Commission Implementing Regulation (EU) 2021/1224 of 27 July 2021 concerning the detailed rules on the conditions for the operation of the web service and data protection and security rules applicable to the web service as well as measures for the development and technical implementation of the web service provided for by Regulation (EU) 2017/2226 of the European Parliament and of the Council and repealing Commission Implementing Decision C(2019)1230
Commission Implementing Regulation (EU) 2021/1224of 27 July 2021concerning the detailed rules on the conditions for the operation of the web service and data protection and security rules applicable to the web service as well as measures for the development and technical implementation of the web service provided for by Regulation (EU) 2017/2226 of the European Parliament and of the Council and repealing Commission Implementing Decision C(2019)1230THE EUROPEAN COMMISSION,Having regard to the Treaty on the Functioning of the European Union,Having regard to Regulation (EU) 2017/2226 of the European Parliament and of the Council of 30 November 2017 establishing an Entry/Exit System (EES) to register entry and exit data and refusal of entry data of third-country nationals crossing the external borders of the Member States and determining the conditions for access to the Entry/Exit System for law enforcement purposes, and amending the Convention implementing the Schengen Agreement and Regulations (EC) No 767/2008 and (EU) No 1077/2011OJ L 327, 9.12.2017, p. 20., and in particular Article 13(7) and Article 36, first paragraph, point (h), thereof,Whereas:(1)Regulation (EU) 2017/2226 establishes the Entry/Exit System, for the electronic recording and storage of the date, time and place of entry and exit of third-country nationals admitted or refused for a short stay in the territory of the Member States and calculates the duration of their authorised stay.(2)The European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice, established by Regulation (EU) No 1077/2011 of the European Parliament and of the CouncilRegulation (EU) No 1077/2011 of the European Parliament and of the Council of 25 October 2011 establishing a European Agency for the operational management of large-scale IT systems in the area of freedom, security and justice (OJ L 286, 1.11.2011, p. 1). (eu-LISA) is responsible for the development and operational management of the Entry/Exit System.(3)Commission Implementing Decision C(2019)1230 lays down specifications and conditions for the operation of the web service provided for in Article 13 of Regulation (EU) 2017/2226, including specific provisions for data protection and security. Those specifications and conditions must be adapted by taking into account visa-exempt travellers within the meaning of Article 45 of Regulation (EU) 2018/1240 of the European Parliament and of the CouncilRegulation (EU) 2018/1240 of the European Parliament and of the Council of 12 September 2018 establishing a European Travel Information and Authorisation System (ETIAS) (OJ L 236, 19.9.2018, p. 1)..(4)Article 13(3) of Regulation (EU) 2017/2226 requires carriers to use the web service to verify whether third-country nationals holding a short-stay visa issued for one or two entries have already used the number of entries authorised by their visa.(5)In order to enable carriers to fulfil their obligation to verify the use of the single and double entry visa, they should have access to the web service. Carriers should access the web service through an authentication scheme and be able to dispatch and receive messages in a format to be determined by eu-LISA.(6)Technical rules on the message format and authentication scheme should be laid down in order to enable carriers to connect and use the web service to be specified in the technical guidelines, which are part of the technical specifications referred to in Article 37(1) of Regulation (EU) 2017/2226, to be adopted by eu-LISA.(7)Carriers should be able to indicate that the passengers fall outside the scope of the Regulation (EU) 2017/2226 and in such case carriers should receive an automatic "Not applicable" reply from the web service, without querying the read only database and without logging.(8)The Commission, eu-LISA and the Member States should endeavour to inform all known carriers of how and when they can register. Upon successful completion of the registration procedure as well as, where relevant, the successful completion of testing, eu-LISA should connect the carrier to the carrier interface.(9)Authenticated carriers should only give access to the web service to duly authorised staff.(10)This Regulation should provide for data protection and security rules applicable to the authentication scheme.(11)In order to ensure that the verification query is based on information, which is as up-to-date as possible, queries should be introduced at the earliest 48 hours prior to the scheduled time of departure.