Special report
01 2023

Tools facilitating travel within the EU during the COVID‑19 pandemic Relevant initiatives with impact ranging from success to limited use

About the report:The objective of our audit was to assess whether the Commission had developed effective tools to facilitate travel within the EU during the COVID‑19 pandemic. Overall, we conclude that, despite its limited competence in public health policy, the Commission moved fast to propose suitable technological solutions to facilitate travel. However, the Members’ States use of these tools varied significantly, so the tools’ impact in facilitating travel within the EU was uneven, ranging from success in some cases to limited use in others. Our recommendations focus on the need to analyse and address the reasons for the low uptake of certain tools, streamline communication on incidents relating to the EU Digital COVID Certificate and prepare relevant EU tools for future crises.

ECA special report pursuant to Article 287(4), second subparagraph, TFEU.

This publication is available in 24 languages and in the following format:
PDF
PDF Special report: Facilitating travel during the pandemic

Executive summary

I Following the detection of the first COVID‑19 cases in the EU, in March 2020 Member States started to impose travel bans and other restrictions on free movement of citizens. To facilitate travel and to help trace COVID‑19 cases, the Commission developed four tools:

  • the European Federation Gateway Service – a gateway for ensuring EU-wide interoperability between national contact-tracing applications;
  • the EU digital Passenger Locator Form – a tool replacing paper forms used to collect contact-tracing information during travel;
  • the EU Digital COVID Certificate – a certificate confirming vaccination against COVID‑19, recovery or a negative test;
  • the platform for exchanging passenger locator forms – a solution for national authorities in different Member States to exchange contact-tracing data.

II The objective of our audit was to assess whether the Commission had developed effective tools to facilitate travel within the EU during the COVID‑19 pandemic. Our aim was therefore to identify examples of good practice and areas for improvement in the way the Commission develops IT tools to facilitate free movement during a health crisis. This audit complements our special report 13/2022, which assesses whether the Commission took effective action to protect peoples’ right of free movement during the COVID‑19 pandemic.

III Overall, we conclude that, despite its limited competence in public health policy, the Commission moved fast to propose suitable technological solutions to facilitate travel within the EU during the COVID‑19 pandemic. However, the Members’ States use of these tools varied significantly, so the tools’ impact in facilitating travel was uneven.

IV The Commission swiftly mobilised €71 million for the development of the tools by combining several funding sources and using existing framework contracts instead of public tender procedures. The contact-tracing gateway became available shortly after the pandemic started and the EU Digital COVID Certificate when vaccination efforts were being stepped up across the continent. The technical and legislative work on those tools was fast. However, several Member States had already developed their own digital passenger locator forms before the EU’s solution for passenger locator forms became available.

V The Commission took data protection requirements and IT security good practices into account when designing the tools. However, the Commission does not have the authority to verify that the countries using the EU Digital COVID Certificate tool complied with IT security requirements.

VI The EU Digital COVID Certificate was effective in facilitating travel and improved information sharing and coordination in relation to travel restrictions. Member States and many non-EU countries used the EU Digital COVID Certificate system extensively, with more than 1.7 billion certificates having been issued in EU and European Economic Area (EEA) states by March 2022. Furthermore, within one month of the EU Digital COVID Certificate Regulation entering into force, Member States had harmonised their travel restrictions considerably. We found, however, that the arrangements for countries to inform each other about incidents requiring an urgent response (e.g. fraudulent certificates) were time-consuming due to difficulties identifying the right counterparts in other countries.

VII The other tools we examined did not have the intended impact because their use was limited. The EU digital passenger locator form was used by only four Member States, while other countries continued to rely on national solutions. The overall use of the platform for exchanging the forms and the contact-tracing gateway remained limited.

VIII On the basis of these conclusions, we recommend that the Commission:

  • analyse and address the reasons for the low uptake of EU digital passenger locator forms;
  • streamline communication on incidents linked to the EU Digital COVID Certificate;
  • prepare relevant EU tools for future crises.

Introduction

01 Free movement of persons refers to the right of EU citizens and their family members to move and reside freely within the territory of the Member States. It is one of the four fundamental freedoms of the EU (together with the free movement of goods, services and capital), and has been at the heart of the European project since its inception1. The Free Movement Directive2 lays down the applicable conditions and limitations.

02 Protecting public health is a national competence3. The European Commission therefore plays a limited role in health policy, mostly focusing on coordination4. It can support and supplement the actions of the Member States, which have substantial powers to determine their own health policies5.

03 Following the detection of the first COVID‑19 cases, Member States in March 2020 started imposing border controls and restrictions on free movement of citizens in an attempt to limit the spread of the pandemic. However, the Commission was responsible for monitoring whether these restrictions complied with EU legislation on freedom of movement. To limit the impact of COVID‑19-related measures on free movement, the Commission took various initiatives with the aim of supporting coordination among the Member States.

04 The Commission also developed the following tools to facilitate travel and to help trace positive COVID‑19 cases (see Annex I for the detailed description of the tools):

  • a contact-tracing gateway: the European Federation Gateway Service (EFGS);
  • the digital passenger locator form (EU dPLF);
  • the EU Digital COVID Certificate (EU DCC);
  • a platform for exchanging passenger locator forms (ePLF).

05 Contact-tracing applications, which anonymously inform users that they may have been in contact with an infected person, were one of the first tools made available. The Commission developed the link between different Member States’ contact-tracing applications, thus extending their benefits to include facilitating travel within the EU.

06 During the pandemic, in order to facilitate contact tracing during travel, passengers were requested to provide contact and location details through passenger locator forms that were sent to the relevant national authorities. In the event of a positive test, authorities used those forms to contact passengers who were seated near that person and warn them to take a COVID‑19 test and precautionary measures. The Commission developed the EU digital passenger locator form to simplify the use of national forms during cross-border health crises such as COVID‑19. The EU’s third health programme (2014-2020) included a joint action known as ‘EU Healthy Gateways’, which, before the outbreak of the COVID‑19 pandemic, had already started developing paper-based forms for maritime and ground transport using international templates. The ‘EU Healthy Gateways’ joint action was later used to support the digitisation of passenger locator forms.

07 The Commission also developed the EU Digital COVID Certificate, which provided verifiable and mutually accepted proof that the holder had been vaccinated against, recently tested negative for or recovered from COVID‑19 Member States are obliged to accept these certificates when they decide, during the COVID-19 pandemic, to require travellers to provide proof of vaccination, a negative test result or recovery.

