CHAPTER 1 BASIC PRINCIPLES AND MINIMUM STANDARDS

Article 1 Definitions

For the purpose of this Decision, the following definitions shall apply:

(1) ‘Commission department’ means any Commission Directorate-General or service, or any Cabinet of a Member of the Commission;

(2) ‘cryptographic (Crypto) material’ means cryptographic algorithms, cryptographic hardware and software modules, and products including implementation details and associated documentation and keying material;

(3) ‘declassification’ means the removal of any security classification;

(4) ‘defence in depth’ means the application of a range of security measures organised as multiple layers of defence;

(5) ‘document’ means any recorded information regardless of its physical form or characteristics;

(6) ‘downgrading’ means a reduction in the level of security classification;

(7) ‘handling’ of EUCI means all possible actions to which EUCI may be subject throughout its life-cycle. It comprises its creation, registration, processing, carriage, downgrading, declassification and destruction. In relation to Communication and Information Systems (CIS) it also comprises its collection, display, transmission and storage;

(8) ‘holder’ means a duly authorised individual with an established need-to-know who is in possession of an item of EUCI and is accordingly responsible for protecting it;

(9) ‘implementing rules’ means any set of rules or security notices adopted in accordance with Chapter 5 of Commission Decision (EU, Euratom) 2015/443 (1);

(10) ‘material’ means any medium, data carrier or item of machinery or equipment, either manufactured or in the process of manufacture;

(11) ‘originator’ means the Union institution, agency or body, Member State, third state or international organisation under whose authority classified information has been created and/or introduced into the Union's structures;

(12) ‘premises’ means any immovable or assimilated property and possessions of the Commission;

(13) ‘security risk management process’ means the entire process of identifying, controlling and minimising uncertain events that may affect the security of an organisation or of any of the systems it uses. It covers the entirety of risk-related activities, including assessment, treatment, acceptance and communication;

(14) ‘Staff Regulations’ means the Staff Regulations of officials of the European Union and the Conditions of Employment of other servants of the European Union, as laid down by Regulation (EEC, Euratom, ECSC) No 259/68 of the Council (2);

(15) ‘threat’ means a potential cause of an unwanted incident which may result in harm to an organisation or any of the systems it uses; such threats may be accidental or deliberate (malicious) and are characterised by threatening elements, potential targets and attack methods;

(16) ‘vulnerability’ means a weakness of any nature that can be exploited by one or more threats. A vulnerability may be an omission or it may relate to a weakness in controls in terms of their strength, completeness or consistency and may be of a technical, procedural, physical, organisational or operational nature.

Footnotes:

(1) Commission Decision (EU, Euratom) 2015/443 of 13 March 2015 on Security in the Commission (See page 41 of this Official Journal).

(2) Regulation (EEC, Euratom, ECSC) No 259/68 of the Council of 29 February 1968 laying down the Staff Regulations of Officials and the Conditions of Employment of Other Servants of the European Communities and instituting special measures temporarily applicable to officials of the Commission (Conditions of Employment of Other Servants) (OJ L 56, 4.3.1968, p. 1).