(12)This Regulation should apply to air carriers, sea carriers and international carriers transporting groups overland by coach, coming into the territory of the Member States. Border checks for entry into the territory of the Member States may precede boarding. In such cases, carriers should be relieved of the obligation to verify the travel authorisation status of travellers.(13)Carriers should have access to a web form on a public website allowing them to request assistance. When requesting assistance carriers should receive an acknowledgement of receipt containing a ticket number. eu-LISA or the ETIAS Central Unit may contact carriers that have received a ticket by any means necessary, including by phone, in order to provide an adequate response.(14)Due to the need to limit the administrative burden on passenger travel and carrier to the extent possible by integrating with the European Travel Information and Authorisation System and therefore adapting the conditions for the operation of the web service referred to in Article 13 of Regulation (EU) 2017/2226 to the adoption of Regulation (EU) 2018/1240, the provisions on assistance to carriers and the procedures to follow in case of technical impossibility established for Regulation (EU) 2018/1240 should apply.(15)This Regulation is without prejudice to the application of Directive 2004/38/EC of the European Parliament and of the CouncilDirective 2004/38/EC of the European Parliament and of the Council of 29 April 2004 on the right of citizens of the Union and their family members to move and reside freely within the territory of the Member States amending Regulation (EEC) No 1612/68 and repealing Directives 64/221/EEC, 68/360/EEC, 72/194/EEC, 73/148/EEC, 75/34/EEC, 75/35/EEC, 90/364/EEC, 90/365/EEC and 93/96/EEC (OJ L 158, 30.4.2004, p. 77)..(16)In accordance with Articles 1 and 2 of Protocol No 22 on the position of Denmark, annexed to the Treaty on European Union and to the Treaty on the Functioning of the European Union, Denmark did not take part in the adoption of Regulation (EU) 2017/2226 and is not bound by it or subject to its application. However, given that Regulation (EU) 2017/2226 builds upon the Schengen acquis, Denmark, in accordance with Article 4 of that Protocol, notified on 30 May 2018 its decision to implement Regulation (EU) 2017/2226 in its national law. Denmark is therefore bound under international law to implement this Regulation.(17)This Regulation constitutes a development of the provisions of the Schengen acquis in which Ireland does not take partThis Regulation falls outside the scope of the measures provided for in Council Decision 2002/192/EC of 28 February 2002 concerning Ireland’s request to take part in some of the provisions of the Schengen acquis (OJ L 64, 7.3.2002, p. 20).. Ireland is therefore not taking part in the adoption of this Regulation and is not bound by it or subject to its application.(18)As regards Iceland and Norway, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquisOJ L 176, 10.7.1999, p. 36., which fall within the area referred to in Article 1, point A of Council Decision 1999/437/ECCouncil Decision 1999/437/EC of 17 May 1999 on certain arrangements for the application of the Agreement concluded by the Council of the European Union and the Republic of Iceland and the Kingdom of Norway concerning the association of those two States with the implementation, application and development of the Schengen acquis (OJ L 176, 10.7.1999, p. 31)..(19)As regards Switzerland, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquisOJ L 53, 27.2.2008, p. 52., which fall within the area referred to in Article 1, point A of Decision 1999/437/EC, read in conjunction with Article 3 of Council Decision 2008/146/ECCouncil Decision 2008/146/EC of 28 January 2008 on the conclusion, on behalf of the European Community, of the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis (OJ L 53, 27.2.2008, p. 1)..(20)As regards Liechtenstein, this Regulation constitutes a development of the provisions of the Schengen acquis within the meaning of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquisOJ L 160, 18.6.2011, p. 21. which fall within the area referred to in Article 1, point A of Decision 1999/437/EC read in conjunction with Article 3 of Council Decision 2011/350/EUCouncil Decision 2011/350/EU of 7 March 2011 on the conclusion, on behalf of the European Union, of the Protocol between the European Union, the European Community, the Swiss Confederation and the Principality of Liechtenstein on the accession of the Principality of Liechtenstein to the Agreement between the European Union, the European Community and the Swiss Confederation on the Swiss Confederation’s association with the implementation, application and development of the Schengen acquis, relating to the abolition of checks at internal borders and movement of persons (OJ L 160, 18.6.2011, p. 19)..