verified_user
Standardful
Homechevron_rightStandardschevron_rightEU Entry/Exit System (EES)
ActiveInternational Standardupdate Standard Updated: April 2026fact_check Fact checked: Jun 28, 2026

EU Entry/Exit System (EES)

Regulation (EU) 2017/2226 — Biometric Records of Non-EU Short-Stay Travellers

apartmentPublishing Organization:European Union

Standard Introduction

EU Entry/Exit System (EES) is an active standard published by European Union. It is commonly used across Government, Logistics & Transportation, Services, Aerospace & Defense and applies in European Union, European Economic Area.

Use this page to review the official documentation, current status, and the certification or assessment bodies most commonly associated with EU Entry/Exit System (EES).

Implementation Roadmap

1
Phase 1schedule Duration: 3-6 weeks

Define Schengen border entry and exit data governance scope

Identify the products, services, systems, entities, jurisdictions, teams, vendors, and stakeholders covered by EU Entry/Exit System (EES). Confirm owners, boundaries, applicable obligations, documentation, and evidence expectations for short-stay non-EU traveller registration, travel document data, biometric capture, entry and exit records, refusal records, border workflows, carrier interfaces, data protection, system availability, and law-enforcement access controls.

2
Phase 2schedule Duration: 4-10 weeks

Assess obligations and gaps

Compare current practices with the expected Schengen border entry and exit data governance approach. Review border workflow readiness, biometric capture quality, traveller notices, data minimization, access control, logging, retention, interoperability testing, incident response, staff training, carrier coordination, and data-protection impact controls, then prioritize gaps by legal exposure, safety or rights impact, customer commitments, operational dependency, reporting deadlines, and audit readiness.

3
Phase 3schedule Duration: 8-24 weeks

Implement controls and evidence

Deploy required procedures, technical controls, review gates, training, supplier workflows, reporting paths, and operational records. Maintain process maps, DPIAs, access logs, training records, biometric quality checks, system test results, incident logs, retention records, carrier interface tests, data-protection notices, and operational readiness reports as traceable evidence.

4
Phase 4schedule Duration: Ongoing

Review, report, and improve

Run management reviews, internal checks, independent assessments where applicable, corrective actions, and change reviews. Refresh the program when products, vendors, laws, incidents, reporting cycles, or stakeholder expectations change.

Compliance Checklist

0 / 12

checklist Scope and accountability

checklist Controls and records

checklist Monitoring and assurance

Frequently Asked Questions

Who needs EU Entry/Exit System (EES)?

expand_more

EU Entry/Exit System (EES) is most relevant to border authorities, carriers, airport and port operators, travel operators, and technology providers supporting Schengen external border processing. The exact scope depends on products, services, jurisdictions, reporting duties, customer commitments, and the organization's role in the relevant ecosystem.

Is EU Entry/Exit System (EES) certifiable?

expand_more

EES is an EU border-management IT system under Regulation (EU) 2017/2226, not a certification standard. Organizations support compliance through operational, data-protection, security, and interoperability controls.

What should implementation focus on first?

expand_more

Start by defining scope, obligations, accountable owners, and the evidence expected by regulators, customers, auditors, or governance bodies. Then perform a gap assessment against current controls and prioritize remediation by risk and deadline.

What evidence is useful for EU Entry/Exit System (EES)?

expand_more

Useful evidence includes process maps, DPIAs, access logs, training records, biometric quality checks, system test results, incident logs, retention records, carrier interface tests, data-protection notices, and operational readiness reports. Evidence should be version-controlled, attributable to owners, linked to obligations and controls, and retained for the required review or audit period.

How often should the program be reviewed?

expand_more

Review it at planned intervals and whenever laws, products, vendors, incidents, reporting cycles, customer commitments, or assurance expectations change. Higher-risk obligations should have more frequent monitoring and management reporting.

Official Documentation

View All

Related Categories