
Commission Decision (EU, Euratom) 2015/444 of 13 March 2015 on the security rules for protecting EU classified information


Changes to legislation:

There are currently no known outstanding effects for the Commission Decision (EU, Euratom) 2015/444, CHAPTER 2.

CHAPTER 2 PERSONNEL SECURITY

Article 9 Definitions

For the purpose of this Chapter, the following definitions apply:

(1) ‘authorisation for access to EUCI’ means a decision by the Commission Security Authority taken on the basis of an assurance given by a competent authority of a Member State that a Commission official, other servant or seconded national expert may, provided his ‘need-to-know’ has been determined and he has been appropriately briefed on his responsibilities, be granted access to EUCI up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or above) until a specified date; the individual thus described is said to be ‘security authorised’.

(2) ‘personnel security authorisation’ is the application of measures to ensure that access to EUCI is granted only to individuals who have:

(a) a need-to-know;

(b) been security authorised to the relevant level, where appropriate; and

(c) been briefed on their responsibilities.

(3) ‘Personnel Security Clearance’ (PSC) means a statement by a competent authority of a Member State which is made following completion of a security investigation conducted by the competent authorities of a Member State and which certifies that an individual may, provided his ‘need-to-know’ has been determined and he has been appropriately briefed on his responsibilities, be granted access to EUCI up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or above) until a specified date;

(4) ‘Personnel Security Clearance Certificate’ (PSCC) means a certificate issued by a competent authority establishing that an individual holds a valid security clearance or a security authorisation issued by the Commission Security Authority and which shows the level of EUCI to which that individual may be granted access (CONFIDENTIEL UE/EU CONFIDENTIAL or above), the period of validity of the relevant security clearance or authorisation and the date of expiry of the certificate itself.

(5) ‘security investigation’ means the investigative procedures conducted by the competent authority of a Member State in accordance with its national laws and regulations in order to obtain an assurance that nothing adverse is known which would prevent an individual from being granted a security clearance up to a specified level (CONFIDENTIEL UE/EU CONFIDENTIAL or above).

Article 10 Basic Principles

1. An individual shall only be granted access to EUCI after

(1) his need-to-know has been determined;

(2) he has been briefed on the security rules for protecting EUCI and the relevant security standards and guidelines, and has acknowledged his responsibilities with regard to protecting such information;

(3) for information classified CONFIDENTIEL UE/EU CONFIDENTIAL and above, he has been security authorised to the relevant level or is otherwise duly authorised by virtue of his functions in accordance with national laws and regulations.

2. All individuals whose duties may require them to have access to EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or above shall be security authorised to the relevant level before being granted access to such EUCI. The individual concerned shall consent in writing to being submitted to the personnel security clearance procedure. Failure to do so shall mean that the individual cannot be assigned to a post, function or task which involves access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above.

3. Personnel security clearance procedures shall be designed to determine whether an individual, taking into account his loyalty, trustworthiness and reliability, may be authorised to access EUCI.

4. The loyalty, trustworthiness and reliability of an individual for the purposes of being security cleared for access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above shall be determined by means of a security investigation conducted by the competent authorities of a Member State in accordance with its national laws and regulations.

5. The Commission Security Authority shall be solely responsible for liaising with the national security authorities (‘NSAs’) or other competent national authorities in the context of all security clearance issues. All contacts between Commission services and their staff and the NSAs and other competent authorities shall be conducted through the Commission Security Authority.

Article 11 Security authorisation procedure

1. Each Director-General or head of service within the Commission shall identify the positions within his department for which the holders need to access information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above to perform their duties and so need to be security authorised.

2. As soon as it is known that an individual will be appointed to a position requiring access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above, the LSO of the Commission department concerned shall inform the Commission Security Authority, which shall transmit to the individual the security clearance questionnaire issued by the NSA of the Member State under whose nationality the individual has been appointed as a staff member of the European institutions. The individual shall consent in writing to being submitted to the security clearance procedure and return the completed questionnaire within the shortest deadline to the Commission Security Authority.

