Council Decision of 31 March 2011 on the security rules for protecting EU classified information (2011/292/EU)

Article 10U.K.Protection of EUCI handled in communication and information systems

1.Information Assurance (IA) in the field of communication and information systems is the confidence that such systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users. Effective IA shall ensure appropriate levels of confidentiality, integrity, availability, non-repudiation and authenticity. IA shall be based on a risk management process.

2.‘Communication and Information System’ means any system enabling the handling of information in electronic form. A communication and information system shall comprise the entire assets required for it to operate, including the infrastructure, organisation, personnel and information resources. This Decision shall apply to Communication and Information Systems handling EUCI (CIS).

3.CIS shall handle EUCI in accordance with the concept of IA.

4.All CIS shall undergo an accreditation process. Accreditation shall aim at obtaining assurance that all appropriate security measures have been implemented and that a sufficient level of protection of the EUCI and of the CIS has been achieved in accordance with this Decision. The accreditation statement shall determine the maximum classification level of the information that may be handled in a CIS as well as the corresponding terms and conditions.

5.CIS handling information classified CONFIDENTIEL UE/EU CONFIDENTIAL and above shall be protected in such a way that the information cannot be compromised by unintentional electromagnetic emanations (TEMPEST security measures).

6.Where the protection of EUCI is provided by cryptographic products, such products shall be approved as follows:

(a)the confidentiality of information classified SECRET UE/EU SECRET and above shall be protected by cryptographic products approved by the Council as Crypto Approval Authority (CAA), upon recommendation by the Security Committee;

(b)the confidentiality of information classified CONFIDENTIEL UE/EU CONFIDENTIAL or RESTREINT UE/EU RESTRICTED shall be protected by cryptographic products approved by the Secretary-General of the Council (hereinafter referred to as ‘the Secretary-General’) as CAA, upon recommendation by the Security Committee.

Notwithstanding point (b), within Member States’ national systems, the confidentiality of EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or RESTREINT UE/EU RESTRICTED may be protected by cryptographic products approved by a Member State’s CAA.

7.During transmission of EUCI by electronic means, approved cryptographic products shall be used. Notwithstanding this requirement, specific procedures may be applied under emergency circumstances or specific technical configurations as specified in Annex IV.

8.The competent authorities of the GSC and of the Member States respectively shall establish the following IA functions:

(a)an IA Authority (IAA);

(b)a TEMPEST Authority (TA);

(c)a Crypto Approval Authority (CAA);

(d)a Crypto Distribution Authority (CDA).

9.For each system, the competent authorities of the GSC and of the Member States respectively shall establish:

(a)a Security Accreditation Authority (SAA);

(b)an IA Operational Authority.

10.Provisions for implementing this Article are set out in Annex IV.