Legal provisions of COM(2022)119 - Information security in the institutions, bodies, offices and agencies of the Union

Please note

This page contains a limited version of this dossier in the EU Monitor.

dossier COM(2022)119 - Information security in the institutions, bodies, offices and agencies of the Union.
document COM(2022)119 EN
date March 22, 2022


Chapter 1
General provisions

Contents

Article 1 - Subject matter 

1. This Regulation lays down information security rules for all Union institutions and bodies.

Article 2 - Scope

1. This Regulation shall apply to all information handled and stored by the Union institutions and bodies, including information related to activities of the European Atomic Energy Community, other than Euratom Classified Information.

2. It shall apply to the following confidentiality levels of information:

(a)three levels of non-classified information: public use, normal and sensitive non-classified;

(b)four levels of EU classified information: RESTREINT UE/EU RESTRICTED, CONFIDENTIEL UE/EU CONFIDENTIAL, SECRET UE/EU SECRET, TRES SECRET UE/EU TOP SECRET.

3. These levels are based on the damage that unauthorised disclosure may cause to the legitimate private and public interests, including those of the Union, Union institutions and bodies and Member States or other stakeholders, so that the appropriate protective measures can be applied.

Article 3 - Definitions

For the purpose of this Regulation, the following definitions apply:

(a)‘information’ means any data in oral, visual, electronic, magnetic, or physical form, or in the form of material, equipment or technology and includes reproductions, translations and material in the process of development;

(b)‘information security’ means ensuring the authenticity, availability, confidentiality, integrity and non-repudiation of information;

(c)‘handling’ of information means all possible actions to which the information can be subject throughout its life cycle; it comprises its creation, collection, registration, assignment of a confidentiality level, processing, display, consultation, carriage, transmission, downgrading, declassification, archiving and destruction;

(d)'storing' means the act of keeping information on any medium to ensure its availability for future use;

(e)‘Union institutions and bodies’ means the Union institutions, bodies, offices and agencies set up by, or on the basis of, the Treaty on European Union, the Treaty on the functioning of European Union, the Treaty establishing the European Atomic Energy Community or a legislative act;

(f)‘Euratom classified information’ means information within the meaning of Regulation No 3/1958 of the Council of the European Atomic Energy Community;

(g)‘Security Authority’ means the security function of each Union institution and body,  designated in accordance with its rules of procedure or founding act;

(h)‘information security risk management process’ means the entire process of identifying, controlling and minimising uncertain events that may affect the security of an organisation or of the systems it uses; it covers the entirety of risk-related activities, including assessment, treatment, acceptance and communication;

(i)‘asset’ means anything that is of value to a Union institution or body, its operations and their continuity, including information resources that support their mission;

(j)‘security operating procedures’ means a set of documented procedures, as referred to in Annex III, for the operation of a Secured Area, a communication and information system or other security-related asset or service to ensure its effectiveness;

(k)‘communication and information system’ or ‘CIS’ means any system enabling the handling and the storage of information in electronic form, including all assets required for its operation;

(l)‘information assurance’ means the certainty that the communication and information systems will protect the information they handle and store and will function as they need to, when they need to, under the control of legitimate users, while ensuring appropriate levels of authenticity, availability, confidentiality, integrity and non-repudiation;

(m)‘accreditation’ means the formal authorisation from the Security Accreditation Authority for a communication and information system to process, or a Secured Area to store a pre-defined level of EUCI;

(n)‘accreditation process’ means the steps and tasks required prior to accreditation;

(o)‘TEMPEST security measures’ means measures to protect any CIS handling and storing information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher against compromise of such information through unintentional electromagnetic emanations;

(p)‘CERT-EU’ means the Cybersecurity Centre for the Union institutions and bodies within the meaning of Regulation (EU) [...] of the European Parliament and of the Council laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union;

(q)‘information security incident’ means any event potentially compromising the authenticity, availability, confidentiality, integrity or non-repudiation of stored, transmitted or processed information;

(r)‘need-to-know’ means the necessity for an individual to access specified information handled or stored by an Union institution or body in order to fulfil the tasks of that particular Union institution or body;

(s)‘zero trust’ means a security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement of the existence of threats inside and outside traditional network boundaries;

(t)‘marking’ means a label that is applied to information to ensure that the appropriate security measures are applied;

(u)‘security marking’ means a marking indicating the level of confidentiality of the information;

(v)‘distribution marking’ means a marking indicating the intended addressees of information within originating Union institution or body;

(w)‘releasability marking’ means a marking indicating the permitted addressees outside the originating Union institution or body;

(x)‘system owner’ means the individual responsible for the overall procurement, development, integration, modification, operation, maintenance and retirement of a communication and information system;

(y)‘threat to information security’ means an event or agent that can reasonably be expected to adversely affect information security if not responded to and controlled;  

(z)‘vulnerability’ means a weakness, susceptibility or flaw of an asset, system, process or control that can be exploited by one or more threats;

(aa)‘risk’ means the potential adverse effect of a given threat, possibly exploiting internal and external vulnerabilities of a Union institution or body or of the systems it uses, causing harm to the legitimate public and private interests, measured as a combination of the likelihood of threats occurring and their impact;

(ab)‘residual risk’ means the risk which remains after security measures have been implemented;

(ac)‘risk assessment’ means identifying threats and vulnerabilities and conducting the related risk analysis, there is to say the analysis of probability and impact;

(ad)‘risk treatment’ means mitigating, removing, reducing (through an appropriate combination of technical, physical, organisational or procedural measures), transferring or monitoring the risk;

(ae)‘European cybersecurity certificate’ means a certificate within the meaning of Article 2(11) of Regulation EU 2019/881 28 ;

(af)‘holder’ means a duly authorised individual with an established need-to-know who is in possession of an item of information requiring protection and accordingly responsible for protecting it;

(ag)‘material’ means any document, data carrier or item of machinery or equipment, either manufactured or in the process of manufacture;

(ah)‘European Union classified information’ or ‘EUCI’ means any information or material designated by an EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the Union or of one or more of the Member States;

(ai)‘authorisation to access EUCI’ means a decision by a Security Authority that an official, other servant or seconded national expert of a Union institution or body may be granted access to EUCI up to a specified level for a set period of time;

(aj)‘National Security Authority’ or ‘NSA’ means a government authority of a Member State with ultimate responsibility for the security of classified information in that Member State;

(ak)‘Designated Security Authority’ or ‘DSA’ means an authority of a Member State (NSA or any other competent authority) which is responsible for providing direction and assistance in the implementation of industrial security or in clearances procedures, or both;

(al)‘security investigation’ means the investigative procedures conducted by the competent authority of a Member State in accordance with its national law and regulations in order to obtain an assurance that nothing adverse is known which would prevent an individual from being granted a security clearance up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or higher);

(am)‘physical security’ means the application of physical, technical and organisational measures to premises, buildings, rooms, offices or facilities of a Union institution or body that require protection against unauthorised access to information that is handled, stored or discussed therein;

(an)‘sites’ means the premises, buildings, rooms, offices or facilities of a Union institution or body;

(ao)‘defence in depth’ means a type of security which uses several independent layers of security controls to ensure that where one fails another will be operative;

(ap)‘cryptographic (crypto) material’ means cryptographic algorithms, cryptographic hardware and software modules, and products including implementation details and associated documentation and keying material;

(aq)‘cryptographic product’ means a product whose primary and main functionality is the provision of security services (authenticity, availability, confidentiality, integrity and non-repudiation) through one or more cryptographic mechanisms;

(ar)‘originator’ means the Union institution or body, Member state, third country or international organisation under whose authority classified information has been created or introduced into the Union’s structures;

(as)‘document’ means any content, whatever its medium (paper, electronic, magnetic or other), in written form or visual or audiovisual recording;

(at)‘registration for security purposes’ means the application of procedures which record the life-cycle of material, including its dissemination and destruction;

(au)‘declassification’ means the removal of any security classification;

(av)‘downgrading’ means a reduction in the level of security classification;

