01/2013: Krum Garkov

JANUARY 2013

Krum Garkov
Executive Director of the EU Agency for the operational management of
large-scale IT systems in the area of freedom, security and justice

on

“Key priorities for the newly established EU Agency for the operational
management of large-scale IT systems in the area of freedom, security and justice”

 

Eurasylum: The EU Agency for the operational management of large-scale IT systems in the area of freedom, security and justice became operational on 1 December 2012. It is responsible for the long-term operational management of the second generation Schengen Information System (SIS II), the Visa Information System (VIS) and EURODAC. In the future, the Agency may also be made responsible for the preparation, development and operational management of other large-scale IT systems in the area of freedom, security and justice, if so entrusted by means of separate legal instruments. Can you guide us through the Agency’s initial priorities and work programme?

Krum Garkov: The Agency was established in the political context of the Stockholm programme and the action plan implementing this programme, which set the framework for the EU’s response to major challenges in this policy area and which outline a number of key developments in the area of home affairs.

Cooperation in the field of justice and home affairs is largely based on information exchange and common information systems. In this context the mission of the Agency is to continuously add value to the Member States, supporting through technology their efforts for a safer Europe.

The mission of the Agency is implemented through the vision for the organization which includes:

• Providing high quality and efficient services and solutions
• Earning trust, continuously aligning capabilities of technology with evolving needs of the Member States
• Growing as a Centre of Excellence

In practical terms, the core task of the Agency initially is to keep the SIS II, VIS and EURODAC systems functioning 24 hours a day, seven days a week, ensuring the continuous, uninterrupted exchange of data between national authorities. In that sense the main objectives of the Agency in 2013, as per the approved Work Programme, are:

1. Consolidate the Agency’s structure and cohesion
To implement the necessary measures to ensure good governance and to strengthen cooperation and team building across the Agency, in order to deliver a seamless service on goals overarching the different units and sites of the Agency.

2. Move towards becoming a centre of excellence
To nurture and enhance the expertise and best practices within the organisation and to put in place effective governance, structure, resources, information tools, procedures and methodologies to enable the Agency to move forward towards becoming a centre of excellence for the management and development of large scale IT systems in the field of freedom, justice and security. A key part of this process will be to ensure alignment of business and ICT goals, by implementing Enterprise Governance of ICT.

3. Preparations for taking on board additional systems
Subject to the adoption of the legal bases for the Registered Traveller Programme and Entry Exit System, it is possible that the Agency may be asked to start developing these systems as from 2015. The Agency should already start planning ahead, strategically, anticipating on its specific infrastructure, staffing and organisational requirements, taking account of the financial information in the legislative proposals for these systems.

4. Continuous move to optimise cost-effectiveness
To move towards more cost effective ways of delivering the requisite level of service or technical excellence for the Agency’s own internal operations and for the IT systems under its management. This includes examining the scope for achieving cost savings for stakeholders.

The Agency is governed by a Management Board with one representative from each Member State and two from the European Commission. It will be assisted by advisory groups composed of representatives from Member States which participate in the IT systems and a representative of the Commission.

Beyond that, there are two major factors that will ensure the success of the agency. They are its governance model and its ability to continuously maximize value added to the stakeholders. With regard to governance, it will be based on the following values:

Integrity, ensuring that the Agency makes the best use of expertise, knowledge and investments made by the Commission and member countries so far, and continues to develop them

Accountability, deploying sound governance framework, cost-efficient operations and sound financial management

Transparency, providing regular and open communication to the Agency’s key stakeholders and engaging them in a continuous dialogue to define long-term strategy for development of the agency

Excellence, through having the right organizational structure, the right people and the right processes in place to ensure service continuity and functional comprehensiveness of tools provided to the member states and the Commission

Team work, empowering each individual team member to make the best use of their knowledge and experience, thus contributing to the common success.

