Eurlexa

English
- Sign in
- Register

Commission Implementing Regulation (EU) 2024/3084 of 4 December 2024 on the functioning of the information system pursuant to Regulation (EU) 2023/1115 of the European Parliament and of the Council on the making available on the Union market and the export from the Union of certain commodities and products associated with deforestation and forest degradation

Commission Implementing Regulation (EU) 2024/3084of 4 December 2024on the functioning of the information system pursuant to Regulation (EU) 2023/1115 of the European Parliament and of the Council on the making available on the Union market and the export from the Union of certain commodities and products associated with deforestation and forest degradation THE EUROPEAN COMMISSION,Having regard to the Treaty on the Functioning of the European Union,Having regard to Regulation (EU) 2023/1115 of the European Parliament and of the Council of 31 May 2023 on the making available on the Union market and the export from the Union of certain commodities and products associated with deforestation and forest degradation and repealing Regulation (EU) No 995/2010OJ L 150, 9.6.2023, p. 206, ELI: http://data.europa.eu/eli/reg/2023/1115/oj., and in particular Article 33 thereof,Whereas:(1)Regulation (EU) 2023/1115 lays down rules to minimise the Union’s contribution to deforestation and forest degradation. It does this by imposing due diligence obligations on operators and traders placing on, making available on, or exporting from the Union market certain commodities and products. Where reference is made to operators in this Regulation, it should be understood as referring also to non-SME traders making relevant products available on the market if the provisions in this Regulation are generally applicable to them in accordance with their obligations under Regulation (EU) 2023/1115, specifically Article 5(1) thereof.(2)Operators formally take responsibility for the compliance of the relevant products that they intend to place on the market or export by making available due diligence statements ("Due Diligence Statements").(3)It is necessary to develop an Information System and provide access to it to operators and traders, and if applicable, their authorised representatives, competent authorities, and customs authorities, to implement their respective obligations laid down in Regulation (EU) 2023/1115. The Information System should facilitate the transfer of information between Member States competent authorities, and customs authorities.(4)The Information System should be a software application based on the TRACES platform established by Regulation (EU) 2017/625 of the European Parliament and of the CouncilRegulation (EU) 2017/625 of the European Parliament and of the Council of 15 March 2017 on official controls and other official activities performed to ensure the application of food and feed law, rules on animal health and welfare, plant health and plant protection products, amending Regulations (EC) No 999/2001, (EC) No 396/2005, (EC) No 1069/2009, (EC) No 1107/2009, (EU) No 1151/2012, (EU) No 652/2014, (EU) 2016/429 and (EU) 2016/2031 of the European Parliament and of the Council, Council Regulations (EC) No 1/2005 and (EC) No 1099/2009 and Council Directives 98/58/EC, 1999/74/EC, 2007/43/EC, 2008/119/EC and 2008/120/EC, and repealing Regulations (EC) No 854/2004 and (EC) No 882/2004 of the European Parliament and of the Council, Council Directives 89/608/EEC, 89/662/EEC, 90/425/EEC, 91/496/EEC, 96/23/EC, 96/93/EC and 97/78/EC and Council Decision 92/438/EEC (Official Controls Regulation) (OJ L 95, 7.4.2017, p. 1, ELI: http://data.europa.eu/eli/reg/2017/625/oj)., to be developed and maintained by the Commission.(5)Therefore, it is necessary to set out the practical and operational arrangements of the functioning of the Information System to facilitate effective and harmonised implementation and enforcement of Regulation (EU) 2023/1115.(6)In order to overcome language barriers, the Information System should be available in all official languages of the Union. To that end, the Commission should translate the user interface of the Information System to all official languages of the Union.(7)In order to fulfil their obligations and tasks under Regulation (EU) 2023/1115, operators, traders, competent authorities, customs authorities, and the Commission may need to exchange information which may include personal data. Any such exchange of information should comply with the rules on the protection of personal data laid down in Regulations (EU) 2016/679Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj). and (EU) 2018/1725Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj). of the European Parliament and of the Council. Accordingly, the exchange of personal data necessary to comply with the obligations and to fulfil the tasks laid down in Regulation (EU) 2023/1115 falls within the scope of the lawful processing of data pursuant to Article 5(1), point (a) of Regulation (EU) 2018/1725, and Article 6(1), point (e) of Regulation (EU) 2016/679.(8)The Information System should be used to support the operators, traders and the competent authorities in presenting and accessing the necessary information on relevant products placed or made available on the market or exported. Personal data which may be exchanged via the Information System should only be processed for the purpose of fulfilling obligations and tasks under Regulation (EU) 2023/1115. Where personal data is processed in the operation of the Information System for the purpose to fulfil obligations and tasks under Regulation (EU) 2023/1115, operators and traders, and if applicable, their authorised representatives, competent authorities, and customs authorities should be controllers within the meaning of Regulation (EU) 2016/679 and the Commission should be a controller within the meaning of Regulation (EU) 2018/1725 for the processing activities they carry out. The competent authorities and customs authorities should be joint controllers within the meaning of Regulation (EU) 2016/679 for the processing activities when they carry out tasks in cooperation pursuant to Article 21 of Regulation (EU) 2023/1115.(9)The processing, transmission, storage, and other processing of personal data of natural persons should take place in the Information System, for the purpose of fulfilling obligations and tasks under Regulation (EU) 2023/1115.(10)The Information system should process personal data insofar as strictly necessary for the purpose of fulfilling obligations under Regulation (EU) 2023/1115. The Information System should only process the categories of personal data listed in Article 12(2) of this Implementing Regulation.