Accept Refuse

EUR-Lex Access to European Union law

Back to EUR-Lex homepage

This document is an excerpt from the EUR-Lex website

Document 32019D1765

Commission Implementing Decision 2019/1765 of 22 October 2019 providing the rules for the establishment, the management and the functioning of the network of national authorities responsible for eHealth, and repealing Implementing Decision 2011/890/EU (notified under document C(2019) 7460) (Text with EEA relevance)

C/2019/7460

OJ L 270, 24.10.2019, p. 83–93 (BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

ELI: http://data.europa.eu/eli/dec_impl/2019/1765/oj

24.10.2019   

EN

Official Journal of the European Union

L 270/83


COMMISSION IMPLEMENTING DECISION 2019/1765

of 22 October 2019

providing the rules for the establishment, the management and the functioning of the network of national authorities responsible for eHealth, and repealing Implementing Decision 2011/890/EU

(notified under document C(2019) 7460)

(Text with EEA relevance)

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Directive 2011/24/EU of the European Parliament and of the Council of 9 March 2011 on the application of patients’ rights in cross-border healthcare (1), and in particular Article 14(3) thereof,

Whereas:

(1)

Article 14 of Directive 2011/24/EU assigned the Union to support and facilitate cooperation and the exchange of information among Member States working within a voluntary network connecting national authorities responsible for eHealth (the ‘eHealth Network’) designated by the Member States.

(2)

Commission Implementing Decision 2011/890/EU (2) provides rules for the establishment, the management and the functioning of the eHealth Network.

(3)

That decision does not at the moment provide appropriate rules with regard to certain aspects necessary for the sufficiently transparent functioning of the eHealth Network, in particular, on the role of the eHealth Network and the Commission in relation to the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services, and the new requirements on data protection under Regulation (EU) 2016/679 of the European Parliament and of the Council (the ‘General Data Protection Regulation’) (3), and Regulation (EU) 2018/1725 of the European Parliament and of the Council (4).

(4)

The transparent management of the eHealth Network should be ensured by laying down rules on becoming a member of the eHealth Network and withdrawing from it. Participation in the eHealth Network being voluntary, the Member States should be able to join at any time. For organisational purposes, the Member States wishing to participate should inform the Commission of this intention in advance.

(5)

Electronic communication is a suitable means for rapid and reliable exchange of data between Member States participating in the eHealth Network. In this area, significant developments took place. In particular, in order to facilitate the interoperability of European eHealth systems, the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services was developed by those Member States participating in the eHealth Network which decided to advance their cooperation in this area with the support of the Commission, as an IT tool for the exchange of health data under the Connecting Europe Facility programme (5). These developments should be reflected in this Decision. Moreover, as stressed in the Commission Communication of 25 April 2018 on enabling the digital transformation of health and care in the Digital Single Market, empowering citizens and building a healthier society (6), the respective role of the participating Member States and of the Commission in relation to the functioning of the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services should be clarified.

(6)

The role of the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services should be to facilitate the cross-border exchange of health data between the Member States participating in the eHealth Network as recognised in the 2017 Council Conclusions on Health in the Digital Society (7) such as patient data contained in ePrescriptions and Patient Summaries and eventually more comprehensive electronic health records, as well as to develop other use cases and health information domains.

(7)

The eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services is composed of core services and generic services as provided for in Regulation (EU) No 283/2014 of the European Parliament of the Council (8). The core services are developed, deployed and maintained by the European Commission. Together with the generic services, they should enable and support trans-European connectivity. The generic services are developed, deployed and maintained by the National Contact Points for eHealth, designated by each Member State. The National Contact Points for eHealth, using the generic services, link the national infrastructure with the National Contact Points for eHealth from another Member State through the core service platforms.

(8)

In order to improve cross-border exchange of health data and achieve technical, semantic, and organisational interoperability between national eHealth systems, the eHealth Network should in the context of eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services, play the leading role in the elaboration and coordination of the necessary common requirements and specifications.

