(1)

Commission Regulation (EC) No 1663/95 (2) provides in particular for guidelines for criteria for accreditation of the paying agencies of the Member States.

(2)

The responsibility for checking the European Agricultural Guidance and Guarantee Fund (EAGGF) Guarantee Section expenditure lies in the first place with the Member States. In carrying out this task, Member States must ensure that a high level of security is attained in the paying agencies’ information systems. To this end, procedures for ensuring the security of information systems should be in place when a paying agency is first accredited and afterwards.

(3)

During the clearance of the accounts, the Commission is able to determine the total expenditure to be entered against the Guarantee Section in the general account only if it has satisfactory assurance that national controls are adequate and transparent, including those regarding the security of the paying agencies’ information systems. Provision should therefore be made for a security statement to be drawn up by the certifying bodies in the framework of the attestation on annual accounts on the basis of internationally accepted security standards.

(4)

A reasonable period of time should be afforded to Member States to adapt internal rules and procedures for providing a security statement for the paying agencies’ information systems.

(5)

Provision should be made for the paying agencies to send to the Commission the accounts and all related documents in an electronic format, in order to facilitate further analysis of that information.

(6)

The practice of delegating information systems management to third parties is becoming increasingly common and paying agencies should be allowed to provide for such delegations under the same conditions as the authorisation function and/or the technical service may be delegated.

(7)

Regulation (EC) No 1663/95 should therefore be amended accordingly.

(8)

The measures provided for in this Regulation are in accordance with the opinion of the Fund Committee.

1.

Article 1 is amended as follows:

2.

In Article 3(1), the following subparagraphs are added:

‘As of financial year 2008 at the latest, the certifying body shall further provide, before the date referred to in the third subparagraph, a statement as to the information systems security measures put in place by the paying agency. The statement shall be based on a version applicable in the financial year concerned of the chosen internationally accepted security standards referred to in point 6(vi) of the Annex to this Regulation, serving as the basis for the security measures, and shall indicate whether, for the financial year concerned, effective security measures were in place.

For the financial years preceding that for which the first statement on the security of the paying agency’s information systems is drawn up, the certifying body shall, in its report of its findings, include comments and provisional conclusions, using a scoring mechanism, as to the information systems security measures put in place by the paying agency. The report shall be based on a version applicable in the financial year concerned of the chosen internationally accepted security standards referred to in point 6(vi) of the Annex to the present Regulation, serving as the basis for the security measures, and shall indicate as to what extent, for the financial year concerned, effective security measures were in place’.

3.

Article 4(2) is replaced by the following:

4.

The Annex is amended in accordance with the Annex to this Regulation.