The ability of the agency to increase continuously the value added to the member states will depend on:

o Fulfilment of its initial mission to ensure 24 x 7 availability of existing information systems, with all the required resources in place to guarantee their stability, and establish and follow the highest standards of security and data protection, given the sensitive nature of the data collected and processed

o In a longer term perspective the Agency must become a centre of excellence where technology toolsets in the area of JHA will be continuously monitored, developed and aligned with evolving needs of the member states

o The Agency will also have to develop expertise in the areas of R & D, systems architectures, project and program management, vendor & contract management, trainings and knowledge transfer. They will enable further maximization of value added through taking responsibilities for development & implementation of new technology solutions and systems in the area of JHA and pro-actively supporting member states to get the best value out of the existing ones

o Last but not least, to maximize further its value, the Agency will also work in close cooperation with other agencies such as Cepol, Frontex, Europol, ENISA, EASO etc. Applying the principle of complementarity, the Agency will exchange experience and knowledge, and will innovate and contribute to the deployment of common EU technology platforms and tools in the area of JHA and in a broader context.

Eurasylum: A number of political and societal phenomena will influence the environment of the IT systems managed by the Agency, including new trends and challenges in the migratory flows towards the Union. These will highlight the importance of having effective systems for controlling the borders, maintaining security, effectively managing asylum applications and implementing visa-issuing processes. At the same time, the changes in the legal basis of the IT systems managed by the Agency require further actions for implementation. Could you provide a snapshot of the actions that shall be taken by the Agency in order to meet these operational and legal requirements?

Krum Garkov: The Agency must demonstrate its ability to deliver on the needs of stakeholders, whilst taking full account of EU interests and priorities. Furthermore, our stakeholders expect state of the art solutions in terms of functionalities, response time and continuity of operations. The pace of operational and legal changes is both a challenge and an opportunity. The Agency will embrace this pro-actively by putting in place adequate governance procedures, structures and processes to enable it to meet all the requirements.

In concrete terms, as I have already mentioned, the Agency is responsible for all the tasks necessary to keep SIS II, VIS and EURODAC functioning 24 hours a day, seven days a week, including the maintenance work and technical developments necessary for the smooth running of the systems.

As regards the SIS II, the main priority area shall be biometrics. Initially photographs and fingerprints will only be used to confirm the identity of a person who has been located as the result of an alphanumeric search made in SIS II. The SIS II legal instruments also specify that, as soon as this becomes technically possible, fingerprints may also be used to identify such a person on the basis of his/her biometric identifier. The Commission is required by the legal bases to present a report on this matter and the Agency shall contribute to this report, if required.

On the VIS the main aim should be to achieve the completion of the world-wide roll-out while ensuring a stable level of operation and support to Member States. The system shall be upgraded in order to increase its capacity according to the requirements of the Member States as well as to introduce modifications related to the implementation of the new Visa Code adopted on 5 May 2010.

The Agency shall also conclude the activities related to the development of the Visa Information System Mail Communication mechanism 2 (the VIS Mail 2). The VIS Mail 2 allows transmission of information between Member States via the infrastructure of the Visa Information System and is due to be operational by the completion of the world-wide roll-out of the VIS.

Negotiations on a proposed recast of the EURODAC Regulation are in progress and the recast will soon be adopted. Changes foreseen by the current text include the marking of records (instead of blocking) and changes to time limits for Member States to submit an asylum request. It is possible that other functionalities may be retained in the final version to be adopted.

The Agency will implement the changes foreseen in the Recast Regulation and ensure that the technical changes make optimal use of new technologies and processes. A prior assessment study is necessary, in order to clearly identify the technical (hardware, software, professional services) and financial impacts of these changes on the current systems. The implementation of these changes will most likely start in 2014, depending on the outcome of legal negotiations, the assessment study and the procurement procedure.

Another important objective related to EURODAC is the removal of this system from Luxembourg to Strasbourg and Sankt Johann im Pongau. At its meeting in November 2011, after considering the feasibility, the financial aspects as well as the operational risks, the Management Board of the Agency decided on the technical solution for removal of EURODAC. The EURODAC Advisory Group is currently assessing the implementing steps.