(21)As regards Bulgaria and Romania, as the verification in accordance with applicable Schengen evaluation procedures has been successfully completed, as confirmed by Council conclusions of 9 June 2011; the provisions of the Schengen acquis relating to the Schengen Information System have been put into effect by Council Decision (EU) 2018/934Council Decision (EU) 2018/934 of 25 June 2018 on the putting into effect of the remaining provisions of the Schengen acquis relating to the Schengen Information System in the Republic of Bulgaria and Romania (OJ L 165, 2.7.2018, p. 37). on the putting into effect of the remaining provisions of the Schengen acquis relating to the Schengen Information System in the Republic of Bulgaria and Romania; the provisions of the Schengen acquis relating to the Visa Information System have been put into effect by Council Decision (EU) 2017/1908Council Decision (EU) 2017/1908 of 12 October 2017 on the putting into effect of certain provisions of the Schengen acquis relating to the Visa Information System in the Republic of Bulgaria and Romania (OJ L 269, 19.10.2017, p. 39). on the putting into effect of certain provisions of the Schengen acquis relating to the Visa Information System in the Republic of Bulgaria and Romania, all the conditions for the operation of the Entry/Exit System set out in Article 66(2)(b) of Regulation (EU) 2017/2226 are met and those Member States should therefore operate the Entry/Exit System from the start of operations as decided in accordance with Article 66(1) of Regulation (EU) 2017/2226.(22)As regards Cyprus and Croatia, the operation of the Entry/Exit System requires the granting of passive access to the Visa Information System and the putting into effect of all the provisions of the Schengen acquis relating to the Schengen Information System in accordance with the relevant Council Decisions. Those conditions can only be met once the verification in accordance with the applicable Schengen evaluation procedure has been successfully completed. Therefore, the Entry/Exit System should be operated only by those Member States which fulfil those conditions at the start of the operation of the Entry/Exit System. Member States not operating the Entry/Exit System from the start of operations should be connected to the Entry/Exit System, in accordance with the procedure set out in Regulation (EU) 2017/2226, as soon as all of those conditions are met.(23)The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the CouncilRegulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39). and delivered an opinion on 29 April 2021.(24)The measures provided for in this Regulation are in accordance with the opinion of the Smart Borders Committee (EES),HAS ADOPTED THIS REGULATION:
Article 1Subject matterThis Regulation establishes:(a)the detailed rules and conditions for the operation of the web service and the data protection and security rules applicable to the web service provided for in Article 13(1) and (3) and Article 36, first paragraph, point (h), of Regulation (EU) 2017/2226;(b)an authentication scheme for carriers to enable them to fulfil their obligations pursuant to Article 13(3) of Regulation (EU) 2017/2226 as well as detailed rules and conditions on registration of carriers in order to gain access to the authentication scheme;(c)details of the procedures to be followed where it is technically impossible for carriers to access the web service.Article 2DefinitionsFor the purposes of this Regulation the following definitions apply:(1)"carrier interface" means the web service to be developed by eu-LISA in accordance with Article 37(1) of Regulation (EU) 2017/2226 where used for the purposes of Article 13(3) of that Regulation and consisting of an IT interface connected to a read only database;(2)"technical guidelines" means the part of the technical specifications, referred to in Article 37(1) of Regulation (EU) 2017/2226 that is relevant for carriers for the implementation of the authentication scheme and the development of the message format of the Application Programming Interface referred to in Article 4(2)(a);(3)"duly authorised staff" means natural persons that are employees of or contractually engaged by the carrier or other legal or natural under that carrier’s direction or supervision, assigned with the tasks of verifying whether the number of entries authorised by a visa has already been used on behalf of the carrier, in accordance with Article 13(3) of Regulation (EU) 2017/2226.Article 3Obligations of carriers1.Carriers shall launch a query to verify whether the number of entries authorised by a visa has already been used as referred to in Article 13 of Regulation (EU) 2017/2226 ("verification query") through the carrier interface.2.The verification query shall be introduced at the earliest 48 hours prior to the scheduled time of departure.3.Carriers shall ensure that only duly authorised staff have access to the carrier interface. The carriers shall put in place at least the following mechanisms:(a)physical and logical access control mechanisms to prevent unauthorised access to the infrastructure or the systems used by the carriers;(b)authentication;(c)logging to ensure access traceability;(d)regular review of the access rights.Article 4Connection and access to the carrier interface1.Carriers shall connect to the carrier interface through one of the following:(a)a dedicated network connection;(b)an internet connection.2.Carriers shall access the carrier interface