The contracting authority shall ensure that all decisions related to EUCI transfer and carriage are in accordance with Decision (EU, Euratom) 2015/444 and its implementing rules, and with the terms of the classified contract, including the consent of the originator.
1.Electronic handling and transmission of EUCI shall be carried out in accordance with Chapters 5 and 6 of Decision (EU, Euratom) 2015/444 and its implementing rules.
The communication and information systems owned by a contractor and used to handle EUCI for the performance of the contract (‘contractor CIS’) shall be subject to accreditation by the responsible security accreditation authority (SAA). Any electronic transmission of EUCI shall be protected by cryptographic products approved in accordance with Article 36(4) of Decision (EU, Euratom) 2015/444. TEMPEST measures shall be implemented in accordance with Article 36(6) of that Decision.
2.The security accreditation of contractor CIS handling EUCI at RESTREINT UE/EU RESTRICTED level and any interconnection thereof may be delegated to the security officer of a contractor if this is permitted by national laws and regulations. Where that task is delegated, the contractor shall be responsible for implementing the minimum security requirements described in the SAL when handling RESTREINT UE/EU RESTRICTED information on its CIS. However, the relevant NSAs/DSAs and SAAs retain responsibility for the protection of RESTREINT UE/EU RESTRICTED information handled by the contractor and the right to inspect the security measures taken by the contractors. In addition, the contractor shall provide to the contracting authority and, where required by national laws and regulations, the competent national SAA, a statement of compliance certifying that the contractor CIS and related interconnections have been accredited for handling EUCI at RESTREINT UE/EU RESTRICTED level(1).
The transport of EUCI by commercial couriers shall abide by the relevant provisions of Commission decisions on implementing rules for handling RESTREINT UE/EU RESTRICTED information and CONFIDENTIEL UE/EU CONFIDENTIAL information.
1.The carriage of classified information by hand shall be subject to strict security requirements.
2.RESTREINT UE/EU RESTRICTED information may be hand carried by contractor personnel within the EU, provided the following requirements are met:
(a)the envelope or packaging used is opaque and bears no indication of the classification of its contents;
(b)the classified information does not leave the possession of the bearer;
(c)the envelope or packaging is not opened en route.
3.For information classified CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET, hand carriage by contractor personnel within an EU Member State is arranged in advance between the sending and receiving entities. The dispatching authority or facility informs the receiving authority or facility of the details of the consignment, including reference, classification, expected time of arrival and name of courier. Such hand carriage is permitted, provided the following requirements are met:
(a)the classified information is carried in a double envelope or packaging;
(b)the outer envelope or packaging is secured and bears no indication of the classification of its contents, while the inner envelope bears the level of classification;
(c)EUCI does not leave the possession of the bearer;
(d)the envelope or packaging is not opened en route;
(e)the envelope or packaging is carried in a lockable briefcase or similar approved container of such size and weight that it can be retained at all times in the personal possession of the bearer and not be consigned to a baggage hold;
(f)the courier carries a courier certificate issued by his/her competent security authority authorising the courier to carry the classified consignment as identified.
4.For hand carriage by contractor personnel of information classified CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET from one EU Member State to another, the following additional rules shall apply:
(a)the courier shall be responsible for the safe custody of the classified material carried until it is handed over to the recipient;
(b)in the event of a security breach, the sender's NSA/DSA may request that the authorities in the country where the breach occurred carry out an investigation, report their findings and take legal or other action as appropriate;
(c)the courier shall have been briefed on all the security obligations to be observed during carriage and shall have signed an appropriate acknowledgement;
(d)the instructions for the courier shall be attached to the courier certificate;
(e)the courier shall have been provided with a description of the consignment and an itinerary;
(f)the documents shall be returned to the issuing NSA/DSA upon completion of the journey(s) or be kept available by the recipient for monitoring purposes;
(g)if customs, immigration authorities or border police ask to examine and inspect the consignment, they shall be permitted to open and observe sufficient parts of the consignment so as to establish that it contains no material other than that which is declared;
(h)customs authorities should be urged to honour the official authority of the shipping documents and of the authorisation documents carried by the courier.
If a consignment is opened by customs, this should be done out of sight of unauthorised persons and in the presence of the courier where possible. The courier shall request that the consignment be repacked and shall ask the authorities conducting the inspection to reseal the consignment and confirm in writing that it was opened by them.
5.Hand carriage by contractor personnel of information classified RESTREINT UE/EU RESTRICTED, CONFIDENTIEL UE/EU CONFIDENTIAL and SECRET UE/EU SECRET to a third country or an international organisation will be subject to provisions of the security of information agreement or the administrative arrangement concluded between, respectively, the European Union or the Commission and that third country or international organisation.
The minimum requirements for communication and information systems handling EUCI at RESTREINT UE/EU RESTRICTED level are laid down in Annex III, Appendix E.