When the UK left the EU, legislation.gov.uk published EU legislation that had been published by the EU up to IP completion day (31 December 2020 11.00 p.m.). On legislation.gov.uk, these items of legislation are kept up-to-date with any amendments made by the UK since then.
Legislation.gov.uk publishes the UK version. EUR-Lex publishes the EU version. The EU Exit Web Archive holds a snapshot of EUR-Lex’s version from IP completion day (31 December 2020 11.00 p.m.).
This version of this Decision was derived from EUR-Lex on IP completion day (31 December 2020 11:00 p.m.). It has not been amended by the UK since then. Find out more about legislation originating from the EU as published on legislation.gov.uk.
1. This Decision lays down the basic principles and minimum standards of security for protecting EUCI.
2. These basic principles and minimum standards shall apply to the Council and the GSC and be respected by the Member States in accordance with their respective national laws and regulations, in order that each may be assured that an equivalent level of protection is afforded to EUCI.
3. For the purposes of this Decision, the definitions set out in Appendix A shall apply.
1. ‘EU classified information’ (EUCI) means any information or material designated by an EU security classification, the unauthorised disclosure of which could cause varying degrees of prejudice to the interests of the European Union or of one or more of the Member States.
2. EUCI shall be classified at one of the following levels:
TRÈS SECRET UE/EU TOP SECRET:
information and material the unauthorised disclosure of which could cause exceptionally grave prejudice to the essential interests of the European Union or of one or more of the Member States;
SECRET UE/EU SECRET:
information and material the unauthorised disclosure of which could seriously harm the essential interests of the European Union or of one or more of the Member States;
CONFIDENTIEL UE/EU CONFIDENTIAL:
information and material the unauthorised disclosure of which could harm the essential interests of the European Union or of one or more of the Member States;
RESTREINT UE/EU RESTRICTED:
information and material the unauthorised disclosure of which could be disadvantageous to the interests of the European Union or of one or more of the Member States.
3. EUCI shall bear a security classification marking in accordance with paragraph 2. It may bear additional markings to designate the field of activity to which it relates, identify the originator, limit distribution, restrict use or indicate releasability.
1. The competent authorities shall ensure that EUCI is appropriately classified, clearly identified as classified information and retains its classification level for only as long as necessary.
2. EUCI shall not be downgraded or declassified nor shall any of the markings referred to in Article 2(3) be modified or removed without the prior written consent of the originator.
3. The Council shall approve a security policy on creating EUCI which shall include a practical classification guide.
1. EUCI shall be protected in accordance with this Decision.
2. The holder of any item of EUCI shall be responsible for protecting it in accordance with this Decision.
3. Where Member States introduce classified information bearing a national security classification marking into the structures or networks of the European Union, the Council and the GSC shall protect that information in accordance with the requirements applicable to EUCI at the equivalent level as set out in the table of equivalence of security classifications contained in Appendix B.
4. Large quantities or a compilation of EUCI may warrant a level of protection corresponding to a higher classification.
1. Risk to EUCI shall be managed as a process. This process shall be aimed at determining known security risks, defining security measures to reduce such risks to an acceptable level in accordance with the basic principles and minimum standards set out in this Decision and at applying these measures in line with the concept of defence in depth as defined in Appendix A. The effectiveness of such measures shall be continuously evaluated.
2. Security measures for protecting EUCI throughout its life-cycle shall be commensurate in particular with its security classification, the form and the volume of the information or material, the location and construction of facilities housing EUCI and the locally assessed threat of malicious and/or criminal activities, including espionage, sabotage and terrorism.
3. Contingency plans shall take account of the need to protect EUCI during emergency situations in order to prevent unauthorised access, disclosure or loss of integrity or availability.
4. Preventive and recovery measures to minimise the impact of major failures or incidents on the handling and storage of EUCI shall be included in business continuity plans.
1. Where necessary, the Council, on recommendation by the Security Committee, shall approve security policies setting out measures for implementing this Decision.
2. The Security Committee may agree at its level security guidelines to supplement or support this Decision and any security policies approved by the Council.
1. Personnel security is the application of measures to ensure that access to EUCI is granted only to individuals who have:
a need-to-know,
been security cleared to the relevant level, where appropriate, and
been briefed on their responsibilities.
2. Personnel security clearance procedures shall be designed to determine whether an individual, taking into account his loyalty, trustworthiness and reliability, may be authorised to access EUCI.
3. All individuals in the GSC whose duties may require them to have access to EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or above shall be security cleared to the relevant level before being granted access to such EUCI. The personnel security clearance procedure for GSC officials and other servants is set out in Annex I.
4. Member States’ personnel referred to in Article 14(3) whose duties may require access to EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or above shall be security cleared to the relevant level or otherwise duly authorised by virtue of their functions, in accordance with national laws and regulations, before being granted access to such EUCI.
