1.   A set of core data shall be returned via the router within 48 hours of all of the following conditions being met:

2.   Where, under its national law, a Member State can provide a particular set of core data only after having obtained a judicial authorisation, that Member State may deviate from the time limit set out in paragraph 1 in so far as necessary for the purpose of obtaining such an authorisation.

3.   The set of core data referred to in paragraph 1 of this Article shall be returned by the requested Member State or, in the case of DNA profiles referred to in Article 6(7), by the requesting Member State.

4.   Where the confirmed match concerns identified data of a person, the set of core data referred to in paragraph 1 shall contain the following data to the extent that they are available:

5.   Where the confirmed match concerns unidentified data or traces, the set of core data referred to in paragraph 1 shall contain the following data to the extent that they are available:

6.   The return of core data by the requested Member State or, in the case of DNA profiles referred to in Article 6(7), by the requesting Member State shall be subject to the decision of a human.

1.   Member States shall, in accordance with Regulation (EU) 2016/794, have access to, and be able to search via the router, biometric data which have been provided to Europol by third countries for the purposes of Article 18(2), points (a), (b) and (c), of Regulation (EU) 2016/794.

2.   Where a search as referred to in paragraph 1 results in a match between the data used for the search and data provided by a third country and stored by Europol, the follow-up shall take place in accordance with Regulation (EU) 2016/794.

1.   Where necessary to achieve the objectives set out in Article 3 of Regulation (EU) 2016/794, Europol shall, in accordance with that Regulation and this Regulation, have access to data which are stored by Member States in their national databases and police record indexes.

2.   Europol queries performed with biometric data as a search criterion shall be carried out using the router.

3.   Europol queries performed with vehicle registration data as a search criterion shall be carried out using Eucaris.

4.   Europol queries performed with biographical data of suspects and convicted persons as referred to in Article 25 as a search criterion shall be carried out using EPRIS.

5.   Europol shall conduct searches with data provided by third countries in accordance with paragraphs 1 to 4 of this Article only where necessary for carrying out its tasks for the purposes of Article 18(2), points (a) and (c), of Regulation (EU) 2016/794.

6.   Where the procedures referred to in Article 6, 11 or 20 show a match between the data used for the search and data held in the national database of the requested Member State or Member States, Europol shall inform only the Member State or Member States involved.

The requested Member State shall decide whether to return a set of core data via the router within 48 hours of all of the following conditions being met:

Where, under its national law, a Member State can provide a particular set of core data only after having obtained a judicial authorisation, that Member State may deviate from the time limit set out in the second subparagraph in so far as necessary for the purpose of obtaining such an authorisation.

Where the confirmed match concerns identified data of a person, the set of core data referred to in the second subparagraph shall contain the following data to the extent that they are available:

Where the confirmed match concerns unidentified data or traces, the set of core data referred to in the second subparagraph shall contain the following data to the extent that they are available:

The return of core data by the requested Member State shall be subject to the decision of a human.

7.   Europol’s use of information obtained from a query made in accordance with this Article, and from the exchange of a set of core data in accordance with paragraph 6, shall be subject to the consent of the Member State in whose database the match occurred. Where the Member State allows such information to be used, its handling by Europol shall be governed by Regulation (EU) 2016/794.

1.   Processing of personal data received by a Member State or Europol shall be permitted solely for the purposes for which the data were supplied by the Member State which provided the data in accordance with this Regulation. Processing for other purposes shall be permitted solely with the prior authorisation of the Member State which provided the data.

2.   Processing of data supplied by a Member State or Europol pursuant to Article 6, 11, 16, 20 or 26 shall be permitted solely where necessary for the purpose of:

3.   The data received by a Member State or Europol shall be deleted immediately following automated replies to searches unless further processing is necessary for the purposes referred to in paragraph 2 or is authorised in accordance with paragraph 1.

4.   Prior to connecting their national databases to the router or EPRIS, Member States shall conduct a data protection impact assessment as referred to in Article 27 of Directive (EU) 2016/680 and, where appropriate, consult the supervisory authority as provided for in Article 28 of that Directive. The supervisory authority may use any of the powers it has under Article 47 of that Directive, in accordance with Article 28(5) of that Directive.