(11)The Information System should not store the personal data submitted by the Information System users in a form which permits identification of data subjects longer than strictly necessary for the purposes for which the personal data are processed. This period should be 10 years from the date the Due Diligence Statement is submitted through the information system, taking into account manufacturing processes over a long period of time to allow operators and traders, and if applicable, their authorised representatives, to reference existing Due Diligence Statements pursuant to Article 33(2)(c) of Regulation (EU) 2023/1115 and fulfil their obligations to ascertain that due diligence relating to the relevant products contained in or made from the relevant products was exercised pursuant to Article 4(9) of Regulation (EU) 2023/1115. A longer storage and processing of personal data should be possible where necessary to fulfil the individual responsibilities and obligations of Information System actors set out in Regulation (EU) 2023/1115.(12)The Commission should provide access to the wider public to the datasets of the Information System in a completely anonymised and machine-readable open format in line with the Union’s Open Data Policy, which shall be established in form of properly aggregated and anonymised datasets which should be accessible on the Commission’s website.(13)Following the protection-by-design and by-default principles, the Information System should be developed and designed with due respect to the requirements of data protection legislation, in particular due to restrictions imposed on access to personal data exchanged in the Information System. Therefore, the Information System should offer a considerably higher level of protection and security than other methods of information exchange, such as telephone, regular mail, or electronic mail.(14)The Commission should supply and manage the software and IT infrastructure of the Information System, ensure its reliability, security, availability, maintenance and operation, and be involved in the training of and technical assistance to Information System actors and users. The Information System should allow for an effective data exchange with relevant systems and data sources of Commission Services.(15)Member States should be able to adapt their functions and responsibilities in relation to the Information System to reflect their internal administrative structures, and to implement in the Information System a specific type of work or order of stages in a given work process while respecting their obligations arising from Chapter 3 of Regulation (EU) 2023/1115.(16)To facilitate the effective implementation of Regulation (EU) 2023/1115 the competent authorities should be able to perform actions within the Information System to ensure compliance with that Regulation, including risk profiling for the plan of checks referred to in Article 16(5) of Regulation (EU) 2023/1115, results of checks on operators and traders, suspending the issuance of reference numbers assigned to the Due Diligence Statements, and in case of non-rectifiable and non-compliance to reject the concerned Due Diligence Statements. Pursuant to Article 16(1) of Regulation (EU) 2023/1115 which foresees that competent authorities carry out checks within their territory, competent authorities should be able to act on the Due Diligence Statements for which information is provided in the Information System by Information System users regarding the Member State where a product enters or leaves or is made available on the Union market. In the absence of such information, competent authorities should be able to act on the Due Diligence Statements of the Information System users established in or associated with their Member State.(17)Information received by the competent authority, customs authority, the Commission, or any other authority that has been granted access to the information through the Information System from another competent authority, customs authority, the Commission or another such authority should not be deprived of its value as evidence in criminal, civil or administrative proceedings in accordance with relevant Union and national law solely on the ground that it originated in another Member State, or was received by electronic means. Such information should be treated by relevant Information System users in the same way as similar documents originating in its Member State.(18)It should be possible to process the name and contact details of Information System users where necessary to fulfil the objectives and obligations of Regulation (EU) 2023/1115 and of this Regulation, including monitoring the use of the Information System by Information System administrators and Information System users, communication, training and awareness-raising initiatives, and gathering information in connection with the scope of Regulation (EU) 2023/1115, or mutual assistance under that Regulation.(19)In order to ensure the effective monitoring of, and reporting on, the functioning of the Information System, the competent authorities, customs authorities, or other authorities that have been granted access to the Information System should make relevant information available to the Commission where such information is necessary for the Commission to fulfil its obligations under Regulation (EU) 2023/1115 and under this Regulation.(20)Data subjects should be informed about the processing of their personal data in the Information System and the rights they benefit from in accordance with Regulation (EU) 2016/679 and Regulation (EU) 2018/1725, in particular the right of access to data relating to them, and the right to have inaccurate data corrected and illegally processed data erased.(21)Each Information System user, as controller with respect to the data processing activities that it performs in connection within the scope of Regulation (EU) 2023/1115 should ensure that data subjects can exercise their rights in accordance with Regulation (EU) 2016/679 and Regulation (EU) 2018/1725. This should include establishing a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.(22)The implementation of this Regulation and the performance of the Information System should be monitored in the report on the functioning of the Information System based on statistical data from the Information System and any other relevant data. The Commission should submit the report to the European Parliament, the Council and the European Data Protection Supervisor. The report should also address aspects relating to the protection of personal data in Information System, including data security.(23)The European Data Protection Supervisor has been consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725, and delivered an opinion on 5 November 2024.(24)The measures provided for in this Regulation are in accordance with the opinion of the European Union (EU) Deforestation-free Regulation CommitteeHAS ADOPTED THIS REGULATION:

