Report on Commission checks on Recovery and Resilience Facility (RRF) (2024)

Executive summary

I The Recovery and Resilience Facility (RRF) is the main instrument of NextGenerationEU and was set up to provide large-scale financial support for public investments and reforms in the Member States. It was funded with €723.8billion (at current prices) for loans (€385.8billion) and grants (€338billion) for that purpose. Funding of such reforms and investments in the Member States began at the start of the pandemic in February2020 and will continue until 31December2026. The RRF Regulation entered into force on 19February2021.

II The RRF follows a spending model that differs from that of other EU spending programmes. Payments are made to Member States when underlying milestones and targets have been satisfactorily fulfilled based on the Commission’s assessment. While not a condition for making such payments, Member States’ RRF-funded investment projects nonetheless have to comply with EU and national rules, e.g. on procurement, or provisions defining eligible reimbursable costs.

III We carried out this audit in view of the significant number of RRF disbursem*nts yet to be made during the facility’s operation up to the end of2026. The objective of our audit was to assess and contribute to ensuring the adequacy of the design of the Commission’s control system for the RRF. In this regard, we looked at how the system was set up to ensure the fulfilment of milestones and targets and the protection of the financial interests of the Union as at the end of April2022. We have complemented the evidence obtained from our examination of the Commission procedures with relevant observations made in our statement of assurance audit of the regularity of 2021RRF expenditure.

IV We conclude that, in a relatively short time, the Commission has designed a control system that provides for an extensive process for verifying the fulfilment of milestones and targets. However that control system provides only limited verified information at EU level that RRF-funded investment projects comply with EU and national rules. The lack of such verified information impacts the assurance the Commission can provide and results in an EU-level accountability gap.

V With regard to ensuring the fulfilment of milestones and targets, we found the procedures to be extensive. Exante checks for the preliminary assessment are complemented by additional on the spot audits. However, the various stages in the preliminary assessment were insufficiently specified and not fully documented. We also note that there is no method yet on how to quantify the impact of not fulfilling a milestone or target and no guidance addressing the risk associated with not identifying the reversal of a measure for which a milestone or target was previously fulfilled.

VI With regard to the protection of the financial interests of the Union, we note that the Commission has planned systems audits in each Member State. These audits will focus on Member States’ control systems relating to fraud, corruption, conflicts of interests and double funding. However, they will not cover whether Member States adequately check the compliance of RRF-funded investment projects with EU and national rules. As a consequence, there is limited verified information at EU level on RRF-funded investment projects’ compliance with these rules. The lack of such verified information impacts the assurance that the Commission can provide in this regard. The responsibility that the Commission assumes in terms of protecting the financial interests of the Union does not go beyond ensuring that the Commission recovers any amount due in the event of fraud, corruption and conflict of interest, where the Member State failed to do so or in the event of an established serious breach of the financing agreement. We also noted that the Irregularity Management System does not contain centralised and standardised information on fraud related to the RRF and that the different levels of flat rate corrections to be applied in the event of a deficiency in Member States’ control systems are insufficiently defined.

VII We recommend that the Commission:

• improve the procedures for exante verifications;
• draw up guidance on the reversal of a measure related to a previously fulfilled milestone or target;
• address the EU-level assurance gap regarding the compliance of RRF-funded investment projects with EU and national rules;
• align reporting on RRF-related fraud;
• develop internal guidance regarding corrections, as provided for in the financing agreements.

Introduction

The RRF in brief

01 NextGenerationEU (NGEU) is the EU’s temporary fund aimed at supporting Member States in reducing the socio-economic impact of the COVID-19 pandemic and getting back on track towards sustainable growth. The Recovery and Resilience Facility (RRF) is the main instrument under which NGEU funds will be distributed. It provides large-scale financial support for reforms and investments, with the aim of accelerating Member States’ economic recovery from the consequences of the COVID-19 pandemic and making them more resilient.

02 The RRF was established by Regulation (EU)2021/241 (the “Regulation”) that entered into force on 19February2021. It supports reforms and investment projects in Member States from the start of the pandemic in February2020, and will continue to do so until 31December2026. The RRF was funded with €723.8billion (at current prices) for loans (€385.8billion) and grants (€338billion) for that purpose.

03 The RRF follows a special spending model. The Commission implements the RRF in direct management with the Member States as beneficiaries1. The condition for payment to the Member States from the facility is the satisfactory fulfilment of predefined milestones or targets through the implementation of reforms and investment projects2.

04 The legality and regularity (regularity) of spending under other EU programmes depends mainly on the eligibility of the beneficiary, project and costs claimed. The eligibility of such funding is often governed by conditions regarding the costs that may be incurred and claimed, which may also be required to be identifiable and verifiable. The eligibility conditions for this type of funding also include EU rules ensuring the effective functioning of the single market (i.e. public procurement and state aid rules) and compliance with national rules.

05 While the eligibility of the beneficiary, project and costs for implementing RRF-funded investment projects is not a condition in the Commission’s assessment when it makes the payment from the RRF to the Member State, the Regulation covers this aspect through the protection of the financial interests of the Union, which the Member States together with the Commission should ensure in line with their respective responsibilities. The Regulation in this regard provides that measures that support the RRF are to comply with the applicable Union and national law, in particular regarding the prevention, detection and correction of fraud, corruption and conflict of interest and also ensure that there are no serious breaches of the obligations laid down in the Financing Agreement, particularly as regards double funding. To this end, Member States must operate an effective and efficient internal control system and recover amounts wrongly paid or incorrectly used3. Should Member States fail to recover any unduly paid amount in cases of fraud, corruption or conflict of interest, the Commission may recover the corresponding amount4.

Implementation of the RRF

06 The fact that the RRF’s delivery model differs from that of other EU spending programmes means that its implementation is also subject to a special process, which is outlined in Figure1 and described in more detail below.

Source: ECA.