(aw)‘classified contract’ means a framework contract or a contract, as referred to in Regulation (EU, Euratom) 2018/1046 of the European Parliament and of the Council, entered into by a Union institution or body, with a contractor for the supply of movable or immovable assets, the execution of works or the provision of services, the performance of which requires or involves the handling, including creation, or storing of EUCI;

(ax)’classified grant agreement’ means an agreement whereby a Union institution or body awards a grant, as referred to in Title VIII of Regulation (EU, Euratom) 2018/1046, the performance of which requires or involves the handling, including creation, or storing of EUCI;

(ay)’classified subcontract’ means a contract entered into by a contractor or beneficiary of a Union institution or body, with a subcontractor for the supply of movable or immovable assets, the execution of works or the provision of services, the performance of which requires or involves the handling, including creation, or storing of EUCI;

(az)‘Programme or Project Security Instruction’ or ‘PSI’ means a list of security procedures which are applied to a specific programme or project in order to standardise security procedures;

(ba)‘Security Aspects Letter’ or ‘SAL’ means a set of special contractual conditions, issued by the contracting or granting authority, which forms an integral part of any classified contract or grant agreement involving access to or the creation of EUCI, that identifies the security requirements and those elements of the contract or grant requiring security protection;

(bb)‘Security Classification Guide’ or ‘SCG’ means a document which describes the elements of a programme, project, contract or grant agreement which are classified, specifying the applicable security classification levels;

Article 4 - General principles 

1. Each Union institution and body shall be responsible for the implementation of the provisions of this Regulation within its organisation taking account of its own information security risk management process.

2. Non-compliance with this Regulation, in particular the unauthorised disclosure of  information with the confidentiality levels referred to in Article 2(2), except information for public use shall be subject to investigation and may  trigger personnel liability in accordance with the Treaties or with their relevant staff rules.

3. Union institutions and bodies shall assess all information they handle and store in order to categorise it in accordance with the confidentiality levels referred to in Article 2(2).

4. Union institutions and bodies shall determine the security needs of all information they handle and store considering the following aspects: 

(a)authenticity: the guarantee that information is genuine and from bona fide sources;

(b)availability: accessibility and usability upon request by an authorised entity;

(c)confidentiality: non-disclosure of information to unauthorised individuals, entities, or processes;

(d)integrity: the fact that the information is complete and completeness of information is unaltered;

(e)non-repudiation: the ability to prove an action or event has taken place, so that that event or action cannot subsequently be denied;

5. For each communication and information system under their responsibility, the Union institutions and bodies shall identify the highest confidentiality level that such communication and information system can handle and store, carry out a information security risk assessment and regularly monitor the security needs and the correct implementation of the identified protective measures. 

6. All Union institutions and bodies shall provide training and awareness activities on how to handle and store non-classified information and EUCI. 

Union institutions and bodies handling and storing EUCI shall organise mandatory training at least once every 5 years for all individuals authorised to access EUCI. The Union institutions and bodies concerned shall organise specific training for the specific functions entrusted with information security tasks.

A Union institution or body may coordinate such training and awareness activities with other Union institutions and bodies.

Article 5 - Information security risk management process

1. Each Union institution and body shall establish an information security risk management process for the protection of the information they handle and store.

2. The information security risk management process shall include the following steps:

(a)threat and vulnerability identification;

(b)risk assessment;

(c)risk treatment;

(d)risk acceptance;

(e)risk communication.

3. The information security risk management process shall take account of all factors relevant for the institution or body concerned, in particular:

(a)the confidentiality level of the information and the related legal obligations;

(b)the form and the quantity of the information and the facilities or CISs where the information is handled and stored;

(c)the persons accessing the information on sites or remotely;

(d)the surrounding environment and the structure of the buildings or areas storing the information,

(e)the threats targeting the Union, the Union institutions and bodies or the Member States from cyberattacks, supply chain attacks, espionage, sabotage, terrorist, subversive or other criminal activities;

(f)business continuity and disaster recovery;

(g)the results of inspections, audits or assessment visits, where applicable.

Chapter 2
Governance and organisation of security

Article 6 - Interinstitutional Information Security Coordination Group

1. An Interinstitutional Information Security Coordination Group (the ‘Coordination Group’) is established.

It shall be composed of all Security Authorities of the Union institutions and bodies, and shall have a mandate to define their common policy in the field of information security.

2. Acting by consent and in the common interest of all Union institutions and bodies, the Coordination Group shall:

(a)adopt its rules of procedures and annual common objectives and priorities;

(b)adopt decisions on the establishment of thematic sub-groups and their terms of reference;

(c)establish guidance documents on the implementation of this Regulation, in cooperation with the Interinstitutional Cybersecurity Board referred to in Article 9 of the Regulation EU [...] laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union, where appropriate; 

(d)set up dedicated platforms for sharing best practices and knowledge on common topics relevant to information security as well as for providing assistance in case of information security incidents;

(e)ensure that security measures are coordinated as necessary with the competent National Security Authorities for the purpose of protecting EUCI.

3. The Coordination Group shall designate a chairperson and two vice chairpersons from among its members, for a period of 3 years.

4. The Coordination Group shall meet at least once a year at the initiative of its chairperson or at the request of a Union institution or body.

5. The Coordination Group shall have the administrative support of a permanent secretariat provided by the Commission.

6. Each Union institution or body shall be appropriately represented in the Coordination Group and where applicable, in the thematic sub-groups.

7. Union institutions and bodies shall bring to the attention of the Coordination Group any significant information security policy development within their organisation.

8. In the performance of the tasks referred to in paragraph 2, point (e), the Coordination Group shall be assisted by an Information Security Committee.  That Committee shall be composed of one representative from each National Security Authority and shall be chaired by the Secretariat of the Coordination Group, referred to in paragraph 5. The Information Security Committee shall have an advisory role.

Article 7 - Thematic sub-groups

1. The Coordination Group shall set up the following permanent thematic sub-groups to facilitate the implementation of this Regulation:

(a)a sub-group on information assurance;

(b)a sub-group on non-classified information;

(c)a sub-group on physical security;

(d)a sub-group on accreditation of communication and information systems handling and storing EUCI;

(e)a sub-group on EUCI sharing and exchange of classified information.

2. Where necessary, the Coordination Group may set up ad-hoc sub-groups for a specific task and for a limited duration.

3. Except where otherwise provided in their terms of reference, the sub-groups shall be based on open membership representing the Union institution or body concerned. The members of the sub-groups shall be experts in the respective field of competence.

4. The Secretariat of the Coordination Group, referred to in Article 5(5), shall support the work of all sub-groups and ensure the communication between its members.                                 

Article 8 - Organisation of security

1. Each Union institution and body shall designate a Security Authority to assume the responsibilities assigned by this Regulation and, where applicable, by its internal security rules. In performing its tasks, each Security Authority shall have the support of the department or officer entrusted with Information Security tasks.

2. Where necessary, the Security Authority of each Union institution and body shall adopt internal implementing rules for the protection of information, in accordance with their specific mission, as entrusted by the EU law, and based on their institutional autonomy.

3. Where relevant, each Security Authority shall also assume the following functions:

(a)Information Assurance Authority in charge of developing information assurance security policies and security guidelines and monitoring their effectiveness and pertinence;

(b)Information Assurance Operational Authority responsible for developing security documentation, in particular the Security Operating Procedures and the crypto plan within the communication and information systems accreditation process;

(c)Security Accreditation Authority in charge of accrediting Secured Areas and CIS handling and storing EUCI;

(d)TEMPEST Authority responsible for approving the measures taken to protect against compromise of EUCI through unintentional electronic emanations;

(e)Crypto Approval Authority responsible for approving the use of encrypting technologies based on a request from the system owner;

(f)Crypto Distribution Authority responsible for distributing cryptographic materials used for protecting EUCI (encryption equipment, cryptographic keys, certificates, and related authenticators) to the users concerned.

4. The responsibilities of one or more of the functions referred to in paragraph 3 may be delegated to another Union institution or body whenever decentralised delivery of security offers significant efficiency, resource or time savings.