(9)

The eHealth Network is already carrying out several activities in e-health area, which are spelled out in its Multiannual Work Programme and are aimed mainly at providing guidance, sharing good practices or finding common ways of working together. Among these activities are, for instance: working to enable citizens to take an active role in the management of their own health data, including in the area of e-health, m-health and telemedicine, as well as patients’ access, use and share of their own health data and digital health literacy of patients. Other activities of the Network are related to the innovative use of health data, including Big Data, Artificial Intelligence, developing knowledge on healthcare policy, including the provision, in cooperation with the concerned parties at national and EU level, of guidance on health promotion, disease prevention and improved delivery of healthcare through better use of health data. The Network supports Member States to enable sharing and using health and medical data for public health and research. In line with Article 14(2)(c) of Directive 2011/24/EU, it also supports Member States in developing electronic identification means and authentication to facilitate transferability of data in cross-border healthcare, in particular as regards eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services, taking into account the eIDAS framework and other ongoing actions at Union level.

(10)

The eHealth Network is also working on enhancing the continuity of care by improving the uptake of cross-border e-health services, developing new use cases and health information domains in addition to patient summary and e-prescriptions, as well as overcoming implementation challenges, related to interoperability, data protection, data security or e-skills for healthcare professionals. It also facilitates greater interoperability of the national information and communications technology systems and cross-border transferability of electronic health data in cross-border healthcare by providing guidance on which requirements and specifications should be used to achieve technical, semantic and organisational interoperability between national digital healthcare systems. The Network is working to foster stronger cooperation with regard to the development and sharing of good practices concerning national digital health strategies, with the view of building convergence for an e-health interoperable system.

(11)

When preparing guidance concerning security aspects of data exchange, the eHealth Network should benefit from the expertise of the Network and Information Security (NIS) Cooperation Group established under Article 11 of Directive (EU) 2016/1148 of the European Parliament and of the Council (9), and the European Union Agency for Network and Information Security (ENISA).

(12)

The eHealth Network is also promoting the exchange of views among its Members on national strategic challenges with regard to new technologies and data usages and it should promote discussions with other relevant Union fora (such as the Steering Group on Health Promotion, Disease Prevention and Management of Non-Communicable Diseases or Board of Member States for European Reference Networks) on priorities, strategic orientations and their implementation.

(13)

On 6 February 2019, the Commission adopted a Recommendation on a European Electronic Health Record exchange format (10) (the ‘Commission Recommendation’). In order to support the take-up, further development and to facilitate the use of the European Electronic Health Record exchange format, the eHealth Network, working together with the Commission, stakeholders, clinicians, patients’ representatives, and the relevant authorities, is expected to develop guidance, further support the development and the monitoring of the electronic health records exchange format and support the Member States in ensuring the privacy and security of data exchange. In order to strengthen the interoperability, the Network developed investment guidelines (11), which recommend to take account of the standards and specifications referred to in the Commission Recommendation in particular for the purpose of procurement procedures.

(14)

Since eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services is an important element of the Network’s functioning, the role of the eHealth Network in the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services and in other shared European eHealth services should be clarified in order to ensure transparent functioning of the Network.

(15)

In order to ensure the effective exchange of health data among Member States, the eHealth Network should be able to work towards enabling Member States to such exchange. In particular, based on fulfilment of predefined requirements and tests provided by and of audits carried by the Commission and, if possible, other experts, the eHealth Network should have a possibility to agree on the organisational, semantic and technical readiness of candidate Member States to exchange validated comprehensive electronic health data for the adopted use cases through their respective National Contact Point for eHealth and their continued compliance in that respect.

(16)

For an effective and transparent functioning of the Network, rules should be laid down on the adoption of the Rules of Procedure and multiannual work programme, as well as the creation of subgroups in order to ensure the effective functioning of the eHealth Network. The Rules of Procedure should specify the procedure for the decisions concerning the exchange of personal data through the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services, as described above.

(17)

Interested Members of the eHealth Network may advance their cooperation in areas covered by the tasks of the Network. Such cooperation is Member State driven and voluntary in nature. This is the case for the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services and may also be the case for other shared European eHealth Services developed in the framework of the eHealth Network. Where Member States choose to advance their cooperation, they should agree on and commit to the rules of that cooperation.

(18)

In order to further ensure the transparent functioning of the eHealth Network, its relation with the Commission should be set out, in particular in relation to the tasks of the eHealth Network and the Commission’s role in the cross-border exchange of health data through the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services.