08 The last tool developed by the Commission was a platform for Member States to exchange passenger locator forms. The platform enabled contact-tracing teams to exchange forms electronically with one another directly, thus reducing the time taken to inform travellers at risk.

09 The development of the tools involved several Commission departments. The Directorate-General for Health and Food Safety, together with the Directorate-General for Communications Networks, Content and Technology, were system owners of the contact-tracing gateway. These two directorates-general also led the development of the EU Digital COVID Certificate together with the Directorate-General for Justice and Consumers and the Directorate-General for Migration and Home Affairs. In addition, the Directorate-General for Informatics provided the necessary IT infrastructure.

10 The Member States were involved in the development of these tools mainly through the eHealth Network (see Box 1). EU agencies such as the European Centre for Disease Prevention and Control or the European Medicines Agency also contributed. The development of the passenger locator tools was coordinated by the Member States, as a joint action financed under the third EU Health Programme, the European Union Aviation Safety Agency and the Directorate-General for Mobility and Transport.

Box 1

The eHealth Network

The 2011 directive on the application of patients’ rights in cross-border healthcare6 introduced the concept of the eHealth Network, “a voluntary network connecting national authorities responsible for eHealth designated by the Member States”. The eHealth Network carries out its work through specific task forces and groups. The Commission co-chairs the meetings and provides secretarial services to the network. It played a crucial role in developing the EU’s tools to facilitate travel and provided a forum for collecting input directly from the Member States. By June 2020, the eHealth Network had held more than 30 meetings relating to the COVID‑19 pandemic. The eHealth Network held 96 meetings in 2020 and 285 in 2021.

11 The purpose of the EU tools was unique, meaning there were no other existing systems suitable for comparison at the time of their development. For the EU tools described above to be as effective as possible in facilitating travel during the COVID‑19 pandemic, it was important that all Member States should adopt them so that their use of health data to manage travel in the EU would be consistent and their travel restrictions coordinated.

12 In addition to providing €71 million to support the development of the IT tools, the Commission made €100 million available to the Member States to help them bear the financial burden of COVID‑19 testing. Increased testing and vaccination in turn increased the number of EU Digital COVID‑ Certificates issued. Cross-border travel within the EU may involve some or all of these tools, as described in Figure 1.

Figure 1 – Use of the EU tools for travel by plane between Member States

Source: ECA.

Audit scope and approach

13 This audit complements our previous special report7, which assessed whether the Commission had taken effective action to protect the right of free movement of persons during the COVID‑19 pandemic. The first report covered the Commission’s scrutiny of internal Schengen border controls, related travel restrictions and coordination efforts at EU level.

14 The objective of this second audit was to assess whether the Commission had developed effective tools to facilitate travel within the EU during the COVID‑19 crisis. With this audit, we aimed to identify examples of good practice and areas for improvement in the way the Commission develops IT tools to facilitate free movement during health crises. To answer the main audit question, we asked the following two sub-questions:

  • Did the Commission properly develop the EU tools to facilitate travel?
  • Did the Member States make extensive use of the EU tools and did this lead to better coordination and sharing of information on their travel restrictions?

15 This audit covers the period between October 2020 and June 2022 and focuses on the four EU tools listed in paragraph 04, including the related EU funding. It does not cover EU funding for COVID‑19 vaccination, which we previously assessed in our special report on the EU’s COVID‑19 vaccine procurement8.

16 We carried out the audit through desk reviews, written questionnaires and interviews with relevant stakeholders. We reviewed and analysed:

  • relevant EU legislation, to identify the key regulatory requirements and the responsibilities of the different actors;
  • internal Commission documents relating to the technical development and legal adoption of the EU Digital COVID Certificate, the European Federation Gateway Service, the digital Passenger Locator Form (EU dPLF) and a platform for exchanging passenger locator forms (ePLF);
  • Commission publications relating to travel in the context of the COVID‑19 pandemic, such as guidance, communications, proposals for recommendation or proposals for legislative acts;
  • the tools’ technical specifications, security and risk assessments, penetration test reports and IT security plans, to enable our IT experts to verify whether the tools meet security requirements.

17 To obtain evidence, confirm facts and corroborate data collected from other sources, we conducted audit interviews with:

  • the Commission Directorates-General for Justice and Consumers, Mobility and Transport, Health and Food Safety and Communications Networks, Content and Technology;
  • the European Centre for Disease Prevention and Control, whose responsibilities include COVID‑19 risk maps and guidance;
  • health authorities in Member States and non-EU countries;
  • representatives of airlines, the travel industry and consumer associations.

18 We also conducted a survey to collect feedback on the use of such tools in each Member State. Out of the 27 Member State delegates that make up the Council’s Integrated Political Crisis Response mechanism, 13 replied to our survey. This represents a 48 % response rate. We used this survey to support our analysis and corroborate our observations.

Observations

The Commission developed suitable technological solutions but these were not always taken up by Member States

19 This section examines whether the Commission properly developed the tools to facilitate travel during the COVID‑19 pandemic, and particularly whether it:

  1. mobilised EU funds quickly after the start of the pandemic;
  2. delivered the tools in a timely manner;
  3. considered the Member States’ needs and willingness to use the tools; and
  4. took into account IT security and privacy concerns in relation to sensitive health data.

20 We examined whether the Commission’s choice of funding sources and service providers had enabled it to start work on developing the tools immediately after the pandemic started. We also examined the consultation process to assess whether the tools were aligned with the Member States’ priorities. Finally, we assessed whether the tools followed best practice concerning the protection of personal data and IT security.

The Commission quickly mobilised EU funds for the tools

21 The Commission mobilised EU funding from different sources, such as the Emergency Support Instrument and the Digital Europe programme. The EU allocated €71 million for the development of the tools. Figure 2 provides a visual overview of EU funding for the tools.

Figure 2 – Overview of EU funding by tool

Source: ECA.

22 EU funding for the EU Digital COVID Certificate totalled €50 million (with €43 million from the Emergency Support Instrument and an additional €7 million from the Digital Europe Programme). As of March 2022, 77 % of this budget had been allocated to developing and adapting national solutions and connecting them to the EU Digital COVID Certificate gateway: €21.9 million was committed to a private contractor and €16.7 million was paid in grants to the Member States.