through one of the following:(a)a system to system interface (Application Programming Interface);(b)a web interface (browser);(c)an application for mobile devices.Article 5Queries1.In order to send a verification query, the carrier shall provide the following traveller data:(a)surname (family name); first name or names (given names);(b)date of birth; sex; nationality;(c)the type and number of the travel document and the three letter code of the issuing country of the travel document;(d)the date of expiry of the validity of the travel document;(e)the scheduled date of arrival at the border of a Member State which applies the Schengen acquis in full or a Member State which does not apply the Schengen acquis in full but operates the Entry/Exit system;(f)one of the following:(1)the scheduled Member State of entry which applies the Schengen acquis in full;(2)where possible to identify the scheduled Member State of entry, an airport in the Member State of entry which applies the Schengen acquis in full;(3)the scheduled Member State of entry which does not apply the Schengen acquis in full but operates the Entry/Exit System;(4)where possible to identify the scheduled Member State of entry, an airport in the Member State of entry which does not apply the Schengen acquis in full but operates the Entry/Exit System;(g)the details (local date and time of scheduled departure, identification number, where available, or other means to identify the transport) of the means of transportation used to access the territory of a Member State which applies the Schengen acquis in full or the Member State which does not apply the Schengen acquis in full but operates the Entry/Exit System.2.Where the itinerary requires a double-entry visa from the traveller, the carrier shall provide information that the itinerary includes two entries into the Member States when submitting the verification query.3.For the purposes of providing the information referred to in paragraph 1, points (a) to (d), carriers may scan the machine-readable zone of the travel document.4.Where the passenger is exempt from the scope of Regulation (EU) 2017/2226 in accordance with Article 2 of that Regulation or is in airport transit, the carrier shall be able to specify it in the verification query.5.Carriers shall be able to send a verification query for one or more passengers. The carrier interface shall include the reply referred to in Article 6 for each passenger included in the query.Article 6Reply1.Where the passenger is exempt from the scope of Regulation (EU) 2017/2226 in accordance with Article 2 of that Regulation, is in airport transit or is a holder of a national short-stay visa in the meaning of Article 3(1), point 10 of that Regulation, the reply shall be "Not applicable". In all other cases, the reply shall be "OK" or "Not OK".Where a verification query returns a "Not OK" reply, the carrier interface shall specify that the reply is coming from the Entry/Exit System.2.Replies to verification queries shall be determined in accordance with the following rules:(a)where the traveller is the holder of a uniform short-stay visa:(i)where the authorised number of entries (one or two) on the visa has not yet been reached: OK;(ii)where the authorised number of entries (one or two) on the visa has already been reached: Not OK;(iii)where the visa has expired, or has been revoked or annulled: Not OK;(b)where the traveller is subject to a visa obligation and no visa information is available: Not OK;(c)where the carrier specifies that the itinerary requires a double entry visa:(i)where the traveller is in possession of a double entry visa, valid for the date of arrival and neither entry has been used: OK;(ii)where the traveller is not in possession of a double entry visa: Not OK;(iii)where the traveller is in possession of a double entry visa but at least one entry has been used: Not OK;(iv)where the traveller is in possession of a double entry visa but at least one entry is not valid for the date of arrival: Not OK.3.Where the traveller is visa exempt or the traveller falls within the scope of Regulation (EU) 2018/1240, the provisions defined in the Commission Implementing Regulation (EU) 2021/1217Commission Implementing Regulation (EU) 2021/1217 of 26 July 2021 laying down the rules and conditions for verification queries by carriers, provisions for data protection and security for the carriers’ authentication scheme as well as fall back procedures in case of technical impossibility (OJ L 267, 27.7.2021, p. 1). applies.Article 7Message formateu-LISA shall specify the data formats and structure of messages to be used for transmitting verification queries and replies to those queries through the carrier interface in the technical guidelines. eu-LISA shall include at least the following data formats:(a)UN/EDIFACT;(b)PAXLST/CUSRES;(c)XML;(d)JSON.Article 8Data extraction requirements for the carrier interface and the web service for third country nationals and data quality1.Data on issued, annulled and revoked short stay visas, and travel authorisations shall be regularly and automatically extracted from the Visa Information System, the European Travel Information and Authorisation System and the Entry/Exit System and transmitted to the read-only database.2.All extractions of data into the read-only database pursuant to paragraph 1 shall be logged.3.eu-LISA shall be responsible for the security of the web service and of the personal data it contains, and for the process of extracting and transmitting the data referred to in paragraph 1 to the read-only database.4.It shall not be possible to transmit data from the read-only database to the Entry/Exit System or the Visa Information System.Article 9Authentication scheme1.eu-LISA shall develop an authentication scheme, taking into account information on security risk management and the principles of data protection by design and default and allowing to trace the initiator of the verification query.2.The details of the authentication scheme shall be set out in the technical guidelines.3.The authentication scheme shall be tested in accordance with Article 12.4.Where carriers access the carrier interface using the Application Programming Interface referred to in Article 4(2), point (a), the authentication scheme shall be implemented by means of mutual authentication.Article 10Registration for the authentication scheme1.Carriers referred to in Article 13(3) of Regulation (EU) 2017/2226 operating and transporting passengers into the territory of the Member States shall be required to register prior to gaining access to the authentication scheme.2.eu-LISA shall make available a registration form on a public website to be completed on-line. Submission of the registration form shall only be possible where all the fields have been correctly completed.3.The registration form shall include fields requiring carriers to provide the following information:(a)the legal name of the carrier as well as its contact details (email address, telephone number and postal address);(b)the contact details of the legal representative of the company requesting the registration and of back-up points of contact (names, telephone numbers, email and postal addresses) as well as the functional email address and other means of communication that the carrier intends to use for the purposes of Articles 13 and 14;(c)the Member State or third country that issued the official company registration referred to in paragraph 6 and any available registration number;(d)where the carrier has attached, in accordance with paragraph 6, an official company registration issued by a third country, the Member States in which the carrier operates or intends to operate within the next year.4.The registration form shall inform the carriers of the minimum security requirements, which shall ensure compliance with the following objectives:(a)identifying and managing security risks related to the connection to the carrier interface;(b)protecting the environments and the devices connected to the carrier interface;(c)detecting, analysing, responding to and recovering from cyber security incidents.5.The registration form shall require carriers to declare:(a)that they operate and transport passengers into the territory of the Member States or intend to do so within the next six months;(b)that they will access and make use of the carrier interface in accordance with the minimum security requirements set out in the registration form, in accordance with paragraph 4;(c)that only duly authorised staff will have access to the carrier interface.6.The registration form shall require carriers to attach an electronic copy of their instruments of constitution, including statutes, as well as an electronic copy of an extract of their official company registration from either at least one Member State, where applicable, or from a third country in, or officially translated into, one of the official Union or one of the Schengen Associated Countries languages. An electronic copy of an authorisation to operate in one or more Member States, such as an Air Operator Certificate, can substitute the official company registration.7.The registration form shall notify carriers:(a)that they are required to inform eu-LISA of any changes regarding the information referred to in paragraphs 3, 4 and 5 or in case of technical changes affecting their "system to system" connection to the carrier interface that may require additional testing in accordance with Article 12 through specified contact details of eu-LISA to be used for this purpose;(b)that they will be automatically deregistered from the authentication scheme if the logs show that the carrier has not used the carrier interface during a period of one year;(c)that they may be deregistered from the authentication scheme in case of a breach of the provisions of this Regulation, the security requirements referred to in paragraph 4 or the technical guidelines, including in case of abuse of the carrier interface;(d)that they are obliged to inform eu-LISA of any personal data breach that may occur and regularly review the access rights of their dedicated staff.8.Where the registration form has been submitted correctly, eu-LISA shall register the carrier and notify the carrier that it has been registered. Where the registration form has not been submitted correctly, eu-LISA shall refuse registration and notify the carrier of the reasons.Article 11Deregistration from the authentication scheme1.Where a carrier informs eu-LISA that it no longer operates or transports passengers into the territory of the Member States, eu-LISA shall deregister the carrier.2.Where the logs show that the carrier has not used the carrier interface during a period of one year, it shall be automatically deregistered.3.Where a carrier no longer fulfils the conditions referred to in Article 10(5), or has otherwise breached the provisions of this Regulation, the security requirements referred to in Article 10(4) or the technical guidelines, including in case of abuse of the carrier interface, eu-LISA may deregister the carrier.4.eu-LISA shall inform the carrier of its intention to deregister the carrier pursuant to paragraphs 1, 2 or 3, together with the reason for the deregistration, one month before deregistration. Before deregistration, eu-LISA shall give the carrier the opportunity to provide written comments.5.In case of urgent IT security concerns, including where the carrier is not complying with the security requirements referred to in Article 10(4) or with the technical guidelines, eu-LISA may immediately disconnect a carrier. eu-LISA shall inform the carrier of the disconnection, together with the reason for the disconnection.6.To the extent appropriate, eu-LISA shall assist carriers that have received a notice of deregistration or disconnection to remedy the deficiencies that gave rise to the notice and, where possible, for a limited time and under strict conditions, provide the opportunity for disconnected carriers to send verification queries by other means than those referred to in Article 4.7.Disconnected carriers may again be connected to the carrier interface following successful removal of the security concerns that gave rise to the disconnection. Deregistered carriers may submit a new request for registration.8.eu-LISA shall maintain an up to date register of registered carriers. Personal data contained in the registration of carriers shall be deleted at the latest one year after the carrier has been deregistered. At any time following the registration of carriers pursuant to Article 10, eu-LISA may, in particular where there is reasoned suspicion that one or more carriers are abusing the carrier interface or do not fulfil the conditions referred to in Article 10(4), make inquiries with Member States or third countries.9.Where the registration form referred to in Article 10(2) is not available for a prolonged period of time, eu-LISA shall ensure that registration in accordance with that Article is possible via other means.Article 12Development, testing and connection of the carrier interface1.eu-LISA shall make the technical guidelines available to carriers in order to enable them to develop and test the carrier interface.2.Where carriers choose to connect through the Application Programming Interface referred to in Article 4(2), point (a), the implementation of the message format referred to in Article 7 and of the authentication scheme referred to in Article 9 shall be tested.3.Where carriers choose to connect through the web interface (browser) or application for mobile devices referred to in Article 4(2), points (b) and (c) respectively, they shall notify eu-LISA that they have successfully tested their connection to the carrier interface and that their duly authorised staff has been successfully trained in using the carrier interface.4.For the purpose of paragraph 2, eu-LISA shall develop and make available a testing plan, a test environment and a simulator allowing eu-LISA and carriers to test the carriers’ connection to the carrier interface. For the purpose of paragraph 3, eu-LISA shall develop and make available a test environment allowing carriers to train their staff.5.Upon successful completion of the registration procedure referred to in Article 10 as well as the successful completion of the testing referred to in paragraph 2 or reception of the notification referred to in paragraph 3, eu-LISA shall connect the carrier to the carrier interface.Article 13Technical impossibility to proceed with verification queriesWhere it is technically impossible to send a verification query because a component of the Entry/Exit System failed, Article 13 of Implementing Regulation (EU) 2021/1217 shall apply, mutatis mutandis, in the event of a technical impossibility to proceed with a verification query due to a failure of any component of the Entry/Exit System.Article 14Assistance to carriersIn order to allow carriers to request assistance, Article 14 of Implementing Regulation (EU) 2021/1217 shall apply, mutatis mutandis, with regard to requests for assistance by carriers in relation to the Entry/Exit System.Article 15Access to the web service by third country nationals1.When verifying the remaining days of authorised stay via a secure internet access to the web service, third country nationals shall indicate the Member State