CHAPTER IGENERAL PROVISIONS

Article 1Subject matterThis Regulation lays down the rules for the functioning of the Information System, including rules for the protection of personal data and exchange of data with other IT systems.

Article 2Deployment and Use of the Information System1.The Commission shall:(a)develop the Information System as an independent module of TRACES platform;(b)ensure the functioning, maintenance, support and any necessary update or development of the Information System.2.The Information System shall be used by operators and traders, and if applicable, their authorised representatives, for submitting and managing Due Diligence Statements and verifying the validity of reference numbers, and by competent authorities, customs authorities and the Commission for accessing and acting on Due Diligence Statements, including the exchange of information containing personal data between competent authorities, customs authorities and the Commission in relation to implementation and enforcement of Regulation (EU) 2023/1115. Any such exchange of information shall comply with the rules on the protection of personal data laid down in Regulations (EU) 2016/679 and (EU) 2018/1725.3.The Due Diligence Statements are attributed in the Information System to the competent authorities in the following order:(a)if the Information System user provides information indicating the Member State where the relevant product enters or leaves the Union market, or in the absence of that, where the relevant product is placed or made available on the market, the Due Diligence Statements shall be attributed to the competent authorities of that Member State;(b)in the absence of the information required by subparagraph a), the Due Diligence Statements shall be attributed to the competent authorities of the Member State in which the Information System user is established. In case the Information System user is established outside the Union, then the Due Diligence Statements shall be attributed to the competent authorities of the Member State with which the Information System user is associated according to their identifier provided upon registration in the Information System.

Article 3DefinitionsFor the purposes of this Regulation, in addition to the definitions set out in Article 2 of Regulation (EU) 2023/1115, Article 4 of Regulation (EU) 2016/679, and Article 3 of Regulation (EU) 2018/1725, the following definitions shall apply:(a)"Information System" means the information system established and maintained by the Commission pursuant to Article 33 of Regulation (EU) 2023/1115;(b)"Information System actor" means the competent authorities and customs authorities pursuant to Regulation (EU) 2023/1115, and the Commission, to carry out the tasks conferred on them in accordance with Regulation (EU) 2023/1115;(c)"Information System user" means operators and traders, and their authorised representatives, where applicable, pursuant to Regulation (EU) 2023/1115 which are identified by individual registration within EU Login, the user authentication service of the European Commission;(d)"Due Diligence Statement" means Due Diligence Statement submitted by the Information System user pursuant to Regulation (EU) 2023/1115;(e)"Reference number" means the reference number assigned by the Information System to the Due Diligence Statement submitted by the Information System user pursuant to Regulation (EU) 2023/1115;(f)"Verification number" means a security number assigned by the Information System to the Due Diligence Statement submitted by the Information System user to ensure additional security of data contained in the Due Diligence Statement;(g)"Risk profiling" means the identification of the risks of non-compliance of a relevant product within the scope of Regulation (EU) 2023/1115 within the Information System, based on risk criteria, for the purpose of assigning to each Due Diligence Statement submitted in the Information System, including after any amendment thereof, a risk status reflecting these risks.

