I. Shared Management: Protecting Funds from Deficiencies in Management and Control Systems

Article 317(1) of the Treaty on the Functioning of the European Union assigns to the European Commission the responsibility to “implement the budget,” “in cooperation” with the Member States. This responsibility is to be exercised in accordance with regulations adopted under article 322(1) TFEU. Prominent amongst them, the Financial Regulation^{Footnote 6} distinguishes between different “methods of implementation” of the EU budget.^{Footnote 7} In a nutshell, these methods entrust budget implementation tasks to the Commission directly (direct management),^{Footnote 8} allow for the sharing of these tasks with Member States (shared management),^{Footnote 9} or to entrust them to other persons or entities (indirect management).^{Footnote 10} However funds are managed, EU law provides for measures to be taken for the protection of the financial interests of the European Union. For instance, article 325 TFEU is the legal basis for the adoption of measures to “counter fraud and any other illegal activities affecting the financial interests of the Union,” those measures being “such as to afford effective protection in the Member States, and in all the Union’s institutions, bodies, offices and agencies.”^{Footnote 11} Yet, it is arguably with regards to EU funds in shared management that the systemic criterion is the most explicitly^{Footnote 12} defined in relation to the protection of the financial interests of the Union.

The Common Provisions Regulation^{Footnote 13} provides for common legal provisions on eight funds in shared management, including 392 billion euros of funding for Cohesion policy over the 2021-2027 period.^{Footnote 14} The document makes explicit references to the systemic criterion in relation to “systemic irregularities” affecting these funds. For clarity’s sake, it is worth explaining first how particular “irregularities” are defined in wider EU budgetary law, before looking at their systemic variant.

“Irregularities” refer to “any breach of applicable law, resulting from an act or omission by an economic operator, which has, or would have, the effect of prejudicing the budget of the Union.”^{Footnote 15}

The prejudice inflicted on the budget may derive from a reduction or loss of “revenue accruing from own resources collected directly on behalf of the [Union],”^{Footnote 16} or by charging an “unjustified item of expenditure” to that budget.^{Footnote 17} As confirmed by the Court, the concept of irregularity in this context is thus composed of three cumulative elements. In the first place, the existence of an infringement of EU law, which covers “not only breaches of a provision of EU law as such,” but which may also cover breaches of the “provisions of national law which are applicable to operations supported by” an EU Fund, for instance in relation to Structural Funds.^{Footnote 18} In the second place, the breach of law must be the result of “an act or omission by an economic operator.” While this encompasses the actions or omissions of “any natural or legal person, or other entity involved in the implementation of the Funds,” it is specified that Member States themselves are not considered as economic operators when they are exercising their “prerogatives as a public authority.”^{Footnote 19} In the third place, the breach of applicable law by an economic operator constitutes an irregularity for our purposes where it has, “or would have,” the “effect of prejudicing the budget of the Union.” The Court has interpreted this provision as meaning that it is not necessary to establish “the existence of a specific financial impact” it is “sufficient that the possibility of an impact on the budget of the funds concerned is not excluded.”^{Footnote 20} The notions of risk or of “probability of occurrence” are therefore built in the way EU law construes the concept of irregularity in relation to EU funds.

Given the definition above, it might appear somewhat surprising that “systemic irregularities” are not presented as a simple derivation of particular irregularities—such as an amped up, more frequent, persistent, wide ranging or more serious variant of irregularities. Instead, the conceptual construction of systemic irregularities really changes the focus from looking at the conduct of economic operators, to assessing how well Member States have set up “management and control systems” to detect, prevent and remedy particular irregularities in relation to EU funds. In the vocabulary of the Common Provisions Regulation, a “systemic irregularity” means “any irregularity, which may be of a recurring nature, with a high probability of occurrence in similar types of operations, which results from a serious deficiency [ … ].”^{Footnote 21}

Thus, irregularities are not systemic in themselves, but in that they are the symptoms of a problem—a “serious deficiency.” A serious deficiency arises where Member States fail to guarantee sufficiently “the effective functioning of the management and control system of a [funding] programme” and where “significant improvements in the management and control systems are required” in line with applicable EU legislation.^{Footnote 22} It is not essentially^{Footnote 23} because irregularities are recurrent that they are systemic; rather, irregularities become systemic when the management and control systems which are supposed to prevent them are flawed to the point where irregularities have a “high probability of occurrence” in similar situations.^{Footnote 24}

A similar approach characterizes the protection of funds for the Common Agricultural policy, totalizing 373.8 bn euros for the 2021-2027 period—99.1% of which is implemented under the principle of shared management with Member States.^{Footnote 25} Regulation 2021/2116 on the financing, management and monitoring of the common agricultural policy^{Footnote 26} provides that Member States “shall adopt all laws, regulations and administrative provisions and take any other measures necessary to ensure effective protection of the financial interests of the Union.”^{Footnote 27} To that end, Member States, “shall set up efficient management and control systems in order to ensure compliance with the Union legislation governing Union interventions. Member States shall take the actions necessary to ensure the proper functioning of their management and control systems and the legality and regularity of expenditure declared to the Commission.”^{Footnote 28}

The national bodies constituting these management and control systems form part of the “governance systems” set up in Member States to manage agricultural funds. The applicable legislation defines “serious deficiencies in the proper functioning of the governance systems” as amounting to “the existence of a systemic weakness, taking into account its recurrence, gravity and compromising effect on the correct declaration of expenditure, the reporting on performance, or the respect of Union law.”^{Footnote 29} Thus, following a similar approach to that taken in the Common Provisions Regulation, the systemic criterion refers in the context of the Common Agricultural Policy to weaknesses in the (control and management or governance) systems set up for the protection of the financial interests of the EU. As will be seen, this approach is also dominant in other major documents laying down protections for the EU budget.

