| demo | 2025-10-04 · NEW:  Appunta · Stampa · Cita: 'Doc 100222' · pdf |
|
abstract:
Documento annotato il 04.10.2025
Fonte: europa.eu
Link: https://www.edpb.europa.eu/system/files/2025-10/re
Link: https://www.edpb.europa.eu/system/files/2025-10/re
analisi:
L'analisi è riservata agli iscritti. Segui la newsletter dell'Osservatorio oppure il Podcast iscrizione gratuita 30 giorni
-
index:
testo:
Eestimated reading time: 4 min 1
Recommendations on calculating the audit cycle in E ...
ations on calculating the audit cycle in EU Large- Scale IT Systems
The EU's Large-Scale IT Systems’ regulations establish specific audit cycle requirements for
Supervisory Authorities expressed in years. For Schengen Information System
1 (SIS), Visa
Information System
2 (VIS) and in the framework for interoperability 3, the required min imum
frequency is once every four years. For Entry/Exit System
4 (EES) and European Travel
Information and Authorisation System
5 (ETIAS), audits must be conducted at least every three
years.
Compliance with these audit cycles is a key element of the Schengen Evaluations, during
which the on- site teams assess whether supervisory obligations have been met. In this
context, the CSC recommends that both evaluated a uthorities and on-site teams consider the
following aspects when evaluating the application of the Schengen acquis:
1. Full four calendar years without a completed audit in SIS
6, VIS 7 and in the framework for
interoperability
8 (respectively three calendar years in EES 9 and ETIAS 10) should be found
non -compliant with applicable regulations. This conclusion stems from the clear wording
of the relevant EU legal acts, which establish maximum time intervals between successive
audits.
2. The audit cycle should be calculated in years, in accordance with Art. 3(2)(c) of Regulation
1182/71
11 which lays down the general rules for determining periods, dates and time
limits in legal acts adopted by the EU institutions.
3. The date of audit comple tion should mark the starting point for calculating the next audit
cycle. Although EU legal acts do not explicitly define what constitutes the completion of
an audit, it is generally understood as the point at which all planned audit activities have
been c arried out. Common reference points include the final day of the on- site visit or
the date of the audit report. This moment may vary depending on national procedures ,
methodologies and the international auditing standards followed.
Given their independent status, Supervisory Authorities should have flexibility in
determining when an audit is considered complete —particularly in cases where
unforeseen developments (e.g. procedural delays, need to collect additional information
or operational constraints) prev ent strict adherence to the original plan. Nevertheless,
such flexibility must not compromise compliance with the maximum intervals established
by law.
2
4. Supervisory Authorities should remain responsible for determining the timing of the next
audit within the legally allowed timeframe. While the regulations establish min imum
audit frequency, they do not prescribe specific scheduling, leaving this decision to the
discretion of each authority. This autonomy is essential to accommodate national
specificities, including available resources, prioritisation of supervisory activities, and the
results of previous audits.
1 Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of
the Schengen Information System for the return of illegally staying third- country nationals
Regulation (EU) 2018/186 1 of the European Parliament and of the Council of 28 Novem ber 2018 on the
establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and
amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC)
No 1987/2006
Regulation (EU ) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the
establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation
and judicial cooperation in criminal matters, amending and rep ealing Council Decision 2007/533/JHA, and
repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission
Decision 2010/261/EU
2 Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 co ncerning the Visa
Information System (VIS) and the exchange of information between Member States on short -stay visas, long -
stay visas and residence permits (VIS Regulation)
3 Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a
framework for interoperability between EU information systems in the field of borders and visa and amending
Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 20 18/1240, (EU) 2018/1726 and (EU)
2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and
2008/633/JHA
Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a
framework fo r interoperability between EU information systems in the field of police and judicial cooperation,
asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816
4 Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing
an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third- country nationals
crossing the external borders of the Member States and determining the conditions for access to the EES for law
enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations
(EC) No 767/2008 and (EU) No 1077/2011
5 Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establi shing
a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011,
(EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226
6 Art. 19 Regulation 2018/186 0, Art. 55(2) Regulation 2018/1861, art. 69(2) Regulation 2018/1862
7 A rt. 41(3) VIS Regulation
8 A rt. 51(3) Interoperability regulations
9 Art. 55(2) EES Regulation
10 A rt. 66(4) ETIAS Regulation
11 Regulation (EEC, Euratom) No 1182/71 of the Council of 3 June 1971 determining the rules applicable to
periods, dates and time limits
The EU's Large-Scale IT Systems’ regulations establish specific audit cycle requirements for
Supervisory Authorities expressed in years. For Schengen Information System
1 (SIS), Visa
Information System
2 (VIS) and in the framework for interoperability 3, the required min imum
frequency is once every four years. For Entry/Exit System
4 (EES) and European Travel
Information and Authorisation System
5 (ETIAS), audits must be conducted at least every three
years.
