
Article 1 

1. The secure account service shall be accessible via:
(a) the dedicated public website referred to in Article 16 of Regulation (EU) 2018/1240;
(b) the app for mobile devices referred to in Article 16 of Regulation (EU) 2018/1240;
(c) a link provided through the ETIAS email service referred to in point (f) of Article 6(2) of Regulation (EU) 2018/1240.
2. The secure account service shall be accessible until:
(a) final submission of additional information or documentation confirmed by the ETIAS applicant; or
(b) until expiry of the time limit, referred to in Article 27(2) of Regulation (EU) 2018/1240; or
(c) until expiry of the duration set by the ETIAS National Unit pursuant to Article 44 of Regulation (EU) 2018/1240.
Article 2 

1. In order to connect to the secure account service, two-factor authentication shall be used.
2. The first authentication shall consist of entering the following data:
(a) application number;
(b) travel document number.
3. Where the applicant does not provide his or her application number, the first authentication shall consist of entering following data:
(a) travel document number;
(b) country of issue of the travel document to be selected from a predetermined list;
(c) date of issue and of expiry of the travel document; and
(d) first names of both parents.
4. The application number shall be the same as the one provided to applicants via the ETIAS email service on submission of their application. The other data, referred to in paragraph 2 or paragraph 3, submitted by the applicant shall also be the same as those provided by applicants at the time of the submission of their application.
5. The second authentication shall consist of a unique code to be entered into the secure account service to confirm authentication.
6. Upon submission of the information in paragraph 2 or paragraph 3, the unique code referred to in paragraph 4 shall be automatically generated and sent to the applicant through the email service referred to in point (f) of Article 6(2) of Regulation (EU) 2018/1240.
7. The unique code shall be sent to the same email address provided in the submitted application.
8. The unique code shall expire after a short period of time. Sending a new unique code shall invalidate unique codes previously sent to the same applicant.
9. The unique code shall be usable only once.
Article 3 

1. For the purpose of Article 27 of Regulation (EU) 2018/1240, ETIAS applicants shall submit additional information or documentation, in one of the following formats:
(a) Portable Document Format (PDF);
(b) Joint Photographic Experts Group (JPEG); or
(c) Portable Network Graphics (PNG).
2. The secure account service shall accept a final upload of a maximum of 20 files and a final size of submission not exceeding 50 MB.
3. ETIAS applicants shall be able to save their progress and resume their submission of additional information or documentation in the secure account service within the time limit referred to in Article 27(2) of Regulation (EU) 2018/1240 or the time limit allocated by the ETIAS National Unit where the provisions of Article 44 of that Regulation are applied. The secure account service shall allow applicants to clearly indicate whether the submission is final or not. The secure account service shall allow applicants to verify that the documents are uploaded correctly before confirming submission.
4. Applicants shall be allowed to delete documents uploaded before the final submission within the allocated time, referred to in Article 27(2) of Regulation (EU) 2018/1240 or the time allocated by the ETIAS National Unit where the provisions of Article 44 of that Regulation are applied.
5. Applicants shall be asked to confirm their submission through the ticking of an appropriate box in the secure account service.
Article 4 

1. Upon final submission of the additional information and/or documentation:
(a) a read-only version of the submitted additional information and/or documentation shall be available accompanied by the reference ‘submitted’;
(b) the applicant shall, via the ETIAS email service, receive an email confirming submission of additional information and/or documentation, including the names and formats of the uploaded documents, the time stamp of final submission and an alphanumeric value of a fixed length that uniquely identifies data (‘hash values’) for the submitted files.
2. After submission of the additional information and/or documentation, applicants shall no longer have access to the secure account service.
3. The secure account service shall have a built-in technical solution to help guarantee that every document stored in the application file is the same as the one uploaded by the applicant in the secure account service.
Article 5 

1. Following a request for additional information or documentation by an ETIAS National Unit, pursuant to Articles 27 or 44 of Regulation (EU) 2018/1240, the ETIAS Central System shall immediately inform the secure account service of such request via the secure web service, referred to in point (l) of Article 6(2) of Regulation (EU) 2018/1240.
2. Upon submission of additional information or documentation by the applicant, the secure account service shall:
(a) calculate hash values of the submitted files; and
(b) transmit the additional information or documentation to the ETIAS Central System through the secure web service.
3. The secure web service shall conduct the necessary verification processes to ensure that the documents are safe and secure prior to transmitting them to the ETIAS Central System.
4. The ETIAS Central System shall record and store the additional information and/or documentation on the application file in accordance with Articles 27(9) and 44(3) of Regulation (EU) 2018/1240.
Article 6 
The message format and the protocols to be implemented shall be included in the technical specifications referred to in Article 73(3) of Regulation (EU) 2018/1240.
Article 7 

1. The secure account service shall be designed and implemented in a way that precludes unlawful access to it. For this purpose, the secure account service shall limit the number of attempts to access the secure account service with the same travel document, application number or unique code. The secure account service shall also include measures to protect against non-human behaviour.
2. The secure account service shall include time-out measures after some minutes of inactivity.
3. Additional details concerning the confidentiality, integrity and availability of processed data shall be subject of the technical specifications referred to in Article 73(3) of Regulation (EU) 2018/1240.
Article 8 

1. The secure account service shall keep activity logs containing:
(a) authentication data including whether the authentication was successful or not;
(b) the date and time the unique code was sent;
(c) date and time of access;
(d) number of documents uploaded;
(e) verification of safety and security of the documents.
2. In addition, for each document, the following logs shall be kept:
(a) date and time of uploaded document(s);
(b) document name(s);
(c) size of document(s);
(d) hash values of the documents uploaded.
3. Activity and document logs of the secure account service shall be copied to the Central System. They shall be stored for no longer than one year after the end of the retention period of the application file, unless they are required for monitoring procedures which have already begun. After that period, they shall be automatically erased.Such logs can only be used for the purpose of Article 69(4) of Regulation (EU) 2018/1240.
Article 9 
This Decision shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
Done at Brussels, 26 February 2019.
For the Commission
The President
Jean-Claude JUNCKER