07 In order to benefit from the RRF, Member States are required to draw up national recovery and resilience plans (RRPs) that meet the conditions laid down in the Regulation5. RRPs should comprise a coherent package of public investments and reforms grouped into measures which in turn are grouped into thematic components. Member States must set milestones and targets for each investment project and reform and provide details of the associated baseline.

08 Member States must also design appropriate management and control systems. They can either use existing national management and control systems or set up systems specifically for the RRF.

09 Payments under the RRF are conditional upon Member States satisfactorily fulfilling the milestones and targets set out in the Annexes to the Council implementing decisions approving their RRPs. A further element to be considered is that targets or milestones that have previously been satisfactorily fulfilled by the Member State should not have been reversed. Member States may request disbursem*nts up to twice a year, if they provide sufficient evidence that the related milestones and targets have been met satisfactorily6.

10 Member States must submit the following documents with each payment request in order to receive payments under the RRF:

• information and evidence confirming the fulfilment of the milestones and targets set out in the Annex to the Council implementing decision;
• a summary of the audits carried out by the Member State’s authorities, including details of any weaknesses identified and corrective action taken7;
• a management declaration8 to the effect that:
  • the funds were used for their intended purpose;
  • the information submitted with the request for payment is complete, accurate and reliable;
  • the control systems put in place provide the necessary assurance that the funds were managed in accordance with all applicable rules, in particular the rules aimed at preventing:
    • conflicts of interest, fraud, corruption and
    • double funding.

11 The Commission’s assessment is a two-step process. The Commission first assesses payment requests on the basis of the data and information provided by the Member State. The purpose of this preliminary assessment is to ensure that the milestones and targets have been satisfactorily fulfilled9.

12 Based on this work, the Commission submits the preliminary assessment to the Council’s Economic and Financial Committee (EFC) for its opinion. Following the EFC opinion, the Commission then adopts a decision on the payment, which must first be presented to a comitology committee of Member State representatives as part of the examination procedure. Lastly, the Commission adopts an implementing decision authorising the payment, and the funds are then disbursed.

The Commission’s RRF control framework

13 The special RRF delivery model and the amount of EU funds provided under the facility call for a dedicated control framework at Commission and Member State level that ensures the fulfilment of milestones and targets and that the financial interests of the Union are protected.

14 The control framework that the Commission has set up for this purpose is outlined in the Directorate-General (DG) for Economic and Financial Affairs (ECFIN) 2021annual activity report (AAR) and includes:

• the assessment of the RRPs submitted by Member States as regards their relevance, effectiveness, efficiency and coherence before any payment is made. This assessment also provides for checking the appropriateness of the Member States’ control systems as outlined in their RRPs;
• the two part control system that provides for exante verifications of Member States’ payment requests and complementary expost audits after a payment has been made. It also provides for system audits that focus on the protection of the financial interests of the Union. Figure2 outlines the Commission’s control system with these two elements that follow the RRP assessment.

Source: ECA.

15 We assessed the Commission’s RRP assessment in a previous audit and presented the results in special report21/202210. The subject of this audit and report is the design of the two elements of the Commission’s control system set out in Figure2.

Our work on the RRF

16 This audit is part of a series of audits and reviews of the RRF. We provide more information on the work we have done to date and the results of that work with a focus on control related matters in Box1.

Audit scope and approach

17 The objective of this audit was to assess the design of the Commission’s control system for the RRF. To this end, we examined the Commission’s control system with regard to ensuring:

• payments to Member States are made for having fulfilled the predefined milestones and/or targets; and
• that the financial interests of the Union are protected.

18 We first examined the Commission’s RRF control system from a conceptual, more general point of view. The objective of this work was to find out what the control system covers and how it ensures that milestones and targets are satisfactorily fulfilled and the Union’s financial interests are protected. We included the Commission’s initial assessment of the control systems outlined in Member States’ RRPs in this examination as it is part of the control framework. We completed our assessment of the design of the Commission’s control system with a detailed analysis of the work planned and procedures defined for its two elements. The objective of this analysis was to identify potential weaknesses in the procedures and audits that belong to the Commission’s control system.

19 To obtain the evidence required to support our observations, conclusions and recommendations, we:

• conducted interviews and meetings with representatives from the Commission’s DGECFIN and Recovery and Resilience Task Force (SGRECOVER);
• examined the Commission’s procedures and other relevant documents, such as financing agreements and operational arrangements;
• analysed the Commission’s procedures for exante verifications and expost audits, as well as the audit strategy, sampling guidance, internal checklists and guidelines;
• consulted the DGECFIN 2021 AAR.

20 We have complemented the evidence obtained through this audit with observations from our statement of assurance audit of the regularity of 2021RRF expenditure15. The statement of assurance audit covered the satisfactory fulfilment of all 52milestones underlying the only payment the Commission made to a Member State (Spain) in2021. We also reviewed the Commission’s preliminary assessment of four selected targets underlying the payment made to France in March2022.

21 We carried out the audit during the early phase of the RRF’s implementation, when the first payment had been made, but prior to the disbursem*nt of a significant number of payments. The audit therefore focused on the design of the RRF control system as at end of April2022 and not on its actual operation.

22 Furthermore, we did not cover the design or effectiveness of Member States’ RRF control systems in this audit, but plan to do so in the future.

23 With this audit and our recommendations, we aim to contribute to ensuring that the Commission has an adequate control system in place for both the condition for payment and the effective protection of the financial interest of the Union in view of the significant number of RRF disbursem*nts yet to be made in the course of the facility’s operation up to the end of2026.

Observations

There is an assurance and accountability gap at EU level in protecting the financial interests of the Union

24 In this section of the report we examine the Commission’s RRF control system from a conceptual and more general point of view and whether and how it contributes to ensuring the satisfactory fulfilment of milestones and targets and protection of the Union’s financial interest. For this purpose, we also take account of the Commission’s assessment of Member States’ control systems as outlined in their RRPs as it is the first element of the RRF control framework16. Our observations have implications for assurance and accountability which we outline in the paragraphs below.

