
Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information


CHAPTER 1
BASIC PRINCIPLES AND MINIMUM STANDARDS

Article 1
Definitions

For the purpose of this Decision, the following definitions shall apply:

(1) ‘Commission department’ means any Commission Directorate-General or service, or any Cabinet of a Member of the Commission;

(2) ‘cryptographic (Crypto) material’ means cryptographic algorithms, cryptographic hardware and software modules, and products including implementation details and associated documentation and keying material;

(3) ‘declassification’ means the removal of any security classification;

(4) ‘defence in depth’ means the application of a range of security measures organised as multiple layers of defence;

(5) ‘document’ means any recorded information regardless of its physical form or characteristics;

(6) ‘downgrading’ means a reduction in the level of security classification;

(7) ‘handling’ of EUCI means all possible actions to which EUCI may be subject throughout its life-cycle. It comprises its creation, registration, processing, carriage, downgrading, declassification and destruction. In relation to Communication and Information Systems (CIS) it also comprises its collection, display, transmission and storage;

(8) ‘holder’ means a duly authorised individual with an established need-to-know who is in possession of an item of EUCI and is accordingly responsible for protecting it;

(9) ‘implementing rules’ means any set of rules or security notices adopted in accordance with Chapter 5 of Commission Decision (EU, Euratom) 2015/443 (1);

(10) ‘material’ means any medium, data carrier or item of machinery or equipment, either manufactured or in the process of manufacture;

(11) ‘originator’ means the Union institution, agency or body, Member State, third state or international organisation under whose authority classified information has been created and/or introduced into the Union's structures;

(12) ‘premises’ means any immovable or assimilated property and possessions of the Commission;

(13) ‘security risk management process’ means the entire process of identifying, controlling and minimising uncertain events that may affect the security of an organisation or of any of the systems it uses. It covers the entirety of risk-related activities, including assessment, treatment, acceptance and communication;

(14) ‘Staff Regulations’ means the Staff Regulations of officials of the European Union and the Conditions of Employment of other servants of the European Union, as laid down by Regulation (EEC, Euratom, ECSC) No 259/68 of the Council (2);

(15) ‘threat’ means a potential cause of an unwanted incident which may result in harm to an organisation or any of the systems it uses; such threats may be accidental or deliberate (malicious) and are characterised by threatening elements, potential targets and attack methods;

(16) ‘vulnerability’ means a weakness of any nature that can be exploited by one or more threats. A vulnerability may be an omission or it may relate to a weakness in controls in terms of their strength, completeness or consistency and may be of a technical, procedural, physical, organisational or operational nature.

Article 2
Subject matter and scope

1. This Decision lays down the basic principles and minimum standards of security for protecting EUCI.

2. This Decision shall apply to all Commission departments and in all premises of the Commission.

3. Notwithstanding any specific indications concerning particular groups of staff, this Decision shall apply to the Members of the Commission, to Commission staff under the scope of the Staff Regulations and of the Conditions of Employment of other servants of the European Communities, to national experts seconded to the Commission (SNEs), to service providers and their staff, to trainees and to any individual with access to Commission buildings or other assets, or to information handled by the Commission.

4. The provisions of this Decision shall be without prejudice to Decision 2002/47/EC, ECSC, Euratom and Decision 2004/563/EC, Euratom.

Article 3
Definition of EUCI, security classifications and markings

1. ‘European Union classified information’ (EUCI) means any information or material designated by an EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States.

2. EUCI shall be classified at one of the following levels:

(a) TRÈS SECRET UE/EU TOP SECRET: information and material the unauthorised disclosure of which could cause exceptionally grave prejudice to the essential interests of the European Union or of one or more of the Member States;

(b) SECRET UE/EU SECRET: information and material the unauthorised disclosure of which could seriously harm the essential interests of the European Union or of one or more of the Member States;

(c) CONFIDENTIEL UE/EU CONFIDENTIAL: information and material the unauthorised disclosure of which could harm the essential interests of the European Union or of one or more of the Member States;

(d) RESTREINT UE/EU RESTRICTED: information and material the unauthorised disclosure of which could be disadvantageous to the interests of the European Union or of one or more of the Member States.

3. EUCI shall bear a security classification marking in accordance with paragraph 2. It may bear additional markings, which are not classification markings, but are intended to designate the field of activity to which it relates, identify the originator, limit distribution, restrict use or indicate releasability.

