIUs.

(56) Given that this Regulation requires additional adjustment and administrative costs by air carriers, the overall regulatory burden for the aviation sector should be kept under close review. Against this backdrop, the report evaluating the functioning of this Regulation should assess the extent to which the objectives of this Regulation have been met and the extent to which it has had an impact on the competitiveness of the sector.

(57) The objectives of this Regulation, namely contributing to the prevention, detection, investigation and prosecution of terrorist offences and serious crime, in view of the transnational dimension of the offences concerned and the need to cooperate on a cross-border basis to effectively address them, cannot be sufficiently achieved by the Member States individually, but can rather be better achieved at Union level. The Union may therefore adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union (TEU). In accordance with the principle of proportionality, as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.

(58) This Regulation is without prejudice to the competences of Member States with regard to national law concerning national security, provided that such law complies with Union law.

(59) This Regulation is without prejudice to the competence of Member States to collect, under their national law, passenger data from transportation providers other than those specified in this Regulation, provided that such national law complies with Union law.

(60) In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the TEU and to the TFEU, Denmark is not taking part in the adoption of this Regulation and is not bound by it or subject to its application.

(61) In accordance with Article 3 of the Protocol No 21 on the position of the United Kingdom and Ireland in respect of the area of freedom, security and justice, annexed to the TEU and the TFEU, Ireland has notified its wish to take part in the adoption and application of this Regulation

(62) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered an opinion on 8 February 2023 (20),

HAVE ADOPTED THIS REGULATION:

CHAPTER 1

GENERAL PROVISIONS

Article 1

Subject matter

For the purpose of preventing, detecting, investigating and prosecuting terrorist offences and serious crime, this Regulation lays down the rules on:

(a) the collection of advance passenger information (API) by air carriers on extra-EU flights and intra-EU flights;

(b) the transfer of API data and other PNR data by air carriers to the router;

(c) the transmission of API data and other PNR data from the router to the passenger information units (PIUs) on extra-EU flights and selected intra-EU flights.

This Regulation is without prejudice to Regulation (EU) 2016/679, Regulation (EU) 2018/1725 and Directive (EU) 2016/680.

Article 2

Scope

This Regulation applies to air carriers conducting:

(a) extra-EU flights;

(b) intra-EU flights that will depart from, arrive in or make a stop-over on the territory of at least one Member State that notified the Commission of its decision to apply Directive (EU) 2016/681 to intra-EU flights in accordance with Article 2(1) of that Directive.

Article 3

Definitions

For the purposes of this Regulation, the following definitions apply:

(1) ‘air carrier’ means an air carrier as defined in Article 3, point (1), of Directive (EU) 2016/681;

(2) ‘extra-EU flight’ means any extra-EU flight as defined in Article 3, point (2), of Directive (EU) 2016/681;

(3) ‘intra-EU flight’ means any intra-EU flight as defined in Article 3, point (3), of Directive (EU) 2016/681;

(4) ‘scheduled flight’ means a scheduled flight as defined in Article 3, point (5), of Regulation (EU) 2025/12;

(5) ‘non-scheduled flight’ means a non-scheduled flight as defined in Article 3, point (6), of Regulation (EU) 2025/12;

(6) ‘passenger’ means a passenger as defined in Article 3, point (4), of Directive (EU) 2016/681;

(7) ‘crew’ means any person on board of an aircraft during the flight, other than a passenger, who works on or operates the aircraft, including flight crew and cabin crew;

(8) ‘advance passenger information’ or ‘API data’ means the data and the flight information referred to in Article 4(2) and (3) respectively;

(9) ‘other passenger name record data’ or ‘other PNR data’ means the passenger name record as defined in Article 3, point (5), of Directive (EU) 2016/681, and as listed in Annex I to that Directive, with the exception of point 18 of that Annex;

(10) ‘passenger information unit’ or ‘PIU’ means the passenger information unit, as contained in the Member States’ notifications to the Commission and modifications thereof published by the Commission pursuant to Article 4(5) of Directive (EU) 2016/681;

(11) ‘terrorist offences’ means terrorist offences as referred to in Articles 3 to 12 of Directive (EU) 2017/541 of the European Parliament and the Council (21);

(12) ‘serious crime’ means serious crime as defined in Article 3, point (9), of Directive (EU) 2016/681;

(13) ‘the router’ means the router referred to in Article 9 of this Regulation and in Article 11 of Regulation (EU) 2025/12;

(14) ‘personal data’ means personal data as defined in Article 3, point (1), of Directive (EU) 2016/680, and Article 4, point 1, of Regulation (EU) 2016/679;

(15) ‘real-time flight traffic data’ means information on the inbound and outbound flight traffic of an airport covered by this Regulation.

CHAPTER 2

COLLECTION, TRANSFER, STORAGE AND DELETION OF API DATA

Article 4

Collection of API data by air carriers

1.   Air carriers shall collect the API data of each passenger and crew member on the flights referred to in Article 2 to be transferred to the router in accordance with Article 5. Where the flight is code-shared between air carriers, the obligation to transfer the API data shall be on the air carrier that operates the flight.

2.   The API data shall consist only of the following data relating to each passenger and crew member on the flight:

(a) the surname (family name), first name or names (given names);

(b) the date of birth, sex and nationality;

(c) the type and number of the travel document and the three-letter code of the issuing country of the travel document;

(d) the date of expiry of the validity of the travel document;

(e) the number identifying a passenger name record used by an air carrier to locate a passenger within its information system (PNR record locator);

(f) the seating information corresponding to the seat in the aircraft assigned to a passenger, where such information is available;

(g) the baggage tag number or numbers and the number and weight of checked bags, where such information is available;

(h) a code indicating the method used to capture and validate the data referred to in points (a) to (d).

3.   The API data shall also consist only of the following flight information relating to the flight of each passenger and crew member:

(a) the flight identification number or, where the flight is code-shared between air carriers, the flight identification numbers, or, if no such number exists, other clear and suitable means to identify the flight;

(b) where applicable, the border crossing point of entry into the territory of the Member State;

(c) the code of the airport of arrival or, where the flight is planned to land in one or several airports within the territories of one or more Member States to which this Regulation applies, the codes of the airports of call on the territories of the Member States concerned;

(d) the code of the airport of departure of the flight;

(e) the code of the airport of the initial point of embarkation, where available;

(f) the local date and time of departure;

(g) the local date and time of arrival;

(h) the contact details of the air carrier;

(i) the format used for the transfer of API data.

4.   Air carriers shall collect the API data in a manner that ensures that the API data that they transfer in accordance with Article 5 are accurate, complete and up to date. Compliance with this obligation does not require air carriers to check the travel document at the moment of boarding the aircraft, without prejudice to national law that is compatible with Union law.

5.   This Regulation does not impose an obligation on passengers to carry a travel document when travelling, without prejudice to other Union legal acts or national law that is compatible with Union law.

6.   A Member State may impose an obligation on air carriers to provide the possibility for passengers to voluntarily upload the data referred to in Article 4(2), points (a) to (d), of Regulation (EU) 2025/12 by automated means and to have such data stored by the air carrier with a view to transferring the data for the purpose of future flights in accordance with Article 5 of this Regulation and in a manner compliant with the requirements set out in paragraphs 4, 7 and 8 of this Article. A Member State that imposes such an obligation shall lay down the rules and safeguards on data protection, in accordance with Regulation (EU) 2016/679, including rules on storage period. However, the data shall be deleted where the passenger no longer consents to the storage of the data, or at the latest on the date of expiry of the validity of the travel document.

7.   Air carriers shall collect the API data referred to in paragraph 2, points (a) to (d), using automated means to collect the machine-readable data of the travel document of the passenger concerned. They shall do so in accordance with the detailed technical requirements and operational rules referred to in paragraph 12, once such rules have been adopted and are applicable.

Where air carriers provide an online check-in process, they shall enable passengers to provide the API data referred to in paragraph 2, points (a) to (d), by automated means during that online check-in process. For passengers that do not check in online, air carriers shall enable those passengers to provide those API data by automated means during check-in at the airport with the assistance of a self-service kiosk or of air-carriers’ staff at the counter.

Where the use of automated means is not technically possible, air carriers shall exceptionally collect the API data referred to in paragraph 2, points (a) to (d), manually, either as part of the online check-in or as part of the check-in at the airport, in such a manner as to ensure compliance with paragraph 4.

