1.All EUCI documents should be managed in compliance with the Commission's policy on document management and consequently should be registered, filed, preserved and finally eliminated, sampled or transferred to the Historical Archives in accordance with the common Commission-level retention list for European Commission files.
2.Information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above shall be registered for security purposes prior to distribution and on receipt. Information classified TRES SECRET UE/EU TOP SECRET shall be registered in designated registries.
3.Within the Commission, a EUCI registry system shall be set up in accordance with the provisions of Article 27.
4.Commission departments and premises where EUCI is handled or stored shall be subject to regular inspection by the Commission Security Authority.
5.EUCI shall be conveyed between services and premises outside physically protected areas as follows:
(a)as a general rule, EUCI shall be transmitted by electronic means protected by cryptographic products approved in accordance with Chapter 5;
(b)when the means referred to in point (a) are not used, EUCI shall be carried either:
on electronic media (e.g. USB sticks, CDs, hard drives) protected by cryptographic products approved in accordance with Chapter 5; or
in all other cases, as prescribed in implementing rules.
1.Information shall be classified where it requires protection with regard to its confidentiality, in accordance with Article 3(1).
2.The originator of EUCI shall be responsible for determining the security classification level, in accordance with the relevant implementing rules, standards and guidelines regarding classification, and for the initial dissemination of the information.
3.The classification level of EUCI shall be determined in accordance with Article 3(2) and with the relevant implementing rules.
4.The security classification shall be clearly and correctly indicated, regardless of whether the EUCI is on paper, oral, electronic or in any other form.
5.Individual parts of a given document (i.e. pages, paragraphs, sections, annexes, appendices, attachments and enclosures) may require different classifications and be marked accordingly, including when stored in electronic form.
6.The overall classification level of a document or file shall be at least as high as that of its most highly classified component. When information from various sources is collated, the final product shall be reviewed to determine its overall security classification level, since it may warrant a higher classification than its component parts.
7.To the extent possible, documents containing parts with different classification levels shall be structured so that parts with a different classification level may be easily identified and detached if necessary.
8.The classification of a letter or note covering enclosures shall be as high as the highest classification of its enclosures. The originator shall indicate clearly at which level it is classified when detached from its enclosures by means of an appropriate marking, e.g.:
CONFIDENTIEL UE/EU CONFIDENTIAL
Without attachment(s) RESTREINT UE/EU RESTRICTED
In addition to one of the security classification markings set out in Article 3(2), EUCI may bear additional markings, such as:
an identifier to designate the originator;
any caveats, code-words or acronyms specifying the field of activity to which the document relates, a particular distribution on a need-to-know basis or restrictions on use;
releasability markings;
where applicable, the date or specific event after which it may be downgraded or declassified.
1.Standardised abbreviated classification markings may be used to indicate the classification level of individual paragraphs of a text. Abbreviations shall not replace the full classification markings.
2.The following standard abbreviations may be used within EU classified documents to indicate the classification level of sections or blocks of text of less than a single page:
TS-UE/EU-TS
S-UE/EU-S
C-UE/EU-C
R-UE/EU-R
1.When creating an EU classified document:
(a)each page shall be marked clearly with the classification level;
(b)each page shall be numbered;
(c)the document shall bear a registration number and a subject, which is not itself classified information, unless it is marked as such;
(d)the document shall be dated;
(e)documents classified SECRET UE/EU SECRET or above shall bear a copy number on every page, if they are to be distributed in several copies.
2.Where it is not possible to apply paragraph 1 to EUCI, other appropriate measures shall be taken in accordance with implementing rules.
1.At the time of its creation, the originator shall indicate, where possible, whether EUCI can be downgraded or declassified on a given date or following a specific event.
2.Each Commission department shall regularly review EUCI for which it is the originator to ascertain whether the classification level still applies. A system to review the classification level of registered EUCI which has originated in the Commission no less frequently than every five years shall be established by implementing rules. Such a review shall not be necessary where the originator has indicated from the outset that the information will automatically be downgraded or declassified and the information has been marked accordingly.
3.Information classified RESTREINT UE/EU RESTRICTED having originated in the Commission will be considered to be automatically declassified after thirty years, in accordance with Regulation (EEC, Euratom) No 354/83 as amended by Council Regulation (EC, Euratom) No 1700/2003(1).
1.Without prejudice to Article 52 paragraph 5 below, in each Commission department in which EUCI is handled or stored at the level of CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET, a responsible local EUCI registry shall be identified to ensure that EUCI is handled in accordance with this Decision.
2.The EUCI registry managed by the Secretariat-General shall be the Commission's Central EUCI Registry. It shall act as:
the Local EUCI Registry for the Commission's Secretariat-General,
the EUCI registry for the private offices of Members of the Commission, unless these have a designated local EUCI registry,
the EUCI registry for Directorates-General or services which do not have a local EUCI registry,
the main point of entry and exit for all information classified RESTREINT UE/EU RESTRICTED and up to including SECRET UE/EU SECRET exchanged between the Commission and its services and third States and international organisations, and, when provided for in specific arrangements, for other Union institutions, agencies and bodies.
3.Within the Commission, a registry shall be designated by the Commission Security Authority to act as the central receiving and dispatching authority for information classified TRES SECRET UE/EU TOP SECRET. Where necessary, subordinate registries may be designated to handle that information for registration purposes.
4.The subordinate registries may not transmit TRES SECRET UE/EU TOP SECRET documents directly to other subordinate registries of the same central TRES SECRET UE/EU TOP SECRET registry or externally without the express written approval of the latter.