Chapter 3
Information assurance and communication and information systems (CISs)

Article 9 - Principles of information assurance

1. The assessment of the information security needs shall be taken into account from the start of the creation or at the procurement stage as regards all CISs including in-house, outsourced and hybrid CISs.

2. Any CIS that handles and stores EUCI shall be accredited in accordance with Chapter 5, Section 5. Any CIS that handles and stores sensitive non-classified information shall comply with the minimum requirements for sensitive non-classified information in CISs set out in Chapter 4.

Article 10 - Sub-group on information assurance

1. The sub-group on information assurance, as referred to in Article 7(1) point (a), shall have the following roles and responsibilities:

(a)providing guidance and best practices on the marking, handling and storing of information in CISs in close cooperation with the Interinstitutional cybersecurity board referred to in Article 9 of Regulation EU [XXX] laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union;

(b)establishing a metadata scheme for markings and all necessary technical information to contribute to an interoperable and seamless exchange of information across Union institutions and bodies, when interconnecting their respective CISs;

(c)contributing to the coherence between the information security rules and the cybersecurity baseline across all Union institutions and bodies, referred to in Article 5 of Regulation EU [XXX] laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.

Article 11 - Requirements for communication and information systems

1. Union institutions and bodies shall inform users about the confidentiality levels of information that can be handled and stored in a CIS. Where a CIS handles and stores multiple confidentiality levels, metadata and visual markings shall be used to ensure that the different levels can be distinguished.

2. Union institutions and bodies shall identify CIS’ users before granting them access to any confidentiality levels other than public use. Users shall be authenticated at a level of assurance that is appropriate to the confidentiality level. Where appropriate, a secure common identification scheme shall be used.

3. Adequate security logs shall be maintained for all CISs to ensure swift investigations in the event of breaches or leaks of information. Such logs shall be maintained for a duration established in the business impact assessment or in the relevant security policies, in a non-repudiable manner. 

Where a CIS handles and stores EUCI, logs related to need-to-know and access to information shall be maintained until the information is declassified. Security logs shall be searchable and accessible by the Security Authority.

4. Union institutions and bodies shall adopt internal rules on the security of CISs to specify the appropriate security measures in accordance with the security needs of the information to be handled and stored, and taking into account the jurisdictions in which the information is stored, transmitted to and handled.  Where applicable, those measures shall include the following:

(a)restrictions on the geographical location;

(b)consideration of potential conflicts of interest, boycotts or penalties relating to contractors;

(c)contractual provisions to ensure the security of information;

(d)encryption of information at rest and in transit;

(e)restrictions on the accessibility of Union institutions and bodies’ information by contractor personnel;

(f)protection of personal data in accordance with the applicable data protection legislation. 

5. The Union institutions and bodies shall manage their CISs in compliance with the following principles:  

(a)each CIS shall have a system owner or an Information Assurance Operational authority responsible for its security;

(b)an information security risk management process covering information security aspects shall be conducted;

(c)the security requirements and security operating procedures shall be formally defined, implemented, checked and reviewed;

(d)information security incidents shall be formally recorded and followed up, in accordance with Regulation EU [XXX] laying down measures for a high common level of cybersecurity at the institutions, bodies, offices and agencies of the Union.

Chapter 4
Non-classified information

Article 12 - Information for public use

1. Information intended for public use or official publication or already disclosed, which can be shared without restrictions inside or outside the Union institutions and bodies, shall be categorised and handled and stored as information for public use.

2. Union institutions and bodies may mark with ‘PUBLIC USE’ the information referred to in paragraph 1.

3. All Union institutions and bodies shall ensure the integrity and availability of information for public use by appropriate measures based on its security needs.

Article 13 - Normal information

1. Information intended for use by a Union institution or body in the execution of its functions which is neither sensitive non-classified nor for public use shall be categorised, handled and stored as normal information. This category covers all normal working level information processed in the Union institution or body concerned.

2. Normal information may be marked visually or in metadata where necessary to ensure its protection, particularly where shared outside Union institutions and bodies. The marking ‘EU NORMAL’ or the ‘name or acronym of the Union institution or body NORMAL’ (adjusted on a case-by-case basis) shall be used in that case.

3. Union institutions and bodies shall define standard protective measures for normal information taking into account guidance from the sub-group on non-classified information and any specific risks related to their tasks and activities.

4. Normal information shall be exchanged outside Union institutions and bodies only with natural or legal persons having a need-to-know.                                                                                                                                                            

Article 14 - Sensitive non-classified information

1. Union institutions and bodies shall categorise, handle and stored as sensitive non-classified all information that is not classified but which they must protect due to legal obligations or because of the harm that may be caused to the legitimate private and public interests, including those of the Union institutions and bodies, Member States or individuals by its unauthorised disclosure.

2. Each Union institution and body shall identify sensitive non-classified information by a visible security marking and shall define corresponding handling instructions in accordance with Annex I.

3. Union institutions and bodies shall protect sensitive non-classified information by applying appropriate measures in respect of its handling and storage.  Such information may only be made available inside Union institutions and bodies to individuals with a need-to-know for the fulfilment of their assigned tasks.

4. Sensitive non-classified information shall be exchanged outside Union institutions and bodies only with natural and legal persons that have a need-to-know while respecting the handling instructions accompanying the information. All parties involved shall be made aware of the appropriate handling instructions.

Article 15 - Protection of non-classified information and interoperability

1. Union institutions and bodies shall establish procedures for the reporting and management of any incident or suspected incident that could lead to a compromise of the security of non-classified information.

2. Where required, Union institutions and bodies shall use the markings provided for in Articles 12, 13 and 14. Exceptionally, other equivalent markings may be used internally and in relation with their particular counterparts from other Union institutions and bodies or from the Member States, when all parties agree. Such exception shall be notified to the sub-group on non-classified information, as referred to in Article 7(1), point (b).

3. Contractual safeguards shall be established to ensure the protection of normal and sensitive non-classified information processed by outsourced services.  The safeguards shall be designed to guarantee at least an equivalent level of protection to that provided by this Regulation, and shall include confidentiality and non-disclosure undertakings to be signed by all relevant service providers involved in the provision of the outsourced systems.

Article 16 - Sub-group on non-classified information 

1. The sub-group on non-classified information referred to in Article 7(1), point (b), shall have the following roles and responsibilities:

(a)streamlining the procedures relating to handling and storing the non-classified information and preparing the relevant guidance;

(b)coordinating with the sub-group on information assurance referred to in Article 7(1), point (a), on matters related to systems handling and storing non-classified information;

(c)preparing handling instructions for the different confidentiality levels of non-classified information;

(d)assisting Union institutions and bodies in establishing the equivalence between their particular categories of non-classified information and those provided for in Articles 12, 13 and 14;

(e)facilitating the sharing of non-classified information between Union institutions and bodies, by providing assistance and guidance.

Article 17 - Handling and storing of sensitive non-classified information in CISs

1. Union institutions and bodies shall ensure that CISs meet the following minimum requirements when handling and storing sensitive non-classified information:

(a)strong authentication shall be implemented to access SNC information and SNC information shall be encrypted in transmission and in storage;

(b)encryption keys used for storage shall be under the responsibility of the Union institution or body responsible for the operation of the CIS;

(c)SNC information shall be stored and processed in the Union;

(d)contractual provisions covering security of staff, assets and information shall be included in any outsourcing contracts;

(e)interoperable metadata shall be used to record the confidentiality level of electronic documents and to facilitate the automation of security measures;

(f)measures to prevent and detect data leaks shall be implemented by the Union institutions and bodies to protect sensitive non-classified information;

(g)security equipment bearing a European cybersecurity certificate shall be used, where available;

(h)implementation of security measures based on the principles of need-to-know and zero trust to minimise access to sensitive non-classified information by service providers and contractors.

2. Any derogation from the minimum requirements set out in paragraph 1 shall be subject to approval by the appropriate level of management of the Union institution or body concerned, on the basis of a risk assessment covering the legal and technical risks to the security of the sensitive non-classified information.