(19)

Processing of personal data of patients, representatives of Member States, experts and observers participating in the eHealth Network, which is done under the responsibility of the Member States or other public organisations or bodies in the Member States, should be carried out in accordance with the General Data Protection Regulation and Directive 2002/58/EC of the European Parliament and of the Council (12). Personal data of representatives of national authorities responsible for eHealth, other representatives of Member States, experts and observers participating in the eHealth Network shall be processed by the Commission in accordance with the Regulation (EU) 2018/1725. Processing of personal data for the purpose of managing and ensuring the security of the core services of the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services done under the responsibility of the Commission should comply with Regulation (EU) 2018/1725.

(20)

The Member States, represented by the relevant National Authorities or other designated bodies, determine together the purpose and means of processing of personal data through the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services and are therefore controllers. The respective responsibilities between controllers should be defined in a separate arrangement. The Commission, as provider of technical and organisational solutions of the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services, processes encrypted patients’ personal data on behalf of the Member States between the national Contact Points for eHealth and is therefore a processor. According to Article 28 of the General Data Protection Regulation and Article 29 of the Regulation (EU) 2018/1725, the processing by a processor shall be governed by a contract or a legal act under Union or Member State law that is binding on the processor with regard to the controller and that specifies the processing. This Decision sets rules governing the processing by the Commission as a processor.

(21)

In order to ensure equal access rights on the basis of the General Data Protection Regulation and Regulation (EU) 2018/1725, the Commission should be regarded as the controller of personal data relating to the management of access rights to the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services’ core services.

(22)

In order to make reimbursement procedures transparent, rules on the expenses of participants in the activities of the eHealth Network should be set.

(23)

Implementing Decision 2011/890/EU should therefore be repealed and replaced by this Decision for reasons of legal certainty and clarity.

(24)

The measures provided for in this Decision are in accordance with the opinion of the Committee set up under Article 16 of Directive 2011/24/EU,

HAS ADOPTED THIS DECISION:

Article 1

Subject matter

This Decision provides the necessary rules for the establishment, the management and the functioning of the eHealth Network of national authorities responsible for eHealth, as provided for by Article 14 of Directive 2011/24/EU.

Article 2

Definitions

1.   For the purposes of this Decision:

(a)

‘eHealth Network’ means the voluntary network connecting national authorities responsible for eHealth designated by the Member States and pursuing the objectives laid down in Article 14 of Directive 2011/24/EU;

(b)

‘National Contact Points for eHealth’ means organisational and technical gateways for the provision of Cross-Border eHealth Information Services under the responsibility of the Member States;

(c)

‘Cross-Border eHealth Information Services’ means existing services that are processed via National Contact Points for eHealth and through a core service platform developed by the Commission for the purpose of cross-border healthcare;

(d)

‘eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services’ means the infrastructure that enables the provision of Cross-Border eHealth Information Services via National Contact Points for eHealth and the European core service platform. This infrastructure includes both generic services, as defined in Article 2(2)(e) of Regulation (EU) No 283/2014, developed by the Member States and a core service platform, as defined in Article 2(2)(d) therein, developed by the Commission;

(e)

‘other shared European eHealth Services’ means digital services that may be developed in the framework of the eHealth Network and shared between Member States;

(f)

‘governance model’ means a set of rules concerning the designation of bodies participating in decision-making processes concerning the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services or other shared European eHealth Services developed in the framework of the eHealth Network, as well as description of those processes.

2.   The definitions in points (1), (2), (7) and (8) of Article 4 of Regulation (EU) 2016/679 shall apply accordingly.

Article 3

Membership of the eHealth Network

1.   Members of the eHealth Network shall be Member States’ authorities responsible for eHealth, designated by those Member States participating in the eHealth Network.

2.   Member States wishing to participate in the eHealth Network shall notify the Commission in writing of:

(a)

the decision to participate in the eHealth Network;

(b)

the national authority responsible for eHealth which will become a Member of the eHealth Network, as well as the name of the representative and that of his/her alternate.

3.   Members shall notify the Commission in writing of the following:

(a)

their decision to withdraw from the eHealth Network;

(b)

any change in the information referred to in point (b) of paragraph 2.