The Commission’s assessment of the control arrangements was comprehensive, but partly based on systems not yet in place

25 To benefit from support under the RRF, Member States submitted their draft national RRPs to the Commission. The Commission assessed these plans on the basis of 11criteria stipulated in the Regulation. One of these criteria provides for appropriate Member States’ control systems and arrangements that prevent, detect and correct corruption, fraud, irregularities, conflict of interest and double funding.

26 We checked in special report21/2022 whether the Commission had assessed the Member States’ control arrangements, in particular the clarity of their structures, the roles and responsibilities of their different bodies, the systems and processes planned and the capacity required.

27 We concluded overall that the Commission’s assessment of recovery and resilience plans was appropriate given the complexity of the process and the time constraints. More specifically with regard to the control systems, we found that the Commission’s assessment of the control arrangements proposed by Member States correctly identified gaps and deficiencies requiring additional measures. However, the assessment was to some extent based on the description of systems which were yet to be set up. It therefore needs to be confirmed through additional work on the spot. Furthermore the Commission introduced additional milestones for 16Member States, where these gaps or deficiencies require additional measures to be implemented before the first payment17. Not having a fully functional control system in place implies the risk that the financial interests of the EU are not sufficiently protected until these milestones are fulfilled.

Exante verifications and expost audits assess the fulfilment of milestones and targets

28 The Commission’s exante verifications of Member States’ payment requests and the related expost audits focus on the condition for payment and the evidence of satisfactory fulfilment of milestones and targets submitted by Member States. The verifications and expost audits related to the milestones and targets do not cover failure to comply with EU and national rules (paragraph 09).

29 For example, in a situation where an RRF-funded investment project does not comply with EU and national rules, such as those on procurement, state aid, or eligibility rules for costs or projects, this will not affect the outcome of the Commission’s preliminary assessment of the satisfactory fulfilment of the target concerned. As long as the target has been fulfilled in accordance with the description in the Annex to the Council implementing decision, the Commission is obliged to make the payment to the Member State concerned18.

30 Furthermore we note that the Regulation provides for horizontal principles to be respected19. These principles provide that support from the RRF shall not, unless in duly justified cases, substitute recurring national expenditure and shall respect both the principle of additionality of Union funding as referred in article9 of the Regulation and of “do no significant harm” (DNSH). As the Regulation does not consider compliance with these principles to constitute a condition for payment20, the Commission exante verifications do not cover these principles, unless compliance is compulsory based on the Council implementing decision, as may be the case for the DNSH. This principle was checked when the Commission assessed the RRPs. With regard to compliance with the DNSH principle, we noted in our previous audit that the Commission’s assessment led to the result that adopted recovery and resilience plans included only measures that complied with the DNSH principle, as observed for the measures in our sample. However, measures to mitigate the environmental impact have not been systematically included in form of a milestone or target in the RRPs and that measures incompliant with that principle may be financed outside the facility21.

31 In special report21/2022 we also noted that the milestones and targets are generally limited to measure output rather than impact22. The RRP assessment and payment to Member States are therefore inherently unconditional of the impact of reforms and investments.

Lack of information results in an assurance and accountability gap at EU level in protecting the financial interest of the Union

32 Member States together with the Commission should ensure that the financial interests of the Union are effectively protected in line with their respective responsibilities23. Member States in this context “shall take all the appropriate measures to protect the financial interests of the Union and to ensure that the use of funds in relation to measures supported by the Facility complies with the applicable Union and national law, in particular regarding the prevention, detection and correction of fraud, corruption and conflicts of interests”24. This obligation is also spelled out in the financing agreements signed with Member States. Should Member States fail to recover any unduly paid amount in cases of fraud, corruption or conflict of interest or seriously breach obligations under the financing agreement, such as double-funding, the Commission may recover the corresponding amount.

33 The Commission in this context has defined in the 2021 DGECFIN AAR its “residual responsibility” in protecting the financial interest of the Union which implies that “Member States are solely responsible to check that the RRF financing has been properly used in accordance with all applicable national and EU regulations”. The Commission responsibility is limited to the three serious irregularities, fraud, corruption, conflict of interest and the obligations under the financing agreement, notably double funding25. The audit strategy for the RRF accordingly provides that the Commission will not conduct audits checking compliance with EU and national rules26. The focus of the Commission’s systems audits is on the Member States’ systems for preventing, detecting and rectifying these three serious irregularities and double funding.

34 Our experience shows that non-compliance with EU and national rules, such as procurement, state aid and eligibility rules are prevalent in other EU spending programmes27 and therefore constitutes a significant risk. However, we note that compliance with such rules is not covered by the Commission’s systems audits and there is only little guidance for Member States in this regard.

35 As a consequence, there is limited verified information at EU level on whether and how Member States’ systems adequately cover the significant risk that RRF-funded investment projects do not comply with EU and national rules. This affects the completeness of the assurance that the Commission can provide. It does not cover the compliance of RRF-funded investment projects with EU and national rules.

36 The responsibility that the Commission assumes in terms of protecting the financial interest of the Union is reflected in the declaration of assurance in theDGECFIN 2021AAR. The declaration does not go beyond the specific aspect defined in Article22(5) of the Regulation. The Commission provides assurance that it will recover any amount due to the Union budget in the event of fraud, corruption and conflict of interest, where the Member State failed to do so or in the event of an established serious breach of the Financing agreement. This results in an accountability gap at EU level.

For verifying the fulfilment of milestones and targets, the Commission has designed an extensive process

37 The Commission’s control system must ensure that RRF payments are based on the satisfactory fulfilment of predefined milestones and targets28. It must also ensure that previously fulfilled milestones and targets are not reversed.

38 To this end, it has set up a process that provides for exante verifications before a Member State is paid. They are based mostly on a desk review of the Members State’s evidence that milestones and targets have been fulfilled satisfactorily. The Commission performs expost audits after a Member State has received payment.

39 We reviewed the Commission’s procedures and documentation in order to assess whether the design of the Commission’s exante verifications and expost audits is such as to correctly assess the fulfilment of milestones and targets. As part of our 2021RRF statement of assurance audit, we also examined how the Commission carries out its exante verifications in practice, in order to identify potential weaknesses in its procedures.