of destination.2.The third country national shall insert the following data in the web service:(a)type and number of the travel document or documents and three-letter code of the issuing country of the travel document or documents;(b)optionally, intended date of entry or exit or both, set as Central European Time by default, editable by the user;(c)Member State of destination.3.The web service shall provide one of the following replies:(a)"OK" and the remaining days of authorised stay;(b)"NOT OK" and 0 remaining days of authorised stay;(c)"Not available".4.Where the number of remaining days of authorised stay is provided, the web service shall indicate that the number of days was calculated on the basis of the intended date of entry provided by the third country national and that the actual number of days remaining may vary depending on the actual date of entry. Where no intended date of entry has been provided by the third country national, the remaining authorised stay will be calculated on the basis of the calendar date of the query. In this case, the web service shall indicate that the number of days remaining for authorised stay was calculated on the basis of the calendar date of the query.5.During the transitional period provided for in Article 22 of Regulation (EU) 2017/2226, where no data exist in the Entry/Exit System for the third country national, replies to the verification queries shall be determined in accordance with the following rules:(a)Authorised stay: OK;(b)Remaining days: information not available, including a note stating that the stays that occurred before the Entry/Exit System started operations have not been taken into account.6.After the transitional period provided for in Article 22 of Regulation (EU) 2017/2226, replies to the verification queries shall be determined in accordance with the following rules:(a)where the third country national has sufficient remaining days of authorised stay, the reply shall be:(i)Authorised stay: OK;(ii)Remaining days: remaining days of authorised stay calculated by the Entry/Exit System;(b)where the third country national has consumed part of the authorised stay and intends to stay longer than the authorised stay, the reply shall be:(i)Authorised stay: NOT OK;(ii)Remaining days: 0;(c)where the third country national has consumed all the days of the authorised stay, the reply shall be:(i)Authorised stay: NOT OK;(ii)Remaining days: 0;(d)where the third country national is subject to a visa obligation and has no valid visa or the visa has expired, or has been revoked or annulled, or has a limited territorial validity visa which does not match the inserted Member State of destination, the reply shall be:(i)Authorised stay: NOT OK;(ii)Remaining days: 0;(e)where the third country national is not subject to a visa obligation and has no valid travel authorisation or has a travel authorisation that has expired, or has been revoked or annulled, the reply shall be:(i)Authorised stay: NOT OK;(ii)Remaining days: 0;(f)where there are no entries in the Entry/Exit System for a third country national who is a holder of a short stay visa, the number of remaining days shall be capped according to the expiration date of the short stay visa. In the case of visa exempt third country nationals, after start of operations of the European Travel Information and Authorisation System, the number of remaining days shall be capped according to the expiration date of the travel authorisation, taking into account the transitional period and grace period referred to in Article 83 of Regulation (EU) 2018/1240.7.The web service shall provide additional information to the third country national as follows:(a)in a prominent place, the Member States for which the calculation of the stay is applicable;(b)close to the field to enter the travel document number, that the travel document to be used for the purposes of the web service shall be one of the travel documents used for previous stays;(c)the list of Member States;(d)all possible reasons for receiving the reply: "Information not available";(e)a general disclaimer stating clearly that the answer "OK/NOT OK" cannot be interpreted as a decision to grant or refuse entry to the Schengen area;(f)the regime applicable to third country nationals who are members of the family of a Union citizen to whom Directive 2004/38/EC applies or of a national of a third country enjoying the right of free movement equivalent to that of Union citizens under an agreement between the Union and its Member States, on the one hand, and a third country, on the other and do not hold a residence card pursuant to Directive 2004/38/EC or a residence permit pursuant to Regulation (EC) No 1030/2002.Article 16Repeal of Implementing Decision C(2019) 1230The Implementing Decision C(2019) 1230 shall be repealed.Article 17Entry into force and applicabilityThis Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.This Regulation shall be binding in its entirety and directly applicable in all Member States in accordance with the Treaties.Done at Brussels, 27 July 2021.For the CommissionThe PresidentUrsula von der Leyen