1.   Member States and Europol shall ensure the accuracy and relevance of personal data which are processed pursuant to this Regulation. Where a Member State or Europol become aware that data which are incorrect or no longer up to date or data which should not have been supplied have been supplied, it shall notify the Member State which received the data or Europol of that fact without undue delay. All Member States concerned or Europol shall correct or delete the data accordingly without undue delay. Where the Member State which received the data or Europol has reason to believe that the data supplied are incorrect or should be deleted, it shall inform the Member State which provided the data without undue delay.

2.   Member States and Europol shall put in place appropriate measures for updating data relevant for the purposes of this Regulation.

3.   Where a data subject contests the accuracy of data in the possession of a Member State or Europol, where the accuracy cannot be reliably established by the Member State concerned or Europol and where requested by the data subject, the data concerned shall be marked with a flag. Where such a flag exists, Member States or Europol may remove it only with the permission of the data subject or based on a decision of the competent court, of the supervisory authority or of the European Data Protection Supervisor, as relevant.

4.   Data which should not have been supplied or received shall be deleted. Data which are lawfully supplied and received shall be deleted:

Where there is reason to believe that the deletion of data would prejudice the interests of the data subject, the processing of those data shall be restricted instead of being deleted. Where the processing of data has been restricted, they shall be processed solely for the purpose which prevented their deletion.

1.   eu-LISA shall be the processor within the meaning of Article 3, point (12), of Regulation (EU) 2018/1725 for the processing of personal data via the router.

2.   Europol shall be the processor within the meaning of Article 3, point (12), of Regulation (EU) 2018/1725 for the processing of personal data via EPRIS.

1.   The Member States’ competent authorities, eu-LISA and Europol shall ensure the security of the processing of personal data under this Regulation. The Member States’ competent authorities, eu-LISA and Europol shall cooperate on security-related tasks.

2.   Without prejudice to Article 33 of Regulation (EU) 2018/1725 and Article 32 of Regulation (EU) 2016/794, eu-LISA and Europol shall take the necessary measures to ensure the security of the router and EPRIS, respectively, and of their related communication infrastructure.

3.   eu-LISA shall adopt the necessary measures concerning the router, and Europol shall adopt the necessary measures concerning EPRIS, in order to:

The necessary measures referred to in the first subparagraph shall include a security plan, a business continuity plan and a disaster recovery plan.

1.   Any event that has or may have an impact on the security of the router or EPRIS and may cause damage to or loss of data stored in the router or EPRIS shall be considered to be a security incident, in particular where unauthorised access to data may have occurred or where the availability, integrity and confidentiality of data has or may have been compromised.

2.   In the event of a security incident concerning the router, eu-LISA and the Member States concerned or, where applicable, Europol shall cooperate with one another in order to ensure a swift, effective and proper response.

3.   In the event of a security incident concerning EPRIS, the Member States concerned and Europol shall cooperate with one another in order to ensure a swift, effective and proper response.

4.   Member States shall notify their competent authorities of any security incidents without undue delay.

Without prejudice to Article 92 of Regulation (EU) 2018/1725, in the event of a security incident in relation to the central infrastructure of the router, eu-LISA shall notify the Cybersecurity Service for the Union institutions, bodies, offices and agencies (CERT-EU) of significant cyber threats, significant vulnerabilities and significant incidents without undue delay and, in any event, no later than 24 hours after becoming aware of them. Actionable and appropriate technical details of cyber threats, vulnerabilities and incidents that enable proactive detection, incident response or mitigating measures shall be disclosed to CERT-EU without undue delay.

Without prejudice to Article 34 of Regulation (EU) 2016/794 and Article 92 of Regulation (EU) 2018/1725, in the event of a security incident in relation to the EPRIS central infrastructure, Europol shall notify CERT-EU of significant cyber threats, significant vulnerabilities and significant incidents without undue delay and, in any event, no later than 24 hours after becoming aware of them. Actionable and appropriate technical details of cyber threats, vulnerabilities and incidents that enable proactive detection, incident response or mitigating measures shall be disclosed to CERT-EU without undue delay.

5.   Information regarding a security incident that has or may have an impact on the operation of the router or on the availability, integrity and confidentiality of the data shall be provided by the Member States and Union agencies concerned to the Member States and Europol without delay and reported in compliance with the incident management plan to be provided by eu-LISA.