The process for exante verifications of the fulfilment of milestones and targets is extensive, but issues remain

Exante verification of the fulfilment of milestones and targets provides for an extensive assessment process

40 The Regulation requires the Commission to assess whether the relevant milestones and targets set out in the relevant Council implementing decision have been fulfilled satisfactorily29. The exante checks the Commission has prescribed for RRF payments should enable it to verify that a Member State’s payment request is supported by evidence of satisfactory fulfilment of the milestones and targets concerned and the checks should be well documented.

41 Once the relevant agreed milestones and targets have been met, Member States submit a duly justified payment request to the Commission for assessment (paragraph 10). The Commission verifies the evidence submitted by Member States as part of its preliminary assessment of whether the milestones and targets underlying the payment request have been fulfilled satisfactorily.

42 The Commission’s preliminary assessment process involves a number of actors. The main actors are the geographical desks of DGsECFIN and SGRECOVER, which have the lead role in the exante verification and assessment of payment requests. Upon submission of the Member States’ payment requests, the geographical desks are responsible for conducting a desk review and assessing the evidence accompanying the payment request.

43 The preliminary assessment process involves various elements:

• The geographical desks continuously interact with Member States’ authorities on the progress and fulfilment of milestones and targets up to the time of submission of payment requests, as well as thereafter.
• Several of DGECFIN’s horizontal units are involved in the assessment, e.g. its legal unit is responsible for reviewing the preliminary assessment to ensure that it is legally sound and correct.
• The Commission first conducts informal technical and then formal inter-service consultations with the relevant DGs and services, the objective of which is to bring to bear the greater expertise that other Commission departments dealing directly and daily with the relevant policy areas have with regard to the achievement of a specific milestone or target.

44 Based on the exante assessment process described above and our discussions with Commission services, we consider that the Commission has designed extensive exante verifications for assessing the fulfilment of milestones and targets. However, we found some weaknesses related to the clarity of the process and the documentation of the assessment, which we describe in the paragraphs that follow.

The various stages in the assessment process are not sufficiently specified or documented

45 The Financial Regulation states that effective internal control is to be based on best international practices and include, in particular, adequate audit trails30. The audit trail should provide a clear understanding of its purpose, source, and the conclusions reached.

46 The Commission chose to use a process calendar to guide the process for each payment request, which summarises the steps to be undertaken, the responsible actors, and the timetable to be followed by the teams involved in the preliminary assessment.

47 The assessment of each milestone or target is documented and summarised in an “assessment fiche”. This includes a register with the information collected and records the Commission’s analysis for the preliminary assessment of the milestones and targets.

48 While the assessment fiche and process calendar both include relevant information on the assessment process, the scope of the various actors’ contribution to the different stages of the assessment process, giving rise to the preliminary assessment, is not sufficiently specified and documented. It may therefore not always provide sufficient evidence that a milestone or target has been properly assessed and documented with the level of detail required.

Lack of clarity regarding the scope of the technical consultation of the relevant DGs and services

49 While responsibility for assessing the fulfilment of milestones and targets lies with SGRECOVER and DGECFIN, the relevant DGs and services may be asked in the course of exante verifications to provide technical input for the assessment.

50 When technical input is sought from policy officers in the DGs and services, they are asked in particular to state whether there is any reason why a particular milestone or target cannot be assessed as having been fulfilled satisfactorily. At the end of the preliminary assessment process, and to conclude the consultation process, the DGs and services are given further opportunity to express their views on the overall assessment during a formal inter-service consultation.

51 While we consider the consultation with experts to be an important element of the assessment process, neither its scope nor the role of the DGs and services consulted during this process have been clearly defined (paragraph 47). Furthermore, the documentation of technical consultations did not always provide a clear understanding of the elements/aspects of the milestone or target on which the DGs consulted had expressed their views, or of how they had reached those views. In the absence of a clear record of the nature of the technical consultation and the assessment decision reached, it is unclear what the consultation has actually covered. Box2 provides an example from our 2021statement of assurance audit.

Incomplete documentation of the assessment

52 The Commission bases its assessment regarding the satisfactory fulfilment of milestones or targets on the relevant elements in their description and the description of the related measure, both of which are set out in the related Council implementing decision, and takes into account the operational arrangements.

53 In our 2021annual report, we found that the description of a measure in the Annex to the Council implementing decision was not always aligned with the relevant milestone and/or target. It was therefore ambiguous and open to interpretation as regards elements that were relevant to the assessment32. However, we found no justification as to why the Commission considered that certain elements defined in the description of the measure were irrelevant to the assessment. We also found that the Commission’s guidance for assessing the satisfactory fulfilment of milestones and targets did not provide for such justification and therefore did not explicitly require its documentation. The lack of clear guidance and documentation in such situations made it difficult, if not impossible, for a third person not involved in negotiating the RRP, or who had no prior knowledge of the process, to understand and follow the Commission’s reasoning.

No method in place yet for suspension of payment

54 The amount paid to a Member State following the submission of a payment request is not necessarily based on the estimated costs for achieving the milestones and targets included in the payment request, but rather a result of the negotiations with the Member State in question. These negotiations take into account the proportion of milestones and targets as well as their relative importance33. When the Commission establishes that milestones or targets have not been fulfilled satisfactorily, the Regulation provides that “the payment of all or part of the financial contribution and, where applicable, of the loan shall be suspended”34. Suspensions may not be lifted unless Member States provide the Commission with evidence of satisfactory fulfilment of the milestones or targets within six months, failing which the Commission is required to reduce proportionately the amount of the financial contribution, or loan (if applicable). We reported in our 2021annual report that the Commission had not developed a methodology for determining the amount to be suspended35.

55 While the methodology would not influence the exante assessment of milestones and targets, its absence means that an important element of the RRF control system ensuring the regularity of RRF payments is missing. The absence of such a methodology also reduces the transparency of the RRF arrangements vis-à-vis Member States and other stakeholders, because the criteria for calculating the financial impact of failure to achieve the milestones and targets are uncertain. We refer in this context to recommendation10.2 in our 2021annual report.

