Article 1U.K.

The Rules of Procedure of the Joint Committee, as set out in the Annex to this Decision, are hereby adopted.

Article 2U.K.

This Decision shall enter into force on the date of its adoption.

ANNEXU.K.Rules of procedure of the Joint Committee established by the Agreement between the European Union and the Kingdom of Norway on administrative cooperation, combating fraud and recovery of claims in the field of value added tax

Article 1U.K.Composition and chairmanship

1.The Joint Committee shall be composed of representatives of the European Union and of the Kingdom of Norway (hereinafter referred to collectively as ‘the Parties’).

2.The European Union (‘the Union’) shall be represented by the European Commission. The Kingdom of Norway shall be represented by […].

3.The Joint Committee shall be chaired alternately by each of the Parties for two calendar years. The first period ends on 31 December of the year following the year of the entry into force of the Agreement. The first chair will be the Union.

Article 2U.K.Observers and experts

1.Representatives of the Member States of the Union may participate as observers.

2.The Joint Committee may also admit other persons to its meetings as observers.

3.Observers may be permitted by the chair to take part in the discussions and provide expertise. However, they shall not have voting rights and shall not participate in the formulation of the decisions and recommendations of the Joint Committee.

4.Experts with special expertise may also be invited with regard to specific agenda items.

Article 3U.K.Convening a meeting

1.Meetings of the Joint Committee shall be convened by the chair at least once every two years. Either Party may request that a meeting be convened.

2.The date and place of each meeting shall be determined and agreed between the Parties.

3.Meetings may also be held by means of teleconferencing/videoconferencing.

4.The chair shall communicate the invitation to the other Party, the observers referred to in Article 2(2) and the experts referred to in Article 2(4) at least 15 working days before the meeting. The European Commission shall invite the representatives of the Member States of the Union referred to in Article 2(1).

5.The meetings shall not be public unless otherwise agreed. The Joint Committee's deliberations shall be confidential.

Article 4U.K.Agenda

1.The chair shall draw up the provisional agenda for each meeting and submit it to the Parties no later than six months before the meeting. The final agenda shall be agreed between the Parties no later than 15 working days before the meeting and circulated by the chair.

2.Reference papers and supporting documentation shall be sent to the Parties no later than by the date on which the provisional agenda is sent.

3.For agenda items referring to decisions of the Joint Committee, the request for inclusion in the agenda and any related documents shall be sent to the Joint Committee at least seven months in advance of the meeting.

Article 5U.K.Secretarial support

1.The chair shall carry out the secretarial tasks of the Joint Committee. All correspondence to the Joint Committee, including requests for items to be included or removed from the agendas, shall be addressed to the chair.

2.Notwithstanding paragraph 1 of this Article, the Commission shall act as secretary for the communication of statistical data provided under Articles 20 and 39 of the Agreement.

Article 6U.K.Minutes of the meeting

1.The chair shall draft the minutes of each meeting. The chair shall circulate the minutes without delay and no later than one month after the meeting. The minutes shall be subject to mutual agreement between the Parties.

2.The chair shall send the adopted minutes to the other Party.

Article 7U.K.Adoption of decisions and recommendations

1.Any decisions and recommendations of the Joint Committee shall be subject to prior discussion between the Parties.

2.Decisions and recommendations of the Joint Committee shall be adopted during its meetings by unanimity.

3.Decisions or recommendations may be adopted by written procedure provided that both Parties agree.

Under the written procedure, the chair shall send draft decisions and recommendations to the Parties and shall lay down a time limit for them to express their position. If neither Party opposes a draft decision or recommendation before the expiry of that time limit, the adoption of that decision or recommendation shall be regarded as having been tacitly agreed to.

The chair shall inform the Parties of the outcome of the written procedure without delay, and no later than 14 calendar days after the expiry of the time limit referred to in the second subparagraph.

Article 8U.K.Expenses

Each Party, and when applicable each observer and expert, shall bear the expenses it incurs in taking part in the meetings of the Joint Committee.

Article 1U.K.Standard forms for the communication of information

Pursuant to Articles 21(1) and 40(1) of the Agreement, for the communication of information under Titles II and III of the Agreement, the competent authorities shall make use of the standard forms adopted for the implementation of Regulation (EU) No 904/2010 and Directive 2010/24/EU.

