Special report
Tools facilitating travel within the EU
during the COVID-19 pandemic
Relevant initiatives with impact ranging from
success to limited use
EN 2023 01
Contents
Paragraph
Executive summary I-VIII
Introduction 01-12
Audit scope and approach 13-18
Observations 19-74
The Commission developed suitable technological solutions but these were not always taken up by Member States 19-58
The Commission quickly mobilised EU funds for the tools 21-27
The Commission developed the contact-tracing gateway and the EU Digital COVID Certificate system in good time, but for passenger locator forms national solutions were available earlier than the EU ones 28-35
When developing some of the tools, the Commission did not manage to overcome certain Member States’ reservations 36-40
The Commission addressed data protection concerns and applied good IT security practices 41-58
The impact of the EU tools on facilitating travel during the COVID-19 pandemic was uneven 59-74
The EU passenger locator form tools and the contact-tracing gateway did not have the intended impact because of their limited use in Member States 61-68
The Member States used the EU Digital COVID Certificate extensively, which facilitated travel 69-74
Conclusions and recommendations 75-85
Annexes
Annex I Description of the EU tools facilitating safe travels during the COVID-19 pandemic
Annex II Uptake of the contact tracing applications in the EU
Glossary
Replies of the European Commission
Timeline
Audit team
Executive summary
I Following the detection of the first COVID-19 cases in the EU, in March 2020
Member States started to impose travel bans and other restrictions on free movement
of citizens. To facilitate travel and to help trace COVID-19 cases, the Commission
developed four tools:
o the European Federation Gateway Service: a gateway for ensuring EU-wide
interoperability between national contact-tracing applications;
o the EU digital Passenger Locator Form: a tool replacing paper forms used to
collect contact-tracing information during travel;
o the EU Digital COVID Certificate: a certificate confirming vaccination against
COVID-19, recovery or a negative test;
o the platform for exchanging passenger locator forms: a solution for national
authorities in different Member States to exchange contact-tracing data.
II The objective of our audit was to assess whether the Commission had developed
effective tools to facilitate travel within the EU during the COVID-19 pandemic. Our
aim was therefore to identify examples of good practice and areas for improvement in
the way the Commission develops IT tools to facilitate free movement during a health
crisis. This audit complements our special report 13/2022, which assesses whether the
Commission took effective action to protect people’s right of free movement during
the COVID-19 pandemic.
III Overall, we conclude that, despite its limited competence in public health policy,
the Commission moved fast to propose suitable technological solutions to facilitate
travel within the EU during the COVID-19 pandemic. However, the Member States’
use of these tools varied significantly, so the tools’ impact in facilitating travel was
uneven.
IV The Commission swiftly mobilised €71 million for the development of the tools by
combining several funding sources and using existing framework contracts instead of
public tender procedures. The contact-tracing gateway became available shortly after
the pandemic started and the EU Digital COVID Certificate when vaccination efforts
were being stepped up across the continent. The technical and legislative work on
those tools was fast. However, several Member States had already developed their
own digital passenger locator forms before the EU’s solution for passenger locator
forms became available.
V The Commission took data protection requirements and IT security good practices
into account when designing the tools. However, the Commission does not have the
authority to verify that the countries using the EU Digital COVID Certificate tool
complied with IT security requirements.
VI The EU Digital COVID Certificate was effective in facilitating travel and improved
information sharing and coordination in relation to travel restrictions. Member States
and many non-EU countries used the EU Digital COVID Certificate system extensively,
with more than 1.7 billion certificates having been issued in EU and European
Economic Area (EEA) states by March 2022. Furthermore, within one month of the EU
Digital COVID Certificate Regulation entering into force, Member States had
harmonised their travel restrictions considerably. We found, however, that the
arrangements for countries to inform each other about incidents requiring an urgent
response (e.g. fraudulent certificates) were time-consuming due to difficulties
identifying the right counterparts in other countries.
VII The other tools we examined did not have the intended impact because their use
was limited. The EU digital passenger locator form was used by only four Member
States, while other countries continued to rely on national solutions. The overall use of
the platform for exchanging the forms and the contact-tracing gateway remained
limited.
VIII On the basis of these conclusions, we recommend that the Commission:
o analyse and address the reasons for the low uptake of EU digital passenger
locator forms;
o streamline communication on incidents linked to the EU Digital COVID Certificate;
o prepare relevant EU tools for future crises.
Introduction
01 Free movement of persons refers to the right of EU citizens and their family
members to move and reside freely within the territory of the Member States. It is one
of the four fundamental freedoms of the EU (together with the free movement of
goods, services and capital), and has been at the heart of the European project since
its inception[1]. The Free Movement Directive[2] lays down the applicable conditions and
limitations.
02 Protecting public health is a national competence[3]. The European Commission
therefore plays a limited role in health policy, mostly focusing on coordination[4]. It can
support and supplement the actions of the Member States, which have substantial
powers to determine their own health policies[5].
03 Following the detection of the first COVID-19 cases, Member States in
March 2020 started imposing border controls and restrictions on free movement of
citizens in an attempt to limit the spread of the pandemic. However, the Commission
was responsible for monitoring whether these restrictions complied with EU legislation
on freedom of movement. To limit the impact of COVID-19-related measures on free
movement, the Commission took various initiatives with the aim of supporting
coordination among the Member States.
04 The Commission also developed the following tools to facilitate travel and to help
trace positive COVID-19 cases (see Annex I for the detailed description of the tools):
o a contact-tracing gateway: the European Federation Gateway Service (EFGS);
o the digital passenger locator form (EU dPLF);
o the EU Digital COVID Certificate (EU DCC);
o a platform for exchanging passenger locator forms (ePLF).
[1] Article 20(2)(a) and Article 21(1) of the Treaty on the Functioning of the EU.
[2] Directive 2004/38/EC.
[3] Article 168(7) of the Treaty on the Functioning of the EU.
[4] Article 17 of the Treaty on European Union (TEU).
[5] Articles 4(2)(k), 6(a) and 168 of the TFEU.
05 Contact-tracing applications, which anonymously inform users that they may
have been in contact with an infected person, were one of the first tools made
available. The Commission developed the link between different Member States’
contact-tracing applications, thus extending their benefits to include facilitating travel
within the EU.
06 During the pandemic, in order to facilitate contact tracing during travel,
passengers were requested to provide contact and location details through passenger
locator forms that were sent to the relevant national authorities. In the event of a
positive test, authorities used those forms to contact passengers who were seated
near that person and warn them to take a COVID-19 test and precautionary measures.
The Commission developed the EU digital passenger locator form to simplify the use of
national forms during cross-border health crises such as COVID-19. The EU’s third
health programme (2014-2020) included a joint action known as ‘EU Healthy
Gateways’, which, before the outbreak of the COVID-19 pandemic, had already started
developing paper-based forms for maritime and ground transport using international
templates. The ‘EU Healthy Gateways’ joint action was later used to support the
digitisation of passenger locator forms.
07 The Commission also developed the EU Digital COVID Certificate, which provided
verifiable and mutually accepted proof that the holder had been vaccinated against,
recently tested negative for or recovered from COVID-19. Member States are obliged to
accept these certificates when they decide, during the COVID-19 pandemic, to require
travellers to provide proof of vaccination, a negative test result or recovery.
08 The last tool developed by the Commission was a platform for Member States to
exchange passenger locator forms. The platform enabled contact-tracing teams to
exchange forms electronically with one another directly, thus reducing the time taken
to inform travellers at risk.
09 The development of the tools involved several Commission departments. The
Directorate-General for Health and Food Safety, together with the Directorate-General
for Communications Networks, Content and Technology, were system owners of the
contact-tracing gateway. These two directorates-general also led the development of
the EU Digital COVID Certificate together with the Directorate-General for Justice and
Consumers and the Directorate-General for Migration and Home Affairs. In addition,
the Directorate-General for Informatics provided the necessary IT infrastructure.
10 The Member States were involved in the development of these tools mainly
through the eHealth Network (see Box 1). EU agencies such as the European Centre for
Disease Prevention and Control or the European Medicines Agency also contributed.
The development of the passenger locator tools was coordinated by the Member
States, as a joint action financed under the third EU Health Programme, the European
Union Aviation Safety Agency and the Directorate-General for Mobility and Transport.
Box 1
The eHealth Network
The 2011 directive on the application of patients’ rights in cross-border
healthcare[6] introduced the concept of the eHealth Network, “a voluntary network
connecting national authorities responsible for eHealth designated by the
Member States”. The eHealth Network carries out its work through specific task
forces and groups. The Commission co-chairs the meetings and provides
secretarial services to the network. It played a crucial role in developing the EU’s
tools to facilitate travel and provided a forum for collecting input directly from the
Member States. By June 2020, the eHealth Network had held more than 30
meetings relating to the COVID-19 pandemic. The eHealth Network held
96 meetings in 2020 and 285 in 2021.
11 The purpose of the EU tools was unique, meaning there were no other existing
systems suitable for comparison at the time of their development. For the EU tools
described above to be as effective as possible in facilitating travel during the COVID-19
pandemic, it was important that all Member States should adopt them so that their
use of health data to manage travel in the EU would be consistent and their travel
restrictions coordinated.
12 In addition to providing €71 million to support the development of the IT tools,
the Commission made €100 million available to the Member States to help them bear
the financial burden of COVID-19 testing. Increased testing and vaccination in turn
increased the number of EU Digital COVID Certificates issued. Cross-border travel
within the EU may involve some or all of these tools, as described in Figure 1.
[6] Directive 2011/24/EU on the application of patients’ rights in cross-border healthcare.
Audit scope and approach
13 This audit complements our previous special report[7], which assessed whether the
Commission had taken effective action to protect the right of free movement of
persons during the COVID-19 pandemic. The first report covered the Commission’s
scrutiny of internal Schengen border controls, related travel restrictions and
coordination efforts at EU level.
14 The objective of this second audit was to assess whether the Commission had
developed effective tools to facilitate travel within the EU during the COVID-19 crisis.
With this audit, we aimed to identify examples of good practice and areas for
improvement in the way the Commission develops IT tools to facilitate free movement
during health crises. To answer the main audit question, we asked the following two
sub-questions:
o Did the Commission properly develop the EU tools to facilitate travel?
o Did the Member States make extensive use of the EU tools and did this lead to
better coordination and sharing of information on their travel restrictions?
15 This audit covers the period between October 2020 and June 2022 and focuses
on the four EU tools listed in paragraph 04, including the related EU funding. It does
not cover EU funding for COVID-19 vaccination, which we previously assessed in our
special report on the EU’s COVID-19 vaccine procurement[8].
16 We carried out the audit through desk reviews, written questionnaires and
interviews with relevant stakeholders. We reviewed and analysed:
o relevant EU legislation, to identify the key regulatory requirements and the
responsibilities of the different actors;
o internal Commission documents relating to the technical development and legal
adoption of the EU Digital COVID Certificate, the European Federation Gateway
Service, the digital Passenger Locator Form (EU dPLF) and a platform for
exchanging passenger locator forms (ePLF);
[7] Special report 13/2022.
[8] Special report 19/2022.
o Commission publications relating to travel in the context of the COVID-19
pandemic, such as guidance, communications, proposals for recommendation or
proposals for legislative acts;
o the tools’ technical specifications, security and risk assessments, penetration test
reports and IT security plans, to enable our IT experts to verify whether the tools
meet security requirements.
17 To obtain evidence, confirm facts and corroborate data collected from other
sources, we conducted audit interviews with:
o the Commission Directorates-General for Justice and Consumers, Mobility and
Transport, Health and Food Safety and Communications Networks, Content and
Technology;
o the European Centre for Disease Prevention and Control, whose responsibilities
include COVID-19 risk maps and guidance;
o health authorities in Member States and non-EU countries;
o representatives of airlines, the travel industry and consumer associations.
18 We also conducted a survey to collect feedback on the use of such tools in each
Member State. Out of the 27 Member State delegates that make up the Council’s
Integrated Political Crisis Response mechanism, 13 replied to our survey. This
represents a 48 % response rate. We used this survey to support our analysis and
corroborate our observations.
Observations
The Commission developed suitable technological solutions but
these were not always taken up by Member States
19 This section examines whether the Commission properly developed the tools to
facilitate travel during the COVID-19 pandemic, and particularly whether it:
(1) mobilised EU funds quickly after the start of the pandemic;
(2) delivered the tools in a timely manner;
(3) considered the Member States’ needs and willingness to use the tools; and
(4) took into account IT security and privacy concerns in relation to sensitive health
data.
20 We examined whether the Commission’s choice of funding sources and service
providers had enabled it to start work on developing the tools immediately after the
pandemic started. We also examined the consultation process to assess whether the
tools were aligned with the Member States’ priorities. Finally, we assessed whether
the tools followed best practice concerning the protection of personal data and IT
security.
The Commission quickly mobilised EU funds for the tools
21 The Commission mobilised EU funding from different sources, such as the
Emergency Support Instrument and the Digital Europe programme. The EU allocated
€71 million for the development of the tools. Figure 2 provides a visual overview of EU
funding for the tools.
Figure 2: Overview of EU funding by tool
Total EU funding allocated: €71 million (EU dPLF 1.3; ePLF 2.9; EFGS 16.8; EU DCC 50.0)
Source: ECA.
22 EU funding for the EU Digital COVID Certificate totalled €50 million (with
€43 million from the Emergency Support Instrument and an additional €7 million from
the Digital Europe Programme). As of March 2022, 77 % of this budget had been
allocated to developing and adapting national solutions and connecting them to the EU
Digital COVID Certificate gateway: €21.9 million was committed to a private contractor
and €16.7 million was paid in grants to the Member States.
23 EU funding for the contact-tracing gateway totalled approximately €16.8 million
(with €13 million from the Emergency Support Instrument). The Commission justified
this funding based on the need “to facilitate the exchange of data between countries,
enabling national applications to notify users that have been exposed to a user using a
different national application and who tested positive for COVID-19”.
24 The platform for exchanging passenger locator forms and the EU digital
passenger form required much less EU funding: the exchange platform was allocated
around €2.9 million (mostly from the Emergency Support Instrument) and the digital
forms €1.3 million (with funding from the EU Health Programmes). The funding
allocated to the exchange platform was used to finance a pilot project to test the
platform’s feasibility, and to scale it up to cover more Member States and transport
modes. The funding for the digital version of the passenger locator forms was used for
development, cloud hosting and transferring the tool to the European Commission’s IT
environment.
25 In addition, following the launch of the EU Digital COVID Certificate, the EU made
€100 million available to support COVID-19 testing in the Member States[9]. This funding
followed the political agreement of 20 May 2021 between the European Parliament
and the Council on the EU Digital COVID Certificate Regulation. Member States used
the vast majority (90 %) of this allocation, which made it possible to issue additional
certificates based on testing to facilitate travel.
26 We found that the Commission had mobilised this funding quickly and taken a
pragmatic approach to developing the tools that reflected the need to deliver them
quickly. The tools were developed under time constraints, without requesting offers
from different contractors. Rather than using competitive tenders to procure licences
and develop the contact-tracing gateway, the EU Digital COVID Certificate and the
platform for exchanging passenger locator forms, the Commission used framework
contracts that it had already signed with an IT service provider on 30 October 2019 and
[9] Commission's statement of 15 June 2021.
on 24 February 2020. Framework contracts establish the general terms of a
commercial relationship and provide a basis for the signing of specific contracts for
individual deliveries. For the EU digital passenger locator forms, the first funding was
mobilised in July 2020, under the ‘EU Healthy Gateways’ joint action, by reallocating
funds from activities that were not possible due to the pandemic.
27 In the case of the EU Digital COVID Certificate, the Commission selected the
supplier using a framework contract awarded through a negotiated procedure that
was launched in 2019 without publishing a contract notice. According to the
Commission, the supplier selected had experience in developing the contact-tracing
gateway and was the only one with the necessary expertise in the software to be used
for the EU Digital COVID Certificate.
The Commission developed the contact-tracing gateway and the EU
Digital COVID Certificate system in good time, but for passenger locator
forms national solutions were available earlier than the EU ones
28 When the World Health Organization declared COVID-19 a pandemic in
March 2020, Member States started imposing restrictions on free movement[10] and the
Commission started to issue guidelines to facilitate coordination among them[11]. The
contact-tracing gateway started functioning seven months after the declaration of the
pandemic, and the EU Digital Certificate and the passenger locator form became
operational 15 months from this date. Figure 3 provides the timeline for the design
and implementation of the tools. Taking into account the legal and technical
requirements of these tools described below, we consider that the contact-tracing
gateway and EU Digital COVID Certificate were developed in a timely manner, but not
the tools relating to passenger locator forms.
[10] Figure 4 of Special Report 13/2022.
[11] Guidelines for border management measures to protect health and ensure the availability
of goods and essential services, C(2020) 1753 final, OJ C 86I, 16.3.2020.
29 The first tool developed was the contact-tracing gateway, an EU-wide system to
ensure interoperability between national contact-tracing applications. On
13 May 2020, the Commission issued a set of guidelines and recommendations to help
gradually lift the travel restrictions[12] imposed by the Member States. The guidelines
encouraged the use of technology for that purpose. The gateway became operational
in October 2020, five months after the Commission released the guidelines.
30 At the end of April 2020, just one month after the first restrictions were
imposed, the ‘EU Healthy Gateways’ joint action made a proposal to the Commission
to digitise passenger locator forms. However, the discussions between the Commission
and the Member States took several months and the proposal was accepted in
August 2020. The Council recommended[13] developing a common EU digital passenger
locator form in October 2020. By this time, several Member States were already at an
advanced stage in developing their own national solutions (see Table 1).
31 Following the Council’s recommendation, the Commission started work on the
platform for exchanging passenger locator forms in November 2020. However, the
Commission implementing decision[14] governing the exchange of forms was only
adopted on 27 May 2021. The Member States were only able to start actually
exchanging digital forms on the platform in July 2021.
[12] Communications from the Commission C(2020) 3250, C(2020) 3251 and C(2020) 3139.
[13] Council Recommendation (EU) 2020/1475.
[14] Commission Implementing Decision (EU) 2021/858.
Table 1: Examples of electronic passenger locator forms used in the Member States
Country                        Date of introduction
National solution - Spain      July 2020
National solution - Greece     July 2020
National solution - Ireland    August 2020
EU tool - Italy                May 2021
EU tool - Malta                July 2021
EU tool - Slovenia             August 2021
EU tool - France               December 2021
Note: Countries adopting the EU digital passenger locator form solutions are marked in bold.
Source: ECA.
32 The EU Digital COVID Certificate was the fourth tool developed by the
Commission. Work on it started later than it did on the other tools, as it was closely
linked with the EU’s vaccination process. Discussions on a COVID-19 vaccination
certificate had been ongoing between the Commission and the Member States since
November 2020 in the eHealth Network[15] (see Box 1), where Estonia presented the
first pilot of a digitally verifiable vaccination certificate.
33 On 21 December 2020, the European Medicines Agency recommended the first
vaccine for authorisation, and a few days later the first vaccinations began across the
EU. One month later, on 28 January 2021, EU countries adopted basic guidelines for an
interoperable proof of vaccination for medical purposes[16], a unique certificate
identifier and the principles of a trust framework.
34 The political agreement of 20 May 2021 between the European Parliament and
the Council on the EU Digital COVID Certificate Regulation set the end of June as the
deadline to implement the scheme. The Commission therefore had to work on the
technical development in parallel with the legislative work on the regulation[17]. When
designing the technical architecture, it took stock of previous experience with the
[15] eHealth and COVID-19, European Commission website.
[16] eHealth Network, “Guidelines on verifiable vaccination certificates - basic interoperability
elements”, 12.3.2021.
[17] Regulation (EU) 2021/953.
contact-tracing gateway, which allowed it to fast-track the tool’s development. On
17 March 2021, the Commission finalised its legislative proposal[18]. Seven countries
started using the EU Digital COVID Certificate on 1 June 2021, one month before the
Regulation entered into force, allowing EU citizens and residents to have their
certificates issued, verified and accepted throughout the EU. By 1 July, all EU/EEA
Member States (except for Ireland, which joined on 14 July 2021 after suffering a
cyber-attack on its national health service in May 2021) were connected to the EU
Digital COVID Certificate gateway.
35 The European Parliament and the Council adopted the regulation on
14 June 2021, less than three months after the initial proposal[19]. This was very fast,
considering that the average length of the legislative procedure for EU laws adopted
on first reading is just below 18 months[20]. This meant the EU Digital COVID Certificate
could be launched just as the summer holiday period was starting and when
vaccination efforts were being stepped up across the continent: on 10 July 2021, the
EU received sufficient vaccines to vaccinate 71 % of its adult population.
When developing some of the tools, the Commission did not manage to
overcome certain Member States’ reservations
36 The need to deliver the tools quickly and facilitate travel during the COVID-19
pandemic prompted the Commission to start developing them without conducting
impact assessments beforehand. Such assessments are used to determine the likely
effects of public policy and whether there is a need for EU action. The EU’s Better
Regulation guidelines[21] require the Commission, under normal circumstances, to
conduct a policy impact assessment before any new regulation. However, they also
recognise that in extraordinary circumstances, such as an emergency requiring a rapid
response, it may not be possible or appropriate to follow all the steps they prescribe.
37 Even though it did not carry out an impact assessment, the Commission
consulted the Member States on the contact-tracing gateway and the digital
certification through working groups. As early as December 2020, a technical subgroup
within the eHealth Network analysed options for supporting digital vaccination
[18] Proposal for a regulation COM(2021) 130.
[19] Procedure 2021/0068/COD.
[20] Activity Report "Development and Trends of the Ordinary legislative Procedure", European
Parliament.
[21] Better Regulations Guidelines, SWD(2017) 350, 7 July 2017.
certificates and facilitating the sharing of this information among Member States. The
Commission did not conduct such detailed consultations before proceeding with the
development of the other tools. Our survey confirmed that not all Member States
were interested in using all the EU tools we examined.
38 According to our survey, nearly half of the 11 Member States that reported not
having used the passenger locator form tools were reluctant to do so due to data
protection and other legal concerns. Three Member States pointed out that they had
already developed their own national passenger locator forms, customised to their
individual needs, and they saw no benefit in switching over to the EU solutions.
39 Furthermore, in the ‘Healthy Gateways’ consultations that took place in
October 2021 and March 2022, Member States’ views on the usefulness of the
passenger locator form tools were divided. Five EU Member States were using at least
one of the tools and 10 expressed interest in doing so, but 12 stated that they were
unlikely to do so, including two (Denmark and Sweden) that stated that they were not
interested in using them.
40 In the case of the contact-tracing gateway, Member States did not all join when
the solution became available in September 2020. Member States joined gradually,
depending on whether they wished to do so and whether their applications were
ready. By mid-November 2020, six Member States had connected their applications.
Others followed progressively until July 2021, by which time 19 Member States were
connected.
The Commission addressed data protection concerns and applied good IT
security practices
41 Two important risks that must be addressed when developing tools for managing
health data[22] are:
(1) Data protection: health data is highly sensitive and is recognised by the EU’s
General Data Protection Regulation as a special category of data[23]. Therefore, the
tools used to manage such data must include specific safeguards and controls to
protect information stored and sent. We examined the data protection impact
[22] ENISA, Taking Care of Health Data.
[23] Regulation (EU) 2016/679 of the European Parliament and of the Council.
assessments for the tools and whether the processes in place minimised the
handling of personal data.
(2) IT security: the digitalisation of health services and access to digital health records
increase the risk of cybersecurity incidents, since it provides potential new access
points for cyber criminals. Therefore, we assessed whether the tools had been
developed and were operated in accordance with good security practices[24].
42 From a data protection perspective, the participating Member States are ‘joint
data controllers’ (within the meaning of the General Data Protection Regulation) for
EU-wide applications, such as the contact-tracing gateway and some specific features
of the EU Digital COVID Certificate. They share responsibility for deciding how and for
which purposes personal data are processed, and for putting in place appropriate
controls. They each need to prepare data protection impact assessments to identify
and mitigate risks arising from the use of such applications to process personal data.
The Commission, which acts as the ‘data processor’ on their behalf, assisted Member
States in preparing their data protection impact assessments for the EU tools covered
by this report by providing supporting documentation and templates[25]. The use of
these templates was voluntary and the Commission was not responsible for
monitoring whether or not Member States used them.
43 The EU Digital COVID Certificate and the contact-tracing gateway both adopted a
technical architecture that minimised the collection of personal data via the EU central
gateways. In the case of the EU Digital COVID Certificate, personal data from EU
citizens remained in the national systems, under the responsibility of their respective
Member States. The central gateway received only the cryptographic information (and
later the revocation lists) needed for national authorities to verify the validity of
certificates. In the case of the contact tracing gateway, it processed only
pseudonymous personal data, in the form of random identifiers, known as ‘keys’,
generated by the contact-tracing applications. This approach reduced data protection
risks considerably.
44 The EU Digital COVID Certificate Regulation did not prescribe a standard process
for revoking certificates if, for example, they were found to be fraudulent. Participating
countries were free to implement the technical solution of their choice. The
Commission was not responsible for assessing the soundness of these solutions from a
data protection perspective.
[24] ISACA, Certified Information System Auditor review manual, 2019;
International Organization for Standardization / International Electrotechnical Commission
standards 27001.
[25] Draft Data Protection Risk Assessment (DPRA-DRAFT).
45 To ensure that a revoked certificate could be identified in other countries,
Member States would have had to bilaterally exchange information in the form of
revocation lists. One concern raised during our audit was that such bilateral exchange,
involving different actors and revocation solutions, was inefficient, especially as the
number of new certificates was growing.
46 In order to address those concerns, on 30 March 2022, eight months after the
introduction of the EU Digital COVID Certificate, the Commission published technical
specifications and rules to establish a more efficient mechanism for exchanging
revocation lists through the central gateway. The specifications also recommended
three technologies for distributing revocation lists from national databases to the
applications used to verify certificates. If correctly applied, these proposed solutions
can be deemed to preserve privacy, although one of them (bloom filters) took privacy
concerns into account much better than the other two[26]. Nevertheless, the use of
these solutions was voluntary and the Commission did not have the competence to
monitor whether Member States applied them.
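To illustrate why a Bloom filter exposes less than a plain revocation list, the following added example (not code from the eHealth Network specification or the Commission) builds a filter over certificate identifiers and queries it the way a verifier application would. The identifier format, the 1 % target false-positive rate and all class and function names are assumptions; the identifiers are constructed.

```python
import hashlib
import math


class RevocationBloomFilter:
    """Bit array a verifier app can query without holding the revocation list."""

    def __init__(self, expected_items: int, target_fpr: float):
        # Standard Bloom filter sizing: m bits and k hash functions for n items.
        n = max(1, expected_items)
        ln2 = math.log(2)
        self.m = math.ceil(-n * math.log(target_fpr) / ln2 ** 2)
        self.k = max(1, round(self.m / n * ln2))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, cert_id: str) -> list:
        # Double hashing: k bit positions derived from one SHA-256 digest.
        digest = hashlib.sha256(cert_id.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, cert_id: str) -> None:
        for pos in self._positions(cert_id):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def possibly_revoked(self, cert_id: str) -> bool:
        """False: definitely not revoked. True: revoked, or a false positive."""
        return all(self.bits[p // 8] & (1 << (p % 8))
                   for p in self._positions(cert_id))

    def export(self) -> bytes:
        """What is distributed to verifier apps: bits only, no identifiers."""
        return bytes(self.bits)


def build_revocation_filter(revoked_ids, target_fpr: float = 0.01):
    """Backend side: turn the national revocation list into a filter."""
    revoked_ids = list(revoked_ids)
    flt = RevocationBloomFilter(len(revoked_ids), target_fpr)
    for cert_id in revoked_ids:
        flt.add(cert_id)
    return flt


def measured_false_positive_rate(flt, valid_ids) -> float:
    """Share of non-revoked identifiers the filter wrongly flags."""
    valid_ids = list(valid_ids)
    hits = sum(flt.possibly_revoked(c) for c in valid_ids)
    return hits / len(valid_ids)


# Constructed sample identifiers (assumption: any unique string per certificate).
REVOKED = [f"CONSTRUCTED-REVOKED-{i:05d}" for i in range(1000)]
VALID = [f"CONSTRUCTED-VALID-{i:05d}" for i in range(5000)]

if __name__ == "__main__":
    flt = build_revocation_filter(REVOKED, target_fpr=0.01)
    print("filter size in bytes:", len(flt.export()))
    print("hash functions:", flt.k)
    print("revoked certificates missed:",
          sum(not flt.possibly_revoked(c) for c in REVOKED))
    print("valid certificates flagged:",
          f"{measured_false_positive_rate(flt, VALID):.2%}")
```

A revoked certificate is never missed, but a positive answer only means "possibly revoked", so a verifier needs a follow-up path for the small share of valid certificates the filter flags.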
47 IT security risks can be addressed and mitigated with a structured IT security
framework[27]. This usually comprises several elements, such as governance
arrangements, security policies, requirements and standards. It also includes good
practices such as actively searching for weaknesses (‘vulnerability scans’) and actively
testing defences (‘penetration tests’).
48 The Commission has its own IT security framework[28] that applies to all the
information systems hosted in its data centres, including the contact-tracing and the
EU Digital COVID Certificate gateways. The framework follows international
standards[29]. It requires the Commission to conduct a risk assessment for each IT
system, address relevant risks with an IT security plan, and apply a set of formal
security policies and standards.
[26] eHealth Network, “EU DCC Revocation - B2A Communication between the Backend and the
Applications”, section 4.6.3.
[27] ISACA, Certified Information System Auditor review manual, 2019.
[28] Commission Decision (EU) 2017/46 on the security of communication and information
systems in the European Commission, and implementing rules C(2017) 8841 final.
[29] International Organization for Standardization / International Electrotechnical Commission
standards 27001, 27002, 27005 and 27035.
49 The Commission took reasonable steps to ensure IT security in relation to the
contact-tracing gateway. A specialist company carried out a security evaluation of the
gateway’s design and source code when the system went live (October 2020) and did
not find any relevant weaknesses. Three ethical hacking exercises were conducted to
gather further assurance on the gateway’s security.
50 The Commission also defined minimum security requirements for national
contact-tracing applications connecting to the contact-tracing gateway’s exchange
platform. Our analysis of this security architecture and survey responses from Member
States found that the technical process of connecting national systems to the EU
gateway (‘on-boarding’) had been structured and addressed IT security aspects.
51 As regards the EU Digital COVID Certificate, the Directorate-General for
Informatics performed vulnerability assessments of the gateway and an independent
contractor performed additional penetration tests. The tests confirmed that the
central gateway was designed in a way that guarantees a high level of security. Most of
the issues found concerned the infrastructure rather than the source code. The
vulnerabilities identified were followed up. The consultants performing the
penetration tests on the gateway recommended performing a full audit on more
components, including those that may be used at national level, such as the certificate
issuance service or mobile applications. This additional audit concluded in April 2022
and did not call the tool’s security architecture into question.
52 Member States and non-EU countries participating in the EU Digital COVID
Certificate framework scheme generated the certificates in their national systems. If
the national systems had been compromised and unauthorised parties obtained
access, then malicious users could have issued valid but fraudulent certificates. The
widespread circulation of these certificates could have impacted freedom of
movement by undermining trust in the EU Digital COVID Certificate, thus increasing
the risk of Member States re-introducing additional restrictions. Therefore, it was
important to make sure national systems included adequate security controls.
53 For security controls in participating states’ systems, the Commission also relied
on self-assessment questionnaires filled in by the countries but did not have the
authority to verify their actual compliance (for example by reviewing reports on
vulnerability scans, audit reports, action plans or international certifications). This
limited assurance regarding the security posture of the national systems.
54 Our interviews confirmed that one IT security incident had occurred in a non-EU
country. The country’s national solution had a vulnerability, allowing unauthorised
users to access the application and generate unlawful certificates at national level,
until the incident was detected and resolved. According to the incident report from the
country affected, this affected only a handful of certificates.
55 There are no technical solutions capable of mitigating all risks and, for example,
even state-of-the-art security controls cannot prevent authorised staff with legitimate
access to national systems from abusing their powers to generate fraudulent
certificates.
56 Reporting and tackling incidents such as fraudulent certificates therefore requires
quick information sharing between competent authorities. The Member States and
non-EU countries we consulted told us that reporting such issues took time due to
difficulties identifying the right counterparts in other countries.
57 For the EU digital passenger locator forms and exchange platform, the following
recommended IT security practices[30] were applied: two-factor authentication, secure
communication protocols, web application firewalls and physical access security
controls. The contractor also performed an IT risk assessment and established a
structured procedure for on-boarding countries to the system.
58 However, the first penetration test of that system took place only in March 2022,
one year after the first country had been connected. Following the test, the external
service provider developed an implementation plan to address the findings. This
means that the system was operating for one year with undetected vulnerabilities.
The impact of the EU tools on facilitating travel during the
COVID-19 pandemic was uneven
59 This section examines whether the EU tools facilitated travel in the EU during the
initial years of the COVID-19 pandemic. In particular, we assessed whether the tools:
(1) were used extensively by the Member States, since this is necessary in order for
them to be effective; and
(2) improved coordination and information sharing among Member States in relation
to their imposition of travel restrictions, thereby addressing two issues previously
found to be undermining travel within the EU[31].
[30] International Organization for Standardization / International Electrotechnical Commission
standards 27001.
60 We compiled and analysed the data on the use of the tools by the Member
States. We also compared the travel restrictions imposed by the Member States
before and after the introduction of the EU Digital COVID Certificate.
The EU passenger locator form tools and the contact-tracing gateway did
not have the intended impact because of their limited use in Member
States
61 The EU tools needed to be widely used if they were to achieve their intended
impact. Table 2 summarises the use of the tools by each Member State. It shows that
the EU Digital COVID Certificate was the only tool used in all Member States.
[31] Special report 13/2022, paragraphs 69-75.
Table 2 – Use in the Member States of the EU tools developed to support
free movement
Columns: Contact-tracing gateway; EU digital passenger locator form; EU Digital
COVID Certificate; Exchange of Passenger Locator Forms.
Rows: Belgium, Bulgaria, Czech Republic, Denmark, Germany, Estonia, Ireland, Greece,
Spain, France, Croatia, Italy, Cyprus, Latvia, Lithuania, Luxembourg, Hungary, Malta,
Netherlands, Austria, Poland, Portugal, Romania, Slovenia, Slovakia, Finland, Sweden.
[Table cells: per-country usage marks not recoverable from the source text.]
Source: ECA.
62 The EU digital passenger locator forms and exchange platform were not used
sufficiently by the Member States to have a meaningful impact in containing the
spread of COVID-19 and facilitating safe travel.
63 The EU digital passenger locator form[32] was used by only four Member States,
while 17 other Member States continued to rely on national solutions. Out of almost
27 million forms issued by February 2022, 91.6 % (24.7 million) were Italian.
64 Similarly, the use of the exchange platform was very limited. While, in theory, the
tool could be used to exchange information from any national platform, it was mostly
adopted by those countries that were also using the EU forms. The overall use of the
platform remained insignificant, with only three forms exchanged in 2021 and 253 in
the first two months of 2022. All but one of these 256 forms were from Spain.
65 The uptake of contact-tracing applications varied significantly across Member
States. Some Member States did not adopt any contact-tracing application at all. In
those that did, the actual uptake among the population was limited. Downloads of all
contact-tracing applications by EU citizens totalled 74 million (as of October 2021).
However, there are no statistics at EU level on how many people were actually using
them.
66 The total number of confirmed COVID-19 cases was over 522 million[33] by
22 May 2022, by which date 55 million keys had been uploaded. The data from the
contact-tracing gateway shows uneven use of contact-tracing tools among the
Member States, with 83 % of keys having been uploaded by users from Germany alone
(see Annex II).
67 Overall, the tools examined were developed to address emerging needs, which
made it more difficult to create synergies between them consistently. For example,
despite being intrinsically linked, the EU digital passenger locator form and the
platform for exchanging such forms were developed separately (by the ‘EU Healthy
Gateways’ joint action and European Union Aviation Safety Agency, respectively).
Similarly, the guidelines for combining the EU Digital COVID Certificate and passenger
locator forms were made available at EU level after their respective roll-outs and have
so far not been implemented.
[32] EU digital Passenger Locator Form.
[33] Weekly epidemiological update on COVID-19, 25 May 2022, World Health Organisation.
68 As the tools were designed to operate in the short term, there are no flexible
procedures in place to use them in the longer term or re-activate them quickly in case
they are needed in the future. For example, the current legal basis for the EU Digital
COVID Certificate expires in June 2023 and would need to be renewed by the European
Parliament and the Council based on a proposal from the Commission. During our
audit, the Commission pointed out that it would be extremely difficult, both legally and
technically, to re-establish the certification at short notice.
The Member States used the EU Digital COVID Certificate extensively,
which facilitated travel
69 The EU gateway for the EU Digital COVID Certificate went live on 1 June 2021, with
seven Member States connected. Within one and a half months, all 27 EU Member
States were connected. The solution proposed by the Commission also attracted a lot
of interest outside the EU. As of July 2022, 45 non-EU countries and territories had
adopted the EU framework for the EU Digital COVID Certificate.
70 Member States had issued 585 million certificates by 13 October 2021. Five
months later, 1.7 billion certificates had been issued, most of them (1.1 billion) based
on vaccination. This number is higher than the EU population because one person
could have multiple certificates (for example, someone might obtain two testing
certificates before being vaccinated). One EU Digital COVID Certificate was created
after each vaccine dose, recovery or test. In addition to facilitating travel, EU
Digital COVID Certificates were used in the Member States to control access to public
spaces such as restaurants or theatres. A breakdown of these 1.7 billion EU Digital
COVID Certificates by Member State is provided in Figure 4.
Figure 4 – Total EU Digital COVID Certificates generated by Member
States (as of March 2022)
Source: ECA, based on data from the Commission.
71 The tools covered by this report were aimed at facilitating safe travel. Many
Member States had decided, because of the pandemic, to introduce a variety of travel
restrictions. In our special report on free movement in the EU during the COVID-19
pandemic[34], we concluded that as of June 2021 Member States still had many
uncoordinated travel restrictions in place, including PCR testing, quarantine
requirements and entry bans.
72 Indeed, until the EU Digital COVID Certificate entered into force, entry restrictions
for travellers were based on the health risk in the geographical area they were
travelling from. This changed in July 2021 with the introduction of the EU Digital COVID
Certificate Regulation, after which restrictions soon gradually started applying to
individuals rather than geographical areas and were based predominantly on the
possession of a valid certificate.
[34] Special report 13/2022.
73 In addition to this shift in the nature of travel restrictions, the EU Digital COVID
Certificate Regulation also introduced a new formal mechanism to improve
information sharing on such restrictions. Since the regulation entered into force, the
Member States have had to inform the Commission and the other Member States if
they intend to introduce new restrictions. Such notifications must include the reasons
for and the scope and duration of the additional restrictions. By March 2022,
13 Member States had submitted information pursuant to this provision.
74 In July 2021, the Commission’s consultation on travel restrictions revealed that all
Member States (except Greece, Hungary and Italy, which only replied later) had lifted
their restrictions for EU Digital COVID Certificate holders. Figure 5 shows the
differences in travel restrictions before and right after the introduction of the
certification system (June and July 2021). Twelve out of 13 respondents to our survey
agreed that the EU Digital COVID Certificate had helped to coordinate travel
restrictions between the Member States.
Figure 5 – Simplified overview of entry restrictions applied by the 27 EU
Member States
Source: ECA, based on information from the Commission.
Conclusions and recommendations
75 We conclude that, despite its limited competence in public health policy, the
Commission moved fast to propose suitable technological solutions to facilitate travel
within the EU during the COVID-19 pandemic. However, the impact of some of these
tools depends on the willingness of Member States to use them. While the EU Digital
COVID Certificate gained strong support and was effective in facilitating travel, the
impact of the other tools was modest due to their limited use.
76 The Commission swiftly mobilised €71 million for the development of the tools by
combining several funding sources and using existing framework contracts instead of
public tender procedures. The purpose of the tools was unique, meaning there are no
other existing systems suitable for comparison (paragraphs 21-27).
77 The Commission delivered the contact-tracing gateway and the EU Digital COVID
Certificate in good time. The contact-tracing gateway, designed to ensure
interoperability between contact-tracing applications, went live in October 2020,
seven months after the World Health Organization had declared COVID-19 to be a
pandemic. The technical development of the EU Digital COVID Certificate benefited
from previous experience with the contact-tracing gateway and was completed before
the Member States had finished implementing their vaccination plans. The legislative
process to adopt the EU Digital COVID Certificate was also much faster than usual
(paragraphs 28-35).
78 The Commission did not manage to overcome some Member States’ reservations
about using the EU solutions for passenger locator forms, which were delivered after
several Member States had already developed their own tools. This resulted in the EU
solutions only being used by five Member States (paragraphs 36-40).
Recommendation 1 – Address the reasons for the low uptake of
EU digital passenger locator forms
The Commission should address the reasons behind the low use of the EU digital
passenger locator form and exchange platform and promote increased uptake of these
tools by the Member States during the future phases of the COVID-19 pandemic.
Target implementation date: December 2023
79 Overall, the Commission took data protection requirements and IT security good
practices into account when designing the tools. The EU tools minimise the use of
personal data (paragraphs 42-43). Security risk assessments and penetration tests
were generally carried out systematically; the only exception was some delayed
security tests for the EU digital passenger locator form, which meant that the tool was
operating for one year with undetected vulnerabilities (paragraphs 47-51 and 57-58).
80 Concerning the EU Digital COVID Certificate, participating countries had to
exchange lists of fraudulent certificates bilaterally using different communication
channels. This approach makes the blocking of fraudulent certificates less efficient. By
March 2022, the Commission had proposed viable solutions to address this issue, but
these are voluntary (paragraphs 44-46). Furthermore, the arrangements for countries
to inform each other about incidents requiring an urgent response (e.g. fraudulent
certificates) are time-consuming (paragraphs 55-56).
Recommendation 2 – Streamline communication on incidents
linked to the EU Digital COVID Certificate
The Commission should facilitate direct communication between official contact
persons for each country participating in the EU Digital COVID Certificate scheme to
streamline communication in the event of emergencies linked to the certificates.
Target implementation date: June 2023
81 Since the codes used in the EU Digital COVID Certificate were generated by
participating countries’ national systems, it was important for these systems to include
adequate security controls. The Commission relied on IT security self-assessments by
participating countries, as it does not have the authority to verify their actual
compliance with security requirements. This limits the assurance regarding the security
posture of the national systems (paragraphs 52-54).
82 The EU passenger locator forms and the contact-tracing gateway did not have the
intended impact because their use was limited. The EU digital passenger locator form
was used by only four Member States, while other countries continued to rely on
national solutions. The overall use of the platform for exchanging passenger locator
forms has remained insignificant: only three were exchanged in 2021 and 253 in the
first two months of 2022. The use of the contact-tracing gateway was constrained by
Member States’ limited adoption of contact-tracing applications, and the vast majority
of traffic was generated by one country alone (paragraphs 61-67).
83 The tools we examined were developed to address emerging needs and work
independently of one another. This, combined with the variety of national passenger
locator form solutions, made it more difficult to ensure even adoption of the EU tools.
The tools were also designed to operate in the short term in response to the health
crisis. There are no specific procedures in place to use them in the longer term, or to
re-activate them quickly in case they are needed in the future. The current legal basis
for the EU Digital COVID Certificate expires in June 2023 and would need to be
renewed through the standard EU legislative procedure (paragraph 68).
84 We found that the EU Digital COVID Certificate had been effective in facilitating
travel during the COVID-19 pandemic. Member States and several non-EU countries
used the certificates extensively, with more than 1.7 billion EU Digital COVID
Certificates having been issued in EU/EEA countries by March 2022. Furthermore, we
found that within one month of the EU Digital COVID Certificate Regulation entering
into force, Member States had harmonised their travel restrictions considerably. More
concretely, all Member States had removed travel restrictions for EU citizens holding
the EU Digital COVID Certificate by virtue of having been fully vaccinated or recently
tested negative for or recovered from COVID-19.
85 In addition, the EU Digital COVID Certificate improved information sharing and
coordination in relation to travel restrictions, as the applicable regulation requires
Member States to report and justify the introduction of travel restrictions
(paragraphs 69-74).
Recommendation 3 – Prepare relevant EU tools for future crises
The Commission should:
(a) identify those EU tools created during the COVID-19 pandemic that have been
most useful to citizens and the Member States and prepare procedures for
reactivating them quickly in the event of future emergencies;
(b) through synergies or simplifications, make the EU tools used to facilitate cross-
border contact tracing during crises easier for EU citizens to access;
(c) together with Member States, analyse the need for any additional tools to
address potential future crises.
Target implementation date: September 2023 for recommendations (a) and (c), and
September 2024 for recommendation (b)
This report was adopted by Chamber III, headed by Mrs Bettina Jakobsen, Member of
the Court of Auditors, in Luxembourg on 22 November 2022.
For the Court of Auditors
Tony Murphy
President
Annexes
Annex I Description of the EU tools facilitating safe travels
during the COVID-19 pandemic
European Federation Gateway Service
European Federation Gateway Service is a system that allows interoperability between
the national contact tracing applications. The national contact tracing applications
were developed to inform citizens about potential risk contacts and help break
transmission chains of COVID-19.
A contact-tracing application continuously records contacts with nearby users of the
contact tracing applications. It generates a key (an identifier) for its user every
15 minutes in order to protect privacy. The application uses Bluetooth to detect other
smartphones in proximity and exchange keys. Every encounter with another user
results in the exchange of keys between users. These keys are stored on both users’
phones.
When a user tests positive for COVID-19, he/she declares it in the application, which
sends all the user’s keys from the past 14 days to his/her country’s national backend
server. The server sends the infected user’s keys to all other users’ applications, where
they are compared with the keys stored on the phone. If there is a match, the user has
been in proximity with the infected person and is therefore warned.
The majority of Member States have adopted this decentralised approach, where the
combination of the keys of infected people is sent to the users’ applications and the
comparison is done on the users’ phones. A few Member States have chosen a more
centralised approach, where the comparison of keys and matching with the users’
devices is done in the central national servers.
National contact-tracing platforms adopting the decentralised approach and
compatible technological building blocks can exchange anonymised keys of infected
people with one another via the EU contact-tracing gateway. Therefore, the
contact-tracing gateway allows a traveller to use his/her national contact-tracing
application while travelling in other countries connected to the EU gateway.
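The decentralised flow described above, as an added simulation that is not part of the report or of any national application: phones rotate random keys every 15 minutes, an infected traveller uploads the keys of the past 14 days, and a gateway relays them to another country where matching happens on the phone. Class and function names, the 16-byte key length and the country labels "A" and "B" are assumptions, and the code follows the report's simplified description rather than any real application's protocol.

```python
import secrets
from dataclasses import dataclass, field

INTERVAL = 15 * 60           # a new key every 15 minutes (from the report)
UPLOAD_WINDOW = 14 * 86400   # keys of the past 14 days are uploaded (from the report)


@dataclass
class Phone:
    own_keys: dict = field(default_factory=dict)  # interval number -> own key
    heard: dict = field(default_factory=dict)     # key heard nearby -> time heard

    def key_at(self, now: int) -> bytes:
        """Random key for the 15-minute interval that contains `now`."""
        interval = now // INTERVAL
        if interval not in self.own_keys:
            self.own_keys[interval] = secrets.token_bytes(16)  # assumed length
        return self.own_keys[interval]

    def meet(self, other: "Phone", now: int) -> None:
        """Bluetooth encounter: each phone stores the other's current key."""
        self.heard.setdefault(other.key_at(now), now)
        other.heard.setdefault(self.key_at(now), now)

    def report_positive(self, now: int) -> list:
        """Keys of the past 14 days, sent to the national backend."""
        oldest = (now - UPLOAD_WINDOW) // INTERVAL
        return [key for i, key in self.own_keys.items() if i >= oldest]

    def exposures(self, published: set) -> list:
        """On-device comparison: times at which a published key was heard."""
        return sorted(t for key, t in self.heard.items() if key in published)


class Gateway:
    """Relays keys between national backends; it only handles random bytes."""

    def __init__(self):
        self.batches = []  # list of (origin country, set of keys)

    def upload(self, origin: str, keys) -> None:
        self.batches.append((origin, set(keys)))

    def download(self, country: str) -> set:
        """All keys uploaded by the other connected countries."""
        result = set()
        for origin, keys in self.batches:
            if origin != country:
                result |= keys
        return result


def run_scenario() -> dict:
    """Constructed scenario: a traveller from country A visits country B."""
    day = 86400
    now = 30 * day
    traveller, local, stranger = Phone(), Phone(), Phone()

    traveller.meet(local, now - 20 * day)            # outside the 14-day window
    traveller.meet(local, now - 3 * day)             # recent contact
    traveller.meet(local, now - 3 * day + INTERVAL)  # next interval, new key
    stranger.key_at(now - 3 * day)                   # active but never nearby

    gateway = Gateway()
    gateway.upload("A", traveller.report_positive(now))  # traveller tests positive
    published_in_b = gateway.download("B")               # backend B fetches the keys

    return {
        "keys_uploaded": len(published_in_b),
        "local_exposures": local.exposures(published_in_b),
        "stranger_exposures": stranger.exposures(published_in_b),
        "distinct_keys_heard_by_local": len(local.heard),
    }


if __name__ == "__main__":
    for name, value in run_scenario().items():
        print(name, value)
```

The local phone holds three unrelated keys for the same traveller, which is what the 15-minute rotation buys: someone who only overhears keys cannot tell that they belong to one person.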
Digital passenger locator form
Public health authorities use passenger locator forms to facilitate contact tracing when
travellers are exposed to an infectious disease during their travel by plane, train, ship
or bus. The World Health Organization and the International Civil Aviation Organisation
had already started developing these forms during previous disease outbreaks (notably
Ebola).
Traditionally, countries requiring the completion of passenger locator forms often used
paper-based forms. However, paper forms have significant limitations: they can be
difficult to read and the data they contain must be manually entered into computer
systems for automated processing. These limitations prompted many countries to
develop electronic versions. The EU digital passenger locator form is a web application
that was developed to simplify the use of passenger locator forms during cross-border
health threats, such as COVID-19.
The traveller fills in the form online with the details of their travel and receives a
unique Quick Response (QR) code. This code can be scanned by the competent
authorities in the destination countries to verify that passengers provided required
information. Its digital format aims to ease and speed up data collection and data
exchange between stakeholders, with the goal of making contact tracing more efficient
and effective.
Exchange of Passenger Locator Forms
When a traveller tests positive for COVID-19, the PLF data collected by one country
may need to be securely provided to other affected countries for the sole purpose of
COVID-19 contact tracing. Due to the limitation of the existing European system to
exchange health information (Early Warning and Response System), the Commission
decided to develop a dedicated platform for exchanging PLF data between different
national systems.
The PLF exchange platform allows securely encrypted data transmission between
competent national authorities and does not store any data. Member State authorities
can either connect through the EU or national digital passenger locator forms systems.
EU Digital COVID Certificate
The EU Digital COVID Certificate is proof that a person has been vaccinated against,
tested negative for or recovered from COVID-19. Those certificates are issued by the
competent national authorities.
The certificates can be delivered in both paper and electronic forms. In both cases,
they contain a QR code that protects them against falsification. The security of the
solution is based on the use of public and private cryptographic keys. There are two
keys: a private key, used to digitally sign the QR code, and a public key, which allows
the digital signature to be verified.
Each issuing authority has its own private key and corresponding public key. The
private keys are stored securely and the public keys are shared in the central national
database. The authority makes its issuance system available to relevant healthcare
actors (e.g. hospitals and testing centres) upon authorization, enabling them to
digitally sign the certificates.
The applications used to verify the authenticity of the EU Digital COVID Certificate
obtain the public keys from the national databases. The national databases exchange
public keys with other countries through the EU Digital COVID Certificate gateway.
Therefore, the gateway allows mutual verification of the certificates across different
countries.
Annex II Uptake of the contact tracing applications in the EU
The adoption of contact tracing applications was not uniform across the EU. In only
two Member States was the number of downloads of the contact tracing applications
above 50 % of the population. The figure below shows the different situations in the
Member States which were using decentralized contact tracing applications.
Number of contact-tracing applications downloads as a percentage of
population
Finland 56 %, Ireland 50 %, Denmark 39 %, Germany 34 %, Netherlands 31 %,
Belgium 28 %, Estonia 21 %, Malta 20 %, Italy 19 %, Latvia 19 %,
Slovenia 19 %, Austria 17 %, Spain 16 %, Czech Republic 15 %, Lithuania 11 %,
Poland 5 %, Cyprus 5 %, Croatia 3 %
Source: ECA, based on publicly available data from the Commission and selected Member States.
Downloading the application does not necessarily mean that contact tracing is
actually being used, as it requires the applications to be active and the citizens
to voluntarily declare their positive COVID-19 tests. Whenever users declare
themselves positive, the relevant keys are uploaded to the contact-tracing gateway.
The data from the gateway shows that the use of contact tracing varied across the
Member States. The number of keys uploaded to the gateway shows that the
overwhelming majority of them came from one country.
Share of total key uploads to the EU contact-tracing gateway
Germany 83 %, Denmark 9 %, Netherlands 3 %, Finland 1 %, Belgium 1 %, Poland 1 %,
Italy 0.5 %, Spain 0.5 %, Other 1 %
Source: ECA, based on publicly available EFGS data (October 2020 – May 2022).
Glossary
Border control: Checks and surveillance carried out at a border on those crossing or
intending to cross.
Data controller: Within the meaning of the EU General Data Protection Regulation,
person or organisation that determines how and for which purposes personal data
should be processed.
Penetration test: Method for assessing the security of an IT system by attempting to
breach its security safeguards with the tools and techniques typically used by
adversaries.
Schengen area: Group of 26 European countries that have abolished passport and
immigration controls at their common borders.
Vulnerability scan: Process of inspecting network devices, computer systems and
applications to identify any issues and weak points.
Replies of the European Commission
https://www.eca.europa.eu/en/Pages/DocItem.aspx?did=62947
Timeline
https://www.eca.europa.eu/en/Pages/DocItem.aspx?did=62947
Audit team
The ECA’s special reports set out the results of its audits of EU policies and
programmes, or of management-related topics from specific budgetary areas. The ECA
selects and designs these audit tasks to be of maximum impact by considering the risks
to performance or compliance, the level of income or spending involved, forthcoming
developments and political and public interest.
This performance audit was carried out by Audit Chamber III External action, security
and justice, headed by ECA Member Bettina Jakobsen. The audit was led by ECA
Member Baudilio Tomé Muguruza, supported by Daniel Costa De Magalhães, Head of
Private Office and Ignacio García de Parada Miranda, Private Office Attaché;
Alejandro Ballester Gallardo, Principal Manager; Piotr Senator, Head of Task;
João Coelho, Mirko Iaconisi, Ioanna Topa and Andrej Minarovic, Auditors.
Michael Pyper provided linguistic support.
From left to right: Daniel Costa De Magalhães, Andrej Minarovic,
Ignacio García de Parada Miranda, João Coelho, Ioanna Topa, Piotr Senator,
Baudilio Tomé Muguruza, Mirko Iaconisi and Michael Pyper.
COPYRIGHT
© European Union, 2023
The reuse policy of the European Court of Auditors (ECA) is set out in ECA Decision
No 6-2019 on the open data policy and the reuse of documents.
Unless otherwise indicated (e.g. in individual copyright notices), ECA content owned by
the EU is licensed under the Creative Commons Attribution 4.0 International
(CC BY 4.0) licence. As a general rule, therefore, reuse is authorised provided
appropriate credit is given and any changes are indicated. Those reusing ECA content
must not distort the original meaning or message. The ECA shall not be liable for any
consequences of reuse.
Additional permission must be obtained if specific content depicts identifiable private
individuals, e.g. in pictures of ECA staff, or includes third-party works.
Where such permission is obtained, it shall cancel and replace the above-mentioned
general permission and shall clearly state any restrictions on use.
To use or reproduce content that is not owned by the EU, it may be necessary to seek
permission directly from the copyright holders.
Software or documents covered by industrial property rights, such as patents,
trademarks, registered designs, logos and names, are excluded from the ECA’s reuse
policy.
The European Union’s family of institutional websites, within the europa.eu domain,
provides links to third-party sites. Since the ECA has no control over these, you are
encouraged to review their privacy and copyright policies.
Use of the ECA logo
The ECA logo must not be used without the ECA’s prior consent.
PDF ISBN 978-92-847-9207-8 ISSN 1977-5679 doi:10.2865/62115 QJ-AB-22-027-EN-N
HTML ISBN 978-92-847-9224-5 ISSN 1977-5679 doi:10.2865/8135 QJ-AB-22-027-EN-Q
The objective of our audit was to assess whether the Commission
had developed effective tools to facilitate travel within the EU
during the COVID-19 pandemic. Overall, we conclude that,
despite its limited competence in public health policy, the
Commission moved fast to propose suitable technological
solutions to facilitate travel. However, the Member States’ use of
these tools varied significantly, so the tools’ impact in facilitating
travel within the EU was uneven, ranging from success in some
cases to limited use in others. Our recommendations focus on the
need to analyse and address the reasons for the low uptake of
certain tools, streamline communication on incidents relating to
the EU Digital COVID Certificate and prepare relevant EU tools for
future crises.
ECA special report pursuant to Article 287(4), second
subparagraph, TFEU.