II. The Conditionality Regulation: the Rule of Law as an Overarching Control System

As its full name makes clear, the Conditionality Regulation is meant “for the protection of the EU budget” by the setting up of “a general regime of conditionality.”^{Footnote 30} It applies to the whole EU budget, including Recovery Funds,^{Footnote 31} which in legal terms exist alongside the traditional seven year budget laid down in the EU Multi-annual Financial Framework.^{Footnote 32} Remarkably, the name previously given to this Regulation employed a vocabulary revolving around the systemic criterion. In the legislative proposal submitted by the European Commission two years and a half before its final adoption (“the legislative proposal”), the document had a different title: Regulation “on the protection of the Union’s budget in case of generalized deficiencies as regards the rule of law in the Member States.”^{Footnote 33} In its designation as well as in the rest of the document, mentions of “generalized deficiencies as regards the rule of law” have been erased and replaced by the more particular reference to “breaches of the principles of the rule of law.”^{Footnote 34}

Such changes hint that one important issue in the heated^{Footnote 35} negotiations of the Conditionality Regulation concerned the extent to which the document would employ terms associated with the systemic criterion and its lexical register. This translated in a back-and-forth in the document itself. For instance, a concession to drop the reference to “generalized deficiencies” in favor of “breaches of the principles of the rule of law” only led to more detailed periphrases to keep the original idea, if not the formulation, in the Regulation. The Preamble to the Regulation now provides that, while “individual breaches of the principles of the rule of law” can “seriously harm the financial interests of the Union,” such is “even more” the case “for breaches that are widespread or due to recurrent practices or omissions by public authorities, or to general measures adopted by such authorities.”^{Footnote 36} At the same time, it is only in the Preamble that such terms are employed, not in the articles of the Regulation themselves. If “systemic” vocabulary remains present in the document, it is so in a legally convoluted way.

Equally contentious stances over the systemic criterion have been taken at the point of application of the Conditionality Regulation by the Commission to Hungary. In the Fall of 2022, the Commission issued a proposal for a Council Implementing Decision “on measures for the protection of the Union budget against breaches of the principles of the rule of law in Hungary.”^{Footnote 37} The proposed measures provide for the suspension of a substantial amount of Cohesion funds and for a prohibition from entering into legal commitments—leading to the benefit of EU funds—with specific types of actors in Hungary,^{Footnote 38} notably preventing a number of its universities from benefitting from Horizon Europe or ERASUMS+ funding.^{Footnote 39} The Implementing Decision was adopted by the Council on December 15, 2022. Remarkably, the systemic criterion constitutes a key component of the dispute between Hungary and the Commission over how the Conditionality Regulation is to be interpreted and applied. Indeed, the Commission placed the systemic criterion at the very heart of its case against Hungary, “In light of all the foregoing, the Commission considers that the issues identified [ … ] constitute systemic breaches of the principles of the rule of law within the meaning of Article 2(a) of the Conditionality Regulation [ … ].”^{Footnote 40} It is worth noting that article 2(a) of the Conditionality Regulation does not define by itself what a “systemic” breach of the rule of law is. Contesting the Commission’s findings, took the line that “the weaknesses in public procurement” noted by the Commission “were not of a systemic nature.”^{Footnote 41}

Whereas the above suggests that the systemic criterion is both important and contentious with regards to the negotiation, adoption and application of the Conditionality Regulation, the precise meaning of this criterion is not immediately obvious. Contrary to what was seen with structural and agricultural funds, there is no clear and explicit legislative definition of that criterion. At first sight, the vocabulary employed in both the first and final versions of the Conditionality Regulation suggests a meaning of this criterion along the lines of “generalized” or “general and persistent” breaches of EU law, rather than one falling within the conceptual category of “system deficiencies” found in sectoral funds.^{Footnote 42} As has been noted, the initial title of the Regulation mentioned “generalized deficiencies,” whereas Paragraph 15 of its Preamble in the adopted text makes clear that the mechanism shall also target “widespread” breaches of law, “recurrent practices or omissions” and “general measures.” However, it is argued in the present article that both the object and rationale of the Regulation clearly point towards a use of the systemic criterion in the sense of system deficiencies.

