CHAPTER 1 BASIC PRINCIPLES AND MINIMUM STANDARDS
Article 1Definitions
Article 2Subject matter and scope
Article 3Definition of EUCI, security classifications and markings
Article 4Classification management
Article 5Protection of classified information
Article 6Security risk management
Article 7Implementation of this Decision
Article 8Breaches of security and compromise of EUCI
CHAPTER 2 PERSONNEL SECURITY
Article 9Definitions
Article 10Basic Principles
Article 11Security authorisation procedure
Article 12Security authorisation briefings
Article 13Temporary security authorisations
Article 14Attendance at classified meetings organised by the Commission
Article 15Potential Access to EUCI
CHAPTER 3 PHYSICAL SECURITY AIMED AT PROTECTING CLASSIFIED INFORMATION
Article 16Basic principles
Article 17Physical security requirements and measures
Article 18Equipment for the physical protection of EUCI
Article 19Physical protective measures for handling and storing EUCI
Article 20Management of keys and combinations used for protecting EUCI
CHAPTER 4 MANAGEMENT OF EU CLASSIFIED INFORMATION
Article 21Basic principles
Article 22Classifications and markings
Article 23Markings
Article 24Abbreviated classification markings
Article 25Creation of EUCI
Article 26Downgrading and declassification of EUCI
Article 27EUCI registry system in the Commission
Article 28Registry control officer
Article 29Registration of EUCI for security purposes
Article 30Copying and translating EU classified documents
Article 31Carriage of EUCI
Article 32Destruction of EUCI
Article 33Destruction of EUCI in emergencies
CHAPTER 5 PROTECTION OF EU CLASSIFIED INFORMATION IN COMMUNICATION AND INFORMATION SYSTEMS (CIS)
Article 34Basic principles of Information Assurance
Article 35Definitions
Article 36CIS handling EUCI
Article 37Accreditation of CIS handling EUCI
Article 38Emergency circumstances
CHAPTER 6 INDUSTRIAL SECURITY
Article 39Basic principles
Article 40Definitions
Article 41Procedure for classified contracts or grant agreements
Article 42Security elements in a classified contract or grant agreement
Article 43Access to EUCI for contractors' and beneficiaries' staff
Article 44Facility security clearance
Article 45Provisions for classified contracts and grant agreements
Article 46Specific provisions for classified contracts
Article 47Visits in connection with classified contracts
Article 48Transmission and carriage of EUCI in connection with classified contracts or classified grant agreements
Article 49Transfer of EUCI to contractors or grant beneficiaries located in third states
Article 50Handling of information classified RESTREINT UE/EU RESTRICTED in the context of classified contracts or classified grant agreements
CHAPTER 7 EXCHANGE OF CLASSIFIED INFORMATION WITH OTHER UNION INSTITUTIONS, AGENCIES, BODIES AND OFFICES, WITH MEMBER STATES, AND WITH THIRD STATES AND INTERNATIONAL ORGANISATIONS
Article 51Basic principles
Article 52Exchange of EUCI with other Union institutions, agencies, bodies and offices
Article 53Exchange of EUCI with Member States
Article 54Exchange of EUCI with third States and international organisations
Article 55Security of information agreements
Article 56Administrative arrangements
Article 57Exceptional ad hoc release of EUCI
CHAPTER 8 FINAL PROVISIONS
Article 58Replacement of previous decision
Article 59Classified information created before the entry into force of this Decision
Article 60Implementing rules and security notices
Article 61Entry into force
ANNEX I EQUIVALENCE OF SECURITY CLASSIFICATIONS
ANNEX II LIST OF ABBREVIATIONS
ANNEX III LIST OF NATIONAL SECURITY AUTHORITIES
BELGIUM
BULGARIA
CZECH REPUBLIC
DENMARK
GERMANY
ESTONIA
GREECE
SPAIN
FRANCE
CROATIA
IRELAND
ITALY
CYPRUS
LATVIA
LITHUANIA
LUXEMBOURG
HUNGARY
MALTA
NETHERLANDS
AUSTRIA
POLAND
PORTUGAL
ROMANIA
SLOVENIA
SLOVAKIA
FINLAND
SWEDEN
UNITED KINGDOM

Commission Decision (EU, Euratom) 2015/444

of 13 March 2015

on the security rules for protecting EU classified information

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union, and in particular Article 249 thereof,

Having regard to the Treaty establishing the European Atomic Energy Community, and in particular Article 106 thereof,

Having regard to the Protocol No 7 on the Privileges and Immunities of the European Union annexed to the Treaties, and in particular Article 18 thereof,

Whereas:

(1)

The Commission's security provisions regarding the protection of European Union Classified Information (EUCI) need to be reviewed and updated, taking into account institutional, organisational, operational and technological developments.

(2)
The European Commission has entered into instruments on security matters for its principal sites with the governments of Belgium, Luxembourg and Italy1
(3)

The Commission, the Council and the European External Action Service are committed to applying equivalent security standards for protecting EUCI.

(4)

It is important that, where appropriate, the European Parliament and other Union institutions, agencies, bodies or offices, are associated with the principles, standards and rules for protecting classified information which are necessary in order to protect the interests of the Union and its Member States.

(5)

Risk to EUCI shall be managed as a process. This process shall be aimed at determining known security risks, defining security measures to reduce such risks to an acceptable level in accordance with the basic principles and minimum standards set out in this Decision and at applying these measures in line with the concept of defence in depth. The effectiveness of such measures shall be continuously evaluated.

(6)

Within the Commission, physical security aimed at protecting classified information is the application of physical and technical protective measures intended to prevent unauthorised access to EUCI.

(7)
The management of EUCI is the application of administrative measures for controlling EUCI throughout its life-cycle to supplement the measures provided for in Chapters 2, 3 and 5 of this Decision and thereby help deter, detect and recover from deliberate or accidental compromise or loss of such information. Such measures relate in particular to the creation, storage, registration, copying, translation, downgrading, declassification, carriage and destruction of EUCI and they supplement the general rules on document management of the Commission (Decisions 2002/47/EC2, ECSC, Euratom and 2004/563/EC, Euratom3).
(8)The provision of this Decision shall be without prejudice to:
  1. (a)
    Regulation (Euratom) No 34;
  2. (b)
    Regulation (EC) No 1049/2001 of the European Parliament and of the Council5;
  3. (c)
    Regulation (EC) No 45/2001 of the European Parliament and of the Council6;
  4. (d)
    Council Regulation (EEC, Euratom) No 354/837,

HAS ADOPTED THIS DECISION: