Commission Implementing Regulation (EU) 2022/1463 of 5 August 2022 setting out technical and operational specifications of the technical system for the cross-border automated exchange of evidence and application of the ‘once-only’ principle in accordance with Regulation (EU) 2018/1724 of the European Parliament and of the Council (Text with EEA relevance)
THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) 2018/1724 of the European Parliament and of the Council of 2 October 2018 establishing a single digital gateway to provide access to information, to procedures and to assistance and problem-solving services and amending Regulation (EU) No 1024/2012 [OJ L 295, 21.11.2018, p. 1], and in particular Article 14(9) thereof,

Whereas:

(1) Article 14(1) of Regulation (EU) 2018/1724 requires the Commission, in cooperation with Member States, to establish a technical system for the exchange of evidence as required for the online procedures listed in Annex II to that Regulation and the procedures provided for in Directives 2005/36/EC [Directive 2005/36/EC of the European Parliament and of the Council of 7 September 2005 on the recognition of professional qualifications (OJ L 255, 30.9.2005, p. 22)], 2006/123/EC [Directive 2006/123/EC of the European Parliament and of the Council of 12 December 2006 on services in the internal market (OJ L 376, 27.12.2006, p. 36)], 2014/24/EU [Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement and repealing Directive 2004/18/EC (OJ L 94, 28.3.2014, p. 65)] and 2014/25/EU [Directive 2014/25/EU of the European Parliament and of the Council of 26 February 2014 on procurement by entities operating in the water, energy, transport and postal services sectors and repealing Directive 2004/17/EC (OJ L 94, 28.3.2014, p. 243)]
of the European Parliament and of the Council.

(2) The technical and operational specifications of the "once-only" technical system (OOTS) contained in this Regulation should set out the main components of the architecture of the OOTS, define the technical and operational roles and obligations of the Commission, Member States, evidence requesters, evidence providers and intermediary platforms. Furthermore, these specifications should establish a log system in order to monitor the exchanges and delineate the responsibility for the maintenance, operation and security of the OOTS.

(3) In order to enable the establishment of the OOTS by the date set out in Regulation (EU) 2018/1724, it is envisaged to complement this Regulation by more detailed, non-binding technical design documents drawn up in a consensual manner by the Commission in cooperation with the Member States within the gateway coordination group and in accordance with the Commission’s Guidelines for the implementation of the single digital gateway Regulation 2021-2022 work programme. However, where deemed necessary in the light of new technical developments or discussions or differences of opinion within the gateway coordination group, notably on the finalisation of the technical design documents and major design choices, or when the need arises to make certain elements of the technical design documents binding, it will be possible to complement/amend the technical and operational specifications set out in this Regulation in accordance with the examination procedure referred to in Article 37(2) of Regulation (EU) 2018/1724.

(4) In order to reduce the costs of, and the time necessary for, establishing the OOTS, the architecture of the OOTS should, to the extent possible, rely on reusable solutions, be implementation technology neutral and accommodate different national solutions.
For example, the OOTS should be able to use the existing national, including central, regional and local level, procedure portals, data services or intermediary platforms, which have been created for national use. The components developed by the Commission should be released under an open software license that promotes reuse and collaboration.

(5) One such reusable solution developed at Union level is the system of eIDAS nodes laid down in Commission Implementing Regulation (EU) 2015/1501 [Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (OJ L 235, 9.9.2015, p. 1)], which, by enabling the communication with other nodes of the eIDAS network, can process the request for, and the provision of, cross-border authentication of a user. The eIDAS nodes should enable evidence requesters and, where relevant, evidence providers to identify users requesting evidence to be exchanged through the OOTS so that evidence providers can match the identification data to their existing records.