23 EU funding for the contact-tracing gateway totalled approximately €16.8 million (with €13 million from the Emergency Support Instrument). The Commission justified this funding based on the need “to facilitate the exchange of data between countries, enabling national applications to notify users that have been exposed to a user using a different national application and who tested positive for COVID‑19”.

24 The platform for exchanging passenger locator forms and the EU digital passenger form required much less EU funding: the exchange platform was allocated around €2.9 million (mostly from the Emergency Support Instrument) and the digital forms €1.3 million (with funding from the EU Health Programmes). The funding allocated to the exchange platform was used to finance a pilot project to test the platform’s feasibility, and to scale it up to cover more Member States and transport modes. The funding for the digital version of the passenger locator forms was used for development, cloud hosting and transferring the tool to the European Commission’s IT environment.

25 In addition, following the launch of the EU Digital COVID Certificate, the EU made €100 million available to support COVID‑19 testing in the Member States9. This funding followed the political agreement of 20 May 2021 between the European Parliament and the Council on the EU Digital COVID Certificate Regulation. Member States used the vast majority (90 %) of this allocation, which made it possible to issue additional certificates based on testing to facilitate travel.

26 We found that the Commission had mobilised this funding quickly and taken a pragmatic approach to developing the tools that reflected the need to deliver them quickly. The tools were developed under time constraints, without requesting offers from different contractors. Rather than using competitive tenders to procure licences and develop the contact-tracing gateway, the EU Digital COVID Certificate and the platform for exchanging passenger locator forms, the Commission used framework contracts that it had already signed with an IT service provider on 30 October 2019 and on 24 February 2020. Framework contracts establish the general terms of a commercial relationship and provide a basis for the signing of specific contracts for individual deliveries. For the EU digital passenger locator forms, the first funding was mobilised in July 2020, under the ‘EU Healthy Gateways’ joint action, by reallocating funds from activities that were not possible due to the pandemic.

27 In the case of the EU Digital COVID Certificate, the Commission selected the supplier using a framework contract awarded through a negotiated procedure that was launched in 2019 without publishing a contract notice. According to the Commission, the supplier selected had experience in developing the contact-tracing gateway and was the only one with the necessary expertise in the software to be used for the EU Digital COVID Certificate.

The Commission developed the contact-tracing gateway and the EU Digital COVID Certificate system in good time, but for passenger locator forms national solutions were available earlier than the EU ones

28 When the World Health Organization declared COVID‑19 a pandemic in March 2020, Member States started imposing restrictions on free movement10 and the Commission started to issue guidelines to facilitate coordination among them11. The contact-tracing gateway started functioning seven months after the declaration of the pandemic, and the EU Digital Certificate and the passenger locator form became operational 15 months from this date. Figure 3 provides the timeline for the design and implementation of the tools. Taking into account the legal and technical requirements of these tools described below, we consider that the contact-tracing gateway and EU Digital COVID Certificate were developed in a timely manner, but not the tools relating to passenger locator forms.

Figure 3 – Timeline for the design and implementation of the EU tools

Source: ECA.

29 The first tool developed was the contact-tracing gateway, an EU-wide system to ensure interoperability between national contact-tracing applications. On 13 May 2020, the Commission issued a set of guidelines and recommendations to help gradually lift the travel restrictions12 imposed by the Member States. The guidelines encouraged the use of technology for that purpose. The gateway became operational in October 2020, five months after the Commission released the guidelines.

30 At the end of April 2020 , just one month after the first restrictions were imposed, the ‘EU Healthy Gateways’ joint action made a proposal to the Commission to digitise passenger locator forms. However, the discussions between the Commission and the Member States took several months and the proposal was accepted in August 2020. The Council recommended13 developing a common EU digital passenger locator form in October 2020. By this time, several Member States were already at an advanced stage in developing their own national solutions (see Table 1).

31 Following the Council’s recommendation, the Commission started work on the platform for exchanging passenger locator forms in November 2020. However, the Commission implementing decision14 governing the exchange of forms was only adopted on 27 May 2021. The Member States were only able to start actually exchanging digital forms on the platform in July 2021.

Table 1 – Examples of electronic passenger locator forms used in the Member States

Country Date of introduction
National solution - Spain July 2020
National solution - Greece July 2020
National solution - Ireland August 2020
EU tool - Italy May 2021
EU tool - Malta July 2021
EU tool - Slovenia August 2021
EU tool - France December 2021

Note: Countries adopting the EU digital passenger locator form solutions are marked in bold.

Source: ECA.

32 The EU Digital COVID Certificate was the fourth tool developed by the Commission. Work on it started later than it did on the other tools, as it was closely linked with the EU’s vaccination process. Discussions on a COVID‑19 vaccination certificate had been ongoing between the Commission and the Member States since November 2020 in the eHealth Network15 (see Box 1 ), where Estonia presented the first pilot of a digitally verifiable vaccination certificate.

33 On 21 December 2020, the European Medicines Agency recommended the first vaccine for authorisation, and a few days later the first vaccinations began across the EU. One month later, on 28 January 2021, EU countries adopted basic guidelines for an interoperable proof of vaccination for medical purposes16, a unique certificate identifier and the principles of a trust framework.

34 The political agreement of 20 May 2021 between the European Parliament and the Council on the EU Digital COVID Certificate Regulation set the end of June as the deadline to implement the scheme. The Commission therefore had to work on the technical development in parallel with the legislative work on the regulation17. When designing the technical architecture, it took stock of previous experience with the contact-tracing gateway, which allowed it to fast-track the tool’s development. On 17 March 2021, the Commission finalised its legislative proposal18. Seven countries started using the EU Digital COVID Certificate on 1 June 2021, one month before the Regulation entered into force, allowing EU citizens and residents to have their certificates issued, verified and accepted throughout the EU. By 1 July, all EU/EEA Member States (except for Ireland, which joined on 14 July 2021 after suffering a cyber-attack on its national health service in May 2021) were connected to the EU Digital COVID Certificate gateway.

35 The European Parliament and the Council adopted the regulation on 14 June 2021, less than three months after the initial proposal19. This was very fast, considering that the average length of the legislative procedure for EU laws adopted on first reading is just below 18 months20. This meant the EU Digital COVID Certificate could be launched just as the summer holiday period was starting and when vaccination efforts were being stepped up across the continent: on 10 July 2021, the EU received sufficient vaccines to vaccinate 71 % of its adult population.