Indeed, the object of the Conditionality Regulation is not simply to protect the EU budget, but to do so in situations where that budget is put at risk due to the breach of the legal principles of the rule of law in a Member State. The underlying rationale is that without proper respect for the rule of law, there is a risk that “cases of fraud, including tax fraud, tax evasion, corruption, conflict of interest or other breaches of the law” will not be “effectively pursued by investigative and prosecution services,” whereas “arbitrary or unlawful decisions of public authorities, including law-enforcement authorities” may escape judicial review if courts lack independence.^{Footnote 43} The Conditionality Regulation is about protecting the EU budget in cases where the structures and practices of the State itself would put it at risk. It is implied that such structures and practices, if well–functioning and abiding by the rule of law, contribute to protecting the budget in a way akin to an overarching control system.

Thus, the Conditionality Regulation obeys a rationale which is similar to that of sectoral funds in that it relies on an understanding of systemic breaches as meaning deficiencies in the system creating risks for the financial interests of the European Union. One may even advance that management and control systems for the protection of sectoral funds are really particular systems, compared to the higher order nature of the rule of law requirements for the protection of the EU Budget under the Conditionality Regulation, which target the institutional structures and functioning of the State itself.

Indeed, even though the Member States themselves are responsible for the well-functioning of management and control systems in relation to sectoral funds^{Footnote 44}, these systems exist specifically in relation to EU funding programmes. The Financial Regulation provides that it is “[i]n accordance with the criteria and procedures laid down in sector-specific rules” that “Member States shall, at the appropriate level, designate bodies to be responsible for the management and control of Union funds.”^{Footnote 45} These bodies are referred to as “programme authorities” in the Common Provisions Regulation—a management authority and a control authority.^{Footnote 46} If Member States are free to make these authorities responsible for more than one programme,^{Footnote 47} the institutional make-up of the management and control systems remains functionally attached to the implementation needs of EU funding programmes specifically.

By contrast, the Conditionality Regulation does not specifically target programme–specific authorities but whole branches of government such as “executive powers”^{Footnote 48} or “the judiciary,”^{Footnote 49} also referring to “law-enforcement authorities”^{Footnote 50}, “public authorities”^{Footnote 51} or “government entit[ies].”^{Footnote 52} The Conditionality Regulation targets the very functioning of the State in situations in which the financial interests of the EU are at stake. In that sense, it arguably presents a stronger “systemic” quality than any other piece of budgetary legislation, even without mentioning the term itself in its preamble or articles. It gives a more fundamental constitutional and administrative legal dimensions to the concerns of the protection of the EU budget. In comparison, the management and control systems linked to funding programmes appear akin to sub–systems, themselves dependent on the correct observance of the principles of the rule of law as legal requirements bearing on the overarching system of the State architecture and practice wherever the protection of the EU budget is concerned.

III. The Recovery and Resilience Facility: Effective Control Systems as a Condition for Funding

The Recovery and Resilience Facility (RRF) provides for 672.5 billions of euros in grants and loans (in 2018 prices)^{Footnote 53} with the original purpose of “tackl[ing] the adverse effects and consequences of the COVID-19 crisis in the Union.”^{Footnote 54} Later amendments under the RePOWER EU initiative allowed for the use of RRF funding to also tackle the energy crisis which accompanied Russia’s war against Ukraine.^{Footnote 55} The RRF Regulation lays down a legal obligation on Member States being granted or borrowing RRF funds to “take all the appropriate measures to protect the financial interests of the Union.“^{Footnote 56} Member states are to “ensure that the use of funds in relation to measures supported by the Facility complies with the applicable Union and national law, in particular regarding the prevention, detection and correction of fraud, corruption and conflicts of interests.”^{Footnote 57} Mirroring the approach taken for the protection of Agricultural or Cohesion funds, the RRF Regulation foresees that, “[t]o this effect, Member States shall provide an effective and efficient internal control system and the recovery of amounts wrongly paid or incorrectly used.”^{Footnote 58} In so doing, “Member States may rely on their regular national budget management systems.”

In addition, and importantly, the RRF Regulation introduces conditionality provisions^{Footnote 59} allowing EU institutions to wield a strong influence on the features and functioning of the national institutions and procedures meant to deal with and protect the financial interests of the Union—including higher order protections related to the rule of law.

This is made possible by making access to RRF funds conditional upon the adoption and implementation of reforms for the purpose of that protection. In order to benefit from RRF funding, Member States must submit national Recovery & Resilience Plans to the Commission for assessment.^{Footnote 60} Through these Plans, Member States commit to adopting reforms and making investments, with related targets and milestones, in line with the conditions and objectives of the RRF Regulation.^{Footnote 61} When the Commission makes a positive assessment of a Plan, it issues a recommendation to the Council for it to adopt the Plan through an Implementing Decision,^{Footnote 62} paving the way for the disbursement of funding in step with the fulfillment of the conditions listed in the Plan.^{Footnote 63}

These criteria are to be applied in accordance with Annex V to the RRF Regulation.^{Footnote 65} Point 2.10 of that annex specifies key requirements for the appropriateness of the arrangements provided for by Member States. These requirements are cumulative, as indicated by the repeated use of the coordinative conjunction “and”:

These requirements help us understand what constitute adequate control systems under the RRF Regulation. However, they are not very precisely defined: For instance, it is not specified exactly what makes an arrangement “adequate” or what counts as “robust” processes and structures. Nevertheless, these concepts can be clarified by looking at other instruments and case–law pertaining to the protection of EU funds, including the Conditionality Regulation.^{Footnote 67} Moreover, once the Council has endorsed a National Recovery Plan through an Implementing Decision, the Commission and the Member State shall flesh out latter’s precise obligations in dedicated agreements.^{Footnote 68}

This short overview shows that all of the budgetary instruments included in the present analysis foresee that certain systems must be in place to ensure the protection of the financial interests of the EU. The precise definition of these systems may vary: “[M]anagement and control systems” (or equivalent) defined in sectoral legislation; principles of the rule of law of relevance for the protection of the financial interests of the EU; key features of control systems defined in pre–agreed Plans, the fulfillment of which is set as a condition for access to funding.

Moreover, it should be underlined that the imposition of conditions is not specific to the RRF. Indeed, Article 15 of the Common Provisions Regulation, read together with its Annexes III and IV, provides for “enabling conditions” concerning in particular the “effective monitoring mechanisms of the public procurement market” and the “effective application and implementation of the Charter of Fundamental Rights.” In case these conditions are not fulfilled, the Commission is to refuse reimbursement of the related expenditure declared by the Member State.

The scope of these conditions is itself narrower than that of conditions relating to the respect for the principles of the rule of law under the Conditionality Regulation—which concerns the overarching system of the State. They do not allow for preventive “suspension of approval of one or more programmes, as well as the suspension of commitments under shared management”^{Footnote 69}—nor for suspension of funding on the scale of the RRF. Yet, as will be seen, even more important differences between these instruments concern the ways in which such suspensions and other financial consequences are calculated—or not—on the basis of different levels of seriousness of system deficiencies in the protection of the EU budget.

I. Sectoral Instruments: a Gradation of Deficiencies Linked to Different Levels of Financial Corrections

It has long been accepted in EU budgetary law that systemic deficiencies can be graded on a scale—they do not constitute a simple, qualitative–only category. Building on pre–existing practice, a “Commission interdepartmental working party”^{Footnote 70} issued in 1993 a Report^{Footnote 71} (the Belle Group Report), which was endorsed by the Commission and which addressed the issue of which “financial consequences” should derive from (inter alia) “investigations identifying deficiencies in the control processes of a Member State”^{Footnote 72} in relation to what was then the European Agricultural Guidance and Guarantee Fund (EAGGF).^{Footnote 73} In cases in which it would prove too difficult to arrive at a straightforward calculation of the costs incurred to the EU budget proves in relation to deficiencies, the Report developed criteria to determine different flat rates of financial correction^{Footnote 74} to be imposed, in relation to the level of risk that deficiencies cause to the EU budget:

As noted by Advocate General Léger, “the report also states that it is possible to refuse the whole of the expenditure and that, therefore, a higher rate of correction may be held appropriate in exceptional circumstances” ^{Footnote 76}—adding a higher possible rate of correction to the first three.

This approach has generally survived since then in relation to agricultural funds, although with new specifications.^{Footnote 77} For our purposes, this approach makes clear that deficiencies can be graded on a scale (“limited to parts of the control system of lesser importance;” “relates to important elements of the control system;” “relates to the whole or fundamental elements of the control system”…). This gradation is used to calculate the level of financial correction to be imposed on the Member States concerned – how much of the funds will have to be withheld from them in relation to unlawful expenditure. In this regard, full withdrawal from a funding programme is now reserved for the most extreme situations^{Footnote 78}—although a lower threshold was accepted in the past for full withdrawal.^{Footnote 79}

A similar approach has been followed regarding funds governed by the Common Provisions Regulation, which also distinguishes between several levels of seriousness to qualify systemic deficiencies. Just like for agricultural funds, these different levels of seriousness reflect a graded level of estimated risk for the EU budget. The risk to the “legality and regularity” of expenditure is highest where a “serious deficiency(ies) is so fundamental, frequent or widespread that it represents a complete failure of the system.” The next three levels of failure, in decreasing order, represent respectively an “extremely serious failure of the system;” a “system not fully functioning” or doing so “poorly” and “infrequently” in light of EU legal requirements; and a “system not functioning consistently.”^{Footnote 80} Like for agricultural funds, the severity of the deficiency is assessed in relation to the level of risk it poses—itself graded on a scale—to the expenditure concerned in a given system. Thus, “the legality and regularity of all of expenditure concerned” is put at risk where the serious deficiency is “complete,” whereas a “very high,” “high and “significant” proportions of the expenditure are respectively put at risk by the next three levels of severity of the deficiency.^{Footnote 81} The Common Provisions Regulation provides for a gradation system in its Annex XXV to identify the proportion of EU funding to be withheld in relation to the levels of severity of deficiencies in the management and control systems for a specific funding programme. Thus, flat-rate corrections of 100%, 25%, 10% and 5% are respectively attached to levels of deficiency evaluated as “complete,” “very high,” “high and “significant.”^{Footnote 82}