The structure and layout of the standard forms may be adapted to any new requirements and capabilities of the communication and information exchange systems, provided that the data and information contained therein are not substantially altered.

Article 2U.K.Transmission of information via the CCN/CSI network

All information communicated pursuant to Titles II and III of the Agreement shall be transmitted only by electronic means via the Common Communication Network / Common System Interface (CCN/CSI) network, unless this is impracticable for technical reasons.

Article 3U.K.Organisation of contacts between central liaison offices and liaison departments

1.In order to organise contacts between the central liaison offices and liaison departments referred to in point (b) of Article 4(2) and point (b) of Article 4(3) of the Agreement, the competent authorities shall make use of the rules adopted for the implementation of Directive 2010/24/EU.

2.The central liaison offices designated pursuant to Article 4(2) of the Agreement shall keep the list of liaison departments and competent officials designated pursuant to Article 4(3) and (4) up-to-date and make it available to the other central liaison offices via electronic means.

Article 4U.K.

This Decision shall enter into force on the date of its adoption.

Article 1U.K.

1.The service level agreements set out in Annexes I and II to this Decision shall be concluded between the European Commission, representing the European Union, and the Kingdom of Norway and shall be binding on the Parties to the Agreement from the day following their approval by the Joint Committee.

2.Either Party to the Agreement may request a revision of the service level agreements by sending a request to the chair of the Joint Committee. Until the Joint Committee decides on the proposed changes, the provisions of the last concluded version of the relevant service level agreement will remain in force.

Article 2U.K.

This Decision shall enter into force on the date of its adoption.

ANNEX IU.K.Service Level Agreement for the systems and the applications for administrative cooperation and recovery of claims in the area of VAT

1.APPLICABLE ACTS AND REFERENCE DOCUMENTSU.K.

1.1.APPLICABLE ACTSU.K.

This Service Level Agreement (‘SLA’) takes into account the list of agreements and applicable decisions listed below.

1.2.REFERENCE DOCUMENTSU.K.

This SLA takes into account the information provided in the following reference documents. Applicable versions of the documents are published on CIRCABC or ITSM Web Portal.

2.TERMINOLOGYU.K.

2.1.ACRONYMSU.K.

2.2.DEFINITIONSU.K.

3.INTRODUCTIONU.K.

This document consists of a SLA between the Kingdom of Norway (‘Norway’) and the European Commission (‘the Commission’), collectively referred as ‘the Parties to the SLA’.

3.1.SCOPE OF THE SLAU.K.

Article 5 of the Agreement specifies that ‘A service level agreement ensuring the technical quality and quantity of the services for the functioning of the communication and information exchange systems shall be concluded’.

This SLA sets out the relationship between Norway and the Commission concerning the use of the systems and applications for administrative cooperation and recovery of claims in the area of VAT, and between Norway and the Member States concerning the exchange of forms.

The following systems are operational and are subject to the terms of the SLA:

• Exchange of Forms (EoF);

• Monitoring, statistics and testing.

The Commission steers the process to achieve agreement for the administrative cooperation by means of information technology. This involves standards, procedures, tools, technology and infrastructure. Assistance to Norway is provided to ensure data exchange systems are available and are properly implemented. The monitoring, supervision and evaluation of the overall system is also provided by the Commission. Furthermore the Commission provides Norway with guidelines to be respected in relation to this exchange of information.

All targets referred to in the SLA will be applicable under normal working conditions only.

In case of events of force majeure, the applicability of the SLA for Norway will be suspended for the duration of these force majeure conditions.

Force majeure represents an unpredictable event or occurrence outside the control of Norway or the Commission, and which is not attributable to any act or failure to take preventive action by the responsible Party. Such events shall refer to government actions, war, fire, explosion, flood, import or export regulations or embargoes and labour disputes.

The Party invoking the force majeure shall inform the other Party without delay about the impossibility to provide services or to accomplish the SLA targets due to force majeure incidents, setting out the affected services and targets. When the incidence of force majeure has ceased the affected Party shall likewise inform the other Party without delay.

3.2.AGREEMENT PERIODU.K.

The SLA is binding on the Parties from the day following its approval by the Joint Committee established by Article 41 of the Agreement (‘the Joint Committee’).

4.RESPONSIBILITIESU.K.