6.   Information regarding a security incident that has or may have an impact on the operation of EPRIS or on the availability, integrity and confidentiality of the data shall be provided by the Member States and Union agencies concerned to the Member States without delay and reported in compliance with the incident management plan to be provided by Europol.

1.   Member States shall ensure that each authority entitled to use the Prüm II framework takes the measures necessary to monitor its compliance with this Regulation and cooperates, where necessary, with the supervisory authority. Europol shall take the measures necessary to monitor its compliance with this Regulation and shall cooperate, where necessary, with the European Data Protection Supervisor.

2.   Data controllers shall implement the necessary measures to effectively monitor the compliance of data processing with this Regulation, including by frequently verifying the logs referred to in Articles 18, 40 and 45. They shall cooperate, where necessary and as appropriate, with the supervisory authorities or with the European Data Protection Supervisor.

1.   The European Data Protection Supervisor shall ensure that an audit of personal data processing operations by eu-LISA and Europol for the purposes of this Regulation is carried out in accordance with relevant international auditing standards at least every four years. A report of that audit shall be sent to the European Parliament, to the Council, to the Commission, to the Member States and to the Union agency concerned. eu-LISA and Europol shall be given an opportunity to make comments before the reports are adopted.

2.   eu-LISA and Europol shall supply information requested by the European Data Protection Supervisor to it, grant the European Data Protection Supervisor access to all the documents it requests and to their logs referred to in Articles 40 and 45 and allow the European Data Protection Supervisor access to all their premises at any time. This paragraph is without prejudice to the powers of the European Data Protection Supervisor under Article 58 of Regulation (EU) 2018/1725 and, with regard to Europol, under Article 43(3) of Regulation (EU) 2016/794.

1.   The supervisory authorities and the European Data Protection Supervisor shall, each acting within the scope of their respective competences, cooperate actively within the framework of their respective responsibilities to ensure a coordinated supervision of the application of this Regulation, in particular if the European Data Protection Supervisor or a supervisory authority finds major discrepancies between practices of Member States or finds potentially unlawful transfers using the communication channels of the Prüm II framework.

2.   In the cases referred to in paragraph 1 of this Article, coordinated supervision shall be ensured in accordance with Article 62 of Regulation (EU) 2018/1725.

3.   Two years after the start of operations of the router and EPRIS and every two years thereafter, the European Data Protection Board shall send a report of its activities under this Article to the European Parliament, to the Council, to the Commission, to eu-LISA and to Europol. That report shall include a chapter on each Member State prepared by the supervisory authority of the Member State concerned.

1.   Each Member State shall be responsible for:

2.   Each Member State shall be responsible for connecting its competent authorities to the router, EPRIS and Eucaris.

1.   Europol shall be responsible for the management of, and arrangements for the access by its duly authorised staff to, the router, EPRIS and Eucaris in accordance with this Regulation.

2.   Europol shall be responsible for processing the queries of Europol data by the router. Europol shall adapt its information systems accordingly.

3.   Europol shall be responsible for any technical adaptations in Europol infrastructure required for establishing the connection to the router and to Eucaris.

4.   Without prejudice to searches by Europol pursuant to Article 49, Europol shall not have access to any of the personal data processed through EPRIS.

5.   Europol shall be responsible for the development of EPRIS in cooperation with the Member States. EPRIS shall provide the functionalities laid down in Articles 42 to 46.

Europol shall be responsible for the technical management of EPRIS. Technical management of EPRIS shall consist of all the tasks and technical solutions necessary to keep the EPRIS central infrastructure functioning and providing uninterrupted services to Member States 24 hours a day, 7 days a week in accordance with this Regulation. It shall include the maintenance work and technical developments necessary to ensure that EPRIS functions are at a satisfactory level of technical quality, in particular as regards the response time for submitting requests to the national databases in accordance with the technical specifications.

6.   Europol shall provide training on the technical use of EPRIS.

7.   Europol shall be responsible for the procedures provided for in Articles 48 and 49.

1.   eu-LISA shall ensure that the central infrastructure of the router is operated in accordance with this Regulation.

2.   The router shall be hosted by eu-LISA in its technical sites and shall provide the functionalities laid down in this Regulation in accordance with the conditions of security, availability, quality and performance referred to in Article 67(1).