II. Different Levels of Risks Attached to Systemic Breaches of the Principles of the Rule of Law

Now turning to risks for the EU budget related to rule of law concerns, it is noticeable that, in its proposal for a Council Implementing Decision for the application of the Conditionality Regulation against Hungary, the Commission appears to approach the application of that Regulation with a similar perspective as that which is followed in sectoral instruments. The Commission evaluates as “very significant” the “potential impact” of the breaches of the principles of the rule of law “on the sound financial management of the Union budget and on the financial interests of the Union.” Looking at public procurement in particular, the Commission states that “in principle, some public procurement procedures may not be affected by those systemic breaches.”^{Footnote 83} As a consequence, the Commission notably proposed to the Council that 65%^{Footnote 84}—not 100%^{Footnote 85}—of EU funding be suspended for “cohesion policy programmes 2021-2027 that are expected to be implemented mainly through public procurement.” The Council lowered that amount to 55%, to take into account “the number and significance of remedial measures that have been satisfactorily implemented by Hungary to address the identified breaches of the principles of the rule of law.”^{Footnote 86}

Thus, the breaches of the rule of law at stake have not given rise to a “complete”—or equivalent—failure of the Member State to guarantee the sound financial management of the Union budget and the protection of the financial interests of the Union. This suggests that, for the Commission, system deficiencies in Hungary still stand in a category below the highest possible level of severity in putting the EU budget at risk.

Furthermore, these deficiencies may slide further down the scale of severity if the Member State adopts and implements appropriate measures to remedy these breaches—as Hungary has promised to do.^{Footnote 87} Indeed, article 7 of the Conditionality lays down a path for the gradual lifting of measures restricting Member States’ access to EU funding, accompanying progress in remedying deficiencies.^{Footnote 88}

It should be noted, however, that such a gradation system has not been formalized in the Conditionality Regulation as clearly as in sectoral instruments. No set thresholds or flat rates have been set for suspensions of budgetary commitments in Member States engaging in systemic breaches of the principles of the rule of law. In fact, it would appear more difficult to do so for such breaches than in relation to deficiencies in the management and control systems in place for sectoral EU funding programmes. Whereas the latter can be assessed on the basis of a relatively smaller number of criteria and parameters, breaches to the principles of the rule of law concern incomparably more elaborate and wide-ranging national institutional systems.

Moreover, breaches of the principles of the rule of law may affect “the Union budget as a whole,” which also means that they may have differentiated impacts in different areas of involvement of the EU budget. For instance, the Commission has so far mainly put the focus on risks concerning public procurement, as well as the role of specific public actors, as being particularly prominent in relation to the breaches of the rule of law observed in Hungary.

Virtually, different proportions of EU funds may have to be withheld in different programmes, for the same breaches of the principles of the rule of law.

Also, as will become apparent in the next subsection (III), the mechanism for the gradual lifting of financial consequences in the Conditionality Regulation should be contrasted with the conditionality mechanism at play in the RRF Regulation, even though the remedial measures promised by Hungary under the Conditionality Regulation are explicitly^{Footnote 89} put in parallel with the milestones which have to be fulfilled by the same Member State under the RRF Regulation with regards to the protection of the financial interests of the EU.

III. Conditionality and the Potential for the Gradation of System Deficiencies Under the RRF

In principle, the general construction of the Recovery and Resilience Facility would allow for gradation in assessing different levels of system deficiencies concerning the protection of the EU Budget, giving rise to a similarly staged approach to financial consequences. However, it is noteworthy that this route has not been made as available by the RRF Regulation as extensively it could have, and not used as much as was available. As a result, the RRF has set up a powerful conditionality mechanism allowing in some cases for all funding to be withheld until requirements related to the protection of the EU budget are met.

Section B(III) of the present article has already described how Member States must be awarded a positive assessment of their Plans by the Commission in order to be entitled to receive funding under the RRF, while annex V of the RRF Regulation provides guidelines on the criteria to be used for that assessment. The level of satisfaction of these criteria can in most cases be graded on scale, such as: “[T]o a large extent,” “to a medium extent” or “to a small extent”—or equivalent formulations.^{Footnote 90} However, and remarkably, gradation is not made available with regards to the arrangements set up by Member States to set up efficient control systems for the protection of RRF funds: The only two possible answers to choose from are “adequate arrangements” or “insufficient arrangements.”^{Footnote 91} Should the latter apply, the Commission would have to draw the conclusion that “the recovery and resilience plan does not comply satisfactorily with the criteria set out in Article 19(3)” of the Regulation, meaning that “no financial contribution shall be allocated to the Member State concerned.”^{Footnote 92}

Therefore, RRF funding should not be unlocked at all in situations in which such the systems provided for in the Plans would be inadequate. By design, no place is left for gradation in the levels of seriousness of the deficiency of these systems. This is relatively unsurprising, given that what is at stake are the objectives laid out in National Recovery Plans regarding protection systems, and not only their actual state in Member States.

Where these Plans fulfill the necessary criteria and are assessed positively, other safeguards gear into place, allowing for the Commission to reduce and recover funding under the RRF should the systems in place for the protection of the financial interests of the Union be lacking.