5.EUCI registries shall be established as Secured Areas as defined in Chapter 3, and accredited by the Commission's Security Accreditation Authority (SAA).
1.Each EUCI registry shall be managed by a Registry Control Officer (‘RCO’).
2.The RCO shall be appropriately security-cleared.
3.The RCO shall be subject to the supervision of the LSO within the Commission department, as far as the application of the provisions regarding the handling of EUCI documents and compliance with the relevant security rules, standards and guidelines is concerned.
4.Within his responsibility for managing the EUCI Registry to which he has been assigned, the RCO shall assume the following overall tasks in accordance with this Decision and the relevant implementing rules, standards and guidelines:
manage operations relating to the registration, preservation, reproduction, translation, transmission, dispatch and destruction or transfer to the historical archives service of EUCI,
verify periodically the need to maintain the classification of information,
assume any other tasks related to the protection of EUCI defined in implementing rules.
1.For the purposes of this Decision, registration for security purposes (hereinafter referred to as ‘registration’) means the application of procedures which record the life-cycle of EUCI, including its dissemination.
2.All information or material classified CONFIDENTIEL UE/EU CONFIDENTIAL and above shall be registered in designated registries when it is received in or dispatched from an organisational entity.
3.When EUCI is handled or stored using a Communication and Information System (CIS), registration procedures may be performed by processes within the CIS itself.
4.More detailed provisions concerning the registration of EUCI for security purposes shall be laid down in implementing rules.
1.TRES SECRET UE/EU TOP SECRET documents shall not be copied or translated without the prior written consent of the originator.
2.Where the originator of documents classified SECRET UE/EU SECRET and below has not imposed caveats on their copying or translation, such documents may be copied or translated on instruction from the holder.
3.The security measures applicable to the original document shall apply to copies and translations thereof.
1.EUCI shall be carried in such a way as to protect it from unauthorised disclosure during its carriage.
2.Carriage of EUCI shall be subject to the protective measures, which shall:
be commensurate with the level of classification of the EUCI carried, and
be adapted to the specific conditions of its carriage, in particular depending on whether EUCI is carried:
within a Commission building or a self-contained group of Commission buildings,
between Commission buildings located in the same Member State,
within the Union,
from within the Union to the territory of a third State, and
be adapted to the nature and form of the EUCI.
3.These protective measures shall be laid down in detail in implementing rules, or, in case of projects and programmes referred to in Article 42, as an integral part of the relevant Programme or Project Security Instructions (PSI).
4.The implementing rules or PSI shall include provisions commensurate with the level of EUCI, regarding:
the type of carriage, such as hand carriage, carriage by diplomatic or military courier, carriage by postal services or commercial courier services,
packaging of EUCI,
technical countermeasures for EUCI carried on electronic media,
any other procedural, physical or electronic measure,
registration procedures,
use of security authorised personnel.
5.When EUCI is carried on electronic media, and notwithstanding Article 21, paragraph 5, the protective measures set out in the relevant implementing rules may be supplemented by appropriate technical countermeasures approved by the Commission Security Authority so as to minimise the risk of loss or compromise.
1.EU classified documents which are no longer required may be destroyed, taking account of regulations on archives and of the Commission's rules and regulations on document management and archiving, and in particular with the Common Commission-Level Retention List.
2.EUCI of the level of CONFIDENTIEL UE/EU CONFIDENTIAL and above shall be destroyed by the RCO of the responsible EUCI registry on instruction from the holder or from a competent authority. The RCO shall update the logbooks and other registration information accordingly.
3.For documents classified SECRET UE/EU SECRET or TRES SECRET UE/EU TOP SECRET, such destruction shall be performed by the RCO in the presence of a witness who shall be cleared to at least the classification level of the document being destroyed.
4.The registrar and the witness, where the presence of the latter is required, shall sign a destruction certificate, which shall be filed in the registry. The RCO of the responsible EUCI registry shall keep destruction certificates of TRES SECRET UE/EU TOP SECRET documents for a period of at least 10 years and for documents classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET for a period of at least five years.
5.Classified documents, including those classified RESTREINT UE/EU RESTRICTED, shall be destroyed by methods which shall be defined in implementing rules and which shall meet relevant EU or equivalent standards.
6.Computer storage media used for EUCI shall be destroyed in accordance with procedures laid down in implementing rules.
1.Commission departments holding EUCI shall prepare plans based on local conditions for the safeguarding of EU classified material in a crisis including if necessary emergency destruction and evacuation plans. They shall promulgate instructions deemed necessary to prevent EUCI from falling into unauthorised hands.
2.The arrangements for the safeguarding and/or destruction of CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET material in a crisis shall under no circumstances adversely affect the safeguarding or destruction of TRES SECRET UE/EU TOP SECRET material, including the enciphering equipment, whose treatment shall take priority over all other tasks.
3.In the event of an emergency, if there is an imminent risk of unauthorised disclosure, EUCI shall be destroyed by the holder in such a way that it cannot be reconstructed in whole or in part. The originator and originating registry shall be informed of the emergency destruction of registered EUCI.
4.More detailed provisions for destruction of EUCI shall be laid down in implementing rules.
Council Regulation (EC, Euratom) No 1700/2003 of 22 September 2003 amending Regulation (EEC, Euratom) No 354/83 concerning the opening to the public of the historical archives of the European Economic Community and the European Atomic Energy Community (OJ L 243, 27.9.2003, p. 1).