8.   Any automated means used by air carriers to collect API data under this Regulation shall be reliable, secure and up to date. Air carriers shall ensure that API data are encrypted during the transfer of such data from the passenger to the air carrier.

9.   During a transitional period, and in addition to the automated means referred to in paragraph 7, air carriers shall make it possible for passengers to provide API data manually as part of the online check-in. In such cases, air carriers shall use data verification techniques to ensure compliance with paragraph 4.

10.   The transitional period referred to in paragraph 9 shall not affect the right of air carriers to verify, at the airport prior to the boarding of the aircraft, API data collected as part of the online check-in in order to ensure compliance with paragraph 4, in accordance with the applicable Union law.

11.   The Commission is empowered to adopt, as of the date four years after the start of operations of the router in relation to API data referred to in Article 34, and on the basis of an evaluation of the availability and accessibility of automated means to collect API data, a delegated act in accordance with Article 43 to terminate the transitional period referred to in paragraph 9 of this Article.

12.   The Commission is empowered to adopt delegated acts in accordance with Article 43 to supplement this Regulation by laying down detailed technical requirements and operational rules for the collection of the API data referred to in paragraph 2, points (a) to (d) of this Article, using automated means in accordance with paragraphs 7 and 8 of this Article, and for the manual collection of API data in exceptional circumstances in accordance with paragraph 7 of this Article and during the transitional period referred to in paragraph 9 of this Article. Those technical requirements and operational rules shall include requirements for data security and for using the most reliable automated means available to collect the machine-readable data of a travel document.

Article 5

Obligations for air carriers regarding transfers of API data and other PNR data

1.   Air carriers shall transfer the encrypted API data to the router, by electronic means for the purposes of their transmission to PIUs in accordance with Article 12. Air carriers shall transfer the API data in accordance with the detailed rules referred to in paragraph 4 of this Article, once such rules have been adopted and are applicable.

2.   When adopting measures in accordance with Article 8(1) of Directive (EU) 2016/681, Member States shall require air carriers to transfer any other PNR data they collect in the normal course of their business exclusively to the router, in accordance with the common protocols and data formats set out pursuant to Article 16 of that Directive.

3.   Air carriers shall transfer the API data:

(a) for passengers:

(i) per passenger at the moment of check-in, but not earlier than 48 hours prior to the scheduled flight departure time; and

(ii) for all boarded passengers immediately after flight closure, namely once the passengers have boarded the aircraft in preparation for departure and it is no longer possible for passengers to board or to leave the aircraft;

(b) for all members of the crew immediately after flight closure, namely once the crew is on board the aircraft in preparation for departure and it is no longer possible for them to leave the aircraft.

4.   The Commission is empowered to adopt delegated acts in accordance with Article 43 to supplement this Regulation by laying down the necessary detailed rules on the common protocols and supported data formats to be used for the encrypted transfers of API data to the router referred to in paragraph 1 of this Article, including the transfer of API data at the moment of check-in and requirements for data security. Such detailed rules shall ensure that air carriers transfer API data using the same structure and content.

Article 6

Storage period and deletion of API data

Air carriers shall store, for a period of 48 hours from the moment of receipt by the router of the API data transferred to it in accordance with Article 5(3), point (a)(ii) and point (b), the API data relating to all passengers and crew that they collected pursuant to Article 4. They shall immediately and permanently delete such API data after the expiry of that period, without prejudice to the possibility for air carriers to retain and use the data where necessary for the normal course of their business in compliance with applicable law, and to Article 16(1) and (3).

Article 7

Correcting, completing and updating API data

1.   Where an air carrier becomes aware that data that it stores under this Regulation were processed unlawfully, or do not constitute API data, it shall immediately and permanently delete those data. If those data have been transferred to the router, the air carrier shall immediately inform the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA). Upon receiving such information, eu-LISA shall immediately inform the PIU that received the data transmitted through the router.

2.   Where an air carrier becomes aware that the data that it stores under this Regulation are inaccurate, incomplete or no longer up to date, it shall immediately correct, complete or update those data. This is without prejudice to the possibility for air carriers to retain and use the data where necessary for the normal course of their business in compliance with the applicable law.

3.   Where an air carrier becomes aware after the transfer of API data under Article 5(3), point (a)(i), but before the transfer under Article 5(3), point (a)(ii), that the data it has transferred are inaccurate, the air carrier shall immediately transfer the corrected API data to the router.

4.   Where an air carrier becomes aware, after the transfer of API data under Article 5(3), point (a)(ii) or point (b), that the data it has transferred are inaccurate, incomplete or no longer up to date, the air carrier shall immediately transfer the corrected, completed or updated API data to the router.

5.   The Commission is empowered to adopt delegated acts in accordance with Article 43 to supplement this Regulation by laying down the necessary detailed rules on correcting, completing and updating API data within the meaning of this Article.

Article 8

Fundamental rights

1.   The collection and processing of personal data in accordance with this Regulation and Regulation (EU) 2025/12 by air carriers and competent authorities shall not result in discrimination against persons on the grounds listed in Article 21 of the Charter of Fundamental Rights of the European Union (the ‘Charter’).

2.   This Regulation shall fully respect human dignity and the fundamental rights and principles recognised by the Charter, including the right to respect for one’s private life, to asylum, to the protection of personal data, to freedom of movement and to effective legal remedies.

3.   Particular attention shall be paid to children, the elderly, persons with a disability and vulnerable persons. The best interests of the child shall be a primary consideration when implementing this Regulation.

CHAPTER 3

PROVISIONS RELATING TO THE ROUTER

Article 9

The router

1.   eu-LISA shall design, develop, host and technically manage, in accordance with Articles 25 and 26, a router for the purpose of facilitating the transfer of encrypted API data and other PNR data by air carriers to the PIUs in accordance with this Regulation.

2.   The router shall be composed of:

(a) a central infrastructure, including a set of technical components enabling the reception and transmission of encrypted API data and other PNR data;

(b) a secure communication channel between the central infrastructure and the PIUs, and a secure communication channel between the central infrastructure and the air carriers, for the transfer and transmission of API data and other PNR data and for any communications relating thereto, and for the insertion by the Member States of selected flights as referred to in Article 12(4) into the router and any related updates;

(c) a secure channel to receive real-time flight traffic data.

3.   Without prejudice to Article 10 of this Regulation, the router shall, where appropriate and to the extent technically possible, share and reuse the technical components, including hardware and software components, of the web service referred to in Article 13 of Regulation (EU) 2017/2226, the carrier gateway referred to in Article 6(2), point (k), of Regulation (EU) 2018/1240, and the carrier gateway referred to in Article 45c of Regulation (EC) No 767/2008.

eu-LISA shall design the router, to the extent technically and operationally possible, in a way that is coherent and consistent with the obligations for air carriers set out in Regulations (EC) No 767/2008, (EU) 2017/2226 and (EU) 2018/1240.

4.   The router shall automatically extract and make available the data, in accordance with Article 39 of this Regulation, to the central repository for reporting and statistics (CRRS) established by Article 39 of Regulation (EU) 2019/818.

5.   eu-LISA shall design and develop the router in such a way that, for any transfer of API data and other PNR data from the air carriers to the router in accordance with Article 5, and for any transmission of API data and other PNR data from the router to the PIUs in accordance with Article 12 and to the CRRS in accordance with Article 39(2), the API data and other PNR data are end-to-end encrypted during transit.

Article 10

Exclusive use of the router

For the purposes of this Regulation, the router shall be used only:

(a) by air carriers to transfer encrypted API data and other PNR data in accordance with this Regulation;

(b) by PIUs to receive encrypted API data and other PNR data in accordance with this Regulation;

(c) on the basis of international agreements enabling the transfer of PNR data via the router, concluded by the Union with third countries that have concluded an agreement providing for their association with the implementation, application and development of the Schengen

acquis

.

This Article is without prejudice to Article 12 of Regulation (EU) 2025/12.

Article 11

Data format and transfer verifications

1.   The router shall, in an automated manner and on the basis of real-time flight traffic data, verify whether the air carrier transferred the API data in accordance with Article 5(1) or other PNR data in accordance with Article 5(2).

2.   The router shall, immediately and in an automated manner, verify whether the API data transferred to it in accordance with Article 5(1) comply with the detailed rules on the supported data formats, referred to in Article 5(4).