The purpose of this SLA is to ensure the quality and quantity of the services to be delivered by the Commission and by Norway in order to make the specified systems and applications for administrative cooperation and recovery of claims in the area of VAT available to Norway and to the Commission.

4.1.SERVICES PROVIDED BY THE COMMISSION TO NORWAYU.K.

The Commission shall make the following services available:

• Operational services as follows:

  • Helpdesk and operations:

    (a)

    Helpdesk Support;

    (b)

    Incident Handling;

    (c)

    Monitoring and Notification;

    (d)

    Training;

    (e)

    Security Management;

    (f)

    Reporting and statistics;

    (g)

    Consulting.

  • Reference centre:

    (a)

    Information management;

    (b)

    Documentation centre (CIRCABC).

In order to provide these services, the Commission shall maintain the following applications:

• Statistical applications;

• CIRCABC;

• Service desk tool.

4.2.SERVICES PROVIDED BY NORWAY TO COMMISSIONU.K.

Norway shall do the following:

• communicate to the Commission any available information relevant to their application of the Agreement;

• communicate to the Commission any exceptional conditions;

• provide annually the statistics regarding the communication of information set out in Article 20 of the Agreement.

5.SERVICE LEVEL REVIEWU.K.

This chapter provides a detailed description of the quantitative and qualitative aspects of the services to be provided by the Commission and by Norway as described above.

5.1.COMMISSION SERVICE LEVELSU.K.

5.1.1.Service deskU.K.

5.1.1.1.AgreementU.K.

The Commission shall make available a Service Desk in order to respond to any questions and to report any problems which Norway experiences with the systems and applications for administrative cooperation and recovery of claims in the area of VAT or any component that could affect them. This Service Desk will be operated by ITSM and its operating hours shall be the same as the ITSM working hours.

The availability of the ITSM Service Desk shall be ensured in at least 95 % of the operating hours. All questions or problems can be communicated to the service desk during the ITSM working hours by telephone, fax or e-mail and outside those working hours by e-mail or fax message. Where these questions or problems are sent outside the working hours of the ITSM they shall be automatically deemed to have arrived at 8:00 CET on the next working day.

The Service Desk shall register and classify the service calls in a Service Management Tool and shall inform the reporting Party of any change in status regarding their service calls.

The ITSM shall deliver a first line support to the users and shall dispatch any service call, which is the responsibility of another party (e.g. developer's team, ITSM contractors) within the specified time. ITSM shall ensure compliance with the registration deadlines in at least 95 % of the cases occurring over a reporting month.

The ITSM shall monitor the resolution procedure for all service calls and shall start an escalation procedure by informing the Commission where the resolution period exceeds a predefined threshold, which will depend on the type of problem.

The priority level shall determine both the response and the resolution times. This is set by ITSM, but Member States or the Commission may require a specific priority level.

The registration time is the maximum time interval that is allowed to pass between the time of the receipt of the email and the sending of the acknowledgment email.

The resolution time is the time interval between the registration of the incident and the resolution information being sent to the issuer. This also includes the time involved in closing the incident.

These shall not be absolute deadlines as they take into account only the time when ITSM acts on the service call. When a service call is dispatched to Norway, the Commission or another party (e.g. developer's team, ITSM contractors) then this time does not form part of the resolution time of ITSM.

ITSM shall ensure the compliance with the registration and resolution deadlines in at least 95 % of the cases occurring over a reporting month.

5.1.1.2.ReportingU.K.

The Commission shall report on all service calls related to the systems and applications for administrative cooperation and recovery of claims in the area of VAT as follows:

• all the service calls closed during the month for Norway;

• all the service calls created during the month for Norway;

• all the service calls pending at the reporting date and time for Norway.

5.1.2.Statistical ServiceU.K.

5.1.2.1.AgreementU.K.

The Commission shall generate statistics about the number of exchanged forms in the VAT and recovery domain using CCN/Mail, which are available on the ITSM Web portal.

5.1.2.2.ReportingU.K.

The Commission shall produce a report on the conformance test reports, where applicable, and shall make them available to Norway.

5.1.3.Exchange of FormsU.K.

5.1.3.1.AgreementU.K.

The following table illustrates the maximum transmission deadline or answer time for the exchange of forms as defined in the legislation.

5.1.3.2.ReportingU.K.