Article 4
Classification management

1. Each Member of the Commission or Commission department shall ensure that EUCI it creates is appropriately classified, clearly identified as EUCI and retains its classification level for only as long as necessary.

2. Without prejudice to Article 26 below, EUCI shall not be downgraded or declassified nor shall any of the security classification markings referred to in Article 3(2) be modified or removed without the prior written consent of the originator.

3. Where appropriate, implementing rules on handling EUCI, including a practical classification guide, shall be adopted in accordance with Article 60 below.

Article 5
Protection of classified information

1. EUCI shall be protected in accordance with this Decision and its implementing rules.

2. The holder of any item of EUCI shall be responsible for protecting it, in accordance with this Decision and its implementing rules, according to the rules laid out in Chapter 4 below.

3. Where Member States introduce classified information bearing a national security classification marking into the structures or networks of the Commission, the Commission shall protect that information in accordance with the requirements applicable to EUCI at the equivalent level, as set out in the table of equivalence of security classifications contained in Annex I.

4. An aggregate of EUCI may warrant a level of protection corresponding to a higher classification than that of its individual components.

Article 6
Security risk management

1. Security measures for protecting EUCI throughout its life-cycle shall be commensurate in particular with its security classification, the form and the volume of the information or material, the location and construction of facilities housing EUCI and the locally assessed threat of malicious and/or criminal activities, including espionage, sabotage and terrorism.

2. Contingency plans shall take account of the need to protect EUCI during emergency situations in order to prevent unauthorised access, disclosure or loss of integrity or availability.

3. Preventive and recovery measures to minimise the impact of major failures or incidents on the handling and storage of EUCI shall be included in all services' business continuity plans.

Article 7
Implementation of this Decision

1. Where necessary, implementing rules to supplement or support this Decision shall be adopted in accordance with Article 60 below.

2. The Commission departments shall take all necessary measures falling under their responsibility in order to ensure that, when handling or storing EUCI or any other classified information, this Decision and the relevant implementing rules are applied.

3. The security measures taken in implementation of this Decision shall be compliant with the principles for security in the Commission laid down in Article 3 of Decision (EU, Euratom) 2015/443.

4. The Director-General for Human Resources and Security shall set up the Commission Security Authority within the Directorate-General for Human Resources and Security. The Commission Security Authority shall have the responsibilities assigned to it by this Decision and its implementing rules.

5. Within each Commission department, the Local Security Officer (LSO), as referred to in Article 20 of Decision (EU, Euratom) 2015/443, shall have the following overall responsibilities for protecting EUCI in accordance with this Decision, in close cooperation with the Directorate-General for Human Resources and Security:

(a) managing requests for security authorisations for staff;

(b) contributing to security training and awareness briefings;

(c) supervising the department's Registry Control Officer (RCO);

(d) reporting on breaches of security and compromise of EUCI;

(e) holding spare keys and a written record of each combination setting;

(f) assuming other tasks related to the protection of EUCI or defined by implementing rules.

Article 8
Breaches of security and compromise of EUCI

1. A breach of security occurs as the result of an act or omission by an individual which is contrary to the security rules laid down in this Decision and its implementing rules.

2. Compromise of EUCI occurs when, as a result of a breach of security, it has wholly or in part been disclosed to unauthorised persons.

3. Any breach or suspected breach of security shall be reported immediately to the Commission Security Authority.

4. Where it is known or where there are reasonable grounds to assume that EUCI has been compromised or lost, a security inquiry shall be conducted in accordance with Article 13 of Decision (EU, Euratom) 2015/443.

5. All appropriate measures shall be taken to:

(a) inform the originator;

(b) ensure that the case is investigated by personnel not immediately concerned with the breach in order to establish the facts;

(c) assess the potential damage caused to the interests of the Union or of the Member States;

(d) take appropriate measures to prevent a recurrence; and

(e) notify the appropriate authorities of the action taken.

6. Any individual who is responsible for a breach of the security rules laid down in this Decision may be liable to disciplinary action in accordance with the Staff Regulations. Any individual who is responsible for compromising or losing EUCI shall be liable to disciplinary and/or legal action in accordance with the applicable laws, rules and regulations.

(1) Commission Decision (EU, Euratom) 2015/443 of 13 March 2015 on Security in the Commission (See page 41 of this Official Journal).

(2) Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (Conditions of Employment of Other Servants) (OJ L 56, 4.3.1968, p. 1).