3. The Information Assurance Authority of the Union institution or body concerned may check compliance with the principles set out in paragraph 1 at any time during the lifecycle of a CIS.

Chapter 5
EUCI

Section 1
General provisions

Article 18 - Security classifications and markings

1. EUCI shall be classified at one of the following levels and shall be marked as follows:

(a)TRES SECRET UE/EU TOP SECRET: information and material the unauthorised disclosure of which could cause an exceptionally serious prejudice to the essential interests of the Union or of one or more of the Member States;

(b)SECRET UE/EU SECRET: information and material the unauthorised disclosure of which could seriously harm the essential interests of the Union or of one or more of the Member States;

(c)CONFIDENTIEL UE/EU CONFIDENTIAL: information and material the unauthorised disclosure of which could harm the essential interests of the Union or of one or more of the Member States;

(d)RESTREINT UE/EU RESTRICTED: information and material the unauthorised disclosure of which could be disadvantageous to the interests of the Union or of one or more of the Member States.

2. The Coordination Group shall adopt guidance documents on EUCI creation and classification.

Article 19 - Suitability to handle and store EUCI

1. Any Union institution and body may handle and store EUCI where the following conditions are met:

(a)it establishes rules and procedures in accordance with this Regulation, ensuring the protection of information for a given classification level; and

(b)it has undergone an assessment visit in accordance with Article 53, and it has been subsequently certified that it can protect EUCI in accordance with this Regulation and where applicable, any other relevant rules and procedures.

2. The conditions set out in paragraph 1 shall be considered as met by default by the members of the sub-group on EUCI sharing and exchange of classified information referred to in Article 7(1), point (e).

Article 20 - Protection of EUCI

1. The holder of any item of EUCI shall be responsible for its protection.

2. Where a Member State introduces classified information bearing a national security classification marking into the structures or networks of a Union institution or body, that institution or body shall protect that information in accordance with the corresponding classification marking laid down in the Agreement between the Member States of the European Union, meeting within the Council, regarding the protection of classified information exchanged in the interests of the European Union 29 . The corresponding table of equivalence is set out in Annex VI to this Regulation.

3. An aggregate of EUCI may warrant a level of protection corresponding to a higher classification than that of its individual components.

Article 21 - EUCI security risk management process

1. The security Authority of each Union institution and body shall approve the security measures for protecting EUCI throughout its life-cycle in accordance with the outcome of a risk assessment performed by the respective Union institution or body.

2. The security measures taken by each Union institution and body shall be commensurate with the classification level of the information handled and stored, its form and volume, and the location and protective features of the facilities where EUCI is handled and stored and the locally assessed threat of malicious or criminal activities.

3. All Union institutions and bodies shall establish:

(a)contingency plans to ensure EUCI security during emergencies;

(b)business continuity plans including preventive and recovery measures to minimise the impact of major failures or security incidents on the handling and storage of EUCI.                           

Article 22 - Breaches of security and compromise of EUCI

1. An act or omission of a Union institution or body or an individual, which is in breach of this Regulation, shall be considered as a breach of security. 

2. EUCI shall be considered to have been compromised where as a result of a breach, it has been disclosed, wholly or in part, to one or more persons that are not authorised to access that information.

3. Any compromise or suspected compromise of EUCI shall be reported immediately to the Security Authority of the relevant Union institution or body, which shall conduct a security inquiry and take at least the following measures:

(a)inform the originator;

(b)ensure that the case is investigated by personnel not immediately concerned with the breach in order to establish the facts;

(c)assess the potential damage caused to the interests of the Union or of the Member States;

(d)take appropriate measures to prevent a recurrence;

(e)notify the competent authorities about the actual or potential compromise and the action taken. 

Section 2
Personnel security 

Article 23 - Basic principles

1. The Security Authority of a Union institution or body may grant individuals access to EUCI where all the following conditions are met:

(a)the individuals have a need-to-know;

(b)the individuals have been briefed on the security rules and procedures for protecting EUCI and the relevant security standards and guidelines, and have acknowledged in writing their responsibilities with regard to protecting such information;

(c)for information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher, the individuals have been granted security clearance and have been authorised to the relevant level.

2. Union institutions and bodies shall take into account the loyalty, trustworthiness and reliability of an individual as determined by means of a security investigation conducted by the competent authorities of the Member State of which the applicant is a citizen or a national. 

3. Union institutions and bodies may accept security clearances from third countries and international organisations with which the Union has a security of information agreement.

4. Union institutions and bodies may manage the clearance processes autonomously or seek a Service Level Agreement ('SLA') with the Commission for security clearance purposes.

Where a SLA is concluded, the Commission Security Authority shall be the contact point between the security offices of the Union institution and body concerned and the national competent authorities of the Member States in the context of security clearance issues. 

5. The Security Authority of each Union institution and body shall keep records of their security clearances, briefings, written acknowledgements and authorisations to access EUCI.

6. Union institutions and bodies that conclude an SLA with the Commission shall make the relevant records available to the Commission’s Security Authority regarding as a minimum the level of EUCI to which the individual may be granted access, the date of issue of the authorisation to access EUCI and its period of validity. Those records shall be accessible to other Union institutions and bodies with an SLA, where justified.

Article 24 - Authorisation to access EUCI

1. Each Union institution and body shall identify the positions within its organisation requiring access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher in order for the holder to perform their duties.

2. Whenever an individual needs to be authorised to access information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher, the institution or body concerned shall inform the competent Security Authority, which shall proceed with the formalities required in point 1 of Annex II.

3. The Security Authority of each Union institution and body shall be responsible for granting, suspending, withdrawing and renewing authorisations to access EUCI for their staff.

4. In exceptional circumstances, where duly justified in the interests of the service and pending completion of a full security investigation, the Security Authority of a Union institution or body may grant a temporary authorisation for individuals to access EUCI for a specific position, without prejudice to the provisions regarding renewal of authorisation to access EUCI and upon verification of the relevant National Security Authority.

5. Union institutions and bodies shall follow the procedures for managing authorisation to access EUCI set out in Annex II. 

Article 25 - Recognition of authorisations to access EUCI

1. An authorisation to access EUCI up to the specified level shall be valid in any Union institution or body to which the individual is assigned.

2. Union institutions and bodies shall accept authorisations to access EUCI granted by other Union institution or body. 

3. Where the holder of an authorisation to access EUCI takes up employment in another Union institution or body, that Union institution or body shall notify the relevant NSA of a change of employer, through the competent Security Authority.

Article 26 - EUCI briefings

1. The Security Authority of a Union institution or body shall brief all individuals who need to access EUCI on any threats to security and about their obligation to report any suspicious activity.  The briefing shall take place before access to EUCI is granted and at least every 5 years thereafter. 

2. After receiving the briefing referred to in paragraph 1, all individuals concerned shall acknowledge in writing that they have understood their obligations regarding the protection of EUCI and the consequences where EUCI is compromised.

3. The briefing referred to in paragraph 1 shall include the following information:

(a)any individual who is responsible for a breach of the security rules laid down in this Regulation may be liable to disciplinary action in accordance with the applicable rules and regulations; 

(b)any individual who is responsible for compromising or losing EUCI may be liable to disciplinary or legal action in accordance with the applicable law, rules and regulations.

4. Where individuals who have been granted authorisations to access EUCI no longer require such access, Union institutions and bodies shall ensure that those individuals are aware of, and where appropriate acknowledge in writing, their obligations in respect of the continued protection of EUCI.

5. The task of creating and managing the EUCI briefings may be shared between Union institutions and bodies provided that their specific requirements are taken into account. 

Section 3
Physical security

Article 27 - Basic principles

1. Each Union institution and body shall determine the physical security measures appropriate to its sites, in accordance with Annex III and the principle of defence in depth, on the basis of a risk assessment performed by its Security Authority. The measures shall ensure the following objectives:

(a)to deny access to EUCI or forced entry by an intruder;

(b)to deter, impede and detect unauthorised actions and respond to security incidents as soon as possible;

(c)to allow for segregation of personnel in their access to EUCI on a need-to-know basis and where appropriate, on a security clearance basis. 