4.   The Commission shall make available to the public the list of Members participating in the eHealth Network.

Article 4

Activities of the eHealth Network

1.   In pursuing the objective referred to in Article 14(2)(a) of Directive 2011/24/EU the eHealth Network may, in particular:

(a)

facilitate greater interoperability of the national information and communications technology systems and cross-border transferability of electronic health data in cross-border healthcare;

(b)

provide guidance to Member States, in cooperation with other competent supervisory authorities, in relation to sharing health data between Member States and empowering citizens to access and share their own health data;

(c)

provide guidance to Member States and facilitate the exchange of good practices concerning the development of different digital health services, such as telemedicine, m-health, or new technologies in the area of big data and artificial intelligence, taking into consideration ongoing actions at EU level;

(d)

provide guidance to Member States as regards supporting health promotion, disease prevention and improved delivery of healthcare through better use of health data and by improving digital skills of patients and healthcare professionals;

(e)

provide guidance to Member States and facilitate voluntary exchange of best practices on the investments in digital infrastructure;

(f)

provide guidance, in collaboration with other relevant bodies and stakeholders, to Member States on the necessary use cases for clinical interoperability and the tools for achieving it;

(g)

provide guidance to the Members on security of the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services or other shared European eHealth Services developed in the framework of the eHealth Network, taking into account legislation and documents elaborated at Union level in particular in the area of security, as well as recommendations in the field of cybersecurity, working in close cooperation with the Network and Information Security Cooperation Group and with the European Union Agency for Network and Information Security and with national authorities, where relevant.

2.   In drawing up the guidelines on effective methods for enabling the use of medical information for public health and research referred to in Article 14(2)(b)(ii) of Directive 2011/24/EU, the eHealth Network shall take into account the guidelines adopted by and, where appropriate, consult with the European Data Protection Board. These guidelines may also address information exchanged through the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services or other shared European eHealth Services.

Article 5

Functioning of the eHealth Network

1.   The eHealth Network shall establish its own Rules of Procedure, by simple majority of its Members.

2.   The eHealth Network shall adopt a multiannual work programme and an evaluation instrument on the implementation of such programme.

3.   To accomplish its tasks, the eHealth Network may set up permanent subgroups in relation to specific tasks, in particular related to the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services or the other shared European eHealth Services developed in the framework of the eHealth Network.

4.   The eHealth Network may also set up temporary sub-groups, including with experts to examine specific questions on the basis of terms of reference defined by the eHealth Network itself. Such sub-groups shall be disbanded as soon as their mandate is fulfilled.

5.   When Members of the eHealth Network decide to advance their cooperation in some areas covered by the tasks of the eHealth Network, they should agree on and commit to the rules of the advanced cooperation.

6.   In pursuing its objectives, the eHealth Network shall work in close cooperation with the Joint Actions supporting the activities of the eHealth Network where such joint actions exist, with stakeholders or other concerned bodies or supporting mechanisms and shall take into account the results achieved in the framework of those activities.

7.   The eHealth Network shall elaborate, together with the Commission, the governance models of the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services and participate in that governance by:

(i)

agreeing on the priorities of the eHealth Digital Service Infrastructure, and overseeing their operation;

(ii)

drawing up guidelines and requirements for the operation, including the selection of the standards used for the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services;

(iii)

agreeing whether the Members of the eHealth Network should be allowed to start and continue exchanging electronic health data through the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services via their National Contact Points for eHealth, based on their compliance with the requirements established by the eHealth Network, as evaluated in tests provided and audits carried out by the Commission;

(iv)

endorsing the annual work plan for the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services.

8.   The eHealth Network may elaborate, together with the Commission, the governance models of other shared European eHealth Services developed in the framework of the eHealth Network and participate in their governance. The Network may also set the priorities, together with the Commission, and draw up guidelines for the operation of such shared European eHealth Services.

9.   The Rules of Procedure may envisage that countries, other than Member States, applying Directive 2011/24/EU, may participate in the meetings of the eHealth Network as observers.

10.   Members of the eHealth Network and their representatives, as well as invited experts and observers, shall comply with the obligations of professional secrecy as laid down by Article 339 of the Treaty, as well as with the Commission’s rules on security regarding the protection of EU classified information, as laid down in Commission Decision (EU, Euratom) 2015/444 (13). Should they fail to respect these obligations, the Chair of the eHealth Network may take all appropriate measures as provided for in the Rules of Procedure.

