CHAPTER 3
PHYSICAL SECURITY AIMED AT PROTECTING CLASSIFIED INFORMATION

Article 17
Physical security requirements and measures

1. Physical security measures shall be selected on the basis of a threat assessment made by the Commission Security Authority, where appropriate in consultation with other Commission departments, other Union institutions, agencies or bodies and/or competent authorities in the Member States. The Commission shall apply a risk management process for protecting EUCI on its premises to ensure that a commensurate level of physical protection is afforded against the assessed risk. The risk management process shall take account of all relevant factors, in particular:

(a) the classification level of EUCI;

(b) the form and volume of EUCI, bearing in mind that large quantities or a compilation of EUCI may require more stringent protective measures to be applied;

(c) the surrounding environment and structure of the buildings or areas housing EUCI; and

(d) the assessed threat from intelligence services which target the Union, its institutions, bodies or agencies, or the Member States and from sabotage, terrorist, subversive or other criminal activities.

2. The Commission Security Authority, applying the concept of defence in depth, shall determine the appropriate combination of physical security measures to be implemented. To that effect, the Commission Security Authority shall develop minimum standards, norms and criteria, set out in implementing rules.

3. The Commission Security Authority is authorised to conduct entry and exit searches to act as a deterrent to the unauthorised introduction of material or the unauthorised removal of EUCI from premises or buildings.

4. When EUCI is at risk of being overlooked, even accidentally, the Commission departments concerned shall take the appropriate measures, as defined by the Commission Security Authority, to counter this risk.

5. For new facilities, physical security requirements and their functional specifications shall be defined in consent with the Commission Security Authority as part of the planning and design of the facilities. For existing facilities, physical security requirements shall be implemented in accordance with the minimum standards, norms and criteria set out in implementing rules.