- Latest available (Revised)
- Original (As adopted by EU)
Council Decision of 23 September 2013 on the security rules for protecting EU classified information (2013/488/EU)
You are here:
What Version
Advanced Features
- Show Geographical Extent(e.g. England, Wales, Scotland and Northern Ireland)
- Show Timeline of Changes
Opening Options
More Resources
Revised version PDFs
- Revised 30/12/20190.60 MB
- Revised 26/04/20140.94 MB
Legislation originating from the EU
When the UK left the EU, legislation.gov.uk published EU legislation that had been published by the EU up to IP completion day (31 December 2020 11.00 p.m.). On legislation.gov.uk, these items of legislation are kept up-to-date with any amendments made by the UK since then.
This item of legislation originated from the EU
Legislation.gov.uk publishes the UK version. EUR-Lex publishes the EU version. The EU Exit Web Archive holds a snapshot of EUR-Lex’s version from IP completion day (31 December 2020 11.00 p.m.).
Changes over time for: ANNEX II
Changes to legislation:
This version of this Decision was derived from EUR-Lex on IP completion day (31 December 2020 11:00 p.m.). It has not been amended by the UK since then. Find out more about legislation originating from the EU as published on legislation.gov.uk.
Changes to Legislation
Revised legislation carried on this site may not be fully up to date. At the current time any known changes or effects made by subsequent legislation have been applied to the text of the legislation you are viewing by the editorial team. Please see ‘Frequently Asked Questions’ for details regarding the timescales for which new effects are identified and recorded on this site.
ANNEX IIU.K. PHYSICAL SECURITY
I.INTRODUCTIONU.K.
1.This Annex sets out provisions for implementing Article 8. It lays down minimum requirements for the physical protection of premises, buildings, offices, rooms and other areas where EUCI is handled and stored, including areas housing CIS.U.K.
2.Physical security measures shall be designed to prevent unauthorised access to EUCI by:U.K.
(a)
ensuring that EUCI is handled and stored in an appropriate manner;
(b)
allowing for segregation of personnel in terms of access to EUCI on the basis of their need-to-know and, where appropriate, their security clearance;
(c)
deterring, impeding and detecting unauthorised actions; and
(d)
denying or delaying surreptitious or forced entry by intruders.
II.PHYSICAL SECURITY REQUIREMENTS AND MEASURESU.K.
3.Physical security measures shall be selected on the basis of a threat assessment made by the competent authorities. The GSC and Member States shall each apply a risk management process for protecting EUCI on their premises to ensure that a commensurate level of physical protection is afforded against the assessed risk. The risk management process shall take account of all relevant factors, in particular:U.K.
(a)
the classification level of EUCI;
(b)
the form and volume of EUCI, bearing in mind that large quantities or a compilation of EUCI may require more stringent protective measures to be applied;
(c)
the surrounding environment and structure of the buildings or areas housing EUCI; and
(d)
the assessed threat from intelligence services which target the Union or Member States and from sabotage, terrorist, subversive or other criminal activities.
4.The competent security authority, applying the concept of defence in depth, shall determine the appropriate combination of physical security measures to be implemented. These can include one or more of the following:U.K.
(a)
a perimeter barrier: a physical barrier which defends the boundary of an area requiring protection;
(b)
intrusion detection systems (IDS): an IDS may be used to enhance the level of security offered by a perimeter barrier, or in rooms and buildings in place of, or to assist, security staff;
(c)
access control: access control may be exercised over a site, a building or buildings on a site or to areas or rooms within a building. Control may be exercised by electronic or electro-mechanical means, by security personnel and/or a receptionist, or by any other physical means;
(d)
security personnel: trained, supervised and, where necessary, appropriately security-cleared security personnel may be employed, inter alia, in order to deter individuals planning covert intrusion;
(e)
closed circuit television (CCTV): CCTV may be used by security personnel in order to verify incidents and IDS alarms on large sites or at perimeters;
(f)
security lighting: security lighting may be used to deter a potential intruder, as well as to provide the illumination necessary for effective surveillance directly by security personnel or indirectly through a CCTV system; and
(g)
any other appropriate physical measures designed to deter or detect unauthorised access or prevent loss of or damage to EUCI.
5.The competent authority can be authorised to conduct entry and exit searches to act as a deterrent to the unauthorised introduction of material or the unauthorised removal of EUCI from premises or buildings.U.K.
6.When EUCI is at risk from overlooking, even accidentally, appropriate measures shall be taken to counter this risk.U.K.
7.For new facilities, physical security requirements and their functional specifications shall be defined as part of the planning and design of the facilities. For existing facilities, physical security requirements shall be implemented to the maximum extent possible.U.K.