3. The Commission Security Authority shall forward the completed security clearance questionnaire to the NSA of the Member State under whose nationality the individual has been appointed as a staff member of the European institutions, requesting that a security investigation be undertaken for the level of EUCI to which the individual will require access.

4. Where information relevant to a security investigation is known to the Commission Security Authority concerning an individual who has applied for a security clearance, the Commission Security Authority, acting in accordance with the relevant rules and regulations, shall notify the competent NSA thereof.

5. Following completion of the security investigation, and as soon as possible after having been notified by the relevant NSA of its overall assessment of the findings of the security investigation, the Commission Security Authority:

(a) may grant an authorisation for access to EUCI to the individual concerned and authorise access to EUCI up to the relevant level until a date specified by him but for a maximum of 5 years, where the security investigation results in an assurance that nothing adverse is known which would call into question the loyalty, trustworthiness and reliability of the individual;

(b) shall, where the security investigation does not result in such an assurance, in accordance with the relevant rules and regulations, notify the individual concerned, who may ask to be heard by the Commission Security Authority, who in turn may ask the competent NSA for any further clarification it can provide according to its national laws and regulations. If the outcome of the security investigation is confirmed, the authorisation for access to EUCI shall not be issued.

6. The security investigation together with the results obtained shall be subject to the relevant laws and regulations in force in the Member State concerned, including those concerning appeals. Decisions by the Commission Security Authority shall be subject to appeals in accordance with the Staff Regulations.

7. The Commission shall accept the authorisation for access to EUCI granted by any other Union institution, body or agency provided it remains valid. Authorisations shall cover any assignment by the individual concerned within the Commission. The Union institution, body or agency in which the individual is taking up employment will notify the relevant NSA of the change of employer.

8. If an individual's period of service does not commence within 12 months of the notification of the outcome of the security investigation to the Commission Security Authority, or if there is a break of 12 months in an individual's service, during which time he has not been employed by the Commission or by any other Union Institution, body or agency, or in a position with a national administration of a Member State, the Commission Security Authority shall refer the matter to the relevant NSA for confirmation that the security clearance remains valid and appropriate.

9. Where information becomes known to the Commission Security Authority concerning a security risk posed by an individual who holds a valid security authorisation, the Security Authority, acting in accordance with the relevant rules and regulations, shall notify the competent NSA thereof.

10. Where an NSA notifies the Commission Security Authority of the withdrawal of an assurance given in accordance with paragraph 5(a) for an individual who holds a valid authorisation for access to EUCI, the Commission Security Authority may ask for any clarification the NSA can provide according to its national laws and regulations. If the adverse information is confirmed by the relevant NSA, the security authorisation shall be withdrawn and the individual shall be excluded from access to EUCI and from positions where such access is possible or where he might endanger security.

11. Any decision to withdraw or suspend an authorisation for access to EUCI from any individual falling under the scope of this Decision, and, where appropriate, the reasons for doing so, shall be notified to the individual concerned, who may ask to be heard by the Commission Security Authority. Information provided by an NSA shall be subject to the relevant laws and regulations in force in the Member State concerned. Decisions made in this context by the Commission Security Authority shall be subject to appeals in accordance with the Staff Regulations.

12. Commission departments shall make sure that national experts seconded to them for a position requiring security authorisation to access EUCI shall present, prior to taking up their assignment, a valid PSC or Personnel Security Clearance Certificate (‘PSCC’), according to national law and regulations, to the Commission Security Authority, who, on the basis thereof, will grant a security authorisation for access to EUCI up to the level equivalent to the one referred to in the national security clearance, with a maximum validity for the duration of their assignment.

Access to EUCI for individuals duly authorised by virtue of their functions

13. The Members of the Commission, who have access to EUCI by virtue of their functions on the basis of the Treaty, shall be briefed on their security obligations in respect of protecting EUCI.

Security Clearance and security authorisation records

14. Records of security clearances and authorisations granted for access to EUCI shall be maintained by the Commission Security Authority in accordance with this Decision. These records shall contain as a minimum the level of EUCI to which the individual may be granted access, the date of issue of the security clearance and its period of validity.