2. Union institutions and bodies shall put in place physical security measures for all sites where EUCI is discussed, stored or handled, including areas housing communication and information systems as referred to in Section 5 of this Chapter.

3. Only security equipment approved by the Security Authority of a Union institution or body shall be used for physically protecting information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher.

4. Union institutions and bodies may share Secured Areas, as referred to in Annex III, for handling and storing EUCI, upon conclusion of an agreement.

Article 28 - Sub-group on physical security

1. The sub-group on physical security as referred to in Article 7(1), point (c), shall have the following roles and responsibilities:

(a)preparing guidance documents relative to physical security matters;

(b)defining the general security criteria for acquiring equipment such as security containers, shredding machines, door locks, electronic access control systems, intrusion detection systems and alarm systems for the physical protection of EUCI;

(c)assisting Union institutions and bodies in determining the appropriate security measures for their sites;

(d)proposing compensatory measures for the protection of EUCI when EUCI is handled outside the physically protected areas of a Union institution and body., 

Article 29 - Physical protection of EUCI

1. To ensure the physical protection of EUCI, the Union institutions and bodies shall establish the following physically protected areas:

(a)administrative areas, as referred to in Annex III;

(b)where appropriate, Secured Areas including Class I, Class II and technically Secured Areas, as referred to in Annex III.

2. The Security Authority of the Union institution and body concerned shall conduct an internal inspection to verify whether the conditions for an area to be established as an Administrative Area or a Secured Area, set out in Annex III, are met. Where the inspection report indicates that the conditions are met, the Security Authority may issue an accreditation for the Secured Area to protect EUCI up to the stated level for a period not exceeding 5 years.

The Security Authority of the Union institution or body concerned shall be responsible for carrying out the re-accreditation process of its Secured Areas, before the expiry of the accreditation or whenever changes have been implemented within the accredited area. 

3. Each Union institution and body shall adopt procedures for managing keys and combination settings for offices, rooms, strong rooms and security containers for level CONFIDENTIEL UE/EU-CONFIDENTIAL and for higher levels.

4. The Security Authority may authorise entry and exit searches to deter and detect the unauthorised introduction of material or the unauthorised removal of EUCI from sites.

5. Union institutions and bodies shall establish the measures for the physical protection of the EUCI in accordance with Annex III.                                       

Section 4
Management of EUCI

Article 30 - Basic principles

1. Union institutions and bodies shall record, file, preserve and eventually eliminate, sample or transfer their EUCI documents to the relevant archives in accordance with retention policy and rules specific to the files of each Union institution and body. 

2. Any Union institution and body which is the originator of EUCI shall determine the security classification of that information upon its creation and in accordance with Article 18(1).

3. Union institutions and bodies shall clearly communicate the classification level to recipients, either by means of a classification marking or by an announcement, where the information is delivered in oral form.

4. The security measures applicable to the original document shall apply to drafts, copies and translations thereof.

5. Union institutions and bodies shall establish the measures for EUCI management in accordance with Annex IV. 

Article 31 - Creation of EUCI

2. Union institutions and bodies under whose authority EUCI is created shall ensure that the following requirements are met:

(a)each page shall be marked clearly with the classification level;

(b)each page shall be numbered;

(c)the document shall bear a reference number, where applicable a registration number and a subject, which is not itself EUCI, unless it is marked as such;

(d)the document shall include its date of creation;

(e)all the annexes and enclosures shall be listed, whenever possible on the first page;

(f)documents classified SECRET UE/EU SECRET or higher shall bear a copy number on every page, where they are to be distributed in multiple copies. Electronic copies that are distributed outside the holding system shall bear a unique identifier based on an electronic signature.

Article 32 - Originator control

1. The Union institution or body under whose authority an EUCI document is created shall have originator control over that document. The originator shall determine the classification level of the document and shall be responsible for its initial dissemination. Without prejudice to Regulation 1049/2001, the originator’s prior written consent shall be obtained before the information is:

(a)declassified or downgraded;

(b)used for purposes other than those established by the originator;

(c)forwarded to any entity outside the Union institution or body holding the information, including a third country or international organisation, another Union institution or body, Member States, a contractor or prospective contractor, a beneficiary or prospective beneficiary;

(d)copied and translated in case of TRES SECRET-UE/EU-TOP SECRET level.

2. Where the originator of an EUCI document cannot be identified, the Union institution or body holding that classified information shall exercise originator control.

3. Originators of any EUCI document shall keep a record of any classified sources used for producing classified documents, including details of sources originally from Member States, international organisations or third countries. Where appropriate, aggregated classified information shall be marked in such a way as to preserve the identification of the originators of the classified source materials used.

Article 33 - Classification markings

1. Where appropriate, in addition to one of the security classification markings, EUCI documents may bear additional markings, such as distribution or releasability markings or to indicate the originator.

2. Different parts of a EUCI document may require different classifications and shall be marked accordingly. The overall classification level of a document or file shall be at least as high as that of its most highly classified component.

3. Documents containing parts with different classification levels shall be structured so that parts with a different classification level may be easily identified and detached if necessary.

Article 34 - EUCI registry system

1. All Union institutions and bodies that handle and store information classified CONFIDENTIEL UE/EU CONFIDENTIEL or higher shall establish one or more EUCI registries to ensure its registration for security purposes when it arrives at or leaves a Union institution or body.

2. All EUCI registries shall be established in Secured Areas, as referred to in Annex III.

3. Union institutions and bodies shall assign a Registry Control Officer (‘RCO’) to manage each EUCI registry.  The RCO shall have appropriate security clearance and shall be authorised in accordance with Article 24. Union institutions and bodies shall ensure the proper training for their RCO.

Article 35 - Downgrading and declassifying

1. Information shall be classified only for as long as it requires protection.  EUCI that no longer needs the original classification shall be downgraded to a lower level. EUCI that no longer needs to be considered as classified at all shall be declassified.

2. At the time of creation of EUCI, the originator shall indicate, where possible, and in particular for information classified RESTREINT UE/EU RESTRICTED, whether the EUCI can be downgraded or declassified on a given date or following a specific event.

3. The originating Union institution or body shall be responsible for deciding whether a EUCI document can be downgraded or declassified.  It shall review the information and assess the risks regularly and at least every 5 years in order to determine whether the original classification level is still appropriate.

4. Union institutions and bodies holding EUCI of which they are not the originator shall not downgrade or declassify that document, nor shall they modify or remove any of the markings referred to in Article 18(1) without the prior written consent of the originator.

5. Union institutions and bodies may partially downgrade or declassify EUCI they create. In such cases a downgraded or declassified extract shall be produced.

6. Union institutions and bodies shall inform the recipient organisation of the EUCI of its downgrading or declassification.

Article 36 - Markings on downgraded and declassified documents

1. Where Union institutions and bodies decide to declassify an EUCI document, consideration shall be given as to whether it is to bear a sensitive non-classified information distribution marking.

2. The original classification marking at the top and bottom of every page shall be visibly crossed out using the ‘strikethrough’ functionality for electronic formats, or manually for print-outs. The original classification marking shall not be removed.

3. The first page or the cover page shall be stamped as downgraded or declassified and completed with the details of the authority responsible for downgrading or declassifying and the corresponding date. Downgrading or declassification of electronic EUCI documents shall be evidenced by an electronic signature under the authority of the originator.

Article 37 - Destruction and deletion of EUCI

1. Union institutions and bodies shall review EUCI, both on paper and in CISs, at least every 5 years to determine whether they are to be destroyed or deleted. Where EUCI is destroyed or deleted, they shall instruct anyone having previously received that EUCI.

2. Union institutions and bodies may destroy duplicates of EUCI which are no longer required, taking account of the relevant rules on document management for the originals.

3. Union institutions and bodies shall only destroy any hard copy of information classified CONFIDENTIEL UE/EU CONFIDENTIAL or higher by their Registry Control Officer. The RCO shall update the logbooks and other registration information accordingly, keeping essential metadata of the destroyed document.