3.   The router shall, immediately and in an automated manner, verify whether the other PNR data transferred to it in accordance with Article 5(2) comply with the rules on the supported data formats, referred to in Article 16 of Directive (EU) 2016/681.

4.   Where the verification referred to in paragraph 1 determines that the data were not transferred by the air carrier or where the verification referred to in paragraph 2 or 3 determines that data are not compliant with the detailed rules on the supported data formats, the router shall, immediately and in an automated manner, notify the air carrier concerned and the PIUs of the Member States to which the data were to be transmitted pursuant to Article 12(1). In such cases, the air carrier shall immediately transfer the API data and other PNR data in accordance with Article 5.

5.   The Commission shall adopt implementing acts specifying the detailed technical and procedural rules necessary for the verifications and notifications referred to in paragraphs 1 to 4 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 42(2).

Article 12

Transmission of API data and other PNR data from the router to the PIUs

1.   Upon the data format and transfer verifications referred to in Article 11, the router shall transmit the encrypted API data and any other PNR data, transferred to it by air carriers pursuant to Article 5(1) and (2), and where applicable, Article 7(3) and (4), to the PIUs of the Member State on whose territory the flight will land or from whose territory it will depart, or to both in the case of intra-EU flights. It shall transmit those data immediately and in an automated manner, without changing their content in any way. Where a flight has one or more stop-overs at the territory of other Member States than the one from which it departed, the router shall transmit the API data and any other PNR data to the PIUs of all the Member States concerned.

For the purposes of such transmission, eu-LISA shall establish and keep up to date a table of correspondence between the different airports of origin and destination and the countries to which they belong.

However, for intra-EU flights, the router shall transmit only API data and other PNR data of the flights included in the list referred to in paragraph 4 to the relevant PIUs.

2.   The router shall transmit the API data and other PNR data in accordance with the detailed rules referred to in paragraph 6, once such rules have been adopted and are applicable.

3.   Member States shall ensure that their PIUs, upon receipt of API data and other PNR data in accordance with paragraph 1, immediately and in an automated manner confirm receipt of such data to the router.

4.   Member States that decide to apply Directive (EU) 2016/681 to intra-EU flights in accordance with Article 2 of that Directive shall each establish a list of the intra-EU flights or routes selected. Member States may use the code of the airport of departure and the airport of arrival for indicating the selected flights or routes. Those Member States shall, in accordance with Article 2 of that Directive and Article 13 of this Regulation, regularly review and where necessary update those lists. A Member State may select all intra-EU flights or routes when duly justified, in accordance with Directive (EU) 2016/681 and Article 13 of this Regulation.

Member States shall, by the relevant date of application of this Regulation referred to in Article 45, second paragraph, insert the selected flights or routes into the router, by automated means through the secure communication channel referred to in Article 9(2)(b), and thereafter provide the router with any updates thereof.

5.   The information inserted by the Member States into the router shall be treated confidentially and access to that information by eu-LISA staff shall be limited to what is strictly necessary for the resolution of technical problems. eu-LISA shall ensure, upon receipt by the router of that information or any updates thereto from a Member State, that the router immediately transmits the API data and other PNR data to the PIU of that Member State in respect of the selected flights or routes, in accordance with paragraph 1.

6.   The Commission shall adopt implementing acts specifying the detailed technical and procedural rules necessary for the transmission of API data and other PNR data from the router referred to in paragraph 1 of this Article and for the insertion of information into the router referred to in paragraph 4 of this Article, including on requirements for data security. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 42(2).

Article 13

Selection of intra-EU flights

1.   Member States that decide, in accordance with Article 2 of Directive (EU) 2016/681, to apply that Directive and consequently this Regulation to intra-EU flights shall select such intra-EU flights in accordance with this Article.

2.   Member States may apply Directive (EU) 2016/681 and consequently this Regulation to all intra-EU flights arriving at or departing from their territory only in situations of a genuine and present or foreseeable terrorist threat, on the basis of a decision that is based on a threat assessment, limited in time to what is strictly necessary and open to effective review either by a court or by an independent administrative body whose decision is binding.

3.   In the absence of a genuine and present or foreseeable terrorist threat, Member States that apply Directive (EU) 2016/681 and consequently this Regulation to intra-EU flights shall select such intra-EU flights according to the outcome of an assessment carried out on the basis of the requirements set out in paragraphs 4 to 7 of this Article.

4.   The assessment referred to in paragraph 3 shall:

(a) be carried out in an objective, duly reasoned and non-discriminatory way in accordance with Article 2 of Directive (EU) 2016/681;

(b) take into account only criteria which are relevant for the prevention, detection, investigation and prosecution of terrorist offences and serious crime having an objective link, including an indirect link, with the carriage of passengers by air, and not be purely based on the grounds as listed in Article 21 of the Charter of any passengers or groups of passengers;

(c) use only information that can support an objective, duly reasoned and non-discriminatory assessment.

5.   On the basis of the assessment referred to in paragraph 3, Member States shall select only intra-EU flights relating to, inter alia, specific routes, travel patterns or airports for which there are indications of terrorist offenses and serious crime and that justify the processing of API and other PNR data. The selection of intra-EU flights shall be limited to what is strictly necessary for achieving the objectives of Directive (EU) 2016/681 and this Regulation.

6.   Member States shall keep all documentation of the assessment referred to in paragraph 3, including where relevant any review thereof, and make it available, in accordance with Directive (EU) 2016/680, to their independent supervisory authorities and national supervisory authorities upon request.

7.   Member States shall, in accordance with Article 2 of Directive (EU) 2016/681, review their assessment referred to in paragraph 3 regularly and at least every 12 months, in order to take into account changes in the circumstances that justified the selection of intra-EU flights and for the purpose of ensuring that the selection of intra-EU flights continues to be limited to what is strictly necessary.

8.   The Commission shall facilitate a regular exchange of views on the selection criteria for the assessment referred to in paragraph 3, including the sharing of best practices, as well as, on a voluntary basis, the exchange of information on selected flights.

Article 14

Deletion of API data and other PNR data from the router

API data and other PNR data, transferred to the router pursuant to this Regulation shall be stored on the router only insofar as necessary to complete the transmission to the relevant PIUs in accordance with this Regulation and shall be deleted from the router, immediately, permanently and in an automated manner, in both of the following situations:

(a) where it is confirmed, in accordance with Article 12(3), that the transmission of the API data and other PNR data to the relevant PIUs has been completed;

(b) where the API data or other PNR data relate to intra-EU flights other than those included in the lists referred to in Article 12(4).

The router shall automatically inform eu-LISA and the PIUs of the immediate deletion of intra-EU flights as referred to in point (b).

Article 15

Processing of API data and other PNR data by PIUs

API data and other PNR data transmitted to PIUs in accordance with this Regulation shall subsequently be processed by the PIUs in accordance with Directive (EU) 2016/681, in particular as regards the rules on the processing of API data and other PNR data by PIUs, including those set out in Articles 6, 10, 12 and 13 of that Directive, and solely for the purposes of the prevention, detection, investigation and prosecution of terrorist offences and serious crime.

The PIUs or other competent authorities shall under no circumstances process API data and other PNR data for the purposes of profiling, as referred to in Article 11(3) of Directive (EU) 2016/680.

Article 16

Actions where it is technically impossible to use the router

1.   Where it is technically impossible to use the router to transmit API data or other PNR data because of a failure of the router, eu-LISA shall immediately notify the air carriers and PIUs of that technical impossibility in an automated manner. In that case, eu-LISA shall immediately take measures to address the technical impossibility to use the router and shall immediately notify the air carriers and PIUs when it has been successfully addressed.

During the period of time between those notifications, Article 5(1) shall not apply, insofar as the technical impossibility prevents the transfer of API data or other PNR data to the router. Air carriers shall store the API data or other PNR data until the technical impossibility has been successfully addressed. As soon as the technical impossibility has been successfully addressed, air carriers shall transfer the data to the router in accordance with Article 5(1).

Where it is technically impossible to use the router and in exceptional cases related to the objectives of this Regulation that make it necessary for PIUs to immediately receive API data or other PNR data during the technical impossibility to use the router, PIUs may request air carriers to use any other appropriate means, ensuring the necessary level of data security, data quality and data protection, to transfer the API data or other PNR data directly to the PIUs. The PIUs shall process the API data or other PNR data received through any other appropriate means in accordance with the rules and safeguards set out in Directive (EU) 2016/681.