Norway shall also provide on an annual basis to the Commission statistical data via e-mail regarding to the communication of information as set out in Articles 20 and 39 of the Agreement [RD.3.].

5.1.4.Problem ManagementU.K.

5.1.4.1.AgreementU.K.

Norway shall maintain an adequate problem registration(8) and follow-up mechanism for any problems affecting their application host, system software, data and applications software.

Problems with any part of the CCN network (Gateways and/or Exchange Mail servers) shall be reported to ITSM immediately.

5.1.4.2.ReportingU.K.

Norway shall inform the ITSM where they have an internal problem with the technical infrastructure related to their own systems and applications for administrative cooperation and recovery of claims in the area of VAT.

Where Norway considers that a problem reported to ITSM is not being addressed or resolved or was not addressed or resolved in a satisfactory way, it shall report this to the Commission as soon as possible.

5.1.5.Security ManagementU.K.

5.1.5.1.Agreement(9) U.K.

Norway shall protect its systems and applications for administrative cooperation and recovery of claims in the area of VAT against security violations and shall keep track of any security violations and of any security improvements made.

Norway shall apply the security recommendations and/or requirements specified in the following documents:

5.1.5.2.ReportingU.K.

Norway shall on an ad-hoc basis report to the Commission on any security violations and on any measures taken.

5.2.NORWAY'S SERVICE LEVELSU.K.

5.2.1.All Service Level Management AreasU.K.

5.2.1.1.AgreementU.K.

Norway shall register any unavailability problems or changes(10) regarding to the technical, functional and organisational aspects of Norway's systems and applications for administrative cooperation and recovery of claims in the area of VAT.

5.2.1.2.ReportingU.K.

Norway shall inform the ITSM where necessary in relation to any unavailability problems or changes regarding the technical, functional or organisational aspects of their system. ITSM shall always be informed for any changes regarding the operating personnel (operators, system administrators).

5.2.2.Service deskU.K.

5.2.2.1.AgreementU.K.

Norway shall make available a service desk for responding to incidents assigned to Norway, for giving assistance and to carry out testing. The working hours of the service desk should be the same as the working hours of the ITSM Service Desk during ITSM working days. Norway's service desk shall operate at a minimum between 10:00-16:00 CET during working days, except on its national holiday. It is recommended that Norway's service desk follows the ITIL service support guidelines in handling the questions and incidents.

5.2.2.2.ReportingU.K.

Norway shall inform the ITSM where necessary in relation to any availability problem related to its service desk.

6.QUALITY MEASUREMENTU.K.

6.1.AGREEMENTU.K.

The Commission shall evaluate the reports (activity reports generated by ITSM, notifications, statistics, other information) received from the ITSM and Norway, shall determine the levels of adherence to this SLA and in case of problems shall contact Norway in order to solve the problem and to ensure that the quality of the service is in line with this agreement.

6.2.REPORTINGU.K.

The Commission shall report on a monthly basis to Norway the level of the service as defined in Section 5.1.2.

7.APPROVAL OF THE SLAU.K.

The Service Level Agreement has to be approved by the Joint Committee in order to be applicable.

8.CHANGES TO THE SLAU.K.

The Service Level Agreement will be reviewed following a written request from the Commission or Norway to the Joint Committee.

Until the Joint Committee decides on the proposed changes, the provisions of the current SLA remain in force. The Joint Committee acts as the decision making body for the present agreement.

9.CONTACT POINTU.K.

For any questions or remarks regarding this document, feel free to contact:

SERVICE PROVIDER - SERVICE DESK

support@itsmtaxud.europa.eu

ANNEX IIU.K.Service Level Agreement for the Common Communication Network / Common System Interface services (‘CCN/CSI SLA’)

1.APPLICABLE ACTS AND REFERENCE DOCUMENTSU.K.

1.1.APPLICABLE ACTSU.K.

This CCN/CSI SLA takes into account the list of agreements and applicable decisions provided below.

1.2.REFERENCE DOCUMENTSU.K.

This CCN/CSI SLA takes into account the information provided in the following reference documents. Applicable versions of the documents are those available at the time of signing this agreement.

2.TERMINOLOGYU.K.

2.1.ACRONYMSU.K.

2.2.DEFINITIONS OF TERMS FOR THE PURPOSE OF THE CCN/CSI SLAU.K.

