Article 1U.K.

The technical specifications referred to in Article 6(5) of Regulation (EU) No 211/2011 are set out in the Annex.

Article 2U.K.

This Regulation shall enter into force on the 20th day following its publication in the Official Journal of the European Union.

ANNEXU.K.

1.TECHNICAL SPECIFICATIONS AIMING AT IMPLEMENTING ARTICLE 6(4)(a) OF REGULATION (EU) No 211/2011U.K.

In order to prevent automated submission of a statement of support using the system, the signatory goes through an adequate verification process in line with current practice before submission of a statement of support. One possible verification process is the use of strong ‘captcha’.

2.TECHNICAL SPECIFICATIONS AIMING AT IMPLEMENTING ARTICLE 6(4)(b) OF REGULATION (EU) No 211/2011U.K.

Information assurance standards U.K.

2.1.Organisers provide documentation showing that they fulfil the requirements of standard ISO/IEC 27001, short of adoption. For that purpose, they have:U.K.

2.2.Organisers choose security controls based on the risk analysis in 2.1(a) from the following standards:U.K.

Application of these standards can be limited to the parts of the organisation that are relevant for the online collection system. For instance, human resources security can be limited to any staff that has physical or networking access to the online collection system, and physical/environmental security can be limited to the building(s) hosting the system.

Functional requirements U.K.

2.3.The online collection system consists of a web-based application instance set up for the purpose of collecting statements of support for a single citizens’ initiative.U.K.

2.4.If administering the system requires different roles, then different levels of access control are established according to the principle of least privilege.U.K.

2.5.The publicly accessed features are clearly separated from the features destined for administration purposes. No access control hinders reading of the information available in the public area of the system, including information on the initiative and the electronic statement of support form. Signing up for an initiative is possible only via this public area.U.K.

2.6.The system detects and prevents submission of duplicate statements of support.U.K.

Application level security U.K.

2.7.The system is suitably protected against known vulnerabilities and exploits. For this purpose it satisfies, inter alia, the following requirements:U.K.

Database security and data integrity U.K.

2.8.Where online collection systems used for different citizens’ initiatives share hardware and operating system resources, they do not share any data, including access/encryption credentials. In addition, this is reflected in the risk assessment and in the implemented countermeasures.U.K.

2.9.The risk that someone authenticates on the database using ‘pass-the-hash’ is mitigated.U.K.

2.10.The data provided by the signatories is only accessible to the database administrator/organiser.U.K.

2.11.Administrative credentials, personal data collected from signatories and its backup are secured via strong encryption algorithms in line with point 2.7.7(b). However, the Member State where the statement of support will be counted, the date of submission of the statement of support and the language in which the signatory filled in the statement of support form may be stored unencrypted in the system.U.K.

2.12.Signatories only have access to the data submitted during the session in which they complete the statement of support form. Once the statement of support form is submitted the above session is closed and the submitted data is not accessible anymore.U.K.

2.13.Signatories’ personal data are only available in the system, including the backup, in encrypted format. For the purpose of data consultation or certification by the national authorities in accordance with Article 8 of Regulation (EU) No 211/2011, organisers may export the encrypted data in accordance with point 2.7.7(a).U.K.

2.14.The persistence of the data entered in the statement of support form is atomic. That is, once the user has entered all required details in the statement of support form, and validates his/her decision to support the initiative, the system either successfully commits all of the form data to the database, or, in case of error, fails by saving no data at all. The system informs the user of the success or failure of his/her request.U.K.

2.15.The DBMS used is up to date and continuously patched for newly discovered exploits.U.K.

2.16.All system activity logs are in place. The system makes sure that audit logs recording exceptions and other security-relevant events listed below may be produced and kept until the data is destroyed in accordance with Article 12(3) or (5) of Regulation (EU) No 211/2011. Logs are adequately protected, for instance by storage on encrypted media. Organisers/administrators regularly check the logs for suspicious activity. Log contents include at least:U.K.

Infrastructure security — physical location, network infrastructure and server environment U.K.

2.17. Physical security U.K.

Whatever the type of hosting used, the machine hosting the application is properly protected, which provides:

2.18. Network security U.K.

2.18.1.The system is hosted on an Internet facing server installed on a demilitarised zone (DMZ) and protected by a firewall.U.K.

2.18.2.When relevant updates and patches of the firewall product become public, then such updates or patches are installed expediently.U.K.

2.18.3.All inbound and outbound traffic to the server (destined to the online collection system) is inspected by the firewall rules and logged. The firewall rules deny all traffic that is not needed for the secure use and administration of the system.U.K.

2.18.4.The online collection system must be hosted on an adequately protected production network segment that is separated from segments used to host non-production systems such as development or testing environments.U.K.

2.18.5.Local area network (LAN) security measures are in place such as:U.K.

2.19. OS and web/application server security U.K.

2.19.1.A proper security configuration is in place including the elements listed in point 2.7.6.U.K.

2.19.2.Applications run with the lowest set of privileges that they require to run.U.K.

2.19.3.Administrator access to the management interface of the online collection system has a short session time-out (maximum 15 minutes).U.K.

2.19.4.When relevant updates and patches of the OS, the application runtimes, applications running on the servers, or anti-malware become public, then such updates or patches are installed expediently.U.K.

2.19.5.The risk that someone authenticates on the system using ‘pass-the-hash’ is mitigated.U.K.

2.20. Organiser client security U.K.

For the sake of end-to-end security, the organisers take necessary measures to secure their client application/device that they use to manage and access the online collection system, such as:

3.TECHNICAL SPECIFICATIONS AIMING AT IMPLEMENTING ARTICLE 6(4)(c) OF REGULATION (EU) No 211/2011U.K.

3.1.The system provides the possibility to extract for each individual Member State a report listing the initiative and the personal data of the signatories subject to verification by the competent authority of that Member State.U.K.

3.2.Exporting of signatories’ statements of support is possible in the format of Annex III to Regulation (EU) No 211/2011. The system may in addition provide for the possibility of exporting the statements of support in an interoperable format such as the extensible mark-up language (XML).U.K.

3.3.The exported statements of support are marked as being of limited distribution to the Member State concerned, and labelled as personal data.U.K.

3.4.The electronic transmission of exported data to the Member States is secured against eavesdropping using suitable end-to-end encryption.U.K.