Following the notification from eu-LISA that the technical impossibility has been successfully addressed, and where it is confirmed in accordance with Article 12(3) that the transmission of the API data or other PNR data through the router to the relevant PIU has been completed, the PIU shall immediately delete the API data or other PNR data received by any other appropriate means.

2.   Where it is technically impossible to use the router to transmit API data or other PNR data because of a failure of the systems or infrastructure referred to in Article 23 of a Member State, the PIU of that Member State shall immediately notify the other PIUs, eu-LISA and the Commission of that technical impossibility in an automated manner. In that case, that Member State shall immediately take measures to address the technical impossibility to use the router and shall immediately notify the other PIUs, eu-LISA and the Commission when it has been successfully addressed. The router shall store the API data or other PNR data until the technical impossibility has been successfully addressed. As soon as the technical impossibility has been successfully addressed, the router shall transmit the data in accordance with Article 12(1).

Where it is technically impossible to use the router and in exceptional cases related to the objectives of this Regulation that make it necessary for PIUs to immediately receive API data or other PNR data during the technical impossibility to use the router, PIUs may request air carriers to use any other appropriate means, ensuring the necessary level of data security, data quality and data protection to transfer the API data or other PNR data directly to the PIUs. The PIUs shall process the API data or other PNR data received through any other appropriate means in accordance with the rules and safeguards set out in Directive (EU) 2016/681.

Following the notification from eu-LISA that the technical impossibility has been successfully addressed, and where it is confirmed in accordance with Article 12(3) that the transmission of the API data or other PNR data through the router to the relevant PIU has been completed, the PIU shall immediately delete the API data or other PNR data received by any other appropriate means.

3.   Where it is technically impossible to use the router to transfer API data or other PNR data because of a failure of the systems or infrastructure referred to in Article 24 of an air carrier, that air carrier shall immediately notify the PIUs, eu-LISA and the Commission of that technical impossibility in an automated manner. In that case, that air carrier shall immediately take measures to address the technical impossibility to use the router and shall immediately notify the PIUs, eu-LISA and the Commission when it has been successfully addressed.

During the period of time between those notifications, Article 5(1) shall not apply, insofar as the technical impossibility prevents the transfer of API data or other PNR data to the router. Air carriers shall store the API data or other PNR data until the technical impossibility has been successfully addressed. As soon as the technical impossibility has been successfully addressed, air carriers shall transfer the data to the router in accordance with Article 5(1).

Where it is technically impossible to use the router and in exceptional cases related to the objectives of this Regulation that make it necessary for PIUs to immediately receive API data or other PNR data during the technical impossibility to use the router, PIUs may request air carriers to use any other appropriate means, ensuring the necessary level of data security, data quality and data protection, to transfer the API data or other PNR data directly to the PIUs. The PIUs shall process the API data or other PNR data received through any other appropriate means in accordance with the rules and safeguards set out in Directive (EU) 2016/681.

Following the notification from eu-LISA that the technical impossibility has been successfully addressed, and where it is confirmed in accordance with Article 12(3) that the transmission of the API data or other PNR data through the router to the relevant PIU has been completed, the PIU shall immediately delete the API data or other PNR data received by any other appropriate means.

When the technical impossibility has been successfully addressed, the air carrier concerned shall, without delay, submit to the national API supervision authority referred to in Article 37 a report containing all necessary details on the technical impossibility, including the reasons for the technical impossibility, its extent and consequences as well as the measures taken to address it.

CHAPTER 4

SPECIFIC PROVISIONS ON THE PROTECTION OF PERSONAL DATA AND SECURITY

Article 17

Keeping of logs

1.   Air carriers shall create logs of all processing operations related to API data under this Regulation undertaken using the automated means referred to in Article 4(7). Those logs shall cover the date, time, and place of transfer of the API data. Those logs shall not contain any personal data, other than the information necessary to identify the relevant member of the staff of the air carrier.

2.   eu-LISA shall keep logs of all processing operations relating to the transfer and transmission of API data and other PNR data through the router under this Regulation. Those logs shall cover the following:

(a) the air carrier that transferred the API data and other PNR data to the router;

(b) the air carrier that transferred other PNR data to the router;

(c) the PIUs to which the API data were transmitted through the router;

(d) the PIUs to which other PNR data were transmitted through the router;

(e) the date and time of the transfer or transmission referred to in points (a) to (d), and the place of that transfer or transmission;

(f) any access by the staff of eu-LISA necessary for the maintenance of the router, as referred to in Article 26(3);

(g) any other information relating to those processing operations necessary to monitor the security and integrity of the API data and other PNR data and the lawfulness of those processing operations.

Those logs shall not include any personal data, other than the information necessary to identify the relevant member of the staff of eu-LISA, referred to in point (f) of the first subparagraph.

3.   The logs referred to in paragraphs 1 and 2 of this Article shall be used only for ensuring the security and integrity of the API data and other PNR data and the lawfulness of the processing, in particular as regards compliance with the requirements set out in this Regulation, including proceedings for penalties for infringements of those requirements in accordance with Articles 37 and 38.

4.   Air carriers and eu-LISA shall take appropriate measures to protect the logs that they created pursuant to paragraphs 1 and 2, respectively, against unauthorised access and other security risks.

5.   The national API supervision authority referred to in Article 37 and PIUs shall have access to the relevant logs referred to in paragraph 1 of this Article where necessary for the purposes referred to in paragraph 3 of this Article.

6.   Air carriers and eu-LISA shall keep the logs that they created pursuant to paragraphs 1 and 2, respectively, for a period of one year from the moment of the creation of those logs. They shall immediately and permanently delete those logs upon the expiry of that period.

However, if those logs are needed for procedures for monitoring or ensuring the security and integrity of the API data or the lawfulness of the processing operations, as referred to in paragraph 3, and those procedures have already begun at the moment of the expiry of the time period referred to in the first subparagraph of this paragraph, air carriers and eu-LISA shall keep those logs for as long as necessary for those procedures. In that case, they shall immediately delete those logs when they are no longer necessary for those procedures.

Article 18

Data protection responsibilities

1.   Air carriers shall be controllers, within the meaning of Article 4, point (7), of Regulation (EU) 2016/679, for the processing of API data and other PNR data constituting personal data in relation to the collection of such data and the transfer thereof to the router under this Regulation.

2.   Each Member State shall designate a competent authority as controller in accordance with this Article. Member States shall notify the Commission, eu-LISA and the other Member States of those authorities.

All the competent authorities designated by Member States shall be joint controllers in accordance with Article 21 of Directive (EU) 2016/680 for the purposes of the processing of personal data in the router.

3.   eu-LISA shall be a processor within the meaning of Article 3, point (12), of Regulation (EU) 2018/1725 for the purposes of the processing of API data and other PNR data constituting personal data under this Regulation through the router, including transmission of the data from the router to the PIUs and storage for technical reasons of those data on the router. eu-LISA shall ensure that the router is operated in accordance with this Regulation.

4.   The Commission shall adopt implementing acts establishing the respective responsibilities of the joint controllers, and the respective obligations between the joint controllers and the processor. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 42(2).

Article 19

Information for passengers

In accordance with Article 13 of Regulation (EU) 2016/679, air carriers shall provide passengers, on flights covered by this Regulation, with information on the purpose of the collection of their personal data, the type of personal data collected, the recipients of the personal data and the means to exercise their rights as data subjects.

That information shall be communicated to passengers in writing and in an easily accessible format at the moment of booking and at the moment of check-in, irrespective of the means used to collect the personal data at the moment of check-in, in accordance with Article 4.

Article 20

Security

1.   eu-LISA shall ensure the security and encryption of the API data and other PNR data, in particular data constituting personal data, that it processes pursuant to this Regulation. PIUs and air carriers shall ensure the security of the API data, in particular API data constituting personal data, that they process pursuant to this Regulation.eu-LISA, PIUs and air carriers shall cooperate, in accordance with their respective responsibilities and in compliance with Union law, with each other to ensure such security.