3.INTRODUCTIONU.K.

This document consists of a Common Communication Network / Common System Interface Service Level Agreement (CCN/CSI SLA) between the European Commission (‘Service Provider’) and the Kingdom of Norway (‘Service Requester’), collectively referred as ‘the Parties to the SLA’.

In particular the ‘Service Provider’ includes the organisational units of DG TAXUD, as listed below:

• DG TAXUD B2 unit coordinating all CCN/CSI activities;

• ITSM3 Operations providing operational services;

• CCN2DEV providing CCN software (evolutionary and corrective maintenance services);

• Trans-European Backbone network provider (CCN/WAN, currently OBS).

Based on the nature of the requested service, one of the Service Providers will fulfil the task.

The ‘Service Requester’ is the national administration (NA) of the Kingdom of Norway. The concerned organisational units within the NA are:

• the National CCN Support Centre in charge of the support and management of the DG TAXUD CCN Infrastructure equipment located at NA premises as well as the national infrastructure supporting the applications running over the CCN/CSI infrastructure;

• the National Application Support Centre in charge of the national support of the EC applications running in the National Domain and using the CCN/CSI infrastructure services;

• the National Application Development Teams in charge of the development of applications using the CCN/CSI infrastructure including their sub-contractors.

3.1.SCOPE OF THE CCN/CSI SLAU.K.

Article 5 of the Agreement specifies that ‘A service level agreement ensuring the technical quality and quantity of the services for the functioning of the communication and information exchange systems shall be concluded’.

This CCN/CSI SLA sets out the relationship between and the Commission (Service Provider) and the Kingdom of Norway (Service Requester), concerning the operational phase of the Common Communication Network / Common System Interface system (‘CCN/CSI system’).

It defines the required level of the service provided to the Service Requester. It also provides for a mutual understanding of service level expectations and the responsibilities of the involved Parties to the SLA.

This document describes the services and service levels provided currently by the Service Provider.

All targets referred to in the CCN/CSI SLA will be applicable under normal working conditions only.

In case of events of force majeure, no Party shall be liable for any failure to perform its obligations where such failure is as a result of natural disaster (including fire, flood, earthquake, storm, hurricane or other natural disaster), war, invasion, act of foreign enemies, hostilities (whether war is declared or not), civil war, rebellion, revolution, insurrection, military or usurped power or confiscation, terrorist activities, nationalisation, government sanction, blockage, embargo, labour dispute, strike, lockout or interruption or long-term failure of the commercial electricity grid.

3.2.CCN/CSI SERVICE DEFINITION AND CHARACTERISTICSU.K.

The Common Communication Network / Common System Interface is a tool for exchange of tax information between the National Administrations in the field of Taxation and Anti-Fraud. The main characteristics of the CCN/CSI system infrastructure are listed hereafter:

3.3.AGREEMENT PERIODU.K.

The CCN/CSI SLA is binding on the Parties from the day following its approval by the Joint Committee established by Article 41 of the Agreement (‘the Joint Committee’).

4.RESPONSIBILITIESU.K.

4.1.OBLIGATIONS OF THE SERVICE PROVIDER (OSP)U.K.

The Service Provider shall:

4.2.OBLIGATIONS OF THE SERVICE REQUESTER (OSR)U.K.

The Service Requester shall:

4.3.SERVICES PROVIDED BY THE SERVICE PROVIDERU.K.

4.3.1.IT Service DeskU.K.

The Service Provider offers a consolidated IT Service Desk with Incident and Problem Management. The IT Service Desk extends the range of classical help desk services and offers a more global-focused approach, allowing business processes to be integrated into the CCN/CSI service management.

Indeed, the IT Service Desk not only handles incidents, problems and questions, but also provides an interface for other activities such as change requests, maintenance contracts, software licences, service level management, configuration management, availability management, security management and IT service continuity management.

The IT Service Desk also spontaneously notifies the Service Requester of any urgent information, thus acting as an information-dispatching centre for the Service Requester.

A Notification is defined as a message issued by the Service Provider warning Service Requester of an event that may affect the CCN/CSI operations: gateway unavailability, system outage, malfunctions, infrastructure maintenance or software update.