Concerning the communication infrastructure for the IT systems under the Agency’s management, the Agency will be responsible for supervision, security and coordination of relations between the Member States and the network provider for the communication infrastructure for SIS II, VIS and EURODAC. The Agency will also ensure that external private sector network providers fully respect the security measures and have no access to operational data in the IT systems.

I would like to point out that the Agency stands ready to provide assistance to Croatia with its technical preparations for accession to SIS II, VIS and EURODAC, in light of its preparations for membership of the EU.

At the same time, we have to take into account other possible developments at EU level. As announced in the Smart Borders Communication of 25 October 2011 (COM(2011)680), the Commission intends to put forward proposals for a Registered Traveller Programme and an Entry Exit System. Subject to the adoption of these legal bases, it is envisaged that the Agency would be the Management Authority for these systems.

No work will be done on the development of these new systems until the European Parliament and the Council have adopted the respective legal bases, setting out clearly the requirements. However, the Agency should already start planning ahead proactively with a view to defining more specific requirements in terms of infrastructure, staffing and organisation, taking account of the information included in the financial fiches of the legislative proposals for these systems in order to ensure timely implementation of the legal acts.

Eurasylum: According to the Regulation establishing the Agency, the development and operational management of large-scale IT systems should follow European and international standards taking into account the highest professional requirements, in particular the European Union Information Management Strategy. Can you describe, briefly, some of these standards and how they might feed into the operational management of SIS II, VIS and EURODAC?

Krum Garkov: Security in the EU and implementation of the fundamental right of free movement depends on effective mechanisms for exchanging information and collaboration between national law enforcement authorities and other European players.

The Information Management Strategy for EU internal security, adopted by the Council in 2009, entails a business driven development, a strong data protection regime, interoperability of IT systems and a rationalisation of tools as well as overall coordination, convergence and coherence. Further on, the recent Commission Communication on the European Information Exchange Model (EIXM) guides the EU and Member States activity on how to improve the implementation of existing instruments and streamline the communication channels used as well as ensuring high data quality, security and protection.

In the context of this model the Agency shall put in place adequate governance for ensuring alignment of the Agency’s business and ICT goals and the creation of value from IT-enabled business developments by implementing recognised standards and business models in this field, namely the Enterprise Governance of ICT model, essential maturity levels of the COBIT framework for IT governance and best practices for IT service management from ITIL. The Agency will also work towards putting in place total quality management, with a view to full implementation of ISO 9001 in the medium term. The Agency will have to ensure full implementation and compliance with the various security measures and security plans for the organisation itself, the IT systems that it manages (covering matters such as organisation of security, technical measures including measures to ensure protection of records, business continuity, access control, accountability – ensuring that every access to and all exchanges of personal data are recorded at central level, cooperation with EDPS and follow-up of EDPS audits), the communication networks for these systems (including procedures and security provisions for business continuity, management of contractors and management of encryption keys), and data protection measures.

In the context of this model the issue of cost-efficiency is addressed as well, in the sense that the most sustainable, easily traceable and cost-effective solutions should be identified and implemented. High focus is placed on data protection including data security. Adequate use of modern technologies, as well as adaptation of business processes and measures to implement data protection will protect business interests as well as citizens’ private lives.

We shall also produce the reporting and statistics on the use of the IT systems as foreseen in the legal bases for the IT systems and reflected in the establishing Regulation of the Agency. Our reports on the technical functioning of the systems, including security, will be presented regularly to the European Parliament, the Council and the Commission. Other reports with information required for the regular evaluation of VIS, EURODAC and SIS II shall be submitted to the Commission.

The Agency will provide training on the technical use of SIS II, VIS and EURODAC to the national authorities participating in these systems. It will also provide training for SIRENE staff (SIRENE: Supplementary Information Request at the National Entries) and training for Schengen evaluation team members and lead experts on the technical aspects of SIS II.

I believe that the EU Information Management Strategy and the European Information Exchange Model are essential tools in achieving the objectives of increasing the EU internal security and protecting its citizens. Still, they are only means to this end and will be dependent on the political, policy, and operational priorities, and on the business vision on how to achieve such objectives.