When developing some of the tools, the Commission did not manage to overcome certain Member States’ reservations

36 The need to deliver the tools quickly and facilitate travel during the COVID‑19 pandemic prompted the Commission to start developing them without conducting impact assessments beforehand. Such assessments are used to determine the likely effects of public policy and whether there is a need for EU action. The EU’s Better Regulation guidelines21 require the Commission, under normal circumstances, to conduct a policy impact assessment before any new regulation. However, they also recognise that in extraordinary circumstances, such as an emergency requiring a rapid response, it may not be possible or appropriate to follow all the steps they prescribe.

37 Even though it did not carry out an impact assessment, the Commission consulted the Member States on the contact-tracing gateway and the digital certification through working groups. As early as December 2020, a technical subgroup within the eHealth Network analysed options for supporting digital vaccination certificates and facilitating the sharing of this information among Member States. The Commission did not conduct such detailed consultations before proceeding with the development of the other tools. Our survey confirmed that not all Member States were interested in using all the EU tools we examined.

38 According to our survey, nearly half of the 11 Member States that reported not having used the passenger locator form tools were reluctant to do so due to data protection and other legal concerns. Three Member States pointed out that they had already developed their own national passenger locator forms, customised to their individual needs, and they saw no benefit in switching over to the EU solutions.

39 Furthermore, in the ‘Healthy Gateways’ consultations that took place in October 2021 and March 2022, Member States’ views on the usefulness of the passenger locator form tools were divided. Five EU Member States were using at least one of the tools and 10 expressed interest in doing so, but 12 stated that they were unlikely to do so, including two (Denmark and Sweden) that stated that they were not interested in using them.

40 In the case of the contact-tracing gateway, Member States did not all join when the solution became available in September 2020. Member States joined gradually, depending on whether they wished to do so and whether their applications were ready. By mid-November 2020, six Member States had connected their applications. Others followed progressively until July 2021, by which time 19 Member States were connected.

The Commission addressed data protection concerns and applied good IT security practices

41 Two important risks that must be addressed when developing tools for managing health data22 are:

  1. Data protection: health data is highly sensitive and is recognised by the EU’s General Data Protection Regulation as a special category of data23. Therefore, the tools used to manage such data must include specific safeguards and controls to protect information stored and sent. We examined the data protection impact assessments for the tools and whether the processes in place minimised the handling of personal data.
  2. IT security: the digitalisation of health services and access to digital health records increase the risk of cybersecurity incidents, since it provides potential new access points for cyber criminals. Therefore, we assessed whether the tools had been developed and were operated in accordance with good security practices24.

42 From a data protection perspective, the participating Member States are ‘joint data controllers’ (within the meaning of the General Data Protection Regulation) for EU-wide applications, such as the contact-tracing gateway and some specific features of the EU Digital COVID Certificate. They share responsibility for deciding how and for which purposes personal data are processed, and for putting in place appropriate controls. They each need to prepare data protection impact assessments to identify and mitigate risks arising from the use of such applications to process personal data. The Commission, which acts as the ‘data processor’ on their behalf, assisted Member States in preparing their data protection impact assessments for the EU tools covered by this report by providing supporting documentation and templates25. The use of these templates was voluntary and the Commission was not responsible for monitoring whether or not Member States used them.

43 The EU Digital COVID Certificate and the contact-tracing gateway both adopted a technical architecture that minimised the collection of personal data via the EU central gateways. In the case of the EU Digital COVID Certificate, personal data from EU citizens remained in the national systems, under the responsibility of their respective Member States. The central gateway received only the cryptographic information (and later the revocation lists) needed for national authorities to verify the validity of certificates. In the case of the contact tracing gateway, it processed only pseudonymous personal data, in the form of random identifiers, known as ‘keys’, generated by the contact-tracing applications. This approach reduced data protection risks considerably.

44 The EU Digital COVID Certificate Regulation did not prescribe a standard process for revoking certificates if, for example, they were found to be fraudulent. Participating countries were free to implement the technical solution of their choice. The Commission was not responsible for assessing the soundness of these solutions from a data protection perspective.

45 To ensure that a revoked certificate could be identified in other countries, Member States would have had to bilaterally exchange information in the form of revocation lists. One concern raised during our audit was that such bilateral exchange, involving different actors and revocation solutions was inefficient, especially as the number of new certificates was growing.

46 In order to address those concerns, on 30 March 2022, eight months after the introduction of the EU Digital COVID Certificate, the Commission published technical specifications and rules to establish a more efficient mechanism for exchanging revocation lists through the central gateway. The specifications also recommended three technologies for distributing revocation lists from national databases to the applications used to verify certificates. If correctly applied, these proposed solutions can be deemed to preserve privacy, although one of them (bloom filters) took privacy concerns into account much better than the other two26. Nevertheless, the use of these solutions was voluntary and the Commission did not have the competence to monitor whether Member States applied them.

47 IT security risks can be addressed and mitigated with a structured IT security framework27. This usually comprises several elements, such as governance arrangements, security policies, requirements and standards. It also includes good practices such as actively searching for weaknesses (‘vulnerability scans’) and actively testing defences (‘penetration tests’).

48 The Commission has its own IT security framework28 that applies to all the information systems hosted in its data centres, including the contact-tracing and the EU Digital COVID Certificate gateways. The framework follows international standards29. It requires the Commission to conduct a risk assessment for each IT system, address relevant risks with an IT security plan, and apply a set of formal security policies and standards.

49 The Commission took reasonable steps to ensure IT security in relation to the contact-tracing gateway. A specialist company carried out a security evaluation of the gateway’s design and source code when the system went live (October 2020) and did not find any relevant weaknesses. Three ethical hacking exercises were conducted to gather further assurance on the gateway’s security.

50 The Commission also defined minimum security requirements for national contact-tracing applications connecting to the contact-tracing gateway’s exchange platform. Our analysis of this security architecture and survey responses from Member States found that the technical process of connecting national systems to the EU gateway (‘on-boarding’) had been structured and addressed IT security aspects.

51 As regards the EU Digital COVID Certificate, the Directorate-General for Informatics performed vulnerability assessments of the gateway and an independent contractor performed additional penetration tests. The tests confirmed that the central gateway was designed in a way that guarantees a high level of security. Most of the issues found concerned the infrastructure rather than the source code. The vulnerabilities identified were followed up. The consultants performing the penetration tests on the gateway recommended performing a full audit on more components, including those that may be used at national level, such as the certificate issuance service or mobile applications. This additional audit concluded in April 2022 and did not call the tool’s security architecture into question.