Documents classified SECRET UE/EU SECRET and higher shall only be destroyed by the RCO in the presence of a witness who shall have security clearance to at least the classification level of the document being destroyed.

4. The RCO and where applicable, the witness, shall sign a destruction certificate which shall be filed in the registry. The certificate shall be kept for at least 5 years in the case of information classified CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET-UE/EU-SECRET and for at least 10 years in the case of information classified at TRES SECRET-UE/EU-TOP SECRET level.

Article 38 - Evacuation and destruction of EUCI in an emergency

1. Each Union institution and body shall develop emergency evacuation and destruction plans based on local conditions to safeguard EUCI that is at significant risk of falling into unauthorised hands.

The operational details of emergency evacuation and destruction plans shall themselves be classified as RESTREINT UE/EU RESTRICTED.

2. In the event of an emergency, where there is an imminent risk of unauthorised disclosure of EUCI, Union institutions and bodies shall evacuate EUCI. 

Where evacuation is not possible, EUCI shall be destroyed in such a way that it cannot be reconstructed in whole or in part.

3. The originator and the originating registry shall be informed of the emergency evacuation or destruction of registered EUCI.

4. Where emergency plans have been activated, priority shall be given to evacuating or destroying the higher levels of EUCI first, including the enciphering equipment. 

Article 39 - Archiving

1. Union institutions and bodies shall decide whether and when to archive EUCI, and the corresponding practical measures, in accordance with their policy on document management.

2. EUCI documents shall not be transferred to the Historical Archives of the European Union.

Section 5
Protection of EUCI in communication and information systems (CISs)

Article 40 - Sub-group on accreditation of communication and information systems handling and storing EUCI

The sub-group on accreditation of CISs handling and storing EUCI, as referred to in Article 7(1), point (d), shall have the following roles and responsibilities:

(a)assisting the Union institutions and bodies in their accreditation processes;

(b)recommending a standard for accreditation to be followed by all Union institutions and bodies;

(c)disseminating and sharing best practices and guidance regarding the accreditation of CISs.

Article 41 - Communication and information systems

Union institutions and bodies shall meet the following requirements in relation with CISs handling and storing EUCI:

(a)the system owner or Information Assurance Operational Authority shall consult the Security Accreditation Authority before developing, procuring or enabling a CIS to handle and store EUCI in order to determine the requirements for accreditation;

(b)key security principles for the design of CIS handling and storing EUCI shall apply at the inception of the project, as part of the information security risk management process and taking into account need-to-know, minimal functionality, defence in depth, least privilege, segregation of duties and four eyes;

(c)the storage, central processing and network management components of a CIS handling and storing EUCI shall be installed in a Secured Area, as referred to in Annex III;

(d)implement ‘TEMPEST security measures’ which shall be commensurate with the risk of exploitation and the level of classification of the information;

(e)all staff involved in the operation of a CIS handling and storing EUCI shall notify to the Security Authority and the relevant system owner or Information Assurance Operational Authority any potential security weaknesses, incidents, breaches of security or system compromises that may have an impact on the protection of the CIS or the EUCI therein;

(f)where relevant, the Security Authority shall notify the Security Authorities of any other Union institutions and bodies concerned of potential security weaknesses or incidents that could affect their CISs handling and storing EUCI.

Article 42 - Cryptographic products

1. Approved cryptographic products shall be used for transmission and storage of EUCI by electronic means. The list of approved cryptographic products shall be maintained by the Council, on the basis of input from the National Security Authorities.

2. Where the list referred to in paragraph 1 does not include any suitable product for the intended purpose, the Crypto Approval Authority of the Union institution or body concerned shall request an interim approval from the Council. Where possible, a cryptographic product that is approved by the National Security Authority of a Member State shall be selected.

The Council shall take the necessary steps to ensure that a suitable product is added to the list.

3. Approvals of cryptographic products shall be valid for a maximum of 5 years and reviewed on a yearly basis thereafter.

4. The Council shall remove any cryptographic product from the list of approved cryptographic products for which national approval has been withdrawn or has expired.

5. The Coordination Group shall inform the Council on a yearly basis of any cryptographic products that it recommends for evaluation by a Crypto Authority Approval of a Member State on the basis of a survey carried out in the Union institutions and bodies.

Article 43 - Accreditation of CISs handling and storing EUCI

1. By accrediting CISs handling and storing EUCI, Union institutions and bodies shall confirm that all appropriate security measures have been implemented and that a sufficient level of protection of EUCI and of the CIS has been achieved in accordance with this Regulation.

2. The CIS owner or the Information Assurance Operational Authority shall be responsible for the preparation of the accreditation files and documentation, including manuals for different types of users.

3. The Security Accreditation Authority of each Union institution and body shall be responsible for establishing an accreditation process with clear conditions that need approval, for all CISs under their authority.

4. Where a CIS handling and storing EUCI involve both Union institutions and bodies and National Security Authorities, the Union institutions and bodies concerned shall establish, through further implementing rules adopted pursuant to Article 8(2), a joint Security Accreditation Board in charge of the system’s accreditation. That Board shall be composed of Security Accreditation Authority representatives of the parties involved and shall be chaired by the Security Accreditation Authority of the Union institution or body that owns the CIS.

Article 44 - Accreditation process of a CIS handling and storing EUCI

1. All CISs handling and storing EUCI shall undergo an accreditation process, based upon the principles of information assurance, the level of detail of which shall be commensurate with the level of protection required.

2. The accreditation process shall result in an accreditation statement determining the maximum classification level of the information that may be handled and stored in a CIS as well as the corresponding terms and conditions. The accreditation statement shall be based on the formal validation of the risk assessment and of the security measures implemented for the CIS concerned, providing assurance on the following elements:

(a)the information security risk management process has been properly carried out;

(b)the system owner or risk owner has knowingly accepted the residual risk; 

(c)a sufficient level of protection of the CIS, and of the EUCI handled and stored in it, has been achieved in accordance with this Regulation.

3. The Security Accreditation Authority of a Union institution or body shall formally validate the accreditation statement. Upon successful validation, the Security Accreditation Authority shall issue an approval to operate which determines the maximum classification level of the EUCI that may be handled in the CIS as well as the corresponding terms and conditions for operation. The approval shall be issued for a specified period. Where one or more of the required security measures are not in place but this does not significantly impact the overall security, an interim approval to operate may be issued, specifying the points for remediation.

4. At any moment in the life cycle of a CIS, the Security Accreditation Authority of the Union institution or body concerned may take the following actions:

(a)apply an accreditation process;

(b)audit or inspect the CIS;

(c)where the conditions for operation are no longer satisfied, such as when a security incident has revealed a significant vulnerability in the CIS, require the establishment and effective implementation of a security improvement plan within a well-defined timescale, potentially withdrawing permission to operate the CIS until the conditions for operation are satisfied.

5. The system owner or the Information Assurance Operational Authority shall make a formal report to the Security Accreditation Authority annually during the period of validity of an approval to operate, including a summary of any significant incidents, changes and risk factors.

Article 45 - Emergency circumstances

1. Union institutions and bodies may apply specific procedures to transmit or store classified EUCI in an emergency, such as during impending or actual crises, conflicts, war situations or in exceptional operational circumstances, after approval by their Crypto Approval Authority.

2. Under the circumstances referred to in paragraph 1, EUCI may be transmitted using cryptographic products which have been approved for a lower classification level or without encryption with the consent of the competent authority where any delay would cause harm clearly outweighing the harm entailed by any disclosure of the classified material and subject to the following conditions:

(a)the sender or the recipient do not have the required encryption facility; 

(b)the classified material cannot be conveyed in time by other means.

3. Classified information transmitted in accordance to in paragraph 2 shall not bear any markings or indications distinguishing it from information which is unclassified or which can be protected by an available cryptographic product. Recipients shall be notified of the classification level, without delay, by other means.