3.   eu-LISA shall be responsible for the development of the router and for any technical adaptations necessary for the operations of the router.

4.   eu-LISA shall not have access to any of the personal data processed through the router.

5.   eu-LISA shall determine the design of the physical architecture of the router, including its secure communication infrastructure and the technical specifications, and its evolution as regards the central infrastructure and the secure communication infrastructure. eu-LISA’s Management Board shall approve the design, subject to a favourable opinion of the Commission. eu-LISA shall also implement any necessary adaptations to the interoperability components deriving from the establishment of the router as provided for by this Regulation.

6.   eu-LISA shall develop and implement the router as soon as possible after the adoption by the Commission of the measures provided for in Article 37(6). That development shall consist of the elaboration and implementation of the technical specifications, testing and overall project management and coordination.

7.   During the design and development phase, the Programme Management Board referred to in Article 54 of Regulation (EU) 2019/817 and in Article 54 of Regulation (EU) 2019/818 shall meet regularly. It shall ensure the adequate management of the design and development phase of the router.

Every month, the Programme Management Board shall submit written reports on the progress of the project to eu-LISA’s Management Board. The Programme Management Board shall not have decision-making powers or any mandate to represent the members of eu-LISA’s Management Board.

The Interoperability Advisory Group referred to in Article 78 shall meet regularly until the start of operations of the router. It shall report after each meeting to the Programme Management Board. It shall provide technical expertise to support the tasks of the Programme Management Board and shall follow up on the state of preparation of the Member States.

1.   Following the start of operations of the router, eu-LISA shall be responsible for the technical management of the central infrastructure of the router, including its maintenance and technological developments. In cooperation with Member States, it shall ensure that the best available technology is used, subject to a cost-benefit analysis. eu-LISA shall also be responsible for the technical management of the necessary communication infrastructure.

Technical management of the router shall consist of all the tasks and technical solutions necessary to keep the router functioning and providing uninterrupted services to Member States and to Europol 24 hours a day, 7 days a week in accordance with this Regulation. It shall include the maintenance work and technical developments necessary to ensure that the router functions at a satisfactory level of technical quality, in particular as regards availability and the response time for submitting requests to the national databases and Europol data in accordance with the technical specifications.

The router shall be developed and managed in such a way as to ensure swift, efficient and controlled access, full and uninterrupted availability, and a response time in line with the operational needs of the Member States’ competent authorities and Europol.

2.   Without prejudice to Article 17 of the Staff Regulations of Officials of the European Union, laid down in Council Regulation (EEC, Euratom, ECSC) No 259/68 (18), eu-LISA shall apply appropriate rules of professional secrecy or other equivalent duties of confidentiality to its staff required to work with data stored in the router. That obligation shall also apply after such staff leave office or employment or after the termination of their activities.

eu-LISA shall not have access to any of the personal data processed through the router.

3.   eu-LISA shall perform tasks related to the provision of training on the technical use of the router.

1.   In Decision 2008/615/JHA, Article 1, point (a), Articles 2 to 6 and Sections 2 and 3 of Chapter 2 are replaced with regard to the Member States bound by this Regulation from the date of application of the provisions of this Regulation related to the router set out in Article 75(1). Therefore, Article 1, point (a), Articles 2 to 6 and Sections 2 and 3 of Chapter 2 of Decision 2008/615/JHA are deleted from the date of application of the provisions of this Regulation related to the router set out in Article 75(1).

2.   In Decision 2008/616/JHA, Chapters 2 to 5 and Articles 18, 20 and 21 are replaced with regard to the Member States bound by this Regulation from the date of application of the provisions of this Regulation related to the router set out in Article 75(1). Therefore, Chapters 2 to 5 and Articles 18, 20 and 21 of Decision 2008/616/JHA are deleted from the date of application of the provisions of this Regulation related to the router set out in Article 75(1).

1.   Where needed, the duly authorised staff of the Member States’ competent authorities, the Commission, eu-LISA and Europol shall have access to the following data related to the router, solely for the purposes of reporting and statistics:

It shall not be possible to identify individuals from the data set out in the first subparagraph.

