Noted. on EES

Noted.

10 June 2025

Impact of EES and ETIAS on the Identity Industry

Background

The United Nations World Tourism Organization (UNWTO) estimated that the number of international tourist arrivals have reached a 56-fold increase over the last 70 years. The UNWTO states that Europe accounts for 50% of the world’s tourist arrivals, making it the most visited region in the world before the Covid-19 crisis.

The Schengen Area is a border-free zone currently consisting of 29 countries[1] and remains one of the European Union (EU)’s great success stories. The area guarantees freedom to travel without border controls at its internal borders as well as harmonised rules for external border checks. Borderless travel between 25 EU and four non-EU states (Iceland, Lichtenstein, Norway, and Switzerland) has transformed the offer of multi-country itineraries enjoyed by long-haul visitors in particular. There are also visa and document requirements for non-EU citizens visiting the Schengen Area for short-term tourism, family visits, business, or other purposes.

EES and ETIAS explained

To ensure consistent and reliable border control across the Schengen Area, the EU developed the Entry/Exit System (EES), a standardised digital system for registering non-EU travellers using biometric data. Originally set to launch in 2021, the EES faced delays due to technical and contractor challenges and is now scheduled for phased rollout starting in October 2025, alongside new tools for biometric checks.

The EES, along with the upcoming European Travel Information and Authorisation System (ETIAS), is part of a broader strategy to strengthen the Schengen Area. These systems support the European Security Union and aim to enhance border management, combat cross-border crime, and contribute to the goals of the European agendas on Security and Migration.

The European agency eu-LISA is in charge of developing and managing the system, which supports EU border control, law enforcement, migration & asylum, and future judicial cooperation. For the shared Biometric Matching System (sBMS), eu-LISA selected Idemia[i] as the lead contractor.

EES

The Entry/Exit System (EES) is a new European Union automated IT border control system, impacting how both travellers and authorities manage border crossings and is part of the EU's broader effort to modernise and strengthen its external borders. The system will be used for registering third-country nationals (TCNs), both short-stay visa holders and visa exempt travellers, each time they cross an EU external border. It will enable a wider use of automated border control checks and self-service systems, which are quicker and more comfortable for the traveller. They will also help border agents flag security and compliance risks for those entering and exiting.

Who is affected?

Non-EU nationals travelling for a short stay to a European country using the EES.

Exemptions apply: see To whom does the EES not apply?

Travellers will be required to submit fingerprint and face biometrics on their first crossing of Schengen borders. These will be stored with additional personal data in the central EES system for up to 5 years; subsequent EES crossings will only require a face or fingerprints biometric verification against enrolled biometric data. Self-service kiosks assist with the acquisition of biometric data during initial registration or upon re-entry, thereby reducing the workload at border control counters.

The EES will replace manual passport stamping, track entry refusals, and help prevent irregular migration. It will enhance security, streamline travel for legitimate third-country nationals, and improve the identification of overstayers—those who exceed the 90-day limit for short stays in the Schengen Area. The system will also more effectively detect document and identity fraud, while enabling real-time information sharing to ensure EU border authorities have accurate data when needed.

The future EU-EES will comprise of:

Central Systems for the overall management including a computerised central database of biometric and alphanumeric data owned and managed by eu-LISA
A National Uniform Interface and a Secure Communication Channel through which each country will exchange traveller movement information with the Central System, including the information systems already deployed (SIS, VIS, EURODAC etc.)
A web portal for third country nationals (TCNs) to check their allowed duration of stay in the Schengen Area at any time
An interface for carriers to verify whether the number of entries authorised by a visa

Biometric information will not be stored directly in the EU-EES Central System, but in a European automated matching system: the Shared Biometric Matching System (sBMS). This system will securely store the biometric information and will oversee travellers’ authentication and identification for all European border crossing points using its biometric search and matching capabilities.

Conditions for collecting and storing personal data in the EES are set out in Regulation (EU) 2017/2226 establishing the Entry/Exit System.

Soft Opening planned in October 2025

Rather than implementing the Entry/Exit System (EES) simultaneously at all external EU borders, the so-called "big bang" approach, a gradual rollout is now scheduled to begin in October 2025. This phased introduction will allow Member States to connect their border control points to the EES over several months.

During this period, initial traveller registration may be conducted temporarily without collecting biometric data. This soft launch will give national border authorities the flexibility to address any unforeseen issues with border control systems, national interfaces, or the central EES system, helping to minimise disruptions to the overall travel process.

Key challenges

Privacy and data security: both companies and governments are focusing on ensuring that the vast amount of biometric data collected is securely stored and protected from potential cyber threats.
Operational delays: travel infrastructures and especially airports, seaports and border authorities will need to adapt their control procedures. There is concern about potential delays at border crossings, particularly during the initial phase of implementation. Efforts are being made to streamline processes to minimise these delays.

Overall, the preparation for the EES involves significant investment in technology, training, and public communication to ensure a smooth transition to this new border management system. The traveller experience is central to the solution, but it is also necessary to consider the needs of the other stakeholders: border control authorities and facility operators such as airports.

ETIAS

About six months after the full implementation of the EES, the European Travel Information and Authorisation System (ETIAS) will be introduced. Similar to the Australian ETA and US ESTA, ETIAS is a travel authorisation for non-EU citizens who do not need a visa to enter the Schengen Area.

Under the ‘90-day rule,’ non-EU nationals can stay up to 90 days within a 180-day period in Schengen countries without a visa. However, after ETIAS is implemented, they will need to apply for a €7 travel authorisation. This change adds a mandatory application process but does not alter the 90-day stay limit. It is hoped that the visa waiver will help improve the detection of human trafficking, particularly in the case of minors, and help tackle cross-border criminal activity.

How long does it take to apply for the ETIAS visa waiver?

The process will be mostly automated and should take no more than 10 minutes to complete. An applicant will need to provide passport details, travel information, and answer basic security questions. The visa waiver will be issued within minutes of payment, but travellers are advised to apply at least 72 hours before they need it, just in case of any delays.

Once the application has been approved, the electronic travel authorisation will be electronically linked to the traveller’s passport and will last for three years for an unlimited number of entries. After three years, the ETIAS visa waiver process will need to be repeated for further travel in the EU.

What steps should those in the affected sectors take?

To keep pace with evolving digital regulations, businesses in impacted sectors must adjust to the growing digitisation of processes—particularly in areas like border management. Entry bans can significantly disrupt both travel and business operations, making proactive planning essential.

Frequent travellers to the Schengen Area should remain informed about changing requirements, such as the ETIAS application and rules for tracking travel days in ETIAS-participating countries. Accurately calculating these days and understanding related obligations is critical.

Ensuring that data submitted to authorities matches the traveller’s actual information is vital. While access to this data is currently limited to immigration, visa, law enforcement, and border control agencies, other bodies, such as tax and social security authorities, may be granted access in the future. Leveraging technology to track travel dates, organise important documents, and set alerts for document expirations can enhance compliance and minimise potential risks.

Technology must be precise, and it is essential to establish how to measure biometric quality. However, accuracy and quality are not the only critical factors. We must also prioritise data protection, compliance with regulations, and the safeguards in place. Equally important are the procedures to follow, as well as training that demonstrates how the technology works—clarifying what it can and cannot do, and what it is permitted to do.

It is important to find a balance between the rapid pace of technological advancement and the time needed to fully understand and adapt to these changes and associated risks. We must ensure there's sufficient time to regulate what needs to be regulated.

Javier Galbally, R&I Engineer, eu-LISA

For the foreseeable future, physical ID documents are here to stay. They incorporate various security features, like watermarks and holographic images, which currently do not yet have a counterpart in the virtual world. Moreover, there is still a lack of national IT infrastructures to support the widespread adoption of digital identities, as well as a lack of international standards for their global implementation. As a result, the passport—our primary identity document—will continue to exist in its current form for the time being.

The future could be biometric

The European Union's pilot project for biometric corridors at airports offers a glimpse into a future without physical passports. In this scenario, passengers check in online before arriving at the airport. Instead of presenting their passport at a traditional border checkpoint, they walk through a biometric corridor, where advanced camera systems verify their identity by matching their pre-registered passport and biometric data with the information stored in a database and passenger manifest.

Ideally, the process is seamless, enabling travellers to pass through security without even realising a check is taking place. All relevant passenger information is sent directly to the border authorities at the destination, eliminating the need for additional checks upon arrival and ensuring a smoother, more efficient and enjoyable travel experience.

[1] 29 Countries are in the Schengen Area – Austria, Belgium, Bulgaria, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden, Switzerland.

Sources

[i] Idemia’s five key recommendations for effective border control

Optimise border guard efficiency: implement self-service desks, automated biometric eGates, and operational supervision tools to enable border guards to focus on high-value tasks
Ensure reliable biometric data: collect and verify biometric data in diverse border environments by working only with top-tier, NIST-certified suppliers.
Leverage data for risk analysis: use Advanced Passenger Information (API) and Passenger Name Record (PNR) data to analyse travel risks ahead of arrival. Integrating this with visa, ETIAS, and national interest lists enhances border security insights.
Tailor solutions to border needs: adapt solutions to each border's unique requirements, considering differences between air, land, and sea borders. Member States must deploy varied verification equipment to meet specific demands.
Guarantee data security and privacy: ensure GDPR-compliant systems that secure biometric and personal data throughout its lifecycle, including robust access controls, user privilege management, and encryption.