4. A subsequent report on the transmission of EUCI under the circumstances referred to in paragraph 1 shall be submitted to the relevant Security Authority.

Section 6
Industrial security

Article 46 - Basic principles

1. Each Union institution or body, as contracting or granting authority, shall ensure that the minimum standards on industrial security set out in this Section and the conditions for the protection of EUCI in classified contracts and grant agreements set out in Annex V, are referred to or incorporated in the contracts or grant agreements and complied with when awarding classified contracts or grant agreements.

2. Industrial security is the application of measures to ensure the protection of EUCI by the following individuals or entities:

(a)under direct management 30 , within the framework of classified contracts, by:

(i)candidates or tenderers throughout the tendering and contracting procedure;

(ii)contractors or subcontractors throughout the life-cycle of classified contracts;

(b)under direct management 31 , within the framework of classified grant agreements, by

(i)applicants during grant award procedures;

(ii)beneficiaries or subcontractors throughout the life-cycle of classified grant agreements.

(c)under indirect management, within the framework of financial framework partnership agreements (‘FFPA’) and the related contribution agreements by the entrusted entities throughout the life cycle of these agreements.

3. As the entrusting entity, the Union institution or body shall describe the specific security requirements for the entrusted entity in the security chapter of the FFPA and the related contribution agreements. These requirements shall be based on the security principles and provisions as contained in this Regulation in relation to classified contracts and grant agreements, which apply mutatis mutandis.

4. Classified contracts and classified grant agreements shall not involve information classified TRES SECRET UE/EU TOP SECRET.

5. Provisions in this Chapter referring to classified contracts or contractors, or to classified grants or beneficiaries, shall also apply to classified subcontracts or subcontractors within the meaning of, respectively, classified contracts or grants.

6. Union institutions and bodies, as contracting or granting authorities, shall closely cooperate with the security authorities or any other competent authorities of the country on whose territory the contractual party or the grant recipient is registered, as well as with the security or any other competent authorities of the contracted or grant awarded international organisation.

7. Union institutions and bodies, as contracting or granting authorities, shall communicate with the security authorities or any other competent authorities through their Security Authorities.

8. Union institutions and bodies, as contracting or granting authorities, shall notify the authorities referred to in paragraph 6, through its Security Authority, whenever a classified contract or grant agreement has been signed.

The notification shall include relevant data such as the names of the contractor or beneficiaries, the duration of the classified contract or grant agreement, and the maximum level of classification.

Union institutions and bodies, as contracting or granting authorities, shall also notify the authorities referred to in paragraph 6 whenever classified contracts or grant agreements are prematurely terminated.

9. Union institutions and bodies, as contracting or granting authorities, may award classified contracts or classified parts of grants only to entities registered in those third countries or established by those international organisations that have concluded a security of information agreement with the Union. Where the EUCI concerned contains personal data, any transfer of the latter to a third country or international organisation shall be made in accordance with Regulation (EU) 2018/1725.

Article 47 - Security elements in a classified contract or grant agreement

1. Classified contracts or grant agreements shall include the following security elements:

(a)security classification guide;

(b)security aspects letter.

2. Classified contracts or grant agreements may include a Programme or Project Security Instruction.

Article 48 - Security Classification Guide 

1. Before signing a classified contract or grant agreement, the Union institution or body, as contracting or granting authority, shall determine the security classification of any information to be created by contractors or beneficiaries, or by their sub-contractors. For that purpose, it shall prepare a Security Classification Guide to be used for the performance of the classified contract or grant agreement.

2. The Security Classification Guide may be modified throughout the life of the programme or project, as referred to in Article 50, contract or grant agreement and the elements of information may be re-classified or downgraded. 

3. In order to determine the security classification of the various elements of a classified contract or grant agreement, the following principles shall apply:

(a)in preparing a Security Classification Guide, the Union institution or body, as contracting or granting authority, shall take into account all relevant security aspects, including the security classification assigned to information provided and approved to be used for the classified contract or grant agreement by the originator of the information;

(b)the overall level of classification of the classified contract or grant shall not be lower than the highest classification of any of its elements; 

(c)where relevant, the Union institution or body concerned, as contracting or granting authority, shall liaise, through their Security Authority, with the security authorities or any other competent authorities of the country concerned where making any changes to the Security Classification Guide.

Article 49 - Security Aspects Letter

1. Each Union institution or body, as contracting or granting authority, shall describe the specific security requirements of the classified contract or grant in a Security Aspect Letter. That letter shall include the Security Classification Guide and shall be an integral part of a classified contract, grant agreement or sub-contract.

2. The Security Aspect Letter shall contain provisions requiring the contractor or beneficiary, and their subcontractors, to comply with the provisions laid down in this Regulation and any further implementing rules adopted pursuant to Article 8(2) regarding industrial security. The Security Aspect Letter shall clearly indicate that non-compliance with such provisions may constitute sufficient grounds for the termination of the classified contract or grant agreement.

Article 50 - Programme or Project Security Instruction 

1. Union institutions and bodies, as contracting or granting authorities, may develop a Programme or Project Security Instruction, in close cooperation with their Security Authorities, in particular for programmes and projects characterised by their considerable scope, scale or complexity, or by the multitude or the diversity of contractors, beneficiaries and other partners and stakeholders involved.

2. The Security Authority of each Union institution or body, as contracting or granting authority, shall submit the specific Programme or Project Security Instruction for advice to the relevant Member State advisory security body consisting of their National Security Authorities and/or Designated Security Authorities.

When a Union institution or body does not have such an advisory body, the Programme or Project Security Instruction shall be submitted to the Information Security Committee, referred to in Article 6(8).

Section 7
Sharing EUCI and exchanging classified information

Article 51 - Basic principles

1. All Union institutions and bodies may share EUCI with other Union institutions or bodies under the conditions set out in Article 54.

2. Union institutions and bodies may share EUCI with Member States and the European Atomic Energy Community provided that they protect that information in accordance with the corresponding classification marking laid down in the Agreement between the Member States of the Union, meeting within the Council, regarding the protection of classified information exchanged in the interests of the Union and the corresponding table set out in Annex VI to this Regulation.  

3. Union institutions and bodies shall only exchange classified information with third countries or international organisations with which a Security of information agreement or an administrative arrangement has been concluded in accordance with Articles 55 and 56.

Such agreements and arrangements shall contain provisions to ensure that third countries or international organisations receiving EUCI protect such information at a level commensurate with its classification level and corresponding to minimum standards that are no less stringent than those laid down in this Regulation.

4. Where there is no Security of information agreement or administrative arrangement in place, a Union institution or body may, in exceptional circumstances, release EUCI to another Union institution or body, a third country or an international organisation in accordance with Article 58.

5. Union institutions and bodies shall designate those registries that serve as the main points of entry and exit for EUCI shared with other Union institutions or bodies or classified information exchanged with third countries and international organisations.  

Article 52 - Sub-group on EUCI sharing and exchange of classified information

1. The sub-group on EUCI sharing and exchange of classified information, referred to in Article 7(1), point (e), shall have the following roles and responsibilities:

(a)organising assessment visits to Union institutions and bodies, third countries and international organisations and adoption of the yearly programme of visits;

(b)preparing and carrying out of the assessment visits;

(c)drawing up a report on the outcome of the visits referred to in point (a). 

except in cases referred to in Article 56(2).

2. The sub-group on EUCI sharing and exchange of classified information shall be composed of representatives from the Commission, the Council and the European External Action Service and shall work by consensus. 

Article 53 - Assessment visits related to EUCI sharing

1. The sub-group on EUCI sharing and exchange of classified information shall carry out assessment visits in full cooperation with the officials of the Union institution or body being visited. It may seek assistance from the NSA on whose territory the Union institution or body is located.

2. The assessment visits to the Union institutions and bodies concerned shall serve the following purposes:

(a)to check whether the requirements for protecting EUCI laid down in this Regulation are complied with and therefore, whether the measures implemented are effective;

(b)to emphasise the importance of security and effective risk management within the organisation visited;

(c)to recommend countermeasures to mitigate the specific impact of loss of availability, confidentiality or integrity of classified information; 

(d)to reinforce security authorities’ ongoing security education and awareness programmes.