CHAPTER IIFUNCTIONING OF THE INFORMATION SYSTEM

Article 4Submission of the Due Diligence Statements1.Except where the Due Diligence Statement is made available through the electronic interface referred to in Article 28(2) of Regulation (EU) 2023/1115, the Information System users shall submit and manage the Due Diligence Statements of relevant products in the Information System.2.Where a relevant product contains or has been made using wood, Information System users shall enter in the Due Diligence Statement the common names and full scientific names of the wood species which the relevant products contain or have been made with.

Article 5Amendment and withdrawal of Due Diligence Statements1.The Information System shall enable Information System users to amend or withdraw Due Diligence Statements within 72 hours after the reference number for the Due Diligence Statement was made available in the Information System.2.Due Diligence Statements cannot be amended or withdrawn within the duration set out in paragraph 1 after the Due Diligence Statement was used as a reference in a Due Diligence Statement submitted by the same or another Information System user.3.The Due Diligence Statement shall not be amended or withdrawn by an Information System user after:(a)the Information System user was notified about the intention to carry out a check on the Due Diligence Statement or on the relevant product associated with the Due Diligence Statement, for the period of the check;(b)the relevant product was placed on or made available on the Union market pursuant to Regulation (EU) 2023/1115;(c)the reference number of the Due Diligence Statement was provided or made available to customs authorities before the release for free circulation or export of a relevant product entering or leaving the market as part of the procedures laid down in Chapter 4 of Regulation (EU) 2023/1115.4.Without prejudice to paragraphs 2 and 3, upon individual and reasoned request of an Information System user, the competent authorities may extend the period referred to in paragraph 1 only when such period referred to in paragraph 1 has expired. Such extension shall not be longer than 8 calendar days. The request shall be based on reasons beyond the control of the Information System user, who shall, as part of their reasoned request, state that paragraph 3 of this Article is not applicable. Such extension shall also be possible retroactively after the period referred to in paragraph 1 has passed.5.The amended Due Diligence Statement shall be subject to risk profiling as set out in Article 6. The risk profiling shall apply to the whole amended Due Diligence Statement.

Article 6Risk profiling1.The Information System shall enable competent authorities to identify situations within the Information System where relevant products present such a high risk of non-compliance that they require immediate action before those relevant products are placed or made available on the market or exported, pursuant to Article 17 of Regulation (EU) 2023/1115, and to inform the competent authorities to identify the checks to be carried out and fulfil tasks conferred on them pursuant to Chapter 3 of Regulation (EU) 2023/1115.2.For the purposes of paragraph 1, the Information System shall enable competent authorities to set up risk profiles in the Information System to support informed decision for selecting operators or traders or relevant products associated to the Due Diligence Statements on which to carry out checks. These risk profiles shall be based, inter alia, on the risk criteria set out in their annual plan of checks pursuant to Article 16(5) of Regulation (EU) 2023/1115, which is established in accordance with their risk-based approach pursuant to Article 16(3) of Regulation (EU) 2023/1115.3.Upon its submission in the Information System, each Due Diligence Statement shall be subjected to an automated electronic risk profiling and the Information System shall assign a risk status to each Due Diligence Statement.4.At any stage after submission of a Due Diligence Statement, competent authorities may review a Due Diligence Statement to determine whether a relevant product complies with Article 3 of Regulation (EU) 2023/1115. In such case, they may assign to the Due Diligence Statement a new risk status as a result of the review. If the competent authority assigns a new risk status to a Due Diligence Statement, such new risk status takes precedence over a risk status assigned pursuant to paragraph 3 of this Article.

Article 7Assigning and making available reference numbers1.The Information System shall, without undue delay, assign a reference number and verification number to the Due Diligence Statement submitted by the Information System user after concluding the risk profiling referred to in Article 6.2.The reference number and verification number shall be made available to the Information System user upon concluding the risk profiling referred to in Article 6.3.The Information System shall enable competent authorities to delay the making available of the reference number to establish whether the relevant products comply with Article 3 of Regulation (EU) 2023/1115 and, in particular, to verify that the identified situation referred to in Article 6(1) of this Regulation is not applicable to that relevant product. Such delay shall be as short as possible and shall not exceed the period set out in Article 17(3) of Regulation (EU) 2023/1115. It may be further extended at the discretion of the competent authority.

