This document is an excerpt from the EUR-Lex website
Document 52020XC0515(01)
Commission Notice Guidelines on annual audit reports to be submitted in accordance with Article 15(8) of Directive 2014/40/EU in the context of the EU traceability system for tobacco products (Text with EEA relevance) 2020/C 167/01
Commission Notice Guidelines on annual audit reports to be submitted in accordance with Article 15(8) of Directive 2014/40/EU in the context of the EU traceability system for tobacco products (Text with EEA relevance) 2020/C 167/01
Commission Notice Guidelines on annual audit reports to be submitted in accordance with Article 15(8) of Directive 2014/40/EU in the context of the EU traceability system for tobacco products (Text with EEA relevance) 2020/C 167/01
C/2020/3057
OJ C 167, 15.5.2020, p. 1–9
(BG, ES, CS, DA, DE, ET, EL, EN, FR, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
15.5.2020 |
EN |
Official Journal of the European Union |
C 167/1 |
COMMISSION NOTICE
Guidelines on annual audit reports to be submitted in accordance with Article 15(8) of Directive 2014/40/EU in the context of the EU traceability system for tobacco products
(Text with EEA relevance)
(2020/C 167/01)
DISCLAIMER: The aim of this document is to provide guidance to an approved auditor on the scope of the audit and the procedure for submitting the annual audit report. It is not legally binding but provides general guidelines with recommendations and reflects on best practices. These guidelines are without prejudice to any national rules.
1. Introduction
Articles 15 of Directive 2014/40/EU of the European Parliament and of the Council (1) provide for the establishment of an EU-wide system of traceability for tobacco products in order to address the issue of illicit trade. The system became operational on 20 May 2019.
As part of that system Article 15(8) of Directive 2014/40/EU requires Member States to ensure that manufacturers and importers of tobacco products conclude data storage contracts with an independent third party (‘third-party provider’) for the purpose of establishing a data storage facility to host data related to tobacco products of individual manufacturers and importers (‘primary repository’).
To safeguard the independent operation of the traceability system, Article 15(8) of Directive 2014/40/EU stipulates that an external auditor shall monitor the activities of the primary repository and its third-party provider. The auditor shall be proposed and paid by the tobacco manufacturer, and be approved by the Commission. The external auditor shall submit its assessment by means of an annual report to the national competent authorities and to the Commission assessing in particular any irregularities in relation to access.
This document is intended to provide guidance to an approved auditor on the scope of the audit and the procedure for submitting the annual audit report. It should be read in conjunction with Commission Implementing Regulation (EU) 2018/574 (2), which sets out the technical requirements for the establishment and operation of the traceability system, including for primary repositories and Commission Delegated Regulation (EU) 2018/573 (3) defining the key elements of data storage contracts to be concluded as part of a traceability system.
This document is offered as a tool to assist approved auditors; these are non-binding guidelines and they do not create any new legal obligations. To the extent that these guidelines may interpret legislation, the Commission’s position is without prejudice to any interpretation of this Directive that may be issued by the Court of Justice of the European Union.
2. General context of audits
Each primary repository contracted by a manufacturer is subject to an annual audit process. Where the same third-party provider operates two or more primary repositories, a separate audit should be carried out and a separate audit report should be submitted for each repository.
An audit should be conducted in relation to a primary repository and its related services, including an assessment of whether the respective third-party provider and, if applicable, its sub-contractors comply with the relevant legislative requirements set out in Directive 2014/40/EU, Implementing Regulation (EU) 2018/574 and Delegated Regulation (EU) 2018/573.
Each manufacturer or importer must notify the Commission of the auditor it proposes to audit its primary repository and the respective third-party provider. All proposed auditors are subject to approval by the Commission.
3. Scope of audits
Scope and objective
Audit reports should be submitted in order to inform the national competent authorities and the Commission about the findings of auditors, in particular concerning any irregularities in relation to access to the data stored by primary repositories.
Audit reports should dedicate separate chapters to each of the six domains outlined below. Each chapter should address the verification points of the respective domain, as listed in the checklist provided in the Annex.