For this purpose, the proposal made by the Commission for a Council Implementing Decision under the RRF Regulation shall notably lay down “the arrangements and timetable for monitoring and implementation of the recovery and resilience plan including, where relevant, measures necessary for complying with Article 22”^{Footnote 93} on the protection of the financial interests of the Union. Agreements concluded with the Commission integrate these obligations and find their bite in the link make with (continued) access to RRF funding. Indeed, under article 22(5), the agreements

In addition, the milestones and targets agreed between Member States and EU institutions as a condition for continued access to RRF funding may themselves include provisions relating to the protection of the financial interests of the EU. In principle, a conditionality mechanism could allow for the fulfillment of milestones and target in stages, over time—which could have led to remedying system deficiencies over time. However, a more radical approach has been chosen in the implementation of the RRF Regulation. Most prominently, the Council Implementing Decision endorsing Hungary’s National Recovery Plan makes clear that access to RRF funding will be conditional upon the fulfilment of milestones meant to “ensure the protection of the financial interests of the Union and the establishment of an adequate control system, before any payment under the Facility is authorized by the Commission.”^{Footnote 94} In the case of the Polish National Recovery Plan, the Council Implementing Decision endorsing it provides that no funding under the RRF will be unlocked until milestones are fulfilled to guarantee an effective judicial protection in Poland, “[t]aking into account that effective judicial protection is a prerequisite for the functioning of an internal control system.”^{Footnote 95}

Thus, the RRF provides for a mix of all–or–nothing and gradual approaches to the financial consequences attached to system deficiencies. At the assessment stage, all RRF funding may be denied to Member States if their Plans do not respect requirements relating to the protection of the EU budget. After that, it is again possible to suspend access to all RRF funding until specific milestones or targets are reached relating to the improvement of the systems in place for protection of the EU Budget—although a more gradual approach to such milestones could arguably have been designed as well. Finally, continued system deficiencies may lead the Commission to engage in a proportionate reduction of support under the RRF, to recover amounts due to the EU budget or ask for an early repayment of loans. This mix of approaches followed in the implementation of the RRF Regulation raises question, especially when compared to the approaches followed in the Conditionality Regulation and in relation to sectoral funds. When—and why—is it justified to withhold funding from Member States in proportion to a graduated level of risk, or to do so in relative disconnection to an estimated level of risk?

I. Keeping the EU Budget Out of Harm’s Way by Reducing its Exposure to Risk

Looking more precisely at how and in proportion of what financial consequences are calculated in cases of system deficiencies can give precious indications as to which rationale applies to them. In relation to sectoral funds, we have seen that financial corrections can be imposed on Member States when deficient management and control systems put at risk the financial interests of the EU. Different means of calculation are made available under EU law to determine the amount of a financial correction. In some cases, where the irregularities are known and quantifiable, it is possible to track down what part of the expenditure is irregular and to calculate the correction accordingly. However, this may prove too difficult to do in certain instances, either because of the nature of the irregularity or simply because the administrative and investigative powers of the Commission are too limited.^{Footnote 96} To ensure the protection of the EU budget, the Commission may thus analyze a smaller sample of Member State practices in relation to sectoral funding and extrapolate the probable amount of overall funding in the area affected by irregularities.^{Footnote 97} In such cases, a clear link exists between the amount of funding affected by irregularities and the amount of the financial correction.

However, where the control systems supposed to catch irregularities are deficient, it may appear impossible to determine how much funding corresponds to irregular expenditure and, therefore, how important the financial correction should be. In such cases, EU law and practice have produced an approach whereby the financial correction is linked to the level of risk posed to the EU budget,^{Footnote 98} rather than on the amount of expenditure found to be irregular. That level of risk is in turn associated with a level of seriousness of the system deficiency from which it emanates—allowing for a calculation of the financial correction with regards to the level of seriousness of the system deficiency,^{Footnote 99} and not directly to an (unknown) number of expanses likely to have been spent irregularly. As we know, each level of seriousness is supposed to acts as a proxy to different amount of risk caused by the deficiency to the EU budget, leading to different levels of financial correction.^{Footnote 100}

Thus, the above suggests that reducing the exposure of the EU budget to risk is a clear rationale for withholding funding from Member States in relation to sectoral instruments where system deficiencies are spotted. Importantly, the review of the proportionality of financial corrections will normally be conducted in relation to that risk: It would be disproportionate to impose a financial correction of a magnitude exceeding that which corresponds to the applicable level of seriousness of a system deficiency^{Footnote 101}—itself signaling a different level of risk posed to the EU budget.