2.   eu-LISA shall ensure the security and the confidentiality of the data related to flights and routes selected by the Member States in accordance with Article 12(4). The PIUs and the air carriers shall ensure the security of the API data, in particular API data constituting personal data, that they process pursuant to this Regulation. eu-LISA, PIUs and air carriers shall cooperate, in accordance with their respective responsibilities and in compliance with Union law, with each other to ensure such security.

3.   eu-LISA shall take the measures necessary to ensure the security of the router and the API data and other PNR data, in particular data constituting personal data, transmitted through the router, including by establishing, implementing and regularly updating a security plan, a business continuity plan and a disaster recovery plan, in order to:

(a) physically protect the router, including by making contingency plans for the protection of critical components thereof;

(b) prevent any unauthorised processing of the API data or other PNR data, including any unauthorised access thereto and the copying, modification or deletion thereof, both during the transfer of the API data or other PNR data to and from the router and during any storage of the API data or other PNR data on the router where necessary to complete the transmission, in particular by means of appropriate encryption techniques;

(c) ensure that the persons authorised to access the router have access only to the data covered by their access authorisation;

(d) ensure that it is possible to verify and establish to which PIUs the API data or other PNR data are transmitted through the router;

(e) properly report to its Management Board any faults in the functioning of the router;

(f) monitor the effectiveness of the security measures required under this Article and under Regulation (EU) 2018/1725, and assess and update those security measures where necessary in the light of technological or operational developments.

The measures referred to in the first subparagraph of this paragraph shall not affect Article 32 of Regulation (EU) 2016/679, Article 33 of Regulation (EU) 2018/1725 or Article 29 of Directive (EU) 2016/680.

Article 21

Self-monitoring

Air carriers and the PIUs shall monitor their compliance with their respective obligations under this Regulation, in particular as regards their processing of API data constituting personal data. For air carriers the monitoring shall include frequent verification of the logs referred to in Article 17.

Article 22

Personal data protection audits

1.   The independent supervisory authorities referred to in Article 41 of Directive (EU) 2016/680 shall carry out an audit of processing operations of API data constituting personal data performed by the PIUs for the purposes of this Regulation at least once every four years. Member States shall ensure that their independent supervisory authorities have sufficient resources and expertise to fulfil the tasks entrusted to them under this Regulation.

2.   The European Data Protection Supervisor shall carry out an audit of processing operations of API data and other PNR data constituting personal data performed by eu-LISA for the purposes of this Regulation, in accordance with relevant international auditing standards at least once every year. A report of that audit shall be sent to the European Parliament, to the Council, to the Commission, to the Member States and to eu-LISA. eu-LISA shall be given an opportunity to make comments before the reports are adopted.

3.   In relation to the processing operations referred to in paragraph 2, upon request, eu-LISA shall supply information requested by the European Data Protection Supervisor, shall grant the European Data Protection Supervisor access to all the documents it requests and to the logs referred to in Article 17(2), and shall allow the European Data Protection Supervisor access to all eu-LISA’s premises at any time.

CHAPTER 5

MATTERS RELATING TO THE ROUTER

Article 23

PIUs’ connections to the router

1.   Member States shall ensure that their PIUs are connected to the router. They shall ensure that their national systems and infrastructure for the reception and further processing of API data and other PNR data transferred pursuant to this Regulation are integrated with the router.

Member States shall ensure that the connection to the router and integration with it enables their PIUs to receive and further process those API data and other PNR data, as well as to exchange any communications relating thereto, in a lawful, secure, effective and swift manner.

2.   The Commission shall adopt implementing acts specifying the necessary detailed rules on the connections to and integration with the router referred to in paragraph 1 of this Article, including on requirements for data security. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 42(2).

Article 24

Air carriers’ connections to the router

1.   Air carriers shall ensure that they are connected to the router. They shall ensure that their systems and infrastructure for the transfer of API data and other PNR data to the router pursuant to this Regulation are integrated with the router.

Air carriers shall ensure that the connection to the router and the integration with it enables them to transfer those API data and other PNR data as well as to exchange any communications relating thereto, in a lawful, secure, effective and swift manner. To that end, air carriers shall conduct tests of the transfer of API data and other PNR data to the router in cooperation with eu-LISA in accordance with Article 27(3).

2.   The Commission shall adopt implementing acts specifying the necessary detailed rules on the connections to and integration with the router referred to in paragraph 1 of this Article, including on requirements for data security. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 42(2).

Article 25

eu-LISA’s tasks relating to the design and development of the router

1.   eu-LISA shall be responsible for the design of the physical architecture of the router, including defining its technical specifications.

2.   eu-LISA shall be responsible for the development of the router, including for any technical adaptations necessary for the operation of the router.

The development of the router shall consist of the elaboration and implementation of the technical specifications, testing and overall project management and coordination of the development phase.

3.   eu-LISA shall ensure that the router is designed and developed in such a manner that the router provides the functionalities specified in this Regulation, and that the router starts operations as soon as possible after the adoption by the Commission of the delegated acts provided for in Article 4(12), Article 5(3), Article 7(2), and of the implementing acts provided for in Article 11(5), Article 12(4), Article 23(2), Article 24(2) of this Regulation, and of the implementing acts provided for in Article 16(3) of Directive (EU) 2016/681, and after the carrying out of a data protection impact assessment in accordance with Article 35 of Regulation (EU) 2016/679.

4.   eu-LISA shall provide PIUs, other relevant Member States’ authorities and air carriers with a compliance test set. The compliance test set shall include a test environment, a simulator, test data sets and a test plan. The compliance test set shall allow for comprehensive tests of the router referred to in paragraphs 5 and 6 and it shall remain available after the completion of those tests.

5.   Where eu-LISA considers that the development phase has been completed in relation to API data, it shall, without undue delay, conduct a comprehensive test of the router, in cooperation with the PIUs and other relevant Member States’ authorities and air carriers and inform the Commission of the outcome of that test.

6.   Where eu-LISA considers that the development phase has been completed in relation to other PNR data, it shall, without undue delay, conduct comprehensive tests of the router to ensure the reliability of the connections of the router with air carriers and PIUs, the necessary standardised transmission of other PNR data by air carriers and the transfer and transmission of other PNR data in accordance with Article 16 of Directive (EU) 2016/681, including the use of the common protocols and supported standardised data formats referred to in Article 16, paragraphs 2 and 3, of that Directive to ensure the readability of the other PNR data. Such tests shall be conducted in cooperation with the PIUs and other relevant Member States’ authorities and air carriers. eu-LISA shall inform the Commission of the outcome of those tests.

Article 26

eu-LISA’s tasks relating to the hosting and technical management of the router

1.   eu-LISA shall host the router in its technical sites.

2.   eu-LISA shall be responsible for the technical management of the router, including its maintenance and technical developments, in such a manner as to ensure that the API data and other PNR data are securely, effectively and swiftly transmitted through the router, in compliance with this Regulation.

The technical management of the router shall consist of carrying out all the tasks and enacting all technical solutions necessary for the proper functioning of the router in accordance with this Regulation, in an uninterrupted manner, 24 hours a day, 7 days a week. It shall include the maintenance work and technical developments necessary to ensure that the router functions at a satisfactory level of technical quality, in particular as regards availability, accuracy and reliability of the transmission of API data and other PNR data, in accordance with the technical specifications and, as much as possible, in line with the operational needs of the PIUs and air carriers.

3.   eu-LISA’s staff shall not have access to any of the API data or other PNR data that are transmitted through the router. However, that prohibition shall not preclude eu-LISA’s staff from having such access insofar as strictly necessary for the maintenance and technical management of the router.

4.   Without prejudice to paragraph 3 of this Article and to Article 17 of the Staff Regulations of Officials of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (22), eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to its staff required to work with API data and other PNR data transmitted through the router. This obligation shall also apply after such staff leave office or employment or after the termination of their activities.

Article 27

eu-LISA’s support tasks relating to the router

1.   eu-LISA shall, upon the request of PIUs, other relevant Member States’ authorities or air carriers, provide training to them on the technical use of the router and on their connection to and integration with the router.

2.   eu-LISA shall provide support to the PIUs regarding the reception of API data and other PNR data through the router pursuant to this Regulation in particular as regards the application of Articles 12 and 23.

3.   In accordance with Article 24(1) and making use of the compliance test set referred to in Article 25(4), eu-LISA shall conduct, in cooperation with air carriers, tests of the transfer of API data and other PNR data to the router.