Expost audits could help ensure that the data declared on the fulfilment of milestones and targets is accurate

56 While the Commission’s exante verifications are primarily based on documentary reviews, expost audits allow the Commission to examine the situation on the spot. Expost audits are provided for in the Financial Regulation36 and the financing agreements signed with Member States. Their objective is to detect and correct any milestone or target not fulfilled that may come only to light after payments have been made. These audits should be based on all the relevant information, clear and well-designed procedures and adequate risk assessment.

57 We assessed whether the design of the Commission’s expost audits is appropriate to achieving this objective. We could not test the practical implementation of the Commission’s expost audits (paragraph 21).

58 With regard to the fulfilment of milestones and targets, the Commission carries out risk-based expost audits on milestones and targets that complement its exante verifications. In addition, the Commission carries out system audits on milestones and targets, which focus on data collection and reporting on milestones and targets in the Member States.

59 The system audits on milestones and targets aim to assess the data management and IT or other systems to store, collect, aggregate and report on milestones and targets as well as to verify the reliability of reported data on achieved milestones and targets, including their aggregation.

60 The audits on milestones and targets are risk-based and cover all the milestones and targets identified as “high risk” in the Commission’s risk assessment, and, depending on the resources available, as many as possible of those classified as “medium risk”. This to confirm on the spot the information that Member States reported to the Commission at theexante verification stage.

61 The Commission selects the Member State authorities, milestones and targets to be audited on the basis of both a global risk assessment, and a payment request risk assessment. The initial selection of the Member States to be audited is also driven by their preparedness, and the timing of the payment requests submitted.

62 The risk assessments are based on a number of factors, including:

• the complexity of the national control systems;
• the audits performed by Member States;
• the risk of RRP measures being co-financed by other EU funds; and
• the types of final recipient.

63 The objective of the audits on milestones and targets is to provide expost additional assurance on their satisfactory fulfilment, while the objective of the systems audits relating to milestones and targets is to ensure that the national systems for collecting and storing information for reporting on milestones and targets are adequate and reliable.

64 DGECFIN’s “Enquiry planning memorandum” provides detailed guidance on these audits on milestones and targets and system audits, as well as a number of templates to be used in those audits.

65 Following our review of the planning documents for expost audits, we consider them well-developed overall in terms of work and documentation planned, but their effective implementation can only be assessed at a later stage. The initial planning of the audit work for2022 and2023 also indicates extensive coverage. Audits were planned in 20Member States, with20audits covering data management and IT systems and seven audits to verify the reliability of reported data.

Lack of guidance increases the risk of not identifying the reversal of measures for previously fulfilled milestones and targets

66 For a milestone or target that has been fulfilled and paid for to be meaningful and effective, it should not be reversed at a later stage. The Regulation takes account of this risk and provides that “The satisfactory fulfilment of milestones and targets shall presuppose that measures related to previously satisfactorily fulfilled milestones and targets have not been reversed by the Member State concerned”37. According to the financing agreements, a Member State’s request for payment should confirm that this is indeed the case.

67 The Member States’ confirmatory declaration is a key component of control for the reversal of measures related to previously fulfilled milestones or targets. Furthermore, according to the Commission, because the geographical desks continuously monitor and hold discussions with Member States’ authorities, they are also able to identify milestones and targets that have been reversed.

68 Reversal can only take place once a milestone or target is assessed as having been fulfilled satisfactorily and thus cannot be verified by exante procedures. Review work on the reversal of measures related to previously fulfilled milestones must therefore be carried out expost.

69 To date, the Commission has not developed any guidance as to the exact nature of a reversal of a measure related to a previously fulfilled milestone or target, the circ*mstances in which such a reversal is deemed to have occurred or how the Commission’s services and Member States’ authorities should monitor this. The absence of such guidance increases the risk that Member States and the Commission may not appropriately and consistently identify all milestones and targets that have been reversed.

70 The Commission has also not yet provided guidance on the impact of the reversal of a measure related to a previously fulfilled milestone or target on a past or current payment request.

Commission controls could support its assessment of Member States’ systems, but procedures for reporting on fraud and correcting weaknesses have limitations

Planned Commission audits could enable assessing Member States’ control systems related to fraud, corruption, conflict of interest and double funding

71 Protecting the financial interest of the Union means that the implementation of the RRF must comply with the applicable Union and national law, particularly as regards the prevention, detection and correction of fraud, corruption, and conflict of interest. This also applies to the risk of double funding.

72 The Commission refers to its role in protecting the EU’s financial interests as that of bearing residual responsibility, which it limits to ensuring that Member States have adequate systems in place, and intervening where Member States fail to meet their control obligations with regard to the prevention, detection and correction of fraud, corruption, and conflict of interests, as well as double funding (paragraph 33).

73 The audits the Commission has planned, reflect this limitation and will focus on Member States’ control systems for the prevention, detection and correction of fraud, corruption, conflict of interest and double funding. These audits should be based on all the relevant information, clear and well-designed procedures and adequate risk assessment. We have reviewed the Commission’s procedure and planning documents for these audits.

74 The Commission has defined its audit work related to protecting the financial interests of the Union in its audit strategy.

75 The audit strategy for the RRF provides that the Commission is to carry out at least one separate system’s audit per Member State in the course of the RRF’s implementation. The objective of these audits is to provide the Commission with assurance that the Member States’ control systems are able to prevent, detect and correct cases of fraud, corruption, conflict of interest, and double funding. According to the initial planning of the audit work for2022 and2023, 21audits on protection of EU’s financial interest were planned.

76 The systems audits dealing with fraud, corruption, conflicts of interest, and double funding could enable the Commission to assess Member States’ systems in place for this purpose, but the effectiveness of such audits can only be assessed at a later stage. In addition, we found limitations affecting individual elements of the Commission’s control system on which we report in the following paragraphs.