52 Member States and non-EU countries participating in the EU Digital COVID Certificate framework scheme generated the certificates in their national systems. If the national systems had been compromised and unauthorised parties obtained access, then malicious users could have issued valid but fraudulent certificates. The widespread circulation of these certificates could have impacted freedom of movement by undermining trust in the EU Digital COVID Certificate, thus increasing the risk of Member States re-introducing additional restrictions. Therefore, it was important to make sure national systems included adequate security controls.

53 For security controls in participating states’ systems, the Commission also relied on self-assessment questionnaires filled in by the countries but did not have the authority to verify their actual compliance (for example by reviewing reports on vulnerability scans, audit reports, action plans or international certifications). This limited assurance regarding the security posture of the national systems.

54 Our interviews confirmed that one IT security incident had occurred in a non-EU country. The country’s national solution had a vulnerability, allowing unauthorised users to access the application and generate unlawful certificates at national level, until the incident was detected and resolved. According to the incident report from the country affected, this affected only a handful of certificates.

55 There are no technical solutions capable of mitigating all risks and, for example, even state-of-the-art security controls cannot prevent authorised staff with legitimate access to national systems from abusing their powers to generate fraudulent certificates.

56 Reporting and tackling incidents such as fraudulent certificates therefore requires quick information sharing between competent authorities. The Member States and non-EU countries we consulted told us that reporting such issues took time due to difficulties identifying the right counterparts in other countries.

57 For the EU digital passenger locator forms and exchange platform, the following recommended IT security practices30 were applied: two-factor authentication, secure communication protocols, web application firewalls and physical access security controls. The contractor also performed an IT risk assessment and established a structured procedure for on-boarding countries to the system.

58 However, the first penetration test of that system took place only in March 2022, one year after the first country had been connected. Following the test, the external service provider developed an implementation plan to address the findings. This means that the system was operating for one year with undetected vulnerabilities.

The impact of the EU tools on facilitating travel during the COVID‑19 pandemic was uneven

59 This section examines whether the EU tools facilitated travel in the EU during the initial years of the COVID‑19 pandemic. In particular, we assessed whether the tools:

  1. were used extensively by the Member States, since this is necessary in order for them to be effective; and
  2. improved coordination and information sharing among Member States in relation to their imposition of travel restrictions, thereby addressing two issues previously found to be undermining travel within the EU31.

60 We compiled and analysed the data on the use of the tools by the Member States. We also compared the travel restrictions imposed by the Member States before and after the introduction of the EU Digital COVID Certificate.

The EU passenger locator form tools and the contact-tracing gateway did not have the intended impact because of their limited use in Member States

61 The EU tools needed to be widely used if they were to achieve their intended impact. Table 2 summarises the use of the tools by each Member State. It shows that the EU Digital COVID Certificate was the only tool used in all Member States.

Table 2 – Use in the Member States of the EU tools developed to support free movement

  Contact-tracing gateway EU digital passenger locator form EU Digital COVID Certificate Exchange of Passenger Locator Forms
Belgium        
Bulgaria        
Czech Republic        
Denmark        
Germany        
Estonia        
Ireland        
Greece        
Spain        
France        
Croatia        
Italy        
Cyprus        
Latvia        
Lithuania        
Luxembourg        
Hungary        
Malta        
Netherlands        
Austria        
Poland        
Portugal        
Romania        
Slovenia        
Slovakia        
Finland        
Sweden        

Source: ECA.

62 The EU digital passenger locator forms and exchange platform were not used sufficiently by the Member States to have a meaningful impact in containing the spread of COVID‑19 and facilitating safe travel.

63 The EU digital passenger locator form32 was used by only four Member States, while 17 other Member States continued to rely on national solutions. Out of almost 27 million forms issued by February 2022, 91.6 % (24.7 million) were Italian.

64 Similarly, the use of the exchange platform was very limited. While, in theory, the tool could be used to exchange information from any national platform, it was mostly adopted by those countries that were also using the EU forms. The overall use of the platform remained insignificant, with only three forms exchanged in 2021 and 253 in the first two months of 2022. All but one of these 256 forms were from Spain.

65 The uptake of contact-tracing applications varied significantly across Member States. Some Member States did not adopt any contact-tracing application at all. In those that did, the actual uptake among the population was limited. Downloads of all contact-tracing applications by EU citizens totalled 74 million (as of October 2021). However, there are no statistics at EU level on how many people were actually using them.

66 The total number of confirmed COVID‑19 cases was over 522 million33 by 22 May 2022, by which date 55 million keys had been uploaded. The data from the contact-tracing gateway shows uneven use of contact-tracing tools among the Member States, with 83 % of keys having been uploaded by users from Germany alone (see Annex II).

67 Overall, the tools examined were developed to address emerging needs, which made it more difficult to create synergies between them consistently. For example, despite being intrinsically linked, the EU digital passenger locator form and the platform for exchanging such forms were developed separately (by the ‘EU Healthy Gateways’ joint action and European Union Aviation Safety Agency, respectively). Similarly, the guidelines for combining the EU Digital COVID Certificate and passenger locator forms were made available at EU level after their respective roll-outs and have so far not been implemented.

68 As the tools were designed to operate in the short term, there are no flexible procedures in place to use them in the longer term or re-activate them quickly in case they are needed in the future. For example, the current legal basis for the EU Digital COVID Certificate expires in June 2023 and would need to be renewed by the European Parliament and the Council based on a proposal from the Commission. During our audit, the Commission pointed out that it would be extremely difficult, both legally and technically, to re-establish the certification at short notice.

The Member States used the EU Digital COVID Certificate extensively, which facilitated travel

69 The EU gateway for EU Digital Certificate went live on 1 June 2021, with seven Member States connected. Within one and a half months, all 27 EU Member States were connected. The solution proposed by the Commission also attracted a lot of interest outside the EU. As of July 2022, 45 non-EU countries and territories had adopted the EU framework for EU Digital COVID Certificate.

70 Member States had issued 585 million certificates by 13 October 2021. Five months later, 1.7 billion certificates had been issued, most of them (1.1 billion) based on vaccination. This number is higher than the EU population because one person could have multiple certificates (for example, someone might obtain two testing certificates before being vaccinated). One EU Digital COVID Certificate was created after each vaccine dose, recovery or test. In addition to facilitating travel, the EU Digital COVID Certificate were used in the Member States to control access to public spaces such as restaurants or theatres. A breakdown of these 1.7 billion EU Digital COVID Certificate by Member State is provided in Figure 4.