III.EQUIPMENT FOR THE PHYSICAL PROTECTION OF EUCIU.K.
8.When acquiring equipment (such as security containers, shredding machines, door locks, electronic access control systems, IDS, alarm systems) for the physical protection of EUCI, the competent security authority shall ensure that the equipment meets approved technical standards and minimum requirements.U.K.
9.The technical specifications of equipment to be used for the physical protection of EUCI shall be set out in security guidelines to be approved by the Security Committee.U.K.
10.Security systems shall be inspected at regular intervals and equipment shall be maintained regularly. Maintenance work shall take account of the outcome of inspections to ensure that equipment continues to operate at optimum performance.U.K.
11.The effectiveness of individual security measures and of the overall security system shall be re-evaluated during each inspection.U.K.
IV.PHYSICALLY PROTECTED AREASU.K.
12.Two types of physically protected areas, or the national equivalents thereof, shall be established for the physical protection of EUCI:U.K.
(a)
Administrative Areas; and
(b)
Secured Areas (including technically Secured Areas).
In this Decision, all references to Administrative Areas and Secured Areas, including technically Secured Areas, shall be understood as also referring to the national equivalents thereof.
13.The competent security authority shall establish that an area meets the requirements to be designated as an Administrative Area, a Secured Area or a technically Secured Area.U.K.
14.For Administrative Areas:U.K.
(a)
a visibly defined perimeter shall be established which allows individuals and, where possible, vehicles to be checked;
(b)
unescorted access shall be granted only to individuals who are duly authorised by the competent authority; and
(c)
all other individuals shall be escorted at all times or be subject to equivalent controls.
15.For Secured Areas:U.K.
(a)
a visibly defined and protected perimeter shall be established through which all entry and exit are controlled by means of a pass or personal recognition system;
(b)
unescorted access shall be granted only to individuals who are security-cleared and specifically authorised to enter the area on the basis of their need-to-know; and
(c)
all other individuals shall be escorted at all times or be subject to equivalent controls.
16.Where entry into a Secured Area constitutes, for all practical purposes, direct access to the classified information contained in it, the following additional requirements shall apply:U.K.
(a)
the level of highest security classification of the information normally held in the area shall be clearly indicated;
(b)
all visitors shall require specific authorisation to enter the area, shall be escorted at all times and shall be appropriately security cleared unless steps are taken to ensure that no access to EUCI is possible.
17.Secured Areas protected against eavesdropping shall be designated technically Secured Areas. The following additional requirements shall apply:U.K.
(a)
such areas shall be IDS equipped, be locked when not occupied and be guarded when occupied. Any keys shall be controlled in accordance with Section VI;
(b)
all persons and material entering such areas shall be controlled;
(c)
such areas shall be regularly physically and/or technically inspected as required by the competent security authority. Such inspections shall also be conducted following any unauthorised entry or suspicion of such entry; and
(d)
such areas shall be free of unauthorised communication lines, unauthorised telephones or other unauthorised communication devices and electrical or electronic equipment.
18.Notwithstanding point (d) of paragraph 17, before being used in areas where meetings are held or work is being performed involving information classified SECRET UE/EU SECRET and above, and where the threat to EUCI is assessed as high, any communications devices and electrical or electronic equipment shall first be examined by the competent security authority to ensure that no intelligible information can be inadvertently or illicitly transmitted by such equipment beyond the perimeter of the Secured Area.U.K.
19.Secured Areas which are not occupied by duty personnel on a 24-hour basis shall, where appropriate, be inspected at the end of normal working hours and at random intervals outside normal working hours, unless an IDS is in place.U.K.
20.Secured Areas and technically Secured Areas may be set up temporarily within an Administrative Area for a classified meeting or any other similar purpose.U.K.
21.Security operating procedures shall be drawn up for each Secured Area stipulating:U.K.
(a)
the level of EUCI which may be handled and stored in the area;
(b)
the surveillance and protective measures to be maintained;
(c)
the individuals authorised to have unescorted access to the area by virtue of their need-to-know and security clearance;
(d)
where appropriate, the procedures for escorts or for protecting EUCI when authorising any other individuals to access the area; and
(e)
any other relevant measures and procedures.
22.Strong rooms shall be constructed within Secured Areas. The walls, floors, ceilings, windows and lockable doors shall be approved by the competent security authority and afford protection equivalent to a security container approved for the storage of EUCI of the same classification level.U.K.
V.PHYSICAL PROTECTIVE MEASURES FOR HANDLING AND STORING EUCIU.K.