Limited information on Member States’ audits may affect the added value of their management declarations and summaries

77 A Member State’s payment request has to be accompanied by a management declaration that is supported by a summary of the audits carried out at national level (paragraph 10), which DGECFIN reviews to identify information that could be relevant to the exante verifications of the fulfilment of milestones and targets or to its audits. Member States’ management declarations are required to provide assurance that funds were managed in accordance with all applicable EU and national rules, in particular those on the avoidance of conflicts of interest, fraud prevention, and corruption. Member States also need to confirm that irregularities identified during their audits have been corrected as appropriate, and the funds duly recovered from the final recipients. The Commission reviews these documents to check whether any systems weaknesses or individual cases of fraud, corruption or conflict of interest were identified and corrective action was taken to protect the financial interests of the Union. In the case of first payment requests, it also verifies whether control and audit milestones added during the RRP assessment have been fulfilled.

78 The added value of the management declarations and summaries of audits will depend on the scope and quality of national authorities’ audit work. The Commission issued “Guidance to Member States for the preparation of the summary of audits under the Recovery and Resilience Facility”, which defines the type of information the summaries are expected to contain, and explains the types of audits Member States’ authorities are expected to carry out. We note that there is no precise guidance on the coverage and design of such audits, as the Regulation provides no legal basis in this regard.

79 With regard to the four payment requests received in2021, the Commission noted that due to the short period between the approval of the plans and the submission of these payment requests, the scope of the audit work carried out by national authorities was in general limited38. The Commission’s information on the quality of the audit work that supports the summary of audits and what elements of the RRF the Member States’ audits will focus on during the lifecycle of the RRF is based on exchanges with national audit authorities and its assessment of their national audit strategies. The Commission informed us that they planned to take assurance from the national audit results only if their reliability had been confirmed by the Commission’s audit work.

Reporting on fraud and guidelines on correcting weaknesses in Member States’ systems are not fully developed

Reporting on fraud lacks a centralised and standardised approach

80 With regard to Cohesion funds, Member States’ authorities are obliged to report any fraudulent and non-fraudulent irregularities detected in the Irregularity Management System (IMS) to the Commission. The Commission uses this IMS information as one of the elements to inform its fraud risk assessment and anti-fraud strategy, which are important elements in the targeting of its audits and controls. In contrast with Member States’ obligation to report on “Cohesion” implementation, the obligation to report fraudulent and non-fraudulent irregularities detected in the implementation of the RRF to the Commission provides for reporting in the management declaration, but does not require using an integrated IT system.

81 Member States are required to report in the management declaration any cases of fraud, corruption and conflict of interest detected (and the remedial action taken). In contrast with the IMS system, it is unclear at what point the detection of a fraud case should be reported, whether there is a reporting threshold, and what standard information should be reported for each case and concerning the remedial measures taken. The lack of centralised and standardised information at Commission level on suspected fraud, conflicts of interest and corruption cases detected by Member States’ authorities makes it difficult to carry out a proper fraud risk assessment, which is key to effectively targeting expost audits concerning the protection of the financial interests of the Union.

82 Together with the Member States, the Commission is obliged to report annually to the European Parliament and the Council on measures taken to counter fraud and other illegal activities affecting the EU’s financial interests (the PIF report). A key element of this report is the annual information and data on fraud and irregularities affecting EU spending. In the absence at Commission level of centralised and standardised information on fraud and other illegal activities affecting RRF payments, there is a risk that the Commission’s annual PIF report will provide an incomplete picture.

Untrustworthy counterparties are currently neither reported nor excluded

83 Member States are currently not obliged to use the Commission’s Early Detection and Exclusion system (EDES) for measures under the RRF. This means that one of the tools available to protect the financial interests of the Union is not applicable to the RRF.

84 In our opinion on the proposed recast of the Financial Regulation, we welcome therefore the Commission’s proposal to ensure that adequate exclusion arrangements apply for spending programmes under direct management, such as the RRF, where Member States are the beneficiaries39.The key to the EDES’s effective operation will be the availability and reliability of information on potentially untrustworthy counterparties.

No internal guidance regarding corrections have been drawn up

85 The Regulation gives the Commission the right to intervene where it finds that a Member State’s system does not adequately protect the financial interests of the Union. It provides “to reduce proportionately the support under the Facility and recover any amount due to the Union budget or to ask for early repayment of the loan, in cases of fraud, corruption, and conflicts of interests affecting the financial interests of the Union that have not been corrected by the Member State, or a serious breach of an obligation resulting from such agreements”40.

86 The same article also provides that “When deciding on the amount of the recovery and reduction, or the amount to be repaid early, the Commission shall respect the principle of proportionality and shall take into account the seriousness of the fraud, corruption and conflict of interests affecting the financial interests of the Union, or of a breach of an obligation”.

87 While there are general provisions for the flat rate corrections in the financing agreements, the Commission has not yet developed internal guidance on the application of these flat rates. By way of example, we refer to the “Guidelines on the calculation of the financial corrections in the framework of the conformity and financial clearance of accounts procedures”.

88 The lack of internal guidance on the application of these flat rates reduces transparency and does not ensure consistency of the RRF arrangements vis-a-vis Member States and other stakeholders41.

Conclusions and recommendations

89 The RRF is a new delivery model where the Commission’s payment to the Member State is based on the fulfilment of milestones and targets. We conclude that, in a relatively short time, the Commission has designed a control system comprising a set of extensive ex ante verifications and complementing on the spot audits to assess whether milestones and targets have been fulfilled satisfactorily. However that control system provides limited verified information at EU level that RRF-funded investment projects comply with EU and national rules. The lack of such information impacts the assurance the Commission can provide on the protection of financial interests of the Union and results in an EU-level accountability gap.

90 We found that the exante verifications that the Commission performs to assess whether milestones and targets have been fulfilled are extensive. As reported in Chapter10 of our 2021annual report , we detected limitations in the documentation of the Commission assessment and that a method for (partial) suspension or reduction of payment is not yet available on which we made related recommendations10.1 and10.2. We also noted that the definition and documentation of the scope and objectives of the different stages of the preliminary assessment could be better, particularly as regards technical consultation with other DGs and services (paragraphs 40 to 55).