The IT Service Desk interface to Service Requester is achieved through the Service Provider contact point or through the ITSM Web portal, which provides on-line services to the Service Requester such as service call tracking; ACT and the CCN Web portal which provides CSI packages download area, access to statistics and monitoring information, etc.

4.3.1.1.Incident and problem managementU.K.

This service deals with incidents originating from Service Desk users (including system operations). An incident may be defined as a simple request for information or clarification, but may also be categorized as the reporting of non-compliant behaviour of a specific component.

An incident is defined as an unexpected event that is not part of the standard operation of the infrastructure or a failure that degrades an operational CCN/CSI service. An incident is solved when the service is restored.

The incident can be related to the following Configuration Items (CI):

• the hardware under responsibility of the Service Provider: CCN gateways, security devices, Customer Premises Routers (CPR) and other network connectivity devices on the EuroDomain (DG TAXUD CCN Infrastructure) LAN;

• the software running on the encryption devices;

• the system software running on the gateways: Operating System, basic communication software such as TCP/IP, etc.;

• the third-party software running on the gateways such as Tuxedo, MQSeries, Sun ONE Directory Server, PostgreSQL, Apache, etc.;

• the CCN Mail III;

• the CCN/CSI software running on the gateways;

• the CSI software running on the Application Platforms;

• SIAP (Secure Internet Access Point) – Unified Defence.

A problem is identified either from a single incident which has an extremely adverse impact on the user service and for which the cause is unknown, or from multiple incidents exhibiting common symptoms. A problem is solved when the cause is identified and removed.

When an incident occurs, the situation is investigated in order to restore the operational CCN/CSI services (if needed) and to find the root cause of the incident. The Service Provider helps to resolve incidents in the NA application software, at the level of the interface with CCN/CSI, as long as this has no impact on the other services to be provided by the Service Provider. The Service Provider assistance consists in providing information about the correct usage of CCN/CSI. It does not consist in participating in the debugging of NA application software.

4.3.2.Tools supporting the Service ManagementU.K.

The monitoring of the CCN gateway infrastructure, applications and CCN queues is supported by the IBM® Tivoli Monitoring (Tivoli Monitoring) and IBM Tivoli Composite Application Manager (ITCAM) product family.

The CCN Tivoli Monitoring and Reporting service, based on IBM Tivoli Monitoring suite, provides the following functionalities:

• monitor the applications queues located on the CCN Gateways (WebSphere MQ);

• monitor the operating system status of the CCN Gateways;

• CPU usage, Disk space, Memory usage, Network usage, Processes;

• Out of Band HW monitoring;

• monitor the running processes of the CCN components located on the CCN Gateways;

• monitor the CCN Mail III infrastructure;

• provide to the CCN Tivoli users a view on the previous monitored information;

• generate pre-defined alerts on the previous monitored components;

• provide reports based on collected historical data (CCN Tivoli Data Warehouse);

• give information about the availability and performance of the CCN/CSI infrastructure over time, reporting important trends in a consistent and integrated manner.

4.3.3.ICT Infrastructure Management and OperationsU.K.

The Service Provider is called upon to install, operate, and maintain the CCN/CSI operational infrastructure so as to guarantee the agreed availability levels.

The CCN/CSI operational infrastructure is composed of the EuroDomain relay devices (CCN Gateways), security devices, customer premises router and telecommunications.

This service covers:

• Availability Management;

• Contingency Management;

• Application Configuration Data management;

• Security Management.

And also includes:

• the coordination of the moving of CCN/CSI equipment;

• the coordination of deployment of new sites;

• the capacity planning of the CCN infrastructure;

• follow-up of the above-requested activity during the monthly progress meeting. This meeting is QA'ed and consists of all contracting parties contributing to the CCN/CSI service;

• facilitation of ‘freeze’ requests. These can be requested only by authorized users to a DG TAXUD dedicated official;

• design, planning, deployment, operations, technical support & retirement of HW, OS and COTS;

• Network Services;

• HW& OS & COTS Services;

• Backup & Restore;

• Job Management Service;

• Production & Maintenance of ICT Infrastructure Management Related Plans i.e. ICT Infrastructure Plan, Availability Plan, Capacity Plan, Continuity Plan;

• Feasibility Studies linked to Infrastructure.

4.3.3.1.Availability ManagementU.K.

The main service that the Service Provider has to provide is to ensure that the CCN/CSI system is ‘up and running’ at the required availability level.