CHAPTER 6

GOVERNANCE

Article 28

Programme Management Board

1.   By 28 January 2025, eu-LISA’s Management Board shall establish a Programme Management Board. It shall be composed of 10 members and shall consist of:

(a) seven members appointed by eu-LISA’s Management Board from among its members or its alternates;

(b) the chair of the API-PNR Advisory Group referred to in Article 29;

(c) one member of the eu-LISA staff appointed by its Executive Director; and

(d) one member appointed by the Commission.

As regards point (a), the members appointed by eu-LISA’s Management Board shall be elected only from its members or its alternates from those Member States to which this Regulation applies.

2.   The Programme Management Board shall draft its rules of procedure to be adopted by eu-LISA’s Management Board.

The chairpersonship shall be held by a Member State that is a member of the Programme Management Board.

3.   The Programme Management Board shall supervise the effective fulfilment of eu-LISA’s tasks relating to the design and development of the router in accordance with Article 25.

Upon request of the Programme Management Board, eu-LISA shall provide detailed and updated information on the design and development of the router, including on the resources allocated by eu-LISA.

4.   The Programme Management Board shall regularly, and at least three times per quarter, submit written reports on progress in the design and development of the router to eu-LISA’s Management Board.

5.   The Programme Management Board shall have no decision-making power, nor any mandate to represent eu-LISA’s Management Board or its members.

6.   The Programme Management Board shall cease to exist by the date of the application of this Regulation referred to in Article 45, second paragraph.

Article 29

API-PNR Advisory Group

1.   As from 28 January 2025, the API-PNR Advisory Group, established pursuant to Article 27(1), point (de), of Regulation (EU) 2018/1726, shall provide eu-LISA’s Management Board with the necessary expertise related to API-PNR in particular in the context of the preparation of its annual work programme and its annual activity report.

2.   Whenever available, eu-LISA shall provide the API-PNR Advisory Group with versions, even intermediary ones, of the technical specifications and the compliance test sets referred to in Article 25(1), (2) and (4).

3.   The API-PNR Advisory Group shall exercise the following functions:

(a) provide expertise to eu-LISA and to the Programme Management Board on the design and development of the router in accordance with Article 25;

(b) provide expertise to eu-LISA on the hosting and technical management of the router in accordance with Article 26;

(c) provide its opinion to the Programme Management Board, upon its request, on the progress of the design and development of the router, including on the progress of the technical specifications and compliance test sets referred to in paragraph 2.

4.   The API-PNR Advisory Group shall have no decision-making power, nor any mandate to represent the eu-LISA’s Management Board or its members.

Article 30

API-PNR Contact Group

1.   By the relevant date of the application of this Regulation referred to in Article 45, second paragraph, eu-LISA’s Management Board shall establish an API-PNR Contact Group.

2.   The API-PNR Contact Group shall enable communication between Member States’ relevant authorities and air carriers on technical matters related to their respective tasks and obligations under this Regulation.

3.   The API-PNR Contact Group shall be composed of representatives of Member States’ relevant authorities and air carriers, the chairperson of the API-PNR Advisory Group and eu-LISA’s experts.

4.   eu-LISA’s Management Board shall establish the rules of procedure of the API-PNR Contact Group, following an opinion of the API-PNR Advisory Group.

5.   Where deemed necessary, eu-LISA’s Management Board may also establish sub-groups of the API-PNR Contact Group to discuss specific technical matters related to the respective tasks and obligations of Member States’ relevant authorities and air carriers under this Regulation.

6.   The API-PNR Contact Group, including its sub-groups, shall have no decision-making power, nor any mandate to represent the eu-LISA’s Management Board or its members.

Article 31

API Expert Group

1.   By the date of application of this Regulation referred to in Article 45, second paragraph, point (a), the Commission shall establish an API Expert Group in accordance with the horizontal rules on the creation and operation of Commission expert groups.

2.   The API Expert Group shall enable communication among Member States’ relevant authorities, and between Member States’ relevant authorities and air carriers, on policy matters related to their respective tasks and obligations under this Regulation, including in relation to the penalties referred to in Article 38.

3.   The API Expert Group shall be chaired by the Commission and constituted in accordance with the horizontal rules on the creation and operation of Commission expert groups. It shall be composed of representatives of Member States’ relevant authorities, representatives of air carriers and eu-LISA’s experts. Where relevant for the performance of its tasks, the API Expert Group may invite relevant stakeholders, in particular representatives of the European Parliament, the European Data Protection Supervisor and the independent national supervisory authorities, to participate in its work.

4.   The API Expert Group shall carry out its tasks in accordance with the principle of transparency. The Commission shall publish the minutes of the meetings of the API Expert Group and other relevant documents on the Commission website.

Article 32

Costs incurred by eu-LISA, the European Data Protection Supervisor, the national supervisory authorities and Member States

1.   Costs incurred by eu-LISA in relation to the establishment and operation of the router under this Regulation shall be borne by the general budget of the Union.

2.   Costs incurred by the Member States in relation to the implementation of this Regulation, in particular to their connection to and the integration with the router referred to in Article 23, shall be supported by the general budget of the Union, in accordance with the eligibility rules and co-financing rates set in the applicable Union legal acts.

3.   Costs incurred by the European Data Protection Supervisor in relation to the tasks entrusted to it under this Regulation shall be borne by the general budget of the Union.

4.   Costs incurred by independent national supervisory authorities in relation to the tasks entrusted to them under this Regulation shall be borne by the Member States.

Article 33

Liability regarding the router

If a failure of a Member State or an air carrier to comply with its obligations under this Regulation causes damage to the router, that Member State or air carrier shall be liable for such damage, as provided for by the applicable Union or national law, unless and insofar as it is demonstrated that eu-LISA, another Member State or another air carrier failed to take reasonable measures to prevent the damage from occurring or to minimise its impact.

Article 34

Start of operations of the router in relation to API data

The Commission shall determine, without undue delay, the date from which the router starts operations in relation to API data by means of an implementing act once eu-LISA has informed the Commission of the successful completion of the comprehensive test of the router referred to in Article 25(5). That implementing act shall be adopted in accordance with the examination procedure referred to in Article 42(2).

The Commission shall set the date referred to in the first paragraph to be no later than 30 days from the date of the adoption of that implementing act.

Article 35

Start of operations of the router in relation to other PNR data

The Commission shall determine, without undue delay, the date from which the router starts operations in relation to other PNR data by means of an implementing act once eu-LISA has informed the Commission of the successful completion of the comprehensive tests of the router referred to in Article 25(6), including on the reliability of the connections of the router with air carriers and PIUs and on the readability of other PNR data transferred by air carriers and transmitted by the router in the necessary standardised format, in accordance with Article 16 of Directive (EU) 2016/681. That implementing act shall be adopted in accordance with the examination procedure referred to in Article 42(2).

The Commission shall set the date referred to in the first paragraph to be no later than 30 days from the date of the adoption of that implementing act.

Article 36

Voluntary use of the router

1.   Air carriers shall be entitled to use the router to transmit the information referred to in Article 3(1) and (2) of Directive 2004/82/EC or other PNR data collected pursuant to Article 8 of Directive (EU) 2016/681 to one or more of the responsible PIUs, in accordance with those Directives, provided that the Member State concerned has agreed with such use, from an appropriate date set by that Member State. That Member State shall agree only after having established that, in particular as regards both its own PIU’s connection to the router and that of the air carrier concerned, the information can be transmitted in a lawful, secure, effective and swift manner.

2.   Where an air carrier starts using the router in accordance with paragraph 1 of this Article, it shall continue using the router to transmit such information to the PIU of the Member State concerned until the relevant date of application of this Regulation referred to in Article 45, second paragraph. However, that use shall be discontinued, from an appropriate date set by that Member State, where that Member State considers that there are objective reasons that require such discontinuation and has informed the air carrier accordingly.

3.   The Member State concerned shall:

(a) consult eu-LISA before agreeing with the voluntary use of the router in accordance with paragraph 1;

(b) except in situations of duly justified urgency, afford the air carrier concerned an opportunity to comment on its intention to discontinue such use in accordance with paragraph 2 and, where relevant, also consult eu-LISA thereon;

(c) immediately inform eu-LISA and the Commission of any such use to which it agreed and any discontinuation of such use, providing all necessary information, including the date of the start of the use, the date of the discontinuation and the reasons for the discontinuation, as applicable.