15. The Commission Security Authority may issue a PSCC showing the level of EUCI to which the individual may be granted access (CONFIDENTIEL UE/EU CONFIDENTIAL or above), the date of validity of the relevant authorisation for access to EUCI and the date of expiry of the certificate itself.

Renewal of security authorisations

16. After the initial granting of security authorisations and provided that the individual has had uninterrupted service with the European Commission or another Union Institution, body or agency and has a continuing need for access to EUCI, the security authorisation for access to EUCI shall be reviewed for renewal, as a general rule, every five years from the date of notification of the outcome of the last security investigation on which it was based.

17. The Commission Security Authority may extend the validity of the existing security authorisation for a period of up to 12 months, if no adverse information has been received from the relevant NSA or other competent national authority within a period of two months from the date of transmission of the request for renewal and the corresponding security clearance questionnaire. If, at the end of this 12-month period, the relevant NSA or other competent national authority has not notified the Commission Security Authority of its opinion, the individual shall be assigned to duties which do not require a security authorisation.

Article 12 Security authorisation briefings

1. After having participated in the security authorisation briefing organised by the Commission Security Authority, all individuals who have been security authorised shall acknowledge in writing that they have understood their obligations in respect of protecting EUCI and the consequences if EUCI is compromised. A record of such a written acknowledgement shall be kept by the Commission Security Authority.

2. All individuals who are authorised to have access to, or required to handle EUCI, shall initially be made aware, and periodically briefed on the threats to security and must report immediately to the Commission Security Authority any approach or activity that they consider suspicious or unusual.

3. All individuals who cease to be employed in duties requiring access to EUCI shall be made aware of, and where appropriate acknowledge in writing, their obligations in respect of the continued protection of EUCI.

Article 13 Temporary security authorisations

1. In exceptional circumstances, where duly justified in the interests of the service and pending completion of a full security investigation, the Commission Security Authority, may, after consulting the NSA of the Member State of which the individual is a national and subject to the outcome of preliminary checks to verify that no relevant adverse information is known, grant a temporary authorisation for individuals to access EUCI for a specific function, without prejudice to the provisions regarding renewal of security clearances. Such temporary authorisations for access to EUCI shall be valid for a single period not exceeding six months and shall not permit access to information classified TRES SECRET UE/EU TOP SECRET.

2. After having been briefed in accordance with Article 12(1), all individuals who have been granted a temporary authorisation shall acknowledge in writing that they have understood their obligations in respect of protecting EUCI and the consequences if EUCI is compromised. A record of such a written acknowledgement shall be kept by the Commission Security Authority.

Article 14 Attendance at classified meetings organised by the Commission

1. Commission departments responsible for organising meetings at which information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above is discussed shall, through their LSO or through the meeting organiser, inform the Commission Security Authority well in advance of the dates, times, venue and participants of such meetings.

2. Subject to the provisions of Article 11(13), individuals assigned to participate in meetings organised by the Commission at which information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above is discussed, may only do so upon confirmation of their security clearance or security authorisation status. Access to such classified meetings shall be denied to individuals for whom the Commission Security Authority has not seen a PSCC or other proof of security clearance, or, to participants of the Commission who are not in possession of a security authorisation.

3. Before organising a classified meeting, the responsible meeting organiser or the LSO of the Commission department organising the meeting, shall request external participants to provide the Commission Security Authority a PSCC or other proof of security clearance. The Commission Security Authority shall inform the LSO or the meeting organiser of PSCC or other proof of PSC received. Where applicable, a consolidated list of names may be used, giving the relevant proof of security clearance.

4. Where the Commission Security Authority is informed by the competent authorities that a PSC has been withdrawn from an individual whose duties require attendance at meetings organised by the Commission, the Commission Security Authority shall notify the LSO of the Commission department responsible for organising the meeting.

Article 15 Potential Access to EUCI

Couriers, guards and escorts shall be security authorised to the appropriate level or otherwise appropriately investigated in accordance with national laws and regulations, be briefed on security procedures for protecting EUCI and be instructed on their duties for protecting such information entrusted to them.