2.   The duly authorised staff of the Member States’ competent authorities, the Commission and Europol shall have access to the following data related to Eucaris, solely for the purposes of reporting and statistics:

It shall not be possible to identify individuals from the data set out in the first subparagraph.

3.   The duly authorised staff of the Member States’ competent authorities, the Commission and Europol shall have access to the following data related to EPRIS, solely for the purposes of reporting and statistics:

It shall not be possible to identify individuals from the data set out in the first subparagraph.

4.   eu-LISA shall store the data set out in paragraph 1 of this Article in the central repository for reporting and statistics established by Article 39 of Regulation (EU) 2019/818. Europol shall store the data set out in paragraph 3. Those data shall allow the Member States’ competent authorities, the Commission, eu-LISA and Europol to obtain customisable reports and statistics to enhance the efficiency of law enforcement cooperation.

1.   Costs incurred in connection with the establishment and operation of the router and EPRIS shall be borne by the general budget of the Union.

2.   Costs incurred in connection with the integration of existing national infrastructure and its connection to the router and EPRIS and costs incurred in connection with the establishment of national facial image databases and national police record indexes for the prevention, detection and investigation of criminal offences shall be borne by the general budget of the Union.

The following costs shall be excluded:

3.   Each Member State shall bear the costs arising from the administration, use and maintenance of Eucaris.

4.   Each Member State shall bear the costs arising from the administration, use and maintenance of their connections to the router and EPRIS.

1.   Member States shall notify eu-LISA of the competent authorities referred to in Article 36. Those authorities may use or have access to the router.

2.   eu-LISA shall notify the Commission of the successful completion of the test referred to in Article 75(1), point (b).

3.   Europol shall notify the Commission of the successful completion of the test referred to in Article 75(3), point (b).

4.   Each Member State shall notify the other Member States, the Commission, eu-LISA and Europol of the content of its national DNA databases and the conditions for automated searches to which Articles 5 and 6 apply.

5.   Each Member State shall inform the other Member States, the Commission, eu-LISA and Europol of the content of its national dactyloscopic databases and the conditions for automated searches to which Articles 10 and 11 apply.

6.   Each Member State shall inform the other Member States, the Commission, eu-LISA and Europol of the content of its national facial image databases and the conditions for automated searches to which Articles 19 and 20 apply.

7.   Member States participating in automated exchanges of police records pursuant to Articles 25 and 26 shall notify the other Member States, the Commission and Europol of the content of their national police record indexes and of the national databases used for the establishment of those indexes and the conditions for automated searches.

8.   Member States shall notify the Commission, eu-LISA and Europol of their national contact point designated pursuant to Article 30. The Commission shall compile a list of the national contact points notified to it and make it available to all Member States.

1.   The Commission shall determine the date from which the Member States and Europol can start using the router by means of an implementing act once the following conditions have been met:

The Commission shall determine, by means of the implementing act referred to in the first subparagraph, the date from which the Member States and Europol are to start using the router. That date shall be one year after the date determined in accordance with the first subparagraph.

The Commission may postpone the date from which the Member States and Europol are to start using the router by one year at most where an assessment of the implementation of the router has shown that such a postponement is necessary.

2.   Member States shall ensure, two years after the start of operations of the router, the availability of facial images as referred to in Article 19 for the purposes of automated searching of facial images as referred to in Article 20.

3.   The Commission shall determine the date from which the Member States and Europol are to start using EPRIS by means of an implementing act once the following conditions have been met:

4.   The Commission shall determine the date from which Europol is to make available third country-sourced biometric data to Member States in accordance with Article 48 by means of an implementing act once the following conditions have been met:

5.   The Commission shall determine the date from which Europol is to have access to data stored in Member States’ databases in accordance with Article 49 by means of an implementing act once the following conditions have been met:

6.   The implementing acts referred to in this Article shall be adopted in accordance with the examination procedure referred to in Article 77(2).

1.   Member States and the Union agencies shall start applying Articles 19 to 22, Article 47 and Article 49(6) from the date determined in accordance with Article 75(1), first subparagraph, with the exception of Member States which have not started using the router.

2.   Member States and the Union agencies shall start applying Articles 25 to 28 and Article 49(4) from the date determined in accordance with Article 75(3).

3.   Member States and the Union agencies shall start applying Article 48 from the date determined in accordance with Article 75(4).