(6) The OOTS should build on the work already done and exploit synergies with other existing systems for the exchange of evidence or information among authorities relevant for the procedures referred to in Article 14(1) of Regulation (EU) 2018/1724, including systems not covered by Article 14(10) of that Regulation.
For example, as far as vehicle and driving license register data is concerned, the OOTS should take into account already developed data models and, where feasible, establish technical bridges to facilitate the connection of competent authorities already using other existing networks (RESPER [Driving licence network set up on the basis of Article 15 of Directive 2006/126/EC of the European Parliament and of the Council of 20 December 2006 on driving licences (OJ L 403, 30.12.2006, p. 18)] or EUCARIS [Treaty concerning a European Vehicle and Driving Licence Information System (EUCARIS), adopted in Luxembourg on 29 June 2000]) to the OOTS for the provision of evidence in the procedures covered by the OOTS. A similar approach should be taken in relation to other systems such as, but not limited to: the Emrex User Group (EUG) [Emrex User Group (EUG) is an independent, international network which unites various actors interested in enhancing student data portability; https://emrex.eu/] in the education domain, the Electronic Exchange of Social Security Information (EESSI) under Regulation (EC) No 987/2009 of the European Parliament and of the Council [Regulation (EC) No 987/2009 of the European Parliament and of the Council of 16 September 2009 laying down the procedure for implementing Regulation (EC) No 883/2004 on the coordination of social security systems (OJ L 284, 30.10.2009, p. 1)] in the social security area, the European Criminal Records Information System established by Council Decision 2009/316/JHA [Council Decision 2009/316/JHA of 6 April 2009 on the establishment of the European Criminal Records Information System (ECRIS) in application of Article 11 of Framework Decision 2009/315/JHA (OJ L 93, 7.4.2009, p. 33)] for the purpose of judicial cooperation and eCertis [https://ec.europa.eu/tools/ecertis/#/homePage] used in public procurement procedures.
The cooperation between these systems and the OOTS should be defined on a case-by-case basis.

(7) For the purpose of cross-border authentication of a user, the architecture of the OOTS should be aligned with Regulation (EU) No 910/2014 of the European Parliament and of the Council [Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73)]. On 3 June 2021, the Commission adopted a Recommendation on a common Union Toolbox for a coordinated approach towards a European Digital Identity Framework [A trusted and secure European e-ID - Recommendation | Shaping Europe’s digital future (europa.eu)]. This Recommendation sets up a structured process for cooperation between Member States, the Commission and, where relevant, private sector operators to work on the technical aspects of the European Digital Identity Framework. In order to ensure the necessary alignment between that process and the OOTS, the Commission should ensure appropriate coordination, in particular through the Synergies and Interoperability Contact Group, between the Cooperation Network established by Commission Implementing Decision (EU) 2015/296 [Commission Implementing Decision (EU) 2015/296 of 24 February 2015 establishing procedural arrangements for cooperation between Member States on electronic identification pursuant to Article 12(7) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (OJ L 53, 25.2.2015, p. 14)]
and the gateway coordination group.

(8) To ensure the security of the cross-border electronic delivery services for the purposes of the OOTS, Member States should ensure that such services comply with the requirements for electronic registered delivery services, laid down in Article 44 of Regulation (EU) No 910/2014. To that effect, it is appropriate that the OOTS uses eDelivery Access Points to create a network of nodes for secure digital data exchange. In addition to enabling secure cross-border delivery, eDelivery provides metadata service functionalities that may support future versions of the OOTS with larger numbers of secure data exchange nodes. Within that framework, Member States should be able to choose the providers of their eDelivery software.

(9) To ensure flexibility in the application of this Regulation, Member States should be able to decide to have either one or several eDelivery Access Points, as part of the OOTS. A Member State should therefore be able to deploy a single Access Point managing all OOTS-related eDelivery messaging to the evidence requesters or evidence providers through an intermediary platform, where applicable, or, alternatively, to deploy multiple Access Points at any hierarchical level or for specific domains or sectors or geographic levels of its public administrations.

(10) According to Union law, including Directives 2005/36/EC, 2006/123/EC, 2014/24/EU, 2014/25/EU and Regulation (EU) 2018/1724, certain administrative procedures are to be made available to users online.
As those procedures and the evidence required are not harmonised under Union law, common services should be established to enable the cross-border exchange of evidence required for these procedures through the OOTS.

(11) Where there is no agreed evidence type that is harmonised across the Union and that all Member States can provide, an evidence broker should help determine which evidence types can be accepted for a particular procedure.

(12) The evidence broker should be based on rule content provided by Member States and should provide an on-line mechanism for Member States to query their information requirements and evidence type sets. The evidence broker should allow Member States to manage and share information about rules relating to types of evidence.

(13) In cases where interoperability is needed between the procedure portal and the data services and the common services, this should be supported by technical design documents.