Audits should be carried out in accordance with that checklist, which sets out the required domains and verification points in line with ISO/IEC 27001:2013 on Information Security Management Systems (4). To that end, auditors should note that Article 10 of Commission Delegated Regulation (EU) 2018/573 refers to ISO/IEC 27001:2013 as the preferred information security management standard in the context of operating primary repositories.
Domain |
Objectives |
Organisational and physical security |
To establish a management framework for information security within the organisation. To ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered. To prevent unauthorised physical access, damage or interference to organisation, including information and information processing facilities. To prevent loss, damage, theft or compromise of assets and interruption to the organisation’s operations. |
Operations Security |
To ensure correct and secure operations of information processing facilities. To protect against loss of data. To record events and generate evidence. To ensure integrity of operational systems. To prevent exploitation of technical vulnerabilities. |
Access control (users and applications) |
To limit access to information and information processing facilities. To ensure authorised user access and to prevent unauthorised access to system and services. To make users accountable for safeguarding their authentication information. To prevent unauthorised access to systems and applications. To ensure that information security is designed and implemented within the development lifecycle of information systems. |
Communications security |
To ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information. To ensure the protection of information in networks and its supporting information processing facilities. To maintain the security of information transferred within the organisation and within external entities. |
Business continuity |
To ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses. Information security continuity shall be embedded in the organisation business continuity management systems. To ensure availability of information processing facilities. To avoid breaches of legal, statutory, regulatory or contractual obligations related to information security and of any security requirements. |
Assets and Data integrity |
To identify the organisational assets and define the appropriate protection responsibilities. To ensure that information receives an appropriate level of protection. To prevent unauthorised disclosure, modification, removal or destruction of information stored on media. |
Conclusions and recommendations
Conclusions of an audit should be provided for each verification point listed in the checklist.
An audit report should only highlight and elaborate findings related to non-compliance issues or other identified risks. Findings should also be accompanied by appropriate recommendations setting out the actions required to eliminate the issues and shortcomings identified during the audit.
4. Procedural aspects
Frequency
Auditors are required to submit their audit reports on an annual basis. Since the traceability system became operational on 20 May 2019, auditors are invited to submit their first annual audit reports, covering the first operational year of the traceability system (i.e. 20 May 2019 to 19 May 2020), by 30 November 2020. Thereafter, auditors are invited to submit annual reports for subsequent operational years by the end of October of each calendar year.
Audit follow-up
Where a follow-up is carried out to assess whether the concerned third-party provider has adequately implemented the recommendations of the annual audit report, the auditor, where possible, is invited to submit the results to the Commission and to the national competent authorities within three months from the submission of the annual audit report.
5. Procedural aspects of audit reports
Information on auditors
The names of the auditor(s) and, where applicable, the associated audit firm(s), should be indicated in the introduction of the audit report.
Format
The audit report should be provided in electronic format (searchable, non-protected PDF).
If possible, the auditors are invited to submit the annual reports to the Commission in English.
Submission procedure
The annual audit report and any follow up to such report, should be submitted electronically via email to SANTE-TT-SW@ec.europa.eu with the following subject: ‘Audit report [Follow-up to the audit report] for [year] – [Name of contracting manufacturer] – [Name of audited third-party provider]’
Transparency
In order to promote the overall transparency and accountability of the traceability system for tobacco products, the Commission invites the manufacturers, on a voluntary basis, to agree with their respective auditors to submit to the Commission also a public version of their audit report, excluding any personal and commercially sensitive data.
Such public versions of the audit reports would be published on Commission’s dedicated webpage.
(1) Directive 2014/40/EU of the European Parliament and of the Council of 3 April 2014 on the approximation of the laws, regulations and administrative provisions of the Member States concerning the manufacture, presentation and sale of tobacco and related products and repealing Directive 2001/37/EC (OJ L 127, 29.4.2014, p. 1).