CHAPTER 7

SUPERVISION, PENALTIES, STATISTICS AND HANDBOOK

Article 37

National API supervision authority

1.   Member States shall designate one or more national API supervision authorities responsible for monitoring the application within their territory by air carriers of the provisions of this Regulation and ensuring compliance with those provisions.

2.   Member States shall ensure that the national API supervision authorities have all the means and all the investigative and enforcement powers necessary to carry out their tasks under this Regulation, including by imposing the penalties referred to in Article 38 where appropriate. Member States shall ensure that the exercise of the powers conferred on the national API supervision authority is subject to appropriate safeguards in compliance with the fundamental rights guaranteed under Union law.

3.   Member States shall, by the relevant date of application of this Regulation referred to in Article 45, second paragraph, notify the Commission of the name and the contact details of the authorities that they designated under paragraph 1 of this Article. They shall notify the Commission without delay of any subsequent changes or amendments thereto.

4.   This Article is without prejudice to the powers of the supervisory authorities referred to in Article 51 of Regulation (EU) 2016/679, Article 41 of Directive (EU) 2016/680 and Article 15 of Directive (EU) 2016/681.

Article 38

Penalties

1.   Member States shall lay down the rules on penalties applicable to infringements of this Regulation and shall take all measures necessary to ensure that they are implemented. The penalties provided for shall be effective, proportionate and dissuasive.

2.   Member States shall, by the relevant date of application of this Regulation referred to in Article 45, second paragraph, notify the Commission of those rules and of those measures and shall notify it, without delay, of any subsequent amendment affecting them.

3.   Member States shall ensure that the national API supervision authorities, when deciding whether to impose a penalty and when determining the type and level of penalty, take into account relevant circumstances, which may include:

(a) the nature, gravity and duration of the infringement;

(b) the degree of the air carrier’s fault;

(c) previous infringements by the air carrier;

(d) the overall level of cooperation of the air carrier with the competent authorities;

(e) the size of the air carrier, such as the annual number of passengers carried;

(f) whether previous penalties have already been applied by other national API supervision authorities to the same air carrier for the same infringement.

4.   Member States shall ensure that a recurrent failure to transfer API data in accordance with Article 5(1) is subject to proportionate financial penalties of up to 2 % of the air carrier’s global turnover of the preceding financial year. Member States shall ensure that failure to comply with other obligations set out in this Regulation is subject to proportionate penalties, including financial penalties.

Article 39

Statistics

1.   In order to support the implementation and monitoring of the application of this Regulation, and on the basis of the statistical information referred to in paragraphs 5 and 6, eu-LISA shall publish every quarter statistics on the functioning of the router and on the compliance of air carriers with the obligations set out in this Regulation. Those statistics shall not allow for the identification of individuals.

2.   For the purposes set out in paragraph 1, the router shall automatically transmit the data listed in paragraphs 5 and 6 to the CRRS.

3.   In order to support the implementation and monitoring of the application of this Regulation, each year, eu-LISA shall compile statistical data in an annual report for the previous year. It shall publish that annual report and transmit it to the European Parliament, the Council, the Commission, the European Data Protection Supervisor, the European Border and Coast Guard Agency and the national API supervision authorities referred to in Article 37. The annual report shall not disclose confidential working methods or jeopardise ongoing investigations of the Member States’ competent authorities.

4.   At the request of the Commission, eu-LISA shall provide it with statistics on specific aspects related to the implementation of this Regulation as well as the statistics pursuant to paragraph 3.

5.   The CRRS shall provide eu-LISA with the following statistical information necessary for the reporting referred to in Article 44 and for generating statistics in accordance with this Article, without such statistics on API data allowing for the identification of the passengers concerned:

(a) whether the data concern a passenger or a crew member;

(b) the nationality, sex and year of birth of the passenger or crew member;

(c) the date and the initial point of embarkation, the date and airport of departure, and the date and airport of arrival;

(d) the type of travel document, the three-letter code of the issuing country and the date of expiry of the validity of the travel document;

(e) the number of passengers checked-in on the same flight;

(f) the code of the air carrier operating the flight;

(g) whether the flight is a scheduled or a non-scheduled flight;

(h) whether API data were transferred immediately after flight closure;

(i) whether the personal data of the passenger are accurate, complete and up to date;

(j) the technical means used to capture the API data.

6.   The CRRS shall provide eu-LISA with the following statistical information necessary for the reporting referred to in Article 44 and for generating statistics in accordance with this Article, without such statistics on other PNR data allowing for the identification of the passengers concerned:

(a) the date and time the PNR message was received by the router;

(b) flight information contained in the travel itinerary in the specific PNR message;

(c) code share information contained in the specific PNR message.

7.   For the purposes of the reporting referred to in Article 44 and for generating statistics in accordance with this Article, eu-LISA shall store the data referred to in paragraphs 5 and 6 of this Article in the CRRS. It shall store such data for a period of five years in accordance with paragraph 2, while ensuring that the data do not allow for the identification of the passengers concerned. The CRRS shall provide the duly authorised staff of the PIUs and other relevant authorities of the Member States with customisable reports and statistics on API data as referred to in paragraph 5 of this Article and other PNR data as referred to in paragraph 6 of this Article for the implementation and monitoring of the application of this Regulation.

8.   The use of the data referred to in paragraphs 5 and 6 of this Article shall not result in the profiling of individuals as referred to in Article 11(3) of Directive (EU) 2016/680 or discrimination against persons on the grounds listed in Article 21 of the Charter. The data referred to in paragraph 5 and paragraph 6 of this Article shall not be used to compare or match them with personal data or to combine them with personal data.

9.   The procedures put in place by eu-LISA to monitor the development and the functioning of the router referred to in Article 39(2) of Regulation (EU) 2019/818 shall include the possibility to produce regular statistics to ensure that monitoring.

Article 40

Practical handbook

The Commission shall, in close cooperation with the PIUs, other relevant authorities of the Member States, air carriers and relevant Union bodies and agencies, prepare and make publicly available a practical handbook, containing guidelines, recommendations and best practices for the implementation of this Regulation, including on fundamental rights compliance as well as on penalties in accordance with Article 38.

The practical handbook shall take into account other relevant handbooks.

The Commission shall adopt the practical handbook in the form of a recommendation.

CHAPTER 8

RELATIONSHIP TO OTHER EXISTING INSTRUMENTS

Article 41

Amendment to Regulation (EU) 2019/818

In Article 39 of Regulation (EU) 2019/818, paragraphs 1 and 2 are replaced by the following:

‘1.   A central repository for reporting and statistics (CRRS) is established for the purpose of supporting the objectives of the SIS, Eurodac and ECRIS-TCN, in accordance with the respective legal instruments governing those systems, and to provide cross-system statistical data and analytical reporting for policy, operational and data quality purposes. The CRRS shall also support the objectives of Regulation (EU) 2025/13 of the European Parliament and of the Council

 (

*1

)

.

2.   eu-LISA shall establish, implement and host in its technical sites the CRRS containing the data and statistics referred to in Article 74 of Regulation (EU) 2018/1862 and Article 32 of Regulation (EU) 2019/816 logically separated by EU information system. eu-LISA shall also collect the data and statistics from the router referred to in Article 39(1) of Regulation (EU) 2025/13. Access to the CRRS shall be granted by means of controlled, secured access and specific user profiles, solely for the purposes of reporting and statistics, to the authorities referred to in Article 74 of Regulation (EU) 2018/1862, Article 32 of Regulation (EU) 2019/816 and Article 13(1) of Regulation(EU) 2025/13.

CHAPTER 9

FINAL PROVISIONS

Article 42

Committee procedure

1.   The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2.   Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply. Where the committee delivers no opinion, the Commission shall not adopt the draft implementing act and Article 5(4), third subparagraph, of Regulation (EU) No 182/2011 shall apply.

Article 43

Exercise of delegation

1.   The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2.   The power to adopt delegated acts referred to in Article 4(11) and (12), Article 5(4), and Article 7(5) shall be conferred on the Commission for a period of five years from 28 January 2025. The Commission shall draw up a report in respect of the delegation of power not later than nine months before the end of the five-year period. The delegation of power shall be tacitly extended for periods of an identical duration, unless the European Parliament or the Council opposes such extension not later than three months before the end of each period.

