http://www.legislation.gov.uk/id/eudn/2015/444

CHAPTER 3PHYSICAL SECURITY AIMED AT PROTECTING CLASSIFIED INFORMATION

Article 18Equipment for the physical protection of EUCI

1.

Two types of physically protected areas shall be established for the physical protection of EUCI:

(a)

Administrative Areas; and

(b)

Secured Areas (including technically Secured Areas).

2.

The Commission Security Accreditation Authority shall establish that an area meets the requirements to be designated as an Administrative Area, a Secured Area or a technically Secured Area.

3.

For Administrative Areas:

(a)

a visibly defined perimeter shall be established which allows individuals and, where possible, vehicles to be checked;

(b)

unescorted access shall be granted only to individuals who are duly authorised by the Commission Security Authority or any other competent authority; and

(c)

all other individuals shall be escorted at all times or be subject to equivalent controls.

4.

For Secured Areas:

(a)

a visibly defined and protected perimeter shall be established through which all entry and exit is controlled by means of a pass or personal recognition system;

(b)

unescorted access shall be granted only to individuals who are security-cleared and specifically authorised to enter the area on the basis of their need-to-know;

(c)

all other individuals shall be escorted at all times or be subject to equivalent controls.

5.

Where entry into a Secured Area constitutes, for all practical purposes, direct access to the classified information contained in it, the following additional requirements shall apply:

(a)

the level of highest security classification of the information normally held in the area shall be clearly indicated;

(b)

all visitors shall require specific authorisation to enter the area, shall be escorted at all times and shall be appropriately security cleared unless steps are taken to ensure that no access to EUCI is possible.

6.

Secured Areas protected against eavesdropping shall be designated technically Secured Areas. The following additional requirements shall apply:

(a)

such areas shall be equipped with an Intrusion Detection System (‘IDS’), be locked when not occupied and be guarded when occupied. Any keys shall be managed in accordance with Article 20;

(b)

all persons and material entering such areas shall be controlled;

(c)

such areas shall be regularly physically and/or technically inspected by the Commission Security Authority. Such inspections shall also be conducted following any unauthorised entry or suspicion of such entry; and

(d)

such areas shall be free of unauthorised communication lines, unauthorised telephones or other unauthorised communication devices and electrical or electronic equipment.

7.

Notwithstanding point (d) of paragraph 6, before being used in areas where meetings are held or work is being performed involving information classified SECRET UE/EU SECRET and above, and where the threat to EUCI is assessed as high, any communications devices and electrical or electronic equipment shall first be examined by the Commission Security Authority to ensure that no intelligible information can be inadvertently or illicitly transmitted by such equipment beyond the perimeter of the Secured Area.

8.

Secured Areas which are not occupied by duty personnel on a 24-hour basis shall, where appropriate, be inspected at the end of normal working hours and at random intervals outside normal working hours, unless an IDS is in place.

9.

Secured Areas and technically Secured Areas may be set up temporarily within an Administrative Area for a classified meeting or any other similar purpose.

10.

The LSO of the Commission department concerned shall draw up Security Operating Procedures (SecOPs) for each Secured Area under his responsibility stipulating, in accordance with the provisions of this Decision and its implementing rules:

(a)

the level of EUCI which may be handled and stored in the area;

(b)

the surveillance and protective measures to be maintained;

(c)

the individuals authorised to have unescorted access to the area by virtue of their need-to-know and security authorisation;

(d)

where appropriate, the procedures for escorts or for protecting EUCI when authorising any other individuals to access the area;

(e)

any other relevant measures and procedures.

11.

Strong rooms shall be constructed within Secured Areas. The walls, floors, ceilings, windows and lockable doors shall be approved by the Commission Security Authority and afford protection equivalent to a security container approved for the storage of EUCI of the same classification level.