Under the applicable rules, European Union (EU) Member States, the EU Agency for Law Enforcement Cooperation (Europol), the EU Agency for Criminal Justice Cooperation (Eurojust) and the European Border and Coast Guard Agency (Frontex) are obliged to notify the European Commission, the European Union Agency for the Operational Management of Large-Scale IT Systems in the Area of Freedom, Security and Justice (eu-LISA), the competent Supervisory Authority and the European Data Protection Supervisor (EDPS), without delay, whenever they detect a security incident affecting, or having affected, one of the Large-Scale IT Systems (LSITs) under their responsibility.
The concerned Large Scale IT Systems are:
- the Schengen Information System (SIS),
- the European Asylum Dactyloscopy database (Eurodac),
- the Entry/Exit System (EES),
- the European Travel Information and Authorisation System (ETIAS), and
- the interoperability components.
eu-LISA also has the obligation to notify the European Commission and the EDPS without delay of any security incident concerning the corresponding central system.
System | Legal provisions | eu-LISA obligation to notify EDPS | Member States / other EU institutions, bodies and agencies obligation to notify EDPS
--- | --- | --- | ---
SIS | Article 45 of Regulation (EU) 2018/1861; Article 60 of Regulation (EU) 2018/1862 | YES | YES (Member States, Europol, Frontex)
Eurodac | Article 34 of Regulation (EU) 603/2013 | YES | NO
ETIAS | Article 60 of Regulation (EU) 2018/1240 | YES | YES (Member States, Europol)
EES | Article 44 of Regulation (EU) 2017/2226 | YES | YES (Member States)
Interoperability components | Article 43 of Regulation (EU) 2019/817; Article 43 of Regulation (EU) 2019/818 | YES | YES (Member States, Europol, Frontex)

Table 1 - Legal requirements for notification to the EDPS of security incidents concerning LSITs in the Area of Freedom, Security and Justice (AFSJ)
A security incident is any event that has or may have an impact on the security of one of the above systems, and/or may cause damage or loss to its data or to the supplementary information. It is considered to be a security incident in particular where unlawful access to data may have occurred, or where the availability, integrity or confidentiality of data has or may have been compromised.
Where a security incident has or may have an impact on any of the following, information shall be provided to all Member States without delay and reported in compliance with the incident management plan provided by eu-LISA:
- the operation of the specific system in a Member State or within eu-LISA,
- the availability, integrity and confidentiality of the data entered or sent by other Member States, or
- supplementary information exchanged.
All involved stakeholders acting as controllers or processors should ensure the prevention and detection of security incidents, as well as their investigation, and should have internal reporting procedures in place. They must also ensure that, when they identify a security incident, they are able to respond effectively to mitigate its negative effects and to inform the required entities, so that the latter can act as necessary in a coordinated manner.
How to report a security incident to the EDPS
You can report a security incident to the EDPS by downloading and filling in the specific form[1] and sending it, encrypted, to the following email address.
All communication must be encrypted. Therefore, when sending an email about a security incident that has affected one of the above systems to the EDPS functional email address, the form and any additional attachments must be placed in a password-protected encrypted archive (zip), and the password must be shared with the EDPS by a separate channel (by text message to a shared Signal number or by telephone call), never in the same email as the archive.
Please also include in your email a separate telephone number that we can use to contact you for the password.
Notifying Authorities should avoid including EU classified information in the notification to the EDPS, unless strictly necessary for the purpose of the notification. In such a case, the notification should not be sent by email, and the Notifying Authority should use the appropriate means and security measures corresponding to the level of classification.
Personal data are processed in accordance with Regulation (EU) 2018/1725. For more information, please refer to the data protection notice.
[1] This form will be replaced as soon as a common form to notify security incidents to all concerned authorities, such as eu-LISA and the European Commission, is established.