European Union: European Data Protection Board released recommendations on calculating audit cycle in EU Large-Scale IT Systems

Description

On 3 October 2025, the European Data Protection Board (EDPB) adopted the recommendations on calculating the audit cycle in EU Large-Scale IT Systems, which set out guidance for Supervisory Authorities and Schengen evaluation teams on the application of the audit frequency requirements established in EU regulations governing the Schengen Information System (SIS), the Visa Information System (VIS), the interoperability framework, the Entry/Exit System (EES) and the European Travel Information and Authorisation System (ETIAS). The recommendations specify that SIS, VIS, and interoperability audits must be conducted at least once every four calendar years, while EES and ETIAS audits must be conducted at least once every three calendar years, and state that non-compliance arises if a full cycle elapses without a completed audit. The recommendations further state that the audit cycle shall be calculated in years in accordance with Article 3(2)(c) of Council Regulation (EEC, Euratom) No 1182/71 on the rules applicable to periods, dates and time limits in EU legal acts, and that the date of completion of the previous audit, defined either as the final day of the on-site visit or the date of the audit report, marks the starting point for the next audit cycle.

Scope

Policy Area: Data governance
Policy Instrument: Cybersecurity regulation
Regulated Economic Activity: DLT development, infrastructure provider: other
Implementation Level: supranational
Government Branch: executive
Government Body: data protection authority

Complete timeline of this policy change

2025-10-03
adopted

On 3 October 2025, the European Data Protection Board (EDPB) adopted the recommendations on calcula…