5. Before being granted access to EUCI and at regular intervals thereafter, all individuals shall be briefed on and acknowledge their responsibilities to protect EUCI in accordance with this Decision.
6. Provisions for implementing this Article are set out in Annex I.
1. Physical security is the application of physical and technical protective measures to prevent unauthorised access to EUCI.
2. Physical security measures shall be designed to deny surreptitious or forced entry by an intruder, to deter, impede and detect unauthorised actions and to allow for segregation of personnel in their access to EUCI on a need-to-know basis. Such measures shall be determined based on a risk management process.
3. Physical security measures shall be put in place for all premises, buildings, offices, rooms and other areas in which EUCI is handled or stored, including areas housing communication and information systems as defined in Article 10(2).
4. Areas in which EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or above is stored shall be established as Secured Areas in accordance with Annex II and approved by the competent security authority.
5. Only approved equipment or devices shall be used for protecting EUCI at the level CONFIDENTIEL UE/EU CONFIDENTIAL or above.
6. Provisions for implementing this Article are set out in Annex II.
1. The management of classified information is the application of administrative measures for controlling EUCI throughout its life-cycle to supplement the measures provided for in Articles 7, 8 and 10 and thereby help deter, detect and recover from deliberate or accidental compromise or loss of such information. Such measures relate in particular to the creation, registration, copying, translation, carriage and destruction of EUCI.
2. Information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above shall be registered for security purposes prior to distribution and on receipt. The competent authorities in the GSC and in the Member States shall establish a registry system for this purpose. Information classified TRÈS SECRET UE/EU TOP SECRET shall be registered in designated registries.
3. Services and premises where EUCI is handled or stored shall be subject to regular inspection by the competent security authority.
4. EUCI shall be conveyed between services and premises outside physically protected areas as follows:
(a) as a general rule, EUCI shall be transmitted by electronic means protected by cryptographic products approved in accordance with Article 10(6);
(b) when the means referred to in point (a) are not used, EUCI shall be carried either:
on electronic media (e.g. USB sticks, CDs, hard drives) protected by cryptographic products approved in accordance with Article 10(6); or
in all other cases, as prescribed by the competent security authority in accordance with the relevant protective measures laid down in Annex III.
5. Provisions for implementing this Article are set out in Annex III.
1. Information Assurance (IA) in the field of communication and information systems is the confidence that such systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users. Effective IA shall ensure appropriate levels of confidentiality, integrity, availability, non-repudiation and authenticity. IA shall be based on a risk management process.
2. ‘Communication and Information System’ means any system enabling the handling of information in electronic form. A communication and information system shall comprise the entire assets required for it to operate, including the infrastructure, organisation, personnel and information resources. This Decision shall apply to Communication and Information Systems handling EUCI (CIS).
3. CIS shall handle EUCI in accordance with the concept of IA.
4. All CIS shall undergo an accreditation process. Accreditation shall aim at obtaining assurance that all appropriate security measures have been implemented and that a sufficient level of protection of the EUCI and of the CIS has been achieved in accordance with this Decision. The accreditation statement shall determine the maximum classification level of the information that may be handled in a CIS as well as the corresponding terms and conditions.
5. CIS handling information classified CONFIDENTIEL UE/EU CONFIDENTIAL and above shall be protected in such a way that the information cannot be compromised by unintentional electromagnetic emanations (TEMPEST security measures).
6. Where the protection of EUCI is provided by cryptographic products, such products shall be approved as follows:
(a) the confidentiality of information classified SECRET UE/EU SECRET and above shall be protected by cryptographic products approved by the Council as Crypto Approval Authority (CAA), upon recommendation by the Security Committee;
(b) the confidentiality of information classified CONFIDENTIEL UE/EU CONFIDENTIAL or RESTREINT UE/EU RESTRICTED shall be protected by cryptographic products approved by the Secretary-General of the Council (hereinafter referred to as ‘the Secretary-General’) as CAA, upon recommendation by the Security Committee.
Notwithstanding point (b), within Member States’ national systems, the confidentiality of EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or RESTREINT UE/EU RESTRICTED may be protected by cryptographic products approved by a Member State’s CAA.
7. During transmission of EUCI by electronic means, approved cryptographic products shall be used. Notwithstanding this requirement, specific procedures may be applied under emergency circumstances or specific technical configurations as specified in Annex IV.
8. The competent authorities of the GSC and of the Member States respectively shall establish the following IA functions:
(a) an IA Authority (IAA);
(b) a TEMPEST Authority (TA);
(c) a Crypto Approval Authority (CAA);
(d) a Crypto Distribution Authority (CDA).
9. For each system, the competent authorities of the GSC and of the Member States respectively shall establish:
(a) a Security Accreditation Authority (SAA);
(b) an IA Operational Authority.
