1.When letting a classified contract, the contracting authority, together with the Commission security authority, shall ensure that the contractor's obligations regarding the protection of EUCI provided to that contractor or generated in the performance of the contract are an integral part of the contract. Contract-specific security requirements shall take the form of a security aspects letter (SAL). A sample template of a SAL is set out in Annex III.
2.Before signing a classified contract, the contracting authority shall prepare, after consulting the Commission security authority, a security classification guide (SCG) for the tasks to be performed and information generated in the performance of the contract, or at programme or project level, where applicable. The SCG shall be part of the SAL.
3.Programme or project-specific security requirements shall take the form of a programme (or project) security instruction (PSI). The PSI may be drafted using the provisions of the SAL template as set out in Annex III. The PSI shall be developed by the Commission department managing the programme or project, in close cooperation with the Commission security authority, and submitted for advice to the Commission Security Expert Group. Where a contract is part of a programme or project with its own PSI, the SAL of the contract shall have a simplified form and shall include reference to the security provisions set out in the PSI of the programme or project.
4.The contracting authority shall be considered the originator of classified information created and handled for the performance of the contract.
5.The contracting authority, through the Commission security authority, shall notify the NSAs/DSAs of all contractors and subcontractors about the conclusion of classified contracts or subcontracts and any extensions or early terminations of such contracts or subcontracts. A list of country requirements is provided in Annex IV.
6.Contracts involving information classified RESTREINT UE/EU RESTRICTED shall include a contract security clause making the provisions set out in Annex III, Appendix E binding upon the contractor. Those contracts shall include an SAL setting out, as a minimum, the requirements for handling RESTREINT UE/EU RESTRICTED information including information assurance aspects and specific requirements to be fulfilled by the contractor under delegation from the contracting authority for the accreditation of the contractor's CIS handling RESTREINT UE/EU RESTRICTED information.
7.Where RESTREINT UE/EU RESTRICTED information is provided to tenderers or to potential contractors, the minimum requirements mentioned in paragraph 6 shall be included in tenders or in relevant non-disclosure arrangements concluded at the tender stage.
8.Where this is required by Member States' national laws and regulations, NSAs/DSAs ensure that contractors or subcontractors under their jurisdiction comply with the applicable security provisions for the protection of RESTREINT UE/EU RESTRICTED information and conduct verification visits to contractors' facilities located in their territory. Where the NSA/DSA is not under such an obligation, the contracting authority shall ensure that the contractor implements the required security provisions set out in Annex III.
1.The Commission department, as contracting authority, shall ensure that classified contracts include provisions indicating that personnel of a contractor or subcontractor who, for the performance of the classified contract or subcontract, require access to EUCI may be granted such access only if:
(a)it has been established that they have a need-to-know;
(b)for information classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET, they have been granted a PSC at the relevant level by the respective NSA/DSA or any other competent security authority;
(c)they have been briefed on the applicable security rules for protecting EUCI, and have acknowledged their responsibilities with regard to protecting such information.
2.If a contractor or subcontractor wishes to employ a national of a non-EU country in a position that requires access to EUCI classified CONFIDENTIEL UE/EU CONFIDENTIAL or SECRET UE/EU SECRET, it is the responsibility of the contractor or subcontractor to initiate the security clearance procedure of such a person in accordance with national laws and regulations applicable at the location where access to the EUCI is to be granted.