The Service Provider ensures that all CCN/CSI sites are interconnected through a Wide Area Network (WAN) offering the necessary resilience and capacity to ensure the proper functioning of critical business applications using the CCN/CSI infrastructure and services.

The availability management service covers the following items:

• global access in all connected NAs;

• the provision of the local loop (+ a backup line) between the WAN local access point (PoP) and the National Administration premises;

• the Customer Premises Router (CPR) installation, configuration, and maintenance;

• the Security Device (i.e. SSG encryption-firewall box) installation and maintenance;

• communication gateways located on the DMZ, at every local site (i.e. CCN Gateways);

• the central CCN Mail III system.

The Service Provider also provides statistical information on the availability collected under operational circumstances and a monitoring service, both for pro-active problem tracking and statistical purposes.

4.3.3.2.Contingency ManagementU.K.

The Service Provider is responsible for the CCN/CSI components located in the DG TAXUD CCN Infrastructure at each CCN/CSI site.

The Contingency service aims at restoring the agreed service levels within an agreed timeframe in case of partial or complete dysfunction or destruction of the CCN/CSI system by providing the Service Requesters with help and items such as:

• software backup of CCN gateways (at every site);

• central CCN backup site;

• redundant encryption devices;

• switching capabilities between production and backup gateways;

• spare units for hardware devices;

• dual telecom access lines to the CCN backbone (at every site);

• assistance in installation and configuration of CCN/CSI items in the DG TAXUD CCN Infrastructure;

• recovery procedures.

4.3.3.3.Application Configuration Data ManagementU.K.

This service concerns the management of configuration data, required by CCN/CSI applications, by the Service Provider.

These configuration data are stored in the central CCN/CSI Directory. The central CCN/CSI Directory management is shared between the Service Provider and the National Administrations. Each National Administration is in charge of the management of its local CCN/CSI users. The rest is managed by the Service Provider.

Examples of configurations subject to an Administration Service Request are:

• definition of a local admin profile;

• registration of an application service;

• registration of an application queue;

• registration of a message type;

• validation of application configuration data;

• registration of administration roles;

• contact list management.

4.3.4.Security ManagementU.K.

This service concerns the management of the security items, required by CCN/CSI environment, by the Service Provider.

Security is managed as well on the level of the involved server equipment (OS), network equipment and on operational level.

Information exchanges over the CCN/CSI network are protected to ensure optimal confidentiality and data integrity.

Security services include:

• site-to-site encryption and protection against unwanted accesses enforced by firewall/encryption devices;

• access control mechanisms (authentication, authorisation, accounting) at site level enforced at CCN Gateway and supported by local administration tools (ADM3G);

• session-level security enforced by message-level encryption (CSI secure), SSL mutual authentication and encryption (HTTPS & NJCSI), POP-S and IMAP-S (secure e-mail transport);

• SIAP unified defence mechanism for secured internet access to CCN services.

4.3.5.Documentation managementU.K.

The Service Provider maintains the whole CCN/CSI technical documentation (i.e. technical document, user guides, frequently asked questions, newsletters, upcoming events, etc.) up-to-date, which acts as Documentation Centre.

This includes the documentation related to the CCN/CSI infrastructure: Oracle-Tuxedo, IBM-MQ, CCN Gateways, CCN Mail III, CSI software, procedures, reports, history of communication with partners, etc.

The Service Provider manages a list of documentation, related to the CCN/CSI that can be communicated to Service Requester. These documents are available on CIRCABC, and the ITSM Portal.

The Service Provider automatically updates the list with the newly approved version of the documents.

4.3.6.Reporting and statisticsU.K.

The Service Provider provides the Service Requester with the following reporting facilities through the CCN and ITSM Web Portal:

• on-line availability figures for CCN Gateways and CCN Mail III servers;

• on-line newsletters;

• statistics on CCN/CSI exchanges.

The Service Provider also regularly holds IT Tech & Infra meeting, where the reporting and statistics are presented.

4.3.7.TrainingU.K.

The Service Provider works out courses and performs training related to the technical aspects of the CCN/CSI system. The standard courses are organised in training packages divided into modules. As a general rule, training sessions are organised every year. The standard training packages are distributed twice a year via DG TAXUD and available online on the ITSM Portal.

5.SERVICE LEVEL MEASUREMENTU.K.