Figure 4 – Total EU Digital COVID Certificates generated by Member States (as of March 2022)

Source: ECA, based on data from the Commission.

71 The tools covered by this report were aimed at facilitating safe travel. Many Member States had decided, because of the pandemic, to introduce a variety of travel restrictions. In our special report on free movement in the EU during the COVID‑19 pandemic34, we concluded that as of June 2021 Member States still had many uncoordinated travel restrictions in place, including PCR testing, quarantine requirements and entry bans.

72 Indeed, until the EU Digital COVID Certificate entered into force, entry restrictions for travellers were based on the health risk in the geographical area they were travelling from. This changed in July 2021 with the introduction of the EU Digital COVID Certificate Regulation, after which restrictions soon gradually started applying to individuals rather than geographical areas and were based predominantly on the possession of a valid certificate.

73 In addition to this shift in the nature of travel restrictions, the EU Digital COVID Certificate Regulation also introduced a new formal mechanism to improve information sharing on such restrictions. Since the regulation entered into force, the Member States have had to inform the Commission and the other Member States if they intend to introduce new restrictions. Such notifications must include the reasons for and the scope and duration of the additional restrictions. By March 2022, 13 Member States had submitted information pursuant to this provision.

74 In July 2021, the Commission’s consultation on travel restrictions revealed that all Member States (except Greece, Hungary and Italy, which only replied later) had lifted their restrictions for EU Digital COVID Certificate holders. Figure 5 shows the differences in travel restrictions before and right after the introduction of the certification system (June and July 2021). Twelve out of 13 respondents to our survey agreed that the EU Digital COVID Certificate had helped to coordinate travel restrictions between the Member States.

Figure 5 – Simplified overview of entry restrictions applied by the 27 EU Member States

Source: ECA, based on information from the Commission.

Conclusions and recommendations

75 We conclude that, despite its limited competence in public health policy, the Commission moved fast to propose suitable technological solutions to facilitate travel within the EU during the COVID‑19 pandemic. However, the impact of some of these tools depends on the willingness of Member States to use them. While the EU Digital COVID Certificate gained strong support and was effective in facilitating travel, the impact of the other tools was modest due to their limited use.

76 The Commission swiftly mobilised €71 million for the development of the tools by combining several funding sources and using existing framework contracts instead of public tender procedures. The purpose of the tools was unique, meaning there are no other existing systems suitable for comparison (paragraphs 21-27).

77 The Commission delivered the contact-tracing gateway and the EU Digital COVID Certificate in good time. The contact-tracing gateway, designed to ensure interoperability between contact-tracing applications, went live in October 2020, seven months after the World Health Organization had declared COVID‑19 to be a pandemic. The technical development of the EU Digital COVID Certificate benefited from previous experience with the contact-tracing gateway and was completed before the Member States had finished implementing their vaccination plans. The legislative process to adopt the EU Digital COVID Certificate was also much faster than usual (paragraphs 28-35).

78 The Commission did not manage to overcome some Member States’ reservations about using the EU solutions for passenger locator forms, which were delivered after several Member States had already developed their own tools. This resulted in the EU solutions only being used by five Member States (paragraphs 36-40).

Recommendation 1 – Address the reasons for the low uptake of EU digital passenger locator forms

The Commission should address the reasons behind the low use of the EU digital passenger locator form and exchange platform and promote increased uptake of these tools by the Member States during the future phases of the COVID‑19 pandemic.

Target implementation date: December 2023

79 Overall, the Commission took data protection requirements and IT security good practices into account when designing the tools. The EU tools minimise the use of personal data (paragraphs 42-43). Security risks assessments and penetration tests were generally carried out systematically – the only exception was some delayed security tests for the EU digital passenger locator form, which meant that the tool was operating for one year with undetected vulnerabilities (paragraphs 47-51 and 57-58).

80 Concerning the EU Digital COVID Certificate, participating countries had to exchange lists of fraudulent certificates bilaterally using different communication channels. This approach makes the blocking of fraudulent certificates less efficient. By March 2022, the Commission had proposed viable solutions to address this issue, but these are voluntary (paragraphs 44-46). Furthermore, the arrangements for countries to inform each other about incidents requiring an urgent response (e.g. fraudulent certificates) is time-consuming (paragraphs 55-56).

Recommendation 2 – Streamline communication on incidents linked to the EU Digital COVID Certificate

The Commission should facilitate direct communication between official contact persons for each country participating in the EU Digital COVID Certificate scheme to streamline communication in the event of emergencies linked to the certificates.

Target implementation date: June 2023

81 Since the codes used in the EU Digital COVID Certificate were generated by participating countries’ national systems, it was important for these systems to include adequate security controls. The Commission relied on IT security self-assessments by participating countries, as it does not have the authority to verify their actual compliance with security requirements. This limits the assurance regarding the security posture of the national systems (paragraphs 52-54).

82 The EU passenger locator forms and the contact-tracing gateway did not have the intended impact because their use was limited. The EU digital passenger locator form was used by only four Member States, while other countries continued to rely on national solutions. The overall use of the platform for exchanging passenger locator forms has remained insignificant: only three were exchanged in 2021 and 253 in the first two months of 2022. The use of the contact-tracing gateway was constrained by Member States’ limited adoption of contact-tracing applications, and the vast majority of traffic was generated by one country alone (paragraphs 61-67).

83 The tools we examined were developed to address emerging needs and work independently of one another. This, combined with the variety of national passenger locator form solutions, made it more difficult to ensure even adoption of the EU tools. The tools were also designed to operate in the short term in response to the health crisis. There are no specific procedures in place to use them in the longer term, or to re-activate them quickly in case they are needed in the future. The current legal basis for the EU Digital COVID Certificate expires in June 2023 and would need to be renewed through the standard EU legislative procedure (paragraph 68).

84 We found that the EU Digital COVID Certificate had been effective in facilitating travel during the COVID‑19 pandemic. Member States and several non-EU countries used the certificates extensively, with more than 1.7 billion EU Digital COVID Certificates having been issued in EU/EEA countries by March 2022. Furthermore, we found that within one month of the EU Digital COVID Certificate Regulation entering into force, Member States had harmonised their travel restrictions considerably. More concretely, all Member States had removed travel restrictions for EU citizens holding the EU Digital COVID Certificate by virtue of having been fully vaccinated or recently tested negative for or recovered from COVID‑19.

