Commission Decision (EU, Euratom) 2015/444Dangos y teitl llawn

CHAPTER 1U.K. BASIC PRINCIPLES AND MINIMUM STANDARDS

Article 1U.K.Definitions

For the purpose of this Decision, the following definitions shall apply:

Article 2U.K.Subject matter and scope

1.This Decision lays down the basic principles and minimum standards of security for protecting EUCI.

2.This Decision shall apply to all Commission departments and in all premises of the Commission.

3.Notwithstanding any specific indications concerning particular groups of staff, this Decision shall apply to the Members of the Commission, to Commission staff under the scope of the Staff Regulations and of the Conditions of Employment of other servants of the European Communities to national experts seconded to the Commission (SNEs), to service providers and their staff, to trainees and to any individual with access to Commission buildings or other assets, or to information handled by the Commission.

4.The provisions of this Decision shall be without prejudice to Decision 2002/47/EC, ECSC, Euratom and Decision 2004/563/EC, Euratom.

Article 3U.K.Definition of EUCI, security classifications and markings

1.‘European Union classified information’ (EUCI) means any information or material designated by an EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States.

2.EUCI shall be classified at one of the following levels:

3.EUCI shall bear a security classification marking in accordance with paragraph 2. It may bear additional markings, which are not classification markings, but are intended to designate the field of activity to which it relates, identify the originator, limit distribution, restrict use or indicate releasability.

Article 4U.K.Classification management

1.Each Member of the Commission or Commission department shall ensure that EUCI it creates, is appropriately classified, clearly identified as EUCI and retains its classification level for only as long as necessary.

2.Without prejudice to Article 26 below, EUCI shall not be downgraded or declassified nor shall any of the security classification markings referred to in Article 3(2) be modified or removed without the prior written consent of the originator.

3.Where appropriate, implementing rules on handling EUCI, including a practical classification guide, shall be adopted in accordance with Article 60 below.

Article 5U.K.Protection of classified information

1.EUCI shall be protected in accordance with this Decision and its implementing rules.

2.The holder of any item of EUCI shall be responsible for protecting it, in accordance with this Decision and its implementing rules, according to the rules laid out in Chapter 4 below.

3.Where Member States introduce classified information bearing a national security classification marking into the structures or networks of the Commission, the Commission shall protect that information in accordance with the requirements applicable to EUCI at the equivalent level, as set out in the table of equivalence of security classifications contained in Annex I.

4.An aggregate of EUCI may warrant a level of protection corresponding to a higher classification than that of its individual components.

Article 6U.K.Security risk management

1.Security measures for protecting EUCI throughout its life-cycle shall be commensurate in particular with its security classification, the form and the volume of the information or material, the location and construction of facilities housing EUCI and the locally assessed threat of malicious and/or criminal activities, including espionage, sabotage and terrorism.

2.Contingency plans shall take account of the need to protect EUCI during emergency situations in order to prevent unauthorised access, disclosure or loss of integrity or availability.

3.Preventive and recovery measures to minimise the impact of major failures or incidents on the handling and storage of EUCI shall be included in all services' business continuity plans.

Article 7U.K.Implementation of this Decision

1.Where necessary, implementing rules to supplement or support this Decision shall be adopted in accordance with Article 60 below.

2.The Commission departments shall take all necessary measures falling under their responsibility in order to ensure that, when handling or storing EUCI or any other classified information, this Decision and the relevant implementing rules are applied.

3.The security measures taken in implementation of this Decision shall be compliant with the principles for security in the Commission laid down in Article 3 of Decision (EU, Euratom) 2015/443.

4.The Director-General for Human Resources and Security shall set up the Commission Security Authority within the Directorate-General for Human Resources and Security. The Commission Security Authority shall have the responsibilities assigned to it by this Decision and its implementing rules.

5.Within each Commission department, the Local Security Officer (LSO), as referred to in Article 20 of Decision (EU, Euratom) 2015/443, shall have the following overall responsibilities for protecting EUCI in accordance with this Decision, in close cooperation with the Directorate-General for Human Resources and Security:

(a)managing requests for security authorisations for staff;

(b)contributing to security training and awareness briefings;

(c)supervising the department's Registry Control Officer (RCO);

(d)reporting on breaches of security and compromise of EUCI;

(e)holding spare keys and a written record of each combination setting;

(f)assuming other tasks related to the protection of EUCI or defined by implementing rules.

Article 8U.K.Breaches of security and compromise of EUCI

1.A breach of security occurs as the result of an act or omission by an individual which is contrary to the security rules laid down in this Decision and its implementing rules.

2.Compromise of EUCI occurs when, as a result of a breach of security, it has wholly or in part been disclosed to unauthorised persons.

3.Any breach or suspected breach of security shall be reported immediately to the Commission Security Authority.

4.Where it is known or where there are reasonable grounds to assume that EUCI has been compromised or lost, a security inquiry shall be conducted in accordance with Article 13 of Decision (EU, Euratom) 2015/443.

5.All appropriate measures shall be taken to:

(a)inform the originator;

(b)ensure that the case is investigated by personnel not immediately concerned with the breach in order to establish the facts;

(c)assess the potential damage caused to the interests of the Union or of the Member States;

(d)take appropriate measures to prevent a recurrence; and

(e)notify the appropriate authorities of the action taken.

6.Any individual who is responsible for a breach of the security rules laid down in this Decision may be liable to disciplinary action in accordance with the Staff regulations. Any individual who is responsible for compromising or losing EUCI shall be liable to disciplinary and/or legal action in accordance with the applicable laws, rules and regulations.