5.1.SERVICE LEVELU.K.

The Service Level is a measure of the quality of the services provided by the Service Provider. It is computed by a Service Quality Indicator or SQI.

It is expected that the Service Requester complies with its obligations (see §4.2) to achieve the agreed Service Level.

5.2.APPLICABLE SERVICE QUALITY INDICATORSU.K.

5.2.1.Individual CCN/CSI Site AvailabilityU.K.

This SQI provides the lowest measured availability of an individual site during the ‘Full Period’, i.e. 24/7, for a given month. The CCN/CSI SLA limit is defined as follows:

5.2.2.SQI on the Duty PeriodU.K.

The Service Provider's ‘Duty Period’ is the hours of coverage of the Service Desk function. The duty is ensured by the Service Provider SD 24/24, 7 days a week including public holidays.

Depending of the CI's Service Window, there is an immediate action (24/7) or the intervention is scheduled for the next Service Window. Letter, fax, e-mails and electronic requests (through the ITSM Portal) are accepted at any moment. Incoming requests are registered as ‘Service Calls’ in the Service Provider Service Desk management system.

The SLA limit is defined as follows:

5.2.3.SQI on the Notification ServiceU.K.

The Service Provider provides notifications services to the Service Requester.

There are two types of notifications, for Urgent Notifications and for Normal Notifications:

This indicator measures the respect of deadline for announcement (via mass mails) of scheduled unavailability.

5.2.4.SQI on the Contingency ManagementU.K.

Cold Standby (Switch Procedure, Backup & Restore or CCN over Internet)

The appropriate type of switch to be performed depends on a thorough analysis of the specific national administration setup and the problem at hand.

The maximum delay to switch from any national administration Production Gateway to an appropriate CCN Backup Gateway solution is defined as follows:

5.2.5.SQI on the Application Configuration Data managementU.K.

The maximum delay to implement an Application Configuration Request via the ACT (Application Configuration Tool) for a single site is defined as follows:

5.2.6.SQI on the Acknowledgment DelayU.K.

The maximum delay between the time a request is received by the Service Desk and the time an acknowledgment (i.e. Service Call number) is sent to the service requester, is defined as follows:

Incidents are classified according to their priority levels.

The priority of an incident is a number between 1 and 4:

5.2.7.SQI on the Resolution DelayU.K.

The resolution delay is the elapsed time between the moment the incident is acknowledged by the Service Provider and the moment the Service Provider repairs the root cause of the incident or implements a workaround.

According to the priority, the resolution delay is defined as follows:

6.APPROVAL OF THE SLAU.K.

The Service Level Agreement has to be approved by the Joint Committee in order to be applicable.

7.CHANGES TO THE SLAU.K.

The CCN/CSI SLA will be reviewed following a written request from the Commission or the Kingdom of Norway to the Joint Committee.

Until the Joint Committee decides on the proposed changes, the provisions of the CCN/CSI SLA in force are applicable. The Joint Committee acts as the decision making body for the current CCN/CSI SLA.

8.CONTACT POINTU.K.

For all operational services, the ITSM3 Operations acts as single point of contact. Its coordinates are provided below:

ITSM3 Operations - IBM

Toll free: + 800 777 4477

Caller paid: + 40 214 058 422

support@itsmtaxud.europa.eu

http://portal.ccntc.ccncsi.int:8080/portal

(CCN Web Portal - for CCN Registered users)

https://itsmtaxud.europa.eu/smt/ess.do

(ITSM Web Portal - for Service Calls)

Article 1U.K.Installation costs

The initial amount to be paid by the Kingdom of Norway for the establishment of virtual private network (VPN) access is 20 000 EUR.

The amount shall be paid within 60 days following adoption of this Decision.

Article 2U.K.Yearly financial contribution

The yearly financial contribution that the Kingdom of Norway shall pay to the general budget of the Union shall be 20 000 EUR. The amount shall be paid each year by 1 September.

The contribution shall cover expenditure related to the development, maintenance and upgrade of IT solutions (CCN/CSI, e-forms, etc.).

Article 3U.K.Method of payment

The contributions under Articles 1 and 2 shall be paid in euros into the euro-denominated bank account of the Commission indicated in the debit note.

Article 4U.K.

This Decision shall enter into force on the date of its adoption.