Official Journal of the European Union, C 263, 26 July 2023

ISSN 1977-091X

English edition, Information and Notices, Volume 66

Contents

II   Information

INFORMATION FROM EUROPEAN UNION INSTITUTIONS, BODIES, OFFICES AND AGENCIES

European Commission

2023/C 263/01   Communication from the Commission – Towards a Common European Tourism Data Space: boosting data sharing and innovation across the tourism ecosystem (page 1)

IV   Notices

NOTICES FROM EUROPEAN UNION INSTITUTIONS, BODIES, OFFICES AND AGENCIES

Council

2023/C 263/02   Notification by the European Union made in accordance with the Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part (page 14)

European Commission

2023/C 263/03   Euro exchange rates – 25 July 2023 (page 15)

European External Action Service

2023/C 263/04   Decision of the High Representative of the Union for Foreign Affairs and Security Policy of 19 June 2023 on the security rules for the European External Action Service (page 16)

NOTICES FROM MEMBER STATES

2023/C 263/05   List of natural mineral waters recognised by Member States, United Kingdom (Northern Ireland) and EEA countries (page 74)

V   Announcements

PROCEDURES RELATING TO THE IMPLEMENTATION OF COMPETITION POLICY

European Commission

2023/C 263/06   Prior notification of a concentration (Case M.11100 – MUTARES / WALOR INTERNATIONAL) – Candidate case for simplified procedure (1) (page 153)

OTHER ACTS

European Commission

2023/C 263/07   Publication of an approved standard amendment to a product specification of a protected designation of origin or protected geographical indications in the sector of agricultural products and foodstuffs, as referred to in Article 6b(2) and (3) of Commission Delegated Regulation (EU) No 664/2014 (page 155)

(1)   Text with EEA relevance.


COMMUNICATION FROM THE COMMISSION

Towards a Common European Tourism Data Space: boosting data sharing and innovation across the tourism ecosystem

(2023/C 263/01)

TABLE OF CONTENTS

1.   INTRODUCTION
1.1.   A data space serving all stakeholders in the tourism ecosystem
1.2.   The challenges of sharing tourism-related information
1.3.   Objective of the common European data space for tourism
2.   KEY ENABLERS FOR THE COMMON EUROPEAN DATA SPACE FOR TOURISM
2.1.   Governance
2.2.   Semantics for interoperability
2.3.   Technical standards for interoperability
2.4.   The role of the private sector
2.5.   Support for SMEs in the transition towards a data space
2.6.   Support for destinations in the transition towards a data space
2.7.   Testing a use case for the tourism data space
3.   NEXT STEPS TOWARDS THE COMMON EUROPEAN TOURISM DATA SPACE
4.   CONCLUSION

1.   INTRODUCTION

This Communication presents the journey towards the common European data space for tourism, which involves all stakeholders in the tourism ecosystem: Member States, local and regional authorities, and the private sector as well as the EU institutions.

The data space provides the tourism ecosystem with a key tool in supporting its transition towards more sustainability and deeper digitalisation, as foreseen in the Transition Pathway for Tourism (1) (2022), and in full alignment with the European strategy for data (2020) (2).

The European strategy for data introduced common European data spaces in key economic sectors and domains of public interest (3) as essential policy developments to empower both public and private sectors with the value of data, for the benefit of the European economy and society. The Council Conclusions of 25 March 2021 (4) supported the development of the data spaces. By combining legislative, policy and funding measures, the data strategy aims at creating a single European data space, a genuine single market for data where information can flow across sectors and borders and be shared and used to boost innovation.

In line with this, in June 2022 the Communication from the Commission on the Conference on the Future of the EU mentioned both the tourism and the mobility data spaces as ‘new areas of action to consider’ for the EU to embrace a digital transformation.

Tourism is particularly sensitive to the opportunities of a European single market for data because it is a sector thriving on users’ experiences, which are varied and constantly evolving. As a result, it is a versatile sector when it comes to data, both generated and shared. Private and public actors alike understand that information is key and are showing great interest in data, but with varying degrees of maturity, understanding and skills to tap the potential of information, which is highly diverse, fragmented, and often dormant in silos. A common European data space will provide the ecosystem with more quality data to be shared, used and accessed by more stakeholders, which will feed into innovative services and solutions.

In the tourism sector there is reluctance on the part of businesses and destinations to share data without a guarantee of reciprocity and an understanding of how data might be reused, by whom and for which purpose. The administrative burdens associated with new practices also weigh heavily on small organisations. The common European data space for tourism does not aim at regulating data sharing in the sector. Nor does it set obligations for data providers or users to collect specific data. The common European data space for tourism aims at increasing data sharing and reuse in the sector by shaping a data governance model, based on respect of existing EU and national legislation on data, which will increase fairness by making sure that all the stakeholders involved benefit from the new value created by more data being shared and used. Furthermore, thanks to the development of technical and interoperable infrastructures, this data space will benefit from data being shared in other data spaces.

The Transition Pathway for Tourism introduced the need for a ‘technical implementation for tourism data space’ (Topic 14). Endorsed by the Council Conclusions of 1 December 2022, where Member States set out a European Agenda for Tourism 2030 (5), the Transition Pathway for Tourism is currently in its co-implementation phase, and this Communication details how it means to progress towards a data space for tourism.

1.1.   A data space serving all stakeholders in the tourism ecosystem

By growing organically, in small steps proportionate to the voluntary involvement and the needs of the tourism stakeholders, the common European data space for tourism will allow datasets to be shared with broader audiences, and will allow users (such as business intermediaries, destination managers, tourism service providers, and innovative data analysis SMEs) to access information from more diverse sources. The European Commission supports Member States and all stakeholders in the development of a common European data space that serves all parties, which is the responsibility of the tourism ecosystem as a whole.

Public authorities in Member States, at national and local level, will be affected positively by the interoperability framework set up by a common European data space for tourism, as demonstrated by their request to the European Commission (6) for a tool to monitor the green and digital transitions and resilience of the tourism ecosystem, which resulted in the EU Tourism Dashboard developed by the Joint Research Centre of the European Commission. In several instances, Member States (Austria, Italy, Spain, Slovenia, Greece) are also developing their own national data spaces. The Commission welcomes these initiatives and looks to build synergies among them to develop EU standards and models for data sharing, in full respect of existing EU and national legislation and EU principles (see 2.1).

The data space for tourism needs to support SMEs. SMEs account for almost all enterprises in tourism (99,9 %); 91 % of these SMEs are micro-enterprises (7). Small stakeholders, such as restaurants and family hotels, lack the time, skills and resources to search for and access data useful for tourism strategy and management, in particular when it is created by different providers and presented and governed in various manners. A single reference point for data availability can help businesses, such as hotels and restaurants, or travel operators, improve and innovate their services based on updated, high quality information, particularly if it is accompanied by support measures (see 2.5) or services. An example of how this can play out is outlined in the box below.

SMEs and larger companies providing data analytics services to business and other actors have an immediate interest in relying on an organised pool for data sharing and accessing information from different sources and sectors. Similarly, SMEs specialising in AI tools would benefit by tapping new tools to personalise tourism services based on the available offer and other types of information. The tourism data space will directly support their data-based services.

The same challenges are shared by Destination Management Organisations (DMOs). The role of DMOs (who can be private bodies, or national, regional, or local authorities) is progressively evolving from a marketing role towards that of management and planning of sustainable offers for travellers, with lasting economic and social benefits also for the resident community at large. Fulfilling this role requires a wealth of information, such as data from transport companies, urban services and cultural departments, public and private organisers of events, even information on the tourism offer and on the political priorities of regional authorities and neighbouring regions, to name but a few examples.

In their role, DMOs may also be data collectors and holders; as such, a common European data space for tourism, on the basis of existing and upcoming EU legislation on data (see 1.3), can support them in making better and more interoperable use of the data they collect, and not just in gaining access to more information. As an example, DMOs and public authorities across the EU could make available key monitoring information on tourism at local level, thereby showcasing key features of the destination and their progress on the green and digital transition.

Concrete example of the benefits provided by data sharing to business and DMOs

A small agency, or tour operator, may need to prepare an offer for potential customers based on the accommodation capacity of a territory, which may include cities, and more remote rural destinations. Across regions or between municipalities, however, different destinations, even of a similar size, define accommodation capacity in different ways. One defines it as number of nights, the other as number of beds. One may include short-term rentals options, the other may only provide hotel information. Or, they may have different definitions of points of interest or events of interest, based on the choice and strategy of local DMOs. By offering meta-data descriptions, ideally based on existing harmonised concepts and definitions, taxonomies and classifications and geospatial disaggregation already applied in official statistics, a data space could ensure that the same definition is adopted by all data sets and sources, so the travel agent connected, or relying on external support for data analysis, can estimate their offer accurately.

As natural partners to a data space, national and Union level statistical bodies play a pivotal role, making official statistics available free of charge, supporting the interoperability within and across statistical domains, and enabling the reuse of the existing data for the production of innovative or enhanced official statistics, possibly supporting regulatory reporting needs.

A better, more personalised, and more sustainable tourism offer, accompanied by consistent support policy measures at national, regional and local level, is key for Europe to remain the most visited tourism destination in the world in an innovative and sustainable manner, and, as explained below in more detail, the tourism data space can facilitate this outcome. Data can help identify, measure and improve the impact of tourism on sustainability. Examples include data on hotels’ energy consumption, renewable energy certificates, water consumption and wastewater processing. Agro-food traceability tools can also support local supply chains, thereby lowering the environmental impact of the restaurant sector while supporting rural tourism. Another example of the benefits of sharing data across domains and sectors is the interoperability between the European tourism data space and the European health data space. Sharing electronic health data can be extremely helpful for both the traveller and the host country to plan and propose adequate healthcare support.

As such, the benefits provided by enhanced data sharing would impact the market as a whole, including large platforms which are the primary data holders of tourism-related commercial data.

1.2.   The challenges of sharing tourism-related information

The tourism sector faces three specific challenges regarding data sharing, which need to be tackled by the key enablers of the common European data space for tourism (see paragraph 2):

1.   Interoperability of data

Designing, managing, and offering a tourism experience, for decision-making or innovation purposes, requires a variety of non-personal data. A distinctive feature of the tourism sector is that any data domain could potentially be useful to set up a tourism experience (e.g. mobility, energy, environment, cultural heritage, urban planning, health, etc.), albeit with key sets of non-personal data being of particular interest to operators. Extensive consultations of stakeholders carried out by the European Commission between 2021 and 2023 have identified datasets particularly relevant for the operators (depending on the use case and the purpose of data collection): accommodation availability and demand; travelling opportunities and demand; environmental and social impact of tourism; and offer and market trends. The key challenge is therefore to share and compare information from different sources, avoiding overlaps and duplicates to the greatest possible extent, within a framework of interoperability that is shared with other sectoral data. Where possible, standards that are already in use and widespread among stakeholders could be explored (see 2.3).

2.   Access to data

The EU tourism ecosystem does not have a common market platform: offers are modelled and catalogued both by private operators and by public authorities at national, regional and local levels, creating a diverse, rich, and multilingual landscape, and bookings are managed both through platforms (large and small) and independently by providers. While the common EU tourism data space does not act as a market operator (i.e. it will neither allow nor centralise bookings), it may offer operators searchability tools for information (see 2.2).

3.   Provision of data by public and private stakeholders

Data can be open (for example schedules, traffic and weather information, or data extracted from web browsing), but it can also be private, commercial and sensitive. To the extent personal data are shared, all stakeholders must comply with the General Data Protection Regulation (GDPR) (8). Commercial data, which comprises the bulk of information related to bookings, travelling, web searches and payments, is held by a small number of large actors, who need to be included in the discussion about rules governing data access within the data space.

The principle of the value of data should be balanced by a governance model that gives immediate access to data to the best possible extent. This requires the joint effort of all stakeholders, with the provision that the tourism data space should not be used as a marketplace for advertising samples of privately held packages. The primary goal of the data space is to support all stakeholders in the ecosystem in a fair and inclusive manner.

The potential of an effective space for data flow is directly related to the participation of as many stakeholders as possible, not only as users, but also as data providers. As such, incentives could be explored for large private operators to share their information, or parts of it, on the common European data space. As an example, beyond the principle of data altruism (9) as defined in the Data Governance Act, these incentives can take the form of agreed access conditions: different sharing schemes and models, limited or applicable to given data sets, which can change over time; given days of the week, quarters, or other time periods; and/or available for a fee or as a combination of open and pay-for non-personal data. This is work in progress, which relies on both a concerted effort and the shared understanding that a balance must be found between transparency of rules and respect of commercial interests (10). However, in line with the proposal for the Data Act, this should not affect the access to and use of information in the data space for the production of official statistics.

Additionally, producing data streams is time and resource consuming. SMEs and smaller DMOs, as well as public authorities, would find it cumbersome to adopt interoperability standards for data sets already in place. As such, solutions need to be explored to lighten the administrative burden on smaller public and private operators.

1.3.   Objective of the common European data space for tourism

The objective of the data space for tourism is to combine technical standards for interoperability with a governance structure which invites and allows public and private stakeholders to join efforts to increase data sharing across data domains, as well as across sectoral data spaces, and data use in the sector. This, in turn, may greatly benefit the tourism ecosystem and support specific objectives, such as:

fostering innovation in the sector for business and for DMOs in creating, improving and personalising services and offers, through access to more quality information, which is not only shared but also easier to find;

supporting public authorities in making decisions for the sustainability of their tourism offer, marketing and management based on a variety of relevant data;

supporting specialised companies in providing better services to the market in terms of data analysis, indexes, and market trends;

allowing SMEs or small DMOs to share their data and information related to services and offers with an EU-wide data sharing framework;

improving the availability of data sources for producing statistical information for policy makers, for businesses or for the public interest, fostering integration with, and enhancement of, existing official statistics.

Following the adoption of the European Strategy for data, the European Commission set out key design principles and features for all common sectoral data spaces in the Staff Working Document on Common European Data Spaces (2022) (11): data control, respect of EU rules and values, technical data infrastructure, governance, interoperability, and openness.

The Data Governance Act (12) and the proposal for the Data Act (13) (adopted by the European Commission in February 2022) support these design principles by elaborating a set of EU common approaches to establish trust and ensure fairness among stakeholders as regards the effectiveness of sharing data.

The Data Governance Act aims to foster the availability of data for use by increasing trust in data intermediaries and by strengthening data-sharing mechanisms across the EU, and, among others, also sets the goal to create EU-wide common, interoperable data spaces in strategic sectors aimed at overcoming legal and technical barriers to data sharing.

The proposal for the Data Act aims to ensure a fair allocation of value in the data economy and to facilitate the use of and access to data generated by connected objects, especially for those contributing to the data generation. The Data Act foresees dedicated tools to facilitate interoperability, including within and between data spaces. It sets out essential requirements concerning various elements relevant for the data spaces, including a mandate to ask standardisation organisations to develop harmonised standards.

The General Data Protection Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. The GDPR provides for general conditions that must be respected when personal data are collected, shared and re-used.

In addition, further to the Directive on open data and the re-use of public sector information (14), the European Commission laid down a list of specific high-value datasets (HVDs) and the arrangements for their publication and re-use (15). Some of this data (geospatial, Earth observation and environment, meteorological, mobility) can be relevant for developing or monitoring tourism services and policies.

The Interoperable Europe Policy fosters interoperability of data within and across data spaces, by encouraging legal, operational and technical/semantic alignments, through the use of for example reference architectures, semantic tools, data models and APIs. Several of these solutions will also become part of the Data Spaces Support Centre’s toolbox and will also be discussed in the European Data Innovation Board (see below). The proposal for the Interoperable Europe Act (16) will strengthen interoperability by further encouraging the use of these interoperability solutions, which should help the tourism data space benefit from data coming from different sources.

This architecture, under which data sharing is shaped, provides essential support to the tourism sector as it lays out clear rules for both EU and non-EU data providers and operators. Data sharing is also the object of a number of key sectoral legislative initiatives with a clear and strong impact on the tourism sector.

The proposed Regulation on short-term accommodation rentals (STR) (17) allows competent authorities to share STR activity data with ‘entities or persons carrying out scientific research, analytical activities or developing new business models’.

The EU-wide Multimodal Travel Information Services (MMTIS) Delegated Regulation (18) requires information data to be made accessible on National Access Points. This obligation applies to scheduled transport in all modes (urban public transport, rail, air, ferries) as well as alternative modes (such as car sharing and rental pooling) and individual means of transport, such as cycling. Data only need to be made accessible when they exist in a digital format. The data in scope of the obligation include: information data on timetables, standard prices, location of stations (access nodes) and certain infrastructure data (including for cycling).

As regards data to develop services that can facilitate booking and payment, the new initiative on Multimodal Digital Mobility Services (MDMS) (19) will create sharing obligations which, as is the case with MMTIS, will translate into the tourism data space. The proposal will look at obligations for certain operators to enter into agreement with third parties. This is to ensure that online ticket services can facilitate multimodality, by enabling passengers to compare and access offers in an easy and transparent way.

The EU Regulation on platform-to-business relations (P2B Regulation) (20) aims to ensure a fair, transparent and predictable treatment of business users by online intermediation services.

The common European data space for tourism aims at incorporating these requirements and principles, to avoid fragmented implementation by stakeholders. The added value of a common European data space for tourism will also lie in the support from the European Commission and other bodies. While a one-size-fits-all approach cannot meet the specific needs of each vertical sector or domain, it will nevertheless be key to identify cross-sector commonalities and to develop, where possible, common concepts, models and building blocks that can be used across various sectors or domains. As mentioned, commonalities and synergies are particularly relevant for the tourism sector. The European Data Innovation Board (EDIB), established by the Data Governance Act, will issue guidelines and identify the relevant standards and interoperability requirements for cross-sector data sharing. The Data Space Support Centre (DSSC), a project funded by the Digital Europe Programme (DEP), will cooperate with the EDIB on the work on the common European data spaces and will be tasked with coordinating all relevant actions on those.

2.   KEY ENABLERS FOR THE COMMON EUROPEAN DATA SPACE FOR TOURISM

In a complex ecosystem such as tourism, where useful information comes from different domains and sectors, and the economic actors are almost exclusively SMEs, with vast data domains held by few large platforms, enabling data sharing requires the combination and the balance of a number of factors.

This challenge is being addressed by two Coordination and Support Actions (CSA) funded under DEP in 2022 (21). The CSAs gather two public-private consortia with the objective of providing the European Commission with an updated map of relevant public and private initiatives, an in-depth analysis of the key enablers of a data space for tourism, and, importantly, a blueprint for its deployment. Working in synergy, the two CSAs run from November 2022 to November 2023, and will set the ground for the work on the tourism data space, building on the existing framework for European statistics on tourism. They will add substantial information to all aspects related to the context and the governance of the common European tourism data space, and the next steps for its development.

By supporting this work and earmarking an additional EUR 8 million in the 2023-2024 DEP Work Programme, the European Commission is committed to working in partnership with public and private actors of the tourism ecosystem to gather from them the needs of the market and the sector, both in terms of data sharing framework, and of the pace with which to put it in place.

2.1.   Governance

The governance of the tourism data space will determine how the key enablers for interoperability will be implemented and interact with each other, with the objective of ensuring that data is accessed, shared and used in a lawful, fair, transparent, proportionate and non-discriminatory way. To model it, the two Coordination and Support Actions funded by DEP will take into account the existing guidelines both at EU and national level, from public and private actors. This will be done within the remit of both the European Strategy for data, and of the Transition Pathway for Tourism.

In 2022, the European Commission set out key design principles and features for all common sectoral data spaces: (22) data control, respect of EU rules and values, technical data infrastructure, governance, interoperability, openness and cybersecurity (23). Additionally, the Code of Conduct on data sharing in tourism (2023), elaborated by private stakeholders with the support of the European Commission (see 2.4), sets out a list of specific principles to take into account in a data sharing agreement: data usage rights, value of data and remuneration, intellectual property, transparency principles with security, liability, privacy and data protection (24) and ethics.

The Transition Pathway for Tourism identifies actions at EU, national and regional level to support data sharing in the sector:

Build trust between relevant tourism stakeholders and provide strategic support on how to effectively use mutually beneficial data sharing partnerships in the tourism industry. [Topics 9, 14, 15]

Support tourism businesses to innovate, improve and expand their services and authorities/destinations manage tourism flows better, based on more easily available tourism-relevant data from diverse sources. [Topics 10, 14, 15, 16]

Facilitate the research and innovation in the tourism ecosystem towards more environmentally friendly services, by making data available for different types of actors, including consumers. [Topics 13, 15, 26]

The informal Commission expert group Together for EU Tourism (T4T) (25), comprising experts from the public and private sector, assists the Commission in implementing these actions, namely, in the preparation of policy initiatives, in supporting the cooperation of all stakeholders in the ecosystem as regards the implementation of legislation, actions, programmes and policies, and in bringing about an exchange of good practices. In particular, the subgroup working on the digital transition of the tourism sector will monitor and support the implementation of all actions related to data sharing and the digitalisation of the sector, contributing to the stocktaking exercise on an annual basis.

At the same time, given that competence for tourism policy and management lies at national level, and in some Member States at regional level, or both, the European Commission, national and regional governments as well as private stakeholders need to work jointly to support the development of the data space. The new implementing instrument called European Digital Infrastructure Consortia (EDIC) could provide the solution for deploying and operating the common European tourism data space. Based on the new opportunities provided by the Digital Decade Policy Programme 2030 (26), Member States could also explore the potential of setting up an EDIC for the creation and management of the common European tourism data space.

2.2.   Semantics for interoperability

Common data models and vocabularies are needed to achieve minimal interoperability. Administrations and agencies at national, regional and local level, which aggregate and build services around tourism data, all face the same challenges, while seeing the same opportunities with regard to semantics. National statistical institutes and Eurostat have commonly agreed definitions for official statistics. However, the adoption of these definitions by other tourism stakeholders is not automatic.

Expressing the ‘capacity’ of accommodation is an example: one provider might describe it by how many individuals a hotel can host, whereas another interprets the figure as how many beds are offered. This example highlights the need to clarify the definitions and boundaries of key concepts commonly used by the tourism sector, to support any data sharing initiative of private and public actors. Not only should models and definitions be aligned; as a user-oriented service, tourism needs to use definitions that respect multilingualism requirements in the EU: while content is provided in the user’s language, the meta-data and classifications that help to find content also need to be adapted to the user’s language, to provide a better user experience and avoid discrimination.

As such, common data model(s) at European level, like, for example, existing data models to share information about passenger transport, would be highly valuable. The exact scope of the model(s) is to be defined by the preparatory work in 2023 (see paragraph 3), but the approach should be pragmatic and build upon existing specifications (27). The creation of guidelines and support on how to implement this model, to guarantee the compliance of various actors at different levels, is also key. The role of the Data Space Support Centre will be essential in this respect.

2.3.   Technical standards for interoperability

The Data Space Support Centre is working towards identifying common technical standards, taking into account the existing initiatives and regulatory framework and the work of standardisation development organisations. All data spaces will also benefit from Simpl, the middleware that will enable cloud-to-edge federations and support all major data initiatives funded by the European Commission, which is in the process of being launched (28).

It should be noted that the Data Act will empower the Commission to intervene where a lack of standards is identified. The Communication from the Commission ‘An EU Strategy on Standardisation: setting global standards in support of a resilient, green and digital EU single market’ (29) emphasises the direct relation between the success of European actors in standardisation at international level and Europe’s competitiveness, technological sovereignty, and protection of EU values. One of the priority areas identified is ‘data standards enhancing data interoperability, data sharing and data re-use in support of the Common European Data Spaces’.

The European Statistical System, the partnership between Eurostat and the national statistical authorities, has developed and maintains a systematic framework for the development, production and dissemination of European statistics on tourism, laid down in Regulation (EU) No 692/2011 (30). Because joint classifications and taxonomies are used across statistical domains, guaranteeing semantic interoperability, data on the capacity and occupancy of tourist accommodation or data on the characteristics of tourism trips can be combined with other areas of statistics, creating meaningful indicators. Additionally, a set of technical standards for sharing accommodation data with the private sector, namely with international online platforms, has already been set up by Eurostat (31).

2.4.   The role of the private sector

The common European data space for tourism will be born into a thriving market for services. Businesses and data intermediaries provide a crucial service to the EU tourism ecosystem and show great interest in a common European data space. Some platforms are already sharing sets of their accommodation data with Eurostat, on a voluntary and regular basis, for the purpose of producing European statistics.

The private sector is working towards non-personal data sharing agreements which can generate privately-owned data spaces in the tourism sector. The European Commission welcomes these initiatives and commits to support them with the objective to ensure that synergies are drawn between them and the common EU tourism data space. The online stakeholder support platform for tourism of the European Commission, operational in 2024, will be instrumental to this effort (see paragraph 3).

Developed by a group of stakeholders at EU level and adopted in March 2023, the Code of Conduct for data sharing in tourism (32) aims at supporting trust between stakeholders – mostly SMEs – wishing to draw contractual agreements to share information, as well as providing general guidance, with examples and a checklist for stakeholders interested in sharing data, on how to build mutually beneficial data sharing relationships in tourism. The European Commission invites European tourism actors to publicly commit to the guidelines.

The private sector can also play a key role in complementing the common EU tourism data space, principally by providing SMEs and destinations with user-friendly tools. These can take the form of a platform, an app, or pay-for analytics and business support services, bridging the gap between the framework for interoperability set out at EU level, and the need for immediate, uncomplicated use and re-use of data.

2.5.   Support for SMEs in the transition towards a data space

As announced in the Communication ‘The SME Strategy for a Sustainable and Digital Europe’ (33) and in line with the EU strategy for data, the European Commission provides support to SMEs across sectors through the Digital Innovation Hubs and the Enterprise Europe Network (EEN), working in synergy.

European Digital Innovation Hubs (EDIH) (34) are one-stop-shops supporting companies and public sector organisations in responding to digital challenges and becoming more competitive. The EDIHs provide access to technical expertise and give SMEs the opportunity to test solutions before an investment needs to be made. EDIHs provide financing advice, training and skills development in a user-friendly and targeted manner. Some EDIHs are specialised on tourism, but through the network all of them have the ability to help SMEs make use of infrastructures and initiatives like the common European data spaces.

The Enterprise Europe Network Sector Group Tourism (SGT) is composed of 61 members from 23 different countries, collaborating on a steady basis to support the tourism ecosystems in their territories. The objective of the SGT is to support and increase SMEs’ competitiveness and resilience by providing high-quality advice and supporting their internationalisation. The focus is on EU funding possibilities, technology transfer and business opportunities, supported by specific targeted communication and promotion activities. Digitalisation is one of its focus activities, and within this broad spectrum the SGT supports ambitious growth-oriented SMEs in accessing information and making the best possible use of it.

2.6.   Support for destinations in the transition towards a data space

Destinations (such as cities, rural communities or broader territories) are complex players that need to integrate tourism management into their urban and local planning, to ensure that the impact of tourist flows is not only beneficial to residents, but also sustainable for both the community and the environment. Several initiatives carried out by the Commission can have a positive impact on the availability of useful information for tourism management and development, and the Commission will ensure that synergies are maintained across networks so that the digital transition of the public sector is consistent. The stakeholder collaboration platform, which the Commission will launch in 2024 to support the co-implementation of the Tourism Transition Pathway, will offer a single entry point for all information useful to tourism stakeholders as regards EU and national policies and measures, as well as for the exchange of good practices.

By the same token, these avenues of direct cooperation across destinations and between destinations and the Commission will guarantee that local specificities and requirements are taken into account in the development of the common EU tourism data space:

The Minimal Interoperability Mechanisms developed by and for cities and communities in the living-in.eu movement (35) can provide important support to the common European data space for tourism, as they tackle interoperability solutions for these ecosystems;

Intelligent Cities Challenge (36) is a European Commission initiative supporting European cities in the green and digital transition of their local economies, based on networking, exchange of good practices, expert support and the activation of the private sector.

The Urban Agenda for the EU (37) will also earmark funds to support tourism in urban destinations, with a particular focus on the sustainability of the offer. A new partnership on sustainable tourism under the Urban Agenda for the EU (38), launched in December 2022, can also propose concrete actions on improving digital services of urban destinations.

The official portal of EU data (39) gathers all public information regarding EU laws, publications, procurement notices, and any other form of open data. It is a database which can be of support to all sectoral data spaces.

The Tourism Flagship (40) under the Technical Support Instrument 2022 edition (41) is supporting 7 Member States (42) in strengthening their tourism statistics and data framework, by building capacities on data sharing and integration, by closing the implementation gap of the Tourism Satellite Account statistical framework, including guidance to enable the use of alternative data sources, by integrating sustainability indicators into tourism statistics for improved management of destinations, and by promoting digitalisation of tourism SMEs.

An EU Competence Centre to support data management in tourism destinations is also under development. The knowledge hub will support destinations in developing and implementing data-driven management as well as data-sharing competences and strategies. The EU Competence Centre should be operational in 2024.

2.7.   Testing a use case for the tourism data space

In light of the need to establish a trustworthy environment for data sharing among all the parties involved, and in consideration of the importance of testing the enablers for interoperability to transform them into the building blocks of the tourism data space, the European Commission, in cooperation with Member States and private stakeholders, sets up a test action aiming to prepare the ground for the tourism data space.

The action should apply the key enablers (technical standards and governance model) identified by the preparatory actions funded under DEP, aligning them with the technical standards developed by Eurostat for accommodation data: it will showcase the value of the tourism data space for the sector by applying and testing the interoperability standards and the business model for sharing data identified by the Coordination and Support Actions. The test action is set up on a purely voluntary basis and represents a practical example of the preparation of the tourism data space.

Public authorities, both at national and regional level, Eurostat, and relevant European Commission services will be involved, together with private partners specialised in data management, in ensuring that the approach will serve the preparatory work of the common European data space for tourism as well as of the framework for data sharing envisaged by the Short-Term Rentals Regulation proposal.

The Commission aims at ensuring that the approach is realistic and inclusive, and the exercise useful to EU stakeholders – both those participating in the action, as well as SMEs and DMOs. As such, the test will focus on a use case of interaction between different data domains, including short term rental and accommodation.

By its expected completion (Q1 2025), the initiative will have integrated the outcomes of the Coordination and Support Actions preparing the tourism data space, for a solid first step towards a fully-fledged common European data space for tourism.

3.   NEXT STEPS TOWARDS THE COMMON EUROPEAN TOURISM DATA SPACE

Phase 1: now until Q4 2023

The two Coordination and Support Actions (CSA) funded under DEP in 2022 will provide the Commission with an updated map of relevant public and private initiatives, an in-depth analysis of the key enablers of a data space for tourism, with recommendations for a governance model and technical standards, and a blueprint for the deployment of the data space.

At the same time, the European Commission will gather, on a voluntary basis, a working group to test a use case as a first application of the findings from the CSAs. In this first phase, the working group will set the focus of the experimentation, including the specific need for use and re-use of data, and its working methodology.

Building on the initiatives at national level, and in synergy with the work of the Data Space Support Centre, discussions should start between the European Commission and the Member States on the possibility to set up an EDIC to manage the common European data space for tourism.

The EU Competence Centre to support data management in tourism destinations should be launched by a consortium of public and private stakeholders, with a competence on data analytics, to provide support to destinations in developing and implementing data-driven management as well as data-sharing strategies within the framework of the development of a common European data space for tourism.

Stakeholders have a number of tools at their disposal to engage with the process of building a data space tailored to the requirements of the industry, as described above. Industry organisations should begin promoting the opportunities and uses of a tourism data space among their members, as well as the principles laid out in the Code of Conduct for data sharing in tourism.

Phase 2: Q1 2024 until Q1 2025

The use case working group set up by the European Commission will aim to apply the deliverables of the CSAs to the use case selected in phase 1, aligning them with the technical specifications developed by Eurostat in their agreement for sharing accommodation data with the private sector.

Member States can contribute by exploring the possibility of setting up an EDIC for the management of the common European data space for tourism. A follow-up action to the CSAs should be operational under DEP, aiming at building the infrastructure of the common European data space for tourism (36 months).

To further advance the co-implementation of the Tourism Transition Pathway, the European Commission will launch a stakeholder collaboration platform as a user-friendly entry point for the stakeholders to access actively updated information and links to official and community resources relevant for the transition pathway actions; to find constantly updated knowledge on ongoing projects, activities and events relevant for the transition pathway actions; to provide means to connect with and work together with the members of the stakeholder community, and to search or be alerted about topical current funding and learning opportunities or other developments. The platform will pool and update the mapping of initiatives related to data-sharing in tourism.

Stakeholders are encouraged to actively engage with the platform, as well as with the initiatives that the informal Commission expert group T4T will offer to organise, as related to data sharing and management.

Phase 3: 2025 and beyond

In the future, the tourism ecosystem in Europe should count on a deeper understanding of the opportunities offered by data sharing. The ongoing initiatives and the short-term actions foreseen at Commission level and from the industry provide an opportunity to interested stakeholders to engage in the deployment of the tourism data space.

Additionally, an EDIC of Member States could be a solution for the management of the common European data space for tourism. Preparatory and deployment work under DEP is expected to have advanced enough for an infrastructure to be designed, which, in cooperation with the Data Spaces Support Centre, may define unique identifiers for tourism items at aggregated level, agree on common key meta-data elements (semantic rules), and integrate technical interoperability rules in a consistent manner with other EU level data spaces.

Additional funding under DEP will be made available for the period 2025-2027. The amount of such additional funding should be in line with the progress made and further funding needs.

4.   CONCLUSION

The European Commission is fully committed to supporting a space where tourism-related data flows in full respect of the EU principles of fairness, accessibility, security and privacy. This will align first and foremost with the EU strategy for data. It will also be in line with the upskilling and re-skilling efforts carried out under the Pact for Skills (43).

The data space will not be born in a vacuum: it will fill a gap in the data market for tourism where access needs to be increased, made more consistent and particularly supported for SMEs and destinations, which are the breathing force of an ecosystem key to the EU economy, in order to boost the re-use of data and generate innovative services and economic value.

This approach towards building a common European data space for tourism needs to be both progressive and solid. It aims at setting up a framework which meets the needs of the ecosystem and the market and is also anchored in the broader interoperability framework of sectoral data spaces at EU level. For this ambition to come to fruition, the European Commission encourages all relevant actors to engage in data sharing within the common European data space for tourism, not only to improve the wealth of data that it can provide, but also to shape it together for the benefit of all.


(1)  Transition pathway for tourism published today (europa.eu)

(2)  COM(2020) 66 final.

(3)  The European data strategy of February 2020 announced the creation of data spaces in 10 strategic fields: health, agriculture, manufacturing, energy, mobility, financial, public administration, skills, the European Open Science Cloud and the crosscutting key priority of meeting the Green Deal objectives.

(4)  250321-vtc-euco-statement-en.pdf (europa.eu)

(5)  Competitiveness Council (Internal market and industry) - Concilium (europa.eu)

(6)  https://www.consilium.europa.eu/media/49960/st08881-en21.pdf

(7)  Annual Report on European SMEs, 20 June 2022.

(8)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).

(9)  Data altruism policy is related to voluntary sharing of data, under no compensation whatsoever, for objective of general interest, for the common good.

(10)  The Horizon Europe programme includes an obligation for project beneficiaries to openly share data underpinning the research results. This allows for the possibility for the project beneficiaries to define publishable and confidential data for legitimate commercial interests; lessons could be learnt on how these beneficiaries have been incentivised to share data openly, and how their commercial rights are respected. Overall, with international interoperability agreements and practices already in place, scientific data sharing could provide useful learnings for the development of industrial ecosystem data spaces.

(11)  Staff working document on data spaces | Shaping Europe’s digital future (europa.eu)

(12)  Regulation (EU) 2022/868 of the European Parliament and of the Council of 30 May 2022 on European data governance and amending Regulation (EU) 2018/1724 (Data Governance Act) (OJ L 152, 3.6.2022, p. 1).

(13)  https://ec.europa.eu/commission/presscorner/detail/en/ip_22_1113

(14)  Directive (EU) 2019/1024 of the European Parliament and of the Council of 20 June 2019 on open data and the re-use of public sector information (OJ L 172, 26.6.2019, p. 56).

(15)  Commission Implementing Regulation (EU) 2023/138 of 21 December 2022 laying down a list of specific high-value datasets and the arrangements for their publication and re-use (OJ L 19, 20.1.2023, p. 43).

(16)  COM/2022/720 final EUR-Lex - 52022PC0720 - EN - EUR-Lex (europa.eu)

(17)  COM_2022_571_1_EN_ACT_part1_v7.pdf (europa.eu).

(18)  Commission Delegated Regulation (EU) 2017/1926 of 31 May 2017 supplementing Directive 2010/40/EU of the European Parliament and of the Council with regard to the provision of EU-wide multimodal travel information services (OJ L 272, 21.10.2017, p. 1). The Delegated Regulation is under revision to extend this obligation to real time information (for all modes of transport) e.g. real time information on disruption of a train.

(19)  https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/13133-Multimodal-digital-mobility-services

(20)  Regulation (EU) 2019/1150 of the European Parliament and of the Council of 20 June 2019 on promoting fairness and transparency for business users of online intermediation services (OJ L 186, 11.7.2019, p. 57). This applies, as an example, to changes to terms and conditions, data access, how rankings are organised, the grounds for suspension or termination of the use of a platform and the reasons for using price parity clauses.

(21)  DATES – European Tourism Data Space (tourismdataspace-csa.eu) and Home - Data Space for Tourism (DSFT) (modul.ac.at)

(22)  Staff working document on data spaces | Shaping Europe’s digital future (europa.eu)

(23)  In line with the Declaration on European Digital Rights and Principles | Shaping Europe’s digital future (europa.eu)

(24)  For the purpose of specifying the application of the GDPR to the tourism sector, future privacy and data protection Codes of Conduct must be developed in line with Article 40 of the GDPR.

(25)  Register of Commission expert groups and other similar entities (europa.eu)

(26)  Decision (EU) 2022/2481 of the European Parliament and of the Council of 14 December 2022 establishing the Digital Decade Policy Programme 2030 (OJ L 323, 19.12.2022, p. 4).

(27)  Such as the lessons learned on how to build specifications for the common EU Green Deal data space prepared by the Joint Research Centre: https://publications.jrc.ec.europa.eu/repository/handle/JRC126319 which, to a large extent, are valid also for the tourism data space.

(28)  Simpl: cloud-to-edge federations and data spaces made simple | Shaping Europe’s digital future (europa.eu)

(29)  COM/2022/31 final EUR-Lex - 52022DC0031 - EN - EUR-Lex (europa.eu)

(30)  Regulation (EU) No 692/2011 of the European Parliament and of the Council of 6 July 2011 concerning European statistics on tourism and repealing Council Directive 95/57/EC (OJ L 192, 22.7.2011, p. 17).

(31)  Also, the Regulation (EC) No 223/2009 (as amended), defining the current modalities for European Statistical system, is under revision, and aims at better integrating privately held data.

(32)  Key European tourism stakeholders co-sign a Code of Conduct on data sharing in tourism - ETC Corporate - ETC Corporate (etc-corporate.org)

(33)  Communication COM/2020/103: An SME Strategy for a sustainable and digital Europe | Knowledge for policy (europa.eu)

(34)  Information for SMEs | European Digital Innovation Hubs Network (europa.eu)

(35)  Join us in building the European way of Digital Transformation for 300 million Europeans | Living in EU (living-in.eu)

(36)  Home | Intelligent Cities Challenge

(37)  Inforegio - The Urban Agenda for the EU (europa.eu)

(38)  Sustainable Tourism | EUI (urban-initiative.eu)

(39)  The official portal for European data | data.europa.eu

(40)  Technical Support Instrument 2022: ‘Support the tourism ecosystem: towards a more sustainable, resilient and digital tourism’

(41)  Technical Support Instrument (TSI) (europa.eu)

(42)  Italy, Croatia, Spain, Slovenia, Portugal, Malta and Greece.

(43)  Homepage of Pact for skills (europa.eu)


IV Notices

NOTICES FROM EUROPEAN UNION INSTITUTIONS, BODIES, OFFICES AND AGENCIES

Council

26.7.2023   EN   Official Journal of the European Union   C 263/14


Notification by the European Union made in accordance with the Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part

(2023/C 263/02)

The European Union hereby notifies the United Kingdom and the Specialised Committee on Law Enforcement and Judicial Cooperation of the following in relation to the Trade and Cooperation Agreement between the European Union and the European Atomic Energy Community, of the one part, and the United Kingdom of Great Britain and Northern Ireland, of the other part (the 'Trade and Cooperation Agreement').

I.   NOTIFICATIONS UNDER THE TRADE AND COOPERATION AGREEMENT

1.   Partial withdrawal of a notification under Article 690(4) of the Trade and Cooperation Agreement

The European Union partially withdraws, on behalf of Poland, the notification made by Poland in relation to previous Article LAW.SURR.83(2), now Article 603(2) of the Trade and Cooperation Agreement, that its nationals would not be surrendered by Poland (1).

Poland conditions the surrender of its nationals as follows:

From August 3, 2023, a Polish national may be surrendered to the United Kingdom of Great Britain and Northern Ireland on the basis of an arrest warrant referred to in the Trade and Cooperation Agreement, provided that the act referred to in the arrest warrant was committed outside the territory of the Republic of Poland and outside a Polish ship or aircraft and this act constituted an offence under the law in force in the Republic of Poland or would have constituted an offence under the law in force in the Republic of Poland if it had been committed within the territory of the Republic of Poland, both at the time of its commitment and at the time of the filing of the arrest warrant.

Surrender of a Polish national will not be authorised if the arrest warrant has been issued against a person who is suspected of the commission of a crime for political reasons but without the use of force or if the execution of the arrest warrant would violate rights and freedoms of persons and citizens.


(1)  ST 6076/1/21 REV 1.


European Commission

26.7.2023   EN   Official Journal of the European Union   C 263/15


Euro exchange rates (1)

25 July 2023

(2023/C 263/03)

1 euro =


 

Currency                              Exchange rate

USD   US dollar                       1,1051
JPY   Japanese yen                    156,18
DKK   Danish krone                    7,4515
GBP   Pound sterling                  0,86148
SEK   Swedish krona                   11,4950
CHF   Swiss franc                     0,9598
ISK   Iceland króna                   145,70
NOK   Norwegian krone                 11,1605
BGN   Bulgarian lev                   1,9558
CZK   Czech koruna                    24,047
HUF   Hungarian forint                378,33
PLN   Polish zloty                    4,4263
RON   Romanian leu                    4,9223
TRY   Turkish lira                    29,7848
AUD   Australian dollar               1,6328
CAD   Canadian dollar                 1,4562
HKD   Hong Kong dollar                8,6336
NZD   New Zealand dollar              1,7785
SGD   Singapore dollar                1,4677
KRW   South Korean won                1 409,63
ZAR   South African rand              19,4256
CNY   Chinese yuan renminbi           7,8915
IDR   Indonesian rupiah               16 607,03
MYR   Malaysian ringgit               5,0420
PHP   Philippine peso                 60,271
RUB   Russian rouble
THB   Thai baht                       38,115
BRL   Brazilian real                  5,2178
MXN   Mexican peso                    18,5746
INR   Indian rupee                    90,4445


(1)  Source: reference exchange rate published by the ECB.


European External Action Service

26.7.2023   EN   Official Journal of the European Union   C 263/16


DECISION OF THE HIGH REPRESENTATIVE OF THE UNION FOR FOREIGN AFFAIRS AND SECURITY POLICY

of 19 June 2023

on the security rules for the European External Action Service

(2023/C 263/04)

THE HIGH REPRESENTATIVE OF THE UNION FOR FOREIGN AFFAIRS AND SECURITY POLICY,

Having regard to the Council Decision 2010/427/EU of 26 July 2010 establishing the organisation and functioning of the European External Action Service (1) (hereinafter ‘Council Decision 2010/427/EU’), and in particular Article 10(1) thereof,

Whereas:

(1)

The European External Action Service (hereinafter ‘EEAS’), as a functionally autonomous body of the European Union (EU), is to have security rules, as provided for in Article 10(1) of the Council Decision 2010/427/EU.

(2)

The High Representative of the Union for Foreign Affairs and Security Policy (hereinafter ‘High Representative’ or ‘HR’) is to decide on security rules for the EEAS covering all aspects of security regarding the functioning of the EEAS, so that it can manage effectively the risks to staff placed under its responsibility, to its physical assets, information, and visitors, and fulfil its duty of care and responsibilities in this regard.

(3)

In particular, a level of protection should be afforded to staff placed under the responsibility of the EEAS, to EEAS physical assets, including communication and information systems, information, and visitors, which is in line with the best practice in the Council, the Commission, the Member States and, as appropriate, in international organisations.

(4)

The security rules for the EEAS should help achieve a more coherent comprehensive general framework within the EU for protecting EU Classified Information (hereinafter referred to as ‘EUCI’), building on, and maintaining as much coherence as possible with, the Council of the European Union (hereinafter referred to as ‘the Council’) security rules and the European Commission security provisions.

(5)

The EEAS, the Council and the Commission are committed to applying equivalent security standards for protecting EUCI.

(6)

This Decision is without prejudice to Articles 15 and 16 of the Treaty on the Functioning of the European Union (TFEU) and to instruments implementing them.

(7)

It is necessary to establish the organisation of security in the EEAS and the allocation of security tasks within the EEAS structures.

(8)

The High Representative should draw on relevant expertise in the Member States, in the General Secretariat of the Council and in the Commission as necessary.

(9)

The High Representative should take all appropriate measures necessary to implement these rules with the support of the Member States, the General Secretariat of the Council and the Commission.

(10)

While the Secretary-General of the EEAS is the Security Authority of the EEAS, it is appropriate to review the security rules of the EEAS notably to take into account the establishment of the Crisis Response Centre and, for that purpose, to repeal and replace the Decision ADMIN(2017) 10 of the High Representative of the Union for Foreign Affairs and Security Policy of 19 September 2017 (2).

(11)

In accordance with Article 15 (4) (a) of the Decision ADMIN(2017) 10 of the High Representative of the Union for Foreign Affairs and Security Policy of 19 September 2017 on the security rules for the European External Action Service, the EEAS Security Committee has been consulted on the envisaged amendments to the security rules of the EEAS.

HAS ADOPTED THIS DECISION:

Article 1

Purpose and scope

This Decision lays down the security rules for the European External Action Service (hereinafter ‘EEAS security rules’).

Pursuant to Article 10(1) of Council Decision 2010/427/EU, it shall apply to all EEAS staff and all staff in Union Delegations, regardless of their administrative status or origin, and it shall establish the general regulatory framework for managing effectively the risks to staff placed under the responsibility of the EEAS as referred to in Article 2, to EEAS premises, physical assets, information, and visitors.

Article 2

Definitions

For the purpose of this decision, the following definitions apply:

(a)

‘EEAS staff’ means EEAS officials and other servants of the European Union, including personnel from the diplomatic services of the Member States employed as temporary agents, and seconded national experts, as defined in Article 6 (2) and (3) of Council Decision 2010/427/EU, respectively.

(b)

‘Staff placed under the responsibility of the EEAS’ means the EEAS staff at Headquarters and in Union Delegations and all other staff in Union Delegations, regardless of their administrative status or origin, as well as, in the context of this decision, the High Representative and, as appropriate, other staff resident in EEAS Headquarters premises.

(c)

‘Eligible dependants’ means the members of the family of the staff member placed under the responsibility of the EEAS in Union Delegations forming part of their respective household as notified to the Ministry for Foreign Affairs of the receiving State, and actually residing with him/her at the place of employment at the time of the country evacuation.

(d)

‘EEAS premises’ means all EEAS establishments, including buildings, offices, rooms and other areas, as well as areas housing communication and information systems (including those handling EUCI), where the EEAS conducts permanent or temporary activities.

(e)

‘EEAS security interests’ means the staff placed under the responsibility of the EEAS, EEAS premises, dependants, physical assets, including communication and information systems, information, and visitors.

(f)

‘EUCI’ means any information or material designated by an EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States.

(g)

‘Union Delegation’ means delegations to third countries and international organisations and EU offices as referred to in Article 1(4) of Council Decision 2010/427/EU and in accordance with Article 5 of Council Decision 2010/427/EU.

Other definitions for the purpose of the present Decision are set out in the relevant Annexes and in Appendix A.

Article 3

Duty of care

1.   The EEAS security rules shall aim at fulfilling the duty of care of the EEAS and its responsibilities in this regard.

2.   The EEAS duty of care comprises due diligence in taking all reasonable steps to implement security measures to prevent reasonably foreseeable harm to EEAS security interests.

It encompasses both security and safety components, including those resulting from emergency situations or crises, whatever their nature.

3.   Taking into account the duty of care of Member States, EU institutions or bodies and other parties with staff in Union Delegations and/or in Union Delegation premises and the duty of care of the EEAS in relation to Union Delegations which are hosted in above mentioned other parties’ premises, the EEAS shall enter into administrative arrangements with each of the above entities that shall address the respective roles and responsibilities, tasks and cooperation mechanisms.

Article 4

Physical and infrastructure security

1.   The EEAS shall put in place all appropriate physical security measures (whether permanent or temporary), including access control arrangements, in all EEAS premises, for the protection of EEAS security interests. Such measures shall be taken into account in the design and the planning of new premises or before leasing existing premises.

2.   Special obligations or restrictions can be imposed on staff placed under the responsibility of the EEAS and on dependants, for security reasons, for a specific period and in specific areas.

3.   The measures referred to in paragraphs 1 and 2 shall be commensurate with the assessed risk.

Article 5

Alert states and crisis situations

1.   The EEAS Security Authority as defined in Article 13(1), Section 1, shall be responsible for defining the alert state levels and for putting in place appropriate alert state measures in anticipation of or in response to threats and incidents affecting security at the EEAS.

2.   The alert state measures referred to in paragraph 1 shall be commensurate with the level of threat to security. The alert state levels shall be defined by the EEAS Security Authority in close cooperation with the competent services of other Union institutions, agencies and bodies, and of the Member State(s) hosting EEAS premises.

3.   The EEAS Security Authority shall be the point of contact for alert states and for the response to a crisis. He/she may sub-delegate the related tasks, respectively to the Director General for Resource Management, as referred to in Article 4(3)(a), second indent, of Council Decision 2010/427/EU, for EEAS Headquarters, and to the Director of the Crisis Response Centre (CRC) for Union Delegations.

Article 6

The protection of classified information

1.   The protection of EUCI shall be governed by the requirements laid down in this decision, and in particular in Annex A. The holder of any item of EUCI shall be responsible for protecting it accordingly.

2.   The EEAS shall ensure that access to classified information is only granted to individuals who meet the conditions set out in Article 5 of Annex A.

3.   The conditions under which local agents may have access to EUCI shall also be laid down by the High Representative, in accordance with the rules for protecting EUCI laid down in Annex A to this decision.

4.   The EEAS shall ensure the management of the security clearance status of all staff placed under the responsibility of the EEAS and of EEAS contractors.

5.   Where Member States introduce classified information bearing a national security classification marking into the structures or networks of the EEAS, the EEAS shall protect that information in accordance with the requirements applicable to EUCI at the equivalent level, as set out in the table of equivalence of security classifications contained in Appendix B to this decision.

6.   Areas in the EEAS, in which information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above, or classified at an equivalent level, is stored, shall be established as Secured Areas in accordance with the rules pursuant to Annex A II to this decision, and shall be approved by the EEAS Security Authority.

7.   Procedures for performing High Representative responsibilities in the framework of agreements or administrative arrangements for the exchange of EUCI with third States or international organisations are described in Annexes A and A VI of this Decision.

8.   The Secretary General shall determine the conditions under which the EEAS may share EUCI held by it with other Union institutions, bodies, offices or agencies. An appropriate framework will be put in place to that effect, including by entering into inter-institutional agreements or other arrangements where necessary for that purpose.

9.   Any such framework shall ensure that EUCI is given protection appropriate to its classification level and according to basic principles and minimum standards which shall be equivalent to those laid down in this Decision.

Article 7

Security incidents, emergencies and crisis response

1.   In order to ensure a timely and effective response to security incidents, the EEAS shall establish a process for reporting such incidents and emergencies, which shall be operational twenty-four hours a day, seven days a week and cover any kind of security incidents or threats to the EEAS security interests (e.g. accidents, conflict, malicious acts, criminal acts, kidnap and hostage situations, medical emergencies, communication and information systems incidents, cyber-attacks, etc.).

2.   Emergency liaison channels shall be established between the EEAS Headquarters, the Union Delegations, the Council, the Commission, the EU Special Representatives and Member States, to support them in providing a response to crises, security incidents and emergencies involving personnel and their consequences, including contingency planning.

3.   This response to security incidents/emergencies/crises shall include, inter alia:

procedures for effectively supporting the decision-making process in relation to threats, security incidents and emergencies involving personnel, including decisions relating to the extraction or the suspension of a mission; and

a policy and procedures for personnel recovery - e.g. in the case of missing personnel or kidnap and hostage situations - taking into account the particular responsibilities of the Member States, of the EU Institutions and of the EEAS in this regard. The need for specific capabilities, within the management of such operations in this regard, shall be considered taking into account the resources that could be provided by the Member States.

4.   The EEAS shall put in place appropriate procedures for reporting security incidents in Union Delegations. When appropriate, the Member States, the Commission, any other relevant authority, as well as the relevant Security Committees shall be informed.

5.   The incident, emergency and crisis response processes should be regularly exercised and reviewed.

Article 8

Security of communication and information systems

1.   The EEAS shall protect information handled in Communication and Information Systems (CIS) as defined in Appendix A of this Decision against threats to confidentiality, integrity, availability, authenticity and non-repudiation.

2.   Rules, security guidelines and a security programme for protecting all CIS owned or operated by EEAS shall be approved by the EEAS Security Authority.

3.   The rules, the policy and the programme shall be in conformity and their implementation closely coordinated with those of the Council and the Commission, and, where appropriate, with the security policies applied by the Member States.

4.   All CIS handling classified information shall undergo an accreditation process. The EEAS shall apply a system for managing security accreditation in consultation with the General Secretariat of the Council and the Commission.

5.   Where the protection of EUCI handled by the EEAS is provided by cryptographic products, such products shall be approved by the EEAS Crypto Approval Authority on a recommendation by the Council Security Committee.

6.   The EEAS Security Authority shall, to the extent necessary, establish the following information assurance functions:

(a)

an Information Assurance Authority (IAA);

(b)

a TEMPEST Authority (TA);

(c)

a Crypto Approval Authority (CAA);

(d)

a Crypto Distribution Authority (CDA).

7.   For each system, the EEAS Security Authority shall establish the following functions:

(a)

a Security Accreditation Authority (SAA);

(b)

an Information Assurance Operational Authority (IAOA).

8.   Provisions for implementing this Article as regards the protection of EUCI are set out in Annex A and A IV.

Article 9

Security breaches and compromise of classified information

1.   A breach of security occurs as the result of an act or omission that is contrary to the security rules laid down in this Decision and/or to the security policies or guidelines setting out any measures necessary for its implementation, as approved in accordance with Article 21(1).

2.   A compromise of classified information occurs when it has wholly or in part been disclosed to unauthorised persons or entities.

3.   Any breach or suspected breach of security, and any compromise or suspected compromise of classified information shall be reported immediately to the Director for HQ security and EEAS information security, who shall take appropriate measures as set out in Annex A, Article 11.

4.   Any individual who is responsible for a breach of the security rules laid down in this Decision, or for compromising classified information, may be liable to disciplinary and/or legal action, in accordance with the applicable laws, rules and regulations, as set out in Article 11(3) of Annex A.

Article 10

Investigation of security incidents, breaches and/or compromises and corrective actions

1.   Without prejudice to Article 86 and Annex IX of the Staff Regulations (3), security investigations may be initiated and conducted by the Directorate responsible for HQ security and EEAS information security:

(a)

in case of potential leakage, mishandling or compromise of EUCI, Euratom Classified Information or sensitive non-classified information;

(b)

to counter hostile intelligence service attacks against the EEAS and its staff;

(c)

to counter terrorist attacks against the EEAS and its staff;

(d)

in case of cyber-incidents;

(e)

in case of other incidents that affect or may affect general security at the EEAS, including suspected criminal offences.

2.   The EEAS Security Authority, assisted by the Directorate responsible for HQ security and EEAS information security, by the Directorate responsible for the Crisis Response Centre (CRC), and by experts from Member States and/or from other EU institutions as appropriate, shall implement any necessary corrective actions resulting from investigations, when and as appropriate.

Only staff authorised on the basis of a nominative mandate conferred on them by the EEAS Security Authority, given their current duties, may be entrusted with the power to conduct and coordinate security investigations in the EEAS.

3.   Investigators shall have access to all information necessary for the conduct of such investigations and shall receive the full support of all EEAS services and staff in this regard.

Investigators may take appropriate actions to safeguard the trail of evidence in a manner that is proportionate to the seriousness of the matter under investigation.

4.   Where access to information relates to personal data, including those contained in communication and information systems, such access shall be processed in accordance with Regulation (EU) 2018/1725 (4).

5.   Where it is necessary to establish an investigative database that will contain personal data, the European Data Protection Supervisor (EDPS) shall be notified in accordance with the aforementioned regulation.

Article 11

Security risk management

1.   In order to determine the protective security needs of the EEAS, the Directorate responsible for HQ security and EEAS information security and the Directorate responsible for the Crisis Response Centre (CRC) shall develop and maintain updated, in close cooperation with the Security Directorate of the Directorate General for Human Resources and Security of the Commission and, where appropriate, with the Security Office of the General Secretariat of the Council, a comprehensive security risk assessment methodology.

2.   Risks to EEAS security interests shall be managed as a process. This process shall be aimed at determining known security risks, at defining security measures to mitigate such risks to an acceptable level and at applying measures in line with the concept of defence in depth. The effectiveness of such measures, and the level of risk, shall be continuously evaluated.

3.   The roles, responsibilities and tasks laid down in this Decision are without prejudice to the responsibility of each member of staff placed under the responsibility of the EEAS; in particular EU staff on mission in third countries must exercise common sense and good judgement with regard to their own safety and security, and comply with all applicable security rules, regulations, procedures and instructions.

4.   In order to prevent and control risks to security, mandated staff may carry out background checks of persons falling under the scope of this Decision, so as to determine whether giving such persons access to EEAS premises or information presents a threat to security. For that purpose, and in compliance with Regulation (EU) 2018/1725, the mandated staff concerned may: (a) use any source of information available to the EEAS, taking into account the reliability of the source of information; (b) access the personnel file or data the EEAS holds with regard to individuals it employs or intends to employ, or for contractors’ staff when duly justified.

5.   The EEAS shall take all reasonable measures to ensure its security interests are protected, and to prevent reasonably foreseeable damage thereto.

6.   Security measures in the EEAS for protecting EUCI throughout its life cycle shall be commensurate in particular with its security classification level, with the form and volume of the information or material, with the location and construction of facilities housing EUCI and with the threat, including the locally assessed threat, of malicious and/or criminal activities, including espionage, sabotage and terrorism.

Article 12

Security awareness and training

1.   The EEAS Security Authority shall ensure that appropriate security awareness and training programmes are drawn up by the Directorate responsible for HQ security and EEAS information security. Staff in the HQ shall receive the necessary security awareness briefings and training, to be delivered by the Security Awareness teams of the Directorate responsible for HQ security and EEAS information security. Staff in the Union Delegations, as well as, where appropriate, their eligible dependants, will receive the necessary security awareness briefings and training commensurate with the risks in their place of work or residence, to be delivered by the Security Management Teams in coordination with the Directorate responsible for the Crisis Response Centre (CRC).

2.   Before being granted access to EUCI and at regular intervals thereafter, staff shall be briefed on and acknowledge their responsibilities to protect EUCI in accordance with the rules pursuant to Article 6.

Article 13

Organisation of security in the EEAS

Section 1.     General provisions

1.   The Secretary General shall be the Security Authority of the EEAS. In that capacity, the Secretary General shall ensure that:

(a)

security measures are coordinated as necessary with the competent authorities of the Member States, the General Secretariat of the Council and the Commission, and, as appropriate, of third States or international organisations, on all security matters relevant for the EEAS’ activities, including on the nature of risks to the EEAS security interests and the means of protection against them;

(b)

security aspects are fully taken into account from the outset for all EEAS activities;

(c)

access to classified information is only granted to individuals who meet the conditions set out in Article 5 of Annex A;

(d)

appropriate measures are taken to manage the security clearance status of all staff placed under the responsibility of the EEAS and of EEAS contractors;

(e)

a registry system is established in order to ensure that information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above is handled in accordance with this Decision within the EEAS, and when released to EU Member States, EU Institutions, bodies or agencies or other authorised recipients. A separate record shall be kept of all EUCI released by the EEAS to third States or international organisations, and of all classified information received from third States or international organisations;

(f)

security inspections referred to in Article 16 are undertaken;

(g)

investigations are conducted into any actual or suspected breach of security, as well as into any actual or suspected compromise or loss of classified information held by or originated in the EEAS, and that the relevant security authorities are requested to assist in such investigations;

(h)

appropriate incident and consequence management plans and mechanisms are established, in order to provide a timely and effective response to security incidents;

(i)

appropriate measures are taken in the event of failure by individuals to comply with this Decision;

(j)

appropriate physical and organisational measures are in place for the protection of the EEAS security interests.

In this regard, the EEAS Security Authority:

sets the security category of the Union Delegations, in consultation with the Commission;

sets a crisis response mechanism and defines its tasks and responsibilities;

decides, after consulting the HR where appropriate, when Union Delegation staff should be evacuated if the security situation requires it;

decides on the measures to be applied for the protection of eligible dependants, when appropriate, taking into account arrangements with EU institutions as referred to in Article 3(3);

approves the crypto communication policy, in particular the programme of installation of cryptographic products and mechanisms.

2.   In line with Article 10(3) of the Council Decision 2010/427/EU, the EEAS Security Authority shall be assisted in these tasks jointly by:

(i)

the Director General for Resource Management who is assisted by the Director for HQ security and EEAS information security,

(ii)

the Director of the Crisis Response Centre (CRC),

and, as appropriate, by the Deputy Secretary-General for Peace, Security and Defence, in order to ensure consistency with security measures to be taken for CSDP missions and operations.

3.   The Secretary-General as EEAS Security Authority may sub-delegate his/her tasks, as appropriate.

4.   Each Head of Department/Division shall be responsible for ensuring the implementation of those rules, as well as of security Guidelines as referred to in Article 21 of this Decision and any other procedures or measures aiming at protecting EUCI within his/her Department/Division.

Whilst remaining responsible as mentioned above, each Head of Department/Division shall designate staff for a Departmental Security Coordinator function. The number of staff with such function shall be proportionate to the amount of EUCI handled by that Department/Division.

Departmental Security Coordinators shall, when and as appropriate, assist and support their Head of Department/Division in performing tasks related to security, such as:

(a)

developing any additional security requirements appropriate to the specific needs of the department/division in consultation with the Directorate responsible for HQ security and EEAS information security;

(b)

complementing the periodic security briefings delivered by the Directorate responsible for HQ security and EEAS information security to the members of their Department/Division with information on the additional security requirements referred to in point (a);

(c)

ensuring that the need-to-know principle is respected in their Department/Division;

(d)

maintaining up-to-date a list of safe codes and keys, where applicable;

(e)

ensuring, where applicable, that security procedures and security measures are up to date and effective;

(f)

reporting any breaches of security and/or compromise of EUCI both to their Director and to the Directorate responsible for HQ security and EEAS information security;

(g)

debriefing staff who cease to be employed by the EEAS;

(h)

providing regular reports through their hierarchy on Department/Division’s security matters;

(i)

liaising with the Directorate responsible for HQ security and EEAS information security on any security issues.

Any activity or issue that might have an impact on security shall be notified to the Directorate responsible for HQ security and EEAS information security in a timely manner.

Section 2.     Directorate responsible for HQ security and EEAS information security

1.   The Directorate responsible for HQ security and EEAS information security shall be placed administratively within the Directorate General for Resource Management. It shall:

(a)

fulfil the duty of care responsibilities of the EEAS at the EEAS Headquarters, and be responsible for all security matters at the EEAS Headquarters, including with regard to Communication and Information Systems (CIS) and information security for Union Delegations;

(b)

manage, coordinate, supervise and/or implement all security measures in all EEAS Headquarters premises;

(c)

ensure coherence and consistency with this decision and with implementing provisions of any activity which may have an impact on protecting EEAS security interests;

(d)

support the activities of the EEAS Security Accreditation Authority by carrying out physical security assessments of the General Security Environment (GSE)/Local Security Environment (LSE) of communication and information systems handling EUCI, and of all EEAS premises to be authorised for handling and storing EUCI.

The Directorate responsible for HQ security and EEAS information security shall be assisted by the relevant services of the Member States, in accordance with Article 10(3) of Council Decision 2010/427/EU.

2.   The Director for HQ security and EEAS information security shall be responsible for:

(a)

ensuring the overall protection of the EEAS security interests in the area of responsibility of the Directorate responsible for HQ security and EEAS information security;

(b)

drafting, reviewing and updating of the security rules, as well as co-ordinating security measures with the Director of the Crisis Response Centre (CRC), the competent authorities of the Member States and, as appropriate, the competent authorities of third States and international organisations linked to the EU by security agreements and/or arrangements;

(c)

being the principal adviser of the HR, of the EEAS Security Authority and of the Deputy Secretary-General for Peace Security and Defence on all matters related to security at the Headquarters, and to EEAS information security;

(d)

managing the security clearance status of all staff placed under the responsibility of the EEAS and of EEAS contractors;

(e)

chairing the EEAS Security Committee in National Security Authorities (NSA) formation, as set out in Article 15(1) of this Decision, upon instruction by the EEAS Security Authority, and supporting its proceedings;

(f)

liaising with any partners or authorities other than those under (b) above on security matters in the area of responsibility of the Directorate responsible for HQ security and EEAS information security;

(g)

prioritising and making proposals for the management of the budget for security in Headquarters and in Union Delegations, the latter in coordination with the Director of the Crisis Response Centre (CRC);

(h)

ensuring that security breaches and compromises referred to in Article 9 of this Decision are recorded and investigations are launched and undertaken where and when necessary;

(i)

meeting regularly, and whenever necessary, to discuss areas of common interest with the Director of Security of the General Secretariat of the Council and the Director of the Security Directorate of the Directorate General for Human Resources and Security of the Commission.

3.   The Directorate responsible for HQ security and EEAS information security shall establish contacts and maintain close cooperation in its area of responsibility with:

the National Security Authorities (NSAs) and/or the other competent security authorities of Member States, to elicit their assistance in regard to the information it needs to assess such dangers and threats as may face the EEAS, its staff, its activities, its assets and resources and its classified information at its usual place of business;

the competent security authorities of the third States with whom the EU has concluded a Security of Information Agreement, or on the territory of which the Union deploys a CSDP mission or operation;

the Security Office of the General Secretariat of the Council and the Security Directorate of the Directorate General for Human Resources and Security of the Commission, and, where appropriate, the security departments of the other EU institutions, bodies and agencies;

the security department of international organisations with whom the EU has concluded a Security of Information Agreement, and;

the Member States' NSAs, regarding any matter relating to the protection of EUCI, including Personnel Security Clearances (PSCs).

Section 3.     Directorate responsible for the Crisis Response Centre (CRC)

1.   The Directorate responsible for the Crisis Response Centre (CRC) shall:

(a)

fulfil the duty of care responsibilities of the EEAS in Union Delegations;

(b)

ensure the security of staff placed under the responsibility of the EEAS in the Union Delegations on a daily basis, propose measures to be adopted in case of crisis to ensure business continuity at the Union Delegations and implement the evacuation procedures in close coordination with the Coordination Division in the Directorate General for Resource Management;

(c)

manage, coordinate, supervise and/or implement all security measures in the EEAS premises within the Union Delegations;

(d)

ensure coherence and consistency with this Decision and with implementing provisions of any EEAS activity which may have an impact on the EEAS security interests in the area of responsibility of the CRC;

(e)

support the activities of the EEAS Security Accreditation Authority in carrying out the physical security assessments of the Union Delegations premises to be authorised for handling and storing EUCI;

2.   The Director for the Crisis Response Centre (CRC) shall be responsible for:

(a)

ensuring the overall protection of the EEAS security interests in the area of responsibility of the Directorate responsible for the Crisis Response Centre (CRC);

(b)

coordinating security measures and procedures with the competent authorities of the Host States and, as appropriate, with relevant international organisations;

(c)

ensuring the activation and management of the EEAS Crisis Response Mechanism;

(d)

designing and managing EEAS’ deployability capability (Deployable Support Team, including the necessary equipment) and ensuring its readiness at all times;

(e)

being the principal adviser of the HR, of the EEAS Security Authority and of the Deputy Secretary-General for Peace Security and Defence on all matters related to the security of Union Delegations and on the response to crisis affecting them;

(f)

chairing the EEAS Security Committee in Ministers of Foreign Affairs (MFA) formation, as set out in Article 15(1) of this Decision, upon instruction by the EEAS Security Authority, and supporting its proceedings;

(g)

liaising with any partners or authorities other than those under (b) above on security matters, in the area of responsibility of the Directorate responsible for the Crisis Response Centre (CRC);

(h)

contributing to prioritising and making proposals for the management of the budget for security in Union Delegations as coordinated by the Director for HQ security and EEAS information security;

(i)

ensuring that security breaches and compromises in the area of responsibility of the Directorate responsible for the Crisis Response Centre (CRC) are notified to the Directorate responsible for HQ security and EEAS information security for appropriate follow-up.

3.   The Directorate responsible for the Crisis Response Centre (CRC) shall establish contacts and maintain close cooperation in its area of responsibility with:

the relevant Departments in the Ministries of Foreign Affairs of the Member States;

to the extent necessary, the competent security authorities of the Host States on the territory of which the EU Delegations are established, regarding EEAS security interests;

the Security Office of the General Secretariat of the Council and the Security Directorate of the Directorate General for Human Resources and Security of the Commission, and, where appropriate, the security departments of the other EU institutions, bodies and agencies, within its area of responsibility;

the security departments of international organisations, with a view to any useful co-ordination, within its area of responsibility.

Section 4.     Union Delegations

1.   Each Head of Delegation shall be responsible for locally implementing and managing all measures relating to the protection of EEAS security interests within the Union Delegations’ premises and competence.

Under the guidance of the Crisis Response Centre (CRC) and in consultation with the competent authorities of the Host State when necessary, he/she shall take all reasonably practicable measures to ensure that appropriate physical and organisational measures are in place to fulfil his/her duty of care responsibilities.

The Head of Delegation shall draw up security procedures for the protection of the eligible dependants as defined in Article 2(c), when appropriate, taking into account any administrative arrangement, as referred to in Article 3(3).

The Head of Delegation shall report on all duty of care related issues within his/her remit to the Director of the Crisis Response Centre (CRC), and to the Director of the Directorate responsible for HQ security and EEAS information security regarding other security matters.

He/she shall be assisted by the Directorate responsible for the Crisis Response Centre (CRC), by the Union Delegation’s Security Management Team which is composed of staff exercising security tasks and functions, and by security staff where necessary. The Directorate responsible for HQ security and EEAS information security shall provide assistance within its area of responsibility.

The Union Delegation shall establish regular contacts and maintain close cooperation in security matters with Member States’ diplomatic missions.

2.   In addition, the Head of Delegation shall:

establish, in coordination with the Crisis Response Centre (CRC), detailed Union Delegation security and contingency plans, on the basis of generic standard operating procedures;

operate an effective 24/7 system for managing security incidents and emergencies within the Union Delegation scope of operation;

ensure that all staff deployed in the Union Delegation are covered by insurance as required by the conditions in the area;

ensure that security is part of the Union Delegation induction training to be given to all staff deployed in the Union Delegation upon arriving in the Union Delegation; and

ensure that any recommendations made following security assessments are implemented, and provide written reports at regular intervals on their implementation to the Director of the Crisis Response Centre (CRC) and to the Director for HQ security and EEAS information security.

3.   Whilst remaining both responsible and accountable for safeguarding the security management as well as for ensuring corporate resilience, the Head of Delegation may delegate the execution of his/her security tasks to the Delegation Security Coordinator (‘DSC’), being the Deputy Head of Delegation or, where none is appointed, an appropriate alternate.

In particular, the following responsibilities may be delegated:

coordination of security functions in the Union Delegation;

liaising on security issues with competent authorities of the host State and the appropriate counterparts in the Member States’ embassies and diplomatic missions;

implementation of appropriate security management procedures related to the EEAS Security interests, including the protection of EUCI;

ensuring compliance with security rules and instructions;

briefing staff about the security rules that are applicable to them, and on the particular risks in the host State;

submitting requests to the Directorate responsible for HQ security and EEAS information security for security clearances and regarding those positions which require a Personnel Security Clearance (PSC); and

keeping the Head of Delegation, the Regional Security Officer (RSO) and the Directorate responsible for the Crisis Response Centre (CRC) continuously informed with regard to incidents or security related developments in the area which have a bearing on the protection of EEAS security interests.

4.   The Head of Delegation may delegate security tasks of an administrative or technical character to the Head of Administration and other members of the Union Delegation’s staff.

5.   The Union Delegation shall be assisted by an RSO. The RSOs shall undertake the roles defined below in the Union Delegations within each of their respective geographical areas of responsibility.

In certain circumstances, where the prevailing security situation dictates, a dedicated RSO may be assigned to a specific Union Delegation as full time resident.

An RSO may be required to relocate to an area outside his/her present area of responsibility, including the Headquarters, or even take up a residential post according to the relevant security situation in any country, and as required by the Directorate responsible for the Crisis Response Centre (CRC).

6.   The RSOs shall be under the direct operational control of the EEAS Headquarters service in charge of Field Security, but under the shared administrative control of the Head of Delegation of their place of employment and the Headquarters service in charge of Field Security. They shall advise and assist the Head of Delegation and the Union Delegation’s staff in arranging and implementing all physical, organisational and procedural measures related to the security of the Union Delegation.

7.   RSOs provide the Head of Delegation and Union Delegation staff with advice and support. Where appropriate, in particular where an RSO is a full time resident, he/she should assist a Union Delegation in security management and implementation, including the preparation of security contracts, the management of accreditations and clearances.

Article 14

CSDP Operations and EU Special Representatives

The Director for HQ security and EEAS information security and the Director of the Crisis Response Centre (CRC) advise, within the respective areas of responsibility of their Directorates and where necessary, the Managing Director for the Common Security and Defence Policy (CSDP), the Director General of the EU Military Staff (EUMS), also in his/her capacity as Director of the Military Planning and Conduct Capability (MPCC), and the Managing Director for Civilian Planning and Conduct Capability (CPCC), on security aspects of the planning and conduct of CSDP missions and operations, and the EU Special Representatives on security aspects of their mandate, complementary to the specific provisions existing in this regard in the relevant policies adopted by the Council.

Article 15

The EEAS Security Committee

1.   An EEAS Security Committee is hereby established.

It shall be chaired by the EEAS Security Authority or a designated delegate, and shall meet as instructed by the Chair or at the request of any of its members. The Directorate responsible for HQ security and EEAS information security and the Directorate responsible for the Crisis Response Centre (CRC) shall, within their respective areas of responsibility, support the Chair in this function and provide administrative assistance, as necessary, to the Committee proceedings.

2.   The EEAS Security Committee shall be composed of representatives of:

each Member State;

the Security Office of the General Secretariat of the Council;

the Security Directorate of the Directorate General for Human Resources and Security of the Commission.

A Member State delegation to the EEAS Security Committee may consist of members of:

the National Security Authority (NSA) and/or the Designated Security Authority (DSA),

the Departments in charge of security in the Ministries of Foreign Affairs (MFA).

3.   The Committee’s representatives may be accompanied and advised by experts as they deem necessary. Representatives of other EU Institutions, agencies or bodies may be invited to attend when issues relevant to their security are discussed.

4.   Without prejudice to paragraph 5 below, the EEAS Security Committee shall assist the EEAS, by means of consultation, on all security issues relevant to EEAS activities, to Headquarters and Union Delegations.

In particular, without prejudice to paragraph 5 below, the EEAS Security Committee:

(a)

shall be consulted on:

security policies, guidelines, concepts or other methodology documents related to security, in particular as regards the protection of classified information and the measures to be taken in the event of a failure by EEAS staff to comply with the security rules;

technical security aspects which may influence the HR decision to submit a recommendation to the Council for the opening of negotiations for security of information agreements referred to in Article 10(1)(a) of Annex A;

any amendments to this decision.

(b)

may be consulted or informed, as appropriate, on issues relating to the security of staff and assets within EEAS Headquarters and Union Delegations, without prejudice to Article 3(3);

(c)

shall be informed of any compromises or losses of EUCI occurred within the EEAS.

5.   Any change to the rules relating to the protection of EUCI contained in this decision and its Annex A shall require the unanimous favourable opinion of the Member States as represented in the EEAS Security Committee. Such unanimous favourable opinion shall also be required before:

entering into negotiations of administrative arrangements as referred to in Article 10(1)(b) of Annex A;

releasing classified information in the exceptional circumstances referred to in paragraphs 9, 11 and 12 of Annex A VI;

assuming the information originator’s responsibility in the circumstances referred to in Article 10(6), last sentence, of Annex A.

When a unanimous favourable opinion is required, this condition will be met when no objections are expressed by Member States’ delegations during the Committee proceedings.

6.   The EEAS Security Committee shall take full account of security policies and guidelines in force in the Council and the Commission.

7.   The EEAS Security Committee receives the list of annual EEAS inspections, and the inspection reports, once finalised.

8.   Organisation of the meetings:

The EEAS Security Committee shall meet at least twice a year. Additional meetings, either in its fully fledged configuration or in NSA/DSA or in MFA security format, can be arranged by the Chair or requested by the members of the Committee.

The EEAS Security Committee shall organise its activities in such a way that it can make recommendations on specific areas of security. It may establish other expert sub-areas as necessary. It shall draw up terms of reference for such expert sub-areas and receive reports from them on their activities.

The Directorate responsible for HQ security and EEAS information security and the Directorate responsible for the Crisis Response Centre (CRC) shall each be responsible for preparing items for discussion under their respective areas of responsibility. The Chair shall draw up the provisional agenda for each meeting. The members of the Committee may propose additional items for discussion.

Article 16

Security inspections

1.   The EEAS Security Authority shall ensure that security inspections are undertaken, on a regular basis, within the EEAS Headquarters and within Union Delegations in order to assess the adequacy of the implementation of security measures and to verify their compliance with this Decision. The Directorate responsible for HQ security and EEAS information security, in cooperation with the Directorate responsible for the Crisis Response Centre (CRC), may, where appropriate, designate contributing experts to participate in security inspections to EU agencies and bodies established under Title V, Chapter 2 of the TEU.

2.   EEAS security inspections are conducted under the authority of the Directorate responsible for HQ security and EEAS information security, with the support of the EEAS Crisis Response Centre (CRC) when appropriate, and, in the context of the arrangements referred to in Article 3(3), with the support of security experts representing other EU Institutions or Member States.

3.   The EEAS may draw, as necessary, on expertise in the Member States, in the General Secretariat of the Council and in the Commission.

Where necessary, relevant security experts based in Member State Missions in the third States and/or representatives of the diplomatic security departments of the Member States may be invited to participate in the security inspection of the Union Delegation.

4.   Provisions for implementing this Article as regards the protection of EUCI are set out in Annex A III.

Article 17

Assessment visits

Assessment visits shall be arranged to ascertain the effectiveness of the security measures in place in a third State or international organisation for protecting EUCI exchanged under an administrative arrangement as referred to in Article 10(1)(b) of Annex A.

The Directorate responsible for HQ security and EEAS information security may designate contributing experts to participate in assessment visits to third States or international organisations with which the EU has concluded a Security of Information Agreement as referred to in Article 10(1)(a) of Annex A.

Article 18

Business continuity planning

The Directorate responsible for HQ security and EEAS information security and the Directorate responsible for the Crisis Response Centre (CRC) shall assist the EEAS Security Authority in managing the security-related aspects of EEAS business continuity processes as part of the overall Business Continuity Planning of the EEAS.

Article 19

Travel advice for missions outside the EU

The Directorate responsible for the Crisis Response Centre (CRC) shall ensure the availability of travel advice regarding missions of staff placed under the responsibility of the EEAS outside the EU, drawing upon the resources of all relevant services of the EEAS - in particular the INTCEN, the counter intelligence cell of the Directorate General for Resource Management, the geographical departments and the Union Delegations.

The Directorate responsible for the Crisis Response Centre (CRC) shall provide, on request, and drawing upon aforementioned resources, specific travel advice regarding missions by staff placed under the responsibility of the EEAS to third States presenting a high risk or an increased risk level.

Article 20

Health and Safety

The EEAS security rules complement the EEAS rules for the protection of health and safety, as adopted by the High Representative.

Article 21

Implementation and review

1.   The EEAS Security Authority shall, after consultation with the EEAS Security Committee as appropriate, approve security Guidelines setting out any measures necessary to implement these rules in the EEAS, and shall build up the necessary capacity covering all aspects of security, in close cooperation with the Member States’ competent security authorities and with the support of the relevant services of the EU Institutions.

2.   In accordance with Article 4(5) of Council Decision 2010/427/EU and as necessary, the EEAS may conclude service-level arrangements with the relevant services of the General Secretariat of the Council and of the Commission.

3.   The HR shall ensure overall consistency in the application of this Decision, and shall keep these security rules under review.

4.   The EEAS security rules are to be implemented in close cooperation with the Member States’ competent security authorities.

5.   EEAS shall ensure that all aspects of the security process are taken into account within the EEAS crisis response system.

6.   The Secretary General, as Security Authority, the Director of the Directorate responsible for HQ security and EEAS information security and the Director of the Crisis Response Centre (CRC) shall ensure implementation of this decision.

Article 22

Replacement of previous decisions

This decision shall repeal and replace the Decision ADMIN (2017)10 of the High Representative of the Union for Foreign Affairs and Security Policy of 19 September 2017 on the security rules for the European External Action Service (5).

Article 23

Final provisions

This decision shall enter into force on the date of its signature.

It shall be published in the Official Journal of the European Union.

The EEAS Security Authority shall duly and timely inform all staff falling within the scope of this decision and its annexes, on the content, entry into force and any subsequent modifications thereof.

Done at Brussels, 19 June 2023.

Josep BORRELL FONTELLES

High Representative

of the Union for Foreign Affairs and Security Policy


(1)  OJ L 201, 3.8.2010, p. 30.

(2)  OJ C 126, 10.4.2018, p. 1.

(3)  Staff Regulations of Officials of the European Union and the Conditions of Employment of Other Servants of the European Union, hereinafter referred to as ‘the Staff Regulations’.

(4)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data (OJ L 295, 21.11.2018, p. 39).

(5)  OJ C 126, 10.4.2018, p. 1.


ANNEX A

PRINCIPLES AND STANDARDS FOR PROTECTING EUCI

Article 1

Purpose, scope and definitions

1.   This Annex sets out the basic principles and minimum standards of security for protecting EUCI.

2.   These basic principles and minimum standards shall apply to the EEAS and to Staff placed under the responsibility of the EEAS as referred to and defined respectively in Articles 1 and 2 of this Decision.

Article 2

Definition of EUCI, security classifications and markings

1.   ‘EU classified information’ (EUCI) means any information or material designated by an EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States.

2.   EUCI shall be classified at one of the following levels:

(a)

TRES SECRET UE/EU TOP SECRET: information and material the unauthorised disclosure of which could cause exceptionally grave prejudice to the essential interests of the European Union or of one or more of the Member States.

(b)

SECRET UE/EU SECRET: information and material the unauthorised disclosure of which could seriously harm the essential interests of the European Union or of one or more of the Member States.

(c)

CONFIDENTIEL UE/EU CONFIDENTIAL: information and material the unauthorised disclosure of which could harm the essential interests of the European Union or of one or more of the Member States.

(d)

RESTREINT UE/EU RESTRICTED: information and material the unauthorised disclosure of which could be disadvantageous to the interests of the European Union or of one or more of the Member States.

3.   EUCI shall bear a security classification marking in accordance with paragraph 2. It may bear additional markings to designate the field of activity to which it relates, identify the originator, limit distribution, restrict use or indicate releasability.

Article 3

Classification management

1.   The EEAS shall ensure that EUCI is appropriately classified, clearly identified as classified information and retains its classification level for only as long as necessary.

2.   EUCI shall not be downgraded or declassified nor shall any of the markings referred to in Article 2(3) be modified or removed without the prior written consent of the originator.

3.   The EEAS Security Authority shall approve, after consulting the EEAS Security Committee pursuant to Article 15(5) of this Decision, security Guidelines on creating EUCI which shall include a practical classification guide.

Article 4

Protection of classified information

1.   EUCI shall be protected in accordance with this Decision.

2.   The holder of any item of EUCI shall be responsible for protecting it in accordance with this Decision.

3.   Where Member States introduce classified information bearing a national security classification marking into the structures or networks of the EEAS, the EEAS shall protect that information in accordance with the requirements applicable to EUCI at the equivalent level as set out in the table of equivalence of security classifications contained in Appendix B.

The EEAS shall establish appropriate procedures to maintain accurate records as to the originator of the

classified information EEAS receives; and

source material included in classified information originated by the EEAS.

The EEAS Security Committee shall be informed of these procedures.

4.   Large quantities or a compilation of EUCI may warrant a level of protection corresponding to a higher classification than that of its components.

Article 5

Personnel security for handling EU classified information

1.   Personnel security is the application of measures to ensure that access to EUCI is granted only to individuals who have:

a need-to-know;

for access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above, been security cleared to the relevant level, or are otherwise duly authorised by virtue of their functions in accordance with national laws and regulations; and

been briefed on their responsibilities.

2.   Personnel Security Clearance (PSC) procedures shall determine whether an individual, taking into account his loyalty, trustworthiness and reliability, may be authorised to access EUCI.

3.   All individuals shall be briefed on and acknowledge in writing their responsibilities to protect EUCI in accordance with this Decision before being granted access to EUCI, and at regular intervals thereafter.

4.   Provisions for implementing this Article are set out in Annex A I.

Article 6

Physical security of EU classified information

1.   Physical security is the application of physical and technical protective measures to deter unauthorised access to EUCI.

2.   Physical security measures shall be designed to deny surreptitious or forced entry by an intruder, to deter, impede and detect unauthorised actions and to allow for differentiation in personnel in their access to EUCI on a need-to-know basis. Such measures shall be determined based on a risk management process.

3.   Physical security measures shall be put in place for all premises, buildings, offices, rooms and other areas in which EUCI is handled or stored, including areas housing communication and information systems as defined in Appendix A to this Decision.

4.   Areas in which EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or above is stored shall be established as Secured Areas in accordance with Annex A II and approved by the EEAS Security Authority.

5.   Only approved equipment or devices shall be used for protecting EUCI at the level CONFIDENTIEL UE/EU CONFIDENTIAL or above.

6.   Provisions for implementing this Article are set out in Annex A II.

Article 7

Management of classified information

1.   The management of classified information is the application of administrative measures for controlling EUCI throughout its life-cycle to supplement the measures provided for in Articles 5, 6 and 8 and thereby help deter, detect and recover from deliberate or accidental compromise or loss of such information. Such measures relate in particular to the creation, registration, copying, translation, carriage, handling, storage and destruction of EUCI.

2.   Information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above shall be registered for security purposes prior to distribution and on receipt. The competent authorities in the EEAS shall establish a registry system for this purpose. Information classified TRES SECRET UE/EU TOP SECRET shall be registered in designated registries.

3.   Services and premises where EUCI is handled or stored shall be subject to regular inspection by the EEAS Security Authority.

4.   EUCI shall be conveyed between services and premises outside physically protected areas as follows:

(a)

as a general rule, EUCI shall be transmitted by electronic means protected by cryptographic products approved in accordance with Article 7(5) of this Decision and according to clearly defined Security Operational Procedures (SecOPs);

(b)

when the means referred to in point (a) are not used, EUCI shall be carried either:

(i)

on electronic media (e.g. USB sticks, CDs, hard drives) protected by cryptographic products approved in accordance with Article 8(5) of this Decision; or

(ii)

in all other cases, as prescribed by the EEAS Security Authority in accordance with the relevant protective measures laid down in Annex A III, Section V.

5.   Provisions for implementing this Article are set out in Annex A III.

Article 8

Protection of EUCI handled in communication and information systems

1.   Information Assurance (IA) in the field of communication and information systems is the confidence that such systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users. Effective IA shall ensure appropriate levels of confidentiality, integrity, availability, non-repudiation and authenticity. IA shall be based on a risk management process.

2.   CIS shall handle EUCI in accordance with the concept of IA.

3.   All CIS handling EUCI shall undergo an accreditation process. Accreditation shall aim at obtaining assurance that all appropriate security measures have been implemented and that a sufficient level of protection of the EUCI and of the CIS has been achieved in accordance with this Decision. The accreditation statement shall determine the maximum classification level of the information that may be handled in a CIS as well as the corresponding terms and conditions.

4.   CIS handling information classified CONFIDENTIEL UE/EU CONFIDENTIAL and above shall be protected in such a way that the information cannot be compromised by unintentional electromagnetic emanations (‘TEMPEST security measures’).

5.   Where the protection of EUCI is provided by cryptographic products, such products shall be approved in accordance with Article 8(5) of this Decision.

6.   During transmission of EUCI by electronic means, approved cryptographic products shall be used. Notwithstanding this requirement, specific procedures may be applied under emergency circumstances or specific technical configurations as specified in Annex A IV.

7.   Pursuant to Article 8(6) of this Decision, the following IA functions will be established to the extent necessary:

(a)

an IA Authority (IAA);

(b)

a TEMPEST Authority (TA);

(c)

a Crypto Approval Authority (CAA);

(d)

a Crypto Distribution Authority (CDA).

8.   Pursuant to Article 8(7) of this Decision, for each system shall be established:

(a)

a Security Accreditation Authority (SAA);

(b)

an IA Operational Authority (IAOA).

9.   Provisions for implementing this Article are set out in Annex A IV.

Article 9

Industrial security

1.   Industrial security is the application of measures to ensure the protection of EUCI by contractors or subcontractors in pre-contract negotiations and throughout the life-cycle of classified contracts. As a general rule, such contracts shall not involve access to information classified TRES SECRET UE/EU TOP SECRET.

2.   The EEAS may entrust by contract tasks involving or entailing access to or the handling or storage of EUCI by industrial or other entities registered in a Member State, or in a third State with which a security of information agreement or an administrative arrangement referred to in Article 10(1) of Annex A has been concluded.

3.   The EEAS, as contracting authority, shall ensure that the minimum standards on industrial security set out in this Decision, and referred to in the contract, are complied with when awarding classified contracts to industrial or other entities. It shall ensure compliance with such minimum standards through the relevant NSA/DSA.

4.   Contractors or subcontractors registered in a Member State and participating in classified contracts or sub-contracts which are required to handle and store information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET within their facilities, either in the performance of such contracts or during the pre-contractual stage, shall hold a Facility Security Clearance (FSC) at the relevant classification level, granted by the NSA, DSA or any other competent security authority of the said Member State.

5.   Contractor or subcontractor personnel who, for the performance of a classified contract, require access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET shall hold a PSC granted by the respective National Security Authority (NSA), Designated Security Authority (DSA) or any other competent security authority in accordance with national laws and regulations and the minimum standards laid down in Annex A I.

6.   Provisions for implementing this Article are set out in Annex A V.

Article 10

Exchange of classified information with third States and International Organisations

1.   The EEAS can only exchange EUCI with a third State or international organisation where:

(a)

a security of information agreement between the EU and that third State or international organisation, concluded in accordance with Article 37 TEU and Article 218 TFEU, is in force; or

(b)

an administrative arrangement between the HR and the competent security authorities of that third State or international organisation, for the exchange of information classified, in principle, no higher than RESTREINT UE/EU RESTRICTED, concluded in accordance with the procedure set out in Article 15(5) of this Decision, has taken effect; or

(c)

a framework or ad-hoc participation agreement between the EU and that third State in the context of a CSDP crisis management operation, concluded in accordance with Article 37 TEU and Article 218 TFEU, is applicable,

and the conditions set out in that instrument have been met.

Exceptions to the general rule above are set out in Annex A VI, Section V.

2.   Administrative arrangements referred to in paragraph 1(b) shall contain provisions to ensure that when third States or international organisations receive EUCI, such information is given protection appropriate to its classification level and according to minimum standards which are no less stringent than those laid down in this Decision.

Information exchanged on the basis of agreements referred to in paragraph 1(c) shall be limited to information concerning CSDP operations in which the third State in question participates on the basis of these agreements and in accordance with their provisions.

3.   If a security of information agreement is subsequently concluded between the Union and a contributing third State or international organisation, the security of information agreement shall supersede the provision on exchange of classified information laid down in any framework participation agreement, ad hoc participation agreement or ad hoc administrative arrangement as far as the exchange and handling of EUCI is concerned.

4.   EUCI generated for the purpose of a CSDP operation may be disclosed to personnel seconded to that operation by third States or international organisations in accordance with paragraphs 1-3 and Annex A VI. When authorising access to EUCI in premises or in CIS of a CSDP operation by such personnel, measures shall be applied (including recording of EUCI disclosed) to mitigate the risk of loss or compromise. Such measures shall be defined in relevant planning or mission documents.

5.   Assessment visits to third States or international organisations, as referred to in Article 17 of this Decision shall be arranged to ascertain the effectiveness of the security measures in place for protecting any EUCI exchanged.

6.   The decision to release EUCI held by the EEAS to a third State or international organisation shall be taken on a case-by-case basis, according to the nature and content of such information, the recipient’s need-to-know and the measure of advantage to the EU.

The EEAS shall seek the written consent of any entity which has provided classified information as source material for EUCI which the EEAS has originated, to establish that there are no objections to release.

If the originator of the classified information for which release is desired is not the EEAS, the EEAS shall first seek the originator’s written consent to release.

If, however, the EEAS cannot establish the originator, the EEAS Security Authority shall assume the originator’s responsibility after having obtained the unanimous favourable opinion of the Member States as represented in the EEAS Security Committee.

7.   Provisions for implementing this Article are set out in Annex A VI.

Article 11

Breaches of security and compromise of classified information

1.   Any breach or suspected breach of security, and any compromise or suspected compromise of classified information shall be reported immediately to the Directorate responsible for HQ security and EEAS information security, which shall inform, as appropriate, the Member State(s) concerned, or any other entity concerned.

2.   Where it is known or where there are reasonable grounds to suspect that classified information has been compromised or lost, the Directorate responsible for HQ security and EEAS information security shall inform the NSA of the Member State(s) concerned and shall take all appropriate measures in accordance with the relevant laws and regulations to:

(a) safeguard evidence;

(b) ensure that the case is investigated by personnel not immediately concerned with the breach or compromise in order to establish the facts;

(c) immediately inform the originator or any other entity concerned;

(d) take appropriate measures to prevent a recurrence;

(e) assess the potential damage caused to the interests of the EU or of the Member States; and

(f) notify the appropriate authorities of the effects of the actual or suspected compromise and of the action taken.

3.   Any member of staff under the responsibility of the EEAS who is responsible for a breach of the security rules laid down in this Decision may be liable to disciplinary action in accordance with the applicable rules and regulations.

Any individual who is responsible for the compromise or loss of classified information shall be liable to disciplinary and/or legal action in accordance with the applicable laws, rules and regulations.

4.   Whilst an investigation into the breach and/or compromise is ongoing, the Head of the Directorate responsible for HQ security and EEAS information security may suspend the individual’s access to EUCI and to EEAS premises. The Security Directorate of the Directorate General for Human Resources and Security of the Commission, the Security Office of the General Secretariat of the Council or the NSA of the Member State(s) or other entity concerned shall be immediately informed of this decision.


ANNEX A I

PERSONNEL SECURITY

I.   INTRODUCTION

1.   This Annex sets out provisions for implementing Article 5 of Annex A. It lays down in particular the criteria that the EEAS shall apply for determining whether an individual, taking into account his loyalty, trustworthiness and reliability, may be authorised to have access to EUCI, and the investigative and administrative procedures to be followed to that effect.

2.   The ‘Personnel Security Clearance’ (PSC) for access to EUCI is a statement by a competent authority of a Member State which is made following completion of a security investigation conducted by the competent authorities of a Member State and which certifies that an individual may, provided his ‘need-to-know’ has been determined, be granted access to EUCI up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or above) until a specified date; the individual thus described is said to be ‘security cleared’.

3.   The ‘Personnel Security Clearance Certificate’ (PSCC) is a certificate issued by the EEAS Security Authority establishing that an individual is security cleared, and which shows the level of EUCI to which that individual may be granted access, the date of validity of the relevant PSC and the date of the expiry of the certificate itself.

4.   The ‘Authorisation to access EUCI’ is an authorisation by the EEAS Security Authority which is taken in accordance with this Decision after a PSC has been issued by the competent authorities of a Member State, and which certifies that an individual may, provided his ‘need-to-know’ has been determined, be granted access to EUCI up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or above) until a specified date; the individual thus described is said to be ‘security cleared’.

II.   AUTHORISING ACCESS TO EUCI

5.   Access to information classified RESTREINT UE/EU RESTRICTED does not require a security clearance and is granted after:

(a) the individual's statutory or contractual link to the EEAS has been established;

(b) the individual's need-to-know has been determined; and

(c) he has been briefed on the security rules and procedures for protecting EUCI and has acknowledged in writing his responsibilities to protect EUCI in accordance with this Decision.

6.   An individual shall only be authorised to access information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above after:

(a) the individual's statutory or contractual link to the EEAS has been established;

(b) his need-to-know has been determined;

(c) he has been granted a PSC to the relevant level or is otherwise duly authorised by virtue of his functions in accordance with national laws and regulations; and

(d) he has been briefed on the security rules and procedures for protecting EUCI and has acknowledged in writing his responsibilities with regard to protecting such information.

7.   EEAS shall identify the positions in its structures which require access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above and therefore require a PSC to the relevant level, as referred to in paragraph 4 above.

8.   EEAS Staff shall declare whether they hold the citizenship of more than one country.

PSC request procedures in the EEAS

9.   For EEAS Staff, the EEAS Security Authority shall forward the completed personnel security questionnaire to the NSA of the Member State of which the individual is a national, requesting that a security investigation be undertaken for the level of EUCI to which the individual will require access.

10.   Where an individual holds citizenship of more than one country, the vetting request will be addressed to the NSA of the country under whose nationality the person has been recruited.

11.   Where information relevant for a security investigation becomes known to the EEAS concerning an individual who has applied for a PSC, the EEAS, acting in accordance with the relevant rules and regulations, shall notify the relevant NSA thereof.

12.   Following completion of the security investigation, the relevant NSA shall notify the EEAS Directorate responsible for HQ security and EEAS information security of the outcome of such an investigation.

(a) Where the security investigation results in an assurance that nothing adverse is known which would call into question the loyalty, trustworthiness and reliability of the individual, the EEAS Security Authority may grant the individual concerned an Authorisation to access EUCI up to the relevant level until a specified date;

(b) The EEAS shall take all appropriate measures to ensure that conditions or restrictions imposed by the NSA are duly implemented. The NSA will be informed about the outcome.

(c) Where the security investigation does not result in such an assurance, the EEAS Security Authority shall notify the individual concerned, who may ask to be heard by the EEAS Security Authority. The EEAS Security Authority may ask the competent NSA for any further clarification it can provide according to its national laws and regulations. If the outcome is confirmed, an Authorisation to access EUCI shall not be granted. In that case EEAS shall take all appropriate measures to ensure that the applicant will be denied any access to EUCI.

13.   The security investigation together with the results obtained, on which the EEAS Security Authority bases its decision on whether or not to grant an authorisation to access EUCI, shall be subject to the relevant laws and regulations in force in the Member State concerned, including those concerning appeals. The decisions of the EEAS Security Authority may be subject to appeals in the conditions foreseen in Articles 90 and 91 of the Staff Regulations.

14.   The assurance on which a PSC is based, provided it remains valid, shall cover any assignment by the individual concerned within the EEAS, the General Secretariat of the Council or the Commission.

15.   The EEAS shall accept the authorisation for access to EUCI granted by any other European Union Institution, Body or Agency provided it remains valid. Authorisations shall cover any assignment by the individual concerned within the EEAS. The European Union Institution, Body or Agency in which the individual is taking up employment will notify the relevant NSA of the change of employer.

16.   If an individual’s period of service does not commence within 12 months of the notification of the outcome of the security investigation to the EEAS Security Authority, or if there is a break of 12 months or more in an individual’s service, during which time he has not been employed in the EEAS, in other EU Institutions, agencies or bodies, or in a position with a national administration of a Member State, which requires access to classified information, this outcome shall be referred to the relevant NSA for confirmation that it remains valid and appropriate.

17.   Where information becomes known to the EEAS concerning a security risk posed by an individual who holds a valid PSC, the EEAS, acting in accordance with the relevant rules and regulations, shall notify the relevant NSA thereof and may suspend access to EUCI or withdraw authorisation for access to EUCI. Where an NSA notifies the EEAS of withdrawal of an assurance given in accordance with paragraph 12(a) for an individual who holds a valid Authorisation to access EUCI, the EEAS Security Authority may ask for any clarification the NSA can provide according to its national laws and regulations. If the adverse information is confirmed, the aforementioned Authorisation shall be withdrawn and the individual shall be excluded from access to EUCI and from positions where such access is possible or where he might endanger security.

18.   Any decision to withdraw an Authorisation to access EUCI from an EEAS staff member and, where appropriate, the reasons for doing so shall be notified to the individual concerned, who may ask to be heard by the EEAS Security Authority. Information provided by an NSA shall be subject to the relevant laws and regulations in force in the Member State concerned, including those concerning appeals. The decisions of the EEAS Security Authority may be subject to appeals in the conditions foreseen in Articles 90 and 91 of the Staff Regulations.

19.   National experts seconded to the EEAS for a position requiring access to classified information CONFIDENTIEL UE/EU CONFIDENTIAL or above shall present a valid PSC for access to EUCI to the relevant level to the EEAS Security Authority prior to taking up their assignment. The above process shall be managed by the sending Member State.

Records of PSCs

20.   A database on the security clearance status of all staff placed under the responsibility of the EEAS and of EEAS contractors’ personnel shall be maintained by the EEAS Directorate responsible for HQ security and EEAS information security. These records shall include the level of EUCI to which the individual may be granted access (CONFIDENTIEL UE/EU CONFIDENTIAL or above), the date the PSC was granted and its period of validity.

21.   Appropriate coordination procedures shall be put in place with Member States and other EU Institutions, agencies and bodies to ensure that the EEAS holds an accurate and comprehensive record of security clearance status of all Staff placed under the responsibility of the EEAS and of EEAS contractors’ personnel.

22.   The EEAS Security Authority may issue a Personnel Security Clearance Certificate (PSCC) showing the level of EUCI to which the individual may be granted access (CONFIDENTIEL UE/EU CONFIDENTIAL or above), the date of validity of the relevant PSC or Authorisation and the date of expiry of the certificate itself.

Exemptions from the PSC requirement

23.   Individuals duly authorised to access EUCI by virtue of their functions in accordance with national laws and regulations shall be briefed, as appropriate, by the Directorate responsible for HQ security and EEAS information security on their security obligations in respect of protecting EUCI.

III.   SECURITY EDUCATION AND AWARENESS

24.   Prior to being authorised to access EUCI, all individuals shall acknowledge in writing that they have understood their obligations in respect of protecting EUCI and the consequences if EUCI is compromised. A record of such a written acknowledgement shall be kept by the Directorate responsible for HQ security and EEAS information security.

25.   All individuals who are authorised to have access to, or required to handle EUCI, shall initially be made aware of, and periodically briefed on the threats to security and must report immediately to the appropriate Department/Delegation Security Coordinators and to the Directorate responsible for HQ security and EEAS information security any approach or activity that they consider suspicious or unusual.

26.   All individuals granted access to EUCI must be subject to ongoing personnel security measures (i.e. aftercare) for the duration that they handle EUCI. Ongoing personnel security is the responsibility of:

(a) Individuals granted access to EUCI: Individuals are personally responsible for their own security conduct and must report immediately to the appropriate security authorities any approach or activity that they consider suspicious or unusual, and any changes in their personal circumstances that may have an impact on their PSC or Authorisation to access EUCI.

(b) Line managers: They are responsible for the determination of the individual’s need to know and for ensuring that their staff are aware of the security measures and responsibilities to protect EUCI, for monitoring the security conduct of their staff and for either addressing any security matters of concern themselves, or reporting to the appropriate security authorities any adverse information that may have an impact on their staff's PSC or Authorisation to access EUCI.

(c) Security actors of the EEAS security organisation as referred to in Article 12 of this decision: They are responsible for providing security awareness briefings to ensure staff in their area are periodically briefed, for fostering a strong security culture in their area of responsibility, for putting in place measures to monitor the security conduct of staff, and for reporting to the appropriate security authorities any adverse information that may have an impact on any individual's PSC.

(d) EEAS and Member States: shall put in place the necessary channels to communicate information that may have an impact on any individual's PSC or Authorisation to access EUCI.

27.   All individuals who cease to be employed on duties requiring access to EUCI shall be made aware of, and where appropriate acknowledge in writing, their obligations in respect of the continued protection of EUCI.

IV.   EXCEPTIONAL CIRCUMSTANCES

28.   For reasons of urgency, where duly justified in the interests of the EEAS and pending completion of a full security investigation, the EEAS Security Authority may, after consulting the NSA of the Member State of which the individual is a national and subject to the outcome of preliminary checks to verify that no adverse information is known, grant a temporary authorisation for EEAS officials and other servants to access EUCI for a specific function. A full security investigation should be completed as soon as possible. Such temporary authorisations will be valid for a period not exceeding six months and shall not permit access to information classified TRÈS SECRET UE/EU TOP SECRET. All individuals who have been granted a temporary authorisation shall acknowledge in writing that they have understood their obligations in respect of protecting EUCI and the consequences if EUCI is compromised. A record of such a written acknowledgement shall be kept by the Directorate responsible for HQ security and EEAS information security.

29.   When an individual is to be assigned to a position that requires a PSC at one level higher than that currently possessed by the individual, the assignment may be made on a provisional basis, provided that:

(a) the compelling need for access to EUCI at a higher level shall be justified, in writing, by the individual's respective Line Manager at the level of Director/Managing Director/Head of Delegation, as appropriate;

(b) access shall be limited to specific items of EUCI in support of the assignment;

(c) the individual holds a valid PSC;

(d) action has been initiated to obtain authorisation for the level of access required for the position;

(e) satisfactory checks have been made by the competent authority that the individual has not seriously or repeatedly infringed security regulations;

(f) the assignment of the individual is approved by the competent EEAS authority;

(g) the relevant NSA/DSA which issued the individual's PSC has been consulted and no objection has been received; and

(h) a record of the exception, including a description of the information to which access was approved, is kept by the registry or subordinate registry responsible.

30.   The above procedure shall be used for one-time access to EUCI at one level higher than that to which the individual has been security cleared. Recourse to this procedure shall not be made on a recurring basis.

31.   In very exceptional circumstances, such as missions in hostile environments or during periods of mounting international tension when emergency measures require it, in particular for the purposes of saving lives, the HR, the EEAS Security Authority or the Director General for Resources Management, may grant, where possible in writing, access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET to individuals who do not possess the requisite PSC, provided that such permission is absolutely necessary. A record shall be kept by the Directorate responsible for HQ Security and EEAS Information Security of this permission describing the information to which access was approved.

32.   In the case of information classified TRÈS SECRET UE/EU TOP SECRET, this emergency access shall be confined to EU nationals who have been authorised access to either the national equivalent of TRÈS SECRET UE/EU TOP SECRET or information classified SECRET UE/EU SECRET.

33.   The EEAS Security Committee shall be informed of cases when recourse is made to the procedure set out in paragraphs 31 and 32.

34.   The EEAS Security Committee shall receive an annual report on recourse to the procedures set out in this section.
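The conditions in paragraphs 5, 6, 28, 29 and 30 of this Annex combine into one decision procedure: common prerequisites (statutory link, need-to-know, written acknowledgement), a clearance requirement that starts at CONFIDENTIEL UE/EU CONFIDENTIAL, a time-boxed temporary authorisation that never reaches TRÈS SECRET UE/EU TOP SECRET, and a one-time provisional step one level above a valid PSC. The Python below is an added illustration written for this page of how such rules are expressed as code; it is not EEAS software or any code attached to the Decision. The `Staff` record layout, the reading of "not exceeding six months" as six calendar months, the reference date and the sample records are all constructed assumptions.

```python
"""Access-authorisation checks modelled on Annex A I, Sections II and IV.

Added illustration for this page, not EEAS software.  Record layout,
six-calendar-month reading and sample data are constructed assumptions.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import date
from enum import IntEnum
from typing import Optional


class Level(IntEnum):
    """EUCI classification levels in ascending order of sensitivity."""
    RESTRICTED = 1     # RESTREINT UE/EU RESTRICTED
    CONFIDENTIAL = 2   # CONFIDENTIEL UE/EU CONFIDENTIAL
    SECRET = 3         # SECRET UE/EU SECRET
    TOP_SECRET = 4     # TRÈS SECRET UE/EU TOP SECRET


@dataclass
class Staff:
    """Facts checked before access is authorised (hypothetical record layout)."""
    name: str
    statutory_link: bool              # para 5(a) / 6(a)
    briefed_and_acknowledged: bool    # para 5(c) / 6(d)
    psc_level: Optional[Level] = None
    psc_valid_until: Optional[date] = None
    temp_auth_level: Optional[Level] = None    # para 28 temporary authorisation
    temp_auth_granted: Optional[date] = None
    provisional_uses: int = 0                  # para 30: one-time only


def add_months(d: date, n: int) -> date:
    """Calendar-month arithmetic, clamping the day to the target month's length."""
    m = d.month - 1 + n
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def effective_level(s: Staff, today: date) -> Optional[Level]:
    """Highest level held through a valid PSC or a still-valid para 28 authorisation."""
    levels = []
    if s.psc_level and s.psc_valid_until and today <= s.psc_valid_until:
        levels.append(s.psc_level)
    if s.temp_auth_level and s.temp_auth_granted:
        # para 28: at most six months, and never TRÈS SECRET UE/EU TOP SECRET
        if s.temp_auth_level < Level.TOP_SECRET and today <= add_months(s.temp_auth_granted, 6):
            levels.append(s.temp_auth_level)
    return max(levels) if levels else None


def may_access(s: Staff, level: Level, need_to_know: bool, today: date) -> tuple[bool, str]:
    """Paras 5 and 6: common conditions first, then the clearance requirement above RESTRICTED."""
    if not s.statutory_link:
        return False, "no statutory or contractual link to the EEAS"
    if not need_to_know:
        return False, "need-to-know not determined"
    if not s.briefed_and_acknowledged:
        return False, "security briefing not acknowledged in writing"
    if level == Level.RESTRICTED:
        return True, "RESTREINT UE/EU RESTRICTED: no clearance required (para 5)"
    held = effective_level(s, today)
    if held is None or held < level:
        return False, f"no valid clearance or authorisation to {level.name} (para 6(c))"
    return True, f"cleared to {held.name} (para 6)"


# Para 29 conditions checked by the caller; (c), the valid PSC, is checked on the record itself.
PROVISIONAL_CONDITIONS = ("a", "b", "d", "e", "f", "g", "h")


def provisional_one_level_up(s: Staff, level: Level, conditions_met: set, today: date) -> tuple[bool, str]:
    """Paras 29 and 30: one-time provisional access exactly one level above a valid PSC."""
    if s.provisional_uses > 0:
        return False, "procedure already used; recourse must not be recurring (para 30)"
    if not (s.psc_level and s.psc_valid_until and today <= s.psc_valid_until):
        return False, "no valid PSC (para 29(c))"
    if level != s.psc_level + 1:
        return False, "access must be exactly one level above the PSC held (para 30)"
    missing = [c for c in PROVISIONAL_CONDITIONS if c not in conditions_met]
    if missing:
        return False, f"conditions not met: {', '.join(missing)} (para 29)"
    s.provisional_uses += 1
    return True, f"one-time provisional access to {level.name} recorded (para 29(h))"


TODAY = date(2023, 9, 1)  # constructed reference date for the worked example


def sample_staff() -> dict:
    """Constructed sample records (not real people) covering the main edge cases."""
    return {
        "anna": Staff("Anna", True, True, Level.SECRET, date(2026, 1, 31)),
        # temporary authorisation granted 2023-02-15: expired by TODAY (six months)
        "ben": Staff("Ben", True, True, temp_auth_level=Level.CONFIDENTIAL, temp_auth_granted=date(2023, 2, 15)),
        "chloe": Staff("Chloe", True, False),  # never briefed: even RESTRICTED is refused
        "dan": Staff("Dan", True, True, temp_auth_level=Level.CONFIDENTIAL, temp_auth_granted=date(2023, 6, 1)),
        "eve": Staff("Eve", True, True, temp_auth_level=Level.TOP_SECRET, temp_auth_granted=date(2023, 8, 1)),
    }


if __name__ == "__main__":
    for name, person in sample_staff().items():
        for lvl in (Level.RESTRICTED, Level.CONFIDENTIAL, Level.SECRET):
            print(name, lvl.name, may_access(person, lvl, True, TODAY))
```

The two functions deliberately return the deciding paragraph alongside the verdict so that a refusal can be logged with its reason; `effective_level` is where the para 28 limits (six months, no TOP SECRET) are enforced, so a temporary authorisation recorded at TOP_SECRET, as in the constructed "eve" record, simply never counts.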

V.   ATTENDANCE AT MEETINGS IN THE EEAS HEADQUARTERS AND UNION DELEGATIONS

35.   Individuals assigned to participate in meetings in the EEAS Headquarters and Union Delegations at which information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above is discussed may only do so upon confirmation of the individual’s PSC status. For Member States’ representatives, officials from the General Secretariat of the Council and the Commission, a PSCC or other proof of PSC shall be forwarded by the appropriate authorities to the Directorate responsible for HQ security and EEAS information security, the Union Delegation Security Coordinator, or exceptionally be presented by the person concerned. Where applicable, a consolidated list of names may be used, giving the relevant proof of PSC.

36.   Where a PSC for access to EUCI is withdrawn from an individual whose duties require attendance at meetings in the EEAS Headquarters or Union Delegation at which information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above is discussed, the Directorate responsible for HQ security and EEAS information security shall be informed by the competent authority thereof.

VI.   POTENTIAL ACCESS TO EUCI

37.   When individuals are to be employed in circumstances in which they may potentially have access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above, they shall be appropriately security cleared or escorted at all times.

38.   Couriers, guards and escorts shall be security cleared to the relevant level or otherwise appropriately investigated in accordance with national laws and regulations, be briefed at regular intervals on security procedures for protecting EUCI and on their duties for protecting such information entrusted to them or to which they may inadvertently have access.

ANNEX A II

PHYSICAL SECURITY OF EU CLASSIFIED INFORMATION

I.   INTRODUCTION

1.   This Annex sets out provisions for implementing Article 6 of Annex A. It lays down minimum requirements for the physical protection of premises, buildings, offices, rooms and other areas where EUCI is handled and stored, including areas housing CIS.

2.   Physical security measures shall be designed to prevent unauthorised access to EUCI by:

(a) ensuring that EUCI is handled and stored in an appropriate manner;

(b) allowing for segregation of personnel in terms of access to EUCI on the basis of their need-to-know and, where appropriate, their security clearance;

(c) deterring, impeding and detecting unauthorised actions; and

(d) denying or delaying surreptitious or forced entry by intruders.

II.   PHYSICAL SECURITY REQUIREMENTS AND MEASURES

3.   The EEAS shall apply a risk management process for protecting EUCI on its premises to ensure that a commensurate level of physical protection is afforded against the assessed risk. The risk management process shall take account of all relevant factors, in particular:

(a) the classification level of EUCI;

(b) the form and volume of EUCI, bearing in mind that large quantities or a compilation of EUCI may require more stringent protective measures to be applied;

(c) the surrounding environment and structure of the buildings or areas housing EUCI;

(d) the third country threat assessment as developed by INTCEN and the counter-intelligence cell of the Directorate responsible for HQ security and EEAS information security, on the basis in particular of Union Delegation reports; and

(e) the assessed threat from intelligence services which target the EU or Member States and from sabotage, terrorist, subversive or other criminal activities.

4.   The EEAS Security Authority, applying the concept of defence in depth, shall determine the appropriate combination of physical security measures to be implemented. These can include one or more of the following:

(a) a perimeter barrier: a physical barrier which defends the boundary of an area requiring protection;

(b) Intrusion Detection Systems (IDS): an IDS may be used to enhance the level of security offered by a perimeter barrier, or in rooms and buildings in place of, or to assist, security staff;

(c) access control: access control may be exercised over a site, a building or buildings on a site or to areas or rooms within a building. Control may be exercised by electronic or electro-mechanical means, by security personnel and/or a receptionist, or by any other physical means;

(d) security personnel: trained, supervised and, where necessary, appropriately security cleared security personnel may be employed, inter alia, in order to deter individuals planning covert intrusion;

(e) Closed Circuit Television (CCTV): CCTV may be used by security personnel in order to verify incidents and IDS alarms on large sites or at perimeters;

(f) security lighting: security lighting may be used to deter a potential intruder, as well as to provide the illumination necessary for effective surveillance directly by security personnel or indirectly through a CCTV system; and

(g) any other appropriate physical measures designed to deter or detect unauthorised access or prevent loss of or damage to EUCI.

5.   The Directorate responsible for HQ security and EEAS information security may conduct entry and exit searches to act as a deterrent to the unauthorised introduction of material or the unauthorised removal of EUCI from premises or buildings.

6.   When EUCI is at risk from overlooking, even accidentally, appropriate measures shall be taken to counter this risk.

7.   For new facilities, physical security requirements and their functional specifications shall be defined as part of the planning and design of the facilities. For existing facilities, physical security requirements shall be implemented to the maximum extent possible.

III.   EQUIPMENT FOR THE PHYSICAL PROTECTION OF EUCI

8.   When acquiring equipment (such as security containers, shredding machines, door locks, CCTV, electronic access control systems, IDS, alarm systems) for the physical protection of EUCI, the EEAS Security Authority shall ensure that the equipment meets approved technical standards and minimum requirements.

9.   The technical specifications of equipment to be used for the physical protection of EUCI shall be set out in security guidelines to be approved by the EEAS Security Committee.

10.   Security systems shall be inspected at regular intervals and equipment shall be maintained regularly. Maintenance work shall take account of the outcome of inspections to ensure that equipment continues to operate at optimum performance.

11.   The effectiveness of individual security measures and of the overall security system shall be re-evaluated during each inspection.

IV.   PHYSICALLY PROTECTED AREAS

12.   Two types of physically protected areas, or the national equivalents thereof, shall be established for the physical protection of EUCI:

(a) Administrative Areas; and

(b) Secured Areas (including technically Secured Areas).

13.   The EEAS Security Authority shall establish that an area meets the requirements to be designated as an Administrative Area, a Secured Area or a technically Secured Area.

14.   For Administrative Areas:

(a) a visibly defined perimeter shall be established which allows individuals and, where possible, vehicles to be checked;

(b) unescorted access shall be granted only to individuals who are duly authorised, in HQ by the Directorate responsible for HQ security and EEAS information security and, in Union Delegations, by the Head of Delegation; and

(c) all other individuals shall be escorted at all times or be subject to equivalent controls.

15.   For Secured Areas:

(a) a visibly defined and protected perimeter shall be established through which all entry and exit are controlled by means of a pass or personal recognition system;

(b) unescorted access shall be granted only to individuals who are security-cleared to the appropriate level and specifically authorised to enter the area on the basis of their need-to-know; and

(c) all other individuals shall be escorted at all times or be subject to equivalent controls.

16.   Where entry into a Secured Area constitutes, for all practical purposes, direct access to the classified information contained in it, the following additional requirements shall apply:

(a) the level of highest security classification of the information normally held in the area shall be clearly indicated;

(b) all visitors shall require specific authorisation to enter the area, shall be escorted at all times and shall be appropriately security cleared unless steps are taken to ensure that no access to EUCI is possible; and

(c) all electronic devices shall be left outside the area.

17.   Secured Areas protected against eavesdropping shall be designated technically Secured Areas. The following additional requirements shall apply:

(a) such areas shall be IDS equipped, be locked when not occupied and be guarded when occupied. Any keys shall be controlled in accordance with Section VI of this Annex;

(b) all persons and material entering such areas shall be controlled;

(c) such areas shall be regularly physically and/or technically inspected as required by the Directorate responsible for HQ Security and EEAS information security. Such inspections shall also be conducted following any unauthorised entry or suspicion of such an entry; and

(d) such areas shall be free of unauthorised communication lines, unauthorised telephones or other unauthorised communication devices and electrical or electronic equipment.

18.   Notwithstanding point (d) of paragraph 17, before being used in areas where meetings are held or work is being performed involving information classified SECRET UE/EU SECRET and above, and where the threat to EUCI is assessed as high, any communications devices and electrical or electronic equipment shall first be examined by the Technical Security Counter Measures (TSCM) team within the Directorate responsible for HQ security and EEAS information security to ensure that no intelligible information can be inadvertently or illicitly transmitted by such equipment beyond the perimeter of the Secured Area.

19.   Secured Areas which are not occupied by duty personnel on a 24-hour basis shall, where appropriate, be inspected at the end of normal working hours and at random intervals outside normal working hours, unless an IDS is in place.

20.   Secured Areas and technically Secured Areas may be set up temporarily within an Administrative Area for a classified meeting or any other similar purpose.

21.   Security Operating Procedures (SecOPs) shall be drawn up for each Secured Area stipulating:

(a) the level of EUCI which may be handled and stored in the area;

(b) the surveillance and protective measures to be maintained;

(c) the individuals authorised to have unescorted access to the area by virtue of their need-to-know and security clearance;

(d) where appropriate, the procedures for escorts or for protecting EUCI when authorising any other individuals to access the area; and

(e) any other relevant measures and procedures.

22.   Strong rooms, where needed, shall be constructed within Secured Areas. The walls, floors, ceilings, windows and lockable doors shall be approved by the EEAS Security Authority and afford protection equivalent to a security container approved for the storage of EUCI of the same classification level.

V.   PHYSICAL PROTECTIVE MEASURES FOR HANDLING AND STORING EUCI

23.   EUCI which is classified RESTREINT UE/EU RESTRICTED may be handled:

(a) in a Secured Area;

(b) in an Administrative Area provided the EUCI is protected from access by unauthorised individuals; or

(c) outside a Secured Area or an Administrative Area provided the holder carries the EUCI in accordance with paragraphs 30 to 42 of Annex A III and has undertaken to comply with compensatory measures laid down in security instructions issued by the EEAS Security Authority, to ensure that EUCI is protected from access by unauthorised persons.

24.   EUCI which is classified RESTREINT UE/EU RESTRICTED shall be stored in suitable locked office furniture in an Administrative Area or a Secured Area. It may temporarily be stored outside a Secured Area or an Administrative Area provided the holder has undertaken to comply with compensatory measures laid down in security instructions issued by the EEAS Security Authority.

25.   EUCI which is classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET may be handled:

(a) in a Secured Area;

(b) in an Administrative Area provided the EUCI is protected from access by unauthorised individuals; or

(c) outside a Secured Area or an Administrative Area provided the holder:

(i) carries the EUCI in accordance with paragraphs 30 to 42 of Annex A III;

(ii) has undertaken to comply with compensatory measures laid down in security instructions issued by the EEAS Security Authority, to ensure that EUCI is protected from access by unauthorised persons;

(iii) keeps the EUCI at all times under his personal control; and

(iv) in the case of documents in paper form, has notified the relevant registry of the fact.

26.   EUCI which is classified CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET shall be stored within a Secured Area, in a security container or strong room.

27.   EUCI which is classified TRÈS SECRET UE/EU TOP SECRET shall be handled in a Secured Area.

28.   EUCI which is classified TRÈS SECRET UE/EU TOP SECRET shall be stored in a Secured Area at the Headquarters under one of the following conditions:

(a) in a security container that is in accordance with paragraph 8 with one or more of the following supplementary controls:

(i) continuous protection or verification by cleared security staff or duty personnel;

(ii) an approved IDS in combination with security response personnel; or

(b) in an IDS-equipped strong room in combination with security response personnel.

29.   Rules governing the carriage of EUCI outside physically protected areas are set out in Annex A III.
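Paragraphs 23 to 28 of this Section form a matrix of permitted handling and storage conditions indexed by classification level and by type of area, with extra conditions attached to the weaker locations. The Python below is an added example written for this page, not part of the Decision or EEAS software, showing how that matrix can be expressed as two decision functions that return the deciding paragraph with each verdict. The `Handling` and `Storage` field names and the sample cases are constructed assumptions; the code treats facts such as "protected from access by unauthorised individuals" and "carried in accordance with paragraphs 30 to 42 of Annex A III" as already established by the caller.

```python
"""Handling and storage checks modelled on Annex A II, Section V (paras 23-28).

Added illustration for this page, not EEAS software.  Field names and the
sample cases are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum, IntEnum


class Level(IntEnum):
    RESTRICTED = 1     # RESTREINT UE/EU RESTRICTED
    CONFIDENTIAL = 2   # CONFIDENTIEL UE/EU CONFIDENTIAL
    SECRET = 3         # SECRET UE/EU SECRET
    TOP_SECRET = 4     # TRÈS SECRET UE/EU TOP SECRET


class Area(Enum):
    OUTSIDE = "outside any physically protected area"
    ADMINISTRATIVE = "Administrative Area"
    SECURED = "Secured Area"


@dataclass
class Handling:
    """Facts about where and how EUCI is being handled (assumed field names)."""
    area: Area
    protected_from_unauthorised: bool = False     # paras 23(b) / 25(b)
    carried_per_annex_a_iii: bool = False         # paras 30-42 of Annex A III
    compensatory_measures_accepted: bool = False  # holder's undertaking, paras 23(c) / 25(c)(ii)
    under_personal_control: bool = False          # para 25(c)(iii)
    paper_form: bool = False                      # para 25(c)(iv)
    registry_notified: bool = False


def may_handle(level: Level, h: Handling) -> tuple[bool, str]:
    """Return whether handling is permitted and the paragraph that decides it."""
    if h.area is Area.SECURED:
        return True, "Secured Area (paras 23(a), 25(a), 27)"
    if level == Level.TOP_SECRET:
        return False, "TOP SECRET may be handled only in a Secured Area (para 27)"
    if h.area is Area.ADMINISTRATIVE:
        if h.protected_from_unauthorised:
            return True, "Administrative Area with protection from unauthorised access (paras 23(b), 25(b))"
        return False, "Administrative Area without protection from unauthorised access"
    # Outside any protected area: carriage rules and compensatory measures apply at every level.
    if not (h.carried_per_annex_a_iii and h.compensatory_measures_accepted):
        return False, "outside a protected area without Annex A III carriage and compensatory measures"
    if level == Level.RESTRICTED:
        return True, "outside a protected area under para 23(c)"
    if not h.under_personal_control:
        return False, "CONFIDENTIAL/SECRET outside a protected area must stay under personal control (para 25(c)(iii))"
    if h.paper_form and not h.registry_notified:
        return False, "paper documents require registry notification (para 25(c)(iv))"
    return True, "outside a protected area under para 25(c)"


@dataclass
class Storage:
    """Facts about a proposed storage location (assumed field names)."""
    area: Area
    at_headquarters: bool = False
    locked_office_furniture: bool = False         # para 24
    security_container: bool = False              # paras 26, 28(a)
    strong_room: bool = False                     # paras 26, 28(b)
    continuous_protection: bool = False           # para 28(a)(i)
    ids_with_response: bool = False               # paras 28(a)(ii), 28(b)
    temporary: bool = False                       # para 24, second sentence
    compensatory_measures_accepted: bool = False


def may_store(level: Level, s: Storage) -> tuple[bool, str]:
    """Return whether storage is permitted and the paragraph that decides it."""
    if level == Level.RESTRICTED:
        if s.area in (Area.ADMINISTRATIVE, Area.SECURED):
            return s.locked_office_furniture, "locked office furniture required (para 24)"
        return (s.temporary and s.compensatory_measures_accepted,
                "temporary storage outside protected areas needs compensatory measures (para 24)")
    if s.area is not Area.SECURED:
        return False, "CONFIDENTIAL and above must be stored within a Secured Area (paras 26, 28)"
    if level in (Level.CONFIDENTIAL, Level.SECRET):
        return s.security_container or s.strong_room, "security container or strong room required (para 26)"
    # TOP SECRET: Headquarters only, with a supplementary control on the container or strong room.
    if not s.at_headquarters:
        return False, "TOP SECRET is stored only at the Headquarters (para 28)"
    if s.security_container and (s.continuous_protection or s.ids_with_response):
        return True, "security container with supplementary control (para 28(a))"
    if s.strong_room and s.ids_with_response:
        return True, "IDS-equipped strong room with response personnel (para 28(b))"
    return False, "TOP SECRET storage lacks the supplementary controls of para 28"


if __name__ == "__main__":
    # Constructed sample: a SECRET paper document carried outside, registry not yet notified.
    print(may_handle(Level.SECRET, Handling(Area.OUTSIDE, carried_per_annex_a_iii=True,
                                            compensatory_measures_accepted=True,
                                            under_personal_control=True, paper_form=True)))
```

Ordering matters in both functions: the Secured Area branch comes first because it admits every level, the TOP SECRET refusal comes before the Administrative Area branch because paragraph 27 overrides the "protected from unauthorised access" relief that paragraphs 23(b) and 25(b) give to lower levels, and the paper-form registry check is the last gate because it only applies once every other condition of paragraph 25(c) holds.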

VI.   CONTROL OF KEYS AND COMBINATIONS USED FOR PROTECTING EUCI

30.

The EEAS Security Authority shall define procedures for managing keys and combination settings for offices, rooms, strong rooms and security containers within all EEAS premises. Such procedures shall protect against unauthorised access.

31.

Combination settings shall be committed to memory by the smallest possible number of individuals needing to know them. Combination settings for security containers and strong rooms storing EUCI shall be changed:

(a)

on receipt of a new container;

(b)

whenever there is a change in personnel knowing the combination;

(c)

whenever a compromise has occurred or is suspected;

(d)

when a lock has undergone maintenance or repair; and

(e)

at least every 12 months.


ANNEX A III

MANAGEMENT OF CLASSIFIED INFORMATION

I.   INTRODUCTION

1.

This Annex sets out provisions for implementing Article 7 of Annex A. It lays down the administrative measures for controlling EUCI throughout its life-cycle in order to help deter, detect and recover from deliberate or accidental compromise or loss of such information.

II.   CLASSIFICATION MANAGEMENT

Classifications and markings

2.

Information shall be classified where it requires protection with regard to its confidentiality.

3.

The originator of EUCI shall be responsible for determining the security classification level, applying the appropriate security classification marking, determining the dissemination of the information to the intended recipients and applying the appropriate releasability marking, in accordance with the relevant EEAS Guidelines on Creating and Handling EUCI.

4.

The classification level of EUCI shall be determined in accordance with Article 2(2) of Annex A and by reference to the security Guidelines to be approved in accordance with Article 3(3) of Annex A.

5.

Classified information of the Member States exchanged with the EEAS shall be afforded the same level of protection as EUCI bearing the equivalent classification. A table of equivalence can be found in Appendix B to this Decision.

6.

The security classification and, where applicable, the date or specific event after which it may be downgraded or declassified, shall be clearly and correctly indicated, regardless of whether the EUCI is in paper, oral, electronic or any other form.

7.

Individual parts of a given document (i.e. pages, paragraphs, sections, annexes, appendices, attachments and enclosures) may require different classifications and shall be marked accordingly, including when stored in electronic form.

8.

To the extent possible, documents containing parts with different classification levels shall be structured so that parts with a different classification level may be easily identified and detached if necessary.

9.

The overall classification level of a document or file shall be at least as high as that of its most highly classified component. When information from various sources is collated, the final product shall be reviewed to determine its overall security classification level, since it may warrant a higher classification than its component parts.

10.

The classification of a letter or note covering enclosures shall be as high as the highest classification of its enclosures. The originator shall indicate clearly at which level it is classified when detached from its enclosures by means of an appropriate marking, e.g.:

CONFIDENTIEL UE/EU CONFIDENTIAL
Without attachment(s) RESTREINT UE/EU RESTRICTED

Markings

11.

In addition to one of the security classification markings set out in Article 2(2) of Annex A, EUCI may bear additional markings, such as:

(a)

an identifier to designate the originator;

(b)

any caveats, code words or acronyms specifying the field of activity to which the document relates, a particular distribution on a need-to-know basis or restrictions on use;

(c)

releasability markings.

12.

Following a decision to release EUCI to a third State or International Organisation, the Directorate responsible for HQ security and EEAS information security shall forward the classified information concerned, which shall bear a releasability marking indicating the third State or international organisation to which it is to be released.

13.

A list of authorised markings will be adopted by the EEAS Security Authority.

Abbreviated classification markings

14.

Standardised abbreviated classification markings may be used to indicate the classification level of individual paragraphs of a text. Abbreviations shall not replace the full classification markings.

15.

The following standard abbreviations may be used within EU classified documents to indicate the classification level of sections or blocks of text of less than a single page:

TRES SECRET UE/EU TOP SECRET      TS-UE/EU-TS
SECRET UE/EU SECRET               S-UE/EU-S
CONFIDENTIEL UE/EU CONFIDENTIAL   C-UE/EU-C
RESTREINT UE/EU RESTRICTED        R-UE/EU-R
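Paragraphs 9 and 10 above describe a lattice rule (the overall level of a document or file is at least the highest level of any component or enclosure, and a covering note carries both its overall level and the level that applies once the enclosures are detached), and paragraph 15 gives the abbreviated paragraph markings. The following Python module is an added example, not part of the Decision or of any EEAS system, showing how a document-handling tool could model those rules so that a typo in a paragraph marking cannot silently downgrade a part and an originator cannot assign a level below what the components require. It assumes that an unmarked part is unclassified (represented as None), uses the label "UNCLASSIFIED" for a detached remainder that carries no marking (the Decision prescribes no wording for that case), and uses constructed document references.

```python
"""EUCI classification lattice helpers (added example, not from the Decision)."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Iterable, List, Optional

# EU classification levels, lowest to highest; the list index is the rank
# used for lattice comparisons.
LEVELS: List[str] = [
    "RESTREINT UE/EU RESTRICTED",
    "CONFIDENTIEL UE/EU CONFIDENTIAL",
    "SECRET UE/EU SECRET",
    "TRES SECRET UE/EU TOP SECRET",
]
RANK = {level: i for i, level in enumerate(LEVELS)}

# Standard paragraph abbreviations from paragraph 15 of Annex A III.
ABBREVIATIONS = {
    "R-UE/EU-R": LEVELS[0],
    "C-UE/EU-C": LEVELS[1],
    "S-UE/EU-S": LEVELS[2],
    "TS-UE/EU-TS": LEVELS[3],
}

# Assumption of this example: an unmarked part is unclassified (None), and a
# detached remainder with no marking is labelled with this placeholder.
UNCLASSIFIED_LABEL = "UNCLASSIFIED"


def normalise(marking: Optional[str]) -> Optional[str]:
    """Map a full marking or a standard abbreviation to the full marking.

    Anything that is not a standard marking is rejected rather than treated
    as unclassified, so a mistyped marking fails closed.
    """
    if marking is None or not marking.strip():
        return None
    text = marking.strip()
    if text in RANK:
        return text
    if text in ABBREVIATIONS:
        return ABBREVIATIONS[text]
    raise ValueError(f"unknown classification marking: {marking!r}")


def join(markings: Iterable[Optional[str]]) -> Optional[str]:
    """Lattice join: the highest level present, or None if all are unclassified."""
    highest: Optional[str] = None
    for m in markings:
        level = normalise(m)
        if level is not None and (highest is None or RANK[level] > RANK[highest]):
            highest = level
    return highest


@dataclass
class Part:
    """A page, paragraph, section or annex with its own marking (paragraph 7)."""
    name: str
    marking: Optional[str] = None  # full marking, abbreviation, or None


@dataclass
class Document:
    reference: str  # constructed reference number (paragraph 16(c))
    parts: List[Part] = field(default_factory=list)
    enclosures: List["Document"] = field(default_factory=list)
    # Level assigned by the originator after reviewing the collated product
    # (paragraph 9): it may exceed the join of the parts, never fall below it.
    assigned: Optional[str] = None

    def body_level(self) -> Optional[str]:
        """Level of the document's own parts, without enclosures."""
        return join(p.marking for p in self.parts)

    def floor_level(self) -> Optional[str]:
        """Lowest level the components allow (paragraph 9, first sentence)."""
        return join([self.body_level()] + [e.overall_level() for e in self.enclosures])

    def overall_level(self) -> Optional[str]:
        """At least as high as every component and enclosure (paragraphs 9 and 10)."""
        return join([self.floor_level(), self.assigned])

    def check(self) -> None:
        """Reject an assigned level lower than what the components require."""
        floor, assigned = self.floor_level(), normalise(self.assigned)
        if floor is not None and assigned is not None and RANK[assigned] < RANK[floor]:
            raise ValueError(f"{self.reference}: assigned {assigned} but components require {floor}")

    def cover_marking(self) -> str:
        """Marking for a covering note (paragraph 10): overall level, and the
        level that applies once the enclosures are detached if it differs."""
        overall = self.overall_level()
        if overall is None:
            return UNCLASSIFIED_LABEL
        detached = join([self.body_level(), self.assigned])
        if not self.enclosures or detached == overall:
            return overall
        return f"{overall}\nWithout attachment(s) {detached or UNCLASSIFIED_LABEL}"

    def extract(self, max_level: str) -> List[Part]:
        """Parts that may be detached into a document at most max_level (paragraph 8)."""
        ceiling = RANK[normalise(max_level)]
        return [p for p in self.parts
                if normalise(p.marking) is None or RANK[normalise(p.marking)] <= ceiling]
```

Calling `check()` before a document is registered turns paragraph 9 into an enforced invariant, and `extract()` shows why paragraph 8 asks for parts with different levels to be separable: a RESTREINT UE/EU RESTRICTED extract can be produced mechanically from a CONFIDENTIEL UE/EU CONFIDENTIAL document when its parts are individually marked.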

Creation of EUCI

16.

When creating an EU classified document:

(a)

each page shall be marked clearly with the classification level;

(b)

each page shall be numbered;

(c)

the document shall bear a reference number and a subject, which is not itself classified information, unless it is marked as such;

(d)

the document shall be dated;

(e)

documents classified CONFIDENTIEL UE/EU CONFIDENTIAL or above shall bear a copy number on every page, if they are to be distributed in several copies.

17.

Where it is not possible to apply paragraph 16 to EUCI, other appropriate measures shall be taken in accordance with security guidelines to be established pursuant to this Decision.

Downgrading and declassification of EUCI

18.

At the time of its creation, the originator shall indicate, where possible, and in particular for information classified RESTREINT UE/EU RESTRICTED, whether EUCI can be downgraded or declassified on a given date or following a specific event.

19.

The EEAS shall regularly review EUCI held by it to ascertain whether the classification level still applies. The EEAS shall establish a system to review the classification level of registered EUCI that it has originated no less frequently than every five years. Such a review shall not be necessary where the originator has indicated from the outset a specific time when the information will automatically be downgraded or declassified and the information has been marked accordingly.

III.   REGISTRATION OF EUCI FOR SECURITY PURPOSES

20.

A central registry shall be established in Headquarters. For every organisational entity within the EEAS in which EUCI is handled, a responsible registry shall be established, subordinated to the central registry, to ensure that EUCI is handled in accordance with this Decision. Registries shall be established as Secured Areas as defined in Annex A.

Each Union Delegation establishes its own EUCI registry.

The EEAS Security Authority shall designate a Chief Registry Officer for these registries.

21.

For the purposes of this Decision, registration for security purposes (hereinafter referred to as ‘registration’) means the application of procedures that record the life-cycle of information, including its dissemination and destruction. In the case of a CIS, registration procedures may be performed by processes within the CIS itself.

22.

All material classified CONFIDENTIEL UE/EU CONFIDENTIAL and above shall be registered when it arrives at or leaves an organisational entity, including Union Delegations. Information classified TRES SECRET UE/EU TOP SECRET shall be registered in designated registries.

23.

The Central Registry shall be, in EEAS Headquarters, the main point of entry and exit for classified information exchanges with third States and international organisations. It shall keep a record of all these exchanges.

24.

The EEAS Security Authority shall approve security Guidelines on the registration of EUCI for security purposes, in accordance with Article 14 of this Decision.

TRES SECRET UE/EU TOP SECRET registries

25.

The Central Registry shall be designated in the EEAS Headquarters to act as the central receiving and dispatching authority for information classified TRES SECRET UE/EU TOP SECRET. Where necessary, subordinate registries may be designated to handle such information for registration purposes.

26.

Such subordinate registries may not transmit TRES SECRET UE/EU TOP SECRET documents directly to other subordinate registries of the same central TRES SECRET UE/EU TOP SECRET registry or externally without the express written approval of the latter.

IV.   COPYING AND TRANSLATING EU CLASSIFIED DOCUMENTS

27.

TRES SECRET UE/EU TOP SECRET documents shall not be copied or translated without the prior written consent of the originator.

28.

Where the originator of documents classified SECRET UE/EU SECRET and below has not imposed caveats on their copying or translation, such documents may be copied or translated on instruction from the holder.

29.

The security measures applicable to the original document shall apply to copies and translations thereof. The copies of CONFIDENTIEL UE/EU CONFIDENTIAL or above shall be created only by a relevant (sub) registry with a secured copy-machine. The copies must be registered.

V.   CARRIAGE OF EUCI

30.

Carriage of EUCI shall be subject to the protective measures set out in paragraphs 32 to 42. When EUCI is carried on electronic media, and notwithstanding Article 7(4) of Annex A, the protective measures set out below may be supplemented by appropriate technical countermeasures prescribed by the EEAS Security Authority, so as to minimise the risk of loss or compromise.

31.

The EEAS Security Authority shall issue instructions on the carriage of EUCI in accordance with this Decision.

Within a building or self-contained group of buildings

32.

EUCI carried within a building or self-contained group of buildings shall be covered in order to prevent observation of its contents.

33.

Within a building or self-contained group of buildings, information classified TRES SECRET UE/EU TOP SECRET shall be carried by appropriately security cleared individuals, in a secured envelope bearing only the addressee’s name.

Within the EU

34.

EUCI carried between buildings or premises within the EU shall be packaged so that it is protected from unauthorised disclosure.

35.

The carriage of information classified up to SECRET UE/EU SECRET within the EU shall be by one of the following means:

(a)

military, government or diplomatic courier, as appropriate;

(b)

hand carriage, provided that:

(i)

EUCI does not leave the possession of the bearer, unless it is stored in accordance with the requirements set out in Annex A II;

(ii)

EUCI is not opened en route or read in public places;

(iii)

individuals are security cleared to the appropriate level and briefed on their security responsibilities;

(iv)

individuals are provided with a courier certificate where necessary;

(c)

postal services or commercial courier services, provided that:

(i)

they are approved by the relevant NSA in accordance with national laws and regulations;

(ii)

they apply appropriate protective measures in accordance with minimum requirements to be laid down in security guidelines pursuant to Article 21(1) of this Decision.

In the case of carriage from one Member State to another, the provisions of point (c) shall be limited to information classified up to CONFIDENTIEL UE/EU CONFIDENTIAL.

36.

Material classified CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET (e.g. equipment or machinery) which cannot be carried by the means referred to in paragraph 34 shall be transported as freight by commercial carrier companies in accordance with Annex A V.

37.

The carriage of information classified TRES SECRET UE/EU TOP SECRET between buildings or premises within the EU shall be by military, government or diplomatic courier, as appropriate.

From within the EU to the territory of a third State, or between EU entities in third States

38.

EUCI carried from within the EU to the territory of a third State, or between EU entities in third States, shall be packaged in such a way that it is protected from unauthorised disclosure.

39.

The carriage of information classified CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET from within the EU to the territory of a third State, and the carriage of any EUCI classified up to SECRET UE/EU SECRET between EU entities in third States, shall be by one of the following means:

(a)

military or diplomatic courier;

(b)

hand carriage, provided that:

(i)

the package bears an official seal, or is packaged so as to indicate that it is an official consignment and should not undergo customs or security scrutiny;

(ii)

individuals carry a courier certificate identifying the package and authorising them to carry the package;

(iii)

EUCI does not leave the possession of the bearer, unless it is stored in accordance with the requirements set out in Annex A II;

(iv)

EUCI is not opened en route or read in public places; and

(v)

individuals are security cleared to the appropriate level and briefed on their security responsibilities.

40.

The carriage of information classified CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET released by the EU to a third State or international organisation shall comply with the relevant provisions under a security of information Agreement or an administrative arrangement in accordance with Article 10(2) of Annex A.

41.

Information classified RESTREINT UE/EU RESTRICTED may also be carried from within the EU to the territory of a third State by postal services or commercial courier services.

42.

The carriage of information classified TRES SECRET UE/EU TOP SECRET from within the EU to the territory of a third State, or between EU entities in third States, shall be by military or diplomatic courier.

VI.   DESTRUCTION OF EUCI

43.

EU classified documents that are no longer required may be destroyed, without prejudice to the relevant rules and regulations on archiving.

44.

Documents subject to registration in accordance with Article 7(2) of Annex A shall be destroyed by the responsible registry on instruction from the holder or from a competent authority. The logbooks and other registration information shall be updated accordingly.

45.

For documents classified SECRET UE/EU SECRET or TRES SECRET UE/EU TOP SECRET, destruction shall be performed in the presence of a witness who shall be cleared to at least the classification level of the document being destroyed.

46.

The registrar and the witness, where the presence of the latter is required, shall sign a destruction certificate, which shall be filed in the registry. The registry shall keep destruction certificates of TRES SECRET UE/EU TOP SECRET documents for a period of at least ten years and of documents classified CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET for a period of at least five years.

47.

Classified documents, including those classified RESTREINT UE/EU RESTRICTED, shall be destroyed by methods which meet relevant EU or equivalent standards or which have been approved by Member States in accordance with national technical standards so as to prevent reconstruction in whole or in part.

48.

The destruction of computer storage media used for EUCI shall be in accordance with procedures approved by the EEAS Security Authority.

VII.   SECURITY INSPECTIONS

EEAS security inspections

49.

In accordance with Article 16 of this Decision, the EEAS security inspections encompass:

(a)

general security inspections, whose aim shall be to assess the general security level of the EEAS Headquarters, Union Delegations and all dependent or related premises, especially in order to evaluate the effectiveness of security measures implemented for protecting the EEAS security interests;

(b)

EUCI security inspections, whose aim shall be to evaluate, generally in view of an accreditation, the effectiveness of measures implemented for protecting EUCI in EEAS Headquarters and Union Delegations.

In particular, such inspections shall be carried out, inter alia, to:

(i)

ensure that the required minimum standards for protecting EUCI laid down in this Decision are respected;

(ii)

emphasise the importance of security and effective risk management within the entities inspected;

(iii)

recommend countermeasures to mitigate the specific impact of loss of confidentiality, integrity or availability of classified information; and

(iv)

reinforce security authorities' ongoing security education and awareness programmes.

Conduct of and reporting on EEAS security inspections

50.

EEAS Security inspections shall be conducted by an inspection team of the Directorate responsible for HQ security and EEAS information security and, when necessary, with the support of security experts of other EU Institutions or Member States.

The inspection team shall have access to any location where EUCI is handled, in particular registries and CIS points of presence.

51.

EEAS Security inspections in Union Delegations shall be conducted in coordination with the Directorate responsible for the Crisis Response Centre and, whenever necessary, with the support of the Security Officers of the Member States’ embassies located in the third countries.

52.

Before the end of each calendar year, the EEAS Security Authority shall adopt a security inspection programme for the EEAS for the following year.

53.

Whenever necessary, security inspections that are not foreseen in the programme above can be arranged by the EEAS Security Authority.

54.

At the end of the security inspection, the main conclusions and recommendations shall be presented to the inspected entity. Thereafter, a report on the inspection shall be drawn up by the inspection team. Where corrective actions and recommendations have been proposed, sufficient details shall be included in the report to support the conclusions reached. The report shall be forwarded to the EEAS Security Authority, the Director for the Crisis Response Centre, with regard to security inspections in Union Delegations, and to the Head of the inspected entity.

A regular report shall be prepared under the responsibility of the Directorate responsible for HQ security and EEAS information security to highlight the lessons learned from the inspections conducted over a specified period and examined by the EEAS Security Committee.

Conduct of and reporting on security inspections in EU agencies and bodies established under Title V, Chapter 2 of the TEU

55.

The Directorate responsible for HQ security and EEAS information security may, where appropriate, designate contributing experts to participate in joint EU inspection teams carrying out inspections in EU agencies and bodies established under Title V, Chapter 2 of the TEU.

EEAS security inspections checklist

56.

The Directorate responsible for HQ security and EEAS information security shall draw up and update a security inspection checklist of items to be verified in the course of an EEAS security inspection. This checklist shall be forwarded to the EEAS Security Committee.

57.

The information to complete the checklist shall be obtained in particular during the inspection from the security management of the entity being inspected. Once completed with the detailed responses, the checklist shall be classified by agreement with the inspected entity. It shall not form part of the inspection report.

ANNEX A IV

PROTECTION OF EUCI HANDLED IN CIS

I.   INTRODUCTION

1.

This Annex sets out provisions for implementing Article 8 of Annex A.

2.

The following Information Assurance (IA) properties and concepts are essential for the security and correct functioning of operations on Communication and Information Systems (CIS):

Authenticity:

the guarantee that information is genuine and from bona fide sources;

Availability:

the property of being accessible and usable upon request by an authorised entity;

Confidentiality:

the property that information is not disclosed to unauthorised individuals, entities or processes;

Integrity:

the property of safeguarding the accuracy and completeness of information and assets;

Non-repudiation:

the ability to prove an action or event has taken place, so that this event or action cannot subsequently be denied.

II.   INFORMATION ASSURANCE PRINCIPLES

3.

The provisions set out below shall form the baseline for the security of any CIS handling EUCI. Detailed requirements for implementing these provisions shall be defined in IA security Guidelines.

Security risk management

4.

Security risk management shall be an integral part of defining, developing, operating and maintaining CIS. Risk management (assessment, treatment, acceptance and communication) shall be conducted as an iterative process jointly by representatives of the system owners, project authorities, operating authorities and security approval authorities, using a proven, transparent and fully understandable risk assessment process. The scope of the CIS and its assets shall be clearly defined at the outset of the risk management process.

5.

The EEAS competent authorities shall review the potential threats to CIS and shall maintain up-to-date and accurate threat assessments which reflect the current operational environment. They shall constantly update their knowledge of vulnerability issues and periodically review the vulnerability assessment to keep up with the changing information technology (IT) environment.

6.

The aim of security risk management shall be to apply a set of security measures which results in a satisfactory balance between user requirements and residual security risk.

7.

The specific requirements, scale and the degree of detail determined by the relevant Security Accreditation Authority (SAA) for accrediting a CIS shall be commensurate with the assessed risk, taking account of all relevant factors, including the classification level of the EUCI handled in the CIS. Accreditation shall include a formal residual risk statement and acceptance of the residual risk by a responsible authority.

Security throughout the CIS life-cycle

8.

Ensuring security shall be a requirement throughout the entire CIS life-cycle from initiation to withdrawal from service.

9.

The role and interaction of each actor involved in a CIS with regard to its security shall be identified for each phase of the life-cycle.

10.

Any CIS, including its technical and non-technical security measures, shall be subject to security testing during the accreditation process to ensure that the appropriate level of assurance of the implemented security measures is obtained and to verify that they are correctly implemented, integrated and configured.

11.

Security assessments, inspections and reviews shall be performed periodically during the operation and maintenance of a CIS and when exceptional circumstances arise.

12.

Security documentation for a CIS shall evolve over its life-cycle as an integral part of the process of change and configuration management.

Best practice

13.

The EEAS shall cooperate with GSC, Commission and Member States to develop best practice for protecting EUCI handled on CIS. Best practice guidelines shall set out technical, physical, organisational and procedural security measures for CIS with proven effectiveness in countering given threats and vulnerabilities.

14.

The protection of EUCI handled on CIS shall draw on lessons learned by entities involved in IA within and outside the EU.

15.

The dissemination and subsequent implementation of best practice shall help achieve an equivalent level of assurance for the various CIS operated by the EEAS which handle EUCI.

Defence in depth

16.

To mitigate risk to CIS, a range of technical and non-technical security measures, organised as multiple layers of defence, shall be implemented. These layers shall include:

(a)

Deterrence: security measures aimed at dissuading any adversary planning to attack the CIS;

(b)

Prevention: security measures aimed at impeding or blocking an attack on the CIS;

(c)

Detection: security measures aimed at discovering the occurrence of an attack on the CIS;

(d)

Resilience: security measures aimed at limiting impact of an attack to a minimum set of information or CIS assets and preventing further damage; and

(e)

Recovery: security measures aimed at regaining a secure situation for the CIS.

The degree of stringency and applicability of such security measures shall be determined following a risk assessment.

17.

The EEAS competent authorities shall ensure that they can respond to incidents which may transcend organisational and national boundaries, coordinating responses and sharing information about these incidents and the related risk (computer emergency response capabilities).

Principle of minimality and least privilege

18.

Only the functionalities, devices and services to meet operational requirements shall be implemented in order to avoid unnecessary risk.

19.

CIS users and automated processes shall be given only the access, privileges or authorisations they require to perform their tasks in order to limit any damage resulting from accidents, errors, or unauthorised use of CIS resources.

20.

Registration procedures performed by a CIS, where required, shall be verified as part of the accreditation process.

Information Assurance awareness

21.

Awareness of the risks and available security measures is the first line of defence for the security of CIS. In particular, all personnel involved in the life-cycle of CIS, including users, shall understand:

(a)

that security failures may significantly harm the CIS and the whole organisation;

(b)

the potential harm to others which may arise from interconnectivity and interdependency; and

(c)

their individual responsibility and accountability for the security of CIS according to their roles within the systems and processes.

22.

To ensure that security responsibilities are understood, IA education and awareness training shall be mandatory for all personnel involved, including senior management and CIS users.

Evaluation and approval of IT-security products

23.

The required degree of confidence in the security measures, defined as a level of assurance, shall be determined following the outcome of the risk management process and in line with the relevant security policies and security guidelines.

24.

The level of assurance shall be verified by using internationally recognised or nationally approved processes and methodologies. This includes primarily evaluation, controls and auditing.

25.

Cryptographic products for protecting EUCI shall be evaluated and approved by a national Crypto Approval Authority (CAA) of a Member State.

26.

Prior to being recommended for approval by the EEAS CAA in accordance with Article 8(5) of this Decision, such cryptographic products shall have undergone a successful second party evaluation by an Appropriately Qualified Authority (AQUA) of a Member State not involved in the design or manufacture of the equipment. The degree of detail required in a second party evaluation shall depend on the envisaged maximum classification level of EUCI to be protected by these products.

27.

Where warranted on specific operational grounds, the EEAS CAA may, upon recommendation by the Council Security Committee, waive the requirements under paragraphs 25 or 26 and grant an interim approval for a specific period in accordance with Article 8(5) of this Decision.

28.

An AQUA shall be a CAA of a Member State that has been accredited on the basis of criteria laid down by the Council to undertake the second evaluation of cryptographic products for protecting EUCI.

29.

The High Representative shall approve a security policy on the qualifications and approval of non-cryptographic IT security products.

Transmission within Secured Areas

30.

Notwithstanding the provisions of this Decision, when transmission of EUCI is confined within Secured Areas or Administrative Areas, unencrypted distribution or encryption at a lower level may be used based on the outcome of a risk management process and subject to the approval of the SAA.

Secure interconnection of CIS

31.

For the purposes of this Decision, an interconnection shall mean the direct connection of two or more IT systems for the purpose of sharing data and other information resources (e.g. communication) in a unidirectional or multidirectional way.

32.

A CIS shall treat any interconnected IT system as untrusted and shall implement protective measures to control the exchange of classified information.

33.

For all interconnections of CIS with another IT system the following basic requirements shall be met:

(a)

business or operational requirements for such interconnections shall be stated and approved by the competent authorities;

(b)

the interconnection shall undergo a risk management and accreditation process and shall require the approval of the competent SAAs; and

(c)

Boundary Protection Services (BPS) shall be implemented at the perimeter of all CIS.

34.

There shall be no interconnection between an accredited CIS and an unprotected or public network, except where the CIS has approved BPS installed for such a purpose between the CIS and the unprotected or public network. The security measures for such interconnections shall be reviewed by the competent Information Assurance Authority (IAA) and approved by the competent SAA.

When the unprotected or public network is used solely as a carrier and the data is encrypted by a cryptographic product approved in accordance with Article 8(5) of this Decision, such a connection shall not be deemed to be an interconnection.

35.

The direct or cascaded interconnection of a CIS accredited to handle TRES SECRET UE/EU TOP SECRET to an unprotected or public network shall be prohibited.

Computer storage media

36.

Computer storage media shall be destroyed in accordance with procedures approved by the EEAS Security Authority.

37.

Computer storage media shall be reused, downgraded or declassified in accordance with EEAS Guidelines on downgrading and declassifying EUCI established pursuant to Article 8(2) of this Decision.

Emergency circumstances

38.

Notwithstanding the provisions of this Decision, the specific procedures described below may be applied for a limited period of time in an emergency, such as during impending or actual crisis, conflict, war situations or in exceptional operational circumstances.

39.

EUCI may be transmitted using cryptographic products which have been approved for a lower classification level or without encryption with the consent of the competent authority if any delay would cause harm clearly outweighing the harm entailed by any disclosure of the classified material and if:

(a)

the sender and recipient do not have the required encryption facility or have no encryption facility; and

(b)

the classified material cannot be conveyed in time by other means.

40.

Classified information transmitted under the circumstances set out in paragraph 39 shall not bear any markings or indications distinguishing it from information which is unclassified or which can be protected by an available cryptographic product. Recipients shall be notified of the classification level, without delay, by other means.

41.

Should recourse be made to paragraph 39, a subsequent report shall be made to the Directorate responsible for HQ security and EEAS information security and, by it, to the EEAS Security Committee. This report will at least state the sender, the recipient and the originator of each piece of EUCI.

III.   INFORMATION ASSURANCE FUNCTIONS AND AUTHORITIES

42.

The following IA functions shall be established in the EEAS. These functions do not require single organisational entities. They shall have separate mandates. However, these functions, and their accompanying responsibilities, may be combined or integrated in the same organisational entity or split into different organisational entities, provided that internal conflicts of interests or tasks are avoided.

Information Assurance Authority (IAA)

43.

The IAA shall be responsible for:

(a)

developing IA security Guidelines and monitoring their effectiveness and relevance;

(b)

safeguarding and administering technical information related to cryptographic products;

(c)

ensuring that IA measures selected for protecting EUCI comply with the relevant Guidelines governing their eligibility and selection;

(d)

ensuring that cryptographic products are selected in compliance with Guidelines governing their eligibility and selection;

(e)

coordinating training and awareness on IA;

(f)

consulting with the system provider, the security actors and representatives of users in respect of IA security guidelines; and

(g)

ensuring appropriate expertise is available in the expert sub-area of the EEAS Security Committee for IA issues.

TEMPEST Authority

44.

The TEMPEST Authority (TA) shall be responsible for ensuring compliance of CIS with TEMPEST policies and guidelines. It shall approve TEMPEST countermeasures for installations and products to protect EUCI to a defined level of classification in its operational environment.

Crypto Approval Authority (CAA)

45.

The CAA shall be responsible for ensuring that cryptographic products comply with respective cryptographic Guidelines. It shall approve a cryptographic product to protect EUCI to a defined level of classification in its operational environment.

Crypto Distribution Authority (CDA)

46.

The CDA shall be responsible for:

(a)

managing and accounting for EU crypto material;

(b)

ensuring that appropriate procedures are enforced and channels established for accounting, secure handling, storage and distribution of all EU crypto material; and

(c)

ensuring the transfer of EU crypto material to or from individuals or services using it.

Security Accreditation Authority (SAA)

47.

The SAA for each system shall be responsible for:

(a)

ensuring that CIS comply with the relevant security Guidelines, providing a statement of approval for CIS to handle EUCI to a defined level of classification in its operational environment, stating the terms and conditions of the accreditation, and criteria under which re-approval is required;

(b)

establishing a security accreditation process, in accordance with the relevant Guidelines, clearly stating the approval conditions for CIS under its authority;

(c)

defining a security accreditation strategy setting out the degree of detail for the accreditation process commensurate with the required level of assurance;

(d)

examining and approving security-related documentation, including risk management and residual risk statements, System-specific Security Requirement Statements (hereinafter referred to as ‘SSRSs’), security implementation verification documentation and Security Operating Procedures (hereinafter referred to as ‘SecOPs’), and ensuring that it complies with the EEAS's security rules and Guidelines;

(e)

checking implementation of security measures in relation to the CIS by undertaking or sponsoring security assessments, inspections or reviews;

(f)

defining security requirements (e.g. personnel security clearance levels) for sensitive positions in relation to the CIS;

(g)

endorsing the selection of approved cryptographic and TEMPEST products used to provide security for a CIS;

(h)

approving, or where relevant, participating in the joint approval of the interconnection of a CIS to other CIS; and

(i)

consulting the system provider, the security actors and representatives of the users with respect to security risk management, in particular the residual risk, and the terms and conditions of the approval statement.

48.

The EEAS SAA shall be responsible for accrediting all CIS operating within the remit of the EEAS.

Security Accreditation Board (SAB)

49.

A joint SAB shall be responsible for accrediting CIS within the remit of both the EEAS SAA and Member States’ SAAs. It shall be composed of an SAA representative from each Member State and be attended by an SAA representative of the GSC and Commission. Other entities with nodes on a CIS shall be invited to attend when that system is under discussion.

The SAB shall be chaired by a representative of the EEAS SAA. It shall act by consensus of SAA representatives of institutions, Member States and other entities with nodes on the CIS. It shall make periodic reports on its activities to the EEAS Security Committee and shall notify it of all accreditation statements.

Information Assurance Operational Authority

50.

The IA Operational Authority for each system shall be responsible for:

(a)

developing security documentation in line with security Guidelines, in particular the System-specific Security Requirement Statement (SSRS) including the residual risk statement, the Security Operating Procedures (SecOPs) and the crypto plan within the CIS accreditation process;

(b)

participating in selecting and testing the system-specific technical security measures, devices and software, to supervise their implementation and to ensure that they are securely installed, configured and maintained in accordance with the relevant security documentation;

(c)

participating in selecting TEMPEST security measures and devices if required in the SSRS and ensuring that they are securely installed and maintained in cooperation with the TA;

(d)

monitoring implementation and application of the SecOPs and, where appropriate, delegating operational security responsibilities to the system owner;

(e)

managing and handling cryptographic products, ensuring the custody of crypto and controlled items and, if so required, ensuring the generation of cryptographic variables;

(f)

conducting security analysis reviews and tests, in particular to produce the relevant risk reports, as required by the SAA;

(g)

providing CIS-specific IA training;

(h)

implementing and operating CIS-specific security measures.


ANNEX A V

INDUSTRIAL SECURITY

I.   INTRODUCTION

1.

This Annex sets out provisions for implementing Article 9 of Annex A. It lays down general security provisions applicable to industrial or other entities in pre-contract negotiations and throughout the life-cycle of classified contracts let by the EEAS.

2.

The EEAS Security Authority shall approve Guidelines on industrial security outlining in particular detailed requirements regarding Facility Security Clearances (FSCs), Security Aspects Letters (SALs), visits, transmission and carriage of EUCI.

II.   SECURITY ELEMENTS IN A CLASSIFIED CONTRACT

Security classification guide (SCG)

3.

Prior to launching an invitation to tender or letting a classified contract, the EEAS, as the contracting authority, shall determine the security classification of any information to be provided to bidders and contractors, as well as the security classification of any information to be created by the contractor. For that purpose, the EEAS shall prepare a SCG to be used for the performance of the contract.

4.

In order to determine the security classification of the various elements of a classified contract, the following principles shall apply:

(a)

in preparing an SCG, the EEAS shall take into account all relevant security aspects, including the security classification assigned to information provided and approved to be used for the contract by the originator of the information;

(b)

the overall level of classification of the contract may not be lower than the highest classification of any of its elements; and

(c)

where relevant, the EEAS shall liaise with the Member States' NSAs/DSAs or any other competent security authority concerned in the event of any changes regarding the classification of information created by or provided to contractors in the performance of a contract and when making any subsequent changes to the SCG.

Security aspects letter (SAL)

5.

The contract-specific security requirements shall be described in an SAL. The SAL shall, where appropriate, contain the SCG and shall be an integral part of a classified contract or sub-contract.

6.

The SAL shall contain provisions requiring the contractor and/or subcontractor to comply with the minimum standards laid down in this Decision. Non-compliance with these minimum standards may constitute sufficient grounds for the contract to be terminated.

Programme/project security instructions (PSI)

7.

Depending on the scope of programmes or projects involving access to or handling or storage of EUCI, specific Programme/Project Security Instructions (PSI) may be prepared by the contracting authority designated to manage the programme or project. The PSI shall require the approval of the Member States’ NSAs/DSAs or any other competent security authority participating in the programme/project and may contain additional security requirements.

III.   FACILITY SECURITY CLEARANCE (FSC)

8.

The Directorate responsible for HQ security and EEAS information security shall request the NSA or DSA or other competent security authority of the Member State concerned to grant an FSC to indicate, in accordance with national laws and regulations, that an industrial or other entity can protect EUCI at the appropriate classification level (CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET) within its facilities. A contractor, subcontractor, or potential contractor or subcontractor shall not be provided with or granted access to EUCI, until proof of FSC has been transmitted to the EEAS.

9.

Where relevant, the EEAS, as the contracting authority, shall notify the appropriate NSA/DSA or any other competent security authority that an FSC is required in the pre-contractual stage or for performing the contract. An FSC or PSC shall be required in the pre-contractual stage where EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET has to be provided in the course of the bidding process.

10.

The EEAS as contracting authority shall not award a classified contract with a preferred bidder before having received confirmation from the NSA/DSA or any other competent security authority of the Member State in which the contractor or subcontractor concerned is registered that, where required, an appropriate FSC has been issued.

11.

The EEAS as contracting authority shall request the NSA/DSA or any other competent security authority which has issued an FSC to notify it of any adverse information affecting the FSC. In the case of a sub-contract, the NSA/DSA or any other competent security authority shall be informed accordingly.

12.

Withdrawal of an FSC by the relevant NSA/DSA or any other competent security authority shall constitute sufficient grounds for the EEAS, as the contracting authority, to terminate a classified contract or exclude a bidder from the competition.

IV.   Personnel Security Clearances (PSCs) for Contractors’ personnel

13.

All personnel working for contractors requiring access to EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or above shall have been appropriately security cleared and have a need-to-know to access the information. Although a PSC is not required for access to EUCI at the level of RESTREINT UE/EU RESTRICTED, the need-to-know for such access shall exist.

14.

Applications for the PSCs for contractor personnel shall be made to the NSA/DSA responsible for the entity.

15.

The EEAS shall point out to contractors wishing to employ a national of a third State in a position that requires access to EUCI, that it is the responsibility of the NSA/DSA of the Member State in which the hiring entity is located and incorporated to determine whether the individual can be granted access to such information, in accordance with this Decision, and to confirm that the originator’s consent must have been provided before such access is given.

V.   CLASSIFIED CONTRACTS AND SUB-CONTRACTS

16.

Where EUCI is provided to a bidder at the pre-contractual stage, the invitation to tender shall contain a provision obliging a bidder which fails to submit a bid or which is not selected to return all classified documents within a specified period of time.

17.

Once a classified contract or sub-contract has been awarded, the EEAS, as the contracting authority, shall notify the contractor’s or subcontractor’s NSA/DSA or any other competent security authority about the security provisions of the classified contract.

18.

When such contracts are terminated or they end, the EEAS, as the contracting authority (and/or the NSA/DSA or any other competent security authority, as appropriate, in the case of a sub-contract) shall promptly notify the NSA/DSA or any other competent security authority of the Member State in which the contractor or subcontractor is registered.

19.

As a general rule, the contractor or subcontractor shall be required to return to the contracting authority, upon termination or ending of the classified contract or sub-contract, any EUCI held by it.

20.

Specific provisions for the disposal of EUCI during the performance of the contract or upon its termination or ending shall be laid down in the SAL.

21.

Where the contractor or subcontractor is authorised to retain EUCI after termination or ending of a contract, the minimum standards contained in this Decision shall continue to be complied with and the confidentiality of EUCI shall be protected by the contractor or subcontractor.

22.

The conditions under which the contractor may subcontract shall be defined in the invitation to tender and in the contract.

23.

A contractor shall obtain permission from the EEAS, as the contracting authority, before sub-contracting any parts of a classified contract. No subcontract may be awarded to industrial or other entities registered in a non-EU Member State which has not concluded a security of information Agreement with the EU.

24.

The contractor shall be responsible for ensuring that all sub-contracting activities are undertaken in accordance with the minimum standards laid down in this Decision and shall not provide EUCI to a subcontractor without the prior written consent of the contracting authority.

25.

With regard to EUCI created or handled by the contractor or subcontractor, the rights incumbent on the originator shall be exercised by the contracting authority.

VI.   VISITS IN CONNECTION WITH CLASSIFIED CONTRACTS

26.

Where the EEAS, contractors or subcontractors require access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET in each other’s premises for the performance of a classified contract, visits shall be arranged by liaison with the NSAs/DSAs or any other competent security authority concerned. This is without prejudice to the prerogative of the NSAs/DSAs, in the context of specific projects, to agree on a procedure whereby such visits can be arranged directly.

27.

All visitors shall hold an appropriate PSC and have a ‘need-to-know’ for access to the EUCI related to the EEAS contract.

28.

Visitors shall be given access only to EUCI related to the purpose of the visit.

VII.   TRANSMISSION AND CARRIAGE OF EUCI

29.

With regard to the transmission of EUCI by electronic means, the relevant provisions of Article 8 of Annex A, and of Annex A IV shall apply.

30.

With regard to the carriage of EUCI, the relevant provisions of Annex A III shall apply, in accordance with national laws and regulations.

31.

For the transport of classified material as freight, the following principles shall be applied when determining security arrangements:

(a)

security shall be assured at all stages during transportation from the point of origin to the final destination;

(b)

the degree of protection afforded to a consignment shall be determined by the highest classification level of material contained within it;

(c)

an FSC at the appropriate level shall be obtained for companies providing transportation where the transport also involves storage of classified information in the contractor's facilities. In any case, personnel handling the consignment shall be appropriately security cleared in accordance with Annex A I;

(d)

prior to any cross-border movement of material classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET, a transportation plan shall be drawn up by the consignor and approved by the EEAS when appropriate in liaison with the NSA/DSAs of both the consignor and the consignee or any other competent security authority concerned;

(e)

journeys shall be point to point to the extent possible, and shall be completed as quickly as circumstances permit;

(f)

whenever possible, routes should be only through Member States. Routes through States other than Member States should only be undertaken when authorised by the EEAS or any other competent security authority of the States of both the consignor and the consignee.

VIII.   TRANSFER OF EUCI TO CONTRACTORS LOCATED IN THIRD STATES

32.

EUCI shall be transferred to contractors and subcontractors located in third States that have a valid security agreement with the EU in accordance with security measures agreed between the EEAS, as the contracting authority, and the NSA/DSA of the third State concerned where the contractor is registered.

IX.   HANDLING AND STORAGE OF INFORMATION CLASSIFIED RESTREINT UE/EU RESTRICTED

33.

In liaison, as appropriate, with the NSA/DSA of the Member State, the EEAS, as the contracting authority, shall be entitled to conduct visits to contractors’/subcontractors’ facilities on the basis of contractual provisions in order to verify that the relevant security measures for the protection of EUCI at the level RESTREINT UE/EU RESTRICTED as required under the contract have been put in place.

34.

To the extent necessary under national laws and regulations, NSAs/DSAs or any other competent security authority shall be notified by the EEAS as the contracting authority of contracts or sub-contracts containing information classified RESTREINT UE/EU RESTRICTED.

35.

An FSC or a PSC for contractors or subcontractors and their personnel shall not be required for contracts let by the EEAS containing information classified RESTREINT UE/EU RESTRICTED.

36.

The EEAS, as the contracting authority, shall examine the responses to invitations to tender for contracts which require access to information classified RESTREINT UE/EU RESTRICTED, notwithstanding any requirement relating to FSC or PSC which may exist under national laws and regulations.

37.

The conditions under which the contractor may subcontract shall be in accordance with paragraphs 22-24.

38.

Where a contract involves handling information classified RESTREINT UE/EU RESTRICTED in a CIS operated by a contractor, the EEAS as contracting authority shall ensure that the contract or any sub-contract specifies the necessary technical and administrative requirements regarding accreditation of the CIS commensurate with the assessed risk, taking account of all relevant factors. The scope of accreditation of such CIS shall be agreed between the contracting authority and the relevant NSA/DSA.

ANNEX A VI

EXCHANGE OF CLASSIFIED INFORMATION WITH THIRD STATES AND INTERNATIONAL ORGANISATIONS

I.   INTRODUCTION

1.

This Annex sets out provisions for implementing Article 10 of Annex A.

II.   FRAMEWORKS GOVERNING THE EXCHANGE OF CLASSIFIED INFORMATION

2.

The EEAS may exchange EUCI with third States or international organisations in accordance with Article 10(1) of Annex A.

To support the HR in performing the responsibilities set out in Article 218 TFEU:

(a)

the relevant EEAS geographical or thematic department, in consultation with the Directorate responsible for HQ security and EEAS information security, shall, when appropriate, identify the need for a long term exchange of EUCI with the third State or international organisation concerned;

(b)

the Directorate responsible for HQ security and EEAS information security, in consultation with the relevant EEAS geographical department, shall, where appropriate, submit to the HR the draft texts to be proposed to the Council by virtue of Article 218(3), (5) and (6) of TFEU;

(c)

the Directorate responsible for HQ security and EEAS information security shall support the HR in conducting negotiations;

(d)

in relation to Agreements or Arrangements with third States for their participation in CSDP crisis management operations as referred to in Article 10(1)(c) of Annex A, the EEAS shall assist the HR for the proposals to be submitted to the Council in accordance with Article 218(3), (5) and (6) of TFEU, and shall support the HR in conducting negotiations.

3.

Where Security of Information Agreements provide for technical Implementing Arrangements to be agreed between the Directorate responsible for HQ security and EEAS information security and the competent security authority of the third State or international organisation in question, such arrangements shall take account of the level of protection provided by the security regulations, structures and procedures in place in the third State or international organisation concerned. The Directorate responsible for HQ security and EEAS information security shall coordinate with the Security Directorate of the Directorate General for Human Resources and Security of the Commission and the Security Office of the General Secretariat of the Council with respect to such arrangements.

4.

Where a long-term need exists for the EEAS to exchange information classified in principle no higher than RESTREINT UE/EU RESTRICTED with a third State or international organisation, and where it has been established that the party in question does not have a sufficiently developed security system for it to be possible to enter into a security of information agreement, the HR may, after having obtained the unanimous favourable opinion of the EEAS Security Committee in accordance with Article 15(5) of this Decision, enter into an Administrative Arrangement with the competent security authorities of the third State or international organisation in question.

5.

No EUCI shall be exchanged by electronic means with a third State or international organisation unless explicitly provided for in the Security of Information Agreement or Administrative Arrangement.

6.

Under an Administrative Arrangement on the exchange of classified information, the EEAS and the third State or international organisation shall each designate a registry as the main point of entry and exit for classified information exchanged. For the EEAS, this will be the EEAS central registry.

7.

Administrative Arrangements shall as a general rule take the form of an exchange of letters.

III.   ASSESSMENT VISITS

8.

Assessment visits referred to in Article 17 of this Decision shall be conducted by mutual agreement with the third State or international organisation concerned, and shall evaluate:

(a)

the regulatory framework applicable for protecting classified information;

(b)

any specific features of the third State or international organisation's security laws, regulations, policies or procedures which may have an impact on the maximum level of classified information that may be exchanged;

(c)

the security measures and procedures currently in place for the protection of classified information; and

(d)

security clearance procedures for the level of EUCI to be released.

9.

No EUCI shall be exchanged before an assessment visit has been conducted and the level at which classified information may be exchanged between the parties has been determined, based on the equivalency of the level of protection that will be afforded to it.

If, pending such an assessment visit, the HR is made aware of any exceptional or urgent reasons for exchanging classified information, the EEAS Security Authority:

(a)

shall first seek the originator's written consent to establish that there are no objections to release; and

(b)

may decide to release, provided that the unanimous favourable opinion of the Member States as represented in the EEAS Security Committee has been obtained.

If the EEAS cannot establish the originator, the EEAS Security Authority shall assume the originator's responsibility after having obtained the unanimous favourable opinion of the EEAS Security Committee.

IV.   AUTHORITY TO RELEASE EUCI TO THIRD STATES OR INTERNATIONAL ORGANISATIONS

10.

Where a framework exists in accordance with Article 10(1) of Annex A for exchanging classified information with a third State or international organisation, the decision to release EUCI by the EEAS to a third State or international organisation shall be taken by the EEAS Security Authority.

11.

If the originator of the classified information to be released, including the originators of source material it may contain, is not the EEAS, the EEAS Security Authority shall first seek the originator’s written consent to establish that there are no objections to release. If the EEAS cannot establish the originator, the EEAS Security Authority shall assume the originator’s responsibility after having obtained the unanimous favourable opinion of the Member States as represented in the EEAS Security Committee.

V.   EXCEPTIONAL AD HOC RELEASE OF EUCI

12.

In the absence of one of the frameworks referred to in Article 10(1) of Annex A, and when the interests of the EU or of one or more of its Member States require the release of EUCI for political, operational or urgent reasons, EUCI may exceptionally be released to a third State or international organisation once the following actions have been taken.

The EEAS Security Authority shall, after ensuring that the conditions referred to in paragraph 11 above are met:

(a)

to the extent possible, verify with the security authorities of the third State or international organisation concerned that its security regulations, structures and procedures are such that EUCI released to it will be protected in accordance with standards no less stringent than those laid down in this Decision;

(b)

invite the EEAS Security Committee to formulate an opinion, on the basis of the available information, regarding the confidence that can be placed on the security regulations, structures and procedures in the third State or international organisation to which the EUCI is to be released;

(c)

may decide to release, provided that the unanimous favourable opinion of the Member States as represented in the EEAS Security Committee has been obtained.

13.

In the absence of one of the frameworks referred to in Article 10(1) of Annex A, the third party in question shall undertake in writing to protect the EUCI appropriately.

Appendix A

Definitions

For the purposes of this Decision, the following definitions apply:

(a)

‘Accreditation’ means the process leading to a formal statement by the Security Accreditation Authority (SAA) that a system is approved to operate with a defined level of classification, in a particular security mode in its operational environment and at an acceptable level of risk, based on the premise that an approved set of technical, physical, organisational and procedural security measures has been implemented;

(b)

‘Asset’ means anything that is of value to an organisation, its business operations and their continuity, including information resources that support the organisation’s mission;

(c)

‘Authorisation to access EUCI’ means an authorisation by the EEAS Security Authority, which is taken in accordance with this Decision after a PSC has been issued by the competent authorities of a Member State, and which certifies that an individual may, provided his ‘need-to-know’ has been determined, be granted access to EUCI up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or above) until a specified date in accordance with Article 2 of Annex A I;

(d)

‘Breach’ is an act or omission by an individual which is contrary to the security rules laid down in this Decision and/or to the security policies or guidelines setting out any measures necessary for its implementation;

(e)

‘CIS life-cycle’ means the entire duration of existence of a CIS, which includes initiation, conception, planning, requirements analysis, design, development, testing, implementation, operation, maintenance and decommissioning;

(f)

‘Classified contract’ means a contract entered into by the EEAS with a contractor for the supply of goods, execution of works or provision of services, the performance of which requires or involves access to or the creation of EUCI;

(g)

‘Classified subcontract’ means a contract entered into by a contractor of the EEAS with another contractor (i.e. the subcontractor) for the supply of goods, execution of works or provision of services, the performance of which requires or involves access to or the creation of EUCI;

(h)

‘Communication and information system’ (CIS) means any system enabling the handling of information in electronic form. A communication and information system shall comprise the entire assets required for it to operate, including the infrastructure, organisation, personnel and information resources;

(i)

‘Compromise of EUCI’ means the total or partial disclosure of EUCI to unauthorised persons or entities – see Article 9(2);

(j)

‘Contractor’ means an individual or legal entity possessing the legal capacity to undertake contracts;

(k)

‘Cryptographic (Crypto) products’ are cryptographic algorithms, cryptographic hardware and software modules, and products including implementation details and associated documentation and keying material;

(l)

‘CSDP operation’ means a military or civilian crisis management operation under Title V, Chapter 2, of the TEU;

(m)

‘Declassification’ means the removal of any security classification;

(n)

‘Defence in depth’ means the application of a range of security measures organised as multiple layers of defence;

(o)

‘Designated Security Authority’ (DSA) means an authority responsible to the National Security Authority (NSA) of a Member State which is responsible for communicating to industrial or other entities national policy on all matters of industrial security and for providing direction and assistance in its implementation. The function of DSA may be carried out by the NSA or by any other competent authority;

(p)

‘Document’ means any recorded information regardless of its physical form or characteristics;

(q)

‘Downgrading’ means a reduction in the level of security classification;

(r)

‘EU classified information’ (EUCI) means any information or material the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States, designated by an EU security classification – see Article 2(f);

(s)

‘Facility Security Clearance’ (FSC) means an administrative determination by an NSA or DSA that, from the security viewpoint, a facility can afford an adequate level of protection to EUCI of a specified security classification level and its personnel who require access to EUCI have been appropriately security cleared and briefed on the relevant security requirements necessary to access and protect EUCI;

(t)

‘Handling’ of EUCI means all possible actions to which EUCI may be subject throughout its life-cycle. It comprises its creation, processing, carriage, downgrading, declassification and destruction. In relation to CIS it also comprises its collection, display, transmission and storage;

(u)

‘Holder’ means a duly authorised individual with an established need-to-know who is in possession of an item of EUCI and is accordingly responsible for protecting it;

(v)

‘Industrial or other entity’ means an entity involved in supplying goods, executing works or providing services; this may be an industrial, commercial, service, scientific, research, educational or development entity or a self-employed individual;

(w)

‘Industrial security’ is the application of measures to ensure the protection of EUCI by contractors or subcontractors in pre-contract negotiations and throughout the life-cycle of classified contracts – see Article 9 (1) of Annex A;

(x)

‘Information Assurance’ (IA) in the field of communication and information systems is the confidence that such systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users. Effective IA shall ensure appropriate levels of confidentiality, integrity, availability, non-repudiation and authenticity. IA shall be based on a risk management process – see Article 8(1) of Annex A;

(y)

‘Interconnection’ means, for the purposes of this Decision, the direct connection of two or more IT systems for the purpose of sharing data and other information resources (e.g. communication) in a unidirectional or multidirectional way – see Annex A IV, paragraph 31;

(z)

‘Management of classified information’ is the application of administrative measures for controlling EUCI throughout its life-cycle to supplement the measures provided for in Articles 5, 6 and 8 and thereby help deter, detect and recover from deliberate or accidental compromise or loss of such information. Such measures relate in particular to the creation, registration, copying, translation, carriage, handling, storage and destruction of EUCI – see Article 7(1) of Annex A;

(aa)

‘Material’ means any document or item of machinery or equipment, either manufactured or in the process of manufacture;

(bb)

‘Originator’ means the EU institution, agency or body, Member State, third state or international organisation under whose authority classified information has been created and/or introduced into the EU’s structures;

(cc)

‘Personnel security’ is the application of measures to ensure that access to EUCI is granted only to individuals who have:

a need-to-know;

for access to CONFIDENTIEL UE/EU CONFIDENTIAL information or above, been security cleared to the relevant level, or are otherwise duly authorised by virtue of their functions in accordance with national laws and regulations; and

been briefed on their responsibilities, in accordance with Article 5(1) of Annex A;

(dd)

‘Personnel Security Clearance’ (PSC) for access to EUCI means a statement by a competent authority of a Member State which is made following completion of a security investigation conducted by the competent authorities of a Member State and which certifies that an individual may, provided his ‘need-to-know’ has been determined, be granted access to EUCI up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or above) until a specified date; the individual thus described is said to be ‘security cleared’;

(ee)

‘Personnel Security Clearance Certificate’ (PSCC) means a certificate issued by a competent authority establishing that an individual is security cleared and holds a valid PSC or Authorisation from Director for HQ security and EEAS information security for access to EUCI, and which shows the level of EUCI to which that individual may be granted access (CONFIDENTIEL UE/EU CONFIDENTIAL or above), the date of validity of the relevant PSC and the date of expiry of the certificate itself;

(ff)

‘Physical security’ is the application of physical and technical protective measures to deter unauthorised access to EUCI – see Article 6 of Annex A;

(gg)

‘Programme/Project Security Instruction’ (PSI) means a list of security procedures which are applied to a specific programme/project in order to standardise security procedures. It may be revised throughout the programme/project;

(hh)

‘Registration’ means the application of procedures that record the life-cycle of information, including its dissemination and destruction – see Annex A III, paragraph 21;

(ii)

‘Residual risk’ means the risk which remains after security measures have been implemented, given that not all threats are countered and not all vulnerabilities can be eliminated;

(jj)

‘Risk’ means the potential that a given threat will exploit internal and external vulnerabilities of an organisation or of any of the systems it uses and thereby cause harm to the organisation and to its tangible or intangible assets. It is measured as a combination of the likelihood of threats occurring and their impact;

(kk)

‘Risk acceptance’ is the decision to agree to the further existence of a residual risk after risk treatment;

(ll)

‘Risk assessment’ consists of identifying threats and vulnerabilities and conducting the related risk analysis, i.e. the analysis of probability and impact;

(mm)

‘Risk communication’ consists of developing awareness of risks among CIS user communities, informing approval authorities of such risks and reporting them to operating authorities;

(nn)

‘Risk management process’ means the entire process of identifying, controlling and minimising uncertain events that may affect the security of an organisation or of any of the systems it uses. It covers the entirety of risk-related activities, including assessment, treatment, acceptance and communication;

(oo)

‘Risk treatment’ consists of mitigating, removing, reducing (through an appropriate combination of technical, physical, organisational or procedural measures), transferring or monitoring the risk;

(pp)

‘Security Aspects Letter’ (SAL) means a set of special contractual conditions issued by the contracting authority which forms an integral part of any classified contract involving access to or the creation of EUCI, that identifies the security requirements or those elements of the contract requiring security protection – see Annex A V, Section II;

(qq)

‘Security Classification Guide’ (SCG) means a document which describes the elements of a programme or contract which are classified, specifying the applicable security classification levels. The SCG may be expanded throughout the life of the programme or contract and the elements of information may be re-classified or downgraded; where an SCG exists it shall be part of the SAL – see Annex A V, Section II;

(rr)

‘Security investigation’ means the investigative procedures conducted by the competent authority of a Member State in accordance with its national laws and regulations in order to obtain an assurance that nothing adverse is known which would prevent an individual from being granted a national or EU PSC for access to EUCI up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or above);

(ss)

‘Security Operating Procedures’ (SecOPs) means a description of the security policy implementation to be adopted, of the operating procedures to be followed and of the personnel responsibilities;

(tt)

‘Sensitive non-classified information’ means information or material that the EEAS must protect because of legal obligations laid down in the Treaties or in acts adopted in implementation thereof, and/or because of its sensitivity. Sensitive non-classified information includes, but is not limited to, information or material covered by the obligation of professional secrecy, as referred to in Article 339 TFEU, information covered by the interests protected in Article 4 of Regulation (EC) No 1049/2001 (1) read in conjunction with the relevant case-law of the Court of Justice of the European Union, or personal data within the scope of Regulation (EU) 2018/1725;

(uu)

‘Specific Security Requirement Statement’ (SSRS) means a binding set of security principles to be observed and of detailed security requirements to be implemented, underlying the process of certification and accreditation of CIS;

(vv)

‘TEMPEST’ means the investigation, study and control of compromising electromagnetic emanations and the measures to suppress them;

(ww)

‘Threat’ means a potential cause of an unwanted incident which may result in harm to an organisation or any of the systems it uses; such threats may be accidental or deliberate (malicious) and are characterised by threatening elements, potential targets and attack methods;

(xx)

‘Vulnerability’ means a weakness of any nature that can be exploited by one or more threats. Vulnerability may be an omission or it may relate to a weakness in controls in terms of their strength, completeness or consistency and may be of a technical, procedural, physical, organisational or operational nature.


(1)  Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).


Appendix B

Equivalence of security classifications

Country / organisation | TOP SECRET level | SECRET level | CONFIDENTIAL level | RESTRICTED level

EU | TRES SECRET UE/EU TOP SECRET | SECRET UE/EU SECRET | CONFIDENTIEL UE/EU CONFIDENTIAL | RESTREINT UE/EU RESTRICTED

EURATOM | EURA TOP SECRET | EURA SECRET | EURA CONFIDENTIAL | EURA RESTRICTED

Belgium | Très Secret (Loi 11.12.1998) / Zeer Geheim (Wet 11.12.1998) | Secret (Loi 11.12.1998) / Geheim (Wet 11.12.1998) | Confidentiel (Loi 11.12.1998) / Vertrouwelijk (Wet 11.12.1998) | Nota (1) below

Bulgaria | Строго секретно | Секретно | Поверително | За служебно ползване

Czech Republic | Přísně tajné | Tajné | Důvěrné | Vyhrazené

Denmark | YDERST HEMMELIGT | HEMMELIGT | FORTROLIGT | TIL TJENESTEBRUG

Germany | STRENG GEHEIM | GEHEIM | VS (2) — VERTRAULICH | VS — NUR FÜR DEN DIENSTGEBRAUCH

Estonia | Täiesti salajane | Salajane | Konfidentsiaalne | Piiratud

Ireland | Top Secret | Secret | Confidential | Restricted

Greece | Άκρως Απόρρητο, Abr: (ΑΑΠ) | Απόρρητο, Abr: (ΑΠ) | Εμπιστευτικό, Abr: (ΕΜ) | Περιορισμένης Χρήσης, Abr: (ΠΧ)

Spain | SECRETO | RESERVADO | CONFIDENCIAL | DIFUSIÓN LIMITADA

France | TRÈS SECRET / TRÈS SECRET DÉFENSE (3) | SECRET / SECRET DÉFENSE (3) | CONFIDENTIEL DÉFENSE (3) (4) | Nota (5) below

Croatia | VRLO TAJNO | TAJNO | POVJERLJIVO | OGRANIČENO

Italy | Segretissimo | Segreto | Riservatissimo | Riservato

Cyprus | Άκρως Απόρρητο, Abr: (ΑΑΠ) | Απόρρητο, Abr: (ΑΠ) | Εμπιστευτικό, Abr: (ΕΜ) | Περιορισμένης Χρήσης, Abr: (ΠΧ)

Latvia | Sevišķi slepeni | Slepeni | Konfidenciāli | Dienesta vajadzībām

Lithuania | Visiškai slaptai | Slaptai | Konfidencialiai | Riboto naudojimo

Luxembourg | Très Secret Lux | Secret Lux | Confidentiel Lux | Restreint Lux

Hungary | ‘Szigorúan titkos!’ | ‘Titkos!’ | ‘Bizalmas!’ | ‘Korlátozott terjesztésű!’

Malta | L-Ogħla Segretezza / Top Secret | Sigriet / Secret | Kunfidenzjali / Confidential | Ristrett / Restricted (6)

Netherlands | Stg. ZEER GEHEIM | Stg. GEHEIM | Stg. CONFIDENTIEEL | Dep. VERTROUWELIJK

Austria | Streng Geheim | Geheim | Vertraulich | Eingeschränkt

Poland | Ściśle Tajne | Tajne | Poufne | Zastrzeżone

Portugal | Muito Secreto | Secreto | Confidencial | Reservado

Romania | Strict secret de importanță deosebită | Strict secret | Secret | Secret de serviciu

Slovenia | STROGO TAJNO | TAJNO | ZAUPNO | INTERNO

Slovakia | Prísne tajné | Tajné | Dôverné | Vyhradené

Finland | ERITTÄIN SALAINEN / YTTERST HEMLIG | SALAINEN / HEMLIG | LUOTTAMUKSELLINEN / KONFIDENTIELL | KÄYTTÖ RAJOITETTU / BEGRÄNSAD TILLGÅNG

Sweden | Kvalificerat hemlig | Hemlig | Konfidentiell | Begränsat hemlig


(1)  Diffusion Restreinte/Beperkte Verspreiding is not a security classification in Belgium. Belgium handles and protects ‘RESTREINT UE/EU RESTRICTED’ information in a manner no less stringent than the standards and procedures described in the security rules of the Council of the European Union.

(2)  Germany: VS = Verschlusssache.

(3)  Information generated by France before 1 July 2021 and classified ‘TRÈS SECRET DÉFENSE’, ‘SECRET DÉFENSE’ and ‘CONFIDENTIEL DÉFENSE’ continues to be handled and protected at the equivalent level of ‘TRÈS SECRET UE/EU TOP SECRET’, ‘SECRET UE/EU SECRET’ and ‘CONFIDENTIEL UE/EU CONFIDENTIAL’ respectively.

(4)  France handles and protects ‘CONFIDENTIEL UE/EU CONFIDENTIAL’ information in accordance with the French security measures for protecting ‘SECRET’ information.

(5)  France does not use the classification ‘RESTREINT’ in its national system. France handles and protects ‘RESTREINT UE/EU RESTRICTED’ information in a manner no less stringent than the standards and procedures described in the security rules of the Council of the European Union.

(6)  The Maltese and English markings for Malta can be used interchangeably.


NOTICES FROM MEMBER STATES

26.7.2023   

EN

Official Journal of the European Union

C 263/74


List of natural mineral waters recognised by Member States, United Kingdom (Northern Ireland) and EEA countries

(2023/C 263/05)

In accordance with Article 1 of Directive 2009/54/EC of the European Parliament and of the Council of 18 June 2009 on the exploitation and marketing of natural mineral waters (1), the Commission is publishing in the Official Journal of the European Union the list of natural mineral waters recognised as such by the Member States.

The following list replaces any list of recognised natural mineral waters previously published.

1.   MEMBER STATES

List of natural mineral waters recognised by Belgium

Trade description

Name of source

Place of exploitation

Bru

Bru

Chevron

Chaudfontaine

Thermale

Chaudfontaine

Chevron

Monastère

Chevron

Christianabronnen

Christiana

Gavere

Clémentine

Clémentine

Spixhe

Ginstberg

Ginstbergbron

Scheldewindeke

Harre

Harre

Werbomont-Ferrières

Koningsbronnen

Koning

Brakel

Leberg

Leberg

Roosdal

Love my planet®

L’OR

Chevron

Ordal

Ordal

Ranst

Spa

Marie-Henriette

Spa

Spa

Barisart

Spa

Spa

Reine

Spa

Sty

Sty

Céroux-Mousty

Sunco

Sunco

Ninove

Toep

Toep

Brakel

Top

Top

Brakel

1

Volette

Etalle

Val

Val

Boortmeerbeek

Valvert

Valvert

Etalle

Villers Monopole

Villers

Villers-le-Gambon

List of natural mineral waters recognised by Bulgaria

Trade description

Name of source

Place of exploitation

Банкя

(Bankya)

Банкя сондаж ТК 1 Иваняне

(Bankya sondazh TK 1 Ivanyane)

Банкя

(Bankya)

Вега

(Vega)

Шивачево извор Хаджи Димитър

(Shivachevo izvor Hadzhi Dimitar)

Шивачево

(Shivachevo)

Велинград

(Velingrad)

Велинград сондаж 5 Горски пункт

(Velingrad sondazh 5 Gorski punkt)

Велинград

(Velingrad)

Водица

(Voditza)

Водица сондаж Р-2

(Voditsa sondazh R-2)

Водица

(Voditsa)

Горна баня

(Gorna bania)

Горна баня сондаж 3

(Gorna banya sondazh 3)

Горна баня

(Gorna banya)

Горна баня

(Gorna bania)

Горна баня сондаж 4 и извор Домус дере

(Gorna banya sondazh 4 i izvor Domus dere)

Горна баня

(Gorna banya)

Девин

(Devin)

Девин сондаж 3

(Devin sondazh 3)

Девин

(Devin)

Девин

(Devin)

Девин сондаж 5

(Devin sondazh 5)

Девин

(Devin)

Долна баня

(Dolna bania)

Долна баня сондаж 141

(Dolna banya sondazh 141)

Долна баня

(Dolna banya)

Долче Вита

(Dolce Vita)

Шивачево извор Хаджи Димитър

(Shivachevo izvor Hadzhi Dimitar)

Шивачево

(Shivachevo)

Драгойново

(Dragoynovo)

Драгойново сондаж 9

(Dragoynovo sondazh 9)

Драгойново

(Dragoynovo)

Княжево

(Kniajevo)

Княжево сондаж 1 хг

(Knyazhevo sondazh 1 hg)

Княжево

(Knyazhevo)

Княжевска

(Knyazhevska)

Княжево сондаж Книжна фабрика

(Knyazhevo sondazh Knizhna fabrika)

Княжево

(Knyazhevo)

Ком

(Kom)

Бързия сондаж 1

(Barzia sondazh 1)

Бързия

(Barzia)

Леново

(Lenovo)

Леново сондаж 12

(Lenovo sondazh 12)

Леново

(Lenovo)

Михалково

(Mihalkovo)

Михалково сондажи 1аВП и 1 ВКП

(Mihalkovo sondazhi 1aVP i 1 VKP)

Михалково

(Mihalkovo)

Пирин Спринг

(Pirin Spring)

Баничан сондаж 273

(Banichan sondazh 273)

Баничан

(Banichan)

Старо Железаре

(Staro Jelezare)

Старо Железаре сондажи 2 и 4

(Staro Zhelezare sondazhi 2 i 4)

Старо Железаре

(Staro Zhelezare)

Хисар

(Hisar)

Хисаря сондажи 1 и 7

(Hisarya sondazhi 1 i 7)

Хисаря

(Hisarya)

Хисар

(Hissar)

Хисаря извор Чобан чешма

(Hisarya izvor Choban cheshma)

Хисаря

(Hisarya)

Хисаря

(Hissaria)

Хисаря сондаж 7

(Hisarya sondazh 7)

Хисаря

(Hisarya)

List of natural mineral waters from third countries recognised by Bulgaria

Trade description

Name of source

Place of exploitation

Пелистерка

(Pelisterka)

Меджитлия извор D-1

(Medzitlija izvor D-1)

Меджитлия Македония

(Medzitlija, Republic of North Macedonia)

Мая

(Maya)

Експлоатационен кладенец ЕБ-2

(eksploatatsionen kladenets EB-2)

Гари, Република Северна Македония

(Gari, Republic of North Macedonia)

List of natural mineral waters recognised by the Czech Republic

Trade description

Name of source

Place of exploitation

Aqua Maria

Aqua Maria

Mariánské Lázně

BOHEMIA quelle

BQ-2

Rohatec

Dobrá voda

Dobrá voda

Byňov

Hanácká kyselka

Hanácká kyselka

Horní Moštěnice

IL SANO

IL SANO

Chodová Planá

Korunní

Korunní

Stráž nad Ohří

Krondorf

BJ-142

Stráž nad Ohří

Magnesia

Magnesia

Mnichov u Mariánských Lázní

Mattoni

Mattoni

Kyselka u Karlových Varů

Ondrášovka

Ondrášovka

Ondrášov

Poděbradka

Poděbradka

Poděbrady - Velké Zboží

Vratislavická kyselka

Vratislavická kyselka

Vratislavice nad Nisou

List of natural mineral waters recognised by Denmark

Trade description

Name of source

Place of exploitation

Aqua d’or

Aqua d’or-kilden

Fasterholt

7330 Brande

Denice

Denicekilden

Fasterholt

7330 Brande

Carlsberg Kurvand

Arnakke Kilde

Silkeborg Bad

8600 Silkeborg

Kærspringeren

Vinten-Kilden

Brønsholmvej 11

Vinten

8700 Horsens

Iskilde

Iskilden

Skårdal

Langkær 29 Hem

8660 Skanderborg

Egekilde

Egekilde

Faxe Bryggeri A/S

Allé 1

4640 Fakse

Kildevæld

Kildevæld

Sdr. Saltumvej 4

9493 Saltum

Nornir

Nornir

Skerrisvej 4

7330 Brande

Krusmølle Kilde

Krusmølle Kilde

Krusmølle Kilden v/Krusmølle i Sdr. Jylland

Holk

Holk

Amtsvejen 133

Mellerup

8900 Randers/Århus

Fruenskilde

Fruenskilde

Højgårdvej 23

7100 Vejle

Boring 7

Boring 7

Bornholms Kildevand ApS

Piledamsstræde 6

3730 Nexø

Balders Kilde

Balders Kilde

Risbølvej

7250 Hejnsvig

Valdemars Slot Mineralvand

Valdemars Slot

Valdemars Slot A/S

5700 Svendborg

Brokilde

Brokilde

Ringstedvej 13

4520 Svinninge

List of natural mineral waters from third countries recognised by Denmark

Trade description

Name of source

Place of exploitation

Hildon Natural Mineral Water

Hildon Borehole

The Hildon Estate

Deeside Natural Mineral Water

Lower Spring

Pannanich Wells

Royal Deeside Natural Mineral Water

Upper East Spring

Pannanich Wells

Ty Nant

Ty Nant Water

Bethania, Llanon, Wales, UK

ASDA Natural Mineral Water

Elmhurst Spring

Elmhurst, Lichfield, Staffordshire, UK

Kingshill Natural Mineral Water

Kingshill

Newmains, Lanarkshire, United Kingdom

List of natural mineral waters recognised by Germany

Trade description

Name of source

Place of exploitation

1-Aqua-Quelle

1-Aqua-Quelle

Thür

--- (3)

Adelheidquelle

Bad Überkingen

--- (3)

Adelindis-Quelle

Bad Buchau

--- (4)

Aquana

Löningen

--- (3)

AQUANT

Gemarkung Fallingbostel

--- (4)

Arnoldi Quelle

Warburg-Germete

--- (3)

Bad Nieratz-Quelle

Wangen im Allgäu

--- (3)

Brunnen 13

Gemeinde Eichenzell, Gemarkung Lütter, Flur 4, Flurstück Nr. 37/3

--- (3)

Brunnen 14

Gemeinde Eichenzell, Gemarkung Rönshausen, Flur 13, Flurstück Nr. 12/10

--- (4)

Brunnen 2

Grüneberg

--- (3)

Brunnen S11

Schwollen

--- (3)

Brunnen S9

Schwollen

--- (3)

Brunnen Schlackental

Bad Harzburg

--- (3)

Consia

Dorsten

--- (2)

Dionysius

Paderborn

--- (3)

Eifelparkquelle

Brohl-Lützing

--- (3)

Enzo-Quelle

Bad Überkingen

--- (4)

Falkenberg-Quelle

Löhne

--- (4)

Feldquell

Gütersloh

--- (3)

FONSANA

Baruth/Mark

--- (4)

Freisinger Mineralquelle

Freising

--- (3)

Frischlandquelle

Haigerloch

--- (4)

Harzer Viktoriabrunnen

Langelsheim

--- (4)

Harzer Weinbrunnen

Langelsheim

--- (4)

Hebequelle

Mühringen

--- (4)

Heinberg-Quelle

Warburg-Germete

--- (4)

Ho-Ga

Sittensen

--- (4)

Jungbrunnen

Uelzen

--- (2)

Lilian Mineralbrunnen

Belm

--- (4)

Marcus-Quelle

Bad Driburg

--- (4)

Margarethen-Quelle

Goslar-Grauhof

--- (2)

Move

Höhbeck-Pevesdorf

--- (4)

Mühlenbergquelle

Bad Pyrmont

--- (3)

Natur

Dorsten

--- (3)

Naturparkquelle Rottenburg

Rottenburg am Neckar-Bad Niedernau

--- (4)

Oberharzer Brunnen

Altenau/Oberharz

--- (3)

Paulinenquelle

Rottenburg Bieringen

--- (4)

Power Mineralwasserbrunnen 92/94

Belm

--- (3)

Quelle 33

Reutlingen

--- (4)

Riechenberger Klosterquelle

Goslar

--- (3)

Rilchinger

Rilchingen-Hanweiler

--- (2)

S1

Schwollen

--- (4)

Sankt Ansgari Quelle

Haselünne

--- (3)

Stefans Quelle

Tauberbischofsheim-Distelhausen

--- (4)

Steinquelle

Goslar

--- (4)

Talquelle

Goslar-Oker

--- (2)

Tausendwasser

Schwollen

--- (3)

Urstromquelle

Baruth/Mark

--- (3)

Venus-Quelle

Kißlegg

7 Mountains (Naturell, Classic und Medium)

Artus-Quelle (Mineralquelle 6)

Bornheim-Roisdorf

Abenstaler Quelle

Eichentaler

Elsenbach

Abenstaler Quelle

Elsendorf-Horneck

Achalm

Quelle 29

Reutlingen

Adelholzener Alpenquellen

Adelholzener AlpenQuell Bergen

Bad Adelholzen

Adelholzener Alpenquellen

Adelholzener PrimusQuelle

Bad Adelholzen

Adello

Adello-Quelle

Bad Liebenwerda

Adello

Adello Quelle

Ebersburg

Aegidius (Classic, Medium und Naturell)

Rheinlandquelle

(Mineralquelle 8)

Bornheim-Roisdorf

Aera

Genussquelle 3

Emsdetten

Ahrtal Quelle

Ahrtalquelle

Sinzig

Akpinar

Westfalenborn

Steinheim-Vinsebeck

Aktisa

Aktisa-Brunnen

Bad Vilbel

Alasia

Alasia Mineralquelle

Ebersburg

Alasia

Alasia Mineralquelle

Bad Liebenwerda

(Quellort: Maasdorf)

Albertus-Quelle

Albertus-Quelle (II)

Dasing

Alb-Perle

Alb-Quelle

Aspach-Rietenau

Alete Mineralquelle

Alete Mineralquelle

Polling-Weiding/Kreis Mühldorf am Inn

Allgäuer Alpenwasser

Allgäuer Alpenwasser

Oberstaufen

Aloisius Quelle

Aloisius Quelle

Gundelfingen an der Donau

Alosa

Tiefenquelle

Wagenfeld

Alstertaler

St. Georg Quelle

Norderstedt

Alter Brunnen

Alter Brunnen

Bad Camberg-Oberselters

Alter Theresienbrunnen

Alter Theresienbrunnen

Bad Kissingen

Alvara

Alvara

Bochum

Alvara-Quelle

Alvara-Quelle

Mendig

alwa

alwa-Quelle

Sersheim

Alwa

bonalwa

Bad Peterstal-Griesbach

Amadeus-Quelle

Amadeus-Quelle (Brunnen 2)

Mönchengladbach

Amalienbrunnen

Amalienbrunnen

Bad Doberan

Ambassador

Ambassador-Quelle

Bad Liebenwerda

Andreasquelle

Andreasquelle

Sulzbach am Main-Soden

Anhaltiner Bergquelle

Anhaltiner Bergquelle

Hecklingen-Gänsefurth

Antonius-Quelle

Antonius-Quelle

Warburg-Germete

Apodis

Genussquelle 1

Emsdetten

Apollinaris

Classic

Bad Neuenahr-Ahrweiler

Apollinaris Silence

Silence

Bad Neuenahr-Ahrweiler

Aqua +

Abt

Dorsten

Aqua Box Naturell

Naturell Quelle

Fachingen

Aqua Culinaris, Naturalis, Surf

Altmühltaler Quelle

Brunnen 1+2

Treuchtlingen

Aqua Exquisite

Urstromtaler

Baruth/Mark

Aqua Fun

Elfen-Quelle

Haigerloch-Bad Imnau

Aqua Mia

Geotaler

Löhne

Aqua Nordic

Aqua Nordic

Husum-Rosendahl

AQUA RÖMER SANFT & STILL

Sanft & Still Quelle

Großerlach

Aqua SELECT

Melanchthon

Karlsdorf-Neuthard

Aqua Vitale

Vitale Quelle Sersheim

Sersheim

Aqua-frisch

Heinberg-Quelle

Warburg-Germete

Aquarissima

(Aquarissima Classic, Aquarissima Medium)

Auenquelle

Rhens

Aquarissima Naturelle

Gebirgsquelle

Rhens

AquaRömer

Aqua Römer Quelle

Mainhardt

Aquastar

Adello Quelle

Ebersburg

AquaStar

AquaStar

Friedberg-Dorheim

AQUATA

Aquata

Karlsdorf-Neuthard

AquaVita

Laurentius Quelle

Mainhardt

Aquintéll

Aquintéll

Duisburg

Aquintéll Quelle

Aquintéll Quelle

Bad Brückenau

Aquintus Mineralwasser

Aquintus Quelle

Dortmund

Aquintus Quelle

Aquintus Quelle

Duisburg-Walsum

Aqva Azzurra

Aqva Quelle

Bad Überkingen

Ardey Quelle

Ardey Quelle

Duisburg-Walsum

Ardey Quelle Exquisit

Ardey Quelle

Dortmund

Arienheller

Arienheller

Rheinbrohl-Arienheller

Arienheller-Brunnen

Arienheller-Quelle

Rheinbrohl-Arienheller

Ariston-Sprudel

Ariston-Sprudel

Mendig

Ariwa

David-Quelle

Bad Peterstal

Arkia Mineralwasser

Ried-Quelle

Bad Vilbel

Arkona Quelle

Arkona Quelle

Güstrow

Arolser ‘Schloßbrunnen’

Arolser ‘Schloßbrunnen’

Arolsen

ARRET

Arret-Quelle

Bad Hönningen

Artesia-Quelle

Artesia-Quelle

Reuth bei Erbendorf

Artus

Rheintalquelle

Brohl-Lützing

Artus (Naturell, Classic und Medium)

Artus-Quelle (Mineralquelle 6)

Bornheim-Roisdorf

ASS

Scharmühlquelle

Bad Vilbel-Gronau

ASS

ASS

Horn-Bad Meinberg

ASSINDIA

Assindia-Quelle

Haan

Astra

Astra

Bad Vilbel

Auburg

Auburg-Quelle

Wagenfeld

Auenwald

Auenquelle

Wöpse

Augusta-Victoria-Quelle

Augusta-Victoria-Quelle

Löhnberg-Selters

Autenrieder Schloßgartenbrunnen

Autenrieder Schloßgartenbrunnen

Ichenhausen-Autenried

Autenrieder Schloßgartenquelle

Autenrieder Schloßgartenquelle

Ichenhausen-Autenried

Avanus-Mineralbrunnen

Avanus-Mineralbrunnen

Belm

Avara Mineralwasser

Q2-Quelle

Bad Liebenzell

Azur

Azur Quelle Ortelsdorf

Lichtenau

Azur

Azur-Quelle

Bad Vilbel

Bad Brambacher Mineralquelle

Bad Brambacher Mineralquelle

Bad Brambach

Bad Camberger Taunusquelle

Taunusquelle

Bad Camberg-Oberselters

Bad Driburger

Bad Driburger Mineralquelle I

Bad Driburg

Bad Dürrheimer

Johannisquelle

Bad Dürrheim

Bad Dürrheimer

Weissenberger Quelle

Bad Dürrheim

Bad Kissinger

Bad Kissinger

Bad Kissingen

Bad Kissinger Theresien Quelle

Theresien Quelle

Bad Kissingen

Bad Liebenwerda

Bad Liebenwerda Mineralquelle

Bad Liebenwerda

Bad Liebenzeller

Q1 Quelle

Bad Liebenzell

Bad Liebenzeller Mineralwasser Paracelsus

Q1-Quelle

Bad Liebenzell

Bad Nauheimer

Bad Nauheimer

Friedberg-Dorheim

Bad Nauheimer Ur-Quelle

Bad Nauheimer Urquelle

Friedberg-Dorheim

Bad Pyrmonter

Bad Pyrmonter

Bad Pyrmont

Bad Reichenhaller Mineralwasser

Karlsteiner Mineralwasser

Bad Reichenhall

Bad Salzschlirfer Mineralwasser

Retzmann-Brunnen

Bad Salzschlirf

Bad Suderoder Mineralbrunnen

Bad Suderoder Mineralbrunnen

Bad Suderode

Bad Vilbeler Hermanns Quelle

Bad Vilbeler Hermanns Quelle

Bad Vilbel

Bad Vilbeler UrQuelle

Bad Vilbeler UrQuelle

Bad Vilbel

Bad Windsheimer Urquelle

Bad Windsheimer Urquelle

Bad Windsheim

BadnerLand

Johannisquelle

Bad Dürrheim

BadnerLand

Kniebis-Quelle

Bad Griesbach

BadnerLand

Weissenberger Quelle

Bad Dürrheim

Badquelle

Badquelle

Neuenburg-Steinenstadt

Balduin Quelle

Balduin Quelle

Dreis

Baldus Quelle

Baldus-Quelle

Löhnberg

Barbarossa-Brunnen

Barbarossa-Brunnen

Sinzig

Baron von Westfalen

Baron von Westfalen

Horn-Bad Meinberg

Baron-von-Westfalen

Westfalenborn

Steinheim-Vinsebeck

Basinus

Bonaris Quelle

Neustadt an der Aisch

Basinus

Krönungsquelle

Bad Windsheim

Basinus

Sinus-Quelle

Eilenburg

Bella Fontanis

Fontanis-Quelle

Sachsenheim-Spielberg

BellAir

Q1-Quelle

Bad Liebenzell

Bellaqua

Franziskusquelle

Bad Peterstal

Bellaris

Bellaris-Quelle

Bellheim/Pfalz

Berg

B2

Schwollen

Berg Quellen

B3

Schwollen

Berg Quellen

B1

Schwollen (Quellort: Rinzenberg)

Bergische Waldquelle

Bergische Waldquelle

Haan

Bergquelle

Bergquelle

Goslar-Oker

BERG-QUELLE

Bergquelle

Thalfang

Bernadett-Brunnen

Bernadett-Brunnen

Ingolstadt

Bernsteiner, Heimatwasser, Kondrauer

Diepold-Quelle

Waldsassen-Kondrau

Beta

Baron-von-Westfalen-Quelle

Steinheim-Vinsebeck

Biberacher Mineralwasser

Biberacher Mineralbrunnen

Heilbronn am Neckar

Bietzener Wiesen

Bietzener Wiesen

Merzig

Billetalquelle

Billetalquelle

Reinbek

Bio Kristall

BioKristall-Quelle

Neumarkt i.d.OPf.

Bios

Bios Quelle

Stralsund

Bischofsquelle

Bischofsquelle

Dodow

Biskirchener Karlssprudel

Biskirchener Karlssprudel

Leun-Biskirchen

Bissinger Auerquelle

Aquabella Quelle

Auerquelle

Bissingen/Schwaben

Black Forest

Hansjakob-Quelle

Bad Rippoldsau

Blankenburger Wiesenquell

Blankenburger Wiesenquell

Blankenburg/Harz

Bonatur

Tiefenquelle

Bielefeld

Brandenburger Quell

Brandenburger Quell

Diedersdorf

Breisgauer Mineralwasser

Breisgauer Mineralquelle

Neuenburg-Steinenstadt

Brillant Quelle

Brillant-Quelle

Thalfang

Brohler

Karlsquelle

Brohl-Lützing

Brunnen 2

Brunnen 2

Duisburg

Brunnen 2a

Brunnen 2a

Duisburg

Brunnen 2b

Brunnen 2b

Duisburg

Brunnen 3a

Brunnen 3a

Duisburg-Walsum

Brunnen HB 3.1

Brunnen HB 3.1

Bad Camberg-Oberselters

Brunnen HB4.2

Brunnen HB4.2

Bad Camberg-Oberselters

Brunnen J6

Brunnen J6

Duisburg-Walsum

Brunnthaler

Brunnthaler

Burgheim

Buchhorn Quelle

Buchhorn Quelle

Eberstadt-Buchhorn

Burgenperle

Burgenperle-Quelle

Reutlingen-Rommelsbach

BurgQuelle

Lahnstein I

Lahnstein

Burg-Quelle

Sauerborn

Plaidt

Burgwallbronn

Burgwallbronn

Duisburg-Walsum

Caldener Mineralbrunnen

Caldener Mineralbrunnen

Calden-Westuffeln

Callisto

Westfalenborn

Steinheim-Vinsebeck

Carat

Felsenquelle

Bielefeld (Quelle in Gütersloh)

Carolinen

Ursprungsquelle (Brunnen 9)

Bielefeld

Carolinen Naturelle

Carolinen Medium

Carolinen Classic

Bio-Quelle

Bielefeld

Carolinen®

Bio-Urquelle

Bielefeld

Carolinen®

Urgesteinsquelle

Bielefeld

Carolinen®

Urquelle

Bielefeld

Carolinen®

Ursprungsquelle

Bielefeld

Cascada

Cascada

Bad Windsheim

Caspar Heinrich

Caspar-Heinrich-Quelle II

Bad Driburg

Catharinen Quelle

Catharinen Quelle

Bad Camberg-Oberselters

Cherusker

Westfalenborn

Steinheim-Vinsebeck

Christinen

Teutoburger Bergquelle

Bielefeld

Christinen Babywasser

Teuto-Quelle

Bielefeld

Clarissa

Heinberg-Quelle

Warburg-Germete

Claudius

Claudius

Trappenkamp

Comburg

Comburg Quelle

Schwäbisch Hall

Cora-Quelle

Cora-Quelle

Erkrath

Coronet

LIBU-Quelle

Bochum

Dalphin

Dalphin Quelle

Erkrath

Dauner Mineralquelle

Dauner Mineralquelle

Daun

Dauner Urquelle

Dauner Quelle IV

Daun

Del Bon

Del Bon Quelle

Thalfang

Delta

Delta-Quelle

Steinheim-Vinsebeck

Diamantquelle

Diamantquelle

Langelsheim

Diana Mineralwasser

Berg-Quelle 1

Neubulach-Liebelsberg

Dietenbronner

Lazarus-Quelle

Schwendi-Dietenbronn

Dreibogen-Quelle

Dreibogen-Quelle

Eichendorf-Adldorf

Dreikönigsquelle

Dreikönigsquelle

Rheinbrohl

Drei