Recommendation1–Improving procedures for exante verifications

Building on the experience it has gained so far, the Commission should further develop procedures, which ensure adequate documentation of its assessment and clarify the role and scope of technical consultation with other DGs and services.

Target implementation date: 2023

91 The Commission has planned extensive expost audits of the fulfilment of milestones and targets. The planning of the audit work for2022 also indicates an extensive coverage of the Member States. However, the adequacy of the expost planned audits can only be assessed in the future (paragraphs 56 to 65).

92 Successful implementation of the RRF is contingent on milestones or targets being fulfilled, and not subsequently reversed. We note that there is no guidance at present ensuring a consistent understanding on what constitutes reversal of a measure related to a previously fulfilled milestone or target, how the risk of such reversal is mitigated, and how it would impact past and current payments (paragraphs 66 to 70).

Recommendation2–Drawing up guidance on the reversal of a measure related to a previously fulfilled milestone or target

The Commission should develop guidance and procedures that address the reversal of a measure related to a previously fulfilled milestone and target to ensure consistent interpretation and implementation of it.

Target implementation date: 2023

93 The Commission developed planning documents for system audits through which it aims to cover each Member States control system for protecting the financial interest of the Union (paragraphs 71 to 76). However, we note that these audits will only cover Member States’ systems related to fraud, corruption, conflict of interest and double funding. In consequence, there is limited verified information at EU level on RRF-funded investment projects’ compliance with EU and national rules. The lack of such information impacts the assurance that the Commission can provide at EU level. The responsibility that the Commission assumes in terms of protecting the financial interest of the Union is reflected in the declaration of assurance in the DGECFIN annual activity report. It does not go beyond ensuring that the Commission recovers any amount due in the event of fraud, corruption, and conflict of interest, where the Member stated failed to do so or in the event of an established serious breach of the financing agreement (paragraphs 28to 36).

Recommendation3–Addressing the EU-level assurance gap on compliance with EU and national rules

The Commission should identify the measures required to address the assurance gap at EU level regarding RRF-funded investment projects’ compliance with EU and national rules.

Target implementation date: 2023

94 We consider that the real value of Member States’ management declarations and summaries of audits will largely depend on the scope and quality of these audits and note that there is no precise guidance on the coverage and design of such audits. The scope of the audit work carried out by national authorities in the first year was, in general, limited. The Commission’s information on the quality of the audit work is based on exchanges with national audit authorities and its assessment of their national audit strategies (paragraphs 77 to 79).

95 With regard to reporting on fraud in relation to the RRF (paragraphs 80 to 84), we noted the following:

• The lack of centralised and standardised information on fraud recorded in the Irregularity Management System means that the data available to support the planning and targeting systems audits are incomplete.
• At present, unreliable counterparties (final recipients) are neither reported in the Early Detection and Exclusion System nor excluded from receiving EU funding. However, the proposed amendments to the provisions of the Financial Regulation (recast) provide for this.

Recommendation4–Aligning reporting on RRF-related fraud

The Commission should align RRF related fraud reporting and record RRF related cases of fraud and other illegal activities in the Irregularity Management System.

Target implementation date: 2023

96 The financing agreements signed with Member States provide for different levels of flat rate corrections in the event that the Commission finds a deficiency in a Member State’s control system that constitutes a serious breach of its obligation to protect the financial interest of the Union as laid down in the financing agreement. However, the current definitions of the different levels insufficiently support a consistent application of such flat rates (paragraphs 85 to 88).

Recommendation5–Developing internal guidance on corrections

The Commission should develop internal guidance on the application of the flat-rate corrections laid down in the financing agreements in respect of weaknesses in Member States’ control systems for protecting the financial interests of the Union.

Target implementation date: 2023

This report was adopted by ChamberV, headed by Mr Jan Gregor, Member of the Court of Auditors, in Luxembourg at its meeting of 15February2023.

Abbreviations

DG: Directorate-General

DGECFIN: Directorate-General for Economic and Financial Affairs

DGEMPL: Directorate-General for Employment, Social Affairs & Inclusion

DNSH: “do no significant harm”

EDES: Early Detection and Exclusion system

EFC: Economic and Financial Committee

IMS: Irregularity Management System

NGEU: NextGenerationEU

PIF: Protection of financial interests

RRF: Recovery and Resilience Facility

RRP: Recovery and Resilience Plans

SGRECOVER: Recovery and Resilience Task Force within Secretariat-General of the Commission

Glossary

Economic and Financial Committee: A committee of the European Union set up to promote policy coordination among the Member States.

EDES: The system established by the Commission to reinforce the protection of the Union’s financial interests and to ensure sound financial management. The purpose of the EDES is the protection of the Union’s financial interests against unreliable persons and entities applying for EU funds or having concluded legal commitments with the Commission, other Union Institutions, bodies, offices or agencies.

Irregularity management system: Application that Member Statesuse to report irregularities, including suspected fraud, to OLAF.

NextGenerationEU: Funding package to help EU Member States recover from the economic and social impact of the COVID-19 pandemic.

Recovery and Resilience Facility: The EU’s financial support mechanism to mitigate the economic and social impact of the COVID-19 pandemic and green and digital transformation.

Recovery and resilience plan: Document setting out Member State’s intended reforms and investments under the Recovery and Resilience Facility.

Commission’s replies

https://www.eca.europa.eu/en/Pages/DocItem.aspx?did=63634

Timeline

https://www.eca.europa.eu/en/Pages/DocItem.aspx?did=63634

Audit team

The ECA’s special reports set out the results of its audits of EU policies and programmes, or of management-related topics from specific budgetary areas. The ECA selects and designs these audit tasks to be of maximum impact by considering the risks to performance or compliance, the level of income or spending involved, forthcoming developments and political and public interest.