As regards a delegated act adopted pursuant to Article 4(11), if an objection under paragraph 6 of this Article has been expressed either by the European Parliament or by the Council, the European Parliament or the Council shall not oppose the tacit extension referred to in the first subparagraph of this paragraph.

3.   The delegation of power referred to in Article 4(12), Article 5(4) and Article 7(5) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the

Official Journal of the European Union

or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4.   Before adopting a delegated act, the Commission shall consult experts designated by each Member State in accordance with the principles laid down in the Interinstitutional Agreement of 13 April 2016 on Better Law-Making.

5.   As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

6.   A delegated act adopted pursuant to Article 4(11) or (12), Article 5(4) or Article 7(5) shall enter into force only if no objection has been expressed either by the European Parliament or by the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

Article 44

Monitoring and evaluation

1.   eu-LISA shall ensure that procedures are in place to monitor the development of the router in light of objectives relating to planning and costs, and to monitor the functioning of the router in light of objectives relating to the technical output, cost-effectiveness, security and quality of service.

2.   By 29 January 2026 and every year thereafter during the development phase of the router, eu-LISA shall produce a report on the state of play of the development of the router, and submit that report to the European Parliament and to the Council. The report shall contain detailed information about the costs incurred and about any risks which may impact the overall costs to be borne by the general budget of the Union in accordance with Article 32.

3.   Once the router starts operations, eu-LISA shall produce a report and submit it to the European Parliament and to the Council explaining in detail how the objectives, in particular relating to planning and costs, were achieved and giving reasons for any divergences.

4.   By 29 January 2029, and every four years thereafter, the Commission shall produce a report containing an overall evaluation of this Regulation, including on the necessity and added value of the collection of API data, including an assessment of:

(a) the application of this Regulation;

(b) the extent to which this Regulation achieved its objectives;

(c) the impact of this Regulation on fundamental rights protected under Union law;

(d) the impact of this Regulation on the travel experience of legitimate passengers;

(e) the impact of this Regulation on the competitiveness of the aviation sector and the burden incurred by businesses;

(f) the quality of the data transmitted by the router to the PIUs;

(g) the performance of the router in respect of the PIUs.

For the purposes of point (e) of the first subparagraph, the Commission’s report shall also address this Regulation’s interaction with other relevant Union legislative acts, in particular Regulations (EC) No 767/2008, (EU) 2017/2226 and (EU) 2018/1240 and, in order to assess the overall impact of related reporting obligations on air carriers, identify provisions that could be updated and simplified, where appropriate, to mitigate the burden on air carriers, and consider actions and measures that could be taken to reduce the total cost pressure on air carriers.

5.   The evaluation referred to in paragraph 4 shall also include an assessment of the necessity, proportionality and effectiveness of including the mandatory collection and transfer of API data relating to intra-EU flights within the scope of this Regulation.

6.   The Commission shall submit the evaluation report to the European Parliament, the Council, the European Data Protection Supervisor and the European Agency for Fundamental Rights. If appropriate, in light of the evaluation conducted, the Commission shall make a legislative proposal to the European Parliament and to the Council with a view to amending this Regulation.

7.   The Member States and air carriers shall, upon request, provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraphs 2, 3 and 4. In particular, Member States shall provide quantitative and qualitative information on the collection of API data from an operational perspective. The information provided shall not include personal data. Member States may refrain from providing such information if, and to the extent, necessary not to disclose confidential working methods or jeopardise ongoing investigations of their PIUs or other competent authorities. The Commission shall ensure that any confidential information provided is appropriately protected.

Article 45

Entry into force and application

This Regulation shall enter into force on the twentieth day following that of its publication in the

Official Journal of the European Union

.

It shall apply:

(a) in relation to API data, from the date two years from the date on which the router starts operations, as determined by the Commission in accordance with Article 34; and

(b) in relation to other PNR data, from the date four years from the date on which the router starts operations, as determined by the Commission in accordance with Article 35.

However:

(a) Article 4(12), Article 5(3), Article 7(5), Article 11(5), Article 12(6), Article 18(4), Article 23(2), Article 24(2), Article 25, Article 28, Article 29, Article 32(1), Article 34, Article 35, Article 42 and Article 43 shall apply from 28 January 2025;

(b) Article 6, Article 17(1), (2) and (3), Article 18(1), (2) and (3), Article 19, Article 20, Article 26, Article 27, Article 33 and Article 36 shall apply from the date on which the router starts operations, as determined by the Commission in accordance with Article 34 and Article 35.

This Regulation shall be binding in its entirety and directly applicable in the Member States in accordance with the Treaties.

Done at Brussels, 19 December 2024.

For the European Parliament

The President

R. METSOLA

For the Council

The President

BÓKA J.

(1)  

OJ C 228, 29.6.2023, p. 97

.

(2)  Position of the European Parliament of 25 April 2024 (not yet published in the Official Journal) and decision of the Council of 12 December 2024.

(3)  Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data (

OJ L 261, 6.8.2004, p. 24

).

(4)  Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (

OJ L 119, 4.5.2016, p. 132

).

(5)  Regulation (EU) 2025/12 of the European Parliament and of the Council of 19 December 2024 on the collection and transfer of advance passenger information for enhancing and facilitating external border checks, amending Regulations (EU) 2018/1726 and (EU) 2019/817, and repealing Council Directive 2004/82/EC (

OJ L, 2025/12, 8.1.2025, ELI: http://data.europa.eu/eli/reg/2025/12/oj

).

(6)  Regulation (EU) 2019/1157 of the European Parliament and of the Council of 20 June 2019 on strengthening the security of identity cards of Union citizens and of residence documents issued to Union citizens and their family members exercising their right of free movement (

OJ L 188, 12.7.2019, p. 67

).

(7)  Council Regulation (EC) No 2252/2004 of 13 December 2004 on standards for security features and biometrics in passports and travel documents issued by Member States (

OJ L 385, 29.12.2004, p. 1

).

(8)  Council Directive (EU) 2019/997 of 18 June 2019 establishing an EU Emergency Travel Document and repealing Decision 96/409/CFSP (

OJ L 163, 20.6.2019, p. 1

).

(9)  Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the EES for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011 (

OJ L 327, 9.12.2017, p. 20

).

(10)  Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011, (EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226 (

OJ L 236, 19.9.2018, p. 1

).

(11)  Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 concerning the Visa Information System (VIS) and the exchange of data between Member States on short-stay visas (VIS Regulation) (

OJ L 218, 13.8.2008, p. 60

).

(12)  Regulation (EU) 2018/1726 of the European Parliament and of the Council of 14 November 2018 on the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), and amending Regulation (EC) No 1987/2006 and Council Decision 2007/533/JHA and repealing Regulation (EU) No 1077/2011 (

OJ L 295, 21.11.2018, p. 99

).

(13)  Regulation (EC) No 1107/2006 of the European Parliament and of the Council of 5 July 2006 concerning the rights of disabled persons and persons with reduced mobility when travelling by air (

OJ L 204, 26.7.2006, p. 1

).

(14)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (

OJ L 119, 4.5.2016, p. 1

).

(15)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (

OJ L 295, 21.11.2018, p. 39

).

(16)  Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (

OJ L 119, 4.5.2016, p. 89

).

(17)  Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a framework for interoperability between EU information systems in the field of police and judicial cooperation, asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816 (

OJ L 135, 22.5.2019, p. 85

).

(18)  

OJ L 123, 12.5.2016, p. 1

.

(19)  Regulation (EU) No 182/2011 of the European Parliament and of the Council of 16 February 2011 laying down the rules and general principles concerning mechanisms for control by Member States of the Commission’s exercise of implementing powers (

OJ L 55, 28.2.2011, p. 13

, ELI: http://data.europa.eu/eli/reg/2011/182/oj).

(20)  

OJ C 84, 7.3.2023, p. 2

.

(21)  Directive (EU) 2017/541 of the European Parliament and of the Council of 15 March 2017 on combating terrorism and replacing Council Framework Decision 2002/475/JHA and amending Council Decision 2005/671/JHA (

OJ L 88, 31.3.2017, p. 6

).

(22)  

OJ L 56, 4.3.1968, p. 1

.

ELI: http://data.europa.eu/eli/reg/2025/13/oj

ISSN 1977-0677 (electronic edition)