Article 8Rejecting Due Diligence statements1.In order to prevent a relevant product not complying with Regulation (EU) 2023/1115 from being placed or made available on the market or exported pursuant to Article 17 of Regulation (EU) 2023/1115, the competent authorities may reject a Due Diligence Statement, unless the reference number of a Due Diligence Statement has already become available to the Information System user.2.The relevant product declared in a rejected Due Diligence Statement shall be deemed not covered by a Due Diligence Statement as required in Article 3, point (c) of Regulation (EU) 2023/1115.3.The rejection shall be reflected in the Information System by the assignment of a specific status to the concerned Due Diligence Statement.

CHAPTER IIIFUNCTIONS AND RESPONSIBILITIES IN RELATION TO THE INFORMATION SYSTEM

Article 9Functions and responsibilities of the CommissionIn addition to the tasks listed in Article 2(1), the Commission shall be responsible for carrying out the following tasks in relation to the Information System:(a)providing knowledge, training, and support, including technical assistance, to Information System users and Information System actors in relation to the use of the Information System;(b)granting access to Information System actors designated by each Member State;(c)granting access to Information System users, who are under the supervision of the competent authorities;(d)processing personal data in the Information System, where required in this Regulation, or for the implementation and enforcement under Regulation (EU) 2023/1115;(e)providing webservices for Information System users to submit and manage Due Diligence Statements in the Information System in an automated manner;(f)providing webservices for Member States competent authorities to perform tasks on submitted Due Diligence Statements in the Information System in an automated manner.(g)providing the electronic interface pursuant to Article 28 of Regulation (EU) 2023/1115;(h)suspending and revoking access of Information System users upon request of the competent authorities of the Member State in which the Information System user is established, or, in case the user is established outside the Union, the competent authorities of the Member State with which the Information System user is associated according to its identifier provided upon registration in the Information system.

Article 10Access rights of Information System users1.Only registered Information System users shall have access to the Information System.2.Authentication to the Information System shall take place via EU Login, the European Commission Authentication Service.3.Information System users shall have access to the information in the Information System which they have submitted, or to which they have been given access by another Information System user through reference numbers and verification numbers of associated Due Diligence Statements.

Article 11Access rights of Information System actors1.The Commission shall have access to all data, information and documents in the Information System for the purpose of producing reports and for the development, functioning and maintenance of the system.2.The Commission shall grant and may revoke access rights to the Information System actors in case of change in competencies pursuant to Article 14(2) of Regulation (EU) 2023/1115.3.Authentication to the Information System shall take place via EU Login, the European Commission Authentication Service.4.Information System actors shall put in place appropriate means to ensure that individual users representing Information System actors in the Information System are allowed to access personal data processed in the Information system only where strictly necessary for the implementation and enforcement under Regulation (EU) 2023/1115.5.Information System actors shall have access to all relevant information in the Information System which is necessary for the purpose of fulfilling their obligations and tasks under Regulation (EU) 2023/1115.

CHAPTER IVPROCESSING OF PERSONAL DATA AND SECURITY

Article 12Processing of personal data in the Information System1.The transmission, storage and other processing of personal data in the Information System may take place only as necessary and proportionate and only for the following purposes:(a)supporting communications between Information System actors in connection with the implementation and enforcement under Regulation (EU) 2023/1115;(b)case-handling by Information System actors when carrying out their own activities in connection with the implementation and enforcement under Regulation (EU) 2023/1115;(c)performing the business and technical transformations of data listed in this Regulation, where this is necessary to enable the exchange and use of information referred to in points (a) and (b).2.The processing of personal data may take place in the Information System only in respect of the following categories of personal data:(a)identification data: first name and surname, unique identifier including the Economic Operators Registration and Identification number ("EORI"), in accordance with Article 9 of Regulation (EU) No 952/2013 of the European Parliament and of the CouncilRegulation (EU) No 952/2013 of the European Parliament and of the Council of 9 October 2013 laying down the Union Customs Code (OJ L 269, 10.10.2013, p. 1, ELI: http://data.europa.eu/eli/reg/2013/952/oj)., if applicable;(b)professional contact details: email and postal address, country of residence or country of registered office, phone number and fax number, if applicable;(c)role of the Information System user;(d)data on geolocation pursuant to Article 2(28) of Regulation (EU) 2023/1115, where natural persons can be identified;(e)user authentication and access data to access the Information System: IP address and user name.3.The Information System shall store the categories of personal data listed in paragraph 2 which has been processed for the implementation and enforcement under Regulation (EU) 2023/1115.4.The storage of data referred to in paragraph 2 shall be performed using information technology infrastructure located in the European Economic Area.5.The Information System shall store the personal data contained in Due Diligence Statements not longer than 10 years from the date when the Due Diligence Statement is submitted in the Information System. The storage period may be further extended by the Commission upon individual request of Information System users or Information System actors where it is necessary to comply with their responsibilities and obligations under Regulation (EU) 2023/1115.6.Without prejudice to the data processing activities set out in Article 14, each Information System actor shall be a separate controller within the meaning of Regulations (EU) 2016/679 and (EU) 2018/1725 with respect to the data processing activities which the Information System actor performs.7.The national Supervisory Authorities and the European Data Protection Supervisor, each acting within the scope of their respective competence, shall ensure coordinated supervision of the Information System and its use by Information System actors and Information System users in accordance with Article 62 of Regulation (EU) 2018/1725.