A similar rationale appears to be at play with the Conditionality Regulation. Article 4(1) of that Regulation provides that a negative impact or “risk” posed to the financial interests of the Union may justify triggering measures for the protection of the EU budget.^{Footnote 102} As stated in Article 5(3), the proportionality of measures adopted under the Conditionality Regulation is to be determined, notably, “in light of the actual or potential impact of the breaches of the principles of the rule of law on the sound financial management of the Union budget or the financial interests of the Union.” Moreover, the calculation of the proportion of funding to be suspended in Hungary under the Conditionality Regulation is clearly tied to the risk for the budget created by deficiencies in (inter alia) public procurement procedures.^{Footnote 103}

A connection is thus made between the importance of the financial consequence and the level of risk to the EU budget, the former increasing or decreasing in line with the variations of the latter. In the case of Hungary, in accordance with Article 7 of the Conditionality Regulation, the amount of funding to be suspended will likely be adapted in line with the number and importance of remedial measures adopted in Hungary. Indeed, Council seems to have endorsed this approach when it lowered to 55% the initial estimation by the Commission of 65% of risk for funding engaged in the programmes concerned in Hungary, for the reason that a number of remedial measures had already been adopted by that Member State. Note that it is not automatic in EU budgetary law that the formal adoption of remedial measures should necessarily entail an automatic lowering of risk, at least until such measures are implemented and have produced an “impact.”^{Footnote 104}

II. Inducing Compliance with EU Requirements to Correct System Deficiencies

The second rationale at play has to do with inducing compliance rather than just avoiding risk. Indeed, financial consequences can also be seen as a means to an end: That of inciting Member States to improve deficient systems for the protection of the EU budget. The ultimate aim remains the same: Protecting the EU budget, this time by making sure that deficient systems are improved before EU funds are exposed to them. Yet, the legal construction and calculation of financial consequences follows a different path, whereby the amounts of EU funding which can be withheld are not solely connected to the level of risk to which they are or would be actually exposed, but also to the level of compliance of Member States with requirements to lower risk.

This rationale can be observed most clearly in the way conditionality mechanisms function under the RRF Regulation. When milestones are agreed upon to improve protection systems and, ultimately, to protect the EU budget from risk, these milestones certainly are formulated with a view to being fulfilled. They establish an incentive structure whereby requirements must be met for RRF funding to become available.

The compliance pull of such a conditionality mechanism is all the greater where all RRF funding is withheld from Member States such as Hungary or Poland for as long as milestones relating to the protection of the EU budget are not met. Such situations of maximum “leverage”^{Footnote 105} show in stark terms that the financial consequences for Member States of having deficient systems are really calculated in relation to their compliance with the conditions imposed, and not necessarily only in proportion with a level of risk posed to the EU budget by their system deficiencies. The difference with the first rationale is made more evident on this point when it appears that the fulfillment of overlapping “remedial measures” under the Conditionality Regulation can lead to the downward recalculation of financial consequences. Compliance with the requirement to fulfill all the relevant milestones under the RRF is the condition made for the lifting of financial consequences, whereas the lowering of risk through the adoption of remedial measures under the Conditionality Regulation appears in itself sufficient to lower risk and, connectedly, the amount of equivalent financial consequences.

Such a difference in the approach to the calculation of financial consequences is made possible by the legal construction of milestones under the RRF. Their rationale is not the same as that of financial corrections: It consists in meeting pre-agreed conditions to accessing RRF funding. As long as these conditions are not met—and in so far as these conditions are compatible with EU law—no part of the RRF funding may be made available.

Conditionality provisions have not been designed to function in the same way as financial corrections with regards to decisions on the financial consequences flowing from the existence of system deficiencies or irregularities in a Member State. It is telling in this regard that it is only with regards to decisions “on the amount of the recovery and reduction, or the amount to be repaid early” of RRF funding that the application of the principle of proportionality is explicitly mentioned in the RRF Regulation^{Footnote 106}—not with regards to the withholding of funding for as long as pre-established conditions are not met.

Conditionality is arguably not the only mechanism through which this second rationale manifests itself. Under the Common Provisions Regulation, the Commission “may suspend all or part of payments, except for pre-financing,” notably where Member States have “failed to take the necessary action to remedy”^{Footnote 107} a situation in which “there is evidence to suggest a serious deficiency [of management and control systems] for which corrective measures have not been taken.”^{Footnote 108} In the calculation of flat-rates for financial corrections (5%, 10%, 25%, 100%) in relation to the level of risk posed by serious deficiencies, the same Regulation provides that:

Normally, the mention in this excerpt of the “same serious deficiency” would suggest that the level of risk it entails for the EU budget is equivalent from one accounting year to the next. It is at least not clear from the formulation above why the “persistence” of a serious deficiency would have an immediate impact on such a level of risk. However, this provision enables the Commission to increase the level of the flat–rate correction in case of persisting non–compliance with the obligation to correct system deficiencies. What is created is therefore a strong incentive structure for Member States to make changes to their management and control systems in order to avoid the imposition of the higher rate of financial correction and fully benefit from EU funds. However, can and should such an incentive mechanism be explicitly acknowledged as such in EU legal discourse? The first rationale is rooted in a simple and convincing calculation of financial consequences in proportion to risk; can the second rationale benefit from an equally strong justification?