4.   Member States and the Union agencies shall start applying Article 49(1), (2), (3), (5) and (7) from the date determined in accordance with Article 75(5).

1.   The Commission shall be assisted by a committee. That committee shall be a committee within the meaning of Regulation (EU) No 182/2011.

2.   Where reference is made to this paragraph, Article 5 of Regulation (EU) No 182/2011 shall apply. Where the committee delivers no opinion, the Commission shall not adopt the draft implementing act and Article 5(4), the third subparagraph, of Regulation (EU) No 182/2011 shall apply.

1.   eu-LISA shall ensure that procedures are in place to monitor the development of the router in light of objectives relating to planning and costs and to monitor its functioning in light of objectives relating to the technical output, cost-effectiveness, security and quality of service.

Europol shall ensure that procedures are in place to monitor the development of EPRIS in light of objectives relating to planning and costs and to monitor its functioning in light of objectives relating to the technical output, cost-effectiveness, security and quality of service.

2.   By 26 April 2025 and every year thereafter during the development phase of the router, eu-LISA shall submit a report to the European Parliament and to the Council on the state of play of the development of the router. Those reports shall contain detailed information about the costs incurred and information as to any risks which could impact the overall costs to be borne by the general budget of the Union pursuant to Article 73.

Once the development of the router is finalised, eu-LISA shall submit a report to the European Parliament and to the Council explaining in detail how the objectives, in particular relating to planning and costs, were achieved and justifying any divergences.

3.   By 26 April 2025 and every year thereafter during the development phase of EPRIS, Europol shall submit a report to the European Parliament and to the Council on the state of play of the development of EPRIS. Those reports shall contain detailed information about the costs incurred and information as to any risks which could impact the overall costs to be borne by the general budget of the Union pursuant to Article 73.

Once the development of EPRIS is finalised, Europol shall submit a report to the European Parliament and to the Council explaining in detail how the objectives, in particular relating to planning and costs, were achieved and justifying any divergences.

4.   For the purposes of technical maintenance, eu-LISA shall have access to the necessary information relating to the data processing operations performed in the router. For the purposes of technical maintenance, Europol shall have access to the necessary information relating to the data processing operations performed in EPRIS.

5.   Two years after the start of operations of the router and every two years thereafter, eu-LISA shall submit to the European Parliament, to the Council and to the Commission a report on the technical functioning, including the security, of the router.

6.   Two years after the start of operations of EPRIS and every two years thereafter, Europol shall submit to the European Parliament, to the Council and to the Commission a report on the technical functioning, including the security, of EPRIS.

7.   Three years after the start of operations of the router and EPRIS as referred to in Article 75 and every four years thereafter, the Commission shall produce a report on the overall evaluation of the Prüm II framework.

One year after the start of operations of the router and every two years thereafter, the Commission shall produce a report evaluating the use of facial images under this Regulation.

The reports referred to in the first and second subparagraphs shall include the following:

The Commission shall transmit those reports to the European Parliament, to the Council, to the European Data Protection Supervisor and to the European Union Agency for Fundamental Rights.

8.   In the reports referred to in the first subparagraph of paragraph 7, the Commission shall pay special attention to the following new categories of data: facial images and police records. The Commission shall include in such reports the use made by each Member State and Europol of those new categories of data and their impact, effectiveness and efficiency. In the reports referred to in the second subparagraph of paragraph 7, the Commission shall pay special attention to the risk of false matches and to data quality.

9.   The Member States and Europol shall provide eu-LISA and the Commission with the information necessary to draft the reports referred to in paragraphs 2 and 5. That information shall not jeopardise working methods or reveal the sources, staff members or investigations of the Member States’ competent authorities.

10.   The Member States shall provide the Commission and Europol with the information necessary to draft the reports referred to in paragraphs 3 and 6. That information shall not jeopardise working methods or reveals the sources, staff members or investigations of the Member States’ competent authorities.

11.   Without prejudice to confidentiality requirements, Member States, eu-LISA and Europol shall provide the Commission with the information necessary to produce the reports referred to in paragraph 7. Member States shall also provide the Commission with the number of confirmed matches against each Member State’s database per category and per type of data. That information shall not jeopardise working methods or reveal the sources, staff members or investigations of the Member States’ competent authorities.