(2) Commission Implementing Regulation (EU) 2018/574 of 15 December 2017 on technical standards for the establishment and operation of a traceability system for tobacco products (OJ L 96, 16.4.2018, p. 7).
(3) Commission Delegated Regulation (EU) 2018/573 of 15 December 2017 on key elements of data storage contracts to be concluded as part of a traceability system for tobacco products (OJ L 96, 16.4.2018, p. 1).
(4) ISO/IEC 27001:2013. Information technology – Security techniques – Information security management systems – Requirements. The requirements set out in ISO/IEC 27001:2013 are generic and are intended to be applicable to all organisations, regardless of type, size or nature.
ANNEX
Checklist for audits of primary repositories
Domain |
Verification points (1) |
Regulatory guidance |
Evidence guidance |
||||||||||||||||||||||||||
Organisational and physical security |
A.6 Organisation of Information Security
A.7 Human resource Security
A.11 Physical and Environmental security
|
On A.6 and A.11: The repository must be physically located on the territory of the EU. Data must not be stored in or transferred to a third country. (Art. 15(8) Directive 2014/40/EU) The repository must be guarded by security procedures and systems ensuring that access to the repository is only granted to competent authorities of Member States, the Commission and external auditors. On A.7: The provider of the repository, as well as any of its subcontractor(s), must be independent and exercise their functions impartially. The requirements on legal independence, financial independence, and absence of conflict of interest, apply. (Art. 35 of Implementing Regulation (EU) 2018/574) |
Organisation’s organigram in place, job descriptions signed by key personnel, attended courses of relevance for the respective roles. List of appointments (CISO, DPO, etc.), and description of responsibilities and tasks for security roles. Evidence of personnel attendance at training (e.g. accepted invitation, date and agenda of training, signed participation list during the awareness workshop, etc.). Policies/procedures for Human Resource security regularly reviewed and updated (procedures execution records). Basic implementation of physical security measures and control of the surroundings, such as door and cabinet locks, burglar alarm, fire alarms, fire extinguishers, CCTVs, etc. List of personnel with authorised access and authorisation credentials. Documented policy for physical security measures and control of the surroundings, including description of the relevant facilities and systems. Detailed inventory with hardware resources used for administration purposes. |
||||||||||||||||||||||||||
Operations Security |
A.12 Operations Security
|
On A.12.3: All repository components and services must have sufficient back-up mechanisms in place. (Art. 25(1)(i) of Implementing Regulation (EU) 2018/574) On A.12.4: The repository must contain a complete audit trail of all operations concerning the stored data and users performing related operations, including the nature of these operations and the history of user access. (Art. 25(1)(m) of Implementing Regulation (EU) 2018/574) Guidelines on evidence in relation to events and logging:
|
Maintenance security procedure properly documented and approved by senior management. Clearly defined minimum security maintenance process. List of all contracts with third parties (2). Explicit security requirements in the contracts with third parties supplying IT products, IT services, outsourced business processes, helpdesks, etc. Documented security policy for contracts with third parties Documented comments or change logs of the policy. Vendor risk assessment/management policy and/or procedure in place and maintained. Documented amendment or termination of relationships with third parties. Reports from related awareness and training exercises. Systems, tools and procedures for incident detection and analysis. Documented incident detection and analysis policy, addressing purpose, scope, roles and responsibilities and coordination among all related entities, including clients. Existence of reports related to the detection and escalation of past security incidents. Up-to-date documentation of the incident detection policy and related procedures and systems. Inventory of major past incidents detected and escalated, including all related information (cause, impact, order of actions taken). Evidence of past cyber exercises conducted, including the dates when they were conducted. |
||||||||||||||||||||||||||
Access control (users and applications) |
A.9 Access Control
A.14 System Acquisition, Development and Maintenance
|
On A.9: Access to data facilities, and the data stored therein, must be limited to Member States, the European Commission, and approved external auditors. (Art. 15(8) of Directive 2014/40/EU; Art. 25(1)(j) of Implementing Regulation (EU) 2018/574) |