23.EUCI which is classified RESTREINT UE/EU RESTRICTED may be handled:U.K.
(a)
in a Secured Area;
(b)
in an Administrative Area provided the EUCI is protected from access by unauthorised individuals; or
(c)
outside a Secured Area or an Administrative Area provided the holder carries the EUCI in accordance with paragraphs 28 to 41 of Annex III and has undertaken to comply with compensatory measures laid down in security instructions issued by the competent security authority to ensure that EUCI is protected from access by unauthorised persons.
24.EUCI which is classified RESTREINT UE/EU RESTRICTED shall be stored in suitable locked office furniture in an Administrative Area or a Secured Area. It may temporarily be stored outside a Secured Area or an Administrative Area provided the holder has undertaken to comply with compensatory measures laid down in security instructions issued by the competent security authority.U.K.
25.EUCI which is classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET may be handled:U.K.
(a)
in a Secured Area;
(b)
in an Administrative Area provided the EUCI is protected from access by unauthorised individuals; or
(c)
outside a Secured Area or an Administrative Area provided the holder:
(i)
carries the EUCI in accordance with paragraphs 28 to 41 of Annex III;
(ii)
has undertaken to comply with compensatory measures laid down in security instructions issued by the competent security authority to ensure that EUCI is protected from access by unauthorised persons;
(iii)
keeps the EUCI at all times under his personal control; and
(iv)
in the case of documents in paper form, has notified the relevant registry of the fact.
26.EUCI which is classified CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET shall be stored in a Secured Area either in a security container or in a strong room.U.K.
27.EUCI which is classified TRÈS SECRET UE/EU TOP SECRET shall be handled in a Secured Area.U.K.
28.EUCI which is classified TRÈS SECRET UE/EU TOP SECRET shall be stored in a Secured Area under one of the following conditions:U.K.
(a)
in a security container in line with paragraph 8 with at least one of the following supplementary controls:
(i)
continuous protection or verification by cleared security staff or duty personnel;
(ii)
an approved IDS in combination with response security personnel;
(b)
in an IDS-equipped strong room in combination with response security personnel.
29.Rules governing the carriage of EUCI outside physically protected areas are set out in Annex III.U.K.
VI.CONTROL OF KEYS AND COMBINATIONS USED FOR PROTECTING EUCIU.K.
30.The competent security authority shall define procedures for managing keys and combination settings for offices, rooms, strong rooms and security containers. Such procedures shall protect against unauthorised access.U.K.
31.Combination settings shall be committed to memory by the smallest possible number of individuals needing to know them. Combination settings for security containers and strong rooms storing EUCI shall be changed:U.K.
(a)
on receipt of a new container;
(b)
whenever there is a change in personnel knowing the combination;
(c)
whenever a compromise has occurred or is suspected;
(d)
when a lock has undergone maintenance or repair; and
(e)
at least every 12 months.
Options/Help
Print Options
PrintThe Whole Decision
PrintThis Annex only
You have chosen to open the Whole Decision
The Whole Decision you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
You have chosen to open Schedules only
The Schedules you have selected contains over 200 provisions and might take some time to download. You may also experience some issues with your browser, such as an alert box that a script is taking a long time to run.
Would you like to continue?
Legislation is available in different versions:
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As adopted by EU): The original version of the legislation as it stood when it was first adopted in the EU. No changes have been applied to the text.
See additional information alongside the content
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Opening Options
Different options to open legislation in order to view more content on screen at once
More Resources
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as adopted version that was used for the EU Official Journal
- lists of changes made by and/or affecting this legislation item
- all formats of all associated documents
- correction slips
- links to related legislation and further information resources
Timeline of Changes
This timeline shows the different versions taken from EUR-Lex before exit day and during the implementation period as well as any subsequent versions created after the implementation period as a result of changes made by UK legislation.
The dates for the EU versions are taken from the document dates on EUR-Lex and may not always coincide with when the changes came into force for the document.
For any versions created after the implementation period as a result of changes made by UK legislation the date will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. For further information see our guide to revised legislation on Understanding Legislation.
More Resources
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as adopted version that was used for the print copy
- correction slips
Click 'View More' or select 'More Resources' tab for additional information including:
- lists of changes made by and/or affecting this legislation item
- confers power and blanket amendment details
- all formats of all associated documents
- links to related legislation and further information resources
All content is available under the Open Government Licence v3.0 except where otherwise stated. This site additionally contains content derived from EUR-Lex, reused under the terms of the Commission Decision 2011/833/EU on the reuse of documents from the EU institutions. For more information see the EUR-Lex public statement on re-use.