(14) This Regulation should specify when structured and unstructured pieces of evidence that are required for the procedures listed in Article 14(1) of Regulation (EU) 2018/1724 are considered as lawfully issued in electronic format that allows automatic exchange. Unstructured pieces of evidence issued in an electronic format can be exchanged through the OOTS if they are supplemented by the metadata elements of the OOTS generic metadata model contained in the semantic repository referred to in Article 7(1) of this Regulation.
Structured pieces of evidence can be exchanged through the OOTS if they are supplemented by the metadata elements of the OOTS generic metadata model referred to in Article 7(1) of this Regulation and are either in compliance with the OOTS data model for the relevant evidence type as referred to in Article 7(2) of this Regulation or accompanied by a human-readable version.

(15) Member States should be free to determine when they convert pieces of evidence to an electronic format that allows their automated exchange through the OOTS. However, in order to enhance the usefulness of the OOTS for its users and since the use of data models and metadata schemata for both unstructured and structured formats is generally highly recommended, the Commission should support Member States in their efforts to work towards this goal.

(16) In order to avoid duplication, ensure synergies and provide user choice, the development of OOTS data models for structured evidence types and the standardisation of use cases for the provision of credentials in accordance with the structured process foreseen by Commission Recommendation (EU) 2021/946 of 3 June 2021 on a common Union Toolbox for a coordinated approach towards a European Digital Identity Framework [OJ L 210, 14.6.2021, p. 51] should be done in close cooperation and alignment with each other as far as evidence covered by Article 14 of Regulation (EU) 2018/1724 is concerned, including by identifying common use cases. The alignment of the OOTS data models and the standardised use cases under the aforementioned Commission Recommendation should allow users to rely on alternative means for the provision of evidence covered by Article 14 of Regulation (EU) 2018/1724 either independently of or in combination with the OOTS.
When changes are made to the data models and metadata schemata for pieces of evidence contained in the semantic repository, Member States should be given 12 months from the adoption of any update to apply any changes to the pieces of evidence concerned.

(17) To minimise the amount of data exchanged, in the case of structured evidence, if only a subset of data is requested in the evidence request, the evidence provider or an intermediary platform, where applicable, could enable automated filtering of the data and, where necessary to the transfer, transformation of the data on behalf of the responsible data controller so that only the requested data are exchanged.

(18) Where Member States manage national registries and services that play the same or an equivalent role as the data service directory or the evidence broker, they should not be required to duplicate their work by contributing to the relevant common services. However, in such a case they should ensure that their national services are connected to the common services in such a way that they can be used by other Member States. Alternatively, those Member States should be able to copy the relevant data from the national registries or services to the data service directory or evidence broker.

(19) In the 2017 Tallinn Declaration on eGovernment [Signed on 6 October 2017, https://digital-strategy.ec.europa.eu/en/news/ministerial-declaration-egovernment-tallinn-declaration], Member States reaffirmed their commitment to progress in linking up their public eServices and implement the once-only principle in order to provide efficient and secure digital public services that will make citizens and businesses lives easier.
The 2020 Berlin Declaration on Digital Society and Value-Based Digital Government [Signed on 8 December 2020; https://digital-strategy.ec.europa.eu/en/news/berlin-declaration-digital-society-and-value-based-digital-government], built on the principles of user centricity and user-friendliness, and set out further key principles on which digital public services should be based, including trust and security in digital government interactions and digital sovereignty and interoperability. This Regulation should implement those commitments by putting users at the centre of the system and requiring that users should be informed about the OOTS, its steps and the consequences of using the system.

(20) It is important that an appropriate system is in place to allow users to identify themselves for the purposes of the exchange of evidence. The only mutual recognition framework for national electronic identification means at Union level is set out in Regulation (EU) No 910/2014. Electronic identification means issued under electronic identification schemes notified in accordance with that Regulation should therefore be used by evidence requesters to authenticate the identity of a user before the user explicitly requests the use of the OOTS. Where the identification of the relevant evidence provider requires the provision of attributes beyond the mandatory attributes of the minimum data set listed in the Annex to Implementing Regulation (EU) 2015/1501, such additional attributes should also be requested from the user by the evidence requester and provided to the evidence provider or intermediary platform, where applicable, as part of the evidence request.