Access control policy including description of roles, groups, access rights, procedures for granting and revoking the right to access the information systems. Rule definition for deleting no longer used accounts after a short period of time. Access control related matrices (e.g. control matrix for segregation of duties, remote access control, etc.). Access rights section included in access control policy/procedures. The access control policy includes a register of mapping of access rights to the relevant resources and/or processes. Tailored and documented administration accounts with specific access rights given to the relevant personnel. Documented management of administrator accounts process. Logs of administrator account activity available. Administration information systems isolated and segregated from the rest of the infrastructure for enhanced resilience. Formally documented software requirements for ensuring compatibility. |
||||||||||||||||||||||||||
Communications security |
A.10 Cryptographics
A.13 Communications security
|
On A.13: Data exchange between primary repositories and the secondary repository and router must take place in accordance with the technical specifications set out by the provider of the secondary repository. (Art. 28(1) of Implementing Regulation (EU) 2018/574) All electronic communication must be carried out using secure means. Applicable security protocols and connectivity rules must be based on non-proprietary open standards. (Art. 36(1) of Implementing Regulation (EU) 2018/574) |
Appropriate cryptographic processes exist. Safeguards to protect the secrecy of (private) key(s) are in place. System configuration policy and/or procedure in place and maintained. System configuration tables. Timetable and plan of system configuration review cycles. Documented past exercises/tests of critical information systems in place. Timetable and plan of security configuration reviews. Documentation about the implementation of the segregation of the network and system and of the data. Monitoring reports of critical network and information systems. Documented policy for monitoring procedures, including minimum monitoring requirements. Proof of existing tools for monitoring systems. |
||||||||||||||||||||||||||
Business continuity |
A.16 Information security incident Management
A.17 Information Security Aspects of Business Continuity Management
A.18 Compliance
|
On A.17: All repository components and services must meet a monthly uptime of at least 99,5 %. (Art. 25(1)(i) of Implementing Regulation (EU) 2018/574) Data portability must be secured in accordance with the applicable common data dictionary. (Art. 36(2) of Implementing Regulation (EU) 2018/574) Provider must have in place an applicable exit plan. (Art. 19 of Delegated Regulation (EU) 2018/573) On A.18.1: Data processing activities must comply with Regulation (EU) 2016/679 (the General Data Protection Regulation), and be in line with the Data Processing Agreement (DPA) established between the provider of the primary repository and the provider of the secondary repository. |
Formally documented service continuity strategy, including recovery time objectives for key services and processes. Contingency plans for critical systems, including clear steps and procedures for common threats, triggers for activation, steps and recovery time objectives. Records of individual training activities as well as post-exercise reports. Measures in place for dealing with disasters (e.g. earthquake, flooding, fire), such as failover sites in other regions, backups of critical data that need to be carried out in a remote location (geographically distinct from the data centre collecting and processing the data), at a sufficient distance to escape any damage from a disaster at the main site etc. Formally documented policy/procedures for deploying disaster recovery capabilities, including list of natural and/or major disasters that could affect the services, and a list of disaster recovery capabilities (either those available internally or provided by third parties). Records of individual training activities for personnel involved in the disaster recovery operations. |
||||||||||||||||||||||||||
Assets and Data integrity |
A.8 Asset Management
|
On A.8.1: Consider assets related with databases and repositories (i.e. database management system, database objects, database server). On A.8.2: High sensitivity. Data contains trade sensitive information. Data is used for investigations conducted by national and EU authorities. |
Documented policy/procedures for asset management, including roles, responsibilities, assets and configurations that are subject to the policy. List of centrally managed critical assets and critical system configurations managed and maintained. Software/hardware asset management formally documented and maintained. Up to date asset management policy/procedures, review comments and/or change logs. |
(1) The numbering of the verification points corresponds to the numbering in ISO/IEC 27001:2013. In case of deviations, reference should be made to the numbering used in this document.
(2) A third party is an independent entity that is involved in the functioning of a service but is not the principal one and has a lesser interest in the service provision (e.g. upstream (supplier, vendor) or downstream (distributor, reseller).