This performance audit was carried out by Audit ChamberV Financing and administration of the EU, headed by ECA Member Jan Gregor. The audit was led by ECA Member Tony Murphy, supported by Wolfgang Stolz, Head of Private Office and Brian Murphy and Peter Borsos, Private Office Attachés; Judit Oroszki, Principal Manager; Gediminas Macys, Head of Task; Kristina Kosor and Raymond Larkin, Auditors. Valérie Tempez provided the secretarial assistance.

From left to right: Peter Borsos, Judit Oroszki, Kristina Kosor, Tony Murphy, Brian Murphy, Gediminas Macys, Wolfgang Stolz, Raymond Larkin, Valérie Tempez.

Endnotes

1 Article8 and Article22(1) of the Regulation.

2 Article24(3) of the Regulation.

3 Article22(1) of the Regulation.

4 Article22(5) of the Regulation.

5 Article18(4) of the Regulation for the full set of conditions that RRPs must satisfy.

6 Article24 of the Regulation.

7 Article22 (2)(c) of the Regulation.

8 Idem.

9 Article24(3) of the Regulation.

10 Special report21/2022: The Commission’s assessment of national recovery and resilience plans –Overall appropriate but implementation risks remain.

11 Opinion06/2020 concerning the proposal for a regulation of the European Parliament and of the Council establishing a Recovery and Resilience Facility.

12 Special report21/2022.

13 2021annual report on the implementation of the EU budget for the 2021financial year, chapter10 –Recovery and resilience facility.

14 Review 01/2023: EU financing through cohesion policy and the Recovery and Resilience Facility: A comparative analysis.

15 Chapter10 of our 2021annual report.

16 Special report21/2022.

17 2021 DGECFIN AAR, AnnexXIV.

18 Article 24 (5) of the Regulation.

19 Article5 of the Regulation.

20 Article24 of the Regulation.

21 Paragraphs56-61 of special report21/2022.

22 ParagraphVIII of special report21/2022.

23 Paragraph 80 of Review 01/2023.

24 Article22(1) and recital54 of the Regulation.

25 2021 DGECFIN AAR, p.52.

26 The Commission’s audit strategy for the RRF, p.3.

27 Figure1.8 of our 2021annual report.

28 Article24(3) of the Regulation.

29 Article24(3) of the Regulation.

30 Article36(3) of Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18July2018 on the financial rules applicable to the general budget of the Union.

31 Annex to the Council implementing decision.

32 Paragraphs10.24-10.26 of our 2021annual report.

33 Paragraph73 of our special report21/2022.

34 Article24(6) of the Regulation.

35 Paragraph 10.28 of our 2021annual report.

36 Article74(6) of the Financial Regulation.

37 Article24(3) of the Regulation.

38 2021 DGECFIN AAR, p.60.

39 Opinion06/2022 (pursuant to Article322(1), TFEU) concerning the proposal for a Regulation of the European Parliament and of the Council on the financial rules applicable to the general budget of the Union (recast).

40 Article22(5) of the Regulation.

41 Paragraph 106 of Review 01/2023.

Contact

EUROPEAN COURT OF AUDITORS
12, rue Alcide De Gasperi
1615 Luxembourg
LUXEMBOURG

Tel. +3524398-1
Enquiries: www.eca.europa.eu/en/contact
Website: eca.europa.eu
Twitter: @EUAuditors

More information on the European Union is available on the internet (https://europa.eu).

Luxembourg: Publications Office of the European Union, 2023

COPYRIGHT

© European Union, 2023

The reuse policy of the European Court of Auditors (ECA) is set out in ECA Decision No6-2019 on the open data policy and the reuse of documents.

Unless otherwise indicated (e.g. in individual copyright notices), ECA content owned by the EU is licensed under the Creative Commons Attribution 4.0 International (CCBY4.0) licence. As a general rule, therefore, reuse is authorised provided appropriate credit is given and any changes are indicated. Those reusing ECA content must not distort the original meaning or message. The ECA shall not be liable for any consequences of reuse.

Additional permission must be obtained if specific content depicts identifiable private individuals, e.g. in pictures of ECA staff, or includes third-party works.

Where such permission is obtained, it shall cancel and replace the above-mentioned general permission and shall clearly state any restrictions on use.

To use or reproduce content that is not owned by the EU, it may be necessary to seek permission directly from the copyright holders:

Figure 2 – Icons: the figures have been designed using resources from Flaticon.com. ©Freepik Company S.L. All rights reserved.

Software or documents covered by industrial property rights, such as patents, trademarks, registered designs, logos and names, are excluded from the ECA’s reuse policy.

The European Union’s family of institutional websites, within the europa.eu domain, provides links to third-party sites. Since the ECA has no control over these, you are encouraged to review their privacy and copyright policies.

Use of the ECA logo

The ECA logo must not be used without the ECA’s prior consent.

GETTING IN TOUCH WITH THE EU

In person
All over the European Union there are hundreds of Europe Direct centres. You can find the address of the centre nearest you online (european-union.europa.eu/contact-eu/meet-us_en).

On the phone or in writing
Europe Direct is a service that answers your questions about the European Union. You can contact this service:

• by freephone: 00 800 6 7 8 9 10 11 (certain operators may charge for these calls),
• at the following standard number: +32 22999696,
• via the following form: european-union.europa.eu/contact-eu/write-us_en.

FINDING INFORMATION ABOUT THE EU

Online
Information about the European Union in all the official languages of the EU is available on the Europa website (european-union.europa.eu).

EU publications
You can view or order EU publications at op.europa.eu/en/publications. Multiple copies of free publications can be obtained by contacting Europe Direct or your local documentation centre (european-union.europa.eu/contact-eu/meet-us_en).

EU law and related documents
For access to legal information from the EU, including all EU law since 1951 in all the official language versions, go to EUR-Lex (eur-lex.europa.eu).

EU open data
The portal data.europa.eu provides access to open datasets from the EU institutions, bodies and agencies. These can be downloaded and reused for free, for both commercial and non-commercial purposes. The portal also provides access to a wealth of datasets from European countries.