3. At the end of the assessment visit, the sub-group on EUCI sharing and exchange of classified information shall carry out the following tasks:

(a)draw up a report with the main conclusions of the assessment;

(b)seek the opinion of the Information Security Committee, referred to in Article 6(8), on the report;

(c)send the report for follow up to the security authority of the Union institution or body visited.

4. Where the report proposes any corrective action or makes recommendations, a follow-up visit shall be organised for the purpose of verifying whether such action was taken or recommendations followed.

Article 54 - Sharing EUCI

1. A Union institution or body may share EUCI with another Union institution or body where the following conditions are fulfilled:

(a)there is a proven need for the exchange;

(b)an assessment visit has been carried out at the Union institution or body concerned, in accordance with Article 53, the outcome of which certifies the capacity of that Union institution or body to handle and store a specified level of EUCI;

(c)the Security Authority of the Union institution or body concerned decides that it may share information classified up to a specified level with other such certified Union institutions and bodies.

2. The secretariat of the Coordination Group shall establish a list of EUCI levels that may be handled and stored by each Union institution and body fulfilling the conditions in paragraph 1, points (b) and (c).  It shall regularly update that list. 

Article 55 - Security of information agreements

1. Where it is necessary to exchange classified information with a third country or an international organisation on a long term basis, the competent institution or body shall seek to negotiate and conclude a security of information agreement, in accordance with Article 218 of the Treaty on the Functioning of the European Union.

2. A security of information agreement shall establish the basic principles and the minimum standards governing the exchange of classified information between the Union and a third country or international organisation.

3. Security of information agreements shall provide for technical implementing arrangements to be agreed between the competent security authorities of the relevant Union institutions and bodies and the competent security authority of the third country or international organisation concerned.

4. Prior to the approval of the technical implementing arrangements, referred to in paragraph 3, the sub-group on EUCI sharing and exchange of classified information shall carry out an assessment visit in accordance with Article 57.

Article 56 - Administrative arrangements with third countries and international organisations

1. Where their rules of procedure or founding acts provide for such possibility, Union institutions and bodies may enter into an administrative arrangement with their counterparts in a third country or international organisation, after informing the EUCI sharing and exchange of classified information sub-group, where the following conditions are met:

(a)the Union institution or body concerned needs to exchange, on a long-term basis information classified, as a general rule, no higher than RESTREINT UE/EU RESTRICTED with its counterpart in a third country or international organisation;

(b)the Union institution or body concerned satisfies the conditions set out in Article 54(1);

(c)the report of the assessment visit, referred to in Article 57, certifies that the relevant counterpart in the third country or international organisation concerned has the capacity to handle and store a specified level of EUCI.

2. Before concluding an administrative arrangement, an assessment visit shall be conducted in accordance with the principles in Article 57. The Union institution or body seeking the administrative arrangement may request the Subgroup on EUCI sharing to conduct the assessment visit on its behalf or to participate in the visit. 

3. The Security Authority of the Union institution or body seeking the administrative arrangement shall decide on any specific conditions governing the exchange as well as on the maximum level of EUCI which may be exchanged. That level shall not be higher than the level set for sharing EUCI with other Union institutions and bodies, in accordance with Article 54, and, where applicable, should not be higher than that provided for under a Security of Information Agreement with the same third country or international organisation.  

Article 57 - Assessment visits for the exchange of classified information with third countries and international organisations

1. An assessment visit to a third country or international organisation shall be conducted to determine whether an Union institution or body may exchange classified information with the third country or international organisation concerned.

2. The aim of the assessment visit shall be to assess the effectiveness of the security rules and procedures in the third country or international organisation concerned as regards the protection of EUCI at a given level. The assessment visit shall be carried out in mutual agreement with the third country or international organisation concerned.

3. The assessment visits shall evaluate at least the following:

(a)the regulatory framework applicable for protecting classified information and its adequacy for the protection of EUCI at a given level;

(b)any specific features of the security policy and the way in which security is organised in the third country or international organisation which may have an impact on the level of classified information that may be exchanged;

(c)the security measures and procedures actually in place; 

(d)security clearance procedures relative to the EUCI level to be released.

4. The Information Security Committee referred to in Article 6(8) shall receive a report on the findings of such visits before the EUCI is actually released to the third country or international organisation concerned. Where relevant, the report shall also be shared with the Union institution or body concerned.

5. The security authorities of the Union institution or body concerned shall communicate to the third country or international organisation the date as from when it is in a position to exchange EUCI, as well as the maximum level of EUCI which may be exchanged in hard copy or by electronic means.

6. Follow-up visits shall be organised where the following conditions are met:

(a)it is necessary to raise the level of EUCI which may be exchanged;

(b)the Union institution or body concerned has been notified of fundamental changes in the security arrangements of the third country or international organisation that might have an impact on how EUCI is protected; 

(c)there has been a serious security information incident involving unauthorised disclosure of EUCI.  

Article 58 - Exceptional ad-hoc release of EUCI

1. In the absence of a security of information agreement or an administrative arrangement, where a Union institution or body determines that there is an exceptional need to release EUCI to another Union institution or body or to a third country or international organisation, or

where a security of information agreement or an administrative arrangement has been concluded and a Union institution or body determines that there is an exceptional need to release a higher level of EUCI than already stipulated under the agreement or arrangement, the Union institution or body providing EUCI shall take the following steps:

(a)to the extent possible, verify with the security authorities of the third country, international organisation or receiving Union institution or body that their security rules, structures and procedures can ensure the protection of EUCI released to standards no less stringent than those set in this Regulation;

(b)seek an opinion from the Information Security Committee, referred to in Article 6(8), on the basis of the verification made pursuant to point (a), unless operational circumstances require an immediate ad-hoc release, in which case the Information Security Committee shall be subsequently informed.

2. All documents released pursuant to this Article shall bear a releasability marking indicating the third country, international organisation or Union institution or body to which it has been released.

3. Prior to or upon actual release, the Union institution or body providing EUCI shall seek a written undertaking from the receiving party that it will protect the EUCI it receives.  Where applicable, it shall be requested to undertake to protect the EUCI in accordance with the basic principles and the minimum standards set out in this Regulation.

Chapter 6
Final provisions

Article 59 - Implementation

1. The Coordination Group shall establish information security guidance for implementing this Regulation.

2. Based on their specific needs, Union institutions and bodies may adopt internal rules for the purpose of implementing this Regulation, in accordance with Article 8(2).

Article 60 - Transitional provisions

1. The internal rules on information security adopted by individual Union institution or body before ¨[dd/mm/yyyy date of application] shall be reviewed by [3 years after the entry into force of this Regulation] at the latest.

2. All Union institutions and bodies that have been assessed either by Commission or Council or EEAS before the [dd/mm/yyyy date of applicability], as suitable to handle and store EUCI, shall be considered as meeting the conditions referred to in Article 19(1).

3. Any administrative arrangement concluded by the Union institutions and bodies with third countries and international organisations before [dd/mm/yyyy date of application] shall remain valid.

4. Where the Member States on whose territory the beneficiaries of the Commission grant agreement under the European Defence Industrial Development Programme have decided to have a specific security framework for the protection and handling of nationally classified information relating to the grant agreement concerned, the Commission, when applying industrial security procedures contained in this Regulation, will respect this security framework until the end of life cycle of the grant agreement.

Article 61 - Monitoring and evaluation

1. By [dd/mm/yyyy 3 years after the date of application] at the latest, the Commission shall present a report on the implementation of this Regulation to the European Parliament and the Council.

2. No sooner than [5 years after the date of application] and every 5 years thereafter, the Commission shall carry out an evaluation of this Regulation and present a report on the main findings to the European Parliament and the Council.

Article 62 - Entry into force and application

1. This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

2. It shall apply from [date: the first day of the month following the period of 2 years after the date of entry into force]

This Regulation shall be binding in its entirety and directly applicable in all Member States.