10. Provisions for implementing this Article are set out in Annex IV.
1. Industrial security is the application of measures to ensure the protection of EUCI by contractors or subcontractors in pre-contract negotiations and throughout the life-cycle of classified contracts. Such contracts shall not involve access to information classified TRÈS SECRET UE/EU TOP SECRET.
2. The GSC may entrust by contract tasks involving or entailing access to or the handling or storage of EUCI by industrial or other entities registered in a Member State or in a third State which has concluded an agreement or an administrative arrangement in accordance with Article 12(2)(a) or (b).
3. The GSC, as contracting authority, shall ensure that the minimum standards on industrial security set out in this Decision, and referred to in the contract, are complied with when awarding classified contracts to industrial or other entities.
4. The National Security Authority (NSA), the Designated Security Authority (DSA) or any other competent authority of each Member State shall ensure, to the extent possible under national laws and regulations, that contractors and subcontractors registered in their territory take all appropriate measures to protect EUCI in pre-contract negotiations and when performing a classified contract.
5. The NSA, DSA or any other competent security authority of each Member State shall ensure, in accordance with national laws and regulations, that contractors or subcontractors registered in the said Member State participating in classified contracts or sub-contracts which require access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET within their facilities, either in the performance of such contracts or during the pre-contractual stage, hold a Facility Security Clearance (FSC) at the relevant classification level.
6. Contractor or subcontractor personnel who, for the performance of a classified contract, require access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET shall be granted a Personnel Security Clearance (PSC) by the respective NSA, DSA or any other competent security authority in accordance with national laws and regulations and the minimum standards laid down in Annex I.
7. Provisions for implementing this Article are set out in Annex V.
1. Where the Council determines that there is a need to exchange EUCI with a third State or international organisation, an appropriate framework shall be put in place to that effect.
2. In order to establish such a framework and define reciprocal rules on the protection of classified information exchanged:
(a) the Council shall conclude agreements on security procedures for exchanging and protecting classified information (hereinafter referred to as ‘security of information agreements’); or
(b) the Secretary-General may enter into administrative arrangements in accordance with paragraph 17 of Annex VI where the classification level of EUCI to be released is as a general rule no higher than RESTREINT UE/EU RESTRICTED.
3. Security of information agreements or administrative arrangements referred to in paragraph 2 shall contain provisions to ensure that when third States or international organisations receive EUCI, such information is given protection appropriate to its classification level and according to minimum standards which are no less stringent than those laid down in this Decision.
4. The decision to release EUCI originating in the Council to a third State or international organisation shall be taken by the Council on a case-by-case basis, according to the nature and content of such information, the recipient’s need-to-know and the measure of advantage to the EU. If the originator of the classified information for which release is desired is not the Council, the GSC shall first seek the originator’s written consent to release. If the originator cannot be established, the Council shall assume the former’s responsibility.
5. Assessment visits shall be arranged to ascertain the effectiveness of the security measures in place in a third State or international organisation for protecting EUCI provided or exchanged.
6. Provisions for implementing this Article are set out in Annex VI.
1. A breach of security occurs as the result of an act or omission by an individual which is contrary to the security rules laid down in this Decision.
2. Compromise of EUCI occurs when, as a result of a breach of security, it has wholly or in part been disclosed to unauthorised persons.
3. Any breach or suspected breach of security shall be reported immediately to the competent security authority.
4. Where it is known or where there are reasonable grounds to assume that EUCI has been compromised or lost, the competent security authority shall take all appropriate measures in accordance with the relevant laws and regulations to:
(a) inform the originator;
(b) ensure that the case is investigated by personnel not immediately concerned with the breach in order to establish the facts;
(c) assess the potential damage caused to the interests of the EU or of the Member States;
(d) take appropriate measures to prevent a recurrence; and
(e) notify the appropriate authorities of the action taken.
5. Any individual who is responsible for a breach of the security rules laid down in this Decision may be liable to disciplinary action in accordance with the applicable rules and regulations. Any individual who is responsible for compromising or losing EUCI shall be liable to disciplinary and/or legal action in accordance with the applicable laws, rules and regulations.
1. The Council shall take all necessary measures to ensure overall consistency in the application of this Decision.
2. The Secretary-General shall take all necessary measures to ensure that, when handling or storing EUCI or any other classified information, this Decision is applied in premises used by the Council and within the GSC, including in its liaison offices in third States, by GSC officials and other servants, by personnel seconded to the GSC and by GSC contractors.
3. Member States shall take all appropriate measures, in accordance with their respective national laws and regulations, to ensure that when EUCI is handled or stored, this Decision is respected by:
(a) personnel of Member States’ Permanent Representations to the European Union, and national delegates attending meetings of the Council or of its preparatory bodies, or participating in other Council activities;
(b) other personnel in Member States’ national administrations, including personnel seconded to those administrations, whether they serve on the territory of the Member States or abroad;
(c) other persons in the Member States duly authorised by virtue of their functions to have access to EUCI; and
(d) Member States’ contractors, whether on the territory of the Member States or abroad.