85 In addition, the EU Digital COVID Certificate improved information sharing and coordination in relation to travel restrictions, as the applicable regulation requires Member States to report and justify the introduction of travel restrictions (paragraphs 69-74).

Recommendation 3 – Prepare relevant EU tools for future crises

The Commission should:

  1. identify those EU tools created during the COVID‑19 pandemic that have been most useful to citizens and the Member States and prepare procedures for reactivating them quickly in the event of future emergencies;
  2. through synergies or simplifications, make the EU tools used to facilitate cross-border contact tracing during crises easier for EU citizens to access;
  3. together with Member States, analyse the need for any additional tools to address potential future crises.

Target implementation date: September 2023 for recommendations (a) and (c), and September 2024 for recommendation (b)

This report was adopted by Chamber III, headed by Mrs Bettina Jakobsen, Member of the Court of Auditors, in Luxembourg on 22 November 2022.

 

For the Court of Auditors

Tony Murphy
President

Annexes

Annex I – Description of the EU tools facilitating safe travels during the COVID‑19 pandemic

European Federation Gateway Service

European Federation Gateway Service is a system that allows interoperability between the national contact tracing applications. The national contact tracing applications were developed to inform citizens about potential risk contact and help breaking transmission chains of COVID‑19.

A contact-tracing application continuously record contacts with nearby users of the contact tracing applications. It generates a key (an identifier) for its user every 15 minutes in order to protect privacy. The application uses Bluetooth to detect other smartphones in proximity and exchange keys. Every encounter with another user results in the exchange of keys between users. These keys are stored on both users’ phones.

When a user tests positive for COVID‑19, he/she declares it in the application, which sends all the user’s keys from the past 14 days to his/her country’s national backend server. The server sends the infected user’s keys to all other users’ applications, where they are compared with the keys stored on the phone. If there is a match, the user has been in proximity with the infected person and is therefore warned.

The majority of Member States have adopted this decentralised approach where the combination of the keys of infected people are sent to the users’ applications and the comparison is done on the users’ phone. A few Member States have chosen a more centralised approach, where the comparison of keys and matching with the users’ devices is done in the central national servers.

National contact-tracing platforms adopting the decentralised approach and compatible technological building blocks can exchange anonymised keys of infected people with one another via the EU contact-tracing gateway. Therefore, the contact-tracing gateway allows a traveller to use his/her national contact-tracing application during the travels in another countries connected to the EU gateway.

Digital passenger locator form

Public health authorities use passenger locator forms to facilitate contact tracing when travellers are exposed to an infectious disease during their travel by plane, train, ship or bus. The World Health Organization and the International Civil Aviation Organisation had already started developing these forms during previous disease outbreaks (notably Ebola).

Traditionally, countries requiring the completion of passenger locator forms often used paper-based forms. However, paper forms have significant limitations – they can be difficult to read and the data they contain must be manually entered into computer systems for automated processing. These limitations prompted many countries to develop electronic versions. The EU digital passenger locator form is a web application that was developed to simplify the use of passenger locator forms during cross-border health threats, such as COVID‑19.

The traveller fills in the form on line with the details of their travel and receive a unique Quick Response(QR) code. This code can be scanned by the competent authorities in the destination countries to verify that passengers provided required information. Its digital format aims to ease and speed up data collection and data exchange between stakeholders, with the goal of making contact tracing more efficient and effective.

Exchange of Passenger Locator Forms

When a traveller is tested positive for COVID‑19, the PLF data collected by one country may need to be securely provided to other affected countries for the sole purpose of COVID‑19 contact tracing. Due to the limitation of the existing European system to exchange health information (Early Warning and Response System), the Commission decided to develop a dedicated platform for exchanging PLF data between different national systems.

The PLF exchange platform allows securely encrypted data transmission between competent national authorities and does not store any data. Member State authorities can either connect through the EU or national digital passenger locator forms systems.

EU Digital COVID Certificate

The EU Digital COVID Certificate is a proof that a person has been vaccinated against, tested negative for or recovered from COVID‑19. Those certificates are issued by the competent national authorities.

The certificates can be delivered in both paper and electronic forms. In both cases, they contain a QR code, that protects them against falsification. The security of the solution is based on the use of public and private cryptographic keys. There are two keys: private, used to digitally sign the QR code and public, which allows the digital signature to be verified.

Each issuing authority has its own private key and corresponding public key. The private keys are stored securely and the public keys (are shared in the central national database. The authority makes its issuance system available to relevant healthcare actors (e.g. hospitals and testing centres) upon authorization, enabling them to digitally sign the certificates.

The applications used to verify the authenticity of the EU Digital COVID Certificate obtain the public keys from the national databases. The national databases exchange public keys with other countries through the EU Digital COVID Certificate gateway. Therefore, the gateway allows mutual verification of the certificates across different countries.

Annex II – Uptake of the contact tracing applications in the EU

The adoption of contact tracing applications was not uniform across the EU. Only in two Member States the number of downloads of the contact tracing applications was above 50 % of population. The figure below shows the different situation in Member States which were using decentralized contact tracing applications.

Number of contact-tracing applications downloads as a percentage of population

Source: ECA, based on publicly available data from the Commission and selected Member States.

Downloading the application does not necessary mean that the contact tracing is actually being used, as it requires the applications to be active and the citizens voluntarily declaring their positive COVID‑19 tests. Whenever the users declare themselves positive, the relevant keys are uploaded in the contact-tracing gateway. The data from the gateway shows that the use of the contact tracing varied across the Member States. The number of keys uploaded to the gateway shows that overwhelming majority of them were coming from one country.

Share of total key uploads to the EU contact-tracing gateway

Source: ECA, based on publicly available EFGS data (October 2020 – May 2022).

Glossary

Border control: Checks and surveillance carried out at a border on those crossing or intending to cross.

Data controller: Within the meaning of the EU General Data Protection Regulation, person or organisation that determines, how and for which purposes personal data should be processed.

Penetration test: Method for assessing the security of an IT system by attempting to breach its security safeguards with the tools and techniques typically used by adversaries.

Schengen area: Group of 26 European countries that have abolished passport and immigration controls at their common borders.

Vulnerability scan: Process of inspecting network devices, computer systems and applications to identify any issues and weak points.