Article 13Processing of personal data by the Commission1.The Commission shall be a controller within the meaning of Article 3, point (8), of Regulation (EU) 2018/1725 with respect to the processing of personal data of the Information System users, including the processing of personal data when registering Information System users in the Information System.2.Where the Commission processes personal data in the operation of the Information System on behalf of other Information System actors for the purpose of exchanging information under Article 27 of Regulation (EU) 2023/1115, it shall be considered a processor within the meaning of Article 3, point (12), of Regulation (EU) 2018/1725.3.The Commission shall be a processor within the meaning of Article 3, point (12), of Regulation (EU) 2018/1725 for the processing of personal data carried out for joint investigations pursuant to Article 21 of Regulation (EU) 2023/1115 carried out in the context of the implementation and enforcement under Regulation (EU) 2023/1115.

Article 14Joint controllership in the Information SystemWhen competent authorities and customs authorities pursuant to Regulation (EU) 2023/1115 carry out implementation and enforcement in cooperation pursuant to Article 21 of Regulation (EU) 2023/1115, the concerned competent authorities and customs authorities shall be joint controllers, within the meaning of Article 26(1) of Regulation (EU) 2016/679, for the transmission, storage, and other processing of personal data in the Information System in the context of such particular cooperation. Where required according to Article 26(1) of Regulation (EU) 2016/679, the controllers shall determine their respective responsibilities for compliance with the obligations under Regulation (EU) 2016/679 by means of an arrangement between them.

Article 15Security1.The Commission shall put in place the necessary, state-of-the-art measures to ensure security of personal data processed in the Information System, including appropriate data access control and a security plan, which shall be kept up-to-date.2.The Commission shall put in place the necessary, state-of-the-art measures in the event of a security incident, take remedial action, and ensure that it shall be possible to verify what personal data have been processed in the Information System, when, by whom, and for what purpose.3.The Commission shall inform the competent authorities about the measures regarding paragraph 1 and 2 of this Article.

Article 16Confidentiality1.Each Member State and the Commission shall apply their own rules on professional secrecy or other equivalent duties of confidentiality in relation to the Information System in accordance with national or Union law.2.Each Information System actor shall ensure that demands from other Information System actors for confidential treatment of information exchanged in the Information System are complied with by individuals working under their authority.

CHAPTER VFINAL PROVISIONS

Article 17Translation1.The Commission shall make the Information System available in all official languages of the Union.2.An Information System actor may produce and use, in relation to the performance of any of the tasks conferred on it in accordance with Regulation (EU) 2023/1115, any information, document, finding, statement, or certified true copy which it has received in the Information System, on the same basis as similar information obtained in its own country, for purposes compatible with those for which the data were originally collected and in accordance with relevant Union and national law.

Article 18Costs1.The costs incurred for the set-up, maintenance and operation of the Information System shall be borne by the Commission.2.The costs associated to the Information System at Member State level, including the human resources needed for training, promotion, technical assistance activities, as well as for the use of the Information System at national level and any adaptations required to national networks and information systems shall be borne by the Member State which incurs them.

Article 19Entry into forceThis Regulation shall enter into force on the third day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.Done at Brussels, 4 December 2024.For the CommissionThe PresidentUrsula von der Leyen