1. As part of its role in ensuring overall consistency in the application of this Decision, the Council shall approve:
(a) agreements referred to in Article 12(2)(a);
(b) decisions authorising the release of EUCI to third States and international organisations;
(c) an annual inspection programme proposed by the Secretary-General and recommended by the Security Committee for inspections of Member States’ services and premises and of EU agencies and bodies established under Title V, Chapter 2 of the TEU as well as of Europol and Eurojust, and assessment visits to third States and international organisations in order to ascertain the effectiveness of measures implemented for protecting EUCI; and
(d) security policies as foreseen in Article 6(1).
2. The Secretary-General shall be the GSC’s Security Authority. In that capacity, the Secretary-General shall:
(a) implement the Council’s security policy and keep it under review;
(b) coordinate with Member States’ NSAs on all security matters relating to the protection of classified information relevant for the Council’s activities;
(c) grant EU PSCs to GSC officials and other servants in accordance with Article 7(3) before they may be granted access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above;
(d) as appropriate, order investigations into any actual or suspected compromise or loss of classified information held by or originating in the Council and request the relevant security authorities to assist in such investigations;
(e) undertake periodic inspections of the security arrangements for protecting classified information on GSC premises;
(f) undertake periodic inspections of the security arrangements for protecting EUCI in EU agencies and bodies established under Title V, Chapter 2, of the TEU, Europol, Eurojust, as well as in crisis management operations established under Title V, Chapter 2, of the TEU and by EU Special Representatives (EUSR) and the members of their teams;
(g) undertake, jointly and in agreement with the NSA concerned, periodic inspections of the security arrangements for protecting EUCI in Member States’ services and premises;
(h) coordinate security measures with the competent authorities of the Member States which are responsible for protecting classified information and, as appropriate, third States or international organisations, including on the nature of threats to the security of EUCI and the means of protection against them;
(i) enter into the administrative arrangements referred to in Article 12(2)(b); and
(j) undertake initial and periodic assessment visits to third States or international organisations in order to ascertain the effectiveness of measures implemented for protecting EUCI provided to or exchanged with them.
The Security Office of the GSC shall be at the disposal of the Secretary-General to assist in these responsibilities.
3. For the purposes of implementing Article 14(3), Member States should:
(a) designate an NSA responsible for security arrangements for protecting EUCI in order that:
EUCI held by any national department, body or agency, public or private, at home or abroad, is protected in accordance with this Decision;
security arrangements for protecting EUCI are periodically inspected;
all individuals employed within a national administration or by a contractor who may be granted access to information classified CONFIDENTIEL UE/EU CONFIDENTIAL or above are appropriately security cleared or are otherwise duly authorised by virtue of their functions in accordance with national laws and regulations;
security programmes are set up as necessary in order to minimise the risk of EUCI being compromised or lost;
security matters related to protecting EUCI are coordinated with other competent national authorities, including those referred to in this Decision; and
responses are given to appropriate security clearance requests from EU agencies and bodies established under Title V, Chapter 2 of the TEU, Europol, Eurojust, as well as crisis management operations established under Title V, Chapter 2, of the TEU and EUSRs and their teams.
NSAs are listed in Appendix C;
(b) ensure that their competent authorities provide information and advice to their governments, and through them to the Council, on the nature of threats to the security of EUCI and the means of protection against them.
1. A Security Committee is hereby established. It shall examine and assess any security matter within the scope of this Decision and make recommendations to the Council as appropriate.
2. The Security Committee shall be composed of representatives of the Member States’ NSAs and be attended by a representative of the Commission and of the European External Action Service. It shall be chaired by the Secretary-General or by his designated delegate. It shall meet as instructed by the Council, or at the request of the Secretary-General or of an NSA.
Representatives of EU agencies and bodies established under Title V, Chapter 2, of the TEU, as well as Europol and Eurojust, may be invited to attend when questions concerning them are discussed.
3. The Security Committee shall organise its activities in such a way that it can make recommendations on specific areas of security. It shall establish an expert sub-area for IA issues and other expert sub-areas as necessary. It shall draw up terms of reference for such expert sub-areas and receive reports from them on their activities including, as appropriate, any recommendations for the Council.
1. This Decision shall repeal and replace Council Decision 2001/264/EC of 19 March 2001 adopting the Council’s security regulations(1).
2. All EUCI classified in accordance with Decision 2001/264/EC shall continue to be protected in accordance with the relevant provisions of this Decision.
This Decision shall enter into force on the date of its publication in the Official Journal of the European Union.
Done at Brussels, 31 March 2011.
For the Council
The President
Völner P.