http://www.legislation.gov.uk/id/eur/2014/463

CHAPTER IPROVISIONS IMPLEMENTING REGULATION (EU) NO 223/2014 WITH REGARD TO THE FUND FOR EUROPEAN AID TO THE MOST DEPRIVED (FEAD)

ELECTRONIC DATA EXCHANGE SYSTEM (Empowerment under Article 30(4) of Regulation (EU) No 223/2014)

Article 6Security of data transmitted through SFC2014

1.

The Commission shall establish an information technology security policy (hereinafter referred to as ‘SFC IT security policy’) for SFC2014 applicable to personnel using SFC2014 in accordance with relevant Union rules, in particular Commission Decision C(2006) 36028 and its implementing rules. The Commission shall designate a person or persons responsible for defining, maintaining and ensuring the correct application of the security policy to SFC2014.

2.

Member States and European institutions other than the Commission, who have received access rights to SFC2014, shall comply with the IT security terms and conditions published in the SFC2014 portal and the measures that are implemented in SFC2014 by the Commission to secure the transmission of data, in particular in relation to the use of the technical interface referred to in Article 5(1) of this Regulation.

3.

Member States and the Commission shall implement and ensure the effectiveness of the security measures adopted to protect the data they have stored and transmitted through SFC2014.

4.

Member States shall adopt national, regional or local information security policies covering access to SFC2014 and automatic input of data into it, ensuring a minimum set of security requirements. These national, regional or local IT security policies can refer to other security documents. Each Member State shall ensure that these IT security policies apply to all authorities using SFC2014.

5.

These national, regional or local IT security policies shall include:

(a)

the IT security aspects of the work performed by the person or persons responsible for managing the access rights referred to in Article 3(3) of this Regulation in case of application of direct use;

(b)

in case of national, regional or local computer systems connected to SFC2014, through a technical interface referred to in Article 5(1) of this Regulation the security measures for those systems allowing to be aligned with SFC2014 security requirements.

For the purposes of point (b) of the first subparagraph, the following aspects shall be covered, as appropriate:

(a)

physical security;

(b)

data media and access control;

(c)

storage control;

(d)

access and password control;

(e)

monitoring;

(f)

interconnection with SFC2014;

(g)

communication infrastructure;

(h)

human resources management prior to employment, during employment and after employment;

(i)

incident management.

6.

These national, regional or local IT security policies shall be based on a risk assessment and the measures described shall be proportionate to the risks identified.

7.

The documents setting out the national, regional or local IT security policies shall be made available to the Commission upon request.

8.

Member States shall designate, at a national level, a person or persons responsible for maintaining and ensuring the application of the national, regional or local IT security policies. That person or these persons shall act as a contact point with the person or persons designated by the Commission and referred to in Article 6(1) of this Regulation.

9.

Both the SFC IT security policy and the relevant national, regional and local IT security policies shall be updated in the event of technological changes, the identification of new threats or other relevant developments. In any event, they shall be reviewed on an annual basis to ensure that they continue to provide an appropriate response.