(21) Some of the procedures listed in Article 14(1) of Regulation (EU) 2018/1724 require that evidence can be requested on behalf of a legal or natural person.
For example, certain procedures are relevant for businesses and entrepreneurs should therefore be able to request the exchange of evidence either on their own behalf or through a representative. Regulation (EU) No 910/2014 provides a trusted legal framework for electronic identification means issued for legal persons or for natural persons representing legal persons. The mutual recognition of national electronic identification means under that Regulation applies to these cases of representation. This Regulation should therefore rely on Regulation (EU) No 910/2014, and any implementing acts adopted on its basis, for the identification of users in cases of representation. The gateway coordination group and its subgroups should cooperate closely with the governance structures established under Regulation (EU) No 910/2014 to help develop solutions for powers of representation and mandates. Given the reliance of some of the procedures covered by the OOTS on the framework created by Regulation (EU) No 910/2014, pieces of evidence requested by representatives should also be able to be processed through the OOTS when and to the extent to which these solutions will have been found.

(22) In order to reduce the time and cost to implement the OOTS, and to benefit from each other’s implementation experience, the Commission should support Member States and foster collaboration between them on the development of reusable technical solutions and components that can be used to implement national procedure portals, preview spaces and data services.

(23) In order to guarantee that users retain control over their personal data at all times while using the OOTS as provided for in Regulation (EU) 2018/1724, the OOTS should allow users to express their decision in relation to these data in two instances.
First, it should be ensured that users receive sufficient information to enable them to make an informed and explicit request to process their request for evidence through the OOTS in accordance with Article 14(3), point (a), and Article 14(4), of Regulation (EU) 2018/1724. It should then ensure that they can view the evidence to be exchanged in a secure preview space before deciding whether or not to proceed with the exchange of evidence in accordance with Article 14(3), point (f), of Regulation (EU) 2018/1724, except in the cases referred to in Article 14(5) of that Regulation.

(24) Responsibility for the establishment of the OOTS is shared between Member States and the Commission and the gateway coordination group should therefore play a central role in the governance of the system. In view of the technical nature of its work and in order to facilitate implementation in existing national systems of technical design documents, the work of the gateway coordination group should be supported and prepared by experts coming together in one or several sub-groups created in accordance with its rules of procedure. The functioning of this OOTS governance should be assessed in the report that the Commission is required to submit to the European Parliament and to the Council by 12 December 2022 pursuant to Article 36 of Regulation (EU) 2018/1724.

(25) To ensure a quick reaction to any possible incidents and downtimes which may affect the functioning of the OOTS, the Member States and the Commission should establish a network of technical support contact points. In order to ensure the proper functioning of the OOTS, those technical support contact points should have the powers and sufficient human and financial resources to enable them to carry out their tasks.

(26) To ensure an efficient functioning and maintenance of the OOTS, the responsibilities for its different components should be clearly distributed.
The Commission, as the owner and operator of the common services, should be responsible for their maintenance, hosting and security. Each Member State should be responsible for ensuring maintenance and the security of those components of the OOTS that they own and for which they are responsible, such as eIDAS nodes, eDelivery Access Points or national registries, in accordance with the relevant Union and national law.

(27) In order to ensure appropriate protection of personal data, as required by Regulation (EU) 2016/679 of the European Parliament and of the Council [Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1)], this Regulation should specify the role of Member States, in particular that of the respective competent authorities in their capacity as evidence requester or evidence provider, and of the intermediary platforms, where applicable, in relation to the personal data contained in the evidence that is exchanged through the OOTS.

(28) To ensure that the common services are protected against potential threats that harm the confidentiality, integrity or availability of the Commission’s communication and information systems Commission Decision (EU, Euratom) 2017/46 [Commission Decision (EU, Euratom) 2017/46 of 10 January 2017 on the security of communication and information systems in the European Commission (OJ L 6, 11.1.2017, p. 40)] should apply to these services.

(29) Article 14(1) to (8) and (10) of Regulation (EU) 2018/1724 apply from 12 December 2023.
Therefore, the requirements laid down in this Regulation should also apply from that date.

(30) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council [Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39)] and delivered Formal Comments on 6 May 2021 [https://edps.europa.eu/data-protection/our-work/publications/formal-comments/draft-commission-implementing-regulation-4_en].

(31) The measures provided for in this Regulation are in accordance with the opinion of the Single Digital Gateway Committee,

HAS ADOPTED THIS REGULATION: