Terrorist Threats Linked to the Implementation of ETIAS and EES

The European Travel Information and Authorization System (ETIAS), and entry-exit system, (EES) are two new initiatives of the EU to enhance border security and facilitate travel for visa-exempt third-country nationals. However, they also pose some potential terrorist risks or threats. ETIAS is an electronic travel authorization system that is expected to be implemented in the European Union by 2025. ETIAS will introduce a level of scrutiny on travellers originating from countries that are visa-free, which did not exist before. It is designed to strengthen security measures and enhance border control within the Schengen area. The EES was conceived to speed up the process of intaking visa-free travellers through immigration gates which will be progressively automated. These Two systems could inadvertently introduce new risks related to terrorism, extremism, and returning terrorist fighters.

The ETIAS regulation and linked implementing and delegating acts offer adequate safeguards against the potential terrorist risks or threats of the systems, as they are based on the principles of necessity, proportionality, and respect for fundamental rights, and they comply with the Charter of Fundamental Rights and the EU data protection rules. The regulation and acts also provide for the establishment of an ETIAS watchlist, managed by Europol and the 27 EU Member States, a screening rules database, and a specific risk indicator, to enable the identification and assessment of applicants who pose a security, illegal immigration, or high epidemic risk, including those who are suspected of being involved in terrorist activities. The ETIAS regulation and acts ensure the transparency and accountability of the systems, by granting the applicants the right to access, rectify, or erase their personal data, and the right to lodge a complaint or seek judicial redress in case of any breach of their rights.

If on one side the implementation of ETIAS aims to improve security, no system is entirely immune to risks or potential unintended consequences. The primary purpose of ETIAS is to identify individuals who may pose a security risk or have criminal backgrounds before they initiate their journeys to the Schengen area.

It is possible though, that ETIAS will also introduce a false sense of security leading to potential neglect of other security measures, for example at the borders. The chain is only as strong as its weakest link and, if, at any point of the security network, any link relies on the overarching reach of the ETIAS system, becoming more lenient under this conviction, the whole system will fail. In this context, it is important to note that an ETIAS authorisation is not an absolute guarantee for entry in the Schengen area. The border guards at the border crossing point will keep high discretionary powers, allowing ETIAS travellers or denying entry based on a number of reasons ranging from documental irregularities to outcome of secondary checks, or interviews, or any other behaviour displayed at the border. The whole ETIAS concept is reliant on travelers to truthfully self-declare their personal information and travel intentions. Relying on self-reported application data raises risks of inaccurate or falsified information being used. Verifying applicant identities and data would need robust safeguards. Individuals with malicious intent may misrepresent themselves or their intentions to gain entry to the EU/Schengen area. This could allow terrorists, extremists, or returning foreign fighters to evade detection.

If authorities become overly reliant on the system, they may overlook other critical intelligence or surveillance measures needed to detect and prevent transit of undesired individuals, willing to commit crimes or take part in terrorist activities.

The implementation of ETIAS may lead to increased scrutiny and security measures at the borders and airports. As a result, terrorists might attempt to exploit alternative routes or methods of entry that are less well-monitored, such as maritime routes or smaller airports with less stringent security measures. Should the ETIAS system prove effective in filtering out non desirable Individuals from ETIAS or non-ETIAS countries, these may attempt to join the constant irregular migration flows to a greater extent, trying to represent themselves as refugee or economic migrant.

In addition, ETIAS implementation follows a smooth path with land transportation being perceived as low priority if compared with the bulk of travellers arriving at the EU border by plane. ETIAS will first be implemented for carriers operating by air and sea and only later, by land. This may offer a window of opportunity to use these means.

Tactics and targets may shift. If the implementation of ETIAS makes it more challenging for terrorists to enter the Schengen area, they might shift their focus towards other targets or tactics. This could include directing their efforts towards countries outside the Schengen area or choosing alternative methods of attack, such as radicalizing individuals of whom they are aware that they have used ETIAS and already present within the EU.

Organised crime and terrorist organizations may attempt to exploit vulnerabilities or manipulate the ETIAS system itself. This could involve the use of stolen or forged documents, identity theft, or finding ways to circumvent the screening process, posing a potential risk to the security of the Schengen area.

ETIAS Screening rules are designed to mitigate risks and enhance security. They are continually evaluated and updated to address emerging threats. The effectiveness of ETIAS in countering terrorism will depend on its integration with other security measures, intelligence sharing among Schengen members, and the ability of authorities to adapt to evolving threats.

The misuse or abuse of the systems by malicious actors, such as hackers, identity thieves, or terrorists, who could access, alter, or delete the data stored in the systems, or use them to obtain false or fraudulent travel authorisations or documents, is a real threat. ETIAS relies heavily on the collection and processing of personal data from visa-exempt travelers. This data, which includes travel history, contact details, and biometric information, could be a valuable target for malicious actors, including terrorists and extremist groups. As with any large IT system, ETIAS could potentially have cybersecurity vulnerabilities that terrorists could attempt to exploit to access or alter data. Terrorist organisations could use them to recruit, radicalise, or mobilise their members or sympathisers, or to plan, prepare, or execute terrorist attacks in the EU or elsewhere. If the system's security measures were inadequate, this sensitive data could be compromised, leading to identity theft, targeted attacks, or the facilitation of illegal activities. ETIAS will count on robust cybersecurity measures to protect data from unauthorized access.

ETIAS is primarily designed to assess security risks based on known criminal records or associations with terrorist organizations. It will be less effective in identifying individuals who are radicalized or motivated to commit acts of violence based on extremist ideology. This could allow individuals who pose a threat to slip through the cracks.

ETIAS and EES will integrate with existing intelligence databases, including those managed by Europol, Interpol, and other EU systems that are relevant for migration and border management, security or asylum such as the visa information system, (VIS), Eurodac, the “fingerprint” database used to store asylum seekers data, the European criminal records systems for third countries’ nationals, (ECRIS-TCN), and the Schengen information system (SIS), to identify individuals with known extremist affiliations or travel to high-risk areas. Furthermore, ETIAS staff, as well as the border guards and law enforcement officers, that will deal with ETIAS, undergo thorough training and awareness-raising programs that aim to fully inform them of the legal, technical, and security constraint applicable to ETIAS, and which are also essential to ensure that the system is used fairly and equitably. The establishment of strict data protection and security standards, as well as oversight and audit mechanisms, contribute to this objective too. They ensure the lawful, proportionate, and secure processing of personal data in the systems, and to prevent unauthorised access, modification, or disclosure of the data.

Along with the systems interoperability, ETIAS will need an effective cooperation and coordination with third countries, including those who have already implemented a similar system such as Canada, the US, and Australia, and international organisations, such as Interpol, Europol, or the United Nations, to share information and best practices, and to support the prevention and counter terrorism at the global level.

Terrorists could attempt to use sophisticated hacking or spoofing techniques, such as phishing, malware, or deepfakes, to access, alter, or delete the data stored in the systems, or to create false or fraudulent travel authorisations or documents. Artificial intelligence could, for example, help during interviews, where, they could assume the identity of a non-EU citizen, legally authorised to travel to the Schengen area, allowing them to impersonate his or her features.

The probability of an impostor successfully obtaining an ETIAS travel authorisation and travelling to one of the EU countries may depend on several factors, such as the level of sophistication and resources of the impostor, and their ability to overcome the technical and legal challenges and obstacles posed by the systems. If the ETIAS system is deemed to be robust under the security, the data protection, legal perspectives, peripheral and dependent systems or hubs must adhere to the same standards. The level of efficiency and reliability of the ETIAS and EES systems, and their ability to detect and prevent any anomalies, errors, or breaches in the data processing and security, must be mirrored in the participating Schengen partners to the same degree. The level of cooperation and coordination among the EU Member States and other relevant authorities and stakeholders, including those in third countries benefiting from the ETIAS rules, international organisations, or private sector entities, must be of the same quality and speed as the one effective in the Schengen area. All partners must share information and best practices, and support the implementation and enforcement of the systems.