
Article 1 

1. Applicants for an ETIAS travel authorisation, travel authorisation holders, persons whose ETIAS travel authorisation was refused, revoked or annulled or persons whose ETIAS travel authorisation has expired and have given their consent to retain their data in accordance with Article 54(2) of Regulation (EU) 2018/1240 (further referred to as ‘applicant’) shall have access to the verification tool.
2. The verification tool shall be accessible via:
(a) the dedicated public website;
(b) the app for mobile devices referred to in Article 16 of Regulation (EU) 2018/1240;
(c) a link provided through the ETIAS email service referred to in point (f) of Article 6(2) of Regulation (EU) 2018/1240. This link shall be sent when the applicant is notified of acknowledgment of the submission of an application or of the issue, revocation or annulment of a travel authorisation, in accordance with Articles 19(5), 38(1)(a), 42(a) and 44(6)(a) of Regulation (EU) 2018/1240.
Article 2 

1. In order to connect to the verification tool, two-factor authentication shall be used.
2. The first authentication shall consist of entering the following data:
(a) travel document number;
(b) country of issue of the travel document to be selected from a predetermined list;
(c) email address.
3. The data submitted by the applicant shall be the same as the one provided by them in their application form.
4. The second authentication shall consist of a unique code to be entered into the verification tool to confirm authentication.
5. Upon submission of the information in paragraph 2, the unique code shall be automatically generated and sent to the applicant through the email service referred to in point (f) of Article 6(2) of Regulation (EU) 2018/1240.
6. The unique code shall expire after a short period of time. Sending a new unique code shall invalidate unique codes previously sent to the same applicant.
7. The unique code shall be sent to the same email address provided in the submitted application.
8. The unique code shall be usable only once.
Article 3 

1. Upon authentication for access to the tool, applicants shall view the status of the applications or travel authorisations linked to their travel document number.
2. The verification tool shall provide one of the following status categories per each application or travel authorisation linked to the travel document number:
(a) ‘submitted’;
(b) ‘valid’;
(c) ‘refused’;
(d) ‘annulled’;
(e) ‘revoked’;
(f) ‘expired’.
3. For all valid travel authorisations, the verification tool shall provide the end date of the travel authorisation validity period.
4. In case of limited territorial validity, the applicant shall be informed about the Member State(s) for which the travel authorisation is valid. This information shall be displayed in a prominent place in the verification tool.
5. A disclaimer shall be shown in the verification tool indicating that a valid travel authorisation shall not confer an automatic right of entry or stay as specified in Article 36(6) of Regulation (EU) 2018/1240. This disclaimer shall also invite applicants to consult the Entry/Exit System (EES) web service referred to in Article 13 of Regulation (EU) 2017/2226, which shall be clearly indicated, in order to gain further information on the remaining period of authorised stay.
Article 4 

1. The verification tool shall make use of a separate read-only database updated within a few minutes via a one-way extraction of the minimum subset of data stored in ETIAS necessary to implement the provisions of Articles 2 and 3 of this Decision.
2. eu-LISA shall be responsible for the security of the verification tool, for the security of the personal data it contains and for the process of extracting the personal data into the separate read-only database.
Article 5 
The message format and the protocols to be implemented shall be included in the technical specifications referred to in Article 73(3) of Regulation (EU) 2018/1240.
Article 6 

1. The verification tool shall be designed and implemented to ensure the confidentiality, integrity and availability of processed data and to ensure non-repudiation of transactions. The technical and organisational implementation of it shall meet the requirements of the ETIAS security plan referred in Article 59(3) of Regulation (EU) 2018/1240 and of the rules on data protection and security applicable to the public website and the app for mobile devices referred to in Article 16(10) of Regulation (EU) 2018/1240.
2. The verification tool shall be designed in a way that precludes unlawful access to the verification tool. For this purpose, the verification tool shall limit the number of attempts to access the tool with the same travel document and unique code. The tool shall also include measures to protect against non-human behaviour.
3. The verification tool shall also include time-out measures after some minutes of inactivity.
4. Additional details concerning the confidentiality, integrity and availability of processed data shall be subject of the technical specifications referred to in Article 73(3) of Regulation (EU) 2018/1240.
Article 7 

1. The verification tool shall keep activity logs, including:
(a) authentication data, including whether the authentication was successful or not;
(b) date and time of access.
2. Activity logs of the tool shall be copied to the Central System. They shall be stored for no longer than one year after the end of the retention period of the application file, unless they are required for monitoring procedures which have already begun. After that period, they shall be automatically erased.Such logs can only be used for the purpose of Article 69(4) of Regulation (EU) 2018/1240.
Article 8 
This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Done at Brussels, 22 February 2019.
For the Commission
The President
Jean-Claude JUNCKER