Brussels, 22.3.2022

COM(2022) 119 final

2022/0084(COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on information security in the institutions, bodies, offices and agencies of the Union

{SWD(2022) 65 final} - {SWD(2022) 66 final}


EXPLANATORY MEMORANDUM

1. CONTEXT OF THE PROPOSAL

Reasons for and objectives of the proposal

This proposal is part of the EU Security Union Strategy [1], adopted by the Commission on 24 July 2020, which lays down the Commission's commitment to bring the European Union's added value to national efforts in the area of security. Part of this engagement is the initiative to streamline the internal legal frameworks for information security in all Union institutions and bodies.

A key feature of the Strategic Agenda for 2019-2024, adopted by the European Council in June 2019, is to protect our societies from the ever-evolving threats targeting the information handled by institutions and bodies. In its conclusions [2], the European Council called in particular on ‘the EU institutions, together with the Member States, to work on measures to enhance the resilience and improve the security culture of the European Union against cyber and hybrid threats from outside the EU, and to better protect the EU’s information and communication networks, and its decision-making processes, from malicious activities of all kinds’.

In the same vein, the General Affairs Council of December 2019 [3] concluded that the EU institutions and bodies, supported by Member States, should develop and implement a comprehensive set of measures to ensure their security. This echoes a long-standing request from the Council Security Committee to investigate a common core of security rules for the Council, the Commission and the European External Action Service [4].

Currently, the Union institutions and bodies either have their own information security rules, based on their Rules of Procedure or founding act, or they have no information security rules at all. The latter is mostly the case for some small entities, which lack any formal information security policies.

Due to the ever-increasing amounts of sensitive non-classified and European Union classified information (‘EUCI’) that the Union institutions and bodies need to share between themselves, and considering the dramatic development of the threat landscape, the European administration is exposed to attacks in all its areas of activity. The information handled by our institutions and bodies is very attractive to threat actors and needs to be appropriately protected. This requires swift action to enhance its protection.

Therefore and in order to increase the protection of the information handled by the European administration, this initiative aims to streamline the different legal frameworks of the Union institutions and bodies in the field by:

- Establishing harmonised and comprehensive categories of information, as well as common handling rules for all Union institutions and bodies;

- Setting up a lean cooperation scheme on information security between Union institutions and bodies, able to foster a coherent information security culture across the European administration;

- Modernising the information security policies at all levels of classification/categorisation, for all Union institutions and bodies, taking into account the digital transformation and the development of teleworking as a structural practice.

Consistency with existing policy provisions in the policy area

This initiative is in accordance with a wide range of EU policies in the area of security and information security.

Back in 2016, the European Parliament and the Council adopted a Directive [5] concerning measures for a high common level of security of network and information systems across the Union. This Directive was the first EU-wide legislative measure meant to increase the cooperation between Member States on cybersecurity. While the Commission adopted in December 2020 a proposal for the review of this instrument, introducing supervisory measures for the national authorities, the Union administration remains outside its scope.

In the same vein, and to complement the efforts of Member States in the area of security, it is of paramount importance that the Union institutions and bodies achieve a high level of protection for their information and their related Information and Communication Systems, with a view to safeguarding information security.

In July 2020, the Commission adopted the Security Union Strategy [6], with a comprehensive commitment from the EU to complement Member States’ efforts in all areas of security. This Strategy runs from 2020 to 2025 and outlines four main pillars of action: a future-proof security environment, tackling evolving threats, protecting Europeans from terrorism and organised crime, and a strong European security ecosystem. Several of the topics addressed under these pillars focus on security of information, cybersecurity, cooperation and information exchange, and critical infrastructure.

In line with the Security Union Strategy, the European Commission proposes the creation of a minimum set of rules on information security across all the Union institutions and bodies, which will trigger mandatory and high common standards for the secure exchange of information. This initiative represents the engagement of the institutions and bodies to set within the European administration the same level of ambition in the field of security as required from the Member States.

On 16 December 2020, the Commission and the High Representative for Foreign Affairs and Security Policy presented a new EU Cybersecurity Strategy [7]. It set out priorities and key actions to build up Europe’s resilience, autonomy, leadership and operational capacity in the face of growing and complex threats to its network and information systems, and to advance a global and open cyberspace and its international partnerships. It is equally important that the Union institutions and bodies contribute to the achievement of these priorities by establishing equivalent requirements in the field of both information security and cybersecurity.

This proposal, together with the proposal for a Regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union, seeks to complete the regulatory picture of the Security Union Strategy with dedicated requirements for the European administration. In view of the interlinkages between information security and cybersecurity, a coherent approach to the protection of non-classified information should be ensured between these two proposals.

Consistency with other Union policies

This initiative also takes account of other Union policies that are relevant to information security.

In the area of data protection, Regulation (EU) 2018/1725 [8] on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data applies to the European Union and European Atomic Energy Community ('Euratom') administration. Likewise, for some Union institutions and bodies the EU legislators have adopted specific relevant rules for the protection of personal data.

In the area of transparency, this proposal builds on the principles enshrined in Regulation (EC) No 1049/2001 [9] regarding public access to European Parliament, Council and Commission documents, with respect to other relevant rules.

2. LEGAL BASIS, SUBSIDIARITY AND PROPORTIONALITY

Legal basis

Considering the objective and the content of this proposal, its most appropriate legal basis is Article 298 of the Treaty on the Functioning of the European Union (TFEU) and Article 106a of the Treaty establishing the European Atomic Energy Community.

Article 298 TFEU was introduced by the Lisbon Treaty and enables the legislators to establish provisions with a view to creating an efficient and independent administration that will support the institutions, bodies, offices and agencies in carrying out their mission.  

An efficient and independent administration relies on the security of its information. With a view to achieving their mission, the Union institutions and bodies need a secure environment for the information they handle and store on a daily basis. In addition, providing a common baseline of standards mandatory for all would guarantee a high level of security, reduce the risk of weak links, support interoperability among institutions and bodies and leverage synergies, thus enhancing the administration’s resilience in the face of evolving threats.

Furthermore, with the overall aim of achieving a high common level of security for the EUCI and non-classified information handled and stored by the Union institutions and bodies, this proposal enables the European administration to better protect itself from external interference and espionage.

Article 298 TFEU enables the Union to establish common rules for the whole of the European administration to ensure that all Union institutions and bodies treat EUCI and non-classified information similarly. As such, this Regulation lays down rules applicable to the administration and may indirectly impose obligations only on the individuals performing tasks on behalf of this administration or on a contractual basis (not including the Commissioners, the Representatives of Member States acting within the Council, the Members of the European Parliament, the Judges of the Union Courts or the Members of the European Court of Auditors).

According to Article 298 TFEU, the European Parliament and the Council shall act by means of a regulation and in accordance with the ordinary legislative procedure. 

This proposal needs an additional legal basis as it also covers the information related to some activities of the European Atomic Energy Community. Such information is not Euratom Classified Information, but it is treated by the Union institutions and bodies under the general regime of EUCI.  

This additional legal basis is Article 106a of the Treaty establishing the European Atomic Energy Community, which renders Article 298 TFEU applicable to the above-mentioned Euratom activities as well.

Subsidiarity (for non-exclusive competence)

According to the principle of subsidiarity laid down in Article 5(3) of the Treaty on European Union, action at EU level should be taken only when the aims envisaged cannot be achieved sufficiently by Member States alone and can therefore, by reason of the scale or effects of the proposed action, be better achieved by the EU. 

Since only the Union can adopt rules governing EUCI and sensitive non-classified information handled and stored by the Union institutions and bodies, the subsidiarity principle does not apply.

Proportionality

The establishment of a common baseline of information security for all Union institutions and bodies is necessary to contribute to an independent and efficient administration.

In accordance with the principle of proportionality laid down in Article 5(4) TEU, the provisions of the Regulation are not overly prescriptive and leave room for different levels of specific action, in line with the security maturity level of each Union institution and body.

Furthermore, the solution has limited impact on fundamental rights of individuals. Hence, the proposal does not go beyond what is necessary to address the problem of not having a common set of information security rules for all Union institutions and bodies.

Choice of the instrument

A regulation based on Article 298 of the TFEU is considered the appropriate legal instrument.

It is justified by the predominance of elements that require a uniform application that does not leave margins of implementation to the Union institutions and bodies and that creates a minimum horizontal framework.

3. RESULTS OF EX-POST EVALUATIONS, STAKEHOLDER CONSULTATIONS AND IMPACT ASSESSMENTS

Ex-post evaluations/fitness checks of existing legislation

Not Applicable

Stakeholder consultations

The Commission has carried out a broad consultation of the key stakeholders on various aspects related to information security rules of the Union institutions and bodies. The overall aim of the consultation activities was to collect relevant input for the preparation of a legislative initiative on information security rules common to all Union institutions and bodies. The consultations sought to collect inputs on:

- Problems related to the existing framework of information security within the Union institutions and bodies that stakeholders consider should be addressed in the initiative;

- The relevance, effectiveness, efficiency and added value of the initiative;

- The anticipated impacts of the initiative and possible other consequences for the stakeholders.

In preparation of this legislative proposal, the Commission has consulted the following categories of stakeholders:

1. Union institutions, bodies, offices and agencies;

2. National security authorities in the Member States;

3. Research experts from the JRC.

Given the particular nature of this initiative, which is exclusively applicable to the Union institutions and bodies and has little impact on European citizens and businesses, Commission services chose to prioritise the collection of viewpoints from the relevant stakeholder groups. As such, no public consultation was conducted specifically for this legislative initiative.

Over the course of the consultation process, Commission services used the following methods and forms of consultation:

1. An opportunity for all interested parties to provide feedback on the Inception Impact Assessment via the Commission’s ‘Have your say’ platform;

2. A targeted questionnaire addressed to the information security experts within the Union institutions and bodies via online EU survey;

3. A targeted questionnaire addressed to the Member States national security authorities via online EU survey;

4. A request for a tailored risk assessment of the core information security assets; and

5. Numerous meetings and exchanges with counterparts from institutions, bodies, offices and agencies, as well as from the Member States national security authorities.

As main inputs from the consultation activities, the Commission highlights the following:

- The fragmentation of the relevant legal frameworks between our institutions and bodies creates significant duplication of effort in creating and maintaining internal rules, as well as non-interoperable practices in handling information. For the Member States, the diversity of these rules increases the risks of misunderstanding, misinterpretation and non-compliance;

- While establishing a baseline of information security for all Union institutions and bodies would create an ecosystem with standardised security rules and implemented best practices, the diversity and the different business environment of each Union institution and body should be taken into account and local solutions should be allowed;

- This initiative needs to respect the autonomy and the different security maturity levels of each Union institution and body, which will remain fully responsible for their organisation of information security.

Collection and use of expertise

The Commission used its own resources to perform the stakeholders’ consultation. The Security Directorate of DG HR carried out the related work on the surveys, videoconferences and other workshops. This task involved the selection of participants, the organisation of events and the processing of the input received.

The Joint Research Centre (JRC) performed a risk assessment of the main information security assets, used as a basis for the impact analysis.

Impact assessment

This initiative is exclusively addressed to the Union institutions and bodies and has a limited impact on the Member States and individuals. Therefore, it was not necessary to perform a thorough impact assessment, as there were no clearly identifiable or significant impacts on citizens and businesses. A comprehensive Roadmap was published on the Europa website and gathered feedback from the relevant stakeholders.

Regulatory fitness and simplification

Not Applicable

Fundamental rights

The EU is committed to ensuring high standards of protection of fundamental rights. This initiative ensures full compliance with the fundamental rights as enshrined in the Charter of Fundamental Rights of the European Union [10], as follows:

The right to good administration [11]

By enhancing the security of information they handle when treating the affairs of European citizens, the Union institutions and bodies contribute to the achievement of the principle of good administration.

Protection of personal data [12]

All processing of personal data in the framework of this proposal would be conducted in trusted environments and in full respect of the Regulation (EU) 2018/1725 of the European Parliament and of the Council.

Right of access to documents [13]

Public access to EUCI and sensitive non-classified documents remains fully governed by Regulation (EC) 1049/2001 of the European Parliament and of the Council.

Right to intellectual property [14]

While handling and storing non-classified information and EUCI, the Union institutions and bodies protect intellectual property in accordance with Directive 2001/29/EC of the European Parliament and of the Council [15].

Freedom of expression and information [16]

While everybody has the freedom to receive and share information and ideas without interference by public authority, this shall not prevent the Union from establishing the conditions for accessing, handling and storing certain types of information, based on their confidentiality level.

The exercise of these freedoms may be subject to conditions and restrictions provided by law and necessary in a democratic society, in order to prevent the disclosure of information received in confidence and in the interest of EU security.

4. BUDGETARY IMPLICATIONS

This proposal requires the assignment of one AD official and one AST assistant for the permanent Secretariat of the Coordination Group which is provided by the Commission, in the Security Directorate of the Directorate-General for Human Resources and Security.

For the institutions and bodies, cost savings are expected from the shared and collaborative tasks, as well as from preventing potential economic damage resulting from security incidents, thanks to improvements in information security. On the other hand, the financial effort required for the implementation of the new legislation can be covered as part of the existing information security improvement programmes in each Union institution and body.

5. OTHER ELEMENTS

Implementation plans and monitoring, evaluation and reporting arrangements

The proposal provides for the obligation of the Commission to report every 3 years to the European Parliament and to the Council on the implementation of this Regulation, including the functioning of the governance set up by this Regulation.

Moreover, every 5 years, the Commission shall evaluate this Regulation with a view to assessing its actual performance and, on that basis, whether any modification to the legislation is necessary.

Detailed explanation of the specific provisions of the proposal

This proposal is structured around the requirements for handling and storing non-classified information and EUCI, which are the main subjects of the initiative and whose enhanced protection represents its underlying purpose.

Subject and scope (Article 1 and Article 2)

This Regulation is set to create a minimum set of information security rules applicable to all Union institutions and bodies. 

It applies to all information handled and stored by the Union institutions and bodies, including the information related to European Atomic Energy Community activities, other than Euratom Classified Information. Both non-classified information and EUCI are covered by this Regulation.

Definitions and general principles (Articles 3 to 5)

The definitions provided under Article 3 are based on the current rules on information security adopted separately by the Union institutions and bodies.  

Besides the general principles of Union legislation (transparency, proportionality, efficiency and accountability), this Regulation provides for the main binding guidelines, such as a separate information security risk management process carried out by each Union institution and body, and the assessment of their information so that it is properly categorised.

Governance and organisation of security (Articles 6 to 8)

All Union institutions and bodies shall cooperate in an Interinstitutional Information Security Coordination Group, which acts by consensus and in the common interest of the Union institutions and bodies. 

The Coordination Group gathers the Security Authorities of all institutions and bodies and establishes guidance documents on the implementation of this Regulation. It liaises regularly with the National Security Authorities of the Member States, gathered in an Information Security Committee.

Five sub-groups composed of experts representing different institutions and bodies are set up with a view to streamlining the procedures and other practical aspects related to information security.

Each Union institution and body is required to designate a Security Authority, which is responsible for defining internal policies on information security and for implementing them. The Security Authority establishes specific functions such as the Information Assurance Authority, the Information Assurance Operational Authority, the Security Accreditation Authority, the TEMPEST Authority, the Crypto Approval Authority and the Crypto Distribution Authority, which may be delegated to another institution or body for reasons of efficiency or resources.

Information assurance and communication and information systems (Articles 9 to 11)

The Regulation establishes a sub-group on information assurance with the objective of enhancing the coherence across the Union institutions and bodies between the information security rules and the cybersecurity baseline as defined by the Regulation laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.

The Union institutions and bodies are required to comply with the principles mentioned under these articles and adopt separate internal rules for specific security measures, adjusted to their own security environment.

Non-classified information (Articles 12 to 17 and Annex I)

The Regulation provides for 3 categories of non-classified information: information for public use, normal information and sensitive non-classified information. All categories are defined, while markings and handling conditions are stipulated for protecting such information. 

With a view to coordinating the work on equivalence between particular categories established by some Union institutions and bodies and common categories provided by the Regulation, the proposal sets up a sub-group on non-classified information.

EUCI (Articles 18 to 58 and Annexes II to VI)

As the most voluminous chapter of the proposal, this chapter is structured in seven sections, as follows: General provisions, Personnel security, Physical security, Management of EUCI, Protection in communication and information systems, Industrial security, and Sharing EUCI and exchanging classified information.

The section on general provisions provides for four levels of EUCI: TRES SECRET UE/EU TOP SECRET, SECRET UE/EU SECRET, CONFIDENTIEL UE/EU CONFIDENTIAL, RESTREINT UE/EU RESTRICTED and provides for an obligation of Union institutions and bodies to take the necessary security measures in accordance with the results of an information security risk management process.

Each of the remaining sections focuses on the standards of EUCI protection in its specific area. The details of this protection of EUCI are specified in Annexes II to V. Annex VI provides the table of equivalence of EUCI with the security classifications of Member States and the European Atomic Energy Community.

With the aim of streamlining the relevant processes in the field and avoiding duplication of effort, the Regulation sets up sub-groups on information assurance, on non-classified information, on physical security, on accreditation of communication and information systems handling and storing EUCI, and on EUCI sharing and exchange of classified information.

Final provisions (Articles 59 to 62)

The final provisions ensure the transition from the current rules and procedures to the new legal framework set by this Regulation. They concern the internal rules on information security currently applicable in the Union institutions and bodies, the recognition of assessment visits carried out before the start of application of the Regulation, the treatment of previously concluded administrative arrangements and the continuation of specific security frameworks applicable to grant agreements.

This Regulation is set to apply 2 years after the date of its entry into force.

2022/0084 (COD)

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on information security in the institutions, bodies, offices and agencies of the Union

THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 298 thereof,

Having regard to the Treaty establishing the European Atomic Energy Community, and in particular Article 106a thereof,

Having regard to the proposal from the European Commission,

After transmission of the draft legislative act to the national Parliaments, 

Acting in accordance with the ordinary legislative procedure,

Whereas:

(1) Union institutions and bodies currently have their own information security rules, based on their rules of procedure or their founding act, or do not have such rules at all. In that context, each Union institution and body invests significant efforts in adopting different approaches, leading to a situation where exchange of information is not always reliable. The lack of a common approach hinders the deployment of common tools building on an agreed set of rules depending on the security needs of the information to be protected.

(2) While progress has been made towards more consistent rules for the protection of European Union classified information (‘EUCI’) and non-classified information, the interoperability of the relevant systems remains limited, preventing a seamless transfer of information between the different Union institutions and bodies. Further efforts should therefore be made to enable an interinstitutional approach to the sharing of EUCI and sensitive non-classified information, with common categories of information and common key handling principles. A baseline should also be envisaged to simplify procedures for sharing EUCI and sensitive non-classified information between Union institutions and bodies and with Member States.

(3) Therefore, relevant rules ensuring a common level of information security in all Union institutions and bodies should be laid down. They should constitute a comprehensive and coherent general framework for protecting EUCI and non-classified information, and should ensure equivalence of basic principles and minimum standards.

(4) The recent pandemic caused a significant change in working practices, with remote communication tools becoming the rule. Therefore, many procedures that were still at least partly paper-based were rapidly adjusted to enable electronic processing and exchanges of information. These developments require changes in the handling and protection of information. This Regulation takes account of the new working practices.

(5) By creating a minimum common level of protection for EUCI and non-classified information, this Regulation contributes to ensuring that the Union institutions and bodies have the support of an efficient and independent administration in carrying out their missions. At the same time, each Union institution and body retains its autonomy in determining how to implement the rules laid down in this Regulation, in line with its own security needs. This Regulation shall in no case prevent Union institutions and bodies from fulfilling their mission, as entrusted by the EU legislation, or encroach on their institutional autonomy.

(6) This Regulation is without prejudice to Regulation (Euratom) No 3/1958 [17], Regulation No 31 (EEC), 11 (EAEC), laying down the Staff Regulations of Officials and the Conditions of Employment of other servants of the European Economic Community and the European Atomic Energy Community [18], Regulation (EC) 1049/2001 of the European Parliament and of the Council [19], Regulation (EU) 2018/1725 of the European Parliament and of the Council [20], Council Regulation (EEC, EURATOM) No 354/83 [21], Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council [22], Regulation (EU) 2021/697 of the European Parliament and of the Council [23], and Regulation (EU) [...] of the European Parliament and of the Council [24] laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.

(7) In order to preserve the specific nature of the European Atomic Energy Community activities regulated by Regulation 3/1958 of the Council of the European Atomic Energy Community [25], this Regulation should not apply to Euratom Classified Information. However, all information related to other Euratom activities not covered by Regulation 3/1958 should fall within the scope of this Regulation.

(8) With a view to establishing a formal structure for cooperation between Union institutions and bodies in the field of information security, it is necessary to set up an Interinstitutional Coordination Group (the ‘Coordination Group’) in which all Union institutions’ and bodies’ Security Authorities are represented. Without having decision-making powers, the Coordination Group should enhance the coherence of policies in the field of information security and should contribute to the harmonisation of the information security procedures and tools across the Union institutions and bodies.

(9) The Coordination Group’s work needs the support of experts in different areas of information security: categorisation and marking, communication and information systems, accreditation, physical security, and sharing EUCI and exchanging classified information. In order to prevent duplication of effort across the Union institutions and bodies, thematic sub-groups should therefore be established. Moreover, where needed, the Coordination Group should be able to set up other sub-groups with specific tasks.

(10) The Coordination Group should closely cooperate with the National Security Authorities of the Member States with a view to enhancing information security in the Union. An Information Security Committee of the Member States should therefore be set up to provide advice to the Coordination Group.

(11) While the common bodies representing all Union institutions and bodies are set up based on the cooperation principle, each institution and body should remain fully responsible for the security of information within its organisation. Each Union institution and body should have a Security Authority and, where necessary, other authorities in charge of specific responsibilities related to information security.

(12) The principle of information security risk management should be at the core of the policy to be developed in the field by each Union institution and body. While the minimum requirements laid down in this Regulation must be met, each Union institution and body should adopt specific security measures for protecting information in accordance with the results of an internal risk assessment. In the same way, the technical means to protect the information should be adapted to the specific situation of each institution and body.

(13)Given the diversity of categories of non-classified information that the Union institutions and bodies have developed based on their own information security rules, and in order to avoid delay in the implementation of this Regulation, Union institutions or bodies should be able to maintain their own marking system for internal purposes or in the exchange of information with their particular counterparts from other institutions and bodies or from the Member States.

(14)With the purpose of adjusting to the new teleworking practices, the networks used for connecting to the Union institution’s or body’s remote access services should be protected by adequate security measures.

(15)Since Union institutions and bodies frequently make use of contractors and outsourcing, it is important to establish common provisions relating to contractors’ personnel carrying out tasks related to information security.

(16)The substantive rules regarding access to EUCI in the internal rules of various Union institutions and bodies are currently aligned, but there are significant differences as regards denominations and required procedures. This creates a burden for the National Security Authorities of the Member States who need to adjust to different requirements. Thus it is necessary to provide for a common glossary and common procedures in the area of personnel security, thereby simplifying cooperation with the National Security Authorities of the Member States and limiting the risk of compromising EUCI.

(17)Given the disparity of resources amongst Union institutions and bodies and in order to streamline their relevant procedures and practices, the security clearance tasks can be entrusted to the Commission in order to provide a continuation of a long-standing practice in the field of security clearance and contribute to the centralisation of the tasks assigned to each Security Authority.

(18)The protection of EUCI is also ensured by technical and organisational measures which apply to the premises, buildings, rooms, offices or facilities of the Union institutions and bodies where EUCI is discussed, handled or stored. This Regulation provides for the implementation of an information security management process in the area of physical security which would allow Union institutions and bodies to select the appropriate security measures for their sites.

(19)All Union institutions and bodies handling and storing EUCI should establish physically protected areas in their sites, in order to ensure the same level of protection for the relevant levels of EUCI classification handled and stored within. Those areas should be designated as Administrative Areas and Secured Areas and respect common minimum standards for the protection of EUCI.

(20)Originator control is an important principle in EUCI management; it therefore needs to be clearly stipulated and developed. In that regard, the creation of EUCI confers on the originator a responsibility which should cover the entire life cycle of the relevant EUCI document.

(21)Union institutions and bodies have traditionally developed their communication and information systems autonomously, with insufficient attention to their interoperability across all Union institutions and bodies. It is therefore necessary to establish minimum security requirements concerning the Communication and Information Systems (CISs) handling and storing both EUCI and non-classified information, with the aim of guaranteeing a seamless exchange of information with the relevant stakeholders.

(22)With the objective of achieving a single standard of accreditation of CISs handling and storing EUCI, the Union institutions and bodies should work together in a group set up for that purpose. It is recommended that all of them use that standard in order to contribute to a general level of EUCI protection. However, as regards organisational autonomy, the decision remains with the competent authority of each institution or body.

(23)All Union institutions and bodies should follow the same procedures and apply the same measures when awarding and implementing classified contracts or grant agreements. Thus it is necessary to clearly stipulate both the mandatory and the optional elements of classified contracts and grant agreements. However, the measures for the protection of EUCI in relation to classified contracts and grant agreements should take into account the rules already developed separately in the area by the Union institutions and bodies together with the Member States.

(24)The close cooperation between Union institutions and bodies, as well as the multitude of synergies developed among them, involve the sharing of a large amount of information. For the sake of the security of classified information, the trustworthiness of a Union institution or body should be assessed before it handles and stores a specified level of EUCI.

(25)Furthermore, the sharing of EUCI between the Union institutions and bodies and the exchange of classified information with international organisations and third countries should also be regulated by appropriate security measures for the protection of that information. Where agreements on security of information are envisaged, the provisions of Article 218 of the Treaty should apply. 

(26)While the agreements on security of information are meant to ensure the overall legal framework for the exchange of classified information of the Union with third countries and international organisations, it is also necessary to provide for the possibility of Union institutions and bodies to enter into administrative arrangements with a specific counterpart of a third country or of an international organisation for the purpose of exchanging EUCI.

(27)This Regulation establishes a framework common to all Union institutions and bodies. In order to avoid imposing an excessive administrative burden on the Union institutions and bodies in the process of adapting their internal security rules to the rules laid down in this Regulation, this Regulation should apply from 2 years after its entry into force.

(28)In accordance with paragraphs 22 and 23 of the Interinstitutional Agreement of 13 April 2016 on Better Law-Making, the Commission should evaluate this Regulation in order to assess its actual effects and the need for any further action. The Commission should submit to the European Parliament and to the Council a report on the implementation of this Regulation, at the latest 3 years from the date of application.

(29)The European Data Protection Supervisor was consulted in accordance with Article 42 of Regulation (EU) 2018/1725 of the European Parliament and of the Council and delivered an opinion on ...

HAVE ADOPTED THIS REGULATION:

Chapter 1
General provisions

Article 1

Subject matter 

1.This Regulation lays down information security rules for all Union institutions and bodies.

Article 2

Scope

1.This Regulation shall apply to all information handled and stored by the Union institutions and bodies, including information related to activities of the European Atomic Energy Community, other than Euratom Classified Information.

2.It shall apply to the following confidentiality levels of information:

(a)three levels of non-classified information: public use, normal and sensitive non-classified;

(b)four levels of EU classified information: RESTREINT UE/EU RESTRICTED, CONFIDENTIEL UE/EU CONFIDENTIAL, SECRET UE/EU SECRET, TRÈS SECRET UE/EU TOP SECRET.

3.These levels are based on the damage that unauthorised disclosure may cause to the legitimate private and public interests, including those of the Union, Union institutions and bodies and Member States or other stakeholders, so that the appropriate protective measures can be applied.

Article 3

Definitions

For the purpose of this Regulation, the following definitions apply:

(a)‘information’ means any data in oral, visual, electronic, magnetic, or physical form, or in the form of material, equipment or technology and includes reproductions, translations and material in the process of development;

(b)‘information security’ means ensuring the authenticity, availability, confidentiality, integrity and non-repudiation of information;

(c)‘handling’ of information means all possible actions to which the information can be subject throughout its life cycle; it comprises its creation, collection, registration, assignment of a confidentiality level, processing, display, consultation, carriage, transmission, downgrading, declassification, archiving and destruction;

(d)‘storing’ means the act of keeping information on any medium to ensure its availability for future use;

(e)‘Union institutions and bodies’ means the Union institutions, bodies, offices and agencies set up by, or on the basis of, the Treaty on European Union, the Treaty on the functioning of European Union, the Treaty establishing the European Atomic Energy Community or a legislative act;

(f)‘Euratom classified information’ means information within the meaning of Regulation No 3/1958 of the Council of the European Atomic Energy Community;

(g)‘Security Authority’ means the security function of each Union institution and body, designated in accordance with its rules of procedure or founding act;

(h)‘information security risk management process’ means the entire process of identifying, controlling and minimising uncertain events that may affect the security of an organisation or of the systems it uses; it covers the entirety of risk-related activities, including assessment, treatment, acceptance and communication;

(i)‘asset’ means anything that is of value to a Union institution or body, its operations and their continuity, including information resources that support their mission;

(j)‘security operating procedures’ means a set of documented procedures, as referred to in Annex III, for the operation of a Secured Area, a communication and information system or other security-related asset or service to ensure its effectiveness;

(k)‘communication and information system’ or ‘CIS’ means any system enabling the handling and the storage of information in electronic form, including all assets required for its operation;

(l)‘information assurance’ means the certainty that the communication and information systems will protect the information they handle and store and will function as they need to, when they need to, under the control of legitimate users, while ensuring appropriate levels of authenticity, availability, confidentiality, integrity and non-repudiation;

(m)‘accreditation’ means the formal authorisation from the Security Accreditation Authority for a communication and information system to process, or a Secured Area to store, a pre-defined level of EUCI;

(n)‘accreditation process’ means the steps and tasks required prior to accreditation;

(o)‘TEMPEST security measures’ means measures to protect any CIS handling and storing information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher against compromise of such information through unintentional electromagnetic emanations;

(p)‘CERT-EU’ means the Cybersecurity Centre for the Union institutions and bodies within the meaning of Regulation (EU) [...] of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union;

(q)‘information security incident’ means any event potentially compromising the authenticity, availability, confidentiality, integrity or non-repudiation of stored, transmitted or processed information;

(r)‘need-to-know’ means the necessity for an individual to access specified information handled or stored by a Union institution or body in order to fulfil the tasks of that particular Union institution or body;

(s)‘zero trust’ means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement of the existence of threats inside and outside traditional network boundaries;

(t)‘marking’ means a label that is applied to information to ensure that the appropriate security measures are applied;

(u)‘security marking’ means a marking indicating the level of confidentiality of the information;

(v)‘distribution marking’ means a marking indicating the intended addressees of information within the originating Union institution or body;

(w)‘releasability marking’ means a marking indicating the permitted addressees outside the originating Union institution or body;

(x)‘system owner’ means the individual responsible for the overall procurement, development, integration, modification, operation, maintenance and retirement of a communication and information system;

(y)‘threat to information security’ means an event or agent that can reasonably be expected to adversely affect information security if not responded to and controlled;

(z)‘vulnerability’ means a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited by one or more threats;

(aa)‘risk’ means the potential adverse effect of a given threat, possibly exploiting internal and external vulnerabilities of a Union institution or body or of the systems it uses, causing harm to the legitimate public and private interests, measured as a combination of the likelihood of threats occurring and their impact;

(ab)‘residual risk’ means the risk which remains after security measures have been implemented;

(ac)‘risk assessment’ means identifying threats and vulnerabilities and conducting the related risk analysis, that is to say the analysis of probability and impact;

(ad)‘risk treatment’ means mitigating, removing, reducing (through an appropriate combination of technical, physical, organisational or procedural measures), transferring or monitoring the risk;

(ae)‘European cybersecurity certificate’ means a certificate within the meaning of Article 2(11) of Regulation (EU) 2019/881;

(af)‘holder’ means a duly authorised individual with an established need-to-know who is in possession of an item of information requiring protection and accordingly responsible for protecting it;

(ag)‘material’ means any document, data carrier or item of machinery or equipment, either manufactured or in the process of manufacture;

(ah)‘European Union classified information’ or ‘EUCI’ means any information or material designated by an EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the Union or of one or more of the Member States;

(ai)‘authorisation to access EUCI’ means a decision by a Security Authority that an official, other servant or seconded national expert of a Union institution or body may be granted access to EUCI up to a specified level for a set period of time;

(aj)‘National Security Authority’ or ‘NSA’ means a government authority of a Member State with ultimate responsibility for the security of classified information in that Member State;

(ak)‘Designated Security Authority’ or ‘DSA’ means an authority of a Member State (NSA or any other competent authority) which is responsible for providing direction and assistance in the implementation of industrial security or in clearances procedures, or both;

(al)‘security investigation’ means the investigative procedures conducted by the competent authority of a Member State in accordance with its national law and regulations in order to obtain an assurance that nothing adverse is known which would prevent an individual from being granted a security clearance up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or higher);

(am)‘physical security’ means the application of physical, technical and organisational measures to premises, buildings, rooms, offices or facilities of a Union institution or body that require protection against unauthorised access to information that is handled, stored or discussed therein;

(an)‘sites’ means the premises, buildings, rooms, offices or facilities of a Union institution or body;

(ao)‘defence in depth’ means a type of security which uses several independent layers of security controls to ensure that where one fails another will be operative;

(ap)‘cryptographic (crypto) material’ means cryptographic algorithms, cryptographic hardware and software modules, and products including implementation details and associated documentation and keying material;

(aq)‘cryptographic product’ means a product whose primary and main functionality is the provision of security services (authenticity, availability, confidentiality, integrity and non-repudiation) through one or more cryptographic mechanisms;

(ar)‘originator’ means the Union institution or body, Member State, third country or international organisation under whose authority classified information has been created or introduced into the Union’s structures;

(as)‘document’ means any content, whatever its medium (paper, electronic, magnetic or other), in written form or visual or audiovisual recording;

(at)‘registration for security purposes’ means the application of procedures which record the life-cycle of material, including its dissemination and destruction;

(au)‘declassification’ means the removal of any security classification;

(av)‘downgrading’ means a reduction in the level of security classification;

(aw)‘classified contract’ means a framework contract or a contract, as referred to in Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council, entered into by a Union institution or body, with a contractor for the supply of movable or immovable assets, the execution of works or the provision of services, the performance of which requires or involves the handling, including creation, or storing of EUCI;

(ax)‘classified grant agreement’ means an agreement whereby a Union institution or body awards a grant, as referred to in Title VIII of Regulation (EU, Euratom) 2018/1046, the performance of which requires or involves the handling, including creation, or storing of EUCI;

(ay)‘classified subcontract’ means a contract entered into by a contractor or beneficiary of a Union institution or body, with a subcontractor for the supply of movable or immovable assets, the execution of works or the provision of services, the performance of which requires or involves the handling, including creation, or storing of EUCI;

(az)‘Programme or Project Security Instruction’ or ‘PSI’ means a list of security procedures which are applied to a specific programme or project in order to standardise security procedures;

(ba)‘Security Aspects Letter’ or ‘SAL’ means a set of special contractual conditions, issued by the contracting or granting authority, which forms an integral part of any classified contract or grant agreement involving access to or the creation of EUCI, that identifies the security requirements and those elements of the contract or grant requiring security protection;

(bb)‘Security Classification Guide’ or ‘SCG’ means a document which describes the elements of a programme, project, contract or grant agreement which are classified, specifying the applicable security classification levels.

Article 4

General principles 

1.Each Union institution and body shall be responsible for the implementation of the provisions of this Regulation within its organisation taking account of its own information security risk management process.

2.Non-compliance with this Regulation, in particular the unauthorised disclosure of information with the confidentiality levels referred to in Article 2(2), except information for public use, shall be subject to investigation and may trigger personnel liability in accordance with the Treaties or with their relevant staff rules.

3.Union institutions and bodies shall assess all information they handle and store in order to categorise it in accordance with the confidentiality levels referred to in Article 2(2).

4.Union institutions and bodies shall determine the security needs of all information they handle and store considering the following aspects: 

(a)authenticity: the guarantee that information is genuine and from bona fide sources;

(b)availability: accessibility and usability upon request by an authorised entity;

(c)confidentiality: non-disclosure of information to unauthorised individuals, entities, or processes;

(d)integrity: the fact that the information is complete and that its content is unaltered;

(e)non-repudiation: the ability to prove an action or event has taken place, so that that event or action cannot subsequently be denied.

5.For each communication and information system under their responsibility, the Union institutions and bodies shall identify the highest confidentiality level that such communication and information system can handle and store, carry out an information security risk assessment and regularly monitor the security needs and the correct implementation of the identified protective measures.

6.All Union institutions and bodies shall provide training and awareness activities on how to handle and store non-classified information and EUCI. 

Union institutions and bodies handling and storing EUCI shall organise mandatory training at least once every 5 years for all individuals authorised to access EUCI. The Union institutions and bodies concerned shall organise specific training for the specific functions entrusted with information security tasks.

A Union institution or body may coordinate such training and awareness activities with other Union institutions and bodies.

Article 5

Information security risk management process

1.Each Union institution and body shall establish an information security risk management process for the protection of the information they handle and store.

2.The information security risk management process shall include the following steps:

(a)threat and vulnerability identification;

(b)risk assessment;

(c)risk treatment;

(d)risk acceptance;

(e)risk communication.

3.The information security risk management process shall take account of all factors relevant for the institution or body concerned, in particular:

(a)the confidentiality level of the information and the related legal obligations;

(b)the form and the quantity of the information and the facilities or CISs where the information is handled and stored;

(c)the persons accessing the information on sites or remotely;

(d)the surrounding environment and the structure of the buildings or areas storing the information;

(e)the threats targeting the Union, the Union institutions and bodies or the Member States from cyberattacks, supply chain attacks, espionage, sabotage, terrorist, subversive or other criminal activities;

(f)business continuity and disaster recovery;

(g)the results of inspections, audits or assessment visits, where applicable.

Chapter 2
Governance and organisation of security

Article 6

Interinstitutional Information Security Coordination Group

1.An Interinstitutional Information Security Coordination Group (the ‘Coordination Group’) is established.

It shall be composed of all Security Authorities of the Union institutions and bodies, and shall have a mandate to define their common policy in the field of information security.

2.Acting by consent and in the common interest of all Union institutions and bodies, the Coordination Group shall:

(a)adopt its rules of procedures and annual common objectives and priorities;

(b)adopt decisions on the establishment of thematic sub-groups and their terms of reference;

(c)establish guidance documents on the implementation of this Regulation, in cooperation with the Interinstitutional Cybersecurity Board referred to in Article 9 of the Regulation EU [...] laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union, where appropriate; 

(d)set up dedicated platforms for sharing best practices and knowledge on common topics relevant to information security as well as for providing assistance in case of information security incidents;

(e)ensure that security measures are coordinated as necessary with the competent National Security Authorities for the purpose of protecting EUCI.

3.The Coordination Group shall designate a chairperson and two vice chairpersons from among its members, for a period of 3 years.

4.The Coordination Group shall meet at least once a year at the initiative of its chairperson or at the request of a Union institution or body.

5.The Coordination Group shall have the administrative support of a permanent secretariat provided by the Commission.

6.Each Union institution or body shall be appropriately represented in the Coordination Group and where applicable, in the thematic sub-groups.

7.Union institutions and bodies shall bring to the attention of the Coordination Group any significant information security policy development within their organisation.

8.In the performance of the tasks referred to in paragraph 2, point (e), the Coordination Group shall be assisted by an Information Security Committee. That Committee shall be composed of one representative from each National Security Authority and shall be chaired by the Secretariat of the Coordination Group, referred to in paragraph 5. The Information Security Committee shall have an advisory role.

Article 7

Thematic sub-groups

1.The Coordination Group shall set up the following permanent thematic sub-groups to facilitate the implementation of this Regulation:

(a)a sub-group on information assurance;

(b)a sub-group on non-classified information;

(c)a sub-group on physical security;

(d)a sub-group on accreditation of communication and information systems handling and storing EUCI;

(e)a sub-group on EUCI sharing and exchange of classified information.

2.Where necessary, the Coordination Group may set up ad-hoc sub-groups for a specific task and for a limited duration.

3.Except where otherwise provided in their terms of reference, the sub-groups shall be based on open membership representing the Union institution or body concerned. The members of the sub-groups shall be experts in the respective field of competence.

4.The Secretariat of the Coordination Group, referred to in Article 5(5), shall support the work of all sub-groups and ensure the communication between its members.

Article 8

Organisation of security

1.Each Union institution and body shall designate a Security Authority to assume the responsibilities assigned by this Regulation and, where applicable, by its internal security rules. In performing its tasks, each Security Authority shall have the support of the department or officer entrusted with Information Security tasks.

2.Where necessary, the Security Authority of each Union institution and body shall adopt internal implementing rules for the protection of information, in accordance with their specific mission, as entrusted by EU law, and based on their institutional autonomy.

3.Where relevant, each Security Authority shall also assume the following functions:

(a)Information Assurance Authority in charge of developing information assurance security policies and security guidelines and monitoring their effectiveness and pertinence;

(b)Information Assurance Operational Authority responsible for developing security documentation, in particular the Security Operating Procedures and the crypto plan within the communication and information systems accreditation process;

(c)Security Accreditation Authority in charge of accrediting Secured Areas and CIS handling and storing EUCI;

(d)TEMPEST Authority responsible for approving the measures taken to protect against compromise of EUCI through unintentional electronic emanations;

(e)Crypto Approval Authority responsible for approving the use of encryption technologies based on a request from the system owner;

(f)Crypto Distribution Authority responsible for distributing cryptographic materials used for protecting EUCI (encryption equipment, cryptographic keys, certificates, and related authenticators) to the users concerned.

4.The responsibilities of one or more of the functions referred to in paragraph 3 may be delegated to another Union institution or body whenever decentralised delivery of security offers significant efficiency, resource or time savings.

Chapter 3
Information assurance and communication and information systems (CISs)

Article 9

Principles of information assurance

1.The assessment of the information security needs shall be taken into account from the start of the creation or at the procurement stage as regards all CISs including in-house, outsourced and hybrid CISs.

2.Any CIS that handles and stores EUCI shall be accredited in accordance with Chapter 5, Section 5. Any CIS that handles and stores sensitive non-classified information shall comply with the minimum requirements for sensitive non-classified information in CISs set out in Chapter 4.

Article 10

Sub-group on information assurance

1.The sub-group on information assurance, as referred to in Article 7(1) point (a), shall have the following roles and responsibilities:

(a)providing guidance and best practices on the marking, handling and storing of information in CISs in close cooperation with the Interinstitutional Cybersecurity Board referred to in Article 9 of Regulation EU [XXX] laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union;

(b)establishing a metadata scheme for markings and all necessary technical information to contribute to an interoperable and seamless exchange of information across Union institutions and bodies, when interconnecting their respective CISs;

(c)contributing to the coherence between the information security rules and the cybersecurity baseline across all Union institutions and bodies, referred to in Article 5 of Regulation EU [XXX] laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.

Article 11

Requirements for communication and information systems

1.Union institutions and bodies shall inform users about the confidentiality levels of information that can be handled and stored in a CIS. Where a CIS handles and stores multiple confidentiality levels, metadata and visual markings shall be used to ensure that the different levels can be distinguished.

2.Union institutions and bodies shall identify CIS users before granting them access to any confidentiality level other than public use. Users shall be authenticated at a level of assurance that is appropriate to the confidentiality level. Where appropriate, a secure common identification scheme shall be used.

3.Adequate security logs shall be maintained for all CISs to ensure swift investigations in the event of breaches or leaks of information. Such logs shall be maintained for a duration established in the business impact assessment or in the relevant security policies, in a non-repudiable manner. 

Where a CIS handles and stores EUCI, logs related to need-to-know and access to information shall be maintained until the information is declassified. Security logs shall be searchable and accessible by the Security Authority.

4.Union institutions and bodies shall adopt internal rules on the security of CISs to specify the appropriate security measures in accordance with the security needs of the information to be handled and stored, and taking into account the jurisdictions in which the information is stored, transmitted to and handled. Where applicable, those measures shall include the following:

(a)restrictions on the geographical location;

(b)consideration of potential conflicts of interest, boycotts or penalties relating to contractors;

(c)contractual provisions to ensure the security of information;

(d)encryption of information at rest and in transit;

(e)restrictions on the accessibility of Union institutions and bodies’ information by contractor personnel;

(f)protection of personal data in accordance with the applicable data protection legislation. 

5.The Union institutions and bodies shall manage their CISs in compliance with the following principles:  

(a)each CIS shall have a system owner or an Information Assurance Operational Authority responsible for its security;

(b)an information security risk management process shall be conducted for each CIS;

(c)the security requirements and security operating procedures shall be formally defined, implemented, checked and reviewed;

(d)information security incidents shall be formally recorded and followed up, in accordance with Regulation EU [XXX] laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.

Chapter 4
Non-classified information

Article 12

Information for public use

1.Information intended for public use or official publication or already disclosed, which can be shared without restrictions inside or outside the Union institutions and bodies, shall be categorised and handled and stored as information for public use.

2.Union institutions and bodies may mark with ‘PUBLIC USE’ the information referred to in paragraph 1.

3.All Union institutions and bodies shall ensure the integrity and availability of information for public use by appropriate measures based on its security needs.

Article 13

Normal information

1.Information intended for use by a Union institution or body in the execution of its functions which is neither sensitive non-classified nor for public use shall be categorised, handled and stored as normal information. This category covers all normal working level information processed in the Union institution or body concerned.

2.Normal information may be marked visually or in metadata where necessary to ensure its protection, particularly where shared outside Union institutions and bodies. The marking ‘EU NORMAL’ or the ‘name or acronym of the Union institution or body NORMAL’ (adjusted on a case-by-case basis) shall be used in that case.

3.Union institutions and bodies shall define standard protective measures for normal information taking into account guidance from the sub-group on non-classified information and any specific risks related to their tasks and activities.

4.Normal information shall be exchanged outside Union institutions and bodies only with natural or legal persons having a need-to-know.

Article 14

Sensitive non-classified information

1.Union institutions and bodies shall categorise, handle and store as sensitive non-classified all information that is not classified but which they must protect due to legal obligations or because of the harm that may be caused by its unauthorised disclosure to legitimate private and public interests, including those of the Union institutions and bodies, Member States or individuals.

2.Each Union institution and body shall identify sensitive non-classified information by a visible security marking and shall define corresponding handling instructions in accordance with Annex I.

3.Union institutions and bodies shall protect sensitive non-classified information by applying appropriate measures in respect of its handling and storage. Such information may only be made available inside Union institutions and bodies to individuals with a need-to-know for the fulfilment of their assigned tasks.

4.Sensitive non-classified information shall be exchanged outside Union institutions and bodies only with natural and legal persons that have a need-to-know while respecting the handling instructions accompanying the information. All parties involved shall be made aware of the appropriate handling instructions.

Article 15

Protection of non-classified information and interoperability

1.Union institutions and bodies shall establish procedures for the reporting and management of any incident or suspected incident that could lead to a compromise of the security of non-classified information.

2.Where required, Union institutions and bodies shall use the markings provided for in Articles 12, 13 and 14. Exceptionally, other equivalent markings may be used internally and in relation with their particular counterparts from other Union institutions and bodies or from the Member States, when all parties agree. Such exception shall be notified to the sub-group on non-classified information, as referred to in Article 7(1), point (b).

3.Contractual safeguards shall be established to ensure the protection of normal and sensitive non-classified information processed by outsourced services. The safeguards shall be designed to guarantee at least an equivalent level of protection to that provided by this Regulation, and shall include confidentiality and non-disclosure undertakings to be signed by all relevant service providers involved in the provision of the outsourced systems.

Article 16

Sub-group on non-classified information 

1.The sub-group on non-classified information referred to in Article 7(1), point (b), shall have the following roles and responsibilities:

(a)streamlining the procedures relating to handling and storing the non-classified information and preparing the relevant guidance;

(b)coordinating with the sub-group on information assurance referred to in Article 7(1), point (a), on matters related to systems handling and storing non-classified information;

(c)preparing handling instructions for the different confidentiality levels of non-classified information;

(d)assisting Union institutions and bodies in establishing the equivalence between their particular categories of non-classified information and those provided for in Articles 12, 13 and 14;

(e)facilitating the sharing of non-classified information between Union institutions and bodies, by providing assistance and guidance.

Article 17

Handling and storing of sensitive non-classified information in CISs

1.Union institutions and bodies shall ensure that CISs meet the following minimum requirements when handling and storing sensitive non-classified information:

(a)strong authentication shall be implemented to access sensitive non-classified ('SNC') information, and SNC information shall be encrypted in transmission and in storage;

(b)encryption keys used for storage shall be under the responsibility of the Union institution or body responsible for the operation of the CIS;

(c)SNC information shall be stored and processed in the Union;

(d)contractual provisions covering security of staff, assets and information shall be included in any outsourcing contracts;

(e)interoperable metadata shall be used to record the confidentiality level of electronic documents and to facilitate the automation of security measures;

(f)measures to prevent and detect data leaks shall be implemented by the Union institutions and bodies to protect sensitive non-classified information;

(g)security equipment bearing a European cybersecurity certificate shall be used, where available;

(h)implementation of security measures based on the principles of need-to-know and zero trust to minimise access to sensitive non-classified information by service providers and contractors.

2.Any derogation from the minimum requirements set out in paragraph 1 shall be subject to approval by the appropriate level of management of the Union institution or body concerned, on the basis of a risk assessment covering the legal and technical risks to the security of the sensitive non-classified information.

3.The Information Assurance Authority of the Union institution or body concerned may check compliance with the principles set out in paragraph 1 at any time during the lifecycle of a CIS.
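The following is an added illustration, not part of the text of the Regulation, of how a CIS can tie the requirements of Article 11(2) and (3) and Article 17(1)(a) and (e) together: the confidentiality marking carried as interoperable metadata selects the minimum authentication assurance and whether a need-to-know check applies, and every decision is written to a hash-chained, HMAC-authenticated log so that later alteration or removal of an entry is detectable. The marking names, the assurance scale, the `need_to_know` metadata field and the sample users and documents are assumptions constructed for the example. The logging key stands in for the key that Article 17(1)(b) places under the responsibility of the institution operating the CIS.

```python
"""Metadata-driven access decisions with a tamper-evident security log.

Added example (not from the Regulation). Assumed: a metadata field
'confidentiality' holding one of the markings below, an optional
'need_to_know' list of groups, and an integer authentication assurance
per user session (0 = none, 1 = single-factor, 2 = strong/MFA).
"""
import hashlib
import hmac
import json
from copy import deepcopy

# Assumed mapping from marking to the minimum assurance the CIS must have
# established before the information is shown (Article 11(2), 17(1)(a)).
ASSURANCE_REQUIRED = {"PUBLIC USE": 0, "EU NORMAL": 1, "EU SENSITIVE": 2}
ASSURANCE_NAMES = {0: "none", 1: "single-factor", 2: "strong (MFA)"}


def decide(user, doc):
    """Return (allowed, reason) for a user dict and a document dict."""
    level = doc["metadata"]["confidentiality"]
    if level not in ASSURANCE_REQUIRED:
        return False, f"unknown marking {level!r}: fail closed"
    needed = ASSURANCE_REQUIRED[level]
    if user["assurance"] < needed:
        return False, f"{level} requires {ASSURANCE_NAMES[needed]} authentication"
    # Need-to-know applies to everything except information for public use.
    ntk = set(doc["metadata"].get("need_to_know", []))
    if level != "PUBLIC USE" and not ntk & set(user["groups"]):
        return False, "no need-to-know"
    return True, "granted"


class SecurityLog:
    """Hash-chained log: each entry's MAC covers the previous MAC and its
    own payload under a key held by the operating institution."""
    GENESIS = "0" * 64

    def __init__(self, key):
        self._key = key
        self.entries = []

    def _mac(self, prev, payload):
        msg = prev.encode() + b"\n" + json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, payload):
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        entry = {"seq": len(self.entries), "prev": prev, "payload": payload,
                 "mac": self._mac(prev, payload)}
        self.entries.append(entry)
        return entry

    def verify(self):
        """Return (True, count) or (False, seq of the first bad entry).
        Removal of the newest entries is only detectable by comparing the
        last MAC with a copy stored outside the CIS (assumed, not shown)."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev or not hmac.compare_digest(
                    e["mac"], self._mac(prev, e["payload"])):
                return False, i
            prev = e["mac"]
        return True, len(self.entries)


def access(user, doc, log):
    """Decide and record the decision, whether granted or refused."""
    allowed, reason = decide(user, doc)
    log.append({"uid": user["uid"], "doc": doc["id"],
                "level": doc["metadata"]["confidentiality"],
                "assurance": user["assurance"], "allowed": allowed,
                "reason": reason})
    return allowed


def demo():
    """Constructed users and documents; returns decisions and log checks."""
    key = b"constructed per-CIS logging key held by the operating institution"
    log = SecurityLog(key)
    docs = [
        {"id": "D-1", "metadata": {"confidentiality": "PUBLIC USE"}},
        {"id": "D-2", "metadata": {"confidentiality": "EU NORMAL",
                                   "need_to_know": ["unit-a"]}},
        {"id": "D-3", "metadata": {"confidentiality": "EU SENSITIVE",
                                   "need_to_know": ["unit-a"]}},
    ]
    alice = {"uid": "alice", "assurance": 1, "groups": ["unit-a"]}  # password only
    bob = {"uid": "bob", "assurance": 2, "groups": ["unit-b"]}      # MFA, other unit
    decisions = {(u["uid"], d["id"]): access(u, d, log)
                 for u in (alice, bob) for d in docs}
    intact = log.verify()
    # An administrator rewriting a refused access as granted is detected.
    tampered = deepcopy(log)
    tampered.entries[2]["payload"]["allowed"] = True
    return decisions, intact, tampered.verify()
```

Unknown markings fail closed, refusals are logged as well as grants, and the chain check reports the sequence number of the first altered entry. HMAC gives tamper evidence within the institution; evidence that would bind a specific writer towards a third party (non-repudiation in the strict sense) additionally needs a signature with a key the log writer does not share, or an append-only store outside the reach of the CIS administrator.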

Chapter 5
EUCI

Section 1
General provisions

Article 18

Security classifications and markings

1.EUCI shall be classified at one of the following levels and shall be marked as follows:

(a)TRES SECRET UE/EU TOP SECRET: information and material the unauthorised disclosure of which could cause an exceptionally serious prejudice to the essential interests of the Union or of one or more of the Member States;

(b)SECRET UE/EU SECRET: information and material the unauthorised disclosure of which could seriously harm the essential interests of the Union or of one or more of the Member States;

(c)CONFIDENTIEL UE/EU CONFIDENTIAL: information and material the unauthorised disclosure of which could harm the essential interests of the Union or of one or more of the Member States;

(d)RESTREINT UE/EU RESTRICTED: information and material the unauthorised disclosure of which could be disadvantageous to the interests of the Union or of one or more of the Member States.

2.The Coordination Group shall adopt guidance documents on EUCI creation and classification.

Article 19

Suitability to handle and store EUCI

1.Any Union institution and body may handle and store EUCI where the following conditions are met:

(a)it establishes rules and procedures in accordance with this Regulation, ensuring the protection of information for a given classification level; and

(b)it has undergone an assessment visit in accordance with Article 53, and it has been subsequently certified that it can protect EUCI in accordance with this Regulation and where applicable, any other relevant rules and procedures.

2.The conditions set out in paragraph 1 shall be considered as met by default by the members of the sub-group on EUCI sharing and exchange of classified information referred to in Article 7(1), point (e).

Article 20

Protection of EUCI

1.The holder of any item of EUCI shall be responsible for its protection.

2.Where a Member State introduces classified information bearing a national security classification marking into the structures or networks of a Union institution or body, that institution or body shall protect that information in accordance with the corresponding classification marking laid down in the Agreement between the Member States of the European Union, meeting within the Council, regarding the protection of classified information exchanged in the interests of the European Union 29. The corresponding table of equivalence is set out in Annex VI to this Regulation.

3.An aggregate of EUCI may warrant a level of protection corresponding to a higher classification than that of its individual components.

Article 21

EUCI security risk management process

1.The Security Authority of each Union institution and body shall approve the security measures for protecting EUCI throughout its life-cycle in accordance with the outcome of a risk assessment performed by the respective Union institution or body.

2.The security measures taken by each Union institution and body shall be commensurate with the classification level of the information handled and stored, its form and volume, and the location and protective features of the facilities where EUCI is handled and stored and the locally assessed threat of malicious or criminal activities.

3.All Union institutions and bodies shall establish:

(a)contingency plans to ensure EUCI security during emergencies;

(b)business continuity plans including preventive and recovery measures to minimise the impact of major failures or security incidents on the handling and storage of EUCI.

Article 22

Breaches of security and compromise of EUCI

1.An act or omission of a Union institution or body or an individual, which is in breach of this Regulation, shall be considered as a breach of security. 

2.EUCI shall be considered to have been compromised where as a result of a breach, it has been disclosed, wholly or in part, to one or more persons that are not authorised to access that information.

3.Any compromise or suspected compromise of EUCI shall be reported immediately to the Security Authority of the relevant Union institution or body, which shall conduct a security inquiry and take at least the following measures:

(a)inform the originator;

(b)ensure that the case is investigated by personnel not immediately concerned with the breach in order to establish the facts;

(c)assess the potential damage caused to the interests of the Union or of the Member States;

(d)take appropriate measures to prevent a recurrence;

(e)notify the competent authorities about the actual or potential compromise and the action taken. 

Section 2
Personnel security 

Article 23

Basic principles

1.The Security Authority of a Union institution or body may grant individuals access to EUCI where all the following conditions are met:

(a)the individuals have a need-to-know;

(b)the individuals have been briefed on the security rules and procedures for protecting EUCI and the relevant security standards and guidelines, and have acknowledged in writing their responsibilities with regard to protecting such information;

(c)for information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher, the individuals have been granted security clearance and have been authorised to the relevant level.

2.Union institutions and bodies shall take into account the loyalty, trustworthiness and reliability of an individual as determined by means of a security investigation conducted by the competent authorities of the Member State of which the applicant is a citizen or a national. 

3.Union institutions and bodies may accept security clearances from third countries and international organisations with which the Union has a security of information agreement.

4.Union institutions and bodies may manage the clearance processes autonomously or seek a Service Level Agreement ('SLA') with the Commission for security clearance purposes.

Where a SLA is concluded, the Commission Security Authority shall be the contact point between the security offices of the Union institution and body concerned and the national competent authorities of the Member States in the context of security clearance issues. 

5.The Security Authority of each Union institution and body shall keep records of their security clearances, briefings, written acknowledgements and authorisations to access EUCI.

6.Union institutions and bodies that conclude an SLA with the Commission shall make the relevant records available to the Commission’s Security Authority. Those records shall contain, as a minimum, the level of EUCI to which the individual may be granted access, the date of issue of the authorisation to access EUCI and its period of validity. They shall be accessible to other Union institutions and bodies with an SLA, where justified.

Article 24

Authorisation to access EUCI

1.Each Union institution and body shall identify the positions within its organisation requiring access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher in order for the holder to perform their duties.

2.Whenever an individual needs to be authorised to access information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher, the institution or body concerned shall inform the competent Security Authority, which shall proceed with the formalities required in point 1 of Annex II.

3.The Security Authority of each Union institution and body shall be responsible for granting, suspending, withdrawing and renewing authorisations to access EUCI for their staff.

4.In exceptional circumstances, where duly justified in the interests of the service and pending completion of a full security investigation, the Security Authority of a Union institution or body may grant a temporary authorisation for individuals to access EUCI for a specific position, after verification with the relevant National Security Authority and without prejudice to the provisions regarding renewal of authorisation to access EUCI.

5.Union institutions and bodies shall follow the procedures for managing authorisation to access EUCI set out in Annex II. 

Article 25

Recognition of authorisations to access EUCI

1.An authorisation to access EUCI up to the specified level shall be valid in any Union institution or body to which the individual is assigned.

2.Union institutions and bodies shall accept authorisations to access EUCI granted by other Union institution or body. 

3.Where the holder of an authorisation to access EUCI takes up employment in another Union institution or body, that Union institution or body shall notify the relevant NSA of a change of employer, through the competent Security Authority.

Article 26

EUCI briefings

1.The Security Authority of a Union institution or body shall brief all individuals who need to access EUCI on any threats to security and about their obligation to report any suspicious activity.  The briefing shall take place before access to EUCI is granted and at least every 5 years thereafter. 

2.After receiving the briefing referred to in paragraph 1, all individuals concerned shall acknowledge in writing that they have understood their obligations regarding the protection of EUCI and the consequences where EUCI is compromised.

3.The briefing referred to in paragraph 1 shall include the following information:

(a)any individual who is responsible for a breach of the security rules laid down in this Regulation may be liable to disciplinary action in accordance with the applicable rules and regulations; 

(b)any individual who is responsible for compromising or losing EUCI may be liable to disciplinary or legal action in accordance with the applicable law, rules and regulations.

4.Where individuals who have been granted authorisations to access EUCI no longer require such access, Union institutions and bodies shall ensure that those individuals are aware of, and where appropriate acknowledge in writing, their obligations in respect of the continued protection of EUCI.

5.The task of creating and managing the EUCI briefings may be shared between Union institutions and bodies provided that their specific requirements are taken into account. 

Section 3
Physical security

Article 27

Basic principles

1.Each Union institution and body shall determine the physical security measures appropriate to its sites, in accordance with Annex III and the principle of defence in depth, on the basis of a risk assessment performed by its Security Authority. The measures shall ensure the following objectives:

(a)to deny an intruder access to EUCI, including by forced entry;

(b)to deter, impede and detect unauthorised actions and respond to security incidents as soon as possible;

(c)to allow for segregation of personnel in their access to EUCI on a need-to-know basis and where appropriate, on a security clearance basis. 

2.Union institutions and bodies shall put in place physical security measures for all sites where EUCI is discussed, stored or handled, including areas housing communication and information systems as referred to in Section 5 of this Chapter.

3.Only security equipment approved by the Security Authority of a Union institution or body shall be used for physically protecting information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher.

4.Union institutions and bodies may share Secured Areas, as referred to in Annex III, for handling and storing EUCI, upon conclusion of an agreement.

Article 28

Sub-group on physical security

1.The sub-group on physical security as referred to in Article 7(1), point (c), shall have the following roles and responsibilities:

(a)preparing guidance documents relative to physical security matters;

(b)defining the general security criteria for acquiring equipment such as security containers, shredding machines, door locks, electronic access control systems, intrusion detection systems and alarm systems for the physical protection of EUCI;

(c)assisting Union institutions and bodies in determining the appropriate security measures for their sites;

(d)proposing compensatory measures for the protection of EUCI when EUCI is handled outside the physically protected areas of a Union institution or body.

Article 29

Physical protection of EUCI

1.To ensure the physical protection of EUCI, the Union institutions and bodies shall establish the following physically protected areas:

(a)administrative areas, as referred to in Annex III;

(b)where appropriate, Secured Areas including Class I, Class II and technically Secured Areas, as referred to in Annex III.

2.The Security Authority of the Union institution or body concerned shall conduct an internal inspection to verify whether the conditions for an area to be established as an Administrative Area or a Secured Area, set out in Annex III, are met. Where the inspection report indicates that the conditions are met, the Security Authority may issue an accreditation for the Secured Area to protect EUCI up to the stated level for a period not exceeding 5 years.

The Security Authority of the Union institution or body concerned shall be responsible for carrying out the re-accreditation process of its Secured Areas, before the expiry of the accreditation or whenever changes have been implemented within the accredited area. 

3.Each Union institution and body shall adopt procedures for managing keys and combination settings for offices, rooms, strong rooms and security containers for level CONFIDENTIEL UE/EU CONFIDENTIAL and for higher levels.

4.The Security Authority may authorise entry and exit searches to deter and detect the unauthorised introduction of material or the unauthorised removal of EUCI from sites.

5.Union institutions and bodies shall establish the measures for the physical protection of the EUCI in accordance with Annex III.

Section 4
Management of EUCI

Article 30

Basic principles

1.Union institutions and bodies shall record, file, preserve and eventually eliminate, sample or transfer their EUCI documents to the relevant archives in accordance with retention policy and rules specific to the files of each Union institution and body. 

2.Any Union institution and body which is the originator of EUCI shall determine the security classification of that information upon its creation and in accordance with Article 18(1).

3.Union institutions and bodies shall clearly communicate the classification level to recipients, either by means of a classification marking or by an announcement, where the information is delivered in oral form.

4.The security measures applicable to the original document shall apply to drafts, copies and translations thereof.

5.Union institutions and bodies shall establish the measures for EUCI management in accordance with Annex IV. 

Article 31

Creation of EUCI

2. Union institutions and bodies under whose authority EUCI is created shall ensure that the following requirements are met:

(a)each page shall be marked clearly with the classification level;

(b)each page shall be numbered;

(c)the document shall bear a reference number, where applicable a registration number and a subject, which is not itself EUCI, unless it is marked as such;

(d)the document shall include its date of creation;

(e)all the annexes and enclosures shall be listed, whenever possible on the first page;

(f)documents classified SECRET UE/EU SECRET or higher shall bear a copy number on every page, where they are to be distributed in multiple copies. Electronic copies that are distributed outside the holding system shall bear a unique identifier based on an electronic signature.

Article 32

Originator control

1.The Union institution or body under whose authority an EUCI document is created shall have originator control over that document. The originator shall determine the classification level of the document and shall be responsible for its initial dissemination. Without prejudice to Regulation (EC) No 1049/2001, the originator’s prior written consent shall be obtained before the information is:

(a)declassified or downgraded;

(b)used for purposes other than those established by the originator;

(c)forwarded to any entity outside the Union institution or body holding the information, including a third country or international organisation, another Union institution or body, Member States, a contractor or prospective contractor, a beneficiary or prospective beneficiary;

(d)copied and translated in case of TRES SECRET UE/EU TOP SECRET level.

2.Where the originator of an EUCI document cannot be identified, the Union institution or body holding that classified information shall exercise originator control.

3.Originators of any EUCI document shall keep a record of any classified sources used for producing classified documents, including details of sources originally from Member States, international organisations or third countries. Where appropriate, aggregated classified information shall be marked in such a way as to preserve the identification of the originators of the classified source materials used.

Article 33

Classification markings

1.Where appropriate, in addition to one of the security classification markings, EUCI documents may bear additional markings, such as distribution or releasability markings or to indicate the originator.

2.Different parts of an EUCI document may require different classifications and shall be marked accordingly. The overall classification level of a document or file shall be at least as high as that of its most highly classified component.

3.Documents containing parts with different classification levels shall be structured so that parts with a different classification level may be easily identified and detached if necessary.

Article 34

EUCI registry system

1.All Union institutions and bodies that handle and store information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher shall establish one or more EUCI registries to ensure its registration for security purposes when it arrives at or leaves a Union institution or body.

2.All EUCI registries shall be established in Secured Areas, as referred to in Annex III.

3.Union institutions and bodies shall assign a Registry Control Officer (‘RCO’) to manage each EUCI registry. The RCO shall have appropriate security clearance and shall be authorised in accordance with Article 24. Union institutions and bodies shall ensure the proper training of their RCOs.

Article 35

Downgrading and declassifying

1.Information shall be classified only for as long as it requires protection. EUCI that no longer needs the original classification shall be downgraded to a lower level. EUCI that no longer needs to be considered as classified at all shall be declassified.

2.At the time of creation of EUCI, the originator shall indicate, where possible, and in particular for information classified RESTREINT UE/EU RESTRICTED, whether the EUCI can be downgraded or declassified on a given date or following a specific event.

3.The originating Union institution or body shall be responsible for deciding whether an EUCI document can be downgraded or declassified. It shall review the information and assess the risks regularly and at least every 5 years in order to determine whether the original classification level is still appropriate.

4.Union institutions and bodies holding EUCI of which they are not the originator shall not downgrade or declassify that document, nor shall they modify or remove any of the markings referred to in Article 18(1) without the prior written consent of the originator.

5.Union institutions and bodies may partially downgrade or declassify EUCI they create. In such cases a downgraded or declassified extract shall be produced.

6.Union institutions and bodies shall inform the recipient organisation of the EUCI of its downgrading or declassification.

Article 36

Markings on downgraded and declassified documents

1.Where Union institutions and bodies decide to declassify an EUCI document, consideration shall be given as to whether it is to bear a sensitive non-classified information distribution marking.

2.The original classification marking at the top and bottom of every page shall be visibly crossed out using the ‘strikethrough’ functionality for electronic formats, or manually for print-outs. The original classification marking shall not be removed.

3.The first page or the cover page shall be stamped as downgraded or declassified and completed with the details of the authority responsible for downgrading or declassifying and the corresponding date. Downgrading or declassification of electronic EUCI documents shall be evidenced by an electronic signature under the authority of the originator.

Article 37

Destruction and deletion of EUCI

1.Union institutions and bodies shall review EUCI, both on paper and in CISs, at least every 5 years to determine whether they are to be destroyed or deleted. Where EUCI is destroyed or deleted, they shall instruct anyone having previously received that EUCI.

2.Union institutions and bodies may destroy duplicates of EUCI which are no longer required, taking account of the relevant rules on document management for the originals.

3.Union institutions and bodies shall only destroy any hard copy of information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher by their Registry Control Officer. The RCO shall update the logbooks and other registration information accordingly, keeping essential metadata of the destroyed document.

Documents classified SECRET UE/EU SECRET and higher shall only be destroyed by the RCO in the presence of a witness who shall have security clearance to at least the classification level of the document being destroyed.

4.The RCO and, where applicable, the witness shall sign a destruction certificate which shall be filed in the registry. The certificate shall be kept for at least 5 years in the case of information classified CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET and for at least 10 years in the case of information classified at TRES SECRET UE/EU TOP SECRET level.

Article 38

Evacuation and destruction of EUCI in an emergency

1.Each Union institution and body shall develop emergency evacuation and destruction plans based on local conditions to safeguard EUCI that is at significant risk of falling into unauthorised hands.

The operational details of emergency evacuation and destruction plans shall themselves be classified as RESTREINT UE/EU RESTRICTED.

2.In the event of an emergency, where there is an imminent risk of unauthorised disclosure of EUCI, Union institutions and bodies shall evacuate EUCI. 

Where evacuation is not possible, EUCI shall be destroyed in such a way that it cannot be reconstructed in whole or in part.

3.The originator and the originating registry shall be informed of the emergency evacuation or destruction of registered EUCI.

4.Where emergency plans have been activated, priority shall be given to evacuating or destroying the higher levels of EUCI first, including the enciphering equipment. 

Article 39

Archiving

1.Union institutions and bodies shall decide whether and when to archive EUCI, and the corresponding practical measures, in accordance with their policy on document management.

2.EUCI documents shall not be transferred to the Historical Archives of the European Union.

Section 5
Protection of EUCI in communication and information systems (CISs)

Article 40

Sub-group on accreditation of communication and information systems handling and storing EUCI

The sub-group on accreditation of CISs handling and storing EUCI, as referred to in Article 7(1), point (d), shall have the following roles and responsibilities:

(a)assisting the Union institutions and bodies in their accreditation processes;

(b)recommending a standard for accreditation to be followed by all Union institutions and bodies;

(c)disseminating and sharing best practices and guidance regarding the accreditation of CISs.

Article 41

Communication and information systems

Union institutions and bodies shall meet the following requirements in relation to CISs handling and storing EUCI:

(a)the system owner or Information Assurance Operational Authority shall consult the Security Accreditation Authority before developing, procuring or enabling a CIS to handle and store EUCI in order to determine the requirements for accreditation;

(b)key security principles for the design of CIS handling and storing EUCI shall apply at the inception of the project, as part of the information security risk management process and taking into account need-to-know, minimal functionality, defence in depth, least privilege, segregation of duties and four eyes;

(c)the storage, central processing and network management components of a CIS handling and storing EUCI shall be installed in a Secured Area, as referred to in Annex III;

(d)‘TEMPEST security measures’ shall be implemented which are commensurate with the risk of exploitation and the level of classification of the information;

(e)all staff involved in the operation of a CIS handling and storing EUCI shall notify to the Security Authority and the relevant system owner or Information Assurance Operational Authority any potential security weaknesses, incidents, breaches of security or system compromises that may have an impact on the protection of the CIS or the EUCI therein;

(f)where relevant, the Security Authority shall notify the Security Authorities of any other Union institutions and bodies concerned of potential security weaknesses or incidents that could affect their CISs handling and storing EUCI.

Article 42

Cryptographic products

1.Approved cryptographic products shall be used for transmission and storage of EUCI by electronic means. The list of approved cryptographic products shall be maintained by the Council, on the basis of input from the National Security Authorities.

2.Where the list referred to in paragraph 1 does not include any suitable product for the intended purpose, the Crypto Approval Authority of the Union institution or body concerned shall request an interim approval from the Council. Where possible, a cryptographic product that is approved by the National Security Authority of a Member State shall be selected.

The Council shall take the necessary steps to ensure that a suitable product is added to the list.

3.Approvals of cryptographic products shall be valid for a maximum of 5 years and reviewed on a yearly basis thereafter.

4.The Council shall remove any cryptographic product from the list of approved cryptographic products for which national approval has been withdrawn or has expired.

5.The Coordination Group shall inform the Council on a yearly basis of any cryptographic products that it recommends for evaluation by a Crypto Approval Authority of a Member State, on the basis of a survey carried out in the Union institutions and bodies.

Article 43

Accreditation of CISs handling and storing EUCI

1.By accrediting CISs handling and storing EUCI, Union institutions and bodies shall confirm that all appropriate security measures have been implemented and that a sufficient level of protection of EUCI and of the CIS has been achieved in accordance with this Regulation.

2.The CIS owner or the Information Assurance Operational Authority shall be responsible for the preparation of the accreditation files and documentation, including manuals for different types of users.

3.The Security Accreditation Authority of each Union institution and body shall be responsible for establishing an accreditation process with clear conditions that need approval, for all CISs under its authority.

4.Where a CIS handling and storing EUCI involves both Union institutions and bodies and National Security Authorities, the Union institutions and bodies concerned shall establish, through further implementing rules adopted pursuant to Article 8(2), a joint Security Accreditation Board in charge of the system’s accreditation. That Board shall be composed of Security Accreditation Authority representatives of the parties involved and shall be chaired by the Security Accreditation Authority of the Union institution or body that owns the CIS.

Article 44

Accreditation process of a CIS handling and storing EUCI

1.All CISs handling and storing EUCI shall undergo an accreditation process, based upon the principles of information assurance, the level of detail of which shall be commensurate with the level of protection required.

2.The accreditation process shall result in an accreditation statement determining the maximum classification level of the information that may be handled and stored in a CIS as well as the corresponding terms and conditions. The accreditation statement shall be based on the formal validation of the risk assessment and of the security measures implemented for the CIS concerned, providing assurance on the following elements:

(a)the information security risk management process has been properly carried out;

(b)the system owner or risk owner has knowingly accepted the residual risk; 

(c)a sufficient level of protection of the CIS, and of the EUCI handled and stored in it, has been achieved in accordance with this Regulation.

3.The Security Accreditation Authority of a Union institution or body shall formally validate the accreditation statement. Upon successful validation, the Security Accreditation Authority shall issue an approval to operate which determines the maximum classification level of the EUCI that may be handled in the CIS as well as the corresponding terms and conditions for operation. The approval shall be issued for a specified period. Where one or more of the required security measures are not in place but this does not significantly impact the overall security, an interim approval to operate may be issued, specifying the points for remediation.

4.At any moment in the life cycle of a CIS, the Security Accreditation Authority of the Union institution or body concerned may take the following actions:

(a)apply an accreditation process;

(b)audit or inspect the CIS;

(c)where the conditions for operation are no longer satisfied, such as when a security incident has revealed a significant vulnerability in the CIS, require the establishment and effective implementation of a security improvement plan within a well-defined timescale, potentially withdrawing permission to operate the CIS until the conditions for operation are satisfied.

5.The system owner or the Information Assurance Operational Authority shall make a formal report to the Security Accreditation Authority annually during the period of validity of an approval to operate, including a summary of any significant incidents, changes and risk factors.

Article 45

Emergency circumstances

1.Union institutions and bodies may apply specific procedures to transmit or store classified EUCI in an emergency, such as during impending or actual crises, conflicts, war situations or in exceptional operational circumstances, after approval by their Crypto Approval Authority.

2.Under the circumstances referred to in paragraph 1, EUCI may be transmitted using cryptographic products which have been approved for a lower classification level or without encryption with the consent of the competent authority where any delay would cause harm clearly outweighing the harm entailed by any disclosure of the classified material and subject to the following conditions:

(a)the sender or the recipient does not have the required encryption facility;

(b)the classified material cannot be conveyed in time by other means.

3.Classified information transmitted in accordance with paragraph 2 shall not bear any markings or indications distinguishing it from information which is unclassified or which can be protected by an available cryptographic product. Recipients shall be notified of the classification level, without delay, by other means.

4.A subsequent report on the transmission of EUCI under the circumstances referred to in paragraph 1 shall be submitted to the relevant Security Authority.

Section 6
Industrial security

Article 46

Basic principles

1.Each Union institution or body, as contracting or granting authority, shall ensure that the minimum standards on industrial security set out in this Section and the conditions for the protection of EUCI in classified contracts and grant agreements set out in Annex V, are referred to or incorporated in the contracts or grant agreements and complied with when awarding classified contracts or grant agreements.

2.Industrial security is the application of measures to ensure the protection of EUCI by the following individuals or entities:

(a)under direct management 30, within the framework of classified contracts, by:

(i)candidates or tenderers throughout the tendering and contracting procedure;

(ii)contractors or subcontractors throughout the life-cycle of classified contracts;

(b)under direct management 31, within the framework of classified grant agreements, by:

(i)applicants during grant award procedures;

(ii)beneficiaries or subcontractors throughout the life-cycle of classified grant agreements;

(c)under indirect management, within the framework of financial framework partnership agreements (‘FFPA’) and the related contribution agreements by the entrusted entities throughout the life cycle of these agreements.

3.As the entrusting entity, the Union institution or body shall describe the specific security requirements for the entrusted entity in the security chapter of the FFPA and the related contribution agreements. These requirements shall be based on the security principles and provisions as contained in this Regulation in relation to classified contracts and grant agreements, which apply mutatis mutandis.

4.Classified contracts and classified grant agreements shall not involve information classified TRES SECRET UE/EU TOP SECRET.

5.Provisions in this Chapter referring to classified contracts or contractors, or to classified grants or beneficiaries, shall also apply to classified subcontracts or subcontractors within the meaning of, respectively, classified contracts or grants.

6.Union institutions and bodies, as contracting or granting authorities, shall closely cooperate with the security authorities or any other competent authorities of the country on whose territory the contractual party or the grant recipient is registered, as well as with the security or any other competent authorities of the contracted or grant-awarded international organisation.

7.Union institutions and bodies, as contracting or granting authorities, shall communicate with the security authorities or any other competent authorities through their Security Authorities.

8.Union institutions and bodies, as contracting or granting authorities, shall notify the authorities referred to in paragraph 6, through their Security Authorities, whenever a classified contract or grant agreement has been signed.

The notification shall include relevant data such as the names of the contractor or beneficiaries, the duration of the classified contract or grant agreement, and the maximum level of classification.

Union institutions and bodies, as contracting or granting authorities, shall also notify the authorities referred to in paragraph 6 whenever classified contracts or grant agreements are prematurely terminated.

9.Union institutions and bodies, as contracting or granting authorities, may award classified contracts or classified parts of grants only to entities registered in those third countries or established by those international organisations that have concluded a security of information agreement with the Union. Where the EUCI concerned contains personal data, any transfer of the latter to a third country or international organisation shall be made in accordance with Regulation (EU) 2018/1725.

Article 47

Security elements in a classified contract or grant agreement

1.Classified contracts or grant agreements shall include the following security elements:

(a)security classification guide;

(b)security aspects letter.

2.Classified contracts or grant agreements may include a Programme or Project Security Instruction.

Article 48

Security Classification Guide 

1.Before signing a classified contract or grant agreement, the Union institution or body, as contracting or granting authority, shall determine the security classification of any information to be created by contractors or beneficiaries, or by their sub-contractors. For that purpose, it shall prepare a Security Classification Guide to be used for the performance of the classified contract or grant agreement.

2.The Security Classification Guide may be modified throughout the life of the programme or project referred to in Article 50, or of the contract or grant agreement, and the elements of information may be re-classified or downgraded.

3.In order to determine the security classification of the various elements of a classified contract or grant agreement, the following principles shall apply:

(a)in preparing a Security Classification Guide, the Union institution or body, as contracting or granting authority, shall take into account all relevant security aspects, including the security classification assigned to information provided and approved to be used for the classified contract or grant agreement by the originator of the information;

(b)the overall level of classification of the classified contract or grant shall not be lower than the highest classification of any of its elements; 

(c)where relevant, the Union institution or body concerned, as contracting or granting authority, shall liaise, through its Security Authority, with the security authorities or any other competent authorities of the country concerned when making any changes to the Security Classification Guide.

Article 49

Security Aspects Letter

1.Each Union institution or body, as contracting or granting authority, shall describe the specific security requirements of the classified contract or grant in a Security Aspects Letter. That letter shall include the Security Classification Guide and shall be an integral part of a classified contract, grant agreement or sub-contract.

2.The Security Aspects Letter shall contain provisions requiring the contractor or beneficiary, and their subcontractors, to comply with the provisions laid down in this Regulation and any further implementing rules adopted pursuant to Article 8(2) regarding industrial security. The Security Aspects Letter shall clearly indicate that non-compliance with such provisions may constitute sufficient grounds for the termination of the classified contract or grant agreement.

Article 50

Programme or Project Security Instruction 

1.Union institutions and bodies, as contracting or granting authorities, may develop a Programme or Project Security Instruction, in close cooperation with their Security Authorities, in particular for programmes and projects characterised by their considerable scope, scale or complexity, or by the multitude or the diversity of contractors, beneficiaries and other partners and stakeholders involved.

2.The Security Authority of each Union institution or body, as contracting or granting authority, shall submit the specific Programme or Project Security Instruction for advice to the relevant Member State advisory security body consisting of their National Security Authorities and/or Designated Security Authorities.

When a Union institution or body does not have such an advisory body, the Programme or Project Security Instruction shall be submitted to the Information Security Committee, referred to in Article 6(8).

Section 7
Sharing EUCI and exchanging classified information

Article 51

Basic principles

1.All Union institutions and bodies may share EUCI with other Union institutions or bodies under the conditions set out in Article 54.

2.Union institutions and bodies may share EUCI with Member States and the European Atomic Energy Community provided that they protect that information in accordance with the corresponding classification marking laid down in the Agreement between the Member States of the Union, meeting within the Council, regarding the protection of classified information exchanged in the interests of the Union and the corresponding table set out in Annex VI to this Regulation.  

3.Union institutions and bodies shall only exchange classified information with third countries or international organisations with which a Security of information agreement or an administrative arrangement has been concluded in accordance with Articles 55 and 56.

Such agreements and arrangements shall contain provisions to ensure that third countries or international organisations receiving EUCI protect such information at a level commensurate with its classification level and corresponding to minimum standards that are no less stringent than those laid down in this Regulation.

4.Where there is no Security of information agreement or administrative arrangement in place, a Union institution or body may, in exceptional circumstances, release EUCI to another Union institution or body, a third country or an international organisation in accordance with Article 58.

5.Union institutions and bodies shall designate those registries that serve as the main points of entry and exit for EUCI shared with other Union institutions or bodies or classified information exchanged with third countries and international organisations.  

Article 52

Sub-group on EUCI sharing and exchange of classified information

1.The sub-group on EUCI sharing and exchange of classified information, referred to in Article 7(1), point (e), shall have the following roles and responsibilities:

(a)organising assessment visits to Union institutions and bodies, third countries and international organisations, and adopting the yearly programme of visits;

(b)preparing and carrying out the assessment visits;

(c)drawing up a report on the outcome of the visits referred to in point (a), except in cases referred to in Article 56(2).

2.The sub-group on EUCI sharing and exchange of classified information shall be composed of representatives from the Commission, the Council and the European External Action Service and shall work by consensus. 

Article 53

Assessment visits related to EUCI sharing

1.The sub-group on EUCI sharing and exchange of classified information shall carry out assessment visits in full cooperation with the officials of the Union institution or body being visited. It may seek assistance from the NSA on whose territory the Union institution or body is located.

2.The assessment visits to the Union institutions and bodies concerned shall serve the following purposes:

(a)to check whether the requirements for protecting EUCI laid down in this Regulation are complied with and, therefore, whether the measures implemented are effective;

(b)to emphasise the importance of security and effective risk management within the organisation visited;

(c)to recommend countermeasures to mitigate the specific impact of loss of availability, confidentiality or integrity of classified information; 

(d)to reinforce security authorities’ ongoing security education and awareness programmes.

3.At the end of the assessment visit, the sub-group on EUCI sharing and exchange of classified information shall carry out the following tasks:

(a)draw up a report with the main conclusions of the assessment;

(b)seek the opinion of the Information Security Committee, referred to in Article 6(8), on the report;

(c)send the report for follow up to the security authority of the Union institution or body visited.

4.Where the report proposes any corrective action or makes recommendations, a follow-up visit shall be organised for the purpose of verifying whether such action was taken or recommendations followed.

Article 54

Sharing EUCI

1.A Union institution or body may share EUCI with another Union institution or body where the following conditions are fulfilled:

(a)there is a proven need for the exchange;

(b)an assessment visit has been carried out at the Union institution or body concerned, in accordance with Article 53, the outcome of which certifies the capacity of that Union institution or body to handle and store a specified level of EUCI;

(c)the Security Authority of the Union institution or body concerned decides that it may share information classified up to a specified level with other such certified Union institutions and bodies.

2.The secretariat of the Coordination Group shall establish a list of EUCI levels that may be handled and stored by each Union institution and body fulfilling the conditions in paragraph 1, points (b) and (c).  It shall regularly update that list. 

Article 55

Security of information agreements

1.Where it is necessary to exchange classified information with a third country or an international organisation on a long term basis, the competent institution or body shall seek to negotiate and conclude a security of information agreement, in accordance with Article 218 of the Treaty on the Functioning of the European Union.

2.A security of information agreement shall establish the basic principles and the minimum standards governing the exchange of classified information between the Union and a third country or international organisation.

3.Security of information agreements shall provide for technical implementing arrangements to be agreed between the competent security authorities of the relevant Union institutions and bodies and the competent security authority of the third country or international organisation concerned.

4.Prior to the approval of the technical implementing arrangements, referred to in paragraph 3, the sub-group on EUCI sharing and exchange of classified information shall carry out an assessment visit in accordance with Article 57.

Article 56

Administrative arrangements with third countries and international organisations

1.Where their rules of procedure or founding acts provide for such possibility, Union institutions and bodies may enter into an administrative arrangement with their counterparts in a third country or international organisation, after informing the sub-group on EUCI sharing and exchange of classified information, where the following conditions are met:

(a)the Union institution or body concerned needs to exchange, on a long-term basis, information classified, as a general rule, no higher than RESTREINT UE/EU RESTRICTED with its counterpart in a third country or international organisation;

(b)the Union institution or body concerned satisfies the conditions set out in Article 54(1);

(c)the report of the assessment visit, referred to in Article 57, certifies that the relevant counterpart in the third country or international organisation concerned has the capacity to handle and store a specified level of EUCI.

2.Before concluding an administrative arrangement, an assessment visit shall be conducted in accordance with the principles in Article 57. The Union institution or body seeking the administrative arrangement may request the sub-group on EUCI sharing and exchange of classified information to conduct the assessment visit on its behalf or to participate in the visit.

3.The Security Authority of the Union institution or body seeking the administrative arrangement shall decide on any specific conditions governing the exchange as well as on the maximum level of EUCI which may be exchanged. That level shall not be higher than the level set for sharing EUCI with other Union institutions and bodies, in accordance with Article 54, and, where applicable, should not be higher than that provided for under a Security of Information Agreement with the same third country or international organisation.  

Article 57

Assessment visits for the exchange of classified information with third countries and international organisations

1.An assessment visit to a third country or international organisation shall be conducted to determine whether a Union institution or body may exchange classified information with the third country or international organisation concerned.

2.The aim of the assessment visit shall be to assess the effectiveness of the security rules and procedures in the third country or international organisation concerned as regards the protection of EUCI at a given level. The assessment visit shall be carried out in mutual agreement with the third country or international organisation concerned.

3.The assessment visits shall evaluate at least the following:

(a)the regulatory framework applicable for protecting classified information and its adequacy for the protection of EUCI at a given level;

(b)any specific features of the security policy and the way in which security is organised in the third country or international organisation which may have an impact on the level of classified information that may be exchanged;

(c)the security measures and procedures actually in place; 

(d)security clearance procedures relative to the EUCI level to be released.

4.The Information Security Committee referred to in Article 6(8) shall receive a report on the findings of such visits before the EUCI is actually released to the third country or international organisation concerned. Where relevant, the report shall also be shared with the Union institution or body concerned.

5.The security authorities of the Union institution or body concerned shall communicate to the third country or international organisation the date as from which that Union institution or body is in a position to exchange EUCI, as well as the maximum level of EUCI which may be exchanged in hard copy or by electronic means.

6.Follow-up visits shall be organised where the following conditions are met:

(a)it is necessary to raise the level of EUCI which may be exchanged;

(b)the Union institution or body concerned has been notified of fundamental changes in the security arrangements of the third country or international organisation that might have an impact on how EUCI is protected; 

(c)there has been a serious information security incident involving unauthorised disclosure of EUCI.

Article 58

Exceptional ad-hoc release of EUCI

1.In the absence of a security of information agreement or an administrative arrangement, where a Union institution or body determines that there is an exceptional need to release EUCI to another Union institution or body or to a third country or international organisation, or where a security of information agreement or an administrative arrangement has been concluded and a Union institution or body determines that there is an exceptional need to release a higher level of EUCI than already stipulated under the agreement or arrangement, the Union institution or body providing EUCI shall take the following steps:

(a)to the extent possible, verify with the security authorities of the third country, international organisation or receiving Union institution or body that their security rules, structures and procedures can ensure the protection of EUCI released to standards no less stringent than those set in this Regulation;

(b)seek an opinion from the Information Security Committee, referred to in Article 6(8), on the basis of the verification made pursuant to point (a), unless operational circumstances require an immediate ad-hoc release, in which case the Information Security Committee shall be subsequently informed.

2.All documents released pursuant to this Article shall bear a releasability marking indicating the third country, international organisation or Union institution or body to which they have been released.

3.Prior to or upon actual release, the Union institution or body providing EUCI shall seek a written undertaking from the receiving party that it will protect the EUCI it receives.  Where applicable, it shall be requested to undertake to protect the EUCI in accordance with the basic principles and the minimum standards set out in this Regulation.

Chapter 6
Final provisions

Article 59

Implementation

1.The Coordination Group shall establish information security guidance for implementing this Regulation.

2.Based on their specific needs, Union institutions and bodies may adopt internal rules for the purpose of implementing this Regulation, in accordance with Article 8(2).

Article 60

Transitional provisions

1.The internal rules on information security adopted by individual Union institutions and bodies before [dd/mm/yyyy date of application] shall be reviewed by [3 years after the entry into force of this Regulation] at the latest.

2.All Union institutions and bodies that have been assessed by the Commission, the Council or the EEAS before the [dd/mm/yyyy date of applicability] as suitable to handle and store EUCI shall be considered as meeting the conditions referred to in Article 19(1).

3.Any administrative arrangement concluded by the Union institutions and bodies with third countries and international organisations before [dd/mm/yyyy date of application] shall remain valid.

4.Where the Member States on whose territory the beneficiaries of a Commission grant agreement under the European Defence Industrial Development Programme are established have decided to have a specific security framework for the protection and handling of nationally classified information relating to the grant agreement concerned, the Commission, when applying the industrial security procedures contained in this Regulation, will respect this security framework until the end of the life cycle of the grant agreement.

Article 61

Monitoring and evaluation

1.By [dd/mm/yyyy 3 years after the date of application] at the latest, the Commission shall present a report on the implementation of this Regulation to the European Parliament and the Council.

2.No sooner than [5 years after the date of application] and every 5 years thereafter, the Commission shall carry out an evaluation of this Regulation and present a report on the main findings to the European Parliament and the Council.

Article 62

Entry into force and application

1.This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2.It shall apply from [date: the first day of the month following the period of 2 years after the date of entry into force].

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels,

For the European Parliament    For the Council

The President    The President

[...]    [...]

LEGISLATIVE FINANCIAL STATEMENT

1.FRAMEWORK OF THE PROPOSAL/INITIATIVE

1.1.Title of the proposal/initiative

1.2.Policy area(s) concerned

1.3.The proposal/initiative relates to:

1.4.Objective(s)

1.4.1.General objective(s)

1.4.2.Specific objective(s)

1.4.3.Expected result(s) and impact

1.4.4.Indicators of performance

1.5.Grounds for the proposal/initiative

1.5.1.Requirement(s) to be met in the short or long term including a detailed timeline for roll-out of the implementation of the initiative

1.5.2.Added value of Union involvement (it may result from different factors, e.g. coordination gains, legal certainty, greater effectiveness or complementarities). For the purposes of this point 'added value of Union involvement' is the value resulting from Union intervention which is additional to the value that would have been otherwise created by Member States alone.

1.5.3.Lessons learned from similar experiences in the past

1.5.4.Compatibility with the Multiannual Financial Framework and possible synergies with other appropriate instruments

1.5.5.Assessment of the different available financing options, including scope for redeployment

1.6.Duration and financial impact of the proposal/initiative

1.7.Management mode(s) planned

2.MANAGEMENT MEASURES

2.1.Monitoring and reporting rules

2.2.Management and control system(s)

2.2.1.Justification of the management mode(s), the funding implementation mechanism(s), the payment modalities and the control strategy proposed

2.2.2.Information concerning the risks identified and the internal control system(s) set up to mitigate them

2.2.3.Estimation and justification of the cost-effectiveness of the controls (ratio of "control costs ÷ value of the related funds managed"), and assessment of the expected levels of risk of error (at payment & at closure)

2.3.Measures to prevent fraud and irregularities

3.ESTIMATED FINANCIAL IMPACT OF THE PROPOSAL/INITIATIVE

3.1.Heading(s) of the multiannual financial framework and expenditure budget line(s) affected

3.2.Estimated financial impact of the proposal on appropriations

3.2.1.Summary of estimated impact on operational appropriations

3.2.2.Estimated output funded with operational appropriations

3.2.3.Summary of estimated impact on administrative appropriations

3.2.4.Compatibility with the current multiannual financial framework

3.2.5.Third-party contributions

3.3.Estimated impact on revenue

LEGISLATIVE FINANCIAL STATEMENT

1.FRAMEWORK OF THE PROPOSAL/INITIATIVE 

1.1.Title of the proposal/initiative

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on information security in the institutions, bodies, offices and agencies of the Union

1.2.Policy area(s) concerned 

European public administration

The information security rules of Union institutions and bodies should together constitute a comprehensive and coherent general framework within the European administration for protecting information, and should ensure equivalence of basic principles and minimum standards. The level of protection afforded to information should also be equivalent across all Union institutions and bodies.

1.3.The proposal/initiative relates to: 

a new action

a new action following a pilot project/preparatory action (32)

the extension of an existing action

a merger or redirection of one or more actions towards another/a new action

1.4.Objective(s)

1.4.1.General objective(s)

The general objective of the initiative is to create information security rules for all Union institutions and bodies with the aim of ensuring an enhanced and consistent protection against the evolving threats to their information.

1.4.2.Specific objective(s)

• SO 1: Establish harmonised and comprehensive categories of information, as well as common handling requirements for all information handled by the European administration, and facilitate secure information exchange between the Union institutions and bodies, while minimising the impact on Member States.

• SO 2: Ensure that all Union institutions and bodies identify any security gaps in their processes and implement the measures required to ensure a level playing field of information security.

• SO 3: Establish a lean cooperation scheme on information security between Union institutions and bodies able to foster a coherent information security culture across the European administration.

• SO 4: Modernise the information security policies at all levels of classification/categorization, for all Union institutions and bodies, taking into account the digital transformation and the development of teleworking as a structural practice.

1.4.3.Expected result(s) and impact

Specify the effects which the proposal/initiative should have on the beneficiaries/groups targeted.

The proposal will have the following effects on the Union institutions and bodies, which will have to:

• review their internal rules and procedures with the aim of adapting them to the Regulation;

• categorise all information handled in line with the scheme provided by the Regulation;

• ensure that their communication and information systems are compliant with the requirements laid down in the Regulation;

• participate in the Interinstitutional Information Security Coordination Group (‘Coordination Group’).

The Member States will benefit from this Regulation, as cooperation with Union institutions and bodies in all relevant fields (personnel security, industrial security or information sharing) would be based on the same concepts, rules and procedures.

1.4.4.Indicators of performance

Specify the indicators for monitoring progress and achievements.

Indicators relevant for Specific objective no 1

Adoption of suitable guidelines

Implementation of new markings

Publication of updated handling instructions for all categories of information

Implementation of common systems handling sensitive non-classified information and EUCI

Indicators relevant for Specific objective no 2

Number of recommendations made / implemented

Number of information leaks across institutions and bodies

Indicators relevant for Specific objective no 3

Statistics on centralised versus local procurement

Inspection reports

Number of queries dealt with by the Secretariat of the Information security coordination group

Indicators relevant for Specific objective no 4

Number of users undergoing training

Level of awareness of staff for the information security rules

Percentage of staff enabled to work with secure teleworking equipment

1.5.Grounds for the proposal/initiative 

1.5.1.Requirement(s) to be met in the short or long term including a detailed timeline for roll-out of the implementation of the initiative

The implementation of this initiative will follow a phased approach as follows:

2022/2023: adoption of the Regulation, entry into force

2024/2025: review by all Union institutions and bodies of their internal rules on information security with the aim of adjusting them to the Regulation

2025: organisational work for the set-up of the Coordination Group and its Secretariat, as well as of the technical sub-groups

2024/2025: start of application for the Regulation

2025/2026: adoption of Rules of procedure for the Coordination Group and the technical sub-groups

2026-2028: work on guidance documents as support for the implementation of the Regulation, exchange of best practices across institutions and bodies

2029/2030: preparation of first evaluation of the Regulation (every 5 years from the date of application)

2030: first evaluation of the Regulation

1.5.2.Added value of Union involvement (it may result from different factors, e.g. coordination gains, legal certainty, greater effectiveness or complementarities). For the purposes of this point 'added value of Union involvement' is the value resulting from Union intervention which is additional to the value that would have been otherwise created by Member States alone.

The initiative contributes to ensuring that the Union institutions and bodies are assisted in their mission by an open, efficient and independent administration.

It adds to the general national efforts of Member States in the area of EU security by protecting the institutions and bodies from external interferences and spying activities.

1.5.3.Lessons learned from similar experiences in the past

N/A

1.5.4.Compatibility with the Multiannual Financial Framework and possible synergies with other appropriate instruments

The project requires the reallocation/assignment of 2 FTEs for the Secretariat of the Information Security Coordination Group.

Other projects, such as the development of common tools and the centralisation of some activities, are already partly ongoing and covered by SLAs and framework contracts.

1.5.5.Assessment of the different available financing options, including scope for redeployment

See previous section.

1.6.Duration and financial impact of the proposal/initiative

limited duration

   in effect from [DD/MM]YYYY to [DD/MM]YYYY

   Financial impact from YYYY to YYYY for commitment appropriations and from YYYY to YYYY for payment appropriations.

unlimited duration

1.7.Management mode(s) planned (33)

Direct management by the Commission and by each Union institution and body

   by its departments, including by its staff in the Union delegations

   by the executive agencies

Shared management with the Member States

Indirect management by entrusting budget implementation tasks to:

third countries or the bodies they have designated;

international organisations and their agencies (to be specified);

the EIB and the European Investment Fund;

bodies referred to in Articles 70 and 71 of the Financial Regulation;

public law bodies;

bodies governed by private law with a public service mission to the extent that they are provided with adequate financial guarantees;

bodies governed by the private law of a Member State that are entrusted with the implementation of a public-private partnership and that are provided with adequate financial guarantees;

persons entrusted with the implementation of specific actions in the CFSP pursuant to Title V of the TEU, and identified in the relevant basic act.

If more than one management mode is indicated, please provide details in the ‘Comments’ section.

Comments

2.MANAGEMENT MEASURES 

2.1.Monitoring and reporting rules 

Specify frequency and conditions.

Every 5 years the Regulation will be evaluated and the Commission will report on its findings to the Council and the European Parliament.

2.2.Management and control system(s) 

2.2.1.Justification of the management mode(s), the funding implementation mechanism(s), the payment modalities and the control strategy proposed

The Regulation lays down rules on information security applicable to all Union institutions and bodies. Monitoring of its proper implementation will take place through a coordination group involving all the security authorities of the institutions and bodies.

Full responsibility for security remains in the hands of the security authority of each institution or body, and is subject to the existing internal control framework of each institution or body.

2.2.2.Information concerning the risks identified and the internal control system(s) set up to mitigate them

The Regulation will create a baseline of information security rules and ensure transparency of security measures for information exchanges between Union institutions and bodies; it will thus reduce the information security-related risks across the board.

The Regulation is compliant with the Internal Control Standards, and includes a risk-based approach for policy-making.

2.2.3.Estimation and justification of the cost-effectiveness of the controls (ratio of "control costs ÷ value of the related funds managed"), and assessment of the expected levels of risk of error (at payment & at closure) 

The existing control mechanisms for the institutions and bodies will be applicable. Compliance with the Regulation and information security-related risks should be reported in institutions’ and bodies’ annual risk reporting.

2.3.Measures to prevent fraud and irregularities 

Specify existing or envisaged prevention and protection measures, e.g. from the Anti-Fraud Strategy.

N/A

3.ESTIMATED FINANCIAL IMPACT OF THE PROPOSAL/INITIATIVE 

3.1.Heading(s) of the multiannual financial framework and expenditure budget line(s) affected 

·Existing budget lines

In order of multiannual financial framework headings and budget lines.

Heading of multiannual financial framework: H7
Budget line (number): 20 01 02 01
Type of expenditure (Diff./Non-diff.) (34): Non-diff.
Contribution from EFTA countries (35): NO
Contribution from candidate countries (36): NO
Contribution from third countries: NO
Contribution within the meaning of Article 21(2)(b) of the Financial Regulation: NO

·New budget lines requested

In order of multiannual financial framework headings and budget lines.

None.

3.2.Estimated financial impact of the proposal on appropriations 

3.2.1.Summary of estimated impact on operational appropriations 

The proposal/initiative does not require the use of operational appropriations

The proposal/initiative requires the use of operational appropriations, as explained below:

EUR million (to three decimal places)

Heading of multiannual financial framework: Number
DG: <…….>

Columns: Year N (37); Year N+1; Year N+2; Year N+3; [enter as many years as necessary to show the duration of the impact (see point 1.6)]; TOTAL

• Operational appropriations
   Budget line (38): Commitments (1a); Payments (2a)
   Budget line: Commitments (1b); Payments (2b)
Appropriations of an administrative nature financed from the envelope of specific programmes (39)
   Budget line: (3)
TOTAL appropriations for DG <…….>: Commitments = 1a+1b+3; Payments = 2a+2b+3

TOTAL operational appropriations: Commitments (4); Payments (5)
• TOTAL appropriations of an administrative nature financed from the envelope for specific programmes: (6)
TOTAL appropriations under HEADING <….> of the multiannual financial framework: Commitments = 4+6; Payments = 5+6

If more than one operational heading is affected by the proposal/initiative, repeat the section above:

• TOTAL operational appropriations (all operational headings): Commitments (4); Payments (5)
TOTAL appropriations of an administrative nature financed from the envelope for specific programmes (all operational headings): (6)
TOTAL appropriations under HEADINGS 1 to 6 of the multiannual financial framework (Reference amount): Commitments = 4+6; Payments = 5+6

Heading of multiannual financial framework: 7 ‘Administrative expenditure’

This section should be filled in using the 'budget data of an administrative nature' to be firstly introduced in the Annex to the Legislative Financial Statement (Annex V to the internal rules), which is uploaded to DECIDE for interservice consultation purposes.

EUR million (to three decimal places)

                                                   Year    Year    Year    Year    Year
                                                   2023    2024    2025    2026    2027    TOTAL
DG: HR
• Human resources                                  0.314   0.314   0.314   0.314   0.314   1.570
• Other administrative expenditure
TOTAL DG <…….> appropriations                      0.314   0.314   0.314   0.314   0.314   1.570

TOTAL appropriations under HEADING 7
of the multiannual financial framework
(Total commitments = Total payments)               0.314   0.314   0.314   0.314   0.314   1.570

EUR (to three decimal places)

                                                   Year    Year    Year    Year    Year
                                                   2023    2024    2025    2026    2027    TOTAL
TOTAL appropriations under HEADINGS 1 to 7
of the multiannual financial framework
   Commitments                                     0.314   0.314   0.314   0.314   0.314   1.570
   Payments                                        0.314   0.314   0.314   0.314   0.314   1.570

3.2.2.Estimated output funded with operational appropriations 

Commitment appropriations in EUR million (to three decimal places)

Indicate objectives and outputs

Columns: Year N; Year N+1; Year N+2; Year N+3; [enter as many years as necessary to show the duration of the impact (see point 1.6)]; TOTAL
For each output: Type (40); Average cost; No and Cost for each year; Total No; Total cost

OUTPUTS

SPECIFIC OBJECTIVE No 1 (41)
- Output
- Output
- Output
Subtotal for specific objective No 1

SPECIFIC OBJECTIVE No 2 ...
- Output
Subtotal for specific objective No 2

TOTALS

3.2.3.Summary of estimated impact on administrative appropriations 

The proposal/initiative does not require the use of appropriations of an administrative nature

The proposal/initiative requires the use of appropriations of an administrative nature, as explained below:

EUR million (to three decimal places)

                                                   Year    Year    Year    Year    Year
                                                   2023    2024    2025    2026    2027    TOTAL
HEADING 7 of the multiannual financial framework
   Human resources                                 0.314   0.314   0.314   0.314   0.314   1.570
   Other administrative expenditure
Subtotal HEADING 7
of the multiannual financial framework             0.314   0.314   0.314   0.314   0.314   1.570

Outside HEADING 7 (42) of the multiannual financial framework
   Human resources
   Other expenditure of an administrative nature
Subtotal outside HEADING 7
of the multiannual financial framework

TOTAL                                              0.314   0.314   0.314   0.314   0.314   1.570

The appropriations required for human resources and other expenditure of an administrative nature will be met by appropriations from the DG that are already assigned to management of the action and/or have been redeployed within the DG, together if necessary with any additional allocation which may be granted to the managing DG under the annual allocation procedure and in the light of budgetary constraints.

3.2.3.1.Estimated requirements of human resources

The proposal/initiative does not require the use of human resources.

The proposal/initiative requires the use of human resources, as explained below:

Estimate to be expressed in full time equivalent units

                                                                      Year  Year  Year  Year  Year
                                                                      2023  2024  2025  2026  2027
20 01 02 01 (Headquarters and Commission’s Representation Offices)    2     2     2     2     2
20 01 02 03 (Delegations)
01 01 01 01 (Indirect research)
01 01 01 11 (Direct research)
Other budget lines (specify)
20 02 01 (AC, END, INT from the ‘global envelope’)
20 02 03 (AC, AL, END, INT and JPD in the delegations)
XX 01 xx yy zz (43)
   - at Headquarters
   - in Delegations
01 01 01 02 (AC, END, INT - Indirect research)
01 01 01 12 (AC, END, INT - Direct research)
Other budget lines (specify)
TOTAL                                                                 2     2     2     2     2

XX is the policy area or budget title concerned.

The human resources required will be met by staff from the DG who are already assigned to management of the action and/or have been redeployed within the DG, together if necessary with any additional allocation which may be granted to the managing DG under the annual allocation procedure and in the light of budgetary constraints.

Description of tasks to be carried out:

Officials and temporary staff

Secretariat of the information security coordination group: 1 AD official + 1 AST official

External staff

3.2.4.Compatibility with the current multiannual financial framework 

The proposal/initiative:

can be fully financed through redeployment within the relevant heading of the Multiannual Financial Framework (MFF).

The proposal requires allocating two staff members to the permanent secretariat of the Interinstitutional Coordination Group, located in HR.DS.

requires use of the unallocated margin under the relevant heading of the MFF and/or use of the special instruments as defined in the MFF Regulation.

Explain what is required, specifying the headings and budget lines concerned, the corresponding amounts, and the instruments proposed to be used.

requires a revision of the MFF.

Explain what is required, specifying the headings and budget lines concerned and the corresponding amounts.

3.2.5.Third-party contributions 

The proposal/initiative:

does not provide for co-financing by third parties

provides for the co-financing by third parties estimated below:

Appropriations in EUR million (to three decimal places)

Columns: Year N (44); Year N+1; Year N+2; Year N+3; Total

Specify the co-financing body

TOTAL appropriations co-financed

Remark: the proposal will intensify current cooperation on information security through SLAs.

3.3.Estimated impact on revenue 

The proposal/initiative has no financial impact on revenue.

The proposal/initiative has the following financial impact:

   on own resources

   on other revenue

   please indicate, if the revenue is assigned to expenditure lines

EUR million (to three decimal places)

Columns: Budget revenue line; Appropriations available for the current financial year; Impact of the proposal/initiative (45) for Year N, Year N+1, Year N+2 and Year N+3

For assigned revenue, specify the budget expenditure line(s) affected.

Other remarks (e.g. method/formula used for calculating the impact on revenue or any other information).

(1)    Communication on the EU Security Union Strategy, COM(2020) 605, 24 July 2020 (Strategic priority ‘A future-proof security environment’).
(2)    EUCO 9/19.
(3)    14972/19.
(4)    WK 10563/2018 INIT section 9.
(5)    Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).
(6)    C(2020)605.
(7)    The EU’s Cybersecurity Strategy for the Digital Decade | Shaping Europe’s digital future (europa.eu) including a Joint Communication with the High Representative of the Union for Foreign Affairs and Security Policy (JOIN(2020)18) and also a revised Network and Information Security (NIS) Directive (COM(2020)823).
(8)    Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(9)    Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
(10)    Charter of Fundamental Rights of the European Union (OJ C 326, 26.10.2012, p. 391–407).
(11)    Article 41 of the Charter of Fundamental Rights of the European Union. 
(12)    Article 8 of the Charter of the Fundamental Rights of the European Union.
(13)    Article 42 in the Charter of Fundamental Rights of the European Union.
(14)    Article 17 of the Charter of Fundamental rights of the European Union.
(15)    Directive 2001/29/EC of the European Parliament and of the Council of 22 May 2001 on the harmonisation of certain aspects of copyright and related rights in the information society (OJ L 167, 22.6.2001, p. 10–19).
(16)    Article 11 in the Charter of the Fundamental Rights of the European Union.
(17)    Regulation (Euratom) No 3/1958 implementing Article 24 of the Treaty establishing the European Atomic Energy Community (OJ 17, 6.10.1958, p. 406).
(18)    OJ 45, 14.6.1962, p. 1385.
(19)    Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents (OJ L 145, 31.5.2001, p. 43).
(20)    Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39).
(21)    Council Regulation (EEC, EURATOM) No 354/83 of 1 February 1983 concerning the opening to the public of the historical archives of the European Economic Community and the European Atomic Energy Community (OJ L 43, 15.2.1983, p. 1).
(22)    Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council of 18 July 2018 on the financial rules applicable to the general budget of the Union, amending Regulations (EU) No 1296/2013, (EU) No 1301/2013, (EU) No 1303/2013, (EU) No 1304/2013, (EU) No 1309/2013, (EU) No 1316/2013, (EU) No 223/2014, (EU) No 283/2014, and Decision No 541/2014/EU and repealing Regulation (EU, Euratom) No 966/2012 (OJ L 193, 30.7.2018, p. 1).
(23)    Regulation (EU) 2021/697 of the European Parliament and of the Council of 29 April 2021 establishing the European Defence Fund and repealing Regulation (EU) 2018/1092 (OJ L 170, 12.5.2021, p. 149).
(24)    Regulation […] of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union, to be adopted.
(25)    EAEC Council: Regulation No 3 implementing Article 24 of the Treaty establishing the European Atomic Energy Community (OJ 17, 6.10.1958, p. 406).
(26)    Interinstitutional Agreement between the European Parliament, the Council of the European Union and the European Commission on Better Law-Making (OJ L 123, 12.5.2016, p. 1–14).
(27)    Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018).
(28)    Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15–69).
(29)    OJ C 202, 8.7.2011, p. 13.
(30)    Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council.
(31)    Idem.
(32)    As referred to in Article 58(2)(a) or (b) of the Financial Regulation.
(33)    Details of management modes and references to the Financial Regulation may be found on the BudgWeb site: https://myintracomm.ec.europa.eu/budgweb/EN/man/budgmanag/Pages/budgmanag.aspx
(34)    Diff. = Differentiated appropriations / Non-diff. = Non-differentiated appropriations.
(35)    EFTA: European Free Trade Association.
(36)    Candidate countries and, where applicable, potential candidates from the Western Balkans.
(37)    Year N is the year in which implementation of the proposal/initiative starts. Please replace "N" by the expected first year of implementation (for instance: 2021). The same for the following years.
(38)    According to the official budget nomenclature.
(39)    Technical and/or administrative assistance and expenditure in support of the implementation of EU programmes and/or actions (former ‘BA’ lines), indirect research, direct research.
(40)    Outputs are products and services to be supplied (e.g.: number of student exchanges financed, number of km of roads built, etc.).
(41)    As described in point 1.4.2. ‘Specific objective(s)…’
(42)    Technical and/or administrative assistance and expenditure in support of the implementation of EU programmes and/or actions (former ‘BA’ lines), indirect research, direct research.
(43)    Sub-ceiling for external staff covered by operational appropriations (former ‘BA’ lines).
(44)    Year N is the year in which implementation of the proposal/initiative starts. Please replace "N" by the expected first year of implementation (for instance: 2021). The same for the following years.
(45)    As regards traditional own resources (customs duties, sugar levies), the amounts indicated must be net amounts, i.e. gross amounts after deduction of 20 % for collection costs.

Brussels, 22.3.2022

COM(2022) 119 final

ANNEX

to the

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on information security in the institutions, bodies, offices and agencies of the Union

{SWD(2022) 65 final} - {SWD(2022) 66 final}


ANNEX I

Protective measures for handling sensitive non-classified information

Marking and handling of sensitive non-classified information

1.Documents containing sensitive non-classified information must be marked using a security marking and, where relevant, one or more distribution markings specifying the target audience as appropriate. The standard security marking shall be the word ‘SENSITIVE’ in upper case, except in cases referred to in Article 15(2).

2.Documents containing sensitive non-classified information must only be accessible to recipients with a need-to-know for official purposes. Where distribution markings are used, permission must be requested from the originating Union institution or body to extend the distribution of a document.

3.All persons handling sensitive non-classified information must be made aware of the handling instructions.

4.Documents marked SENSITIVE are downgraded to EU NORMAL or PUBLIC USE, through the removal or striking of the markings.

5.When Union institutions and bodies destroy documents containing sensitive non-classified information, this must be done in such a way that they cannot be easily reconstructed. Paper copies must be shredded and electronic copies must be securely overwritten, physically destroyed or otherwise rendered irrecoverable.

Protection of sensitive non-classified information when working outside the sites of Union institutions and bodies 

6.Sensitive non-classified information must be protected from eavesdropping and observation during teleworking and missions outside the office, and must not be handled or stored in public.

7.Documents containing sensitive non-classified information must only be handled and stored on equipment or applications that are appropriately secured under the responsibility of Union institutions and bodies.

8.Union institutions and bodies must provide means to prevent unauthorised persons, including relatives, from accessing sensitive non-classified information handled or stored by the equipment of a Union institution or body, when working outside the place of employment.

9.Union institutions and bodies must instruct their personnel to:

(a)protect Union institutions’ or bodies’ equipment handling sensitive non-classified information from theft, loss and damage, and report immediately any adverse security event impacting their devices or the information therein;

(b)not share their devices with any unauthorised persons;

(c)not use the equipment for non-work related activities.

10.Union institutions and bodies must ensure that, as far as possible, their equipment or their appropriately secured applications are used to handle and store any sensitive non-classified documents in electronic format outside their sites. Handling of physical copies of sensitive non-classified documents outside the office should be avoided.

11.Where teleconference or videoconference tools are used, Union institutions and bodies must minimise the risk of unauthorised persons seeing or hearing the discussions by appropriately authenticating participants and using encrypted communications tools compatible with the need-to-know.

12.Union institutions and bodies shall provide training to all personnel working remotely on the handling of sensitive non-classified information when working outside the office.

Sharing sensitive non-classified information

13.Documents containing sensitive non-classified information may be shared between Union institutions and bodies without additional formalities.

14.Union institutions and bodies must only share documents containing sensitive non-classified information outside all Union institutions and bodies on the basis of a commitment that binds parties to respect the handling instructions.

15.Union institutions and bodies must notify the recipients of sensitive non-classified information of the obligation to not share the information with any parties outside the audience indicated by the distribution markings unless allowed by the originator.

16.Union institutions and bodies must protect the sensitive non-classified information that is provided or shared electronically through appropriate security measures including encryption in transit using appropriate cryptographic mechanisms.


Brussels, 22.3.2022

COM(2022) 119 final

ANNEX

to the

Proposal for a REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on information security in the institutions, bodies, offices and agencies of the Union

{SWD(2022) 65 final} - {SWD(2022) 66 final}


ANNEX II

Procedures for managing the authorisation to access European Union classified information (‘EUCI’)

Definitions

For the purposes of this Annex, the following definitions apply:

1) ‘Personnel Security Clearance’ or ‘PSC’ means a statement by a relevant authority of a Member State which is made following completion of a security investigation conducted by the competent authority and which certifies that an individual may be granted access to EUCI up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or higher) and for a set period of time;

2) ‘Personnel Security Clearance Certificate’ means a certificate issued by a competent authority establishing that an individual holds a valid security clearance, or equivalent, or a security authorisation and that shows the level of EUCI to which that individual may be granted access (CONFIDENTIEL UE/EU CONFIDENTIAL or higher), the period of validity of the relevant security clearance or authorisation and the date of expiry of the certificate itself.

Granting an authorisation to access EUCI

1.The Security Authority of the Union institution or body concerned must seek the written consent of the individual for the security clearance procedure before sending a completed security clearance questionnaire to the National Security Authority of the Member State of nationality of the applicant.

2.Where information relevant to a security investigation becomes known to a Union institution or body, concerning an individual who has applied for a security clearance for access to EUCI, the competent Security Authority, acting in accordance with this Regulation, must notify the relevant National Security Authority thereof.

3.Following notification of the relevant National Security Authority’s overall assessment of the findings of the security investigation, the competent Security Authority:

(a)may grant an authorisation to access EUCI to the individual concerned up to the relevant level for a limited period of time, in so far as the security investigation concludes on the loyalty, trustworthiness and reliability of the individual;

(b)must notify the applicant where the security investigation does not result in such a guarantee, in accordance with its relevant internal rules. 

4.Where the individual starts service 12 months or more after the date of the notification of the result of the security investigation, or when there is a break of 12 months in the individual’s service, the competent Security Authority must seek confirmation from the relevant National Security Authority about the validity of the security clearance.

Suspension and withdrawal of authorisation

5.Where information concerning a security risk posed by an individual who has authorisation to access EUCI becomes known to the Union institution or body concerned, the Security Authority of that Union institution or body must notify the relevant National Security Authority thereof and may suspend the individual’s access to EUCI or withdraw authorisation to access EUCI.

6.Where a National Security Authority notifies the relevant Union institution or body that there is no longer assurance for an individual who has access to EUCI, the Security Authority of the Union institution or body concerned must withdraw its security authorisation and exclude the individual from access to EUCI in accordance with its relevant internal rules.

Renewal of authorisation

7.After the initial granting of security authorisation and provided that the individual has had uninterrupted service with a Union institution or body and has a continuing need for access to EUCI, the authorisation to access EUCI must be reviewed for renewal before it expires.

8.The Security Authority of the Union institution or body concerned may extend the validity of an authorisation to access EUCI for a period of up to 12 months, where no adverse information has been received from the relevant National Security Authority or other competent national authority within a period of 2 months from the date of transmission of the request for renewal and the corresponding clearance questionnaire.

Where, at the end of the 12-month period referred to in the first subparagraph, the security investigation has still not been completed, the individual must not be assigned to duties that do require a security clearance.

9.The individual concerned must take a refresher course on handling and storing EUCI each time their security clearance is renewed.

Exceptional temporary security authorisation

10.The Security Authority of the Union institution or body concerned may exceptionally grant temporary authorisation to access EUCI provided that the competent National Security Authority has conducted a preliminary check, based on the completed and transmitted security questionnaire, to verify that no relevant adverse information is known.

11.Temporary authorisation to access EUCI can be valid for one single period not exceeding 6 months and must not allow access to information classified TRES SECRET UE/EU TOP SECRET.

12.After receiving a briefing in accordance with Article 26, all individuals who have been granted temporary authorisation to access EUCI must acknowledge in writing that they have understood their obligations in respect of protecting EUCI and the consequences if EUCI is compromised. The Security Authority of the Union institution or body concerned must keep a record of the written acknowledgement.

National experts seconded to Union institutions and bodies

13.All Union institutions and bodies must ensure that national experts seconded to them for a position requiring security clearance present, prior to taking up their assignment, a valid Personnel Security Clearance or Personnel Security Clearance Certificate, according to national law and regulations, to the competent Security Authority. Provided that the requirements referred to in Article 23(1) are met, the Security Authority may then grant an authorisation to access EUCI up to the level equivalent to the one referred to in the national security clearance, with a maximum validity not longer than the duration of their assignment.

Access to classified meetings

14.As regards the organisation of meetings where information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher is to be discussed, Union institutions and bodies must ensure that all participants are granted a security clearance or that their security authorisation status is known.

15.On the basis of the records for access to EUCI, the competent Security Authority of the Union institution or body concerned may issue a Personnel Security Clearance Certificate to an individual where it is needed for attendance at meetings outside that Union institution or body. The Personnel Security Clearance Certificate must state the level of EUCI to which the individual may be granted access (CONFIDENTIEL UE/EU CONFIDENTIAL or higher), the date of validity of relevant authorisation for access to EUCI and the date of expiry of the certificate itself.




ANNEX III

Measures for the physical protection of European Union classified information (‘EUCI’)

Equipment and organisational measures for the physical protection of EUCI

1.An Administrative Area must meet the following requirements:

(a)have a visibly defined perimeter which allows individuals and, where possible, vehicles to be checked;

(b)ensure that windows that might allow unauthorised visual access to EUCI within the area are made opaque or equipped with blinds, curtains, or other coverings;

(c)grant unescorted access only to individuals who are duly authorised by the Security Authority of the Union institution or body concerned;

(d)ensure that all other individuals are escorted at all times or subject to equivalent controls.

2.In addition to the requirements provided in point 1, a Secured Area must meet the following requirements:

(a)have a visibly defined and protected perimeter through which entry and exit is controlled at all times;

(b)be free of unauthorised communication lines, unauthorised telephones or other unauthorised communication devices and electrical or electronic equipment;

(c)be equipped with access control and a real-time monitoring intrusion detection system (‘IDS’) combined with response security personnel;

(d)be inspected at the end of normal working hours and at random intervals outside normal working hours where it is not occupied by duty personnel on a 24-hour basis and there is no real-time monitoring IDS in place;

(e)be managed by trained, supervised and appropriately security cleared security personnel;

(f)have security operating procedures including the following elements:

(i)the level of EUCI which may be handled, discussed and stored in the area;

(ii)the surveillance and protective measures to be maintained;

(iii)the individuals authorised to have unescorted access to the area by virtue of their authorisation to access EUCI and need-to-know;

(iv)where appropriate, the procedures for escorts or for protecting EUCI when authorising any other individuals to access the area;

(v)any other relevant measures and procedures.

3.Where entry into a Secured Area constitutes direct access to the classified information contained in it, the area must be established as a Class I Area and where that is not the case the area must be established as a Class II Area.

For both classes of Secured Area referred to in the first subparagraph and in addition to the requirements provided in point 2, the Security Department/Officer of the Union institution or body concerned must clearly indicate the level of the highest security classification of the information normally held in the area and must clearly define a perimeter which allows individuals and, where possible, vehicles to be checked.

Union institutions and bodies must ensure that individuals accessing a Secured Area fulfil the following criteria:

(a)require specific authorisation to enter the area;

(b)be escorted at all times;

(c)be appropriately security cleared unless steps are taken to ensure that no access to EUCI is possible.

4.A Secured Area protected against passive and active eavesdropping must be designated as a technically Secured Area. The following requirements apply in addition to those for Secured Areas:

(a)it must be equipped with an IDS, be locked when not occupied and be guarded when occupied. Any keys must be managed in accordance with Article 29(3);

(b)it must be inspected regularly, physically or technically, or both, by the Security Authority of the Union institution or body concerned. Such inspections must also be conducted following any unauthorised entry or suspicion of such entry;

(c)it must have appropriate acoustic and TEMPEST protection.

5.All persons entering technically Secured Areas must comply with the requirements set out in point 3.

6.Secured Areas and technically Secured Areas may be set up temporarily within an Administrative Area for a classified meeting or any other similar purpose.

7.Strong rooms must be constructed within Secured Areas. A strong room is a room with reinforced physical construction where the Security Authority of the Union institution or body concerned approves the walls, floors, ceilings, windows and lockable doors. Such rooms must afford equivalent protection to a security container approved for the storage of EUCI of the same classification level.

Physical protective measures for handling and storing EUCI

8.EUCI which is classified RESTREINT UE/EU RESTRICTED must be handled and stored in any of the following areas:

(a)in a Secured Area; 

(b)in an Administrative Area provided the EUCI is protected from access by unauthorised individuals;

(c)outside a Secured Area or Administrative Area provided the holder has undertaken to comply with compensatory measures decided by the Security Authority of each Union institution and body.

9.EUCI which is classified RESTREINT UE/EU RESTRICTED must be stored in locked office furniture in an Administrative Area or a Secured Area. It may temporarily be stored outside an Administrative Area or a Secured Area provided the holder has undertaken to store the documents concerned in appropriate locked office furniture when they are not being read or discussed.

10.Union institutions and bodies may handle and store RESTREINT UE/EU RESTRICTED information outside their sites provided the relevant information is protected appropriately. For such purpose, Union institutions and bodies must comply with the measures provided in point 8(c).

11.CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET information must be handled and stored in one of the following areas:

(a)in a Secured Area; 

(b)in an Administrative Area provided the EUCI is protected from access by unauthorised individuals;

(c)outside a Secured Area or an Administrative Area where limited in volume and time and provided the holder has undertaken to comply with compensatory measures decided by the Security Authority of the Union institution or body concerned. In addition, the holder of EUCI must take the following steps:

(i)notify the relevant registry of the fact that classified documents are being handled outside protected areas;

(ii)keep the document under their control at all times.

12.CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET information must be stored in a Secured Area accredited to that level by the competent Security Accreditation Authority of the Union institution or body concerned, either inside a security container or inside a strong room.

13.Documents classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher can only be copied by the relevant Registry.

14.TRES SECRET UE/EU TOP SECRET information must be handled and stored in a Secured Area accredited to that level. To that end, Union institutions and bodies may conclude the necessary arrangements to use a Secured Area hosted and accredited to the appropriate level by the Security Accreditation Authority of another Union institution or body.

15.TRES SECRET UE/EU TOP SECRET information must be stored in a Secured Area, accredited to that level by the Security Accreditation Authority of the competent Union institution or body concerned, under one of the following conditions:

(a)in a security container approved by the Security Authority of each Union institution and body with one of the following supplementary controls:

(i)continuous protection or verification by cleared security staff or duty personnel; 

(ii)an approved IDS in combination with security response personnel;

(b)in an IDS-equipped strong room in combination with security response personnel.




ANNEX IV

Security measures for European Union classified information (‘EUCI’) management

For the purposes of this Annex, ‘commercial courier’ means the national postal services and private carriers that offer a service where documents are delivered in exchange for a fee and are either personally hand carried or tracked.

Carriage of EUCI

1.Whenever possible, Union institutions and bodies that take EUCI outside Secured Areas or Administrative Areas must send it electronically by appropriate accredited means or protect it by approved cryptographic products.

2.When carrying EUCI, Union institutions and bodies must apply protective measures, meeting the following requirements:

(a)be commensurate with the level of classification of the EUCI carried;

(b)be adapted to the specific conditions of its carriage, as well as to the nature and the form of EUCI carried.

3.Where carried physically by hand in the form of paper documents or on removable storage media, the EUCI must remain in the possession of the bearer and must not be opened until it reaches its final destination.

4.Individuals or couriers carrying information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher must be security authorised, briefed on their security responsibilities and, where necessary, must be provided with a courier certificate, issued by the relevant department’s EUCI Registry.

5.Guards and escorts must be security cleared to the relevant level and be briefed on security procedures for protecting EUCI.

6.Where using removable storage media, Union institutions and bodies must either protect the media by an encryption product or encrypt the documents themselves.

Packaging of EUCI

7.As regards the packaging of EUCI, Union institutions and bodies must ensure that the contents are covered from view.

8.RESTREINT UE/EU RESTRICTED information must be carried in at least one layer of opaque packaging, such as envelopes, opaque folders or a briefcase. Information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher must be carried in two layers of opaque packaging.

9.The outer packaging must not bear any indication of the nature or classification level of its contents. The inner layer of packaging must bear the EUCI marking. Both layers must state the intended recipient’s name, job title and address, as well as a return address in case delivery proves to be impossible.

Transport by commercial couriers

10.Commercial couriers may convey information classified RESTREINT UE/EU RESTRICTED and CONFIDENTIEL UE/EU CONFIDENTIAL within a Member State and from one Member State to another. Commercial couriers may deliver SECRET UE/EU SECRET information only within a Member State and provided that they are approved by the relevant National Security Authority. No EUCI at TRES SECRET UE/EU TOP SECRET level can be entrusted to a commercial courier.

11.Commercial courier services must deliver consignments of information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher only to the Registry Control Officer, to the duly authorised substitute or to the intended recipient. A registration receipt form must be placed inside the inner envelope or inner layer of packaging for the recipient to complete and return. The registration receipt, which in itself is not classified, must quote the reference number, date and copy number of the document, but not the subject.

12.Delivery receipts are required in the outer envelope or outer packaging. The delivery receipt, which in itself is not classified, must quote the reference number, date and copy number of the document, but not the subject.

13.The courier service must obtain and provide the sender with proof of delivery of the consignment on the signature and tally record, or the courier must obtain receipts or package numbers.

14.The sender must liaise with the named recipient before the consignment is sent to reach an agreement on a suitable date and time for delivery.

15.Commercial couriers may use the services of a sub-contractor.

16.Services offered by commercial couriers providing electronic transmission of registered delivery documents must not be used for EUCI.

Measures related to classified meetings

17.Union institutions and bodies must forewarn the participants of the intention to discuss classified topics during a meeting, and of the corresponding security measures that will apply.

18.Union institutions and bodies must check that participants at classified meetings have a need-to-know, and where appropriate they must be security cleared and/or authorised to the appropriate level.

19.Union institutions and bodies must only discuss information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher in a meeting room that has been accredited at the appropriate level or higher. Similarly, only accredited IT equipment must be used where classified information is conveyed during a meeting. The Chair must ensure that unauthorised portable electronic devices are left outside the meeting room.

20.The meeting organisers of Union institutions and bodies must inform their Security Authority of any external visitors who will attend a meeting classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher that is to be held on the premises of the Union institution or body concerned.

21.Only Communication and Information Systems accredited in accordance with Chapter 5, Section 5 of this Regulation may be used where classified information is conveyed during virtual meetings.




ANNEX V

Protection of European Union classified information (‘EUCI’) in classified contracts and grant agreements

For the purposes of this Annex, in addition to the definitions set out in Annexes II and IV, ‘Facility security clearance’ or ‘FSC’ means an administrative determination by a National Security Authority, a Designated Security Authority or any other competent security authority that, from the security viewpoint, a facility can afford an adequate level of protection to EUCI to a specified security classification level.

Access to EUCI by personnel of contractors and beneficiaries

1.Each Union institution or body, as contracting or granting authority, shall ensure that classified contracts or grant agreements include provisions indicating that personnel of a contractor, subcontractor or beneficiary who, for the performance of the classified contract, subcontract or grant agreement, require access to EUCI may be granted such access only if the following conditions are met:

(a)it has been established that they have a need-to-know;

(b)for information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET, they have been granted a Personnel Security Clearance (‘PSC’) at the relevant level by the respective National Security Authority, Designated Security Authority or any other competent security authority;

(c)they have been briefed on the applicable security rules for protecting EUCI, and have acknowledged their responsibilities with regard to protecting such information.

2.Where a contractor or beneficiary wishes to employ a national of a third country in a position that requires access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET, it is the responsibility of the contractor or beneficiary to initiate the security clearance procedure of such a person in accordance with national laws and regulations applicable at the location where access to the EUCI is to be granted.

Facility security clearance (‘FSC’)

3.A Facility security clearance (‘FSC’) is granted by the National Security Authority or Designated Security Authority or any other competent security authority of a Member State to indicate that in accordance with national laws and regulations, an entity can protect EUCI at the appropriate classification level (CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET) within its facilities.

4.A Union institution or body, as contracting or granting authority, must notify, through its Security Authority, the appropriate National Security Authority or Designated Security Authority or any other competent security authority where an FSC is required for performing the contract or grant agreement.

5.An FSC is required where information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET has to be provided to the facilities of the candidates, the tenderers or applicants in the course of the procurement or grant award procedure.

6.A Union institution or body, as contracting or granting authority, must have received confirmation, through its Security Authority, of an FSC for the candidate, tenderer or contractor, or for the grant applicant or beneficiary before granting it access to EUCI. 

7.Where Member States do not issue FSCs for certain establishments under national laws, the contracting or granting authority must verify with the National Security Authority or Designated Security Authority concerned whether those establishments are capable of handling EUCI at the required level.

8.With the exception of the cases referred to in point 7, the Union institution or body, as contracting authority, must not sign a classified contract or a classified grant agreement before receiving confirmation, through its Security Authority, from the relevant National Security Authority, Designated Security Authority or any other competent national authority that an appropriate FSC has been issued.

9.Withdrawal of an FSC by the relevant National Security Authority, Designated Security Authority or any other competent security authority constitutes sufficient grounds for the contracting or granting authority to terminate a classified contract or grant agreement, or exclude a candidate, tenderer or applicant from the competition.

Provisions for tendering and implementation of classified contracts and grant agreements

10.Where EUCI is provided to a candidate, tenderer or applicant during the procurement or selection procedure, the call for tender or call for proposal must include an obligation for the candidate, tenderer or applicant which is not selected, to return all classified documents within a specified period of time.

11.As a general rule, the contractor or grant beneficiary is required to return any EUCI held by it to the contracting or granting authority upon termination of the classified contract or the grant agreement or upon the end of the participation of a grant beneficiary.

12.Specific provisions for the disposal of EUCI during the performance of the classified contract or grant agreement or upon its termination must be laid down in the Security Aspects Letter.

13.Where the contractor or grant beneficiary is authorised to retain EUCI after termination of a classified contract or grant agreement, they must continue to comply with the minimum standards contained in this Regulation and the confidentiality of EUCI must be protected by the contractor or the grant beneficiary.

14.The conditions relevant for the protection of EUCI under which the contractor or beneficiary may subcontract must be defined in the call for tender or the call for proposals, and in the classified contract or grant agreement.

15.A contractor or beneficiary must obtain permission from the contracting or granting authority before subcontracting any parts of a classified contract or classified parts of a grant agreement.

16.The contractor or beneficiary must be responsible for ensuring that all subcontracting activities are undertaken in accordance with the minimum standards laid down in this Regulation and must not provide EUCI to a subcontractor without the prior written consent of the contracting or granting authority.

17.With regard to EUCI created by the contractor or beneficiary, the Union institution or body, which is the contracting or granting authority, is considered the originator and exercises the rights incumbent on the originator.

18.Where Member States require an FSC or a Personnel Security Clearance for contracts, grant agreements or subcontracts at RESTREINT UE/EU RESTRICTED level under their national laws and regulations, the Union institutions and bodies, as contracting or granting authorities, must not use those national requirements to place additional obligations on other Member States or exclude tenderers, applicants, contractors, beneficiaries or subcontractors from Member States that have no such FSC or Personnel Security Clearance requirements for access to RESTREINT UE/EU RESTRICTED information from related contracts, grant agreements or subcontracts, or a competition for such.

Visits in connection with classified contracts and grant agreements

19.Where the Union institutions and bodies, contractors, beneficiaries or subcontractors require access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET on each other’s premises in the context of the implementation of a classified contract or grant agreement, visits must be arranged in liaison with the National Security Authorities, Designated Security Authorities or any other competent security authorities concerned.

20.The visits referred to in point 19 are subject to the following requirements:

(a)the visit must have an official purpose related to a classified contract or grant agreement;

(b)visitors must hold a Personnel Security Clearance at the required level and have a need-to-know in order to access EUCI used or generated in the performance of a classified contract or grant agreement;

(c)a formal request to visit must be submitted either to the facility’s relevant National Security Authority or Designated Security Authority or to the Security Authority of the Union institution or body concerned at least 15 days before the date of the visit.

21.In the context of specific projects, the relevant National Security Authority or Designated Security Authority and the Security Authority of the Union institution or body concerned, may agree on a procedure whereby visits in relation to a specific classified contract or grant can be arranged directly between the visitor’s security officer and the security officer of the facility to be visited. Such an exceptional procedure must be set out in the Programme or Project Security Instruction or other specific arrangements.

22.Visits involving access to information classified RESTREINT UE/EU RESTRICTED must be arranged directly between the sending and receiving entity.

Electronic transmission of EUCI in connection with classified contracts and grant agreements

23.Electronic handling and transmission of EUCI must be carried out in accordance with Chapter 5, Section 5.

The CISs owned by a contractor, beneficiary or subcontractor and used to handle and store EUCI for the performance of the contract or grant agreement must be subject to accreditation by the Security Accreditation Authority (‘SAA’) of the country or the international organisation under whose authority the contractor, beneficiary or subcontractor functions.

Any electronic transmission of EUCI in the context of classified contracts and grant agreements must be protected by cryptographic products approved in accordance with Article 42.

24.The security accreditation of contractors’ or beneficiaries’ CIS handling EUCI at RESTREINT UE/EU RESTRICTED level and any interconnection thereof may be delegated to the security officer of a contractor or beneficiary where allowed by national laws and regulations.

Where the security accreditation task is delegated, the contractor or beneficiary must be responsible for implementing the security requirements described in the Security Aspects Letter when handling RESTREINT UE/EU RESTRICTED information in its CIS. The relevant National Security Authorities or Designated Security Authorities and SAAs retain responsibility for the protection of information classified RESTREINT UE/EU RESTRICTED handled or stored by the contractor or beneficiary and the right to inspect the security measures taken by the contractor or beneficiary.

In addition, the contractor or beneficiary must provide the Union institution or body, as contracting or granting authority, and where required by national laws and regulations, the competent national SAA, with a statement of compliance certifying that the contractor or beneficiary CIS and related interconnections have been accredited for handling and storing EUCI at RESTREINT UE/EU RESTRICTED level.

Hand carriage of EUCI in connection with classified contracts and grant agreements

25.The hand carriage of classified information related to the classified contracts and grant agreements must be subject to strict security requirements.

26.RESTREINT UE/EU RESTRICTED information may be hand carried by contractor or beneficiary personnel within the European Union, provided the following requirements are met:

(a)the envelope or packaging used is opaque and bears no indication of the classification of its contents;

(b)the bearer retains possession of the classified information at all times;

(c)the envelope or packaging is not opened until it reaches its final destination.

27. As regards information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET, hand carriage by contractor or beneficiary personnel within a Member State is arranged in advance between the sending and receiving entities.

The dispatching authority or facility informs the receiving authority or facility of the details of the consignment, including reference, classification, expected time of arrival and name of courier. Hand carriage is permitted, provided the following requirements are met:

(a) the classified information is carried in a double envelope or packaging;

(b) the outer envelope or packaging is secured and bears no indication of the classification of its contents, while the inner envelope bears the level of classification;

(c) the bearer retains possession of the EUCI at all times;

(d) the envelope or packaging is not opened until it reaches its final destination;

(e) the envelope or packaging is carried in a lockable briefcase or similar approved container of such size and weight that it can be kept at all times by the bearer;

(f) the courier carries a courier certificate issued by their competent Security Authority authorising the courier to carry the classified consignment as identified.

28. As regards hand carriage by contractor or beneficiary personnel of information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET from one Member State to another, the following rules apply in addition to the requirements set out in point 27:

(a) the courier is responsible for the safe custody of the classified material carried until it is handed over to the recipient;

(b) in the event of a security breach, the sender's National Security Authority or Designated Security Authority may request the authorities in the country where the breach occurred to carry out an investigation, report their findings and take legal or other action as appropriate;

(c) the courier must have been briefed on all the security obligations to be observed during carriage and must have signed an appropriate acknowledgement;

(d) the instructions for the courier must be attached to the courier certificate;

(e) the courier must be provided with a description of the consignment and an itinerary;

(f) the courier certificate and the associated documents must be returned to the issuing National Security Authority or Designated Security Authority upon completion of the trip or trips, or be kept available by the recipient of the courier certificate for monitoring purposes;

(g) where customs, immigration authorities or border police ask to examine and inspect the consignment, they must be permitted to open and observe sufficient parts of the consignment to establish that it contains no material other than that which is declared;

(h) customs authorities should be urged to honour the official authority of the shipping documents and of the authorisation documents carried by the courier.

Where a consignment is opened by customs, it should be done out of sight of unauthorised persons and in the presence of the courier where possible. The courier must request that the consignment be repacked and ask the authorities conducting the inspection to reseal the consignment and confirm in writing that it was opened by them.

29. Hand carriage by contractor or beneficiary personnel of information classified up to SECRET UE/EU SECRET level to a third country or an international organisation is subject to the provisions of the security of information agreement concluded between the European Union and that third country or international organisation.

Transport of EUCI by commercial couriers and as freight in connection with classified contracts and grant agreements

30. The transport of EUCI by commercial couriers must be conducted in accordance with the relevant provisions of Annex IV.

31. As regards the transport of classified material as freight, the following principles must be applied when determining security arrangements:

(a) security must be assured at all stages during transportation, from the point of origin to the final destination;

(b) the degree of protection afforded to a consignment must be determined by the highest classification level of material contained within it;

(c) an FSC at the appropriate level must be obtained for companies providing transportation. In such cases, personnel handling the consignment must be security cleared;

(d) prior to any cross-border movement of material classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET, a transportation plan must be drawn up by the consignor and approved by the National Security Authority, Designated Security Authority or any other competent security authority concerned;

(e) trips must be point-to-point to the extent possible, and must be completed as quickly as the circumstances permit;

(f) wherever possible, routes must be only through Member States. Routes through third countries must only be undertaken if authorised by the National Security Authority, Designated Security Authority or any other competent security authority of the States of both the consignor and the consignee.


Brussels, 22.3.2022

COM(2022) 119 final

ANNEX

to the

Proposal for a

REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

on information security in the institutions, bodies, offices and agencies of the Union

{SWD(2022) 65 final} - {SWD(2022) 66 final}


ANNEX VI

Equivalence of security classifications

Member State and EURATOM equivalent security classifications

| EU | TRES SECRET UE/EU TOP SECRET | SECRET UE/EU SECRET | CONFIDENTIEL UE/EU CONFIDENTIAL | RESTREINT UE/EU RESTRICTED |
|---|---|---|---|---|
| EURATOM | EURA TOP SECRET | EURA SECRET | EURA CONFIDENTIAL | EURA RESTRICTED |
| Belgium | Très Secret (Loi 11.12.1998) / Zeer Geheim (Wet 11.12.1998) | Secret (Loi 11.12.1998) / Geheim (Wet 11.12.1998) | Confidentiel (Loi 11.12.1998) / Vertrouwelijk (Wet 11.12.1998) | see note 1 below |
| Bulgaria | Строго секретно | Секретно | Поверително | За служебно ползване |
| Czech Republic | Přísně tajné | Tajné | Důvěrné | Vyhrazené |
| Denmark | YDERST HEMMELIGT | HEMMELIGT | FORTROLIGT | TIL TJENESTEBRUG |
| Germany | STRENG GEHEIM | GEHEIM | VS (2) — VERTRAULICH | VS — NUR FÜR DEN DIENSTGEBRAUCH |
| Estonia | Täiesti salajane | Salajane | Konfidentsiaalne | Piiratud |
| Ireland | Top Secret | Secret | Confidential | Restricted |
| Greece | Άκρως Απόρρητο, Abr: (ΑΑΠ) | Απόρρητο, Abr: (ΑΠ) | Εμπιστευτικό, Abr: (ΕΜ) | Περιορισμένης Χρήσης, Abr: (ΠΧ) |
| Spain | SECRETO | RESERVADO | CONFIDENCIAL | DIFUSIÓN LIMITADA |
| France | TRÈS SECRET / TRÈS SECRET DÉFENSE (3) | SECRET / SECRET DÉFENSE (3) | CONFIDENTIEL DÉFENSE (3)(4) | see note 5 below |
| Croatia | VRLO TAJNO | TAJNO | POVJERLJIVO | OGRANIČENO |
| Italy | Segretissimo | Segreto | Riservatissimo | Riservato |
| Cyprus | Άκρως Απόρρητο, Abr: (ΑΑΠ) | Απόρρητο, Abr: (ΑΠ) | Εμπιστευτικό, Abr: (ΕΜ) | Περιορισμένης Χρήσης, Abr: (ΠΧ) |
| Latvia | Sevišķi slepeni | Slepeni | Konfidenciāli | Dienesta vajadzībām |
| Lithuania | Visiškai slaptai | Slaptai | Konfidencialiai | Riboto naudojimo |
| Luxembourg | Très Secret Lux | Secret Lux | Confidentiel Lux | Restreint Lux |
| Hungary | ‘Szigorúan titkos!’ | ‘Titkos!’ | ‘Bizalmas!’ | ‘Korlátozott terjesztésű!’ |
| Malta | L-Ogħla Segretezza / Top Secret | Sigriet / Secret | Kunfidenzjali / Confidential | Ristrett / Restricted (6) |
| Netherlands | Stg. ZEER GEHEIM | Stg. GEHEIM | Stg. CONFIDENTIEEL | Dep. VERTROUWELIJK |
| Austria | Streng Geheim | Geheim | Vertraulich | Eingeschränkt |
| Poland | Ściśle Tajne | Tajne | Poufne | Zastrzeżone |
| Portugal | Muito Secreto | Secreto | Confidencial | Reservado |
| Romania | Strict secret de importanță deosebită | Strict secret | Secret | Secret de serviciu |
| Slovenia | STROGO TAJNO | TAJNO | ZAUPNO | INTERNO |
| Slovakia | Prísne tajné | Tajné | Dôverné | Vyhradené |
| Finland | ERITTÄIN SALAINEN / YTTERST HEMLIG | SALAINEN / HEMLIG | LUOTTAMUKSELLINEN / KONFIDENTIELL | KÄYTTÖ RAJOITETTU / BEGRÄNSAD TILLGÅNG |
| Sweden | Kvalificerat hemlig | Hemlig | Konfidentiell | Begränsat hemlig |

(1) Diffusion Restreinte/Beperkte Verspreiding is not a security classification in Belgium. Belgium handles and protects ‘RESTREINT UE/EU RESTRICTED’ information as set out in the Agreement between the Member States meeting within the Council, regarding the protection of classified information exchanged in the interest of the EU (2011/C 202/05).

(2) Germany: VS = Verschlusssache.

(3) Information generated by France before 1 July 2021 and classified ‘TRÈS SECRET DÉFENSE’, ‘SECRET DÉFENSE’ or ‘CONFIDENTIEL DÉFENSE’ continues to be handled and protected at the equivalent level of ‘TRÈS SECRET UE/EU TOP SECRET’, ‘SECRET UE/EU SECRET’ and ‘CONFIDENTIEL UE/EU CONFIDENTIAL’ respectively.

(4) France handles and protects CONFIDENTIEL UE/EU CONFIDENTIAL in accordance with the French security measures for protecting ‘Secret’ information.

(5) France does not use the classification ‘RESTREINT’ in its national system. France handles and protects ‘RESTREINT UE/EU RESTRICTED’ information as set out in the Agreement between the Member States meeting within the Council, regarding the protection of classified information exchanged in the interest of the EU (2011/C 202/05).

(6) The Maltese and English markings for Malta can be used interchangeably.