Audit team

The ECA’s special reports set out the results of its audits of EU policies and programmes, or of management-related topics from specific budgetary areas. The ECA selects and designs these audit tasks to be of maximum impact by considering the risks to performance or compliance, the level of income or spending involved, forthcoming developments and political and public interest.

This performance audit was carried out by Audit Chamber III External action, security and justice, headed by ECA Member Bettina Jakobsen. The audit was led by ECA Member Baudilio Tomé Muguruza, supported by Daniel Costa De Magalhães, Head of Private Office and Ignacio García de Parada Miranda, Private Office Attaché; Alejandro Ballester Gallardo, Principal Manager; Piotr Senator, Head of Task; João Coelho, Mirko Iaconisi, Ioanna Topa and Andrej Minarovic, Auditors. Michael Pyper provided linguistic support.

From left to right: Daniel Costa De Magalhães, Andrej Minarovic, Ignacio García de Parada Miranda, João Coelho, Ioanna Topa, Piotr Senator, Baudilio Tomé Muguruza, Mirko Iaconisi and Michael Pyper.

Endnotes

1 Article 20(2)(a) and Article 21(1) ofthe Treaty on the Functioning of the EU.

2 Directive 2004/38/EC.

3 Article 168(7) of the Treaty on the Functioning of the EU.

4 Article 17 of the Treaty on European Union (TEU).

5 Articles 4(2)(k), 6(a) and 168 of the TFEU.

6 Directive 2011/24/EU on the application of patients’ rights in cross-border healthcare.

7 Special report 13/2022.

8 Special report 19/2022.

9 Commission's statement of 15 June 2021.

10 Figure 4 of Special Report 13/2022.

11 Guidelines for border management measures to protect health and ensure the availability of goods and essential services, C(2020) 1753 final, OJ C 86I, 16.3.2020.

12 Communications from the Commission C(2020) 3250, C(2020) 3251 and C(2020) 3139.

13 Council Recommendation (EU) 2020/1475.

14 Commission Implementing Decision (EU) 2021/858.

15 eHealth and COVID-19, European Commission website.

16 eHealth Network , “Guidelines on verifiable vaccination certificates - basic interoperability elements”, 12.3.2021.

17 Regulation (EU) 2021/953

18 Proposal for a regulation COM(2021) 130.

19 Procedure 2021/0068/COD.

20 Activity Report "Development and Trends of the Ordinary legislative Procedure", European Parliament.

21 Better Regulations Guidelines, SWD(2017) 350, 7 July 2017.

22 ENISA, Taking Care of Health Data.

23 Regulation (EU) 2016/679 of the European Parliament and of the Council.

24 ISACA, Certified Information System Auditor review manual, 2019; International Organization for Standardization / International Electrotechnical Commission standards 27001.

25 Draft Data Protection Risk Assessment (DPRA-DRAFT).

26 eHealth Network, “EU DCC Revocation - B2A Communication between the Backend and the Applications”, section 4.6.3.

27 ISACA, Certified Information System Auditor review manual, 2019.

28 Commission Decision (EU) 2017/46 on the security of communication and information systems in the European Commission, and implementing rules C(2017) 8841 final.

29 International Organization for Standardization / International Electrotechnical Commission standards 27001, 27002, 27005 and 27035.

30 International Organization for Standardization / International Electrotechnical Commission standards 27001.

31 Special report 13/2022, paragraphs 69-75.

32 EU digital Passenger Locator Form.

33 Weekly epidemiological update on COVID‑19 – 25 May 2022, World Health Organisation.

34 Special report 13/2022.

Contact

EUROPEAN COURT OF AUDITORS
12, rue Alcide De Gasperi
1615 Luxembourg
LUXEMBOURG

Tel. +352 4398-1
Enquiries: eca.europa.eu/en/Pages/ContactForm.aspx
Website: eca.europa.eu
Twitter: @EUAuditors

More information on the European Union is available on the internet (https://europa.eu).

Luxembourg: Publications Office of the European Union, 2023

PDF ISBN 978-92-847-9207-8 ISSN 1977-5679 doi:10.2865/62115 QJ-AB-22-027-EN-N
HTML ISBN 978-92-847-9224-5 ISSN 1977-5679 doi:10.2865/8135 QJ-AB-22-027-EN-Q

COPYRIGHT

© European Union, 2023

The reuse policy of the European Court of Auditors (ECA) is set out in ECA Decision No 6-2019 on the open data policy and the reuse of documents.

Unless otherwise indicated (e.g. in individual copyright notices), ECA content owned by the EU is licensed under the Creative Commons Attribution 4.0 International (CC BY 4.0) licence. As a general rule, therefore, reuse is authorised provided appropriate credit is given and any changes are indicated. Those reusing ECA content must not distort the original meaning or message. The ECA shall not be liable for any consequences of reuse.

Additional permission must be obtained if specific content depicts identifiable private individuals, e.g. in pictures of ECA staff, or includes third-party works.

Where such permission is obtained, it shall cancel and replace the above-mentioned general permission and shall clearly state any restrictions on use.

To use or reproduce content that is not owned by the EU, it may be necessary to seek permission directly from the copyright holders.

Software or documents covered by industrial property rights, such as patents, trademarks, registered designs, logos and names, are excluded from the ECA’s reuse policy.

The European Union’s family of institutional websites, within the europa.eu domain, provides links to third-party sites. Since the ECA has no control over these, you are encouraged to review their privacy and copyright policies.

Use of the ECA logo

The ECA logo must not be used without the ECA’s prior consent.

GETTING IN TOUCH WITH THE EU

In person
All over the European Union there are hundreds of Europe Direct centres. You can find the address of the centre nearest you online (european-union.europa.eu/contact-eu/meet-us_en).

On the phone or in writing
Europe Direct is a service that answers your questions about the European Union. You can contact this service:

FINDING INFORMATION ABOUT THE EU

Online
Information about the European Union in all the official languages of the EU is available on the Europa website (european-union.europa.eu).

EU publications
You can view or order EU publications at op.europa.eu/en/publications. Multiple copies of free publications can be obtained by contacting Europe Direct or your local documentation centre (european-union.europa.eu/contact-eu/meet-us_en).

EU law and related documents
For access to legal information from the EU, including all EU law since 1951 in all the official language versions, go to EUR-Lex (eur-lex.europa.eu).

EU open data
The portal data.europa.eu provides access to open datasets from the EU institutions, bodies and agencies. These can be downloaded and reused for free, for both commercial and non-commercial purposes. The portal also provides access to a wealth of datasets from European countries.