Compliance with these audit cycles is a key element of the Schengen Evaluations, during
which the on- site teams assess whether supervisory obligations have been met. In this
context, the CSC recommends that both evaluated a uthorities and on-site teams consider the
following aspects when evaluating the application of the Schengen acquis:
1. Full four calendar years without a completed audit in SIS
6, VIS 7 and in the framework for
interoperability
8 (respectively three calendar years in EES 9 and ETIAS 10) should be found
non -compliant with applicable regulations. This conclusion stems from the clear wording
of the relevant EU legal acts, which establish maximum time intervals between successive
audits.
2. The audit cycle should be calculated in years, in accordance with Art. 3(2)(c) of Regulation
1182/71
11 which lays down the general rules for determining periods, dates and time
limits in legal acts adopted by the EU institutions.
3. The date of audit comple tion should mark the starting point for calculating the next audit
cycle. Although EU legal acts do not explicitly define what constitutes the completion of
an audit, it is generally understood as the point at which all planned audit activities have
been c arried out. Common reference points include the final day of the on- site visit or
the date of the audit report. This moment may vary depending on national procedures ,
methodologies and the international auditing standards followed.
Given their independent status, Supervisory Authorities should have flexibility in
determining when an audit is considered complete —particularly in cases where
unforeseen developments (e.g. procedural delays, need to collect additional information
or operational constraints) prev ent strict adherence to the original plan. Nevertheless,
such flexibility must not compromise compliance with the maximum intervals established
by law.
2
4. Supervisory Authorities should remain responsible for determining the timing of the next
audit within the legally allowed timeframe. While the regulations establish min imum
audit frequency, they do not prescribe specific scheduling, leaving this decision to the
discretion of each authority. This autonomy is essential to accommodate national
specificities, including available resources, prioritisation of supervisory activities, and the
results of previous audits.
1 Regulation (EU) 2018/1860 of the European Parliament and of the Council of 28 November 2018 on the use of
the Schengen Information System for the return of illegally staying third- country nationals
Regulation (EU) 2018/186 1 of the European Parliament and of the Council of 28 Novem ber 2018 on the
establishment, operation and use of the Schengen Information System (SIS) in the field of border checks, and
amending the Convention implementing the Schengen Agreement, and amending and repealing Regulation (EC)
No 1987/2006
Regulation (EU ) 2018/1862 of the European Parliament and of the Council of 28 November 2018 on the
establishment, operation and use of the Schengen Information System (SIS) in the field of police cooperation
and judicial cooperation in criminal matters, amending and rep ealing Council Decision 2007/533/JHA, and
repealing Regulation (EC) No 1986/2006 of the European Parliament and of the Council and Commission
Decision 2010/261/EU
2 Regulation (EC) No 767/2008 of the European Parliament and of the Council of 9 July 2008 co ncerning the Visa
Information System (VIS) and the exchange of information between Member States on short -stay visas, long -
stay visas and residence permits (VIS Regulation)
3 Regulation (EU) 2019/817 of the European Parliament and of the Council of 20 May 2019 on establishing a
framework for interoperability between EU information systems in the field of borders and visa and amending
Regulations (EC) No 767/2008, (EU) 2016/399, (EU) 2017/2226, (EU) 20 18/1240, (EU) 2018/1726 and (EU)
2018/1861 of the European Parliament and of the Council and Council Decisions 2004/512/EC and
2008/633/JHA
Regulation (EU) 2019/818 of the European Parliament and of the Council of 20 May 2019 on establishing a
framework fo r interoperability between EU information systems in the field of police and judicial cooperation,
asylum and migration and amending Regulations (EU) 2018/1726, (EU) 2018/1862 and (EU) 2019/816
4 Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing
an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third- country nationals
crossing the external borders of the Member States and determining the conditions for access to the EES for law
enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations
(EC) No 767/2008 and (EU) No 1077/2011
5 Regulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establi shing
a European Travel Information and Authorisation System (ETIAS) and amending Regulations (EU) No 1077/2011,
(EU) No 515/2014, (EU) 2016/399, (EU) 2016/1624 and (EU) 2017/2226
6 Art. 19 Regulation 2018/186 0, Art. 55(2) Regulation 2018/1861, art. 69(2) Regulation 2018/1862
7 A rt. 41(3) VIS Regulation
8 A rt. 51(3) Interoperability regulations
9 Art. 55(2) EES Regulation
10 A rt. 66(4) ETIAS Regulation
11 Regulation (EEC, Euratom) No 1182/71 of the Council of 3 June 1971 determining the rules applicable to
periods, dates and time limits
Link: https://www.edpb.europa.eu/system/files/2025-10/re
Testo del 2025-10-04 Fonte: europa.eu
Demo Altre chiavi solo per gli iscritti
Commenta
i commenti sono anonimi e inviati via mail e cancellati dopo aver migliorato la voce alla quale si riferiscono: non sono archiviati; comunque non lasciare dati particolari. Si applica la privacy policy.
