Council Decision of 23 September 2013 on the security rules for protecting EU classified information (2013/488/EU)

Article 10U.K.Protection of EUCI handled in communication and information systems

1.Information Assurance (IA) in the field of communication and information systems is the confidence that such systems will protect the information they handle and will function as they need to, when they need to, under the control of legitimate users. Effective IA shall ensure appropriate levels of confidentiality, integrity, availability, non-repudiation and authenticity. IA shall be based on a risk management process.

2.‘Communication and Information System’ (CIS) means any system enabling the handling of information in electronic form. A CIS shall comprise the entire assets required for it to operate, including the infrastructure, organisation, personnel and information resources. This Decision shall apply to CIS handling EUCI.

3.CIS shall handle EUCI in accordance with the concept of IA.

4.All CIS shall undergo an accreditation process. Accreditation shall aim at obtaining assurance that all appropriate security measures have been implemented and that a sufficient level of protection of the EUCI and of the CIS has been achieved in accordance with this Decision. The accreditation statement shall determine the maximum classification level of the information that may be handled in a CIS as well as the corresponding terms and conditions.

5.Security measures shall be implemented to protect CIS handling information classified CONFIDENTIEL UE/EU CONFIDENTIAL and above against compromise of such information through unintentional electromagnetic emanations (‘TEMPEST security measures’). Such security measures shall be commensurate with the risk of exploitation and the level of classification of the information.

6.Where the protection of EUCI is provided by cryptographic products, such products shall be approved as follows:

(a)the confidentiality of information classified SECRET UE/EU SECRET and above shall be protected by cryptographic products approved by the Council as Crypto Approval Authority (CAA), upon recommendation by the Security Committee;

(b)the confidentiality of information classified CONFIDENTIEL UE/EU CONFIDENTIAL or RESTREINT UE/EU RESTRICTED shall be protected by cryptographic products approved by the Secretary-General of the Council (‘the Secretary-General’) as CAA, upon recommendation by the Security Committee.

Notwithstanding point (b), within Member States’ national systems, the confidentiality of EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or RESTREINT UE/EU RESTRICTED may be protected by cryptographic products approved by a Member State’s CAA.

7.During transmission of EUCI by electronic means, approved cryptographic products shall be used. Notwithstanding this requirement, specific procedures may be applied under emergency circumstances or specific technical configurations as specified in Annex IV.

8.The competent authorities of the GSC and of the Member States respectively shall establish the following IA functions:

(a)an IA Authority (IAA);

(b)a TEMPEST Authority (TA);

(c)a Crypto Approval Authority (CAA);

(d)a Crypto Distribution Authority (CDA).

9.For each system, the competent authorities of the GSC and of the Member States respectively shall establish:

(a)a Security Accreditation Authority (SAA);

(b)an IA Operational Authority.

10.Provisions for implementing this Article are set out in Annex IV.