III. Incentives or Sanctions-like Mechanisms? On the Legal Importance of Keeping the Protection of the EU Budget as Central Focus for Financial Consequences

The second rationale outlined in the previous subsection presents financial consequences as a means to induce compliance with requirements to lower the risk created for the EU budget because of system deficiencies. The incentivization for change through financial consequences is however not framed in terms of sanctions or penalties.^{Footnote 110} In the case of the Conditionality Regulation in particular, the aim of financial consequences is not and cannot be to set up a sanctions mechanism for the protection of the rule of law as such—because that Regulation is founded on a budgetary legal basis, rather than one which would be dedicated to the protection of the rule of law.^{Footnote 111} More generally, it is not fully clear whether legal provisions relating to the protection of the EU budget can be explicitly used as a means to inducing the compliance of Member States with requirements relating to that protection. At the same time, there would be drawbacks to not acknowledging that second rationale. Indeed, sticking to an official position which would only link financial consequences to the first rationale would put in legal jeopardy decisions imposing financial consequences which would not be strictly calculated in proportion to varying levels of risk.

One possible reason for the uneasiness in acknowledging fully the second rationale is that it arguably increases the resemblance between financial consequences and sanctions or penalties—which we have seen would cause legal difficulties at least in the case of the Conditionality Regulation. Certain provisions of EU budgetary law for the protection of the financial interests of the EU do appear to scout the demarcation line. For instance, the Financial Regulation foresees the exclusion of persons or entities identified as putting the budget at risk “from participating in award procedures governed by [that] Regulation or from being selected for implementing Union funds.”^{Footnote 112} Such exclusions, as well as the possible imposition of “financial penalties,” are explicitly designed to produce a “deterrent effect” on the persons or entities targeted.^{Footnote 113} Such a mention of a deterrent effect is however not incompatible with the ultimate aim of the measures to protect the financial interests of the Union.^{Footnote 114}

In some cases, incentives or deterrents based on limiting access to EU funding may serve other purposes than the protection of the EU budget. For instance, under the Common Provisions Regulation, Member States themselves may face the suspension of all or part of the commitments or payments foreseen for one or more of the programmes from which they benefit, “where the Council decides,” following a proposal from the Commission and in accordance with Article 126(8) or (11) TFEU, “that a Member State has not taken effective action to correct its excessive deficit.”^{Footnote 115} Here, the limitation of access to funding is used as a means to induce compliance with requirements under article 126 TFEU, which itself constitutes a clear sanction mechanism under the Economic and Monetary Union.

Yet, where the aim is to reduce system deficiencies for the protection of the EU budget, it is important to ascertain whether our second rationale for financial consequences can be sufficiently justified. The ultimate aim of the withholding of EU funding is not simply to obtain compliance with requirements, such as respecting the principles of the rule of law, but to do so in order to reduce to an acceptable level the risks to which the EU budget would otherwise be exposed in a Member State. It would be difficult to deny that withholding funding for as long as system deficiencies exist is in any case producing an incentive mechanism for remedying the deficiencies. What is at stake is really to know whether the calculation of the financial consequences can be lawfully done in such a way as to give added weight to that incentive mechanism, by increasing the amounts withheld from Member States presenting system deficiencies, rather than relying on a strict equation of proportionality between risk and financial consequence. If the answer were negative, the examples given in the previous subsection regarding the RRF and sectoral funds could become subject to difficult legal challenges.

One way to come to a positive answer on this question could be by underlying that the budget is part of what allows the EU to “attain its objectives and carry through its policies.”^{Footnote 116} Whereas the protection of the EU budget may warrant withholding funding from a Member State, engagement between EU institutions and Member States should be fostered,^{Footnote 117} in line with the principle of sincere cooperation, to make sure that such limitations can be ultimately overcome for EU funding to continue to serve its purpose. Where systemic deficiencies put the EU budget at risk, acknowledging the second rationale would mean that financial consequences may therefore be calculated in a way which would not only correspond to the exact level of risk posed to the budget, but also with a view to inducing compliance in Member States with requirements which would allow for a correction of the system deficiencies—and as a result, lower levels of risk to the EU budget.

A safer, hybrid justification—between our first and second rationale—can be formulated in favor of adding weight to financial consequences as an incentive for system improvements in Member States. Where system deficiencies have been notified to Member States and too little improvements have been made, and/or these deficiencies remain widespread, it could be argued that the persistent lack of compliance with requirements relating to the protection of the EU budget are in effect raising alarm as to the commitment of the Member State to that protection—and as to whether they can be “trust[ed]”^{Footnote 118} to ensure it. This would justify raising to higher levels the assessment of risk posed to the EU budget in relation to a system deficiency in that Member State. Thus, considerations relating to the general and persistent nature of system deficiencies could be used as a means to assess the level of risk they pose. Such a hybrid approach could be read into the Conditionality Regulation. Indeed, the vocabulary used in the Regulation concerning the “widespread” nature of breaches, “recurrent” practices or “general measures” actually do not define the systemic criterion in this context. Instead, they act as parameters for the evaluation of the seriousness of the system deficiency, which functions as a proxy for the level of risk it creates for the EU budget. According to such a reading, the importance financial consequences can be calculated in proportion to the level of risk, with the caveat that the level of compliance of the Member State with requirements on the protection of the EU budget—and the trust which can be placed in that Member State—becomes one important criterion in the risk assessment.