Article 6

Relation between the eHealth Network and the Commission

1.   The Commission shall:

(a)

attend and co-chair the meetings of the eHealth Network together with the representative of the Members;

(b)

cooperate with and provide support to the eHealth Network in relation to its activities;

(c)

provide secretarial services for the eHealth Network;

(d)

develop, implement and maintain appropriate technical and organisational measures related to the core services of the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services;

(e)

support the eHealth Network in agreeing on the technical and organisational compliance of National Contact Points for eHealth with the requirements for the cross-border exchange of health data by providing and carrying out the necessary tests and audits. Experts from the Member States may assist Commission auditors.

2.   The Commission may attend the meetings of the eHealth Network sub-groups.

3.   The Commission may consult the eHealth Network on matters relating to eHealth at Union level and eHealth best practices exchange.

4.   The Commission shall make available to the public information on activities carried out by the eHealth Network.

Article 7

Data protection

1.   The Member States, represented by the relevant National Authorities or other designated bodies shall be regarded as controllers of personal data they process through the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services and shall clearly and transparently allocate the responsibilities between controllers.

2.   The Commission shall be regarded as data processor for patients’ personal data processed through the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services. In its capacity as processor, the Commission shall manage the core services of the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services and shall comply with the obligations of a processor laid down in the Annex to this Decision. The Commission shall not have access to patients’ personal data processed through the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services.

3.   The Commission shall be regarded as controller of the processing of personal data necessary to grant and manage access rights to the core services of eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services. Such data are contact details of users, including name, surname and email address and their affiliation.

Article 8

Expenses

1.   Participants in the activities of the eHealth Network shall not be remunerated by the Commission for their services.

2.   Travel and subsistence expenses incurred by participants in the activities of the eHealth Network shall be reimbursed by the Commission in accordance with the provisions in force within the Commission on reimbursement of expenses incurred by people from outside the Commission invited to attend meetings in an expert capacity. Those expenses shall be reimbursed within the limits of the available appropriations allocated under the annual procedure for the allocation of resources.

Article 9

Repeal

Implementing Decision 2011/890/EU is repealed. References to the repealed Decision shall be construed as references to this Decision.

Article 10

Addressees

This Decision is addressed to the Member States.

Done at Brussels, 22 October 2019.

For the Commission

Vytenis ANDRIUKAITIS

Member of the Commission


(1)  OJ L 88, 4.4.2011, p. 45.

(2)  Commission Implementing Decision 2011/890/EU of 22 December 2011 providing the rules for the establishment, the management and the functioning of the network of national responsible authorities on eHealth (OJ L 344, 28.12.2011, p. 48).

(3)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(4)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).

(5)  Regulation (EU) No 1316/2013 of the European Parliament and of the Council of 11 December 2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010 (OJ L 348, 20.12.2013, p. 129).

(6)  Communication from the Commission on enabling the digital transformation of health and care in the Digital Market; empowering citizens and building a healthier society, COM (2018) 233 final, p. 7.

(7)  Council conclusions on Health in the Digital Society making progress in data — driven innovation in the field of health, 2017/C 440/05, paragraph 30.

(8)  Regulation (EU) No 283/2014 of the European Parliament and of the Council of 11 March 2014 on guidelines for trans-European networks in the area of telecommunications infrastructure and repealing Decision No 1336/97/EC (OJ L 86, 21.3.2014, p. 14).

(9)  Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).

(10)  Commission Recommendation (EU) 2019/243 of 6 February 2019 on a European Electronic Health Record exchange format (OJ L 39, 11.2.2019, p. 18).

(11)  https://ec.europa.eu/health/sites/health/files/ehealth/docs/ev_20190611_co922_en.pdf

(12)  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).

(13)  Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information (OJ L 72, 17.3.2015, p. 53).


ANNEX

Responsibilities of the Commission as data processor for the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services

The Commission shall:

1.

Set up and ensure a secure and reliable communication infrastructure that interconnects networks of the Members of the eHealth Network involved in eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services (‘Central Secure Communication Infrastructure’). To fulfil its obligations, the Commission may engage third parties. The Commissions shall ensure that the same data protection obligations as set out in this Decision apply to these third parties.

2.

Configure part of the Central Secure Communication Infrastructure so that the National Contact Points for eHealth may exchange information securely, reliably and efficiently.

3.

The Commission shall process the personal data on documented instructions from the Controllers.

4.

Take all organisational, physical and logical security measures to maintain the Central Secure Communication Infrastructure. To this end, the Commission shall:

(a)

designate a responsible entity for the security management at the level of Central Secure Communication Infrastructure, communicate to the data controllers its contact information and ensure its availability to react to security threats;

(b)

assume the responsibility for the security of the Central Secure Communication Infrastructure;

(c)

ensure that all individuals that are granted access to Central Secure Communication Infrastructure are subject to contractual, professional or statutory obligation of confidentiality;

(d)

ensure that the personnel having access to classified information fulfil the corresponding criteria of clearance and confidentiality.

5.

Take all necessary security measures to avoid compromising the smooth operational functioning of the other’s domain. To this end, the Commission shall put in place the specific procedures related to the connection to the Central Secure Communication Infrastructure. This information includes:

(a)

risk assessment procedure, to identify and estimate potential threats to the system;

(b)

audit and review procedure to:

(i)

check the correspondence between the implemented security measures and the security policy in application;

(ii)

control on a regular basis the integrity of system files, security parameters and granted authorisations;

(iii)

monitor to detect security breaches and intrusions;

(iv)

implement changes to avoid existing security weaknesses and

(v)

define the conditions under which to authorise, including at the request of controllers, and contribute to the performance of independent audits, including inspections, and reviews on security measures.

(c)

change control procedure to document and measure the impact of a change before its implementation and keep the National Contact Points for eHealth informed of any changes that can affect the communication with and/or the security of the other national infrastructures;

(d)

maintenance and repair procedure to specify the rules and conditions to follow when maintenance and/or repair of equipment should be performed;

(e)

security incident procedure to define the reporting and escalation scheme, inform without delay the responsible national administration, as well as the European Data Protection Supervisor of any security breach and define a disciplinary process to deal with security breaches.

6.

Take physical and/or logical security measures for the facilities hosting the Central Secure Communication Infrastructure equipment and for the controls of logical data and security access. To this end, the Commission shall:

(a)

enforce physical security to establish distinctive security perimeters and allowing detection of breaches;

(b)

control access to the facilities and maintain a visitor register for tracing purposes;

(c)

Ensure that external people granted access to premises are escorted by duly authorised staff of its respective organisation;

(d)

ensure that equipment cannot be added, replaced or removed without prior authorisation of the designated responsible bodies;

(e)

control access from and to other network(s) interconnected to the Central Secure Communication Infrastructure;

(f)

ensure that individuals who access the Central Secure Communication

Infrastructure are identified and authenticated;

(g)

review the authorisation rights related to the access to the Central Secure Communication Infrastructure in case a security breach affecting this infrastructure;

(h)

keep the integrity of the transmitted information through the Central Secure Communication Infrastructure;

(i)

implement technical and organisational security measures to prevent unauthorized access to personal data;

(j)

implement, whenever necessary, measures to block unauthorised access to the Central Secure Communication Infrastructure from the domain of National Contact Points for eHealth (i.e.: Block a location/IP address).

7.

Take steps to protect its domain, including the severing of connections, in the event of substantial deviation from the principles and concepts for quality or security.

8.

Maintain a risk management plan related to its area of responsibility.

9.

Monitor — in real time — the performance of all the service components of its Central Secure Communication Infrastructure services, produce regular statistics and keep records.

10.

Provide support for all Central Secure Communication Infrastructure services in English 24/7 via phone, mail or Web Portal and accept calls from authorised callers: Central Secure Communication Infrastructure’s coordinators and their respective helpdesks, Project Officers and designated people from the Commission.

11.

Support the controllers by providing information concerning the Central Secure Communication Infrastructure of the eHealth Digital Service Infrastructure for Cross-Border eHealth Information Services, in order to implement the obligations in Articles 35 and 36 of the Regulation (EU) 2016/679.

12.

Ensure that data transported within the Central Secure Communication Infrastructure are encrypted.

13.

Take all relevant measures to prevent that the Central Secure Communication Infrastructure’s operators have unauthorised access to transported data.

14.

Take measures in order to facilitate the interoperability and the communication between the Central